Data Processing Agreement
Tinct SAS · Version 1.1 — June 2026
1. Parties and Background
This Data Processing Agreement (the “DPA”) forms part of and is incorporated into the Tinct SaaS Subscription Agreement, order form, or other written or electronic agreement between the parties governing the provision of the Tinct platform and services (together, the “Principal Agreement”). It is entered into between:
Tinct SAS, a société par actions simplifiée organised under the laws of France, having its registered office at 5 Rue Pleyel, Bureau 3, 93200 Saint-Denis, France (“Tinct”, the “Processor”); and
the Client identified in the Principal Agreement (the “Client”, the “Controller”),
each a “Party” and together the “Parties”.
This DPA sets out the terms on which Tinct processes Personal Data on behalf of the Client in connection with the Tinct platform, an account-based marketing (ABM) personalisation service. It is concluded pursuant to Article 28 of Regulation (EU) 2016/679 (the “GDPR”) and any applicable national data protection laws. In the event of any conflict between this DPA and the Principal Agreement, this DPA prevails on matters of data protection.
Scope of roles. Under the Tinct service, Tinct acts as Processor on behalf of the Client (Controller) in respect of website visitor analytics data collected via the Tinct Snippet and CRM-sourced account data imported on the Client’s instruction. Tinct acts as an independent Controller in respect of platform user account data, billing data, and its own company-intelligence database; those processing activities are governed by Tinct’s Privacy Policy and not by this DPA. This DPA governs only the processing carried out by Tinct as Processor, described in Annex 1.
2. Definitions
Capitalised terms not defined in this DPA have the meaning given to them in the GDPR or the Principal Agreement. In particular:
“Controller”, “Processor”, “Data Subject”, “Personal Data”, “Processing”, “Personal Data Breach” and “Special Categories of Personal Data” have the meanings given in Article 4 GDPR.
“Client Personal Data” means any Personal Data that Tinct processes on behalf of the Client under the Principal Agreement, as described in Annex 1.
“Sub-processor” means any third party engaged by Tinct to process Client Personal Data.
“SCCs” means the Standard Contractual Clauses approved by European Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
“Data Protection Laws” means the GDPR, the UK GDPR, the French Data Protection Act (Loi Informatique et Libertés), the ePrivacy Directive 2002/58/EC as implemented nationally, and any other applicable laws relating to the processing of Personal Data.
3. Subject Matter, Duration, Nature and Purpose
The subject matter, duration, nature and purpose of the processing, the types of Personal Data and the categories of Data Subjects are set out in Annex 1 (Description of the Processing). Tinct processes Client Personal Data only for the purpose of providing the Tinct service in accordance with the Principal Agreement and the Client’s documented instructions.
This DPA applies for as long as Tinct processes Client Personal Data on behalf of the Client, and survives termination of the Principal Agreement to the extent Tinct retains any Client Personal Data.
4. Obligations of Tinct as Processor
Tinct undertakes the following obligations pursuant to Article 28(3) GDPR.
4.1 Processing on documented instructions
4.1.1 Tinct shall process Client Personal Data only on documented instructions from the Client, including with regard to transfers to a third country, unless required to do so by Union or Member State law to which Tinct is subject. In such a case, Tinct shall inform the Client of that legal requirement before processing, unless the law prohibits such information on important grounds of public interest.
4.1.2 The Principal Agreement, this DPA (including Annex 1), and the configuration options selected by the Client through the Tinct platform constitute the Client’s complete and final documented instructions. Additional instructions must be agreed in writing.
4.1.3 Tinct shall immediately inform the Client if, in its opinion, an instruction infringes the GDPR or other Data Protection Laws.
4.2 Confidentiality
4.2.1 Tinct shall ensure that persons authorised to process Client Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality, and that access is limited to personnel who need it to provide the service.
4.3 Security of processing
4.3.1 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk to Data Subjects, Tinct shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, in accordance with Article 32 GDPR. The measures currently implemented are described in Annex 3.
4.3.2 Tinct may update the measures in Annex 3 from time to time provided that the updates do not materially reduce the overall level of security of the service.
4.4 Sub-processing
4.4.1 The Client grants Tinct general written authorisation to engage the Sub-processors listed at tinct.ai/static/sub-processors for the processing of Client Personal Data.
4.4.2 Tinct shall impose on each Sub-processor, by way of a written contract, data protection obligations equivalent to those set out in this DPA, in particular providing sufficient guarantees to implement appropriate technical and organisational measures. Where a Sub-processor fails to fulfil its data protection obligations, Tinct remains fully liable to the Client for the performance of that Sub-processor’s obligations.
4.4.3 Tinct shall inform the Client of any intended addition or replacement of a Sub-processor at least thirty (30) days in advance, thereby giving the Client the opportunity to object on reasonable data-protection grounds. If the Client reasonably objects and the Parties cannot agree on a resolution, the Client may terminate the affected part of the service.
4.5 Assistance with data subject rights
4.5.1 Taking into account the nature of the processing, Tinct shall assist the Client by appropriate technical and organisational measures, insofar as possible, in fulfilling the Client’s obligation to respond to requests by Data Subjects exercising their rights under Chapter III GDPR (access, rectification, erasure, restriction, portability, objection).
4.5.2 If Tinct receives a request directly from a Data Subject relating to Client Personal Data, it shall not respond directly (other than to acknowledge receipt where appropriate) but shall promptly forward the request to the Client.
4.6 Assistance with compliance, DPIA and breach
4.6.1 Tinct shall assist the Client in ensuring compliance with its obligations under Articles 32 to 36 GDPR (security of processing, breach notification to the supervisory authority and to Data Subjects, data protection impact assessments and prior consultation), taking into account the nature of processing and the information available to Tinct.
4.7 Personal data breach notification
4.7.1 Tinct shall notify the Client without undue delay, and in any event within seventy-two (72) hours, after becoming aware of a Personal Data Breach affecting Client Personal Data.
4.7.2 The notification shall include, to the extent available, a description of the nature of the breach, the categories and approximate number of Data Subjects and records concerned, the likely consequences, and the measures taken or proposed to address the breach and mitigate its effects. Where information cannot be provided at the same time, it may be provided in phases without undue further delay.
4.8 Return and deletion
4.8.1 Upon termination of the service, and at the choice of the Client, Tinct shall delete or return all Client Personal Data and delete existing copies, unless Union or Member State law requires storage of the Personal Data.
4.8.2 Deletion is implemented through Tinct’s scheduled two-phase deletion mechanism and completed within thirty (30) days of termination, subject to routine backup cycles after which residual copies are overwritten. Aggregated data that contains no Personal Data may be retained.
4.9 Audits and demonstration of compliance
4.9.1 Tinct shall make available to the Client all information necessary to demonstrate compliance with the obligations laid down in Article 28 GDPR and this DPA, and shall allow for and contribute to audits, including inspections, conducted by the Client or an auditor mandated by the Client.
4.9.2 Audits shall be conducted on reasonable prior notice (at least thirty (30) days, save in the event of a substantiated Personal Data Breach), no more than once per year save where required by a supervisory authority, during normal business hours, and subject to confidentiality. Tinct may satisfy audit requests by providing its certifications, third-party audit reports and security documentation (including, when available, its ISO 27001 certification).
5. Obligations of the Client as Controller
The Client warrants and undertakes that:
it has a valid legal basis for the processing of Client Personal Data and, where the Tinct Snippet is deployed in Advanced (persistent identifier) mode, that it has obtained valid prior consent from website visitors through a compliant consent mechanism before the Tinct cookie is set, in accordance with the ePrivacy Directive and applicable CNIL guidance;
its processing instructions comply with Data Protection Laws and do not cause Tinct to breach those laws;
it has accurately described Tinct’s analytics configuration in its website privacy policy and cookie banner, and provides Data Subjects with the required transparency information; and
it is responsible for the accuracy, quality and legality of the Client Personal Data and the means by which it acquired such data.
6. International Data Transfers
Tinct’s primary infrastructure is hosted within the European Union (Amazon Web Services, eu-west-1, Ireland). Where the provision of the service involves a transfer of Client Personal Data to a country outside the European Economic Area that is not subject to an adequacy decision, such transfer shall be governed by an appropriate transfer mechanism under Chapter V GDPR, in particular the Standard Contractual Clauses, as set out in Annex 4.
Where the SCCs apply, the Client (or the relevant data exporter) is the “data exporter” and Tinct (or the relevant Sub-processor) is the “data importer”. The module applicable is Module Two (Controller to Processor) or Module Three (Processor to Processor) as relevant. The details required to complete the SCC annexes are set out in Annexes 1, 2 and 3.
7. Liability
Each Party’s liability arising out of or related to this DPA is subject to the limitations and exclusions of liability set out in the Principal Agreement. Nothing in this DPA limits any liability that cannot be limited under applicable law. The allocation of liability between controllers and processors set out in Article 82 GDPR applies.
8. Term, Governing Law and Miscellaneous
This DPA takes effect on the effective date of the Principal Agreement and continues for as long as Tinct processes Client Personal Data. This DPA is governed by the law specified in the Principal Agreement or, in the absence of such specification, by French law, and the courts competent under the Principal Agreement (or, failing that, the courts of Paris, France) have jurisdiction, without prejudice to the rights of Data Subjects and supervisory authorities under the GDPR.
If any provision of this DPA is held invalid or unenforceable, the remaining provisions remain in full force. The Annexes form an integral part of this DPA.
9. Acceptance
This DPA is incorporated into the Principal Agreement by reference and is accepted electronically by the Client when creating an account or otherwise accepting the Tinct Terms of Service. No separate or handwritten signature is required for this DPA to be binding (Article 28(9) GDPR — “in writing, including in electronic form”). Where the Client agrees on behalf of a legal entity, the person accepting represents that they have the authority to bind that entity.
Annex 1 — Description of the Processing
This Annex completes the information required under Article 28(3) and Article 30(2) GDPR and, where applicable, Annex I to the SCCs.
A1.1 Categories of Data Subjects
Visitors to the Client’s Landing Pages on which the Tinct Snippet is deployed (in a B2B context, primarily employees and representatives of Target Account companies).
The Client’s Authorised Users who initiate CRM (HubSpot, Salesforce, Attio) OAuth connections.
A1.2 Categories of Personal Data
| Data category | Description |
|---|---|
| IP address | Used exclusively to resolve the visitor’s company via IP-range lookup; not linked to an individual-level profile. Potentially Personal Data under GDPR. |
| Online identifiers | Basic mode: session ID in sessionStorage (cleared on tab close). Advanced mode: persistent Tinct cookie (consent-gated). |
| Device / browser data | User-agent string, browser and device characteristics. |
| Behavioural / usage data | Page URLs visited, referrer URL, session timing, scroll depth, click events, campaign / page variant. |
| CRM OAuth tokens | Access and refresh tokens of the user authorising a CRM integration. |
| Incidental free-text | Any personal references incidentally contained in imported records or campaign-configuration input. |
No special categories of Personal Data (Article 9 GDPR) are intended to be processed. The Tinct personalisation engine operates at company (account) level and does not identify, track or profile individual natural persons.
A1.3 Nature and Purpose of the Processing
Collection, storage, structuring, aggregation and analysis of Landing Page visitor session and behavioural data, and IP-to-company resolution, in order to route identified Target Accounts to personalised Landing Page Variants and to generate and measure those Variants; and OAuth authentication and import of company / account-level records from the Client’s CRM for campaign targeting. The Tinct Snippet can be deployed in two configurations:
| Configuration | Consent required | Returning-visitor detection | Browser storage |
|---|---|---|---|
| Analytics — Basic | No (where CNIL audience-measurement exemption is met) | No — each visit counted as a unique visitor | Session ID in sessionStorage (cleared on tab close) |
| Analytics — Advanced | Yes (visitor consent) | Yes — returning visitors recognised across sessions | Persistent Tinct cookie |
A1.4 Duration of the Processing / Retention
| Data | Retention |
|---|---|
| Visitor analytics events and sessions (Basic & Advanced) | Per Client contract (default: duration of the contract); deleted on account deletion. |
| Aggregated analytics | Per Client contract — aggregate data contains no Personal Data. |
| Persistent Tinct cookie (Advanced only) | 13 months from setting, renewed on each visit subject to active consent; associated data max 25 months from collection (CNIL guidance). |
| CRM OAuth tokens | Until revocation or deletion of the integration. |
| System / access logs (CloudWatch) | 90 days. |
Frequency: continuous, for the duration of the service.
Annex 2 — Sub-processors
The Client grants general written authorisation for Tinct to engage the Sub-processors set out in the up-to-date list maintained at tinct.ai/static/sub-processors, which forms part of this DPA. Each Sub-processor is engaged under a written agreement imposing data-protection obligations equivalent to those in this DPA. Tinct will notify the Client of any intended addition or replacement of a Sub-processor at least thirty (30) days in advance, as set out in clause 4.4.3.
Annex 3 — Technical and Organisational Security Measures (Article 32)
Tinct implements the following measures to ensure a level of security appropriate to the risk. These measures form part of the SCC Annex II where the SCCs apply.
A3.1 Infrastructure Security
All data stored and processed within AWS eu-west-1 (Ireland), within the European Union.
Databases (PostgreSQL, Elasticsearch, Redis) deployed in private subnets with no public internet access.
Network isolation via VPC with least-privilege security group rules; multi-account architecture (dev / preprod / prod / shared) isolating production.
Application Load Balancer enforcing TLS 1.3; all HTTP redirected to HTTPS; AWS WAF with managed rule sets protecting the API.
Developer access to production via Client VPN with certificate-based mutual authentication; no public SSH. Deletion protection enabled on stateful resources.
A3.2 Data Encryption
Encryption at rest: RDS PostgreSQL (AES-256), EFS, and S3 (server-side AES-256).
Encryption in transit: TLS 1.2+ on all external connections; TLS enforced between CloudFront and ALB.
RSA-2048 JWT signing keys generated and stored exclusively in AWS Secrets Manager (never in source or environment variables).
A3.3 Access Control
Role-based access control at application level (Admin / Editor / Viewer) with a fine-grained, resource-level permission system.
All secrets stored in AWS Secrets Manager and SSM Parameter Store; CI/CD via GitHub Actions with OIDC (no long-lived AWS credentials).
Production deployments require manual approval via GitHub Environments with required reviewers.
A3.4 Application Security
Passwords stored as bcrypt hashes; OAuth 2.0 / OpenID Connect authorisation-code flow; OTP for sensitive operations.
Rate limiting on authentication endpoints; user-enumeration protection; restrictive CORS; reCAPTCHA for bot and abuse prevention; actuator endpoints blocked at the load balancer.
A3.5 Monitoring and Audit
CloudWatch logging (90-day retention) with Container Insights; Prometheus + Grafana metrics; Slack alerting via AWS Chatbot.
RDS connection/disconnection logging; GitHub Actions deployment audit trail for all production deployments.
A3.6 Organisational Measures
Production access restricted to authorised technical personnel under confidentiality obligations; developer VPN required for direct database access.
Infrastructure as Code (OpenTofu / Terraform) for reproducible, version-controlled, auditable infrastructure.
ISO 27001 certification in progress with a specialised compliance partner.
A3.7 Resilience, Breach and Sub-processor Management
Documented Personal Data Breach response procedure: assessment within 24 hours; CNIL notification within 72 hours where required; data-subject and Client notification per Articles 33, 34 and 28(3)(f).
All Sub-processors engaged under written agreements with equivalent data-protection obligations and supplier risk review.
Annex 4 — Standard Contractual Clauses (International Transfers)
Where Client Personal Data is transferred from the EEA to a country that does not benefit from an adequacy decision, the Parties agree that the Standard Contractual Clauses adopted by European Commission Implementing Decision (EU) 2021/914 of 4 June 2021 are incorporated into this DPA by reference and apply as follows:
Modules: Module Two (Controller to Processor) applies between the Client and Tinct; Module Three (Processor to Processor) applies between Tinct and onward Sub-processors.
Clause 7 (docking): applies.
Clause 9 (sub-processors): Option 2 (general written authorisation) applies, with a minimum 30-day prior notice period as set out in clause 4.4.3 of this DPA.
Clause 11 (redress): the optional independent dispute-resolution body is not selected.
Clause 17 (governing law): the laws of France.
Clause 18 (forum): the courts of France.
Annexes: Annex I (parties, description of transfer, competent supervisory authority — the CNIL) is completed by Annex 1 of this DPA; Annex II (technical and organisational measures) is completed by Annex 3 of this DPA; the list of authorised Sub-processors is maintained at tinct.ai/static/sub-processors.
UK transfers: for transfers subject to the UK GDPR, the UK International Data Transfer Addendum to the SCCs (issued by the ICO) applies and is incorporated by reference.
Several key Sub-processors (including Stripe, Google and Microsoft) are additionally certified under the EU–US Data Privacy Framework, providing a further adequacy-based safeguard for transfers to the United States.
Tinct SAS — 5 Rue Pleyel, Bureau 3, 93200 Saint-Denis, France · SIREN 101 730 018 — RCS Bobigny · contact@tinct.ai
