
Preliminary version — template published for information during the waitlist phase. A final, legally reviewed version will be offered for signature at the commercial launch of the Cenaclo Cloud service.


Contents

  1. Parties
  2. Article 1 — Subject matter and duration of processing
  3. Article 2 — Nature and purpose of processing
  4. Article 3 — Type of data processed
  5. Article 4 — Categories of data subjects
  6. Article 5 — Obligations and rights of the data controller
  7. Article 6 — Obligations of the processor Cenaclo
  8. Article 7 — Transfers outside the European Union
  9. Article 8 — List of sub-processors
  10. Article 9 — Identity of the processor

Data Processing Agreement (DPA) — Cenaclo template

Last updated: 2026-05-21

This Data Processing Agreement (the “DPA”) is a preliminary template. It describes the conditions under which Cenaclo processes personal data on behalf of its clients within the Cenaclo Cloud service, in accordance with article 28 of the General Data Protection Regulation (GDPR).

This template is intended to be signed between the publisher of Cenaclo and each professional client operating a community on Cenaclo Cloud, once the service opens commercially (V1 and beyond). It supplements the terms of service and the privacy policy, of which it forms an integral part.

Phase 0 (waitlist): during the waitlist phase, no processing is carried out on behalf of a client. The publisher then acts as the data controller of its own sign-up list (see the privacy policy). This DPA only applies once a client makes actual use of the Cenaclo Cloud service.

Parties

This DPA is entered into between:

  • the Data Controller (the “Client”): the natural or legal person who creates and administers a community on Cenaclo Cloud and who determines the purposes and means of processing the personal data of its members;
  • the Processor (“Cenaclo”): the publisher of the service identified in article 9, who processes personal data on behalf of the Client.

The Client acts as the data controller within the meaning of article 4.7 of the GDPR. Cenaclo acts as the processor within the meaning of article 4.8 of the GDPR. Each party undertakes to comply with the applicable data protection regulations, in particular the GDPR and the French Data Protection Act.

Article 1 — Subject matter and duration of processing

This DPA defines the conditions under which Cenaclo carries out, on behalf of the Client, the personal data processing operations necessary to provide the Cenaclo Cloud service (hosting and management of an online community).

Processing is carried out for the duration of the Client’s subscription to the service, as defined by the terms of service, plus the time needed for the return and deletion of data provided for in article 6.7. This DPA terminates automatically when all processing and return obligations are extinguished.

Article 2 — Nature and purpose of processing

Cenaclo processes personal data solely to provide the service to the Client, and according to its documented instructions. The nature of the operations includes in particular: collection, recording, organisation, structuring, storage, consultation, use, communication by transmission and making available, erasure and destruction of data.

The purposes of the processing are strictly limited to:

  • hosting and making available the community space (discussion channels, live workshops, calendar, shared files);
  • managing the accounts and authentication of the members of the Client’s community;
  • routing the notifications and emails related to the operation of the community;
  • the security, backup and operational maintenance of the service.

Cenaclo refrains from processing data for any other purpose, and in particular from exploiting it for its own account, reselling it or using it for advertising or profiling purposes.

Article 3 — Type of data processed

Within the service, Cenaclo may process, on behalf of the Client, the following categories of data:

  • Identification and account data: email address, identifier, nickname, password (in hashed form), language, time zone.
  • Profile data: display name, avatar, and any information the member chooses to provide.
  • Published content: messages, files, images, audio and video published by members within the community.
  • Technical and connection data: IP address, access and event logs, session metadata, necessary for the security and proper operation of the service.

The service is not intended to process sensitive data within the meaning of article 9 of the GDPR. If the Client decides to process such data through the service, it assumes responsibility for it and must inform Cenaclo so that appropriate measures can be implemented.

Article 4 — Categories of data subjects

The data subjects affected by the processing are the natural persons whose data is processed within the Client’s community, namely:

  • the members of the community (registered users, guests, workshop participants);
  • the administrators and moderators designated by the Client;
  • any person whose data appears in content published within the community.

The Client remains solely responsible for the lawfulness of the collection and for determining the categories of data subjects affected by the processing it implements.

Article 5 — Obligations and rights of the data controller

The Client, as data controller:

  • determines the purposes and means of the processing, and provides Cenaclo with documented instructions;
  • warrants that it has obtained a valid legal basis (consent, contract, legitimate interest, etc.) for processing its members’ data and has fulfilled its information obligation;
  • ensures compliance with its own data protection obligations, in particular keeping a record of processing activities where required;
  • is responsible for moderating and ensuring the lawfulness of the content published within its community;
  • has the right to obtain from Cenaclo any information necessary to demonstrate compliance with the obligations of article 28 of the GDPR, under the conditions provided for in article 6.8 (audit).

Article 6 — Obligations of the processor Cenaclo

As processor, Cenaclo undertakes to comply with the following obligations under article 28 of the GDPR.

6.1 — Processing on documented instruction

Cenaclo processes data only on the documented instruction of the Client, including with regard to transfers outside the European Union, unless required to do so by law. In the latter case, Cenaclo informs the Client of that legal requirement before processing, unless the law prohibits it.

6.2 — Confidentiality

Cenaclo ensures that persons authorised to process the data undertake to respect confidentiality or are subject to an appropriate statutory obligation of confidentiality. Access to data is strictly limited to persons who need to know it in order to provide the service.

6.3 — Technical and organisational security measures

Cenaclo implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk (article 32 of the GDPR), in particular:

  • encryption of data in transit (TLS) and encryption at rest of sensitive data (in particular password hashes);
  • partitioning of data per community (logical isolation of spaces);
  • logging of access and security events;
  • regular, tested backups hosted in the European Union;
  • access management based on least privilege and strong authentication of administrative access;
  • security maintenance procedures (updates, vulnerability management).

6.4 — Use of sub-processors

Cenaclo is authorised to use sub-processors to perform specific processing activities, under the conditions of article 7. Cenaclo imposes on each sub-processor, by contract, the same data protection obligations as those set out in this DPA, and remains fully liable for the performance of those sub-processors’ obligations.

Cenaclo informs the Client of any intended change concerning the addition or replacement of a sub-processor, giving the Client a reasonable period to raise reasoned objections before the change is implemented.

6.5 — Personal data breach notification

Cenaclo notifies the Client of any personal data breach as soon as possible after becoming aware of it, and within 72 hours at the latest, to enable the Client to comply with its obligation to notify the supervisory authority (article 33 of the GDPR). The notification specifies the nature of the breach, the categories and approximate number of data subjects, the likely consequences and the measures taken or proposed.

Any breach notification is sent to the Client by Cenaclo, and any notification from the Client may be sent to privacy@cenaclo.com.

6.6 — Assistance and data subject rights

Taking into account the nature of the processing, Cenaclo assists the Client, through appropriate technical and organisational measures, in responding to data subject rights requests (access, rectification, erasure, restriction, portability, objection — articles 15 to 22 of the GDPR). Where a data subject sends a request directly to Cenaclo, Cenaclo forwards it to the Client without delay.

Cenaclo also assists the Client in complying with the obligations set out in articles 32 to 36 of the GDPR (security, breach notification, data protection impact assessment, prior consultation of the supervisory authority), taking into account the information available to Cenaclo.

6.7 — Fate of data at the end of processing

At the end of the service, and at the Client’s choice, Cenaclo returns all the data in a structured, commonly used format, then deletes it, including backup copies, unless a legal retention obligation applies. The Client has a reasonable period after the end of the subscription to export its data before final deletion. Deletion then takes place as soon as possible.

6.8 — Making available and audit

Cenaclo makes available to the Client all the information necessary to demonstrate compliance with the obligations of article 28 of the GDPR and allows for audits, including inspections, by the Client or an auditor mandated by it. The audit arrangements (reasonable notice, frequency, cost allocation, respect for the confidentiality and security of other clients) are defined by mutual agreement so as not to disrupt the service.

Article 7 — Transfers outside the European Union

Processing is carried out within the European Union. The service data (database, files and backups) is hosted in the EU zone.

Where a sub-processor is legally established outside the European Union (for example Cloudflare, Inc. and Discord, Inc., US entities), the actual processing is confined to European datacenters and any residual transfer is governed by the Standard Contractual Clauses (SCC) adopted by the European Commission, supplemented by additional measures where appropriate. No transfer is carried out in the absence of appropriate safeguards within the meaning of Chapter V of the GDPR.

Article 8 — List of sub-processors

As at the update date of this DPA, Cenaclo uses the following sub-processors. This list is consistent with the one in the privacy policy and kept up to date; any addition or replacement is notified to the Client in accordance with article 6.4.

| Sub-processor | Purpose | Jurisdiction / hosting | Safeguards |
| --- | --- | --- | --- |
| Listmonk (self-hosted by the publisher) | List management and routing of community-related emails (transactional and campaigns) | Instance self-hosted by the publisher on a VPS located in the European Union (Hetzner) | Self-hosted: direct control, no sharing with any third party other than the Amazon SES SMTP backend |
| Amazon Web Services EMEA SARL (Amazon SES) | SMTP backend used by Listmonk for actual email delivery (send metadata) | SES eu-west region (Ireland / Frankfurt), AWS Europe legal entity in Luxembourg | Signed DPA, EU Standard Contractual Clauses (SCC), ISO 27001 / SOC 2 compliance |
| PostHog Cloud EU | Anonymous audience measurement and product analytics of the service | EU — Frankfurt hosting (PostHog EU clusters) | Signable DPA, EU SCC, “Discard client IP data” setting enabled at the project level |
| Cloudflare, Inc. | CDN, DDoS protection, static hosting, anti-spam (Turnstile) | US entity; actual processing on nodes located in the EU | EU SCC (clauses published by Cloudflare), Data Processing Addendum available |
| Hetzner Online GmbH | Server hosting (Listmonk VPS and Cenaclo backend) | Datacenters in Germany (Falkenstein, Nuremberg) or Finland (Helsinki) | German jurisdiction, native GDPR compliance, DPA available |
| Discord, Inc. (V1+, opt-in) | Reading the messages of a Discord server to migrate to a Cenaclo community — explicit opt-in | US entity | EU SCC and explicit opt-in per community; not applicable without activation |

Article 9 — Identity of the processor

The Cenaclo Cloud service is published by the processor identified below:

  • Processor: Nicolas Roger EGERMANN
  • Status: sole trader — micro-enterprise (auto-entrepreneur), unregulated liberal profession
  • SIRET: 522 700 640 00033
  • Address: 79 rue des Micocouliers, 30260 Cannes-et-Clairan, France
  • Data protection contact: privacy@cenaclo.com

For any question relating to this DPA or to exercise the rights provided for by the GDPR, the Client and data subjects can write to privacy@cenaclo.com.


© 2026 Salon · All rights reserved.