Data Processing Addendum

Version 1.0 · Effective date: 3 May 2026

This DPA forms part of the agreement between Palms Sky Conv ("Processor") and the customer ("Controller"). It applies whenever the Processor processes Personal Data on behalf of the Controller in connection with the Service.

1. Parties

Processor: Palms Sky Conv, 30 T Route du Vieux Flamboyant, Saint-Gilles-Les-Hauts, 97460 Saint-Paul, Réunion, France.
Controller: the entity identified as Customer in the Service order or account.

2. Definitions

Capitalised terms have the meaning given in the GDPR. "Personal Data", "Data Subject", "Processing", "Sub-processor", and "Supervisory Authority" follow Article 4 GDPR.

3. Scope & nature of processing

Subject-matter: Processor performs invoice rendering and related processing tasks instructed by the Controller via the Service.
Duration: the term of the principal Service agreement.
Categories of data subjects: the Controller's customers and any individuals named in the documents the Controller chooses to process.
Categories of Personal Data: as determined by the Controller — typically names, addresses, tax IDs, and any other Personal Data contained in the documents.
Special categories: only if the Controller chooses to include them.

4. Processor duties

The Processor will (a) process Personal Data only on documented instructions; (b) ensure persons authorised to process Personal Data are subject to confidentiality; (c) implement appropriate technical and organisational measures (Section 5); (d) assist the Controller in fulfilling Data-Subject rights and Articles 32-36 GDPR; (e) make available all information necessary to demonstrate Article 28 compliance.

5. Security

The Processor maintains the measures described at /legal/gdpr.html#measures.

6. Sub-processors

The Controller grants general written authorisation for the Processor to engage Sub-processors listed at /legal/gdpr.html#subprocessors. The Processor will give 30 days' prior notice of any new Sub-processor; the Controller may object on reasonable data-protection grounds.

7. International data transfers

Where Personal Data is transferred outside the EEA / UK, the parties incorporate by reference the Standard Contractual Clauses (Module Two) adopted by the European Commission in Decision 2021/914 and, where relevant, the UK IDTA.

8. Assistance with data-subject rights

The Processor will provide reasonable assistance, including by appropriate technical and organisational measures, for the fulfilment of the Controller's obligation to respond to Chapter III GDPR requests.

9. Personal-data-breach notification

The Processor will notify the Controller without undue delay (within 72 hours of becoming aware) of any Personal Data Breach affecting Controller Personal Data.

10. Audits

Processor will share third-party audit reports on request. Additional audits at the Controller's expense, on 30 days' notice, no more than once per year.

11. Return & deletion

On termination the Processor will return or delete Personal Data, except where retention is required by law. Standard backups are overwritten within 30 days.

12. Liability

Each party's liability under this DPA is subject to the liability limits in the principal Service agreement, except where law forbids such limitation.

Counter-signed DPA: request via [email protected] with your account email and registered company name.