Data Processing Agreement (DPA)

ConsentMonitor — Tagstack SASU · Effective date: [DATE] · Version 1.0

Annex to the General Terms of Use of ConsentMonitor

Courtesy translation — This English version is provided for convenience only. In the event of any discrepancy, the French version shall prevail.

This Data Processing Agreement ("DPA") is entered into between:

  • The Customer (hereinafter the "Data Controller" or the "Customer"), as identified upon subscription to the ConsentMonitor service;
  • Tagstack SASU (hereinafter the "Data Processor" or "Tagstack"), SASU, [ADDRESS], SIREN [SIREN].

This DPA is an integral part of the ConsentMonitor GTU and is concluded pursuant to Article 28 of Regulation (EU) 2016/679 ("GDPR").

Article 1 — Purpose

1.1 This DPA defines the conditions under which Tagstack, as data processor, processes personal data on behalf of the Customer in the context of providing the ConsentMonitor service.

1.2 Tagstack undertakes to process personal data only on documented instructions from the Customer, including with regard to transfers of data outside the EU/EEA.

Article 2 — Description of processing

The details of the processing are as follows:

Element | Description
Subject matter | Automated verification of cookie/tracker compliance on Customer websites
Duration | Duration of the ConsentMonitor subscription
Nature of processing | Automated collection, storage, technical analysis, reporting
Purpose | Enable the Customer to monitor their website's cookie and tracker behaviour
Categories of data subjects | Customer's employees (service users)
Categories of personal data | Account data (name, email, organisation), technical check data (cookie names, request domains, screenshots)

Important note: the technical data collected during checks (cookie names without values, request domains without parameters) does not in principle contain any personal data of end users visiting the Customer's websites. This DPA nevertheless applies as a precautionary measure.

Article 3 — Processor obligations

3.1 Tagstack undertakes to process personal data only for the purpose described in Article 2 and in accordance with the Customer's documented instructions. If Tagstack considers that an instruction constitutes a violation of the GDPR or other EU data protection provisions, it shall immediately inform the Customer.

3.2 Tagstack ensures that persons authorised to process personal data have committed to confidentiality or are subject to a statutory confidentiality obligation.

3.3 Tagstack implements appropriate technical and organisational measures within the meaning of Article 32 of the GDPR, including: encryption of data in transit and at rest, role-based access control, access logging, regular backups, and security testing.

3.4 Tagstack shall only engage a sub-processor with the Customer's general written authorisation. The list of sub-processors is appended to this DPA (Annex 1). Tagstack will inform the Customer of any intended changes concerning the addition or replacement of sub-processors, giving the Customer the opportunity to object within thirty (30) days.

3.5 Taking into account the nature of the processing, Tagstack assists the Customer, insofar as possible, in fulfilling their obligation to respond to requests for the exercise of data subject rights (access, rectification, erasure, portability, etc.).

3.6 Tagstack assists the Customer in ensuring compliance with the obligations provided for in Articles 32 to 36 of the GDPR (security, breach notification, impact assessment), taking into account the nature of the processing and the information available to Tagstack.

3.7 At the Customer's choice, Tagstack shall delete or return all personal data at the end of the service provision, and destroy existing copies, unless required by law to retain them.

3.8 Tagstack makes available to the Customer all information necessary to demonstrate compliance with the obligations set out in Article 28 of the GDPR and allows for audits, including inspections, by the Customer or an auditor mandated by the Customer, subject to reasonable notice of thirty (30) days and a confidentiality agreement.

Article 4 — Breach notification

4.1 Tagstack shall notify the Customer without undue delay, and no later than 48 hours, after becoming aware of a personal data breach within the meaning of Article 33 of the GDPR.

4.2 This notification shall contain at a minimum: the nature of the breach, the categories and approximate number of data subjects affected, the likely consequences, and the measures taken or proposed to remedy it.

Article 5 — International transfers

5.1 Tagstack shall only transfer personal data outside the EU/EEA on the basis of appropriate safeguards in accordance with Chapter V of the GDPR, in particular the Standard Contractual Clauses adopted by the European Commission.

5.2 The list of sub-processors and their locations are set out in Annex 1.

Article 6 — Duration

6.1 This DPA takes effect upon the Customer's acceptance of the GTU and remains in force for the duration of the ConsentMonitor subscription.

6.2 Tagstack's obligations regarding confidentiality and data deletion survive the termination of the contract.

Article 7 — Governing law

7.1 This DPA is governed by French law and the GDPR.

7.2 Any dispute relating to this DPA shall be submitted to the competent courts designated in the GTU.

Annex 1 — List of sub-processors

Sub-processor | Service | Data processed | Location | Safeguards
Cloudflare, Inc. | Hosting, CDN, database (D1), tag management (Zaraz) | All service data | EU / US | SCCs, Cloudflare DPA
Google LLC | Analytics (GA4) | Anonymised browsing data | EU / US | SCCs, EU region enabled
Stripe, Inc. | Payment | Billing data | EU / US | PCI DSS, SCCs
Axeptio (Agilitation SAS) | CMP | Consent choices | France / EU | EU hosting