Indris Studio
Data Processing Agreement
Personal data processing terms for the indris.studio service and platform.
Version: 19/03/2026
French Version Prevails
This English version is provided for convenience only. In the event of any discrepancy between the French and English versions, the French version shall prevail.
French versionPreamble
The Client has subscribed to the architectural visualization services offered by Indris Studio, governed by the General Terms and Conditions of Sale (the "Main Agreement").
In the performance of these services, notably through use of the indris.studio web application, Indris Studio may process personal data on behalf of the Client, such as project data, plans, 3D files, and professional contact details.
In accordance with the requirements of applicable data protection law, and in particular Article 28 of Regulation (EU) 2016/679 (GDPR), the Parties have entered into this Data Processing Agreement (the "DPA") in order to define the conditions under which the Processor (Indris Studio) undertakes to carry out personal data processing operations on behalf of the Controller (the Client).
It has been agreed as follows:
Article 1. Identification of the Parties and Qualification of Their Roles
1.1 Parties
This Data Processing Agreement (the "DPA") is entered into between:
The Client, a natural or legal person acting for professional purposes, identified in the quote, purchase order, client account created on the platform, or any other contractual document accepted between the parties (the "Client");
and
Indris Studio, an EURL with share capital of EUR 1,000, whose registered office is located at 200 rue de la Croix Nivert, 75015 Paris, France, registered with the Paris Trade and Companies Register under number 101 367 274, intra-Community VAT number FR 44101367274, operating the platform accessible notably at indris.studio ("Indris Studio").
The Client and Indris Studio are individually referred to as a "Party" and together as the "Parties".
1.2 Qualification of the Roles for Processing Covered by This DPA
For personal data processing falling within the scope of this DPA, namely processing carried out by Indris Studio on behalf of the Client in connection with the provision of the service, including making the platform available, hosting, storage, organization, consultation, transmission, deletion, technical support, maintenance, backup, logging, and securing the data and content entrusted by the Client:
- the Client acts, in principle, as controller, insofar as it determines the purposes pursued and the essential characteristics of the processing of personal data integrated or transmitted in connection with its use of the service;
- Indris Studio acts as processor, insofar as it processes such personal data on behalf of the Client and in accordance with the Client's documented instructions, under the conditions set out in this DPA and the main agreement.
1.3 Indris Studio's Own Processing
The Parties expressly acknowledge that Indris Studio may also act as a separate and independent controller for personal data processing carried out for its own purposes, independently from processing carried out on behalf of the Client.
This separate capacity notably includes, where applicable:
- management of the contractual and commercial relationship;
- creation and administrative management of client accounts;
- invoicing, accounting, and payment management;
- fraud prevention, general security of its systems, and defense of its rights;
- compliance with its legal, regulatory, tax, and accounting obligations;
- management of litigation and pre-litigation matters;
- where applicable, its own commercial prospecting, in compliance with applicable regulations.
Such own processing does not fall within this DPA and remains governed by the contractual documents and privacy information applicable to Indris Studio in its capacity as controller.
1.4 Primacy of the Reality of the Operations
The Parties agree that the qualification of their roles is assessed processing operation by processing operation, in light of the reality of the operations actually implemented. Consequently, if a particular processing operation should, under applicable law, receive a qualification different from that stated in this article, that qualification shall prevail for the relevant operation, without affecting the qualification of other processing operations.
1.5 No Joint Controllership by Default
Unless expressly stipulated otherwise or unless a different legal qualification is imposed by the nature of a specific processing operation, the Parties acknowledge that this DPA is not intended to establish joint controllership between the Parties within the meaning of applicable personal data protection law.
Article 2. Purpose of the DPA
2.1 Purpose
This DPA is intended to define the conditions under which Indris Studio, in its capacity as processor, is authorized to process, on behalf of the Client, personal data covered by the processing operations governed by this DPA, in connection with the provision of the service and the performance of the main agreement.
This DPA applies exclusively to personal data processing carried out by Indris Studio for the purposes of making available, operating, securing, and supporting the service provided to the Client.
2.2 Scope of Covered Services
Within the limits of the features subscribed to by the Client, the selected settings, the service documentation, and the Client's documented instructions, this DPA notably covers processing operations related to the following services:
- making available and operating the platform accessible to the Client;
- hosting, storage, retention, organization, and making available files, documents, deliverables, comments, attachments, project data, and content imported or generated in connection with the service;
- technical management of user accounts, authentication, authorizations, access, and permissions within the platform;
- management of exchanges, interactions, validations, comments, transmissions, and collaboration operations around the Client's projects within the service;
- performance of technical support, corrective, evolutionary, or preventive maintenance, user assistance, diagnostics, backup, restoration, supervision, logging, and platform and data security operations;
- more generally, any technical operation strictly necessary for performance of the service, its continuity, integrity, availability, and security.
2.3 Processing Related to Artificial Intelligence Features
Where the service includes, on the date of contract performance or subsequently, features involving automated or AI-assisted processing, this DPA also covers the personal data processing strictly necessary to provide those features, provided that they are actually offered in the service, activated for the Client, or required for performance of the agreed service.
Any such processing may be implemented by Indris Studio only for performance of the service, in accordance with the main agreement, this DPA, the applicable service documentation, and the Client's documented instructions.
Unless the Client gives express written consent, Indris Studio does not use the data, documents, project content, or deliverables covered by this DPA to train artificial intelligence models for its own account.
2.4 Scope Limitation
This DPA does not cover personal data processing carried out by Indris Studio for its own purposes, as a separate controller, notably for management of the contractual and commercial relationship, invoicing, accounting, compliance with its legal obligations, internal system security, fraud prevention, dispute management, or its own prospecting where applicable.
Such processing remains excluded from the scope of this DPA and falls under the contractual documents and privacy information applicable to Indris Studio in its own capacity as controller.
The detailed description of the processing operations covered by this DPA appears in Annex 1 and Article 4 below.
Article 3. Term
3.1 Effective Date
This DPA takes effect on the earliest of the following dates:
- acceptance of the main agreement by the Client;
- express acceptance of this DPA by the Client, notably when validating an order, accepting a quote, creating or activating an account, or using any other contracting or acceptance method proposed by Indris Studio;
- the actual start of the Client's use of the service, where such use involves personal data processing falling within this DPA.
3.2 Term of Application
This DPA remains in force throughout the term of performance of the main agreement binding the Parties, as well as during any period in which Indris Studio processes personal data on behalf of the Client in connection with the services covered by this DPA.
Consequently, this DPA ceases, in principle, on the date of expiry, termination, rescission, non-renewal, or cessation, for any reason, of the main agreement, subject to the provisions of this article that are intended to survive such cessation.
3.3 Survival of Certain Provisions
Notwithstanding cessation of the main agreement and/or this DPA, the following remain applicable for the period necessary to give them full effect:
- confidentiality obligations;
- obligations relating to personal data security;
- obligations relating to return, export, deletion and, where applicable, technically unavoidable or legally required residual archiving;
- cooperation, information, and assistance obligations in the event of a data breach, claim, request from a data subject, audit by a competent authority, or administrative, pre-litigation, litigation, or judicial proceeding relating to processing carried out during performance of the agreement;
- provisions relating to demonstration of compliance, documentation, and audit rights, to the extent strictly necessary to allow the Client to verify Indris Studio's compliance with its obligations for processing carried out before the DPA ceased.
3.4 Post-Contractual Confidentiality
The confidentiality obligations applicable under this DPA remain in force for as long as Indris Studio or its authorized subprocessors retain or hold, in any form, the relevant personal data, and then for any additional period provided by the main agreement or applicable law. In this respect, the GTCS already provide for a general confidentiality obligation during the contractual relationship and for five (5) years after its cessation.
3.5 End of Processing on Behalf of the Client
Upon cessation of this DPA, Indris Studio ceases processing personal data on behalf of the Client, except to the extent that:
- temporary residual processing remains strictly necessary to carry out return, export, deletion, backup purge, end-of-service security, or technical closure operations;
- retention of certain data is required by a legal or regulatory obligation;
- limited retention of certain information is strictly necessary for the establishment, exercise, or defense of Indris Studio's rights.
In these cases, the relevant data remains subject to the confidentiality and security obligations set out in this DPA for as long as it is retained.
3.6 Autonomy of This Article
Cessation of the main agreement does not affect the validity or enforceability of the provisions of this DPA that, by their nature, are intended to continue producing effects after the end of the contractual relationship.
Article 4. Description of Processing
4.1 General Description
In connection with performance of the services covered by this DPA, Indris Studio is authorized to process, on behalf of the Client, the personal data strictly necessary to provide the service, perform the agreed service, operate the platform technically, manage access, collaborate around projects, and ensure continuity, security, and support of the service.
The processing referred to in this article relates to personal data that the Client, its authorized users, or its contacts enter, import, transmit, consult, modify, share, or delete when using the service.
4.2 Nature of the Processing Operations
The processing operations that may be carried out by Indris Studio on behalf of the Client include, depending on the features used and the Client's documented instructions:
- collection or receipt of data when accounts are created, the platform is used, content is imported, or messages, comments, or attachments are sent;
- recording, organization, structuring, classification, indexing, and retention of data and content;
- hosting, storage, technical duplication, backup, restoration, and temporary technical archiving;
- consultation, display, making available, downloading, sharing, and, more generally, accessibility of content to authorized users;
- technical transmission of data between authorized users, project spaces, integrated services, and technical components necessary for performance of the service;
- logging of technical events, accesses, operations, and actions carried out in the service;
- detection, analysis, diagnosis, and resolution of incidents, anomalies, errors, or technical difficulties;
- support, assistance, and corrective, preventive, or evolutionary maintenance operations, strictly to the extent necessary to provide the service;
- deletion, purging, return, or export of data, under the conditions set out in this DPA and the main agreement.
4.3 Purposes of Processing
Processing carried out by Indris Studio on behalf of the Client has only the following purposes:
- performance of the services ordered by the Client;
- making available and operational operation of the platform;
- management of user accounts, authorizations, access, and permissions;
- management of exchanges, comments, validations, transmissions, and collaborations around the Client's projects;
- hosting, storage, and security of files, documents, deliverables, attachments, and project data;
- technical administration of the service, including supervision, business continuity, backup, restoration, and incident prevention;
- technical support and assistance to authorized users;
- where applicable, performance of automated or AI-assisted features actually offered in the service and activated by the Client, strictly within the limits necessary to provide the relevant service.
4.4 Categories of Personal Data Processed
The categories of personal data that may be processed on behalf of the Client include in particular:
- professional identification data: surname, first name, title, position, company, entity, department, or role in the project;
- professional contact details: professional email address, professional telephone number, professional address, and other contact details;
- account and authentication data: user identifier, login information, authorization data, passwords in protected form where applicable, login histories, and elements necessary for authentication security;
- data relating to projects and imported files: documents, plans, facade drawings, sections, elevations, models, 3D files, PDF documents, visual references, comments, annotations, instructions, briefs, correction requests, validations, messages, attachments, and more generally any content transmitted by the Client in connection with the service;
- metadata associated with content and projects: file name, type, size, format, date, author, version, action history, relevant project space, and other technical or functional metadata;
- logging and traceability data: access logs, event logs, IP address, date and time of actions, technical identifiers, device or session information, security logs, and application logs;
- assistance and support data: content of support requests, exchanges relating to incidents, screenshots, excerpts, or technical elements communicated in connection with support;
- where applicable, data contained in inputs, outputs, instructions, or results linked to an artificial intelligence feature actually used in connection with the service.
4.5 Categories of Data Subjects
The categories of data subjects concerned by the processing covered by this DPA may include in particular:
- employees, officers, partners, collaborators, consultants, or representatives of the Client;
- authorized users of the platform created, invited, or administered by the Client;
- the Client's project contacts;
- partners, joint contractors, subcontractors, design offices, architects, urban planners, landscape designers, engineers, quantity surveyors, project managers, contracting authorities, developers, companies, and other stakeholders mentioned in project documents or exchanges;
- institutional, administrative, or public contacts mentioned in project documents or exchanges, including, where applicable, elected officials, examining departments, local authorities, or administrations;
- prospects, end clients, purchasers, occupants, investors, or other third parties whose data may appear in documents, files, or exchanges transmitted by the Client;
- more generally, any natural person whose personal data is integrated by the Client into content, files, documents, comments, messages, or attachments falling within the service.
4.6 Data Present Incidentally or Unintentionally
The Parties acknowledge that files, documents, models, plans, attachments, exchanges, or other content imported or transmitted by the Client may contain personal data incidentally, accessorily, or unintentionally, which does not constitute the main subject of the service but appears in content entrusted to Indris Studio.
Such data may notably result from:
- the content of the transmitted documents themselves;
- annotations, comments, or exchanges associated with the project;
- metadata embedded in files;
- elements appearing in plans, tables, schedules, minutes, contact lists, correspondence, or administrative documents attached to the project.
Indris Studio processes such data only to the extent strictly necessary for performance of the service, technical operation of the platform, security, backup, support, and, more generally, compliance with the Client's documented instructions.
4.7 Evolving and Controlled Nature of the Description
This description is understood as covering processing reasonably necessary for the features subscribed to by the Client and actually used in the service. It must be interpreted in light of the main agreement, the applicable service documentation, the settings selected by the Client, and, where applicable, Annex 1 relating to the detailed description of processing.
Article 5. Processing Only on Documented Instructions
5.1 Principle
Indris Studio processes the personal data covered by this DPA only on documented instructions from the Client, acting as controller, and exclusively for the purposes and within the limits defined by the main agreement, this DPA, and the applicable service documentation.
Indris Studio shall not use personal data processed on behalf of the Client for its own purposes, subject to the processing it carries out as a separate controller for its own purposes, as identified in this DPA.
5.2 Initial Instructions of the Client
The Parties agree that the Client's initial documented instructions include in particular:
- the main agreement, including the quote, validated order, specific terms, and any contractual document accepted between the Parties;
- this DPA and its annexes;
- the functional and technical service documentation made available by Indris Studio;
- the settings, configurations, administration choices, authorizations, permissions, user invitations, project spaces, activated options, and, more generally, steering actions carried out by the Client or its authorized users in the service;
- support requests, operating instructions, or assistance requests made in writing by the Client, to the extent compatible with the main agreement, this DPA, and applicable law.
5.3 Additional Instructions
Any additional instruction from the Client that is not already covered by the initial documented instructions and that may:
- significantly modify the nature, scope, or purposes of the processing;
- impose specific developments, settings, manual operations, extractions, restrictions, investigations, or compliance measures;
- or affect the technical, organizational, timing, or economic conditions of the service,
must be made in writing and be sufficiently precise to allow Indris Studio to assess its scope, lawfulness, feasibility, and, where applicable, its operational or financial consequences.
Where applicable, performance of such an additional instruction may be subject to Indris Studio's written validation and/or the conclusion of an amendment, additional quote, or update to the applicable contractual documents.
5.4 Manifestly Unlawful or Non-Compliant Instruction
If Indris Studio considers that an instruction from the Client is manifestly contrary to applicable personal data protection law, or more generally to any rule of law applicable to the relevant processing, it informs the Client as soon as possible.
In such a case, Indris Studio may suspend performance of the disputed instruction for the time strictly necessary to obtain clarification, regularization, or a compliant instruction, without such suspension, where justified, being considered a contractual breach by Indris Studio.
5.5 Processing Required by Law
By way of derogation from this article, if Indris Studio is required to process certain personal data under European Union law or French law applicable to it, it informs the Client before the relevant processing, unless the law prohibits such information on important grounds of public interest. This rule is expressly set out in Article 28(3)(a) GDPR.
5.6 No General Obligation to Legally Monitor the Client
Under this DPA, Indris Studio is not required to carry out a general and abstract review of the lawfulness of all data, documents, files, content, comments, instructions, or business decisions of the Client. The Client remains solely responsible for defining the purposes pursued, the legal basis for the processing it implements, the relevance of the data imported, and the lawful nature of the instructions it gives to Indris Studio, subject to the alert obligation set out in this article.
Article 6. Confidentiality of Authorized Persons
6.1 Access Reserved to Authorized Persons Only
Indris Studio ensures that access to personal data processed on behalf of the Client is strictly limited to the persons it authorizes for the purposes of performing the service, support, maintenance, security, technical administration, or performance of its obligations under this DPA.
6.2 Need-to-Know Access Limitation
Indris Studio ensures that each person authorized to access personal data may access it only to the extent strictly necessary for the performance of their duties, functions, or interventions, in accordance with the need-to-know principle.
Access rights are assigned according to the actual responsibilities of the persons concerned, their level of intervention, and the scope strictly necessary for performance of the operations entrusted to them.
6.3 Confidentiality Obligation
Indris Studio ensures that any person authorized to process personal data under this DPA is subject, before any access to such data, to an appropriate contractual or legal confidentiality obligation covering all data, information, documents, files, content, exchanges, and elements brought to their knowledge in connection with such processing.
This confidentiality obligation remains applicable for the entire duration of access to the relevant data and after cessation of the relevant person's functions, duties, or interventions, for the period necessary to protect the data and information concerned.
6.4 Internal Access Governance
Indris Studio implements appropriate organizational measures to govern the assignment, modification, and withdrawal of access authorizations to personal data processed on behalf of the Client.
In particular, Indris Studio ensures that authorizations are limited to the necessary scope, reviewed regularly where relevant, and withdrawn without undue delay when access is no longer justified.
6.5 Compliance With the Client's Instructions
Persons authorized by Indris Studio to access personal data may process it only in connection with the functions entrusted to them and in accordance with the Client's documented instructions, as defined in this DPA.
Article 7. Appropriate Security Measures
7.1 General Security Principle
Indris Studio undertakes to implement and maintain, throughout the term of this DPA, appropriate technical and organizational measures to ensure a level of security appropriate to the risk presented by personal data processing carried out on behalf of the Client.
These measures are defined having regard, in particular, to the state of knowledge, implementation costs, the nature, scope, context, and purposes of the relevant processing, as well as the risks, varying in likelihood and severity, to the rights and freedoms of natural persons.
7.2 Objectives of the Security Measures
The measures implemented by Indris Studio are intended in particular, depending on the nature of the service and the relevant processing:
- to preserve the confidentiality, integrity, availability, and resilience of systems, applications, services, and data;
- to prevent unauthorized access, unauthorized disclosure, alteration, loss, destruction, or accidental or unlawful unavailability;
- to allow, to a reasonable and appropriate extent, restoration of the availability of and access to personal data within appropriate timeframes in the event of a physical or technical incident;
- to ensure a level of traceability, control, and supervision appropriate to the processing covered by this DPA;
- to verify and periodically evaluate the effectiveness of the security measures implemented.
7.3 Security Annex
A more detailed description of the technical and organizational measures implemented by Indris Studio appears in Annex 2 - Technical and Organizational Security Measures, which forms an integral part of this DPA.
That annex may notably describe, depending on the services and components actually used:
- logical access control and authorization management measures;
- measures relating to authentication and account security;
- logging, traceability, and supervision measures;
- backup, restoration, and technical continuity measures;
- measures protecting data in transit and, where applicable, at rest;
- measures for vulnerability, patch, incident, and technical environment management;
- measures governing authorized persons and, where applicable, subprocessors.
7.4 Evolving Nature of the Security Measures
The Client acknowledges that applicable security measures may evolve during performance of the agreement in order to account for technical developments, identified risks, the state of the art, the service architecture, legal or regulatory requirements, and security best practices.
Indris Studio may therefore modify, replace, or supplement certain security measures, provided that it does not substantially reduce the overall level of protection applicable to the processing covered by this DPA.
7.5 Measures Adapted to the Scope of the Service
The security measures implemented by Indris Studio apply to the processing covered by this DPA within the limits of the services provided, the technical components operated, the features used by the Client, and the obligations respectively incumbent on the Parties.
Article 8. Subprocessors
8.1 Controlled General Authorization
The Client generally authorizes Indris Studio to use subprocessors for performance of all or part of the personal data processing covered by this DPA, subject to compliance with the conditions defined in this article.
The list of subprocessors authorized on the effective date of this DPA appears in Annex 3 - List of Authorized Subprocessors.
8.2 Information in Case of Addition or Replacement
Indris Studio informs the Client, by any appropriate written means, of any planned addition or replacement of a subprocessor likely to have an impact on the processing covered by this DPA.
This information is provided within a reasonable period before the contemplated change takes effect and specifies, to the useful and available extent, the identity of the relevant subprocessor, the nature of the services provided, the role performed, the main location of the relevant processing or hosting, and, where applicable, useful information relating to transfers of data outside the European Economic Area.
8.3 Client's Right to Object
The Client may issue a written objection, reasoned and based on serious grounds relating to the protection of personal data, against the use of a new subprocessor or the contemplated replacement of an existing subprocessor.
Except in cases of legitimate urgency, security requirement, legal obligation, or service continuity necessity, this objection must be notified to Indris Studio within fifteen (15) calendar days from receipt of the information provided under Article 8.2.
In the event of an admissible objection, the Parties shall consult in good faith to identify a reasonable solution preserving service continuity and an appropriate level of personal data protection.
Failing a reasonable solution within a period compatible with the applicable technical and contractual constraints, Indris Studio may, as the case may be, not implement the contested change for the relevant Client, suspend the affected feature or component, or propose termination of the service or part of the service directly affected, without any right to compensation other than, where applicable, a pro rata refund of sums paid in advance for the unperformed period of the relevant service.
8.4 Contractual Governance of Subprocessors
Where Indris Studio uses a subprocessor to carry out specific processing activities on behalf of the Client, it ensures that it enters into a written contract with such subprocessor imposing on it, for the relevant processing, personal data protection obligations providing a substantially equivalent level of protection to that set out in this DPA, notably regarding:
- processing only on documented instructions;
- confidentiality;
- security;
- use of additional subprocessors;
- assistance;
- notification of data breaches;
- return or deletion of data;
- making available the information necessary to demonstrate compliance.
8.5 Responsibility of Indris Studio
Indris Studio remains fully responsible to the Client for the proper performance by its subprocessors of the personal data protection obligations applicable to them for the processing covered by this DPA.
Use of a subprocessor shall not have the effect of reducing or excluding Indris Studio's contractual and legal obligations toward the Client.
8.6 Scope of the Authorization
The authorization provided in this article applies only to subprocessors involved in performance of the services covered by this DPA and only for the technical, operational, or support purposes necessary for such performance.
It does not cover third-party services, tools, applications, integrations, or providers chosen, imposed, activated, or administered directly by the Client outside Indris Studio's standard offering, unless expressly stipulated otherwise in the applicable contractual documents.
Article 9. Assistance to the Controller
9.1 General Principle of Assistance
Indris Studio assists the Client, to a reasonable and appropriate extent, taking into account the nature of the processing covered by this DPA, the information available to it, and its role as processor, so that the Client can comply with its own personal data protection obligations.
This assistance is provided only for processing covered by this DPA and within the limits of the services provided by Indris Studio.
9.2 Assistance Relating to Requests to Exercise Rights
To the extent the relevant processing falls under this DPA, Indris Studio reasonably assists the Client so that the Client can respond to requests by data subjects to exercise their rights, including requests for access, rectification, erasure, restriction, objection, or, where applicable, portability.
Where Indris Studio directly receives a request from a data subject relating to data processed on behalf of the Client, it forwards the request to the Client as soon as possible, unless it is legally required to respond itself.
The Client remains solely responsible for assessing the admissibility of the request, the relationship with the data subject, the decision to be made, and, more generally, compliance with its legal obligations as controller.
9.3 Assistance Relating to Security and Data Breaches
Indris Studio reasonably assists the Client so that the Client can comply with its obligations regarding security of processing, assessment of incidents affecting personal data, and, without prejudice to Article 10 of this DPA, management of personal data breaches.
This assistance may notably include, depending on the case and to the applicable extent:
- communication of useful information available to Indris Studio concerning the relevant incident or breach;
- reasonable cooperation to classify the event, assess its scope, and limit its effects;
- reasonable support in collecting the elements necessary to document the incident and, where applicable, to make notifications or communications for which the Client is responsible.
9.4 Assistance Relating to Impact Assessments and Prior Consultation
Where the Client considers that a data protection impact assessment is required for processing covered by this DPA, Indris Studio provides, to a reasonable extent, the information available to it and the assistance necessary concerning aspects of the processing falling within its services.
Where applicable, Indris Studio also reasonably assists the Client with any prior consultation of the competent supervisory authority, insofar as such consultation concerns processing carried out on behalf of the Client under this DPA and subject to the information actually available to Indris Studio.
9.5 Terms of Assistance
Except in justified emergencies, the Client's requests for assistance are made in writing and include sufficient detail to allow Indris Studio to assess their purpose, scope, and degree of urgency.
Indris Studio provides the assistance set out in this article within reasonable timeframes, taking into account the nature of the request, its urgency, complexity, available information, and applicable technical or organizational constraints.
Where the request for assistance manifestly exceeds the scope of assistance reasonably expected from a processor under this DPA, involves specific developments, extensive searches, unusual extractions, significant mobilization of resources, or services not included in the standard service, Indris Studio may make its performance subject to a specific agreement on its terms, schedule, and, where applicable, financial conditions.
9.6 Limits of Assistance
The assistance provided by Indris Studio under this article does not transfer to the processor the legal obligations incumbent on the Client as controller.
In particular, Indris Studio is not required under this article to substitute for the Client in assessing the legal basis of processing, drafting information notices, deciding the admissibility of a rights request, deciding whether an impact assessment is necessary, or itself making, in place of the Client, notifications or consultations for which the Client is responsible.
Article 10. Notification of Data Breaches
10.1 Notification Principle
Indris Studio notifies the Client, without undue delay after becoming aware of it, of any personal data breach affecting processing carried out on behalf of the Client under this DPA.
This notification is sent to the point of contact designated by the Client for data protection matters or, failing that, to any relevant contractual or operational contact communicated by the Client.
10.2 Content of the Initial Notification
The initial notification includes, to the extent of information then available, the useful elements allowing the Client to assess the nature and scope of the breach, including:
- a description of the nature of the breach and, where possible, the category of the relevant incident;
- the estimated date or period of occurrence and the date of detection;
- the categories of personal data concerned;
- the categories of data subjects potentially affected;
- the known or reasonably suspected consequences of the breach;
- the first measures taken or contemplated to contain, correct, mitigate, or secure the situation;
- any other reasonably available useful information allowing the Client to comply with its own legal obligations.
10.3 Additional Information
Where all useful information is not available at the time of the initial notification, Indris Studio sends the Client, without undue delay, the additional information available to it as it becomes available.
10.4 Cooperation and Assistance
Indris Studio reasonably cooperates with the Client so that the Client can:
- analyze the nature, origin, extent, and effects of the breach;
- take appropriate containment, correction, remediation, and mitigation measures;
- document the breach and the measures taken;
- comply, where applicable, with its obligations to notify the competent supervisory authority and communicate with data subjects;
- prepare, where necessary, useful elements in the event of an audit, claim, litigation, or request from a competent authority.
10.5 Allocation of Roles
The Client remains solely responsible for assessing the legal qualification of the breach in light of its own obligations, deciding whether to notify the competent supervisory authority, deciding whether to communicate the breach to data subjects, and determining the final content of such notifications or communications.
Unless a contrary legal obligation applies directly to Indris Studio, notifications to a supervisory authority or to data subjects in respect of processing covered by this DPA are made by the Client or on the Client's documented instructions.
10.6 Protective Measures
Indris Studio takes, to the extent reasonably necessary and appropriate, protective measures within its scope in order to limit the effects of the breach, prevent recurrence of the incident, and preserve useful elements for analysis and traceability of the event.
10.7 Applicable Procedure
The practical notification methods, communication channels, point of contact, expected minimum information, and update schedule may be specified in Annex 4 - Incident / Breach Procedure, which forms an integral part of this DPA.
Article 11. Fate of Data at the End of the Agreement
11.1 General Principle
At the end of the main agreement, or earlier where applicable upon closure of a project, service, or relevant space, Indris Studio, at the Client's choice and subject to applicable legal or regulatory obligations, returns to the Client or deletes the personal data processed on its behalf under this DPA.
Until their actual return or deletion, the relevant data remains subject to the confidentiality and security obligations set out in this DPA.
11.2 Client Choice and Default Rule
The Client may, by written instruction, request:
- either return of the relevant data before deletion;
- or deletion without prior return.
Failing a contrary written instruction from the Client within the timeframes provided in this article, the Parties expressly agree that deletion is the default option applied.
11.3 Return of Data
Where the Client requests return of its data before expiry of the applicable deletion periods, Indris Studio returns, to a reasonable and technically possible extent, only the final deliverables made available to the Client under the main agreement.
Standard return is limited, within the limits of items actually available in the service on the date of the request, to final deliverables consisting of image files or video files, in the format in which such deliverables are available in the service or, failing that, in a format commonly used for this type of deliverable.
Unless expressly stipulated otherwise in the main agreement, the return obligation under this article does not entail delivery of:
- methods, tools, workflows, libraries, templates, or processes proprietary to Indris Studio;
- prompts, working scenes, native files, intermediate versions, or preparatory elements belonging to Indris Studio;
- security logs, internal technical traces, supervision elements, or information whose communication would compromise the security of systems or the rights of Indris Studio or third parties;
- files, documents, models, 3D models, textures, plans, references, attachments, project content, or other source elements transmitted by the Client for the purposes of the service.
Elements transmitted by the Client for the purposes of the service are not returned under this article. They remain subject to the retention and deletion rules set out in this DPA and may, where applicable, be deleted by the Client from the service where this feature is available.
The return or export request must be made in writing by the Client before expiry of the deletion periods applicable under this article. Failing this, deletion remains the option applied in accordance with this DPA.
Any service exceeding standard return, including any specific extraction, conversion into a non-standard format, historical reconstruction, particular sorting, migration assistance, assistance with reimport into a third-party system, or manual reversibility intervention, shall be performed only upon written request from the Client and may be subject to separate technical, scheduling, and financial conditions.
11.4 Rapid Deletion of Project Source Data
Unless a contrary legal obligation, need to defend rights, or different written instruction from the Client applies, Indris Studio deletes project source data processed on behalf of the Client under the following conditions:
- plans, sections, elevations, models, 3D files, PDF documents, attachments, visual references, comments, annotations, project exchanges, and, more generally, content transmitted by the Client for performance of the service are deleted from active environments as soon as possible after final delivery and closure of the relevant project or service, and no later than fifteen (15) calendar days from such closure;
- where the main agreement ends while no project is still being performed, such data is deleted from active environments no later than fifteen (15) calendar days from termination of the agreement, unless a return request is made within the same period.
Deletion means removal of operational access to the data and erasure from active environments operated by Indris Studio, subject to the special regime applicable to backups and technical residues set out in this article.
11.5 Minimal Account, Access, and Authentication Data
By way of derogation from the provisions relating to rapid deletion of project source data, Indris Studio may retain data strictly necessary for user account management, authentication, access security, and continued availability of deliverables to the Client, notably the login email address, account identifier, account status, authorization information, and strictly necessary technical access or authentication logs.
This data is retained for the duration of activity of the relevant account or, where the Client must continue to access deliverables through the platform, for the period strictly necessary to maintain such access.
When the account is no longer intended to remain active and no access to deliverables needs to be ensured, such data is deleted or anonymized within a reasonable period, subject to data that must be retained for security, evidentiary, defense of Indris Studio's rights, or legal or regulatory compliance reasons.
Retention of this minimal account and access data does not, by itself, authorize retention of the project source data transmitted by the Client, which remains subject to the deletion provisions set out in this article.
11.6 Distinction Between Client Source Data and Final Deliverables
The Parties acknowledge that, in connection with Indris Studio's services, the source data and documents transmitted by the Client may be distinct from the final deliverables produced by Indris Studio.
Consequently, any retention by Indris Studio of final deliverables under the conditions set out in the main agreement does not, by itself, entail retention of the Client's source data.
However, if the final deliverables still contain personal data processed on behalf of the Client, their fate follows the regime set out in this article, unless their retention is based on a distinct purpose, a distinct legal capacity, and a properly identified legal basis.
11.7 Backups and Technical Residues
The Client acknowledges that certain data deleted from active environments may temporarily remain in backups, recovery systems, technical logs, or other technical residues that cannot be immediately modified.
This inability to delete immediately may result in particular from technical security constraints, immutability mechanisms, non-compressible retention cycles, deferred backup architectures, or restoration systems that do not allow immediate unit-by-unit erasure.
In this case:
- such data remains protected by the security and confidentiality measures set out in this DPA;
- it is not put back into production, consulted, extracted, or used, except where strictly necessary for a technical need relating to service continuity, restoration, security, preservation of evidence, or compliance with a legal or regulatory obligation;
- it is deleted or made permanently inaccessible according to Indris Studio's normal backup retention cycle, without exceeding ninety (90) days from deletion from active environments, unless a specific legal or technical constraint is duly justified.
11.8 Legal Exceptions and Minimal Residual Retention
In the event of exceptional restoration of a backup for continuity, recovery, or security purposes, the data thus restored remains subject to this DPA and is, as soon as reasonably possible, subject to the operations necessary to re-establish the deletion status applicable to data that was no longer intended to be retained.
By way of derogation from this article, Indris Studio may retain certain personal data or information strictly necessary:
- to comply with a legal or regulatory obligation;
- for the establishment, exercise, or defense of its rights;
- to manage a security incident, dispute, audit, or request from a competent authority;
- or to retain minimal technical elements necessary for the integrity, security, or proof of operations carried out.
Data so retained is limited to what is strictly necessary, remains subject to applicable confidentiality and security obligations, and may not be used for other incompatible purposes.
11.9 Confirmation of Deletion
Upon reasonable written request from the Client, Indris Studio provides written confirmation of deletion carried out under this article, covering the active environments and systems it directly administers, subject to data retained under the exceptions set out above and residual technical mechanisms not directly administrable by Indris Studio at the infrastructure level of its subprocessors.
Where applicable, this confirmation may take the form of a deletion certificate or an equivalent contractual confirmation.
Article 12. Information and Audit
12.1 Making Necessary Information Available
Indris Studio makes available to the Client, upon reasonable written request, the information necessary to demonstrate compliance with the obligations incumbent on Indris Studio under this DPA, to the extent such information relates to the processing covered by it and falls within the information actually available to Indris Studio.
This information may notably include, depending on the case and to the applicable extent:
- relevant contractual provisions relating to data protection;
- the annexes applicable to this DPA;
- the description of the technical and organizational measures implemented;
- useful information relating to authorized subprocessors;
- useful information relating to data breaches, incidents, deletions, or returns, where such events concern processing covered by this DPA;
- any document, summary, written response, certificate, report, procedure excerpt, evidentiary element, or equivalent information reasonably appropriate to demonstrate Indris Studio's compliance.
12.2 Principle of the Audit Right
Subject to the conditions set out in this article, Indris Studio allows and facilitates reasonable audits or inspections relating to personal data processing carried out on behalf of the Client under this DPA.
Such audits may be carried out either by the Client or by an independent third-party auditor appointed by the Client.
12.3 Priority of Proportionate Verification Methods
The Parties agree that the audit right is exercised in compliance with a principle of proportionality and minimization of operational disruption.
Consequently, unless duly justified special circumstances exist, the Client shall first use documentary or remote verification methods, such as review of contractual annexes, provision of certificates, reasonably available third-party audit reports, compliance questionnaires, written responses, minutes, summaries, security documents, reasonably available evidentiary elements, or clarification exchanges with Indris Studio.
An on-site audit or more intrusive inspection may be requested only if the elements so made available do not reasonably allow the Client to verify Indris Studio's compliance with respect to the relevant processing, or in the event of a significant security incident, data breach, request from a competent authority, or serious indications of a substantial breach.
12.4 Conditions for Exercising the Audit
Any audit or inspection is subject to the following conditions:
- the Client sends Indris Studio a written request specifying the purpose of the audit, its scope, the relevant processing, the planned diligence, the auditor's identity, the desired date, and the reasons justifying, where applicable, use of an on-site audit;
- except in justified emergencies, legal obligations, or requests from a competent authority, at least fifteen (15) calendar days' prior notice is observed;
- audits take place during Indris Studio's usual business hours and in a manner that limits disruption to its activities;
- their scope is strictly limited to processing covered by this DPA and shall not give access to confidential information of other clients, trade secrets, security measures whose disclosure would compromise overall system security, or any element exceeding what is necessary for the purpose of the audit;
- any auditor appointed by the Client must be independent, not be in a manifest conflict of interest, and be subject to an appropriate confidentiality undertaking; Indris Studio may refuse a direct competitor auditor or an auditor presenting a serious security or confidentiality risk, subject to proposing a reasonable alternative;
- audits may not include intrusive tests, vulnerability scans, penetration operations, mass extractions, or manipulations likely to affect the availability, integrity, or security of the services, unless Indris Studio gives prior written consent;
- unless exceptional circumstances are duly justified, the Client may not request more than one audit per twelve (12) month period.
12.5 Cooperation of Indris Studio
Indris Studio cooperates in good faith with the audit or inspection to the extent reasonably necessary and appropriate, notably by answering relevant questions, facilitating access to authorized information, taking part in useful exchanges, and, where justified, allowing reasonable access to relevant personnel or environments.
12.6 Expenses and Costs
Each Party bears its own costs for audits carried out under this article.
However, where an audit request is manifestly abusive, repetitive in breach of the limits provided in this article, or manifestly exceeds the scope reasonably necessary to verify Indris Studio's compliance for processing covered by this DPA, the Client bears the reasonable and duly justified additional costs incurred by Indris Studio as a result of such request.
Conversely, if an audit reveals a substantial and proven breach by Indris Studio of its obligations under this DPA, directly attributable to Indris Studio, the Parties may agree in good faith that Indris Studio will bear all or part of the reasonable and duly justified external costs of the relevant audit.
No provision of this article may be interpreted as requiring Indris Studio automatically to bear audit costs merely because the Client alleges an insufficiency, non-compliance, or technical weakness.
12.7 Audit Results and Corrective Measures
The Client communicates to Indris Studio the relevant conclusions of the audit to the extent they concern processing covered by this DPA.
Where the audit reveals a proven breach by Indris Studio of its obligations under this DPA, the Parties shall consult in good faith on the reasonably necessary corrective measures and on an appropriate compliance schedule, taking into account the nature of the breach, its risk level, and applicable technical constraints.
12.8 Confidentiality of Audit Information
All documents, information, exchanges, findings, reports, results, and elements obtained in connection with exercise of the audit right are confidential. They may be used by the Client only to verify Indris Studio's compliance under this DPA, to comply with a legal or regulatory obligation, or to exercise or defend rights in court.
Article 13. Precise Delimitation of Scope
13.1 Scope of Processing Covered by This DPA
This DPA applies exclusively to personal data processing carried out by Indris Studio on behalf of the Client in connection with making available and operating the platform, hosting and storing the Client's content and files, managing project spaces, collaborating around projects, support, maintenance, backup, logging, and, more generally, any technical operation strictly necessary to perform the service on behalf of the Client.
This DPA notably covers processing relating to data, files, documents, content, metadata, comments, attachments, and information imported, transmitted, hosted, consulted, shared, retained, or deleted through the platform by the Client or its authorized users, where such processing is performed by Indris Studio as processor.
13.2 Exclusion of Indris Studio's Own Processing
This DPA does not apply to personal data processing carried out by Indris Studio for its own purposes, as a separate and independent controller.
The following are notably excluded from the scope of this DPA, where applicable:
- management of the pre-contractual and contractual relationship with the Client;
- placement of orders;
- invoicing, accounting, payment management, and recovery;
- prevention and detection of fraud, abuse, unlawful use, or breaches of contractual terms;
- internal security of systems, networks, workstations, administrator accounts, technical environments, and infrastructure operated by Indris Studio;
- management of access to its own internal systems and general security of the application;
- production of statistics, audience measurements, technical indicators, performance metrics, operating logs, or analyses strictly necessary for operation, administration, security, improvement, or continuity of the service, where such processing is qualified and implemented by Indris Studio for its own purposes;
- administrative, tax, legal, and regulatory management of its business;
- establishment, exercise, and defense of its rights, as well as management of claims, pre-litigation, litigation, and requests from competent authorities.
13.3 Data That May Fall Under Distinct Qualifications Depending on the Purpose Pursued
The Parties acknowledge that the same category of personal data may, depending on the purpose pursued and the operation carried out, fall either within the scope of this DPA or within Indris Studio's own processing.
For example, identification, contact, login, authentication, logging, or support data may be processed:
- on the one hand, on behalf of the Client, when used in connection with performance of the service covered by this DPA;
- on the other hand, for Indris Studio's own purposes, when necessary for contractual management, internal security, fraud prevention, evidence, legal compliance, or general administration of its services.
In such a case, the applicable qualification is assessed operation by operation, according to the purpose actually pursued and the role actually performed by Indris Studio.
13.4 No Implied Extension of the DPA to Own Processing
No provision of this DPA may be interpreted as having the effect of:
- including Indris Studio's own processing within its scope;
- depriving Indris Studio of the ability to process certain data as controller where that qualification results from applicable law or the reality of the operations;
- or prohibiting Indris Studio from retaining and processing data strictly necessary to comply with its legal obligations, secure its services, manage the contractual relationship, or defend its rights.
13.5 Relationship With Other Contractual Documents
Indris Studio's own processing excluded from this DPA remains governed by the contractual documents, transparency information, and policies applicable to Indris Studio in its capacity as controller.
This DPA governs only processing carried out by Indris Studio as processor on behalf of the Client.
Article 14. Clear Allocation of Responsibilities
14.1 General Principle
For personal data processing covered by this DPA, the Client acts as controller and Indris Studio acts as processor, under the conditions set out in the main agreement, this DPA, and applicable law.
14.2 Responsibilities of the Client
The Client remains solely responsible, for the processing it determines and for which Indris Studio acts as processor, for:
- determining the purposes pursued and the applicable legal basis;
- informing data subjects and, more generally, complying with the obligations incumbent on it as controller;
- defining retention periods that meet its business needs and its own obligations;
- choosing the data, files, documents, content, and information that it imports, transmits, hosts, consults, shares, or deletes through the service;
- verifying that the data entrusted to Indris Studio is relevant, adequate, accurate, and not excessive;
- refraining from importing data unnecessary for the purpose pursued and, unless duly justified necessity and an appropriate legal framework exist, sensitive or particularly protected data;
- configuring, administering, and controlling access, authorizations, permissions, and profiles of its authorized users.
14.3 Obligations of Indris Studio
Indris Studio, for its part:
- processes the personal data covered by this DPA only on documented instructions from the Client, under the conditions set out in this DPA;
- implements and maintains, within its scope, appropriate technical and organizational measures, and ensures technical operation of the platform under the conditions set out in the main agreement and this DPA;
- reasonably assists the Client, within the limits set out in this DPA, so that the Client can comply with its own personal data protection obligations.
14.4 No Transfer of the Client's Own Obligations
No provision of this DPA may be interpreted as transferring to Indris Studio the obligations incumbent on the Client as controller.
The Client remains solely responsible for its choices relating to legal basis, information of data subjects, retention periods, data imported into the service, and access granted to its authorized users.
Article 15. Prohibition or Governance of Sensitive Data
15.1 Principle
Unless duly justified legal necessity exists and Indris Studio has given prior written consent, the Client shall not import, transmit, host, share, or, more generally, cause to be processed through the service:
- special categories of personal data within the meaning of Article 9 GDPR;
- personal data relating to criminal convictions and offenses within the meaning of Article 10 GDPR;
- or, more generally, any data whose processing would require, under applicable law, enhanced safeguards not provided in the standard framework of the service.
15.2 Controlled Exception
By way of derogation from the preceding paragraph, the Client may entrust such data to Indris Studio only if all the following conditions are met:
- the processing is strictly necessary for a specific purpose under the Client's responsibility;
- the Client has an appropriate legal basis authorizing it to carry out such processing;
- the Client has informed Indris Studio in advance, in writing, of the nature of the relevant data, the purpose pursued, and the particular constraints applicable;
- and Indris Studio has accepted, in writing, their processing within the service.
15.3 Special Conditions
In the event of exceptional acceptance, the Parties agree, where applicable, on the special conditions applicable to such processing, notably regarding access restrictions, appropriate enhanced measures, assistance terms, and retention, return, or deletion conditions for the relevant data.
Failing prior written agreement on these special conditions, such data must not be entrusted to Indris Studio in connection with the service.
15.4 Data Imported in Breach of This Article
If Indris Studio finds or is informed that data falling under this article has been imported or processed through the service in breach of the conditions above, it informs the Client as soon as possible.
Indris Studio may then, to the reasonably necessary and proportionate extent, request any useful regularization, require deletion or removal of the relevant data, suspend the relevant instruction or operation, or take any protective measure justified by applicable law, service security, or protection of data subjects.
15.5 Responsibility of the Client
The Client remains solely responsible for the decision to import such data into the service, the assessment of the necessity of such processing, compliance with applicable legal conditions, and, more generally, the particular obligations incumbent on it because of the nature of the relevant data.
Article 16. Governance of Transfers Outside the EEA
16.1 Principle
The Parties acknowledge that, depending on the services, technical components, and settings actually selected for performance of the service, the personal data covered by this DPA may be mainly hosted or stored in one or more regions located in the European Union or the European Economic Area.
The applicable main location for the relevant components may, where applicable, be specified in Annex 1, Annex 3, or the applicable contractual documentation.
However, the mere main location of hosting or storage may not be interpreted as excluding, by principle, any access, transfer, or making available of data outside the European Economic Area.
16.2 Transfer Scenarios
The Client acknowledges that certain processing necessary for performance of the service may, depending on the circumstances, involve a transfer of personal data outside the European Economic Area within the meaning of applicable law.
This article may notably cover certain support, maintenance, diagnostic, supervision, security, and technical administration operations, as well as the intervention of authorized subprocessors or technical components involving remote access, communication, transit, or making available of data from or to a country located outside the European Economic Area.
16.3 Legal Framework for Transfers
Any transfer of personal data outside the European Economic Area carried out in connection with processing covered by this DPA is governed in accordance with Chapter V GDPR by a transfer mechanism valid on the date of the transfer.
Depending on the case, this mechanism may result from an adequacy decision, standard contractual clauses adopted by the European Commission, or any other mechanism recognized by applicable law.
Indris Studio ensures, to the extent incumbent on it, that it uses for the relevant processing only recipients or subprocessors offering a framework compliant with the applicable requirements for international data transfers.
16.4 Information and Cooperation
Without prejudice to the provisions of this DPA relating to subprocessors and assistance owed to the Client, Indris Studio makes available to the Client, to a reasonable extent and only for processing covered by this DPA, the information available to it or that it can reasonably obtain concerning the main location of the relevant processing and, where applicable, the applicable transfer mechanism.
The Client remains solely responsible, in its capacity as controller, for assessing the lawfulness of transfers linked to the processing it determines, taking them into account in the information it provides to data subjects, and satisfying its own documentation, analysis, and compliance obligations.
Article 17. Explicit Reference to Google / Firebase as Authorized Subprocessor
17.1 Use of Google / Firebase
For performance of all or part of the processing covered by this DPA, the Client acknowledges and accepts that Indris Studio may use services provided in the Google Cloud and/or Firebase ecosystem, under the conditions set out in this DPA.
In this respect, the Client expressly authorizes use of the Google entities acting, depending on the services actually used, as subprocessors for technical purposes necessary for performance of the service.
17.2 Nature of the Relevant Services
Depending on the components actually used in the service, the services referred to in this article may notably concern hosting, storage, databases, authentication, logging, technical supervision, maintenance, support, and any associated technical feature strictly necessary to provide the service.
The details of the services, roles, main locations, types of access to data, and, where applicable, mechanisms applicable in the event of transfer outside the EEA, appear or may be specified in Annex 3 - List of Authorized Subprocessors.
17.3 Applicable Contractual Documentation
Use of the Google Cloud and/or Firebase services referred to in this article falls within the contractual and compliance documentation published by Google and applicable to the relevant services, including notably, depending on the case:
- Firebase Data Processing and Security Terms: https://firebase.google.com/terms/data-processing-terms
- Google Cloud Data Processing Addendum: https://cloud.google.com/terms/data-processing-addendum
and, where applicable, Google documentation relating to subprocessors and mechanisms governing international data transfers.
17.4 Relationship With Other DPA Provisions
The sole purpose of this article is to identify Google / Firebase explicitly as authorized subprocessor(s) for the relevant services.
It applies without prejudice to the provisions of this DPA relating to use of subprocessors, contractual governance of their interventions, Indris Studio's responsibility toward them, and, where applicable, transfers of data outside the European Economic Area.
Article 18. Detailed Documentation of Security Measures
18.1 Relationship With the General Security Obligation
The Parties acknowledge that the technical and organizational measures implemented by Indris Studio for the processing covered by this DPA fall under the general security obligation provided in this DPA and are described in more detail in Annex 2 - Technical and Organizational Security Measures, which forms an integral part of this DPA.
18.2 Categories of Documented Measures
Annex 2 may notably describe, depending on the services, technical components, environments, and features actually used:
- measures protecting data in transit and, where applicable, at rest;
- measures relating to authentication, access management, authorization review, segmentation of rights, and, where applicable, multifactor authentication for privileged or administrator accounts;
- logging, traceability, supervision, and security event detection measures;
- backup, restoration, technical continuity, and, where applicable, recovery measures;
- measures relating to testing, security maintenance, vulnerability management, and application of patches;
- measures governing technical environments, administration operations, support access, and, more generally, interventions likely to affect processing security;
- and internal procedures applicable to detection, classification, handling, documentation, and remediation of security incidents.
18.3 Scope and Level of Detail
The measures described in Annex 2 are understood as measures adapted to the scope of processing covered by this DPA, the architecture of the service, the components actually operated, the state of the art, and the reasonably identified risk level.
The level of detail appearing in Annex 2 may take into account the need to preserve Indris Studio's operational security, the confidentiality of its internal protection mechanisms, and the overall security of its systems and those of its other clients.
18.4 Evolution of Measures
Indris Studio may evolve the measures described in Annex 2 in order to account for technical developments, identified risks, incidents encountered, the state of knowledge, applicable security recommendations, or changes in its technical architecture, provided that it does not substantially reduce the overall level of protection applicable to the processing covered by this DPA.
18.5 Contractual Value of Annex 2
Annex 2 has contractual value between the Parties.
In the event of contradiction between a general description in the body of this DPA and a more precise description in Annex 2, the interpretation most consistent with the security obligation applicable to the processing covered by this DPA prevails, without reducing Indris Studio's legal obligations regarding personal data protection.
Article 19. Reference Timeframes
19.1 Principle of Coordination
The timeframes provided in this article are intended to specify, where useful, the timing for performance of certain obligations provided in this DPA.
They apply without prejudice to specific timeframes already provided by other provisions of this DPA, which prevail in case of contradiction.
19.2 Notification of Data Breaches
For purposes of Article 10, the obligation to notify without undue delay means an initial notification sent to the Client as soon as reasonably possible after Indris Studio becomes aware of a personal data breach affecting processing carried out on behalf of the Client and, unless reasonably justified impossibility exists, within a period not exceeding forty-eight (48) hours from such awareness.
Where all useful information is not available within this period, the initial notification may be partial, subject to sending, without undue delay, additional information available later.
19.3 First Response Timeframes for Assistance
For purposes of Article 9, and except in justified emergencies, Indris Studio provides the Client with an initial written response:
- within two (2) business days for requests of high urgency, notably where linked to a security incident, data breach, request from a competent authority, or approaching legal deadline;
- within five (5) business days for other assistance requests falling within the normal scope of this DPA.
Depending on the case, this first response may take the form of a detailed acknowledgment of receipt, request for clarification, partial response, or communication of a reasonable processing schedule where the request is particularly complex.
19.4 Prior Information in Case of Addition or Replacement of a Subprocessor
For purposes of Article 8.2, and except in cases of legitimate urgency, security requirement, legal obligation, or service continuity necessity, information relating to a planned addition or replacement of a subprocessor is provided to the Client at least fifteen (15) calendar days before the contemplated change takes effect.
The objection period provided in Article 8.3 runs from receipt of this information.
19.5 End of Agreement, Return, and Deletion
The timeframes applicable to return, deletion of data from active environments, and purging of backups or technical residues remain governed by Article 11 of this DPA.
In this respect, the Parties acknowledge that the numerical timeframes provided in that article constitute the reference timeframes applicable at the end of the agreement or at the end of a project, unless expressly stipulated otherwise in this DPA or the main agreement.
Article 20. Cooperation With Authorities and in Case of Litigation
20.1 Information in Case of Request From an Authority or Court
Subject to legal, regulatory, or judicial obligations directly binding on it, Indris Studio informs the Client, as soon as possible, of any request, injunction, requisition, investigative measure, decision, or other act from a competent authority or court concerning personal data processed on behalf of the Client under this DPA.
However, such information is not due to the extent such communication is prohibited to Indris Studio by law, by a decision of a competent authority, or by any legally enforceable confidentiality obligation.
20.2 Reasonable Cooperation
In the event of an audit, request for information, administrative, pre-litigation, litigation, or judicial proceeding relating to processing covered by this DPA, Indris Studio reasonably cooperates with the Client, within the limits of the information available to it, the scope of the services provided, and the obligations actually incumbent on it.
Depending on the case and to the applicable extent, this cooperation may notably consist of communicating useful elements available to Indris Studio, providing reasonably necessary explanations on processing operations within its scope, or assisting the Client in preparing responses, observations, or documents relating to the relevant processing.
20.3 Allocation of Roles
The Client remains solely responsible for its exchanges with the supervisory authority, competent authority, or relevant court, the positions it adopts, the responses it sends, and, more generally, compliance with its obligations as controller, except where a legal obligation applies directly to Indris Studio.
20.4 Relationship With Other DPA Provisions
This article applies without prejudice to the provisions of this DPA relating to:
- assistance to the Client;
- notification and management of data breaches;
- making available the information necessary to demonstrate compliance;
- and limited retention of certain data where strictly necessary to comply with a legal obligation, defend Indris Studio's rights, or manage an audit, dispute, or request from a competent authority.
Article 21. Contractual Hierarchy
21.1 Integration Into the Contractual Framework
This DPA forms an integral part of the contractual framework binding the Parties and applies together with the main agreement, including, where applicable, the general terms and conditions of sale, specific terms, quote, purchase order, service contractual documentation, and its annexes, to the extent such documents apply to the relationship between the Parties.
21.2 Primacy of the DPA for Data Protection Matters
In the event of contradiction, inconsistency, or divergence between this DPA and any other provision of the main agreement or general terms and conditions of sale, this DPA prevails for all matters relating to:
- personal data processing carried out by Indris Studio on behalf of the Client;
- allocation of the Parties' roles in data protection matters;
- documented instructions, confidentiality, security, subprocessors, transfers, assistance, data breaches, audits, and return, deletion, or residual retention of data at the end of the agreement.
21.3 Continued Application of Other Contractual Provisions
For all matters that do not specifically concern personal data protection or that are not governed by this DPA, the main agreement and, where applicable, the general terms and conditions of sale remain fully applicable.
However, this article may not be interpreted as reducing, excluding, or neutralizing mandatory obligations resulting from applicable personal data protection law.
Article 22. Liability and Relationship With the Main Agreement
22.1 Principle of Coordination
Unless expressly stipulated otherwise in this DPA, the Parties' contractual liability for processing covered by this DPA remains governed by the liability provisions of the main agreement, to the extent such provisions are compatible with applicable personal data protection law and this DPA.
22.2 Reservation for Mandatory Provisions
No provision of this DPA or of the main agreement may be interpreted as excluding, limiting, or neutralizing mandatory obligations resulting from applicable personal data protection law, nor the rights enjoyed by data subjects or the powers of supervisory authorities under such law.
22.3 Scope of Indris Studio's Liability
Indris Studio is liable for breaches attributable to it in respect of the obligations incumbent on it as processor for processing covered by this DPA, without prejudice to:
- cases in which the Client remains solely responsible for the obligations incumbent on it as controller;
- Indris Studio's own liability when it acts as a separate controller for its own purposes;
- and cases in which applicable law imposes a different qualification or liability regime in light of the reality of the operations actually implemented.
22.4 Subprocessors
Indris Studio's use of an authorized subprocessor does not reduce or exclude the liability incumbent on it toward the Client under the conditions set out in this DPA.
Annex 1. Description of Processing
Subject Matter of Processing
The processing entrusted to the Processor is for the purpose of providing and operating the "Indris.Studio: architectural visualization project management" service, allowing in particular account administration, project management, organization of exchanges with the Client, receipt, hosting, consultation, and processing of files, documents, and content transmitted in connection with the preparation, performance, and follow-up of architectural visualization services.
Purposes
Processing is carried out solely to allow the Processor to perform the services agreed with the Client, ensure operational project management, process the Client's requests, instructions, and validations, receive and use the technical, graphic, and documentary elements necessary to produce deliverables, and ensure the deposit, making available, and follow-up of such deliverables.
Nature of Operations
Collection, recording, organization, structuring, consultation, hosting, retention, extraction, use, communication by transmission or making available, matching, deletion, and, more generally, any operation strictly necessary for performance of the services entrusted by the Client.
Categories of Data
Identification and contact data of the Client's users and contacts; account and authentication data; project data; content, comments, instructions, and validations; technical, administrative, or commercial documents transmitted by the Client; attachments and deliverables; metadata associated with exchanges, deposits, and access to the service. The service is not intended to process special categories of data within the meaning of Article 9 GDPR, without excluding that such content may be transmitted incidentally by the Client under the Client's sole responsibility.
Categories of Data Subjects
Authorized users of the Client, representatives, employees, collaborators, project contacts, providers, partners, or any other natural person whose data may be contained in the elements, documents, files, or content transmitted by the Client in connection with the service.
Duration of Processing
The data is processed for the term of the agreement.
Retention / Deletion
Project data is intended to be deleted by the Processor within fifteen (15) days after the end of the relevant project or contractual relationship, subject, where applicable, to residual technical constraints specific to the infrastructure used and to the provisions of the DPA relating to return, deletion, and legal retention obligations.
Frequency
Processing is occasional and continuous according to project needs and actions carried out within the service during the term of the agreement.
Tools / Services Concerned
Firebase Authentication, Firebase Storage, Firebase Functions, Firebase App Hosting, Cloud Run and, where applicable, Vertex AI, strictly to the extent necessary for technical performance of the services and the service.
Main Location
European Union.
Annex 2. Technical and Organizational Security Measures
Logical Access Control
Access to environments, consoles, services, and data is limited to authorized persons only, according to need to know. On the date of this DPA, such access is limited to the Service Provider only.
Authorization Management
Access rights are assigned nominally and restricted to the resources necessary for administration of the service and performance of the services. No shared administration account is used.
Strong Authentication for Administrator Access
Administrator access to infrastructure and hosting services is protected by multifactor authentication (MFA).
Authentication of Service Users
Authentication of service users relies on the technical mechanisms implemented in the application, including a login system by email address and secure login link ("magic link"), according to the components used.
Password Policy and Credential Security
Administration identifiers are subject to appropriate protection measures. The Service Provider ensures that it maintains suitable security practices for access to the environments and services used.
Encryption of Data in Transit
Communications with the service are protected by encryption mechanisms in transit, notably through HTTPS/TLS, according to the components used. Firebase states that it encrypts data in transit through HTTPS, and Google Cloud documents encryption in transit on its infrastructure.
Encryption of Data at Rest
Data hosted on the infrastructure used for the service benefits from encryption at rest according to the mechanisms provided by the cloud services used. Google Cloud states that it encrypts customer content at rest by default, and Firebase documents the existence of such encryption for several services.
Segregation of Environments
The Service Provider maintains separation between local, development, and production environments. Production data is not intended to be used in development or test environments.
Logging
Logging mechanisms may be implemented to ensure traceability of relevant actions on the service, including administration access, technical operations, logins, deposits, or deletion of content, to the extent useful for security, proper functioning of the service, and justification of operations carried out. Several Firebase services integrate with Cloud Audit Logs / Cloud Logging to trace administrative actions and certain accesses.
Incident Detection and Management
The Service Provider implements reasonable measures to detect, analyze, and handle security incidents affecting the service or data, according to the size of its structure and the components used.
Updates and Patches
The Service Provider applies, within a reasonable period, relevant patches, security updates, and remediation actions concerning the components, dependencies, environments, and workstations it directly administers.
Monitoring of Technical Alerts
The Service Provider carries out reasonable monitoring of relevant security alerts and information communicated by the service providers used, notably Google / Firebase, in order to adapt necessary measures where required.
Workstation Security
The workstation used to administer the service is subject to appropriate security measures, including authentication protection, system security updates, and native protections of the environment used.
Internal Confidentiality
Access to the Client's data occurs only as needed for performance of the services, analysis of transmitted elements, production of deliverables, support, or handling of a Client request.
Subprocessor Management
The Service Provider selects subprocessors offering an appropriate level of safeguards with regard to data security and confidentiality, and governs their intervention under the conditions set out in the DPA.
Backups and Technical Continuity
The technical components used may include redundancy, replication, backup, or restoration mechanisms according to the services selected and their configuration. Firestore notably offers backup and restoration features, but their existence alone does not imply an organizational restoration plan tested by the Service Provider.
Restoration Tests
No specific commitment to periodic restoration testing is made under this annex, unless subsequently implemented and documented by the Service Provider.
Periodic Access Review
The Service Provider carries out a periodic review of administrative access and, more generally, relevant authorizations in light of the actual needs of the service.
Erasure of Data and Local Copies
The Service Provider implements erasure of data and local copies that are no longer needed for the purpose pursued, subject to the provisions of the DPA, applicable technical constraints, and retention only of necessary elements, including deliverables or documents that must be retained.
Annex 3. List of Authorized Subprocessors
Google LLC and/or Competent Google Entities Depending on the Service - Google Cloud / Firebase
Service: Google Cloud / Firebase, including Firebase Authentication, Firebase Storage, Firebase Functions, Firebase App Hosting, Cloud Run, and associated infrastructure services.
Role: Hosting, storage, authentication, application execution, and technical processing necessary for operation of the service.
Location: European Union, mainly Netherlands region (europe-west4), depending on the components used.
Type of data access: Hosting, storage, processing, authentication, application execution; limited technical access may occur in connection with operation, maintenance, security, or support of the relevant services.
Transfer basis if outside the EEA: Where applicable, standard contractual clauses and/or any other valid transfer mechanism provided by the applicable Google contractual documentation.
Documentary reference: Cloud Data Processing Addendum; Google Cloud Platform Subprocessors; Firebase Data Processing and Security Terms.
Google LLC and/or Competent Google Entities Depending on the Service - Vertex AI
Service: Vertex AI.
Role: Technical production assistance tool used by the Processor for performance of certain services, where applicable.
Location: European Union, mainly Netherlands region (europe-west4), depending on the components used.
Type of data access: Occasional processing of content, instructions, excerpts, files, or elements necessary for production assistance operations, within the limits of uses actually implemented by the Processor.
Transfer basis if outside the EEA: Where applicable, standard contractual clauses and/or any other valid transfer mechanism provided by the applicable Google contractual documentation.
Documentary reference: Cloud Data Processing Addendum; Google Cloud Platform Subprocessors.
Annex 4. GDPR Operational Procedures
1. Purpose and Scope
This annex specifies, for personal data processing carried out by Indris Studio on behalf of the Client under this DPA:
- the procedure applicable to security incidents and personal data breaches;
- the procedure applicable to requests by data subjects to exercise their rights;
- the operational terms for return, deletion, and residual retention of data at the end of a project, service, or contractual relationship.
This annex supplements this DPA and is interpreted consistently with its other provisions. In the event of contradiction, the provisions in the body of the DPA prevail.
This annex does not apply to processing for which Indris Studio acts as a separate controller for its own purposes, which remains governed by the GTCS, applicable information notices, and, where applicable, other relevant contractual documents.
2. Incident / Breach Procedure
2.1 Processor Point of Contact
For any question relating to a security incident or personal data breach falling under this DPA, Indris Studio's point of contact is: privacy@indris.studio.
2.2 Client Point of Contact
Notifications are sent to the point of contact designated by the Client for data protection matters. Failing express designation, they are validly sent to any relevant contractual or operational contact communicated by the Client.
2.3 Notification and Follow-Up Channels
The initial notification is made in writing, by email. Email is the primary contractual notification channel.
Where the Client has active access to the platform and this feature is actually made available, a copy of the notification, its updates, and, where applicable, the closure report may also be made available in a secure space of the platform or by secure message within it. This additional channel is not intended to replace email, unless the Parties expressly agree otherwise.
2.4 Initial Notification
The initial notification is sent without undue delay after awareness of the breach or incident, under the conditions provided by the DPA. It may be partial if all useful information is not yet available on that date.
2.5 Minimum Information
The initial notification contains, to the extent of information then available:
- a description of the nature of the incident or breach;
- the estimated date or period of occurrence and the date of detection;
- the categories of data concerned;
- the categories of data subjects potentially affected;
- known or reasonably suspected consequences;
- the first measures taken or contemplated;
- contact details of the point of contact from whom additional information may be obtained.
Where useful, Indris Studio may also indicate the estimated severity level, the affected technical scope, and the containment status of the incident.
2.6 Updates and Cooperation
Additional information is transmitted without undue delay and, where useful, according to a reasonable schedule communicated to the Client.
Indris Studio reasonably cooperates with the Client to allow analysis of the incident, documentation of facts, implementation of containment and remediation measures, and preparation of useful elements for notifications or communications falling under the Client's responsibility.
2.7 Incident Closure
When the incident is stabilized or handled to a sufficient level, Indris Studio sends the Client a closure report within a reasonable period.
This report includes, to the extent information is available:
- a summary of the incident;
- its identified or probable cause;
- the scope of the data concerned;
- containment, correction, and remediation measures implemented;
- final resolution status;
- corrective or preventive actions decided, where relevant.
If certain elements are not yet definitively established, the report may be provisional and supplemented later.
2.8 Traceability
Indris Studio keeps a reasonable record of notifications, updates, and closure elements relating to incidents and breaches covered by this DPA, to the extent necessary for security, demonstration of compliance, and proof of operations carried out.
3. Data Subject Rights Procedure
3.1 Scope
This section applies to requests to exercise rights relating to personal data processed by Indris Studio on behalf of the Client in connection with the service.
It does not apply to requests relating to processing for which Indris Studio acts as a separate controller.
3.2 Reception Channels
Where a request falling within this section is sent to Indris Studio, it may be received:
- at privacy@indris.studio;
- and, where this feature is activated, through a secure module or message available in the platform.
3.3 Forwarding to the Client
Where Indris Studio directly receives from a data subject a request relating to data processed on behalf of the Client, it forwards the request to the Client as soon as possible and, unless reasonably justified impossibility exists, no later than two (2) business days from receipt.
Unless a contrary legal obligation applies directly to it, Indris Studio does not respond on the merits to the data subject's request and does not make an autonomous decision on its outcome. It may, where applicable, acknowledge receipt purely procedurally or invite the data subject to contact the Client where appropriate.
3.4 Reasonable Assistance
On documented instruction from the Client and to the extent required by applicable law, Indris Studio provides reasonable assistance to the Client so that the Client can handle requests to exercise rights, notably with a view to:
- identifying relevant data in active environments;
- extracting or making available the available elements;
- deleting, restricting, or making certain data inaccessible where technically possible;
- communicating to the Client useful information actually available to Indris Studio concerning the relevant processing.
3.5 First Response Timeframes to the Client
When the Client sends Indris Studio an assistance request relating to exercise of rights, Indris Studio provides a first written response as soon as possible and, unless specific complexity or justified urgency falls under another regime provided in the DPA, within two (2) business days.
This first response may take the form of a detailed acknowledgment of receipt, request for clarification, partial response, or communication of a reasonable processing schedule.
3.6 Technical and Operational Limits
The Client acknowledges that, given the nature of the service and services, certain personal data may appear incidentally, accessorily, or unintentionally in plans, sections, elevations, models, 3D files, PDF documents, comments, annotations, messages, attachments, visual references, or other content transmitted by the Client.
In this context:
- Indris Studio is required only to provide reasonable assistance based on the information actually available to it and the features actually available in the service;
- Indris Studio does not guarantee, unless a specific service is agreed in writing, exhaustive identification of every occurrence scattered across complex, heterogeneous, or unstructured content;
- Indris Studio is not required to modify individually a final deliverable already produced or delivered, unless expressly agreed in writing and technically feasible;
- any specific extraction, particular sorting, in-depth search, significant manual intervention, or operation exceeding standard assistance may be subject to separate technical, scheduling, and financial conditions.
4. Return, Deletion, and Residual Retention
4.1 General Principle
Unless the Client gives contrary written instruction within the applicable timeframes, deletion is the default option applied.
The return or export request must be made in writing by the Client before expiry of the applicable deletion periods.
4.2 Standard Return
For purposes of this DPA, standard return is limited, within the limits of elements actually available on the date of the request, only to final deliverables made available to the Client under the main agreement.
This standard return concerns exclusively final deliverables consisting of image files or video files, in the format in which they are available in the service or, failing that, in a format commonly used for this type of deliverable.
Unless expressly agreed otherwise in writing, standard return does not include files, documents, models, 3D models, textures, plans, references, attachments, project content, or other source elements transmitted by the Client for the purposes of the service.
4.3 Return Exclusions
Standard return does not include:
- source files provided by the Client;
- plans, sections, elevations, models, 3D files, PDF documents, attachments, visual references, comments, annotations, or project exchanges transmitted for performance of the service;
- methods, tools, workflows, libraries, templates, prompts, working scenes, native files, intermediate versions, or preparatory elements proprietary to Indris Studio;
- security logs, internal technical traces, supervision elements, or information whose communication would compromise the security of systems or the rights of Indris Studio or third parties.
4.4 Rapid Deletion of Project Source Data
Unless a contrary legal obligation, need to defend rights, request from a competent authority, or different written instruction from the Client accepted by Indris Studio applies, project source data processed on behalf of the Client is deleted from active environments as soon as possible and, at the latest, within fifteen (15) calendar days following the later of final delivery and full payment.
This deletion notably concerns plans, sections, elevations, models, 3D files, PDF documents, attachments, visual references, comments, annotations, project exchanges, and, more generally, content transmitted by the Client for performance of the service.
Where the contract or service ends without a final delivery still being due, the relevant data is deleted from active environments no later than fifteen (15) calendar days from effective cessation of the relevant contract or service, unless an admissible written return request is made under this annex.
4.5 Final Deliverables and Limited Operational Retention
Unless the Client gives contrary written instruction or deletion is made necessary by the end of the contractual relationship, final deliverables may remain accessible in Indris Studio's active environments or operational archive environments for the period reasonably necessary:
- to make them available to the Client;
- for project follow-up;
- to prove performance of the service;
- for the establishment, exercise, or defense of Indris Studio's rights.
4.6 Backups and Technical Residues
Certain data deleted from active environments may temporarily remain in backups, recovery systems, technical logs, or other technical residues that cannot be immediately modified.
In this case:
- such data remains protected by the security and confidentiality measures provided in the DPA;
- it is not put back into production, consulted, extracted, or used, except where strictly necessary for a technical need relating to service continuity, restoration, security, preservation of evidence, or compliance with a legal or regulatory obligation;
- it is deleted or made permanently inaccessible according to the normal applicable retention cycle, without exceeding ninety (90) days from deletion from active environments, unless a specific legal or technical constraint is duly justified.
4.7 Minimal Residual Retention
By way of derogation from the foregoing, Indris Studio may retain certain personal data or information strictly necessary:
- to comply with a legal or regulatory obligation;
- for the establishment, exercise, or defense of its rights;
- to manage a security incident, dispute, audit, or request from a competent authority;
- to retain minimal technical elements necessary for the integrity, security, or proof of operations carried out.
Data so retained is limited to what is strictly necessary, remains subject to applicable confidentiality and security obligations, and may not be used for other incompatible purposes.
4.8 Deletion Certificate
Upon reasonable written request from the Client, Indris Studio provides a deletion certificate or contractually equivalent written confirmation covering deletion operations carried out in active environments and systems directly administered by Indris Studio in connection with the service.
Where applicable, this certificate confirms that the relevant data has been removed from operational access and erased from active environments operated by Indris Studio, subject to:
- data whose retention remains required under this DPA, a legal or regulatory obligation, or the need to establish, exercise, or defend rights;
- residual, temporary technical mechanisms not directly administrable by Indris Studio that may exist at the infrastructure or service level of its subprocessors.
The deletion certificate does not constitute standalone certification of instant purging of all internal cache, replication, logging, backup, or technical retention mechanisms specific to third-party infrastructure providers.
5. Contractual Value
This annex forms an integral part of the DPA. From its adoption, it replaces and consolidates the former annexes relating to:
- the incident / breach procedure;
- the data subject rights procedure;
- the return / deletion policy.