Legal information
Data Processing Agreement (DPA)
Effective date: 14 June 2026 — v1.1
Language note: The legally binding version of this DPA is the French version. This English translation is provided for information purposes only. In case of discrepancy, the French version prevails. For questions, contact dpa@jefacturebien.fr.
Preamble
This Data Processing Agreement (hereinafter the "DPA") is entered into pursuant to Article 28 of Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data (hereinafter the "GDPR"). It governs the processing of personal data carried out by the Processor on behalf of the Controller in connection with the provision of the jefacturebien.fr services.
This DPA is incorporated by reference into the Terms of Sale and takes effect on the date the Client's account is activated. It may be accepted from your jefacturebien.fr workspace. In the event of a conflict between this DPA and the Terms of Sale regarding the protection of personal data, this DPA prevails.
The Processor
QR Communication SAS
Simplified joint-stock company (Société par Actions Simplifiée) with a share capital of EUR 5,000
Paris Trade and Companies Register 940 163 496 — VAT: FR43940163496
23 rue de Richelieu, 75001 Paris, France
Legal representative: Joëlle Azogui, President
DPA contact: dpa@jefacturebien.fr
Hereinafter the "Processor" or "jefacturebien.fr".
The Controller
The Client, a legal entity or natural person, as identified in their jefacturebien.fr account (company or sole-trader name, SIRET, address, billing email), who determines the purposes and means of the processing entrusted to jefacturebien.fr.
Hereinafter the "Controller" or the "Client".
Article 1 — Definitions
The terms used in this DPA have the meaning given to them by the GDPR, in particular its Article 4.
| Term | Definition |
|---|---|
| Personal data | Any information relating to an identified or identifiable natural person (Art. 4.1) |
| Processing | Any operation or set of operations performed on personal data (Art. 4.2) |
| Controller | The Client — determines the purposes and means of the processing (Art. 4.7) |
| Processor | jefacturebien.fr — processes personal data on behalf of the Controller (Art. 4.8) |
| Sub-processor | Any provider engaged by jefacturebien.fr to carry out specific processing activities (Art. 28.2 and 28.4) |
| Data subject | The natural person to whom the personal data relates |
| Data breach | A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data (Art. 4.12) |
| Supervisory authority | The French Data Protection Authority (CNIL), competent authority in France (Art. 4.21) |
Article 2 — Subject matter, nature and purpose of the processing
2.1 Purposes and legal bases
The Processor processes personal data solely for the purpose of providing the following services to the Controller.
| Service | Purpose | Legal basis |
|---|---|---|
| Electronic invoicing (Factur-X / UBL / CII) | Generation, validation, transmission and archiving of quotes, invoices and credit notes | Performance of the contract (Art. 6.1.b) + Legal obligation (Art. 6.1.c) |
| Buyer registry | Storage and reuse of buyer data | Performance of the contract (Art. 6.1.b) |
| Tax audit and integrity (ISCA) | Immutable SHA-256 chain, integrity logs | Legal obligation (Art. 6.1.c) + Legitimate interest (Art. 6.1.f) |
| Transactional communications | Sending service-related emails | Performance of the contract (Art. 6.1.b) |
2.2 Nature of the processing operations
The processing operations carried out by the Processor include in particular: collection, recording, organization, structuring, storage, encryption, consultation, use, transmission to recipient bodies (partner dematerialization platform), probative-value archiving, extraction (export), restriction, erasure and destruction of personal data, strictly to the extent necessary for the provision of the services.
2.3 Categories of data processed
- Issuer identification data (company or sole-trader name, SIRET, VAT number, address, contact details, account credentials);
- Buyer identification data (name, company name, SIRET, VAT number, billing and shipping address, email, phone);
- Data contained in quotes, invoices and credit notes (amounts, descriptions, references, legal mentions);
- Technical and connection data (IP addresses, access logs, technical identifiers);
- Payment references (excluding full card numbers, processed directly by the payment provider).
The Processor does not process any special categories of data within the meaning of Article 9 of the GDPR.
2.4 Categories of data subjects
- The Client's legal representatives and staff (account users);
- The Client's individual buyers and the contacts of the Client's corporate buyers;
- Any natural person mentioned in the quotes, invoices or credit notes processed by the Client via the services.
Article 3 — Duration of the processing
This DPA takes effect on the date the Client's account is activated and remains in force for the entire duration of the jefacturebien.fr services contract. Processing continues until the effective termination of the contract, subject to the legal retention periods detailed in Article 12 and the end-of-contract effects provided for in Article 13.
Article 4 — Processor obligations (Article 28.3)
The Processor undertakes to comply with all obligations incumbent upon it under Article 28.3 of the GDPR.
4.a) Processing on documented instructions
The Processor processes personal data only on documented instructions from the Controller, including with regard to transfers to a third country, unless required to do so by Union or Member State law to which it is subject; in such a case, it informs the Controller of that legal requirement before processing, unless legally prohibited. This DPA, the Terms of Sale and the configurations made by the Client in their workspace constitute these documented instructions. The Processor immediately informs the Controller if it considers that an instruction infringes the GDPR or another data protection provision.
4.b) Confidentiality
The Processor ensures that persons authorized to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. This staff confidentiality commitment survives the end of duties or of the employment contract.
4.c) Security of processing
The Processor implements the appropriate technical and organizational measures provided for in Article 32 of the GDPR to ensure a level of security appropriate to the risk. These measures are detailed in Annex 2.
4.d) Engagement of sub-processors
The Controller generally authorizes the Processor to engage the sub-processors listed in Annex 3. The Processor imposes on each sub-processor, by contract, the same data protection obligations as those set out in this DPA. Any change (addition or replacement) is subject to 30 days' prior notice, in accordance with Article 6.
4.e) Assistance with data subjects' rights
Taking into account the nature of the processing, the Processor assists the Controller, by appropriate technical and organizational measures, in fulfilling its obligation to respond to requests for the exercise of data subjects' rights (right of access, rectification, erasure, restriction, portability and objection) provided for in Articles 12 to 23 of the GDPR. The Processor provides the Client with export and deletion features from their workspace.
4.f) Assistance with the Controller's compliance
Taking into account the nature of the processing and the information available to it, the Processor assists the Controller in ensuring compliance with the obligations provided for in Articles 32 to 36 of the GDPR, namely: security of processing, notification of data breaches to the supervisory authority and to data subjects, data protection impact assessments (DPIA, Art. 35) and prior consultation of the supervisory authority (Art. 36).
4.g) Fate of the data at the end of the service
At the Controller's choice, the Processor deletes all personal data or returns it to the Controller at the end of the service, and destroys existing copies, unless retention is required by Union or applicable national law (Art. 28.3.g). The terms are specified in Article 13.
4.h) Provision of information and audits
The Processor makes available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28, and allows for and contributes to audits, including inspections, conducted by the Controller or an auditor mandated by it (Art. 28.3.h). The terms are specified in Article 10.
Article 5 — Controller obligations
The Controller undertakes to:
- Ensure it has a valid legal basis for each processing entrusted to the Processor;
- Inform its own users and buyers of the use of jefacturebien.fr and of the processing carried out;
- Provide the Processor with lawful, documented instructions compliant with the GDPR;
- Obtain, where applicable, the consent of data subjects and ensure their rights are respected;
- Maintain its own record of processing activities in accordance with Article 30 of the GDPR;
- Notify data breaches to the supervisory authority and, where applicable, to data subjects, within the legal deadlines.
Article 6 — Sub-processing
The Controller consents to the Processor's engagement of the sub-processors listed in Annex 3 (general authorization within the meaning of Articles 28.2 and 28.4 of the GDPR).
Before adding a new sub-processor or replacing an existing one, the Processor notifies the Client 30 days in advance. The Client has this period to raise a reasoned written objection. In the absence of a response upon expiry of the period, silence constitutes tacit acceptance. In the event of an unresolved reasoned objection, the Client may terminate the affected part of the services.
The Processor remains fully liable to the Controller for the performance by the sub-processor of its data protection obligations.
Article 7 — Transfers outside the European Union
✓ No transfer of personal data outside the European Union — all processing and hosting takes place within the European Union.
| Infrastructure | Location | Qualification |
|---|---|---|
| Scaleway | fr-par (Paris, France) | EU ✓ |
| Stripe Payments Europe | EU servers | EU ✓ |
| SuperPDP | France | EU ✓ |
| Mistral AI | France | EU ✓ |
| Sentry EU | Frankfurt, Germany | EU ✓ |
| Resend | European Union | EU ✓ |
Consequently, no appropriate safeguards within the meaning of Chapter V of the GDPR (standard contractual clauses, adequacy decision) are required. Should a transfer outside the EU be envisaged in the future, it would be subject to prior notification under Article 6 and the implementation of the required appropriate safeguards.
Article 8 — Personal data breach
In the event of a personal data breach affecting the Client's data, the Processor notifies the Controller as soon as possible and at the latest within 24 hours of becoming aware of it, in order to enable the Controller to notify the supervisory authority (CNIL) within the legal deadline of 72 hours provided for in Article 33 of the GDPR.
The Processor's notification to the Client includes, as far as possible:
- A description of the nature of the breach, including the categories and approximate number of data subjects and records concerned;
- The contact details of the point of contact from which more information can be obtained;
- A description of the likely consequences of the breach;
- A description of the measures taken or proposed to address the breach and, where applicable, mitigate its consequences.
Where this information cannot be provided at the same time, it is communicated in phases without undue delay.
Article 9 — Impact assessment and prior consultation
Taking into account the nature of the processing and the information available to it, the Processor provides the Controller with the reasonable assistance necessary to carry out the data protection impact assessments (DPIA) provided for in Article 35 of the GDPR, as well as the prior consultation of the supervisory authority provided for in Article 36 when a DPIA reveals a high residual risk. To this end, the Processor communicates to the Controller the relevant information regarding security measures and processing architecture.
Article 10 — Audit and compliance verification
The Controller may audit the Processor's processing activities once a year, on 30 calendar days' written notice and at its own expense. The audit is carried out under conditions that do not compromise the security of other clients or the continuity of the service.
The Processor may offer, as an alternative to an on-site audit, available audit reports or certifications, which the Controller undertakes to accept provided they cover the relevant scope:
- ISO 27001 — gap assessment planned Q3 2026;
- SOC 2 Type II — planned 2027;
- External pentest — planned Q3 2026;
- Response to a written compliance questionnaire within 10 business days.
Article 11 — Liability
Each party is liable for damage caused by processing under the conditions provided for in Article 82 of the GDPR. The Controller is responsible for compliance with its own obligations, in particular the lawfulness of the processing and the information of data subjects. The Processor is liable for damage caused by processing only where it has not complied with the GDPR obligations specifically applicable to processors (in particular Article 28) or where it has acted outside or contrary to the Controller's lawful instructions.
Article 12 — Retention periods
| Category | Active period | Legal archiving | Basis |
|---|---|---|---|
| Account data | Duration of the contract | 5 years | Civil limitation period |
| Invoices and credit notes | Duration of the contract | 11 years (Object Lock COMPLIANCE) | French Tax Code Art. 54 + Art. L. 123-22 Commercial Code |
| Buyer data | Duration of the contract | 5 years | Commercial limitation period |
| Connection logs | 12 months | — | LCEN Art. 6 II |
Article 13 — Effect at the end of the contract
At the end of the contract, at the Controller's choice:
- 30 days — Provision of the export of personal data in a structured, commonly used format;
- 60 days — Deletion of active data from the Processor's and its sub-processors' systems, followed by the delivery of a certificate of destruction;
- 11 years — Retention of tax archives (invoices and credit notes) in Object Lock COMPLIANCE.
Tax exception: invoices and credit notes are kept for 11 years in Object Lock COMPLIANCE in accordance with Article 54 of the French Tax Code and Article L. 123-22 of the Commercial Code. This retention falls under the exception provided for in Article 17.3.b of the GDPR (legal retention obligation). These archives are read-only and cannot be deleted before the legal deadline expires, including at the request of the data subject.
Annex 1 — Description of the processing
| Data category | Operations | Retention | Purpose |
|---|---|---|---|
| Issuer identity | Storage, reading, export, encryption | Contract + 5 years | Account management, invoicing |
| Buyer identity | Storage, reading, update, export | Contract + 5 years | Buyer registry |
| Invoice data | Generation, validation, archiving, PDP transmission | 11 years (Object Lock) | Invoicing, tax compliance |
| Technical data | Logging, storage, security analysis | 12 months | Security, ISCA audit |
| Payment references | Reference storage (excluding card numbers) | 5 years | Accounting |
Annex 2 — Technical and organizational measures (TOM)
Encryption
- AES-256 — sensitive data at rest;
- TLS 1.3 — all connections in transit;
- S3 Object Lock COMPLIANCE — tax archives 11 years, deletion impossible.
Access control
- Row Level Security (RLS) PostgreSQL — strict multi-account isolation;
- TOTP MFA — mandatory for administrator access.
Traceability and integrity
- Immutable SHA-256 chain (ISCA) — anti-mutation PostgreSQL trigger;
- OpenTimestamps — Bitcoin blockchain anchoring (best-effort).
Certifications (upcoming)
- ISO 27001 — gap assessment planned Q3 2026;
- SOC 2 Type II — planned 2027;
- External pentest — planned Q3 2026.
Annex 3 — Authorized sub-processors
Last updated: 5 June 2026 (version 1.0)
| Provider | Service | Location | Data transferred | Safeguards |
|---|---|---|---|---|
| Scaleway SAS | Cloud hosting (compute, DB, S3) | fr-par (France) | All data | Scaleway DPA |
| Stripe Payments Europe | Online payments (subscriptions) | EU servers | Billing data | Stripe DPA |
| SuperPDP SAS | Official PDP (Factur-X) | France | Invoice content | SuperPDP DPA |
| Mistral AI SA | Generative AI (optional, assistant) | France | Text queries (no PII) | Mistral AI DPA |
| Sentry (Functional Software) | Error tracking | Sentry EU (Frankfurt) | Anonymized stack traces | Sentry DPA |
| Resend Inc. | Transactional emails | European Union | Email + content | Resend DPA |
Contact and exercise of rights
DPA contact: dpa@jefacturebien.fr
GDPR rights: dpo@jefacturebien.fr or Workspace → Settings → Personal data
Supervisory authority (France): CNIL
DPA version 1.0 — QR Communication SAS — jefacturebien.fr — 5 June 2026
This document is available for PDF download from your jefacturebien.fr workspace (Settings → DPA).