Data Processing Agreement (DPA)

Last updated: April 14, 2026

This Data Processing Agreement (hereinafter the "DPA") is concluded in accordance with Article 28 of the General Data Protection Regulation (GDPR — Regulation EU 2016/679) between:

  • The Data Controller (hereinafter the "Customer"): any natural or legal person registered on the ConsentLab Platform and using the Widget on their website(s).
  • The Processor (hereinafter "ConsentLab" or the "Processor"): Bob le Développeur (SIRET 891 488 512 00015), publisher of the ConsentLab Platform.

This DPA is an integral part of the Terms of Use and the Terms of Sale. It enters into force as soon as the Customer uses the Widget.

1. Subject matter and scope of the processing

1.1 Nature of the processing

ConsentLab processes personal data on behalf of the Customer in the context of collecting, recording and retaining cookie consent records of Visitors to the Customer's websites.

1.2 Purpose

The sole purpose of the processing is to enable the Customer to comply with their legal obligations regarding cookie consent (Article 82 of the French Data Protection Act, ePrivacy Directive, GDPR) and to retain the consent records required in case of audit by the authorities.

1.3 Categories of data processed

For each category: the data, its nature, and the collection method.

  • Visitor hash (visitor_hash)
    Nature: Pseudonymised identifier (irreversible SHA-256: IP + user-agent + rotating daily salt)
    Collection method: Computed server-side, IP never stored in plain text
  • Consent choices
    Nature: JSON: necessary, analytics, marketing (boolean)
    Collection method: Transmitted by the Widget when the Visitor makes a choice
  • Consent identifier (consent_id)
    Nature: Unique UUID per consent action
    Collection method: Generated by the Widget
  • User-agent
    Nature: Browser/device string
    Collection method: Automatically transmitted by the browser
  • Country (ip_country)
    Nature: ISO country code derived from the IP
    Collection method: Server-side geolocation, IP not retained
  • Timestamp (created_at)
    Nature: UTC date and time of the choice
    Collection method: Recorded server-side

1.4 Categories of data subjects

The data subjects are the Visitors of the Customer's websites who interact with the ConsentLab Widget (cookie consent banner).

1.5 Duration of the processing

The processing is carried out for the entire duration of the contract between the Customer and ConsentLab. Upon expiry or termination of the contract, the provisions of Article 10 apply.

2. Obligations of the Processor

In accordance with Article 28-3 of the GDPR, ConsentLab undertakes to:

2.1 Documented instructions (Art. 28-3-a)

Process personal data only on documented instructions from the Customer. The Customer instructs ConsentLab to process data solely for the purposes described in this DPA. Any additional instruction must be subject to written agreement.

2.2 Confidentiality (Art. 28-3-b)

Ensure that persons authorised to process personal data have committed to confidentiality or are bound by an appropriate statutory obligation of confidentiality.

2.3 Security (Art. 28-3-c / Art. 32)

Implement appropriate technical and organisational measures to guarantee a level of security appropriate to the risk, in particular:

  • Anonymisation of Visitor data via irreversible SHA-256 hashing with rotating daily salt
  • Encryption of communications in transit (TLS/HTTPS)
  • Exclusive hosting in France (OVH, Roubaix)
  • Data isolation between Customers (filtering by API Key and project)
  • Brute-force protection (rate limiting)
  • HTTP security headers (Helmet.js)
  • Docker containerisation with non-root user
  • Automated dependency auditing in continuous integration
  • Role-based access control (customer / admin)

2.4 Sub-processors (Art. 28-2 and 28-4)

ConsentLab uses the following sub-processors, to which the Customer gives their general authorisation by accepting this DPA:

For each sub-processor: its function, the data location, and the safeguards in place.

  • OVHcloud (OVH SAS)
    Function: Infrastructure hosting, PostgreSQL database
    Data location: Roubaix, France
    Safeguards: ISO 27001, HDS, SOC 2
  • Stripe (Stripe Payments Europe, Ltd.)
    Function: Payment processing (no consent data)
    Data location: Ireland (EU)
    Safeguards: PCI-DSS, GDPR compliant
  • Resend
    Function: Transactional email delivery (no consent data)
    Data location: United States
    Safeguards: EU-US Data Privacy Framework

ConsentLab will inform the Customer of any addition or replacement of a sub-processor with at least thirty (30) days' notice. The Customer has a right to object on reasoned grounds. In case of justified and unresolved objection, the Customer may terminate the contract without penalty.

Note: Stripe and Resend do not process any Visitor consent data. Only OVHcloud hosts the consent data.

2.5 Assistance to the Customer (Art. 28-3-e and 28-3-f)

ConsentLab undertakes to assist the Customer, as far as possible, with:

  • Responding to requests by data subjects to exercise their rights (access, rectification, erasure, portability)
  • Compliance with security obligations (Art. 32)
  • Notification of personal data breaches to the supervisory authority (Art. 33) and to data subjects (Art. 34)
  • Carrying out data protection impact assessments (DPIAs) where necessary (Art. 35-36)

2.6 Personal data breach notification (Art. 33)

In case of personal data breach, ConsentLab undertakes to inform the Customer within a maximum of forty-eight (48) hours after becoming aware of it, communicating:

  • The nature of the breach
  • The categories and approximate number of data subjects concerned
  • The likely consequences
  • The measures taken or proposed to address it

3. Obligations of the Customer (Data Controller)

The Customer undertakes to:

  • Be the data controller of the consent data of their Visitors
  • Have a valid legal basis for the collection of consents
  • Inform their Visitors in accordance with Articles 13 and 14 of the GDPR
  • Correctly configure the Widget in accordance with their legal obligations
  • Not transmit any health data or special category data (Art. 9 of the GDPR) via the Widget
  • Document the processing in their record of processing activities (Art. 30 of the GDPR)

4. International transfers

Visitor consent data is exclusively hosted in France (OVH, Roubaix). No transfer outside the European Union is carried out for consent data.

Third-party services (Stripe, Resend) do not process Visitor consent data. For Customer account data (see Privacy Policy), transfers are governed where applicable by the EU-US Data Privacy Framework or Standard Contractual Clauses (SCCs) adopted by the European Commission.

5. Audits and inspections (Art. 28-3-h)

ConsentLab makes available to the Customer all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and allows audits, including inspections, conducted by the Customer or an auditor mandated by them.

Audits are carried out subject to reasonable notice of fifteen (15) working days, while preserving the confidentiality of the data of ConsentLab's other customers, and at the requesting Customer's expense. ConsentLab reserves the right to limit the audit to a proportionate scope and to propose an audit by an independent third party as an alternative.

6. Retention period

Consent data is retained throughout the duration of the contract between the Customer and ConsentLab. The recommended retention period for consent records is five (5) years, corresponding to the general statutory limitation period (Article 2224 of the French Civil Code).

The Customer may request the export of their consent data at any time from the Platform dashboard (CSV export).

7. Cooperation with authorities

ConsentLab undertakes to cooperate with the CNIL (France's data protection authority) or any other competent supervisory authority in the context of any investigation or procedure relating to the processing carried out on behalf of the Customer.

8. Termination and data return (Art. 28-3-g)

Upon expiry or termination of the contract, ConsentLab undertakes, at the Customer's choice expressed in writing:

  • To return all consent data in a structured, machine-readable format (CSV), within thirty (30) days of the request
  • To delete all consent data and existing copies, unless statutory retention obligations apply

Failing instruction from the Customer within ninety (90) days following the end of the contract, ConsentLab will proceed with the permanent deletion of the data.

9. Liability

In accordance with Article 82 of the GDPR:

  • ConsentLab is not liable for penalties imposed against the Customer due to the Customer's non-compliance with their own obligations as data controller
  • ConsentLab assumes liability for damage caused by processing for which it has not complied with the GDPR obligations specifically applicable to processors
  • ConsentLab is exempt from liability if it proves that it is not in any way responsible for the event giving rise to the damage (Art. 82-3)

10. Applicable law

This DPA is governed by French law and the GDPR. In case of dispute, the parties undertake to seek an amicable solution prior to any legal action.

11. Contact

For any question relating to this DPA or to data protection: privacy@consentlab.eu.