Data Processing Agreement (DPA)
🌐 English translation for convenience. The French version is the legally binding one.
⚠️ Document under legal review. This content is a working draft written by the Weloom team and is not enforceable until validated by legal counsel. For a contractual deployment, contact legal@weloom.ai for the signed version.
Last updated: June 2026
Preamble
This Data Processing Agreement ("DPA") is concluded pursuant to Article 28 of Regulation (EU) 2016/679 ("GDPR") between:
- Weloom ("the Processor") — publisher of the Weloom.ai platform,
- the Customer company ("the Controller") — having subscribed to the Weloom services.
This DPA is an integral part of the Terms of Service and applies automatically to any Customer company.
1. Definitions
Capitalized terms have the meaning given by the GDPR (Art. 4), in particular: Personal Data, Processing, Data Subject, Sub-processor, Personal Data Breach.
2. Purpose
This DPA frames the conditions under which Weloom processes Personal Data on behalf of the Controller, in the context of using the Weloom.ai platform.
3. Categories of data processed
| Category | Examples | |---|---| | Identification | First name, last name, professional email, image, language | | Professional life | Role, hire / end-of-contract dates, manager, buddy | | Onboarding journey | Progress, scores, badges, points, milestones | | AI exchanges | Chat messages (stored encrypted AES-256-GCM) | | Feedback | 360° responses, manager notes, comments | | Connection | IP, user-agent, connection dates |
No special categories (health, opinions, union, etc.). Using the platform to collect sensitive data is prohibited by the Terms of Service.
4. Categories of data subjects
- Employees being onboarded (new hires)
- Managers and tutors (buddies)
- HR managers (admins)
5. Duration
Processing takes place for the entire term of the subscription contract to the Weloom services, with an additional retention period of 3 years after the end of the contract for the data of employees who have left the company (RM-08), unless the Controller requests early deletion.
6. Weloom's obligations (Processor)
Weloom undertakes to:
6.1 Confidentiality and instructions
- Process the Data only on the documented instruction of the Controller (tenant configuration via the platform).
- Ensure the confidentiality of the Data among its authorized personnel.
6.2 Security (Art. 32)
Technical and organizational measures in place (see Security):
- Multi-tenant isolation via PostgreSQL Row Level Security on
tenant_id. No cross-tenant query possible on the API side. - Application-level encryption of AI conversations: AES-256-GCM with a per-company derived key (HKDF). Losing the master key makes conversations unrecoverable (strong confidentiality guarantee).
- Encryption at rest native AES-256 on Supabase.
- TLS 1.3 mandatory in transit, strict HTTPS.
- Immutable audit log of sensitive actions.
- Authentication: NextAuth.js v5, Google SSO, single-use magic link.
- Rate limiting on AI chat per user and per hour.
- Backup Supabase (PITR 7 days, daily snapshots).
6.3 Sub-processors (Art. 28.2)
Weloom relies on Sub-processors listed on the Subprocessors page. Any material change to this list is notified to the Controller with reasonable notice, allowing it to object.
6.4 Assistance with data subject rights (Art. 28.3.e)
Weloom provides in its HR interface a GDPR export function (Art. 20) and a one-click deletion / anonymization function (Art. 17), enabling the Controller to respond within the deadlines.
6.5 Breach notification (Art. 33-34)
In the event of a Data Breach affecting the Controller, Weloom notifies it without undue delay, in practice within 72 hours of becoming aware, with:
- the nature and estimated scope of the breach,
- the likely consequences,
- the measures taken or proposed to mitigate the effects.
6.6 Cooperation and audits (Art. 28.3.h)
Weloom makes available, at the reasonable request of the Controller, the information needed to demonstrate compliance with its obligations. An annual on-site audit may be organized according to terms to be agreed (notice, NDA, scope).
6.7 End of contract (Art. 28.3.g)
At the end of the contract, Weloom:
- returns to the Controller a full export of the Data (on request, JSON format per user), OR
- deletes the Data within a reasonable period (immediate anonymization, full purge at the end of the RM-08 retention period).
This option must be notified by the Controller within 30 days following the end of the contract. Failing that, the "deletion at RM-08 term" option applies by default.
7. Controller's obligations
The Controller undertakes to:
- Use the platform only for legitimate onboarding purposes (Art. 5 GDPR purpose-limitation principle).
- Have an appropriate legal basis for processing its employees' data (typically, performance of the employment contract).
- Inform its employees (employer information notice) of the use of the platform.
- Configure roles and settings proportionately.
- Not upload to the knowledge base sensitive or personal data of a third party without a legal basis.
8. Authorized sub-processors
Up-to-date list: /en/legal/sous-traitants.
9. International transfers
Some Sub-processors are established outside the EU (Anthropic, OpenAI, Resend — United States). Transfers are framed by:
- the Standard Contractual Clauses (SCC) of the European Commission (Decision 2021/914),
- and, where applicable, additional technical measures (encryption in transit, pseudonymization, minimization).
No personally identifying data is sent to the embeddings provider (OpenAI). AI conversations transmitted to Anthropic are at the Controller's initiative (via the Companion) and traced in the audit log.
10. Liability
Weloom's liability is limited under the terms of the Terms of Service § 10. For breaches falling exclusively under Article 82 GDPR, the legal allocation rules apply.
11. Entry into force
This DPA takes effect on the date of subscription to a paid plan or separate signature by the Controller. For free-trial subscriptions, the DPA also applies by adherence to the Terms of Service.
12. Governing law
This DPA is governed by French law and the GDPR. The competent courts are those defined in the Terms of Service § 12.
13. GDPR contact
For any question: dpo@weloom.ai.