Data Processing Agreement.
Summary of how Mes Papiers handles your data as a processor. The full DPA is available on request.
Roles
When you use Mes Papiers, you are the data controller of the documents and letters you upload. Mes Papiers is the processor: we process those documents on your instructions to produce explanations, reminders, and exports.
Subject matter and duration
We process personal data contained in your documents and letters for as long as your account is active, plus a 30-day grace window after deletion (during which you can restore your account). After that, all personal data is irreversibly deleted.
Categories of data we process
- Account data: email, authentication state
- Document content: photos and PDFs of French administrative documents you upload, plus the structured fields we extract from them (names, dates, addresses, IDs)
- Letter content: photos of admin letters and the explanations we produce
- Usage data: counters for free-tier limits
- Payment data: not stored on our servers — handled by Stripe under their own DPA
Sub-processors
We use the third-party processors listed in our Privacy Policy → Vendors section. Each one has signed a DPA with us; the list is kept current as we change vendors.
International transfers
Some sub-processors (notably Anthropic, our AI provider) are based in the United States. Transfers rely on the EU Standard Contractual Clauses (SCCs) and, where applicable, the EU-US Data Privacy Framework. Details are in the Privacy Policy.
Security measures (Art. 32)
- Application-layer envelope encryption for letter content: every letter explanation is encrypted with a 32-byte AES-256-GCM key unique to the data subject. The key is wrapped under a master key held only in the application server environment, never in the database. A database compromise alone does not yield readable letter content.
- Encryption at rest (AES-256) on all databases and storage
- Encryption in transit (TLS 1.2+) for every request
- EU data residency for personal data: Supabase Frankfurt (database + storage), PostHog EU (analytics), Sentry Germany (error monitoring)
- Anthropic (model sub-processor) does not train on Mes Papiers traffic; Mes Papiers does not train any model on user content
- Access to user documents requires an authenticated session; row-level security enforces per-user isolation
- Audit logs of every administrative access, retained 12 months
- Regular dependency security review and automated CVE scanning
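
The envelope encryption described in the first security measure above, shown as an added example that is not Mes Papiers' own code. Node.js `crypto`, the in-memory `db` object standing in for the database, every function name, and the use of the user ID as GCM associated data are assumptions.

```javascript
const crypto = require('node:crypto');

// AES-256-GCM encrypt: returns the IV, ciphertext and auth tag to be stored together.
function seal(key, plaintext, aad) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  c.setAAD(Buffer.from(aad));
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return { iv, ct, tag: c.getAuthTag() };
}

// AES-256-GCM decrypt: final() throws if the key, associated data or ciphertext is wrong.
function open(key, box, aad) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, box.iv);
  d.setAAD(Buffer.from(aad));
  d.setAuthTag(box.tag);
  return Buffer.concat([d.update(box.ct), d.final()]);
}

// Constructed stand-ins: masterKey exists only in the server environment,
// db holds exactly what a database dump would contain.
const masterKey = crypto.randomBytes(32);
const db = { keys: new Map(), letters: [] };

function storeExplanation(userId, text) {
  if (!db.keys.has(userId)) {
    const dek = crypto.randomBytes(32);                // 32-byte key unique to the data subject
    db.keys.set(userId, seal(masterKey, dek, userId)); // only the wrapped form is persisted
  }
  const dek = open(masterKey, db.keys.get(userId), userId);
  db.letters.push({ userId, ...seal(dek, Buffer.from(text, 'utf8'), userId) });
  return db.letters.length - 1;
}

function readExplanation(key, rowId) {
  const row = db.letters[rowId];
  const dek = open(key, db.keys.get(row.userId), row.userId); // unwrap the subject's key
  return open(dek, row, row.userId).toString('utf8');
}

// Models a reader who holds the database rows but not the master key.
function decryptsWithoutMasterKey(rowId) {
  try { readExplanation(crypto.randomBytes(32), rowId); return true; }
  catch { return false; }
}
```

Binding the user ID as associated data means a wrapped key or ciphertext copied onto another user's row also fails authentication.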
Your rights as controller
You can exercise your GDPR rights — access, portability, rectification, erasure — directly from your account in Settings → Your data. Export and deletion are self-service; rectification and other requests go through privacy@mespapiers.app.
Breach notification
In the event of a personal data breach affecting your data, we will notify you and the CNIL within 72 hours of becoming aware, in accordance with Articles 33 and 34 GDPR.
Request the full DPA
Email privacy@mespapiers.app with the subject “DPA request” and your account email. We’ll send the signed PDF within two business days.
Date of last update
PLACEHOLDER — JJ month YYYY