ELRIC

Data Processing Agreement (DPA)

Data Processing Agreement · Last updated: April 15, 2026

Who is this document for? This DPA is intended for business customers (data controllers) who use Elric to process personal data relating to their own users, employees, prospects, or customers. It formalizes the controller ↔ processor relationship under GDPR Article 28.

If you use Elric only for your own individual personal data, our Privacy Policy applies. Privacy

1. Parties

Processor: Accelerhate SAS, simplified joint-stock company with share capital of EUR 99 — 31 Rue de la Rive, 44230 Saint-Sébastien-sur-Loire, France — Nantes Trade and Companies Register: 989 119 672 — intra-community VAT: FR18989119672.

Controller: any legal entity that subscribed to Elric and accepted the Terms of Service.

2. Purpose

This DPA supplements the Terms of Service and governs Accelerhate’s processing of personal data entrusted to Elric as part of the Service.

It is entered into under Article 28 of Regulation (EU) 2016/679 of April 27, 2016 (GDPR). In case of conflict, this DPA prevails over the Terms for personal-data matters.

3. Definitions

The terms “Personal Data”, “Processing”, “Controller”, “Processor”, “Data Subject”, and “Personal Data Breach” have the meanings given by the GDPR.

4. Description of processing

  • Nature of processing : hosting, indexing, semantic search, AI analysis, summarization, transcription, storage, and transfer to connected third-party services.
  • Purposes : provide Elric: AI assistance, document search, content analysis, task management, and meeting summaries.
  • Categories of data : identification, professional data, uploaded content, conversations, meetings, usage metadata, and data from enabled integrations.
  • Data subjects : the Customer’s employees, clients, prospects, partners, and candidates.
  • Duration : subscription term plus technical deletion period.

5. Sensitive data

The Customer agrees not to upload special categories of data under GDPR Article 9, nor data relating to criminal convictions, unless Accelerhate gives prior written agreement.

6. Controller obligations

  • Have a legal basis for each processing activity performed through Elric.
  • Inform data subjects under GDPR Articles 13 and 14.
  • Collect required consents where consent is the legal basis.
  • Document processing activities in its own register.
  • Ensure data minimization.
  • Notify Accelerhate of data-subject rights requests involving data processed through Elric.

7. Processor obligations

  • Process data only on documented Customer instructions.
  • Ensure confidentiality of processed data.
  • Implement appropriate technical and organizational measures.
  • Assist the Customer with GDPR compliance obligations.
  • Notify the Customer in case of a data breach.
  • Delete or return data at the end of the service.

8. No AI model training

Accelerhate does not use Customer data to train or fine-tune artificial-intelligence models. Data is sent to third-party AI providers only for real-time inference required by a Customer-initiated request.

9. Subprocessors

The Customer authorizes Accelerhate to use subprocessors required to provide the Service. Accelerhate will inform the Customer of any significant addition or replacement with reasonable prior notice.

9.1 Subprocessors

ProviderPurposeLocation
Supabase Inc.PostgreSQL database + authenticationEU (eu-west-1, Ireland)
Vercel Inc.Web application hostingEU / US (edge network)
Google LLCAI inference, OAuth, Google Workspace APIsUS (Data Privacy Framework + SCC)
Recall.aiOnline meeting transcriptionEU (eu-central-1)
Stripe Inc.Payments and billingUS (PCI DSS + SCC)
ResendTransactional emailsUS (SCC)

10. Security measures

  • TLS 1.3 on connections.
  • AES-256 encryption of databases and OAuth credentials.
  • Strict isolation through PostgreSQL Row-Level Security.
  • Access control, logging, and monitoring.
  • Application protections: CSP, HSTS, X-Frame-Options, rate limiting, SSRF protection, and prompt-injection protections.
  • Mandatory human approval for irreversible external actions.
  • Automatic backups and continuous supervision.

11. Data breach

In the event of a personal data breach, Accelerhate will notify the Customer as soon as possible and no later than 72 hours after becoming aware of it. The notice will include the nature of the breach, affected data, likely consequences, and proposed remediation measures.

12. Data-subject rights

Accelerhate assists the Customer, where possible, in responding to data-subject rights requests. The Customer has self-service tools to export data, delete a workspace, and revoke third-party integrations.

13. End of contract — fate of data

At the end of the service, Accelerhate allows the Customer to export data and then deletes personal data within the applicable timelines, except where legal retention obligations apply. A deletion certificate may be provided on written request.

14. Audit

The Customer may conduct one annual audit with 30 days’ written notice, at its own expense, during business hours, without disrupting the Service, and under strict confidentiality. Accelerhate may provide independent audit reports when available.

15. Transfers outside the EU

When personal data is transferred outside the European Union to a country without an adequacy decision, Accelerhate implements appropriate safeguards, including Standard Contractual Clauses.

16. Liability

The parties’ liability under this DPA applies under the conditions set out in the Terms. Each party remains responsible for non-compliance with its own GDPR obligations.

17. Term and termination

This DPA takes effect upon acceptance of the Terms and remains applicable throughout the service term and during the period required for effective data deletion.

18. Governing law

This DPA is governed by French law and the GDPR. Any dispute falls under the exclusive jurisdiction of the courts within the jurisdiction of the Rennes Court of Appeal.

19. DPO / Data protection contact

For any question about this DPA or data protection:

An external DPO may be appointed later if Accelerhate’s processing volume or obligations require it.

jean@elric-ia.com
Accelerhate SAS — 31 Rue de la Rive, 44230 Saint-Sébastien-sur-Loire, France

See also : Terms · Privacy · Legal notice · Security