Last Updated: November 30, 2025
Website: openaleph.io

This Data Processing Agreement (“DPA”) forms part of the Terms of Service or any other agreement between Seven SAS, a company registered in France with its registered office at 5 Rue Moret, 75011 Paris, France (“Processor”, “We”), and the Client (“You”) using the OpenAleph platform.

This DPA governs the processing of personal data performed by Seven SAS on behalf of the Client in accordance with Regulation (EU) 2016/679 (GDPR).

1. Purpose of this DPA

This DPA describes how Seven SAS acts as a data processor and processes personal data solely for the purpose of providing, maintaining, and securing the OpenAleph platform and related services.

2. Categories of Personal Data Processed

Seven SAS may process the following data categories:

• Identification data: name, email address, job title

• HR-related data: skills, evaluations, interview answers, performance notes, comments

• Technical data: access logs, IP address, device data, metadata

• Usage data: interactions within the platform, activity timestamps

• Any information entered by the Client or users into OpenAleph

Seven SAS does not request or require sensitive data (Art. 9 GDPR), unless voluntarily submitted by the Client.

3. Purpose of the Processing

Personal data is processed exclusively for:

• Providing and operating the OpenAleph platform

• Ensuring hosting, maintenance, backups, and security

• Delivering customer support and issue resolution

• Improving performance, reliability, and user experience

No personal data is used for marketing purposes without the Client’s explicit consent.

4. Data Location & Sub-Processors

4.1 Data Location

All primary data is hosted in France by:
OVHcloud – France (GDPR compliant)

4.2 Authorized Sub-Processors

To deliver and operate the OpenAleph platform, Seven SAS relies on selected external service providers acting as sub-processors. These providers support essential technical functions such as hosting, email delivery, analytics, media storage, and AI-powered features. All sub-processors used by Seven SAS are vetted for security and GDPR compliance, and Seven SAS ensures that they are contractually bound to confidentiality, security, and data protection obligations equivalent to those in this DPA.

The current authorized sub-processors are:

OVHcloud (France — EU)
Used for hosting infrastructure and storage of all primary platform data. OVHcloud provides full EU data residency and GDPR compliance.

Postmark (USA)
Used for sending transactional emails such as verification messages and system notifications. International data transfers rely on Standard Contractual Clauses (SCC).

Microsoft Clarity (USA)
Used to analyze platform usage patterns and improve user experience. Data is anonymized where possible, and international transfers rely on SCC.

Google Firebase (EU / USA)
Used for mobile analytics and crash reporting. Firebase offers GDPR configuration options with EU data residency for several services. Where international transfers occur, SCC are applied.

Cloudinary (EU region)
Used for storing and processing media assets such as profile pictures and uploaded images. Cloudinary is configured to store data exclusively in EU regions, ensuring GDPR-compliant data residency.

OpenAI – ChatGPT API (USA)
Used in specific OpenAleph features that involve AI-powered content creation, translation, and automated analytics generation. Only the minimum required data is sent for inference, OpenAI does not use API data for training, and SCC apply to international transfers.

Seven SAS may update this list when new sub-processors are added or existing providers are replaced to maintain or enhance service quality. The Client may request notification of such changes or additional information at any time.

5. Security Measures

Seven SAS implements industry-standard technical and organizational measures, including:

• Encryption in transit (HTTPS / TLS)

• Strict internal access control and role-based permissions

• Logging and audit trails for access and activity

• Regular backups and secure storage

• Monitoring and incident alerting

• Environment segregation for development, staging, and production

6. Confidentiality

Seven SAS ensures that:

• Only authorized personnel may access personal data

• All staff are bound by confidentiality obligations

• Personal data is never sold or shared with unauthorized third parties

7. Data Breach Notification

If a personal data breach occurs, Seven SAS will:

• Notify the Client without undue delay,

• Provide all relevant details required to comply with Articles 33 and 34 of the GDPR,

• Support the Client in fulfilling any legal obligations related to the breach.

8. Rights of the Client

The Client may request:

• Access, correction, or deletion of personal data

• Restriction of processing

• Data portability in a structured, commonly used format

• Support in handling data subject requests (Art. 12–23 GDPR)

Seven SAS assists the Client in responding to such requests.

9. Retention & Deletion of Data

Upon termination of the service agreement:

• Data may be returned to the Client upon request

• All personal data will be deleted from Seven SAS systems within 90 days, unless legal requirements mandate longer retention

Backups containing personal data follow the same deletion schedule.

10. Audit Rights

The Client may request a documentation-based audit to assess GDPR compliance.
Audits must be:

• Reasonably limited in scope

• Scheduled in advance

• Non-disruptive to Seven SAS operations

11. Liability

Each party is independently responsible for compliance with its GDPR obligations.
Seven SAS is liable solely for processing activities performed in its capacity as a data processor.

12. Contact Information

For all privacy or data protection inquiries:

support@byseven.co
Seven SAS, 5 Rue Moret, 75011 Paris, France
openaleph.io