Data Processing Agreement (DPA)
Last updated: 11 May 2026
This Data Processing Agreement ("DPA") supplements the Terms of Service and governs the processing of personal data carried out by Chut.App BV, a private limited company under Belgian law, BCE/VAT BE 1035.742.145, with registered office at Ballingstraat 116, 8560 Wevelgem, Belgium (the "Processor") on behalf of the Customer (the "Controller") in the context of using the Chut platform.
1. Definitions
- Personal data: any information relating to an identified or identifiable natural person (Art. 4(1) GDPR)
- Processing: any operation performed on personal data (Art. 4(2) GDPR)
- Controller: the Customer, who determines the purposes and means of processing
- Processor: Chut.App BV, who processes the data on behalf of the Controller
2. Subject-matter and duration
2.1 Purpose
The Processor processes personal data solely to deliver the Chut platform services, namely:
- Secure hosting and storage of Customer data
- Accounting (Accounting module): documents, entries, reports
- AI legal assistance (Legal module): document analysis, advice
- Authentication and access management
2.2 Duration
Processing lasts for the entire service-contract term, plus any applicable statutory retention periods.
3. Categories of processed data
3.1 Types of personal data
| Category | Examples |
|---|---|
| Identity data | Name, email address, user identifier |
| Company identifiers | BCE number, VAT number, legal name, registered address |
| Financial documents | Invoices, receipts, statements |
| Accounting data | Entries, chart of accounts, journals |
| Third-party contact data | Contact details of the Customer's suppliers and customers |
| Legal documents | Contracts, articles of incorporation (Legal module) |
| AI conversations | History of exchanges with AI agents (Legal module) |
3.2 Categories of data subjects
- Employees and collaborators of the Customer
- Customers and suppliers of the Customer
4. Processor obligations
The Processor undertakes to:
- Process data only on documented instructions of the Controller (Art. 28(3)(a) GDPR)
- Ensure confidentiality: all staff are subject to a confidentiality obligation
- Implement the technical and organisational measures described in section 5
- Not engage a sub-processor without prior notification (see section 6)
- Assist the Controller with data-subject rights (Art. 28(3)(e) GDPR)
- Notify any data breach within 24 hours (see section 7)
- Delete or return all data at the end of the contract, subject to statutory retention
- Make available the information needed to demonstrate compliance (Art. 28(3)(h) GDPR)
5. Technical and organisational measures
5.1 Encryption
- In transit: TLS 1.2 minimum on all communications
- At rest: AES-256 encryption on all databases and object storage
5.2 Data isolation
- PostgreSQL Row-Level Security (RLS) for full data isolation between tenants
- Every query runs in the authenticated tenant's context
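An added illustration of the isolation mechanism described in 5.2, showing how a Row-Level Security policy ties every row to the session's authenticated tenant (example SQL, not Chut's own schema; the table, columns, role and the `app.tenant_id` setting name are assumptions):

```sql
-- Added example, not Chut's schema: per-tenant isolation with PostgreSQL RLS.
-- Table, column, role and setting names are assumptions.
CREATE TABLE invoices (
    id           bigserial PRIMARY KEY,
    tenant_id    uuid   NOT NULL,
    number       text   NOT NULL,
    amount_cents bigint NOT NULL
);

-- The application connects as a role that does not own the table and is
-- not a superuser, so it cannot bypass the policy.
CREATE ROLE app_user NOLOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON invoices TO app_user;

ALTER TABLE invoices ENABLE ROW LEVEL SECURITY;
ALTER TABLE invoices FORCE ROW LEVEL SECURITY;   -- applies to the owner as well

-- Every statement only sees and only writes rows whose tenant_id equals the
-- session's tenant. current_setting(..., true) returns NULL (and NULLIF turns
-- an empty value into NULL) when no tenant is set, so an unauthenticated
-- session matches no rows instead of failing open.
CREATE POLICY tenant_isolation ON invoices
    FOR ALL TO app_user
    USING      (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid)
    WITH CHECK (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid);

-- Per request: the backend sets the tenant from the authenticated session
-- before running queries. SET LOCAL scopes the value to this transaction, so a
-- pooled connection cannot carry one tenant's context into the next request.
BEGIN;
SET LOCAL app.tenant_id = '11111111-1111-1111-1111-111111111111';  -- constructed id
INSERT INTO invoices (tenant_id, number, amount_cents)
    VALUES (current_setting('app.tenant_id')::uuid, 'INV-0001', 12500);
SELECT id, number FROM invoices;   -- restricted to the current tenant's rows
COMMIT;

-- Outside a transaction with a tenant set, the policy matches no rows at all.
SELECT count(*) FROM invoices;
```

Inserting a row with a different `tenant_id` than the session's is rejected by the `WITH CHECK` clause, which is what prevents a bug in application code from writing into another tenant's data.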
5.3 Network isolation
- Scaleway VPC Private Network: all application resources deploy inside an isolated private network
- Databases reachable only from the private VPC; no public access
- Network filtering and segmentation at the VPC and container-namespace level
5.4 Identity and secrets management
- Scaleway IAM Applications auto-bound to container namespaces: no long-term secret stored in code
- Encrypted-at-rest environment variables for application secrets; rotation documented
- MFA required for all infrastructure-administration access
5.5 Logging
- Structured (JSON) audit logs on every data operation
- Log retention: 2 years
- Real-time monitoring via Scaleway Cockpit and application alerting
6. Sub-processors
The Processor uses the sub-processors listed at /sub-processors.
Confidentiality and data-protection commitments of sub-processors are governed by their respective DPAs, referenced on the sub-processors page (Scaleway DPA, OpenAI Ireland DPA, Google Ads DPA, iDenfy DPA).
6.1 Change notification
- The Controller will be notified at least 30 days before any addition or replacement of a sub-processor, by email to the account administrator
- The Controller has 30 days to raise a reasoned objection
- If an unresolved objection remains, the Controller may terminate the contract without charge
7. Data-breach notification
In the event of a data breach, the Processor:
- Notifies the Controller within 24 hours of discovery
- Provides the information required by Art. 33(3) GDPR: nature of the breach, categories and number of data subjects, likely consequences, measures taken
- Assists the Controller with notifications to the Belgian Data Protection Authority (72 hours) and to data subjects (Art. 34 GDPR)
8. Data retention
| Category | Retention | Basis |
|---|---|---|
| Active account data | Term of contract + 30 days | Contractual |
| Accounting documents | 7 years | Belgian Economic Law Code, Art. III.86 |
| AI conversations | 1 year after last activity | Legitimate interest |
| Audit logs | 2 years (anonymised thereafter) | Legitimate interest |
| Backups | 30 days rolling | Business continuity |
9. Data-subject rights
The Processor assists the Controller in responding to data-subject requests:
- Right of access (Art. 15) — full JSON export of data
- Right to rectification (Art. 16) — edit via the interface
- Right to erasure (Art. 17) — deletion with a 30-day grace period
- Right to portability (Art. 20) — structured JSON export
- Right to restriction (Art. 18) — on request to the DPO
- Right to object (Art. 21) — disable AI processing
Technical endpoints are available per backend: GET /data-export, DELETE /account, POST /account/cancel-deletion.
10. Audits
The Controller may, at its own cost and with reasonable 30-day notice, conduct or have conducted a compliance audit of the Processor. The Processor will make the necessary information available and facilitate the audit.
11. Governing law
This DPA is governed by Belgian law and the GDPR. Any dispute is subject to the exclusive jurisdiction of the courts of Chut's registered seat, namely the Business Court of Ghent, Kortrijk division.