Data Protection Agreement
Last updated: April 17, 2026
This Data Protection Agreement (“DPA”) forms part of the Terms and Conditions between OpenPrisma EURL, 66 Avenue des Champs-Elysees, 75008 Paris, France (“Processor”, “Claper”, “we”, “us”) and you (“Controller”, “you”) for the use of app.claper.co.
1. Definitions
- GDPR: Regulation (EU) 2016/679 (General Data Protection Regulation)
- Personal Data: Any information relating to an identified or identifiable natural person
- Processing: Any operation performed on Personal Data
- Data Subject: The individual to whom the Personal Data relates
- Sub-processor: A third party engaged by the Processor to process Personal Data
2. Scope and Roles
When you use Claper Cloud to host interactive events, you act as the Data Controller and Claper acts as the Data Processor in respect of the personal data of your event participants.
Data Processed
| Category | Data Types | Data Subjects |
|---|---|---|
| Account Data | Email, name, password hash | Presenters / organizers |
| Event Interaction Data | Messages, poll responses, quiz answers, form submissions | Event participants |
| Technical Data | IP address, browser info, device info | All users |
Purpose and Duration
Personal Data is processed solely to provide the Claper interactive presentation service. Processing continues for the duration of your use of the service and until all Personal Data is deleted in accordance with this DPA.
3. Obligations of the Processor
Claper shall:
- Process Personal Data only on your documented instructions, unless required by EU or Member State law
- Ensure that persons authorized to process Personal Data are bound by confidentiality obligations
- Implement appropriate technical and organizational security measures
- Not engage another processor without your prior general written authorization (see Sub-processors section)
- Assist you in responding to requests from Data Subjects exercising their rights under the GDPR
- Assist you in ensuring compliance with obligations related to security, breach notification, and data protection impact assessments
- At your choice, delete or return all Personal Data upon termination of the service
- Make available all information necessary to demonstrate compliance and allow for audits
4. Sub-processors
We maintain a list of sub-processors on our Subprocessors page. By agreeing to this DPA, you provide general authorization for us to engage sub-processors listed on that page.
We will notify you of any intended changes to our sub-processors by updating the Subprocessors page. You may object to a new sub-processor by contacting us within 30 days of the update.
5. International Data Transfers
All primary data is stored and processed within the European Union on Hetzner Cloud infrastructure. Some sub-processors may process data outside the EU (see Subprocessors). Where such transfers occur, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses approved by the European Commission.
6. Security Measures
We implement the following technical and organizational measures:
- Encryption in transit: All data is transmitted over TLS 1.2 or higher
- Encryption at rest: Data is encrypted at rest using industry-standard encryption
- Access controls: Role-based access with principle of least privilege
- Error monitoring: Sentry for real-time error detection and resolution
- Backups: Regular encrypted backups stored within the EU on Hetzner infrastructure
- Open source: Our source code is publicly available on GitHub for security review
7. Data Breach Notification
In the event of a Personal Data breach, we will:
- Notify you without undue delay, and in any event within 72 hours of becoming aware of the breach
- Provide sufficient information to allow you to meet your obligations under GDPR Article 33
- Cooperate with you and take reasonable steps to assist in the investigation and mitigation of the breach
8. Audit Rights
You have the right to audit our compliance with this DPA. Audits shall be conducted with reasonable advance notice, during normal business hours, and in a manner that does not disrupt our operations.
9. Term and Termination
This DPA is effective for as long as we process Personal Data on your behalf. Upon termination of the service, we will delete all Personal Data within 30 days, unless retention is required by applicable law.
10. Governing Law
This DPA is governed by the laws of France and the GDPR. Any disputes shall be subject to the exclusive jurisdiction of the courts of Paris, France.
Contact
For questions about this DPA: alex@claper.co