FerrLens


Data Processing Agreement

Last updated · 2026-05-17

This DPA applies automatically when you subscribe to a paid FerrLens plan (Pro, Team or Enterprise). It governs how FerrLabs ("us", the processor) handles personal data on behalf of you ("you", the controller) under GDPR Art. 28. Free / anonymous use is not covered — there's no controller / processor relationship because we don't process personal data on your behalf.

1. Scope

FerrLabs SAS processes personal data only as needed to deliver the FerrLens service you subscribe to: storing your scan history, your saved monitors, your API tokens, your team members' login state. Nothing else.

2. What data we process for you

  • The URLs and inputs you submit through the tools (typically not personal data, but we treat them as such by default).
  • Your account identifiers and your team members' identifiers (email, name) coming from auth.ferrlabs.com.
  • Your scan history, saved monitor configurations, share snapshots you create.
  • Billing data (handled by Stripe — see subprocessors).

3. Duration

We process your data for the duration of your subscription, plus 30 days after cancellation for deletion / export requests. After those 30 days we permanently delete your data, so export it before then.

4. Our obligations

  • Process data only on your documented instructions (clicking buttons in the UI / calling the API counts as documented instructions).
  • Ensure our team is bound by confidentiality.
  • Implement technical and organisational measures (encryption at rest, encryption in transit, access logs, least-privilege RBAC, regular backups, incident response).
  • Notify you without undue delay (within 72 hours) of any personal data breach affecting your data.
  • Assist you in responding to data subject requests (access, erasure, rectification, portability) — typically by giving you UI to do it yourself; otherwise within 30 days of your request.
  • Delete or return all personal data after the end of the agreement (your choice).

5. Subprocessors

Our subprocessors are listed at /legal/subprocessors and updated when a new one is added. You'll see the update in the FerrLabs changelog. If you object to a new subprocessor you can cancel your subscription within 30 days for a pro-rata refund.

6. International transfers

All processing happens in France (EU). The only edge case: Stripe processes payments in the EU but is a US company; transfers happen under the EU-US Data Privacy Framework.

7. Audit

Once per calendar year, with 30 days' notice, you can audit our compliance with this DPA by asking written questions; we respond within 30 days with evidence. On-site audits are reserved for enterprise customers and scheduled in advance.

8. Liability and indemnity

The liability terms in our Terms of service apply. Each party remains responsible for its own compliance with GDPR.

9. Sign a separate copy

For procurement teams who need a counter-signed DPA on letterhead, email legal@ferrlabs.com. We use the standard SCC-aligned template from gdpr.eu pre-filled with our details — no surprises.