Legal

Data Processing Agreement

This DPA governs processing of personal data when you use the Law4Devs API in connection with data subjects in the EU. Effective 14 March 2026.

GDPR Art. 28

Scope & applicability

This Data Processing Agreement ("DPA") supplements the Law4Devs Terms of Service and applies when the User ("Controller") uses the Law4Devs API in a manner that involves the processing of personal data on behalf of the User, making Hamlaoui & Co. ("Processor") a sub-processor under GDPR Art. 28.

The Law4Devs API delivers structured EU regulatory text — it does not itself process personal data of end-users. This DPA is relevant only where the User's application transmits personal data to the API (e.g., queries containing user identifiers) or where the User's compliance tool processes personal data and relies on Law4Devs outputs.

Parties

Processor details

  • ProcessorHamlaoui & Co.
  • SIRET102 404 456 00018
  • Address254 Rue Vendôme, 69003 Lyon, France
  • Contact[email protected]
  • DPA authorityCNIL — Commission Nationale de l'Informatique et des Libertés

Processing Details

Nature of processing

Where applicable, we process personal data only to the extent strictly necessary to provide the API service described in the Terms of Service. Specifically:

  • ·Processing is limited to executing API requests you submit.
  • ·No personal data received through API queries is retained beyond the duration of the request.
  • ·API request logs (IP, timestamp, endpoint, response code) are retained for 13 months for security and billing, then deleted.
  • ·We do not sell, share, or use personal data for any purpose outside service delivery.

Obligations

Processor obligations (Art. 28.3)

We agree to:

  • ·Process personal data only on your documented instructions.
  • ·Ensure that anyone authorised to process personal data has committed to confidentiality.
  • ·Implement appropriate technical and organisational security measures (Art. 32).
  • ·Not engage sub-processors without your prior written consent, except for Scaleway SAS (infrastructure hosting).
  • ·Help you fulfil requests from data subjects exercising GDPR rights.
  • ·Delete or return all personal data to you upon termination of service.
  • ·Make available all information necessary to demonstrate compliance with Art. 28.

Sub-processors

Authorised sub-processors

The Controller authorises the following sub-processor:

Scaleway SAS

8 rue de la Ville l'Evêque, 75008 Paris, France

Role: Infrastructure hosting within the EU. Scaleway's own DPA is available at www.scaleway.com/en/privacy/.

Security & Breaches

Data security

We maintain appropriate technical and organisational measures including encryption at rest and in transit, access controls, and audit logging. In the event of a personal data breach, we will notify you without undue delay (and in any case within 72 hours of becoming aware), so you can fulfil your own GDPR notification obligations.

Governing Law

Applicable law

This DPA is governed by French law. Disputes shall be subject to the exclusive jurisdiction of the courts of Lyon, France.

To enter into a signed version of this DPA or request custom contractual clauses, contact [email protected].