Devaito Privacy & Legal Hub

Last Revised: 29 April 2026 · Effective: 29 April 2026

This page consolidates Devaito's privacy and data-protection commitments. It contains five documents that together form our complete privacy framework. Each document is identified, dated, and can be referenced independently:

Part A (Privacy Policy)
Part B (Cookie Policy)
Part C (Data Processing Addendum)
Part D (Subprocessors)
Part E (Legal Notice)

If you have signed a separate written agreement with Devaito (Master Services Agreement, Order Form, or similar), that agreement may modify the terms of Part C (DPA) for your use of the Services.


Part A — Privacy Policy

Last revised: 29 April 2026 · Section identifier: PRIV-2026-04

Devaito SAS ("Devaito", "we", "our", "us") cares about your privacy. This Privacy Policy explains what Personal Data we collect, why we collect it, how we use it, who we share it with, how long we keep it, and what rights you have. It applies to all visitors and users of our websites, web applications, mobile applications, APIs, and related services (collectively, the "Services").

By using the Services, you confirm that you have read this Privacy Policy. If you do not agree, please stop using the Services. This Privacy Policy is incorporated into our Terms of Use.

A.1. Who We Are

The data controller for the processing described in this Privacy Policy is Devaito SAS, a French société par actions simplifiée. Statutory information is available in Part E (Legal Notice). For privacy enquiries, contact .

This Privacy Policy applies when Devaito acts as a controller. When you use the Services to process Personal Data of your visitors, customers, or members (your "End Users"), Devaito acts as your processor, and Part C (Data Processing Addendum) governs that processing.

A.2. What Personal Data We Collect

A.2.1 Information You Provide

When you create an account, contact us, subscribe to communications, register a domain, purchase a Paid Service, or otherwise interact with us, you may provide:

Identification data: name, email address, phone number, postal address, country of residence, language preference.

Account data: username, password (stored hashed and salted, never in plaintext), profile picture, account preferences, role, organization name.

Billing data: billing address, VAT number, business identification number, last four digits of payment card, payment provider tokens, invoice history. We do not store full payment-card numbers; these are handled by our PCI-DSS-compliant payment processors.

Communications data: the content of support tickets, emails, chat messages, and call recordings (where applicable and notified).

Identification documents: where required for fraud prevention, sanctions screening, or KYC obligations, copies of ID cards, passports, or business-registration documents.

A.2.2 Information Collected Automatically

When you use the Services, we automatically collect:

Device and connection data: IP address, device identifiers, browser type and version, operating system, screen resolution, language, timezone.

Usage data: pages viewed, clicks, features used, sessions, performance metrics, error logs, referring and exit pages, timestamps.

Location data: approximate location derived from IP address (city/country level only). We do not collect precise GPS location unless you grant explicit permission in a mobile app.

Cookies and similar technologies: see Part B (Cookie Policy).

A.2.3 Information from Third Parties

We may receive Personal Data from:

Identity and authentication providers (e.g. Google, Apple, Facebook) when you sign in via their services — limited to the data you authorize them to share.

Payment processors regarding the status of transactions.

Fraud-prevention and sanctions-screening providers for compliance and security.

Analytics and advertising partners for measurement and attribution (only where we have a lawful basis).

Resellers and partners if you sign up through one of them.

A.2.4 Sensitive Data

We do not knowingly collect special categories of Personal Data (such as data revealing health, political opinions, religion, sexual orientation, biometric data, or trade-union membership) and we ask you not to provide such data to us. If you upload such data as part of your User Content, you do so as a controller and you are responsible for its lawful basis.

A.3. Why We Process Your Personal Data and Legal Bases

Under the GDPR, every processing activity must have a legal basis. The following sets out the main purposes for which Devaito processes Personal Data and the legal basis we rely on.

A.3.1 To Provide and Operate the Services

Purpose: create your account, authenticate you, deliver the Services, process transactions, manage subscriptions, provide customer support.
Legal basis: performance of the contract (Article 6(1)(b) GDPR).

A.3.2 To Communicate with You About the Services

Purpose: send service announcements, security alerts, billing notices, account confirmations, transactional communications.
Legal basis: performance of the contract and our legitimate interests (Article 6(1)(b) and (f) GDPR).

A.3.3 For Security, Fraud Prevention, and Compliance

Purpose: detect and prevent fraud, abuse, and security incidents; verify identity; screen for sanctions; comply with anti-money-laundering, tax, accounting, and other legal obligations.
Legal basis: compliance with our legal obligations (Article 6(1)(c) GDPR) and our legitimate interests (Article 6(1)(f) GDPR).

A.3.4 To Improve the Services

Purpose: analyze usage, debug, A/B test, develop new features.
Legal basis: our legitimate interests, balanced against your privacy rights (Article 6(1)(f) GDPR). For non-essential analytics that rely on cookies, we rely on your consent (Article 6(1)(a) GDPR and Article 82 of the French Loi Informatique et Libertés).

A.3.5 For Marketing

Purpose: send promotional emails about features, offers, and events; show personalized advertising; measure campaign performance.
Legal basis: your consent (Article 6(1)(a) GDPR), withdrawable at any time. For existing customers, we may rely on the soft opt-in under Article L.34-5 of the French Code des postes et des communications électroniques to send you marketing about similar services, with an easy unsubscribe.

A.3.6 To Train and Improve Our AI Models

Purpose: as further described in Section A.4, improve our AI models and features.
Legal basis: your explicit opt-in consent (Article 6(1)(a) GDPR). We do not rely on legitimate interests for training-related processing of Personal Data.

A.3.7 For Legal Claims and Disputes

Purpose: establish, exercise, or defend legal claims; respond to lawful requests from authorities.
Legal basis: our legitimate interests and compliance with legal obligations (Article 6(1)(c) and (f) GDPR).

A.3.8 Automated Decision-Making

We do not use solely-automated decision-making producing legal effects on you within the meaning of Article 22 GDPR. We do use automated systems for fraud detection, abuse prevention, and content moderation, but human review is available where these systems produce decisions that materially affect you (such as account suspension). To request human review, contact .

A.4. AI Services and Personal Data

A.4.1 What the AI Services Do

The AI Services let you generate text, images, code, designs, and other content from prompts ("Inputs") to produce results ("Outputs"). Inputs and Outputs may contain Personal Data if you choose to include it.

A.4.2 How We Process Inputs and Outputs

Inputs and Outputs are processed to provide the AI Services to you, including by transmitting them to and from third-party AI model providers. The list of current AI providers is in Part D (Subprocessors).

A.4.3 Use for AI Model Training

Paid plans: Devaito does not use the content of your Inputs or Outputs to train its proprietary AI models. We use only anonymized usage signals (latency, error rates, feature usage).

Free plans: we will not use your Inputs or Outputs to train AI models unless you explicitly opt in through your account settings. This consent is granular, separate from your acceptance of the Terms, and revocable at any time. Withdrawal does not affect the lawfulness of prior processing.

Third-party providers: we contractually require our third-party AI providers not to train their models on your Inputs and Outputs unless you have separately opted in.

A.4.4 Sensitive Data and AI

We strongly advise you not to include sensitive Personal Data in Inputs to the AI Services. If you do, you are responsible for ensuring you have a lawful basis under Article 9 GDPR.

A.4.5 AI Transparency

Where required by Regulation (EU) 2024/1689 (the EU AI Act), we will inform you that you are interacting with an AI system and disclose AI-generated or AI-modified content. You remain responsible for AI-disclosure obligations on your own User Platform.

A.5. Who We Share Your Personal Data With

We share Personal Data only with parties who have a legitimate need to process it.

A.5.1 Service Providers (Subprocessors)

We rely on selected service providers to operate the Services. Each is contractually bound to protect your Personal Data and to process it only on our instructions. The current list is in Part D (Subprocessors).

A.5.2 Affiliates

We may share Personal Data with our affiliates and group entities for the purposes described in this Privacy Policy. Intra-group transfers are governed by appropriate safeguards, including Standard Contractual Clauses where applicable.

A.5.3 Authorities and Legal Requirements

We may disclose Personal Data when legally required, including in response to valid subpoenas, court orders, or other lawful demands; to comply with tax, accounting, or regulatory obligations; or to protect our rights, our users, or the public. We assess each request for legality and necessity, and notify you where legally permitted.

A.5.4 Business Transfers

If Devaito is involved in a merger, acquisition, sale of assets, financing, or insolvency, your Personal Data may be transferred to the parties involved, subject to confidentiality obligations and the terms of this Privacy Policy.

A.5.5 With Your Direction or Consent

We share Personal Data with third parties when you direct us to (e.g., when you connect a third-party app via our marketplace) or with your separate consent.

A.5.6 No Sale of Personal Data

Devaito does not sell your Personal Data in the ordinary meaning of "sale". For the purposes of certain U.S. state laws (see Section A.13), some sharing for cross-context behavioral advertising may qualify as a "sale" or "share" under broad statutory definitions; you have the right to opt out.

A.6. International Data Transfers

Devaito is established in France. We may transfer Personal Data to countries outside the European Economic Area (EEA), the United Kingdom, or Switzerland. Where we do, we rely on:

(a) Adequacy decisions issued by the European Commission, the UK Government, or the Swiss Federal Council.

(b) Standard Contractual Clauses approved by the European Commission (Decision 2021/914) and, for UK transfers, the UK International Data Transfer Addendum.

(c) EU-U.S. Data Privacy Framework, where the recipient is certified.

(d) Other recognized transfer mechanisms as permitted by applicable law.

We have conducted transfer-impact assessments where required and implement supplementary measures (encryption, pseudonymization, access controls) where appropriate. To request a copy of the safeguards in place for a specific transfer, contact .

A.7. How Long We Keep Your Personal Data

We keep Personal Data only as long as necessary for the purposes described in this Privacy Policy or as required by law:

Account data: for the duration of your account, plus up to ninety (90) days after account closure.

Billing and tax records: ten (10) years from the end of the relevant financial year (Article L.123-22 of the French Code de commerce; Article L.102 B of the French Livre des procédures fiscales).

Identity verification records: five (5) years after the end of the relationship (anti-money-laundering rules).

Marketing data: three (3) years from your last interaction (CNIL guidance).

Customer support records: five (5) years from closure of the support case.

Cookies: as set out in Part B; maximum thirteen (13) months for analytics and advertising cookies (CNIL guidance).

Server logs: twelve (12) months for security and debugging.

AI Inputs and Outputs: stored for as long as your account exists, unless deleted earlier by you.

After the applicable retention period, we delete or anonymize Personal Data. Some data may be retained longer to comply with legal obligations or defend claims; access is restricted to those purposes.

A.8. How We Protect Your Personal Data

We implement appropriate technical and organizational measures, including:

– Encryption in transit (TLS) and at rest for sensitive data.

– Access controls based on the principle of least privilege.

– Multi-factor authentication for administrative access.

– Regular security assessments, penetration testing, and vulnerability management.

– PCI-DSS compliance for payment-card data handling.

– Employee training on security and data protection.

– Incident-response procedures and breach-notification protocols.

No system can be guaranteed fully secure. You are responsible for the security of your account credentials and for using strong unique passwords. If you suspect unauthorized access, contact immediately.

A.9. Your Rights

Subject to applicable law, you have the following rights:

Right of access: obtain confirmation of whether we process your Personal Data and a copy.

Right to rectification: have inaccurate or incomplete data corrected.

Right to erasure: have your Personal Data deleted in certain circumstances.

Right to restriction: ask us to restrict processing.

Right to data portability: receive your Personal Data in a structured, commonly used, machine-readable format.

Right to object: object to processing based on legitimate interests, including profiling, and to direct marketing.

Right to withdraw consent: withdraw consent at any time without affecting the lawfulness of prior processing.

Right to lodge a complaint: with a supervisory authority (in France, the CNIL: cnil.fr).

Right to define directives concerning the fate of your data after death: under Article 85 of the French Loi Informatique et Libertés.

A.9.1 How to Exercise Your Rights

To exercise any of these rights: (a) use the privacy controls in your account settings, including data export and account-deletion features; or (b) contact .

We respond within one (1) month of receipt, extendable by two (2) months for complex requests (Article 12 GDPR). We may verify your identity. We may charge a reasonable fee or refuse manifestly unfounded or excessive requests.

A.9.2 Account Deletion

You can delete your account at any time through your settings. Deletion permanently removes your User Content from active systems within ninety (90) days, except where retention is required by law or for legitimate purposes.

A.10. Children's Privacy

The Services are not directed to children under sixteen (16) (or the higher minimum digital-consent age in your jurisdiction). We do not knowingly collect Personal Data from children under that age. If you believe a child has provided Personal Data to us, contact . If you operate a User Platform that collects data from children, you are responsible for obtaining verifiable parental consent and complying with applicable laws (including the GDPR, the U.S. Children's Online Privacy Protection Act, and the UK Age-Appropriate Design Code).

A.11. Communications from Devaito

A.11.1 Service and Billing Communications

We send essential communications about your account, security, billing, and material changes to the Services. These cannot be opted out of while you maintain an account.

A.11.2 Marketing Communications

We send marketing only to recipients who have provided consent or who are existing customers receiving information about similar services (soft opt-in). You can unsubscribe at any time using the link in any marketing email or by contacting .

A.12. End-User Data

If you use the Services to operate a User Platform, you collect Personal Data from your own End Users. For that processing, you are the controller and Devaito is your processor. Part C (DPA) governs this relationship. You must:

(a) have a lawful basis for processing End-User data;

(b) maintain a transparent privacy policy on your User Platform;

(c) honor End-User rights under applicable law;

(d) implement appropriate security measures and respond to data-subject requests as controller.

Devaito has no direct relationship with your End Users. End Users wishing to exercise their rights regarding data processed through your User Platform must contact you directly.

A.13. Specific Information for U.S. State Residents

This section applies if you are a resident of a U.S. state with an applicable consumer-privacy law, including California (CCPA/CPRA), Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Oregon, Montana, Iowa, Tennessee, Indiana, New Jersey, Delaware, New Hampshire, Minnesota, Maryland, and others.

A.13.1 Categories of Personal Information

Categories collected (CCPA categories): identifiers; commercial information; internet or other electronic network activity information; geolocation data (approximate only); audio, electronic, visual, or similar information (e.g. support call recordings); professional or employment-related information (where you provide it); inferences drawn from the above.

A.13.2 Sources, Purposes, Disclosures

See Sections A.2, A.3, and A.5.

A.13.3 Sensitive Personal Information

We do not knowingly process sensitive Personal Information beyond what is needed to perform the Services and comply with law. We do not use sensitive Personal Information to infer characteristics about you.

A.13.4 Sale and Sharing

We do not sell Personal Information for monetary consideration. We may engage in "sharing" or "targeted advertising" as defined under U.S. state laws when we use advertising cookies. You have the right to opt out.

A.13.5 Your U.S. Rights

Subject to your state's law, you may have the right to: (a) Know / Access; (b) Correct; (c) Delete; (d) Opt out of sale or sharing; (e) Limit use of sensitive Personal Information; (f) Non-discrimination; (g) Appeal.

A.13.6 How to Exercise U.S. Rights

– Email with subject "U.S. State Privacy Request" and your state of residence.

– Use the "Do Not Sell or Share My Personal Information" link in our footer.

– Submit a Global Privacy Control (GPC) signal through your browser; we honor GPC as an opt-out request where required by law.

We may verify your identity. We respond within the timeframes required by your state's law (generally 45 days, extendable by 45 days). To appeal, reply with subject "Appeal".

A.13.7 Authorized Agents

You may designate an authorized agent. We will require proof of authorization and may require you to verify your identity directly with us.

A.13.8 California Shine the Light

California residents may request a list of categories of Personal Information disclosed to third parties for direct marketing in the previous calendar year. Send to .

A.13.9 Children Under 16 (California)

We do not knowingly sell or share Personal Information of California residents under sixteen (16) without affirmative authorization.

A.14. Specific Information for UK Residents

The UK GDPR and the Data Protection Act 2018 apply. Your rights are equivalent to those set out in Section A.9. The supervisory authority is the UK Information Commissioner's Office (ICO), accessible at ico.org.uk.

A.15. Other Regions

If you reside in a country with a specific data-protection law not addressed above (Brazil's LGPD, Canada's PIPEDA, Australia's Privacy Act, etc.), you may have additional rights. Contact .

A.16. Updates to the Privacy Policy

For material changes — including changes that expand the categories of data collected, the purposes of processing, or recipients of disclosure — we will provide at least thirty (30) days' advance notice through the Services or by email. Non-material updates are posted with an updated "Last Revised" date. Continued use after the effective date constitutes acceptance, except where applicable law requires renewed consent.


Part B — Cookie Policy

Last revised: 29 April 2026 · Section identifier: COOK-2026-04

B.1. What Are Cookies

Cookies are small text files placed on your device when you visit a website. Similar technologies include pixels, web beacons, local storage, and software development kits (SDKs). In this Cookie Policy, "Cookies" refers to all of these.

B.2. Categories of Cookies We Use

B.2.1 Strictly Necessary Cookies (always on)

Essential for the Services to function. These do not require consent under Article 82 of the French Loi Informatique et Libertés.

Examples: session authentication, CSRF protection, load balancing, language preference, security challenge tokens (e.g. Cloudflare Turnstile).

Typical lifespan: session to 12 months.

B.2.2 Functional Cookies (consent required)

Remember your preferences and settings to enhance your experience.

Examples: theme preference, recently viewed items, dismissed banners.

Typical lifespan: up to 13 months.

B.2.3 Analytics Cookies (consent required)

Help us understand how the Services are used.

Examples: page views, clicks, session duration, error tracking.

Typical lifespan: up to 13 months (CNIL guidance).

B.2.4 Advertising and Marketing Cookies (consent required)

Used to deliver and measure advertising on Devaito and third-party platforms.

Examples: conversion tracking, audience-building, retargeting, attribution.

Typical lifespan: up to 13 months.

B.3. How to Manage Cookies

You can accept or refuse non-essential Cookies through our cookie banner shown on first visit, and change your choices at any time via the "Cookie Preferences" link in our footer.

You can also manage Cookies through your browser settings (delete, block, or be notified). Detailed instructions for major browsers are available at allaboutcookies.org. Note that disabling strictly necessary Cookies may break parts of the Services.

B.3.1 Global Privacy Control

We honor the Global Privacy Control (GPC) signal where it applies under U.S. state law. We do not currently respond to "Do Not Track" browser signals because there is no industry consensus on their interpretation.

B.4. Cookies Set by Third Parties

Some Cookies are set by service providers acting on our behalf. These are listed with their purpose and lifespan in Part D (Subprocessors). The current detailed Cookie inventory, with names and durations, is available through our cookie banner under "Cookie Settings".

B.5. Updates to the Cookie Policy

We may update this Cookie Policy when we add, remove, or change Cookies. Material changes will be reflected in our cookie banner and you will be asked to refresh your consent where required by law.


Part C — Data Processing Addendum (DPA)

Last revised: 29 April 2026 · Section identifier: DPA-2026-04

This Part C applies to Customers who use the Services to process Personal Data of their End Users in their capacity as a controller under the GDPR, UK GDPR, or Swiss FADP. It forms part of the Devaito Terms. Where you have signed a separate negotiated Data Processing Agreement with Devaito, that agreement prevails over this Part C in case of conflict.

For convenience and signature evidence, a downloadable PDF version of this DPA, including pre-completed Standard Contractual Clauses, is available at devaito.com/legal/dpa.pdf. Contact to request a counter-signed copy.

C.1. Definitions

Capitalized terms used in this Part C have the meanings given in the Devaito Terms or in applicable data-protection law. In particular: "Customer" means you, the entity using the Services; "Customer Personal Data" means Personal Data of Customer's End Users processed by Devaito on Customer's behalf; "Data Protection Laws" means the GDPR, UK GDPR, Swiss FADP, U.S. state privacy laws, and any other applicable data-protection law.

C.2. Roles of the Parties

For Customer Personal Data processed under the Services:

(a) Customer is the controller (or processor on behalf of a third-party controller).

(b) Devaito is the processor (or sub-processor, where Customer is itself a processor).

(c) Devaito processes Customer Personal Data only on documented instructions from Customer, including instructions provided through Customer's configuration and use of the Services.

C.3. Subject Matter, Duration, Nature, Purpose, Categories of Data and Data Subjects

The processing details required by Article 28(3) GDPR are set out in Annex 1 of this Part C. In summary:

Subject matter: the processing of Customer Personal Data by Devaito as necessary to provide the Services.
Duration: for as long as Customer uses the Services, plus the deletion period set out in Section C.12.
Nature and purpose: hosting, storage, transmission, retrieval, and processing of Customer Personal Data to provide the Services described in the Devaito Terms.
Categories of data subjects: Customer's End Users (visitors, customers, members, employees, contacts).
Categories of Personal Data: identifiers, contact information, account credentials, transactional data, content uploaded by Customer or its End Users, and any other Personal Data Customer chooses to process through the Services.

C.4. Devaito's Obligations as Processor

Devaito will:

(a) process Customer Personal Data only on documented instructions from Customer, except where Devaito is required by EU or Member State law to process such data, in which case Devaito will inform Customer before processing unless the law prohibits such notice;

(b) ensure that persons authorized to process Customer Personal Data are subject to confidentiality obligations or under an appropriate statutory obligation of confidentiality;

(c) implement appropriate technical and organizational measures as set out in Annex 2;

(d) respect the conditions for engaging sub-processors set out in Section C.7;

(e) assist Customer, taking into account the nature of the processing, by appropriate technical and organizational measures, insofar as possible, to fulfill Customer's obligation to respond to requests for exercising data-subject rights;

(f) assist Customer in ensuring compliance with Articles 32 to 36 GDPR (security, breach notification, data-protection impact assessments, prior consultation), taking into account the nature of processing and the information available to Devaito;

(g) at Customer's choice, delete or return all Customer Personal Data to Customer after the end of the provision of the Services, and delete existing copies unless EU or Member State law requires storage; and

(h) make available to Customer all information necessary to demonstrate compliance with Article 28 GDPR and allow for and contribute to audits, including inspections, conducted by Customer or another auditor mandated by Customer (subject to the conditions in Section C.9).

C.5. Customer's Obligations as Controller

Customer represents and warrants that:

(a) it has provided all required notices to data subjects and has obtained or has an alternative lawful basis for the processing carried out under the Services;

(b) the instructions it gives to Devaito (including through configuration of the Services) comply with applicable Data Protection Laws;

(c) it will not provide Devaito with sensitive Personal Data in excess of what is reasonably necessary, and acknowledges the Services are not designed for processing special categories of data unless specifically supported and configured;

(d) it is responsible for the accuracy, quality, and legality of Customer Personal Data and the means by which it acquired such data.

C.6. Security

Devaito implements and maintains appropriate technical and organizational measures designed to ensure a level of security appropriate to the risk, as further described in Annex 2. Devaito reviews and updates these measures regularly to maintain effectiveness.

C.7. Sub-processors

(a) Customer provides general written authorization for Devaito to engage sub-processors to process Customer Personal Data, subject to this Section C.7.

(b) Devaito maintains a current list of sub-processors in Part D.

(c) Devaito will inform Customer of any intended additions or replacements of sub-processors at least thirty (30) days before the change takes effect, by email to the address Customer designates and/or by updating Part D and notifying through the Services. Customer may object to such change on reasonable grounds related to data protection within fifteen (15) days of notification by emailing . If the parties cannot reach a resolution, Customer may terminate the affected Services without penalty in respect of the period not yet provided.

(d) Devaito imposes data-protection obligations on each sub-processor that are no less protective than those in this Part C, by written contract.

(e) Devaito remains fully liable to Customer for the performance of each sub-processor's obligations.

C.8. International Data Transfers

Where Customer Personal Data is transferred outside the EEA, the UK, or Switzerland by Devaito or its sub-processors, the parties agree that:

(a) the European Commission's Standard Contractual Clauses (Decision 2021/914) are incorporated by reference and apply to such transfers, with Customer as data exporter and Devaito (or the relevant sub-processor) as data importer. The applicable module is determined by the parties' roles for the transfer in question (typically Module 2: controller to processor; or Module 3: processor to processor where Customer is itself a processor);

(b) for transfers subject to UK GDPR, the UK International Data Transfer Addendum issued by the UK Information Commissioner under Section 119A of the Data Protection Act 2018 is incorporated by reference and applies in addition to or in modification of the SCCs as required;

(c) for transfers subject to Swiss FADP, the SCCs apply with the modifications recommended by the Swiss Federal Data Protection and Information Commissioner;

(d) the optional docking clause (Clause 7) of the SCCs is selected; Option 2 of Clause 9(a) (general written authorization for sub-processors) is selected, with the thirty (30) day notice period set out in Section C.7(c); the optional language in Clause 11 regarding an independent dispute-resolution body is not adopted; the governing law under Clause 17 is the law of France; the forum under Clause 18 is the courts of Paris, France;

(e) Devaito has conducted a transfer-impact assessment and applies supplementary measures as appropriate.

C.9. Audits

(a) On request from Customer, Devaito will make available all information reasonably necessary to demonstrate compliance with this Part C, including third-party audit reports, certifications (such as ISO 27001, SOC 2), and security questionnaires.

(b) Customer may, no more than once per twelve (12) months and on reasonable advance notice (no less than thirty (30) days, except in the event of a confirmed Personal Data Breach), conduct or commission a third-party audit of Devaito's data-protection practices to the extent strictly necessary to verify compliance with this Part C.

(c) Audits must be conducted during business hours, must not unreasonably interfere with Devaito's operations, and the auditor must execute appropriate confidentiality undertakings. Customer bears its own audit costs unless the audit reveals material non-compliance, in which case Devaito will reimburse reasonable costs.

C.10. Personal Data Breaches

Devaito will notify Customer without undue delay, and in any event within seventy-two (72) hours, after becoming aware of a Personal Data Breach affecting Customer Personal Data. The notification will, to the extent known, describe the nature of the breach, the categories and approximate number of data subjects and records concerned, the likely consequences, and the measures taken or proposed. Devaito will provide reasonable cooperation to assist Customer in meeting its own breach-notification obligations.

C.11. Data Subject Requests

Devaito will provide Customer with reasonable assistance, including by appropriate technical and organizational measures, to fulfill Customer's obligation to respond to requests from data subjects exercising their rights under Data Protection Laws. Where Devaito receives a request directly from a data subject relating to Customer Personal Data, Devaito will promptly forward the request to Customer and will not respond directly except as required by law.

C.12. Return or Deletion of Data

On termination of the Services, Customer may export Customer Personal Data using the export tools provided in the Services. After ninety (90) days following termination (or any longer period required to fulfill legal obligations), Devaito will delete Customer Personal Data from active systems. Backup copies are deleted in the ordinary course of business within the rotation period of the relevant backup system.

C.13. Liability

Each party's liability under this Part C is subject to the limitations set out in the Devaito Terms (in particular the enhanced cap for data-protection breaches), without prejudice to liability that cannot be limited under applicable law.

C.14. Annexes

Annex 1 — Description of the Processing

Categories of data subjects: Customer's End Users, including visitors, registered users, customers, members, contacts, and any other individual whose Personal Data Customer chooses to process through the Services.

Categories of Personal Data: identifiers (name, email, username), contact details, IP address and device data, login credentials (hashed), transaction data, communications, content uploaded, and any other Personal Data Customer chooses to include.

Sensitive categories: none by default. The Services are not designed for processing special categories of data within the meaning of Article 9 GDPR. If Customer chooses to process such data, Customer is responsible for ensuring it has the required legal basis.

Frequency of processing: continuous, for the duration of the Services.

Nature of processing: hosting, storage, retrieval, transmission, display, backup, deletion, and other operations necessary to provide the Services.

Purpose: provision of the Services as described in the Devaito Terms.

Period of retention: as set out in Section A.7 of this document and in Customer's configuration of the Services.

Annex 2 — Technical and Organizational Measures

Devaito implements the following measures to ensure the security of Customer Personal Data:

Encryption: data encrypted in transit using TLS 1.2 or higher; sensitive data at rest encrypted using industry-standard algorithms.

Access control: role-based access control with the principle of least privilege; multi-factor authentication for administrative access; access logs reviewed regularly.

Network security: firewalls, intrusion detection and prevention systems, DDoS protection.

Application security: secure development lifecycle, code review, static and dynamic application security testing, regular dependency vulnerability scanning.

Physical security: data center providers compliant with ISO 27001 or equivalent; restricted physical access; environmental controls.

Personnel: background checks where lawful; confidentiality undertakings; mandatory security and privacy training.

Backup and recovery: regular automated backups with tested recovery procedures; geographically redundant backup storage.

Incident response: documented incident-response plan with breach-notification procedures; security operations monitoring.

Vendor management: due diligence on sub-processors; contractual security obligations; regular review.

Vulnerability management: regular penetration testing; bug-bounty program; patch-management procedures.

Business continuity: documented business-continuity and disaster-recovery plans; periodic testing.

Logging and monitoring: security event logging with appropriate retention; log analysis for anomaly detection.

Annex 3 — List of Sub-processors

The list of authorized sub-processors is maintained in Part D of this document.


Part D — Subprocessors

Last revised: 29 April 2026 · Section identifier: SUBP-2026-04

This Part D lists the third-party service providers (sub-processors) that Devaito engages to process Personal Data in connection with the Services. Devaito has data-protection contracts with each sub-processor that are no less protective than the obligations in Part C (DPA).

D.1. How We Notify Changes

Devaito may add, remove, or change sub-processors. We will notify Customers of changes at least thirty (30) days before the change takes effect, by email to the address Customer designates and/or by updating this Part D and notifying through the Services. Customers with an active DPA may object on reasonable data-protection grounds within fifteen (15) days of notification, in accordance with Section C.7.

To receive proactive email notifications of sub-processor changes, subscribe at devaito.com/legal/subprocessor-updates or contact .

D.2. Categories of Sub-processors

The current sub-processors are organized by category. The detailed table below identifies, for each sub-processor: its legal name, the category of service, the type of Personal Data processed, the country of processing, and the applicable data-transfer mechanism where data leaves the EEA.

D.2.1 Infrastructure and Hosting

Cloud hosting, content delivery, DNS, security infrastructure.

D.2.2 Communications

Transactional and marketing email delivery, SMS, in-product messaging, customer support tooling.

D.2.3 Payments and Billing

Payment processing, fraud detection for transactions, invoicing, taxation services.

D.2.4 Identity, Security, and Compliance

Authentication, fraud and abuse detection (including bot-detection services such as Cloudflare Turnstile), sanctions screening, security monitoring.

D.2.5 AI Model Providers

Third-party AI providers used to deliver AI-powered features. Each provider is bound by contractual restrictions including a no-training commitment, except where you have separately opted in to model improvement.

D.2.6 Analytics and Product

Product analytics, error monitoring, performance monitoring.

D.2.7 Internal Operations

Document storage, internal collaboration, accounting, HR systems.

D.3. Detailed Sub-processor Table

The current detailed list with provider names, services, processing locations, and transfer mechanisms is published and updated at devaito.com/legal/subprocessors. By contractual obligation, this list is kept synchronized with the actual sub-processors in use.


Part E — Legal Notice (Mentions Légales)

Last revised: 29 April 2026 · Section identifier: LEGN-2026-04

The information below is published in accordance with Article 6 III of the French Loi pour la Confiance dans l'Économie Numérique (LCEN) and Article L.111-1 of the French Code de la consommation.

E.1. Publisher

Devaito SAS
Legal form: société par actions simplifiée
Registered office: [registered office address to insert]
Share capital: [share capital amount in EUR to insert]
RCS registration: [city of registration] B [SIREN number]
SIRET: [SIRET number to insert]
VAT number: [intracommunity VAT number to insert]
APE/NAF code: [activity code to insert]
Director of publication: [name and title of legal representative to insert]
Contact:

E.2. Hosting Provider

[Hosting provider legal name]
[Address]
[Contact information]

E.3. Intellectual Property

The Services, including their structure, content (texts, images, videos, sounds, software, databases, layouts, and trademarks), are protected by intellectual-property rights belonging to Devaito SAS or its licensors. Any reproduction, representation, modification, publication, or adaptation of all or part of the Services, by any means, is prohibited without the prior written authorization of Devaito SAS, except as expressly permitted by the Devaito Terms.

E.4. Reporting Illegal Content

In accordance with Article 6 of the LCEN and Regulation (EU) 2022/2065 (Digital Services Act), illegal content hosted on Devaito or on a User Platform may be reported to . Reports should include the elements required by law to enable assessment.

E.5. Consumer Mediation

In accordance with Articles L.611-1 et seq. of the French Code de la consommation, French consumers may have recourse to a consumer mediator after first attempting to resolve a dispute with our customer service. Current mediator information will be published at devaito.com/legal/mediation when designated.

E.6. Online Dispute Resolution (EU)

In accordance with Regulation (EU) No 524/2013, EU consumers may access the European Commission's Online Dispute Resolution platform at ec.europa.eu/consumers/odr.


Contact

Devaito SAS
Privacy & Data Protection:
Legal:
Security:
Copyright:
Billing:
General support:

Postal address: see Part E (Legal Notice).

If you are not satisfied with our response, you have the right to lodge a complaint with your local supervisory authority. For French residents, the CNIL is reachable at cnil.fr or by post at 3 Place de Fontenoy, TSA 80715, 75334 Paris Cedex 07, France.

This document is originally drafted in English. Translations may be made available for convenience; in case of conflict, the English version prevails, except where French law requires otherwise for French consumers.