Celestical Cloud Data Processing Agreement
This Data Processing Agreement ("DPA") forms part of the agreement between Celestical Cloud SAS ("Celestical", "Processor") and the customer entity entering into this Agreement ("Customer", "Controller"), governing Celestical's processing of Personal Data on behalf of Customer under GDPR.
This DPA applies automatically when Customer uses Celestical Services to process Personal Data.
Last updated: 2026-02-05 (February 2026)
1. Definitions
Capitalized terms not defined here have the meaning given in the Terms and Conditions or GDPR.
- "Controller", "Processor", "Personal Data", "Processing", "Data Subject", "Supervisory Authority" have the meanings in GDPR.
- "Customer Personal Data" means Personal Data processed by Celestical on behalf of Customer in connection with the Services.
- "Subprocessor" means any third party engaged by Celestical to process Customer Personal Data.
- "Security Incident" means a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data.
2. Roles and Scope
2.1 Roles. Customer acts as Controller. Celestical acts as Processor.
2.2 Scope. Celestical processes Customer Personal Data solely to provide the Services, in accordance with Customer's documented instructions and this DPA.
2.3 Compliance. Both parties shall comply with GDPR and applicable data protection law.
3. Processing Details
| Item | Description |
|---|---|
| Subject Matter | Provision of cloud infrastructure, serverless compute, container hosting, managed services, networking, storage, and related tools |
| Duration | For the duration of the Services and in accordance with statutory retention periods as described in the Privacy Policy |
| Nature of Processing | Hosting, storage, transmission, computation, backup, recovery, logging |
| Categories of Data Subjects | End users, customers, employees, contractors |
| Types of Personal Data | As determined and controlled by Customer |
| Special Categories | Not intended; Customer responsible for compliance if processed |
4. Processor Obligations
Celestical shall:
4.1 Process Customer Personal Data only on documented instructions from Customer, unless required by law.
4.2 Ensure that persons authorized to process Personal Data are bound by confidentiality obligations.
4.3 Implement appropriate technical and organizational measures to protect Personal Data as required by Article 32 GDPR.
4.4 Assist Customer, taking into account the nature of processing, with Data Subject rights requests under Articles 12–23 GDPR, including those submitted to Supervisory Authorities such as CNIL, where applicable.
4.5 Assist Customer with obligations under Articles 32–36 GDPR, including security, breach notification, DPIAs, and consultations with Supervisory Authorities.
4.6 Not use Customer Personal Data for its own purposes.
5. Security Measures
Celestical implements and maintains appropriate safeguards including:
- Encryption in transit and at rest where appropriate
- Logical access controls and authentication mechanisms
- Network segmentation and monitoring
- Backup, redundancy, and disaster recovery
- Incident detection and response procedures
- Employee confidentiality and security training
Detailed measures may evolve over time consistent with industry standards.
6. Personal Data Breach Notification
Celestical shall notify Customer without undue delay, and in any event within 72 hours, after becoming aware of a Security Incident affecting Customer Personal Data, and provide reasonable information to enable Customer to meet its GDPR obligations.
7. Subprocessing
7.1 Authorization. Customer grants Celestical general authorization to engage Subprocessors.
7.2 Transparency. A current list of Subprocessors is available at: https://celestical.eu/legal/subprocessors (or equivalent), updated at least quarterly or upon material change.
7.3 Objections. Customer may object to a new Subprocessor on reasonable data protection grounds within 30 days of notice.
7.4 Flow-Down. Celestical shall impose materially equivalent data protection obligations on Subprocessors.
7.5 Liability. Celestical remains responsible for Subprocessors' compliance.
8. International Data Transfers
Celestical processes and stores Customer Personal Data exclusively within the European Economic Area (EEA) on documented instructions from the Customer and in accordance with GDPR (including Art. 6(1) lawful bases). No Customer Personal Data is transferred or hosted outside the EEA.
Any traffic or requests originating from outside the EEA are served by Customer applications and remain under Customer's control. Celestical is not responsible for the routing, storage, or processing of such traffic.
Celestical does not engage in transfers of Customer Personal Data to countries outside the EEA, and no such transfers occur in the provision of Services.
9. Audits and Compliance
Customer may audit Celestical's compliance with this DPA once per year upon reasonable notice, subject to confidentiality and security requirements. Independent third-party certifications or audit reports (ISO 27001, SOC 2 Type II) may satisfy this obligation unless a material concern arises.
10. Return and Deletion of Data
Upon termination of the Services, Celestical shall, at Customer's choice, delete or return Customer Personal Data within a reasonable timeframe unless retention is required by law.
11. Confidentiality
All Customer Personal Data and information relating to this DPA are Confidential Information under the main Agreement.
12. Liability
Liability under this DPA is subject to the limitations and exclusions in the main Terms and Conditions, except where prohibited by applicable law.
13. Governing Law and Jurisdiction
This DPA is governed by the laws of France. The courthouse and judicial centre of Paris, France shall have exclusive jurisdiction unless mandatory law provides otherwise.
14. Order of Precedence
If there is any conflict between this DPA and the Terms and Conditions, this DPA shall prevail regarding Personal Data processing.
15. Annex I - Processing Details (Article 28(3) GDPR)
- Subject Matter: Cloud infrastructure services
- Duration: Duration of Services
- Nature and Purpose: Hosting, processing, storage, execution of workloads
- Categories of Data Subjects: End users, employees, contractors
- Types of Personal Data: As determined by Customer
- Special Categories: None intended
16. Annex II - Technical and Organizational Measures
Celestical maintains security measures including:
- TLS encryption for data in transit
- Encryption at rest where applicable
- Role-based access controls
- Multi-factor authentication for administrative access
- Logging and monitoring
- Secure development practices
- Incident response playbooks
- Data isolation between tenants
- Physical security controls at data centers
- Business continuity and disaster recovery planning
17. Annex III - Subprocessors
A list of subprocessors is maintained at: https://celestical.eu/legal/subprocessors
18. Annex IV - Standard Contractual Clauses (Fallback Mechanism)
(EU SCC 2021 format)
18.1 Conditional Application. To the extent that Customer Personal Data is transferred outside the European Economic Area ("EEA") to a country not subject to an adequacy decision under GDPR, the parties agree that such transfers shall be governed by the Standard Contractual Clauses adopted by the European Commission pursuant to Article 46(2)(c) GDPR ("SCCs"), which are incorporated by reference into this DPA.
18.2 Module Selection. The applicable SCC modules shall be:
- Module Two (Controller → Processor) where Customer is a Controller and Celestical is a Processor.
- Module Three (Processor → Subprocessor) where Celestical engages a Subprocessor outside the EEA.
18.3 Docking Clause. Clause 7 (Docking Clause) of the SCCs is enabled.
18.4 Appendices. The Annexes to this DPA (Processing Details, Security Measures, and Subprocessors) shall serve as Annex I, II, and III of the SCCs respectively.
18.5 Conflicts. In the event of any conflict between this DPA and the SCCs, the SCCs shall prevail with respect to international data transfers.
18.6 Transfer Impact Assessments. Where required, Celestical shall reasonably assist Customer in conducting transfer impact assessments and implementing supplementary measures.
18.7 Onward Transfers. Celestical shall not permit onward transfers inconsistent with the SCCs.
19. Annex V - Enterprise Data Protection and Compliance Clauses
19.1 Law Enforcement and Government Requests
Celestical may receive requests from law enforcement or government authorities for access to Customer Personal Data.
Celestical shall notify Customer promptly of any such request unless prohibited by law.
Celestical shall provide Customer with reasonable assistance to challenge, limit, or respond to such requests.
19.2 Independent Audit and Certifications
Celestical may maintain independent third-party audits or certifications (including but not limited to ISO 27001 and SOC 2 Type II) covering its PaaS and serverless services.
Customer may rely on such certifications as evidence of appropriate technical and organizational measures.
Upon reasonable notice, Customer may request audit reports or summaries relevant to Celestical's obligations as Processor.
19.3 Data Segregation and Multi-Tenancy
Customer Personal Data shall be logically segregated from other customers' data.
Celestical ensures data isolation between tenants through role-based access controls, secure tenancy design, and strict internal separation policies.
19.4 Business Continuity and Disaster Recovery
Celestical maintains business continuity and disaster recovery measures appropriate to its PaaS and serverless services, including:
- Regular backups
- Redundant service deployment
- Recovery plans for service outages
These measures aim to minimize service disruption and safeguard Customer Personal Data.
19.5 Subprocessor Management (Enhanced Enterprise Clause)
Celestical maintains a current list of Subprocessors, including those engaged for critical PaaS/serverless functions.
Subprocessors are contractually bound to comply with GDPR and materially equivalent obligations to this DPA.
Customer may request details of specific Subprocessor controls upon reasonable notice, subject to confidentiality.
19.6 Compliance Transparency
Celestical commits to transparency about its security measures, technical controls, and applicable compliance certifications.
Customer may request documentation or summaries that demonstrate adherence to GDPR, security, and PaaS/serverless best practices.
- Versioning
Updated versions of this DPA supersede prior versions automatically upon publication.