Last updated: 1 July 2026. This agreement applies when getMax processes personal data on behalf of the Client (leads, prospects, campaign recipients, CRM contacts, imported data). For any question: [email protected].
Controller: the Client, holder of the getMax account. Processor: Nexifi SASU, capital €500, RCS 88190103700013, 5 Avenue du Général de Gaulle, 94160 Saint-Mandé, France, publisher of the getMax platform. This agreement forms an integral part of the contract between the parties (Terms of Use and Terms of Sale) and prevails over it for everything concerning the processing of personal data on behalf of the Client.
The Processor processes the data only on the Client's documented instructions, including for transfers outside the EU. The Client's use of the Service (configuration, imports, campaigns) constitutes these instructions. If the Processor considers that an instruction infringes the GDPR, it informs the Client.
The Processor undertakes to: process the data only for the described purposes and according to the Client's instructions; ensure the confidentiality of the data and that authorized persons are bound by confidentiality; implement appropriate technical and organizational measures (section 5); comply with the conditions for engaging sub-processors (section 6); assist the Client, as far as possible, in responding to data subject rights requests; assist the Client in meeting its security, breach notification and impact assessment obligations; at the Client's choice, delete or return the data at the end of the service, unless a legal retention obligation applies; make available to the Client the information needed to demonstrate compliance with article 28 and allow reasonable audits.
The Processor implements appropriate measures, including: encryption of data in transit and at rest where relevant, encryption of integration tokens, access control, per-organization isolation, logging, backups, exclusion of the IP address from analytics tracking, minimization (hashing of identifiers and domains for analytics), strengthened authentication (two-factor available), and incident management procedures.
The Client authorizes the Processor to engage the sub-processors listed in Annex 1. The Processor imposes on them by contract obligations equivalent to those of this agreement. In the event of an addition or replacement, the Processor informs the Client with reasonable notice, allowing the Client to raise a reasoned objection.
Some sub-processors are established outside the European Union (see Annex 1). These transfers are covered by appropriate safeguards: the European Commission's standard contractual clauses and, where applicable, adherence to the Data Privacy Framework for providers established in the United States. The Client may obtain a copy or description of these safeguards on request.
The Processor notifies the Client of any personal data breach as soon as possible after becoming aware of it, with the information needed to enable the Client to meet its own notification obligations.
At the end of the service, the Client has a reversibility period to export their data. On expiry of this period, the Processor deletes or anonymizes the data, unless a legal retention obligation applies.
This agreement is effective for the entire duration of the processing of data on behalf of the Client.
| Sub-processor | Purpose | Location | Safeguards if outside EU |
|---|---|---|---|
| PostHog | Product audience measurement | European Union | Not applicable |
| Cloudflare | CDN, storage, security, performance | EU / worldwide | Standard contractual clauses |
| Stripe | Payment and billing | EU / United States | Standard contractual clauses / DPF |
| SendGrid, Brevo | Sending campaign emails | United States / EU | Standard contractual clauses / DPF |
| Google, Microsoft | Sign-in and sending via Google or Microsoft accounts | EU / United States | Standard contractual clauses / DPF |
| AI model providers | Content generation (text, image, audio, video) | European Union | Not applicable |
| Crisp | Support chat | European Union | Not applicable |
The list of sub-processors is kept up to date and provided on request at [email protected].
Reflect section 5 above: access policy, secrets management, encryption, backups, testing, infrastructure sub-processors, business continuity plan.