Early access The first 100 founders lock in their launch price · only 6 spots left Launch price · only 6 spots left
Legal information

Data Processing Agreement (DPA)

Last updated: 1 July 2026. This agreement applies when getMax processes personal data on behalf of the Client (leads, prospects, campaign recipients, CRM contacts, imported data). For any question: [email protected].

1. Parties and roles

Controller: the Client, holder of the getMax account. Processor: Nexifi SASU, capital €500, RCS 88190103700013, 5 Avenue du Général de Gaulle, 94160 Saint-Mandé, France, publisher of the getMax platform. This agreement forms an integral part of the contract between the parties (Terms of Use and Terms of Sale) and prevails over it for everything concerning the processing of personal data on behalf of the Client.

2. Subject matter and description of the processing

  • Subject matter: provision of the getMax platform features (CRM, prospecting, emailing, content generation, campaigns, project analytics).
  • Nature of operations: collection, recording, organization, storage, consultation, use, disclosure by transmission, alignment, erasure.
  • Purposes: performance of the Service according to the Client's documented instructions.
  • Duration: the duration of the subscription, plus the reversibility and deletion periods provided for.
  • Categories of data subjects: the Client's prospects, customers, contacts and recipients; users of the Client's forms.
  • Categories of data: identification and contact data (last name, first name, email, phone, company, role), campaign data (opens, clicks, unsubscribes), custom fields defined by the Client, technical metadata. The Client refrains from importing special categories of data (article 9 GDPR) unless specifically agreed in writing.

3. Documented instructions

The Processor processes the data only on the Client's documented instructions, including for transfers outside the EU. The Client's use of the Service (configuration, imports, campaigns) constitutes these instructions. If the Processor considers that an instruction infringes the GDPR, it informs the Client.

4. Processor obligations

The Processor undertakes to: process the data only for the described purposes and according to the Client's instructions; ensure the confidentiality of the data and that authorized persons are bound by confidentiality; implement appropriate technical and organizational measures (section 5); comply with the conditions for engaging sub-processors (section 6); assist the Client, as far as possible, in responding to data subject rights requests; assist the Client in meeting its security, breach notification and impact assessment obligations; at the Client's choice, delete or return the data at the end of the service, unless a legal retention obligation applies; make available to the Client the information needed to demonstrate compliance with article 28 and allow reasonable audits.

5. Security

The Processor implements appropriate measures, including: encryption of data in transit and at rest where relevant, encryption of integration tokens, access control, per-organization isolation, logging, backups, exclusion of the IP address from analytics tracking, minimization (hashing of identifiers and domains for analytics), strengthened authentication (two-factor available), and incident management procedures.

6. Sub-processors

The Client authorizes the Processor to engage the sub-processors listed in Annex 1. The Processor imposes on them by contract obligations equivalent to those of this agreement. In the event of an addition or replacement, the Processor informs the Client with reasonable notice, allowing the Client to raise a reasoned objection.

7. Transfers outside the European Union

Some sub-processors are established outside the European Union (see Annex 1). These transfers are covered by appropriate safeguards: the European Commission's standard contractual clauses and, where applicable, adherence to the Data Privacy Framework for providers established in the United States. The Client may obtain a copy or description of these safeguards on request.

8. Data breach

The Processor notifies the Client of any personal data breach as soon as possible after becoming aware of it, with the information needed to enable the Client to meet its own notification obligations.

9. Fate of the data at the end of the contract

At the end of the service, the Client has a reversibility period to export their data. On expiry of this period, the Processor deletes or anonymizes the data, unless a legal retention obligation applies.

10. Duration

This agreement is effective for the entire duration of the processing of data on behalf of the Client.

Annex 1 - Sub-processors

Sub-processorPurposeLocationSafeguards if outside EU
PostHogProduct audience measurementEuropean UnionNot applicable
CloudflareCDN, storage, security, performanceEU / worldwideStandard contractual clauses
StripePayment and billingEU / United StatesStandard contractual clauses / DPF
SendGrid, BrevoSending campaign emailsUnited States / EUStandard contractual clauses / DPF
Google, MicrosoftSign-in and sending via Google or Microsoft accountsEU / United StatesStandard contractual clauses / DPF
AI model providersContent generation (text, image, audio, video)European UnionNot applicable
CrispSupport chatEuropean UnionNot applicable

The list of sub-processors is kept up to date and provided on request at [email protected].

Annex 2 - Technical and organizational measures

Reflect section 5 above: access policy, secrets management, encryption, backups, testing, infrastructure sub-processors, business continuity plan.