
Data processing agreement

How Obexal processes personal data on your behalf, under Article 28 of the GDPR. The signed DPA is provided with the quote: ask for it.

This data processing agreement (the DPA) forms part of the agreement between the customer (the controller) and the publisher of Obexal, a French company currently being incorporated whose registration details will be published as soon as the incorporation is complete (the processor), for the use of the Obexal identity platform. It sets out the terms under which Obexal processes personal data on behalf of the customer, in accordance with Article 28 of Regulation (EU) 2016/679 (the GDPR).

1. Subject matter

Obexal is a European sovereign identity provider. In providing the service, Obexal processes personal data on behalf of the customer for the sole purpose of delivering identity and access management: authentication, single sign-on, directory and group management, provisioning (SCIM), conditional access, agent identity, and audit logging. The subject matter, duration, nature and purpose of the processing are defined by the customer's use of the service and by this DPA.

2. Roles of the parties

The customer acts as the controller and determines the purposes and means of the processing. Obexal acts as the processor and processes personal data only on documented instructions from the customer, including the configuration choices made by the customer within the platform. Where Obexal engages another party to carry out processing activities, that party acts as a subprocessor.

Obexal processes personal data solely for the customer. It does not use customer personal data for its own purposes, does not sell it, and does not build advertising or resale profiles from it.

3. Categories of data and data subjects

The categories of personal data processed depend on the customer's configuration and typically include:

  • Identity and profile attributes: first name, last name, display name, email address, job title, department, preferred language.
  • Authentication data: password hashes, TOTP secrets, passkey (WebAuthn) credentials, one-time codes, social and LDAP connection identifiers.
  • Directory data: users, groups, group memberships, roles, linked identities.
  • Access and security data: IP addresses, country (via GeoIP), device signals, risk signals, session and consent records.
  • Audit and log data: authentication events, administrative actions, agent activity, timestamps.
  • Agent identity data: machine and AI agent credentials, scopes, audiences, policy and activity records.

The data subjects are the natural persons whose data the customer manages in Obexal, typically the customer's employees, contractors, partners and end users, as well as the human operators responsible for AI or machine agents.

4. Security measures

Obexal implements appropriate technical and organisational measures to protect personal data, taking into account the state of the art and the risks of the processing. These measures include:

  • Password policy aligned with NIST guidance, including a weak-password blocklist checked entirely locally.
  • Strong and phishing-resistant authentication: passkeys (WebAuthn), TOTP, email one-time codes, and step-up (strict MFA) by policy.
  • Conditional access expressed as versioned policy-as-code, with simulation before enforcement and rollback to a previous version, evaluated across the network, time and country dimensions and complemented by a risk score to which device signals contribute.
  • Agent identity controls: scope ceilings, TTL caps, audience allowlists, fail-closed defaults, secret rotation and expiry, and a kill switch to suspend or revoke.
  • Tenant isolation in a multi-tenant architecture, with per-tenant configuration and branding.
  • An audit log and a real-time audit stream covering authentication, administration and agent activity.
  • Encryption in transit, access controls for administrative operations, and API tokens scoped to the administration API.

The detailed technical and organisational measures are published on our security page; the security annex of the signed DPA reflects that content.

5. Subprocessors

The customer authorises Obexal to engage subprocessors for the provision of the service. The current list comprises: a hosting provider established in the European Union (France) and a transactional email provider established in the European Union. The named list is available on request through our contact page. Obexal imposes on each subprocessor data protection obligations equivalent to those set out in this DPA. Any intended addition or replacement of a subprocessor is notified by email to the customer's administrators with 30 days' notice, giving the customer the opportunity to object.

6. Location of processing

Obexal is designed and hosted in the European Union, with no non-EU dependency and self-hosted fonts (no external CDN). Personal data is hosted in France, in a datacenter in the Paris region. Obexal does not transfer personal data outside the European Economic Area. Should any such transfer become necessary, it will be governed by an appropriate transfer mechanism under Chapter V of the GDPR and notified to the customer beforehand.

7. Duration

Obexal processes personal data for the duration of the agreement between the parties and for as long as necessary to provide the service. Technical and audit logs are kept for 12 months. The other retention periods are set out in our privacy policy and remain consistent with this DPA.

8. Assistance to the controller

Taking into account the nature of the processing, Obexal assists the customer in fulfilling its obligations under the GDPR, including:

  • Responding to requests from data subjects exercising their rights (access, rectification, erasure, restriction, portability, objection), through the platform's directory, profile and provisioning features.
  • Ensuring the security of processing, notifying personal data breaches, and, where applicable, carrying out data protection impact assessments and prior consultations.
  • Automatic deprovisioning when a user leaves, as part of joiner, mover and leaver lifecycle handling, via outbound SCIM to downstream applications.

Obexal notifies the affected controllers of a personal data breach without undue delay after becoming aware of it, and at the latest 72 hours after it is established.

9. Audit

Obexal makes available to the customer the information necessary to demonstrate compliance with Article 28 of the GDPR, and allows for and contributes to audits, including inspections, conducted by the customer or an auditor mandated by the customer. The customer may also rely on the platform's own audit log and real-time audit stream. Audit terms (reasonable written notice, at most one audit per twelve-month period except in case of a security incident or a request from an authority, confidentiality undertaking) are set out in the signed DPA. Obexal does not currently hold ISO 27001, SOC 2 or HDS certification; an ISO 27001:2022 mapping is documented and a SecNumCloud roadmap is under way.

10. End of processing

On termination of the agreement, Obexal, at the customer's choice, deletes or returns all personal data processed on behalf of the customer, and deletes existing copies, unless retention is required by Union or Member State law. Permanent deletion takes place within 30 days of the customer's request or, failing a request, of the end of the agreement.

11. Contact

For any question relating to this DPA or to data protection, contact contact@obexal.com or call +33 9 84 25 52 61. The personal data point of contact is contact@obexal.com (a data protection officer will be appointed when the incorporation is complete).

Version dated 2 July 2026.

Need the signed version?

The signed DPA is provided with the quote: ask for it, along with the security measures annex.