GO TRACE

Data Processing Agreement (DPA)

Version 1.0 · last updated 3 May 2026

1. When a DPA is needed

For most interactions with the Site (browsing, the contact form, the LinkedIn newsletter, buying a course on Teachable) Altanest SAS is the controller for its own data and a sub-processor list is published at /sub-processors. No bilateral DPA is needed for those flows.

A DPA is needed when, in the course of a paid Consultancy engagement, Altanest SAS handles personal data on your behalf as a processor. This typically applies to:

  • The Compliance Partner package, where we may receive supplier and product data from your systems for review or for inclusion in deliverables;
  • The Implementation Strategy package, where we may receive an export of your PIM or supplier database to perform the gap analysis;
  • Any bespoke engagement that involves us processing personal data identifying your employees, suppliers, or end customers.

The Readiness Audit package usually does not require a DPA: deliverables are based on the documentation you share, which is generally not personal data, and we do not retain copies after the audit closes.

2. How to obtain a signed DPA

Two paths, both starting with an email to contact@go-trace.com:

  1. You provide your DPA template. Send your standard DPA along with the engagement details. We will review it within 5 working days, send back redlines or sign as-is, and counter-sign on letterhead. We are familiar with the EDPB-recommended SCC modules and will not accept clauses that contradict GDPR Article 28(3) requirements.
  2. You ask us for our DPA template. We will send a GDPR Article 28-compliant DPA template within 5 working days, drafted around the EU Commission's 2021 Standard Contractual Clauses (Modules 1–4 as appropriate). The template covers: subject-matter and duration; nature and purpose of the processing; types of data and categories of data subjects; obligations and rights of the controller; technical and organisational measures (TOMs); sub-processor list and authorisation; assistance with data-subject rights; breach notification; audit rights; deletion or return of data on termination.

3. Sub-processors authorised under the DPA

Where Altanest SAS acts as your processor, the following sub-processors may be used in the engagement:

  • Hetzner Online GmbH (Germany, EU) for any data we host on our infrastructure during the engagement;
  • Google Workspace (EU/US, EU–US Data Privacy Framework + SCCs) for email correspondence about the engagement.

Web3Forms is not used in the processor flow (it is only used for the public contact form, where we are controller). Teachable is not used in the processor flow either.

If you require a more restrictive sub-processor list (for example EU-only with no US sub-processors), tell us at the proposal stage; we can scope the engagement so that only Hetzner is involved.

4. Technical and organisational measures (TOMs) summary

A short, non-exhaustive summary; the full TOMs are in the DPA template:

  • HTTPS/TLS for all data in transit; encryption at rest on Hetzner-managed disks.
  • Access control: data accessed only by Catherine Lomonaco Membré and, where named in the SoW, specified subcontractors under written confidentiality.
  • Backups encrypted; retention aligned with the engagement deletion clause.
  • Breach notification within 72 hours of becoming aware (GDPR Article 33).
  • On termination, deletion or return of data within 30 days, certified in writing on request.

5. Contact

To request the GO TRACE DPA template, or to send your own for our review, write to contact@go-trace.com with the subject line "DPA request: [your company]".

Altanest SAS
20 rue Guillaume Fichet
74000 Annecy, France
Email: contact@go-trace.com