DIV Protocol
SolutionHow it works?PricingBlogContact

PRIVACY POLICY

DIV PROTOCOL SAS

Last updated: February 13, 2026

1. Introduction and commitment

DIV PROTOCOL SAS (hereinafter "DIV PROTOCOL", "we", "our" or "us"), a simplified joint-stock company with a share capital of €105.10, registered with the Paris Trade and Companies Register under number 939 283 164, with its registered office at 200 rue de la Croix-Nivert, 75015 Paris, attaches the utmost importance to the protection of your personal data. This Privacy Policy aims to inform you, in full transparency, of the methods of collection, processing, storage and protection of your personal data in connection with your use of our platform for secure storage, sharing and end-to-end encryption of professional data. DIV PROTOCOL acts in compliance with Regulation (EU) 2016/679 of April 27, 2016 on the protection of natural persons with regard to the processing of personal data (GDPR), French Law No. 78-17 of January 6, 1978 on Information Technology, Data Files and Civil Liberties (as amended), and Directive 2002/58/EC "ePrivacy".

2. Data controller

The data controller for personal data is: DIV PROTOCOL SAS Share capital: €105.10 SIREN: 939 283 164 Paris Trade Register: 939 283 164 Registered office: 200 rue de la Croix-Nivert, 75015 Paris Represented by: Gaspard Bonnot, President Email: contact@divprotocol.com For processing carried out on behalf of Clients in the context of the Service, DIV PROTOCOL acts as data processor within the meaning of Article 28 of the GDPR.

3. Data collected

DIV PROTOCOL collects and processes only data strictly necessary for the provision, security and improvement of the Service. This data includes:

  • Identification data: last name, first name, professional email address, company name, position within the company;
  • Connection data: account identifiers, connection logs, IP addresses, date and time of connection, browser type and operating system;
  • Authentication data: 2FA method used (email, TOTP), WebAuthn key fingerprint (where applicable);
  • Usage data: actions performed on the Platform (upload, download, sharing, modification, deletion — over 28 types of tracked actions), interface preferences, configurations;
  • Contractual data: billing information, banking details (processed by Stripe, never stored by DIV PROTOCOL), subscription history and transactions;
  • Technical data: file metadata (name, size, MIME type, creation/modification date, directory structure), diagnostic and performance data.

Important: due to the end-to-end encryption architecture, DIV PROTOCOL does not have access to the clear text content of hosted files. Only the metadata listed above is accessible server-side. DIV PROTOCOL does not collect any sensitive data within the meaning of Article 9 of the GDPR (racial or ethnic origin, political opinions, religious beliefs, health data, sexual orientation, etc.).

4. Processing purposes

Personal data collected is processed exclusively for the following purposes:

  • Service provision and management: account creation and management, authentication, hosting, storage, sharing, collaborative editing;
  • Security and integrity: detection and prevention of unauthorized access, fraud and security incidents, audit event logging;
  • Commercial relationship management: billing, subscription management, technical support, Service-related communications;
  • Service improvement: aggregated and anonymized usage analysis to improve performance, usability and functionalities;
  • Legal and regulatory compliance: compliance with accounting, tax and legal retention obligations;
  • Communications: sending Service-related information (updates, maintenance, incidents), and, with your consent, newsletter and commercial communications.

5. Legal bases for processing

In accordance with Article 6 of the GDPR, each processing operation is based on a specific legal basis:

  • Performance of a contract (Art. 6.1.b): account creation, Service provision, subscription management, technical support;
  • Legitimate interest (Art. 6.1.f): information system security, fraud prevention, Service improvement, audit logging;
  • Legal obligation (Art. 6.1.c): retention of billing data, cooperation with competent authorities;
  • Consent (Art. 6.1.a): sending commercial communications and newsletter.

You may withdraw your consent at any time for processing based on this ground, without affecting the lawfulness of processing carried out prior to withdrawal.

6. Sub-processors and recipients

DIV PROTOCOL uses trusted technical service providers, acting as sub-processors within the meaning of the GDPR, strictly necessary for Service provision. These sub-processors are bound by contractual obligations of confidentiality and security in compliance with GDPR requirements (Article 28).

  • OVH SAS (Roubaix, France): infrastructure and data hosting on servers located in France and the European Union. OVH also provides secret management services (Secret Manager) for secure storage of infrastructure keys;
  • Stripe Inc. (Dublin, Ireland — EU): credit card payment processing. Stripe is PCI-DSS Level 1 certified. Banking data is processed directly by Stripe and does not transit through DIV PROTOCOL's servers;
  • OnlyOffice (Latvia — EU): integrated office suite enabling collaborative document editing. Processing occurs within the context of temporary document decryption for editing, within the Platform's secure environment;
  • Vercel Inc. (San Francisco, USA): hosting of the showcase website (landing page) only. No Platform user data transits through Vercel.

DIV PROTOCOL does not sell, rent, transfer or disclose any personal data to third parties for commercial, advertising or profiling purposes. DIV PROTOCOL may be required to disclose personal data to competent authorities (judicial, administrative, tax) pursuant to a legal obligation.

7. Hosting and data location

All Client Data and personal data processed in connection with the Service are hosted exclusively on servers located in France and the European Union, with OVH SAS. The showcase website (landing page) is hosted by Vercel Inc. in the United States. This website does not process any personal data from the Platform; only standard browsing data (technical cookies, anonymous analytics) may be collected in this context. DIV PROTOCOL guarantees that no transfer of Client Data or Service-related personal data is made outside the European Union.

8. Data security

DIV PROTOCOL implements robust technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure or destruction:

  • End-to-end encryption (E2E): files are encrypted client-side before any transfer. DIV PROTOCOL never has access to decryption keys;
  • Encryption at rest: data stored on servers is encrypted at rest;
  • Encryption in transit: all communications are encrypted in transit;
  • Enhanced authentication: 2FA (email, TOTP, backup codes), magic links, WebAuthn/Passkeys;
  • Strict access control: granular permissions per User and per resource, principle of least privilege;
  • Logging and audit: over 28 types of actions tracked in audit logs;
  • Data isolation: logical data isolation per Client;
  • Encrypted backups: regular and redundant backups, stored in encrypted form;
  • Continuous monitoring: infrastructure monitoring and real-time alerts.

9. Retention periods

Personal data is retained for the period strictly necessary for the purposes for which it was collected, plus applicable legal limitation periods:

  • Account data (identification, authentication): retained for the duration of the contract, then deleted within 30 days following account closure;
  • Billing and contractual data: retained for 10 years from the close of the fiscal year, in accordance with the French Commercial Code (Art. L.123-22);
  • Connection logs: retained for 12 months in accordance with Article 6-II of the LCEN;
  • Audit logs: retained for the duration of the contract and 12 months after its termination;
  • Recycle bin data: permanently deleted upon emptying of the recycle bin or expiration of the retention period;
  • Cookies: see the Cookie Policy for specific durations.

10. User rights

In accordance with Articles 15 to 22 of the GDPR, you have the following rights over your personal data:

  • Right of access (Art. 15): obtain confirmation that your data is being processed and receive a copy;
  • Right to rectification (Art. 16): have inaccurate data corrected or incomplete data completed;
  • Right to erasure (Art. 17): request deletion of your data, subject to legal retention obligations;
  • Right to restriction of processing (Art. 18): request suspension of processing in certain cases;
  • Right to data portability (Art. 20): receive your data in a structured, commonly used and machine-readable format;
  • Right to object (Art. 21): object to processing based on legitimate interest;
  • Right to withdraw consent (Art. 7.3): withdraw your consent at any time for processing based on this ground;
  • Right to define post-mortem directives: define directives regarding the fate of your data after your death (French Data Protection Act).

To exercise your rights, send your request by email to: contact@divprotocol.com Your request will be processed within a maximum period of thirty (30) days from receipt. This period may be extended by two (2) months in case of complexity or a high number of requests, subject to informing you thereof. Proof of identity may be requested in case of reasonable doubt as to your identity.

11. Cookies and trackers

DIV PROTOCOL uses cookies and trackers on its website and Platform. For comprehensive information about the cookies used, their purposes, retention periods and how to manage your preferences, please refer to our dedicated Cookie Policy, accessible at /cookies.

12. International transfers

DIV PROTOCOL does not transfer any Service-related personal data outside the European Union. The showcase website is hosted by Vercel Inc. in the United States. This processing is governed by Standard Contractual Clauses (SCCs) adopted by the European Commission and does not involve any personal data from the Platform. Payments are processed by Stripe via its Irish entity (Stripe Technology Europe Limited), within the European Union.

13. Data breach notification

In case of a personal data breach likely to pose a risk to the rights and freedoms of data subjects, DIV PROTOCOL commits to:

  • notify the French Data Protection Authority (CNIL) within a maximum of 72 hours after becoming aware of it, in accordance with Article 33 of the GDPR;
  • inform affected individuals as soon as possible when the breach is likely to result in a high risk to their rights and freedoms, in accordance with Article 34 of the GDPR;
  • document any breach in an internal register, including the facts, effects and corrective measures taken.

14. Contact and complaints

For any questions regarding this Privacy Policy or to exercise your rights, you may contact: DIV PROTOCOL SAS — Legal Department 200 rue de la Croix-Nivert, 75015 Paris Email: contact@divprotocol.com If you believe, after contacting us, that your data protection rights are not being respected, you have the right to lodge a complaint with the French Data Protection Authority (CNIL): CNIL — 3 Place de Fontenoy, TSA 80715 — 75334 Paris Cedex 07 www.cnil.fr

15. Privacy Policy modifications

DIV PROTOCOL reserves the right to modify this Privacy Policy at any time to adapt it to legal, regulatory, technical or organizational developments. Any material modification will be notified to Users by email or by notification on the Platform at least fifteen (15) days before coming into effect. The date of last update is indicated at the top of this document.