Edgee Data Processing Addendum (DPA)

This is Edgee's standard Data Processing Addendum (DPA) and applies by default to all customers who use Edgee as a data processor. A signed version can be made available upon request.

1. Definitions

• Customer: The legal entity that has entered into an agreement with Edgee for the provision of services.
• Edgee: Edgee Cloud SAS, a French company registered at 9 rue des Colonnes, 75002 Paris, France, and its U.S. entity Edgee Inc.
• Data Protection Laws: All applicable data protection and privacy legislation, including the EU GDPR, UK GDPR, CCPA/CPRA, LGPD, and PIPEDA.
• End User: An individual whose personal data is processed through the Edgee platform on behalf of the Customer.
• Services: The Edge Component Platform provided by Edgee.
• Subprocessor: Any third-party processor engaged by Edgee to support the delivery of the Services.

2. Scope of the Addendum

This DPA applies when Edgee processes personal data on behalf of the Customer in the course of providing the Services. It supplements the main service agreement between Edgee and the Customer.

3. Roles and Responsibilities

• Customer acts as the Data Controller.
• Edgee acts as the Data Processor.

Customer determines the purposes and means of processing personal data. Edgee processes data only on documented instructions from the Customer.

4. Categories of Data and Data Subjects

Data Subjects: End users of the Customer's websites, APIs, or applications.

Categories of Data:

• IP addresses (with optional truncation)
• Pseudonymous identifiers (e.g., session hashes, cookies)
• Device/browser metadata (e.g., screen size, language)
• Event and network metadata (e.g., pageviews, TCP/IP headers)
• Consent preferences (via CMP integrations)

Edgee does not collect sensitive personal data unless explicitly configured by the Customer.

5. Processing Activities

Edgee processes personal data solely to:

• Route and transform event and analytics traffic
• Enforce user consent preferences
• Provide anonymization (when enabled by Customer)
• Debug service delivery (temporary logs for 24 hours)

Edgee does not:

• Use personal data for marketing or profiling
• Retain end user event payloads beyond processing
• Sell personal data

6. Subprocessing

Edgee uses the following subprocessors:

• Fastly – Edge delivery infrastructure
• AWS – Hosting and compute services
• Google Cloud Platform – Hosting and storage
• Vercel – Web deployment and frontend delivery

Edgee imposes data protection obligations on all subprocessors via contracts and audits. Customers may request notice of changes to subprocessors. Edgee may add or change subprocessors at any time, and the most up-to-date list of subprocessors will be reflected in this DPA or provided upon request.

7. Data Transfers

• Data is processed and stored in the European Union by default.
• Where transfers outside the EU/EEA occur, Edgee relies on:
  • Standard Contractual Clauses (SCCs) (available upon request)
  • Adequacy decisions by the European Commission
  • Technical safeguards, including end-to-end encryption and isolated edge processing

For further information, refer to our Trust Center.

8. Security Measures

Edgee maintains a security program compliant with industry best practices and SOC 2 requirements. Measures include:

• TLS encryption in transit; AES encryption at rest
• Role-based access control and audit logs
• Isolated edge node processing
• Zero persistent access from browser context

See our Trust Center for full documentation.

9. Data Subject Rights

Customers are responsible for responding to data subject requests. If Edgee receives a request from an end user and can identify the relevant Customer, Edgee will forward the request to the Customer for response.

10. Data Retention

• Logs: retained up to 25 months
• Debug events: retained up to 24 hours
• End user events: not stored beyond real-time processing

11. Data Portability and Export

During the term of the Services, and upon written request, Edgee shall provide Customer with access to its processed personal data in a structured, commonly used, and machine-readable format. This includes any data processed on behalf of the Customer that has not been deleted in accordance with Section 10 (Data Retention).

Upon termination or expiration of the Services, Customer shall have a window of at least 30 days to request export of such data prior to deletion, unless longer retention is mandated by applicable law.

Edgee shall provide reasonable assistance and available tools to facilitate the secure export or migration of data upon termination, subject to the Customer’s written instructions and any applicable fees outlined in the Master Service Agreement or Service Order.

12. Termination and Deletion

Upon termination of the Services, Edgee will delete or return personal data to the Customer, unless required to retain it by law.

13. Audit and Assistance

Edgee will make available relevant documentation and allow for audits upon reasonable notice to demonstrate compliance with this DPA and applicable laws.

14. Liability and Indemnity

Each party's liability is governed by the main service agreement. Edgee shall be liable for its subprocessors in accordance with Article 28 of the GDPR.

15. Governing Law and Jurisdiction

This DPA shall be governed by the same law and jurisdiction as the principal agreement between the Customer and Edgee.

16. Contact