Data Processing Agreement (summary)

Last updated: 2026-06-13

When you collect feedback from visitors on your site through Couac, you are the data controller and Couac is the data processor. This page summarizes our commitments; the full DPA is available on request at [email protected].

Categories of data processed

• Email address and name of feedback reporters (if provided)
• Screenshots and annotations captured by the widget
• Technical metadata: URL, user agent, OS, viewport, console & network errors
• Comments left by clients via magic-link boards

Sub-processors

See the dedicated sub-processors page.

Security measures

• TLS everywhere · HSTS · cookie flags (HttpOnly, Secure, SameSite)
• Hashed-at-rest tokens for API keys, MCP tokens, share links, webhooks
• Rate limiting and CAPTCHA on public submission endpoints
• Encrypted daily Postgres backups, stored in France
• Audit logs for share access and MCP tool usage

Data residency

Application compute, the Postgres database and logs are hosted in France (PulseHeberg, Toulon). Screenshots are stored on Cloudflare R2 (EU region). Any transfer outside the EEA relies on Standard Contractual Clauses.

Sub-processor changes

We will notify you at least 30 days before adding a new sub-processor. You may object; if the objection cannot be resolved within 30 days you may terminate your account.

Data subject rights

Couac assists you with data subject requests (access, rectification, erasure, portability) through the in-app account deletion + export, and via email at [email protected].