Legal · Annex C

Personal Data Processing (DPA)

Version 1 — in force since 10 April 2025

This English text is a translation provided for information only. The French version (“Traitement des données à caractère personnel”) is the sole legally binding text and prevails in the event of any discrepancy.

C.1 Context and purpose

The Client, as data controller, has subscribed to one or more services from Melis Technology under a specific contract.

The Client hosts personal data on Melis Technology's servers, which gives Melis Technology the status of processor in accordance with the CNIL's guidance.

The purpose of these clauses is to define the conditions under which the processor undertakes to carry out, on behalf of the controller, the personal-data processing operations defined below.

In the context of their contractual relationship, the parties undertake to comply with the regulations in force applicable to the processing of personal data and, in particular, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, applicable from 25 May 2018 (hereinafter the “European data protection regulation”).

It is recalled that the scope of the processing carried out by Melis Technology on behalf of the controller depends on the services subscribed under the specific contract. Where the Client subscribes to a hosting service only, Melis Technology merely hosts the personal data (storage and, where applicable, backup if that option is subscribed) without acting on its content. Where the Client subscribes to a SaaS, managed-services or application-maintenance (TMA) service, Melis Technology acts as a processor within the meaning of Article 28 of the European data protection regulation and may access and process the personal data, strictly to the extent necessary for operating, maintaining, supporting and correcting the Applications, exclusively on the controller's documented instructions and for the sole purposes of the subscribed services.

In the case of hosting only, and in its capacity as host within the meaning of the French LCEN, Melis Technology has no general obligation to monitor the hosted content. In the case of a SaaS, managed-services or application-maintenance service, Melis Technology is aware of the nature of the processing it operates on behalf of the Client, as described in the Special Conditions, and accordingly assumes all the processor obligations laid down in Article 28 of the European data protection regulation.

C.2 Description of the processing covered by the sub-processing

The Provider (or processor) is authorised to process, on behalf of the COMPANY (or controller), the personal data necessary to provide the hosting service(s) for the Software packages and the associated managed services (or associated maintenance and support).

All ordered services are described in this Contract (and/or the Purchase Orders or Special Conditions approved by the COMPANY).

The purpose(s) of the processing is the provision of the ordered services as described in this Contract. The COMPANY grants the PROVIDER a personal, non-assignable, non-exclusive and non-transferable right to reproduce its data, for the sole purpose of performing the subscribed services for the term of the contract.

The personal data processed are all of the COMPANY's files or data transmitted to the PROVIDER for the performance of the subscribed services, entered by the COMPANY in the software hosted by the PROVIDER, as well as the data collected or processed by the PROVIDER in connection with the service subscribed by the COMPANY, of the following type: identification data, professional life, monitoring of the commercial relationship, login/password, IP, web browsing.

The categories of data subjects are sole traders / natural persons who are clients, prospects and suppliers of the COMPANY, and the COMPANY's staff.

C.3 Term of the contract

The term of this contract refers to the term of the hosting contract signed by both parties.

C.4 Obligations of the processor towards the controller

The processor undertakes to:

  1. Process the data solely for the purpose(s) covered by the sub-processing, as defined in the Special Conditions: host the data and, depending on the subscribed services, operate, maintain in operational condition, correct and support the Applications. In the case of hosting only, the processor performs no action on the data other than storing it and, where applicable, backing it up. In the case of a SaaS, managed-services or application-maintenance service, any access by the processor to the personal data is limited to what is strictly necessary to provide the subscribed services.
  2. Process the data in accordance with the services subscribed by the Client and with the controller's documented instructions. If the processor considers that an instruction infringes the European data protection regulation or any other provision of Union or Member State law on data protection, it shall immediately inform the controller. In addition, if the processor is required to transfer data to a third country or an international organisation under Union or Member State law to which it is subject, it shall inform the controller of that legal requirement before processing, unless the law concerned prohibits such information on important grounds of public interest.
  3. Guarantee the confidentiality and security of the personal data processed under this contract (insofar as the controller does not make its hosting accessible to unauthorised third parties and ensures that the security measures enabling confidentiality are taken, since the Client has full access to the personal data hosted by Melis Technology).
  4. Ensure that the persons authorised to process the personal data under this contract:

    • undertake to respect confidentiality and security or are subject to an appropriate statutory obligation of confidentiality and security;
    • receive the necessary training on personal data protection.
  5. Take into account, as regards its tools, products, applications or services, the principles of data protection by design and data protection by default.

C.5 Sub-processing

The processor may engage the entity Oracle, via Oracle Cloud Infrastructure (hereinafter the subsequent processor), to carry out the following processing activities:

  • hosting of the physical servers in its datacentres located in FRANCE;
  • network management;
  • backups.

In such a case, it shall inform the controller in advance and in writing of any intended change concerning the addition or replacement of other processors.

This information must clearly indicate the sub-contracted processing activities, the identity and contact details of the processor and the dates of the sub-processing contract.

The controller has a maximum period of 15 days from the date of receipt of this information to raise objections.

Such sub-processing may only take place if the controller has not objected within the agreed period.

The subsequent processor is required to comply with the obligations of this contract on behalf of and according to the instructions of the controller. It is for the initial processor to ensure that the subsequent processor provides the same sufficient guarantees as to the implementation of appropriate technical and organisational measures so that the processing meets the requirements of the European data protection regulation.

If the subsequent processor fails to fulfil its data protection obligations, the initial processor remains fully liable to the controller for the performance by the other processor of its obligations.

C.6 Data subjects' right to information

It is for the controller to provide information to the persons concerned by the processing operations at the time the data is collected.

C.7 Exercise of data subjects' rights

As far as possible, the processor must assist the controller in fulfilling its obligation to respond to requests from data subjects to exercise their rights: right of access, rectification, erasure and objection, right to restriction of processing, right to data portability, and right not to be subject to an automated individual decision (including profiling).

Where data subjects send the processor requests to exercise their rights, the processor must forward these requests, upon receipt, by email to the address indicated by the Client when subscribing to the services.

C.8 Notification of personal data breaches

The processor shall notify the controller of any personal data breach as soon as possible after becoming aware of it, by email to the address indicated by the Client when subscribing to the services.

This notification shall be accompanied by any relevant documentation to enable the controller, if necessary, to notify the breach to the competent supervisory authority.

The notification shall contain at least:

  • a description of the nature of the personal data breach including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
  • the name and contact details of the data protection officer or another point of contact from whom further information can be obtained;
  • a description of the likely consequences of the personal data breach;
  • a description of the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

Where, and insofar as, it is not possible to provide all this information at the same time, the information may be provided in phases without undue further delay.

The controller is responsible for communicating personal data breaches to the data subjects. In the case of hosting only, the processor is not aware of the content of the hosted data and is therefore not able, on its own, to assess whether a breach is likely to result in a high risk to the rights and freedoms of individuals; that assessment is the controller's responsibility. In the case of a SaaS, managed-services or application-maintenance service, the processor assists the controller with that assessment in the light of the information available to it.

C.9 Processor's assistance with the controller's compliance with its obligations

The processor provides the controller with the documentation relevant to the controller's carrying out of data protection impact assessments, solely as regards the aspects for which the processor is responsible, i.e., for the processor, the hosting of the data.

The processor assists the controller, as far as possible and reasonably, in carrying out the prior consultation of the supervisory authority by providing the necessary documentation.

C.10 Security measures

The processor undertakes to implement the following security measures:

  • raising staff accountability through IT-security awareness;
  • use of a professional password manager;
  • deployment of tools to be prepared against cyber-attacks (antivirus, anti-spam, firewalls);
  • segregation of the client's networks;
  • any administrative access to a production system is carried out via a bastion host;
  • connection to the target system is carried out either through a shared service account or through a named account via bastion hosts;
  • the use of default accounts on systems and equipment is prohibited;
  • SSH keys are protected by a password meeting the requirements of the password policy;
  • automatic management of security updates;
  • all systems and data necessary for service continuity, for rebuilding the information system or for post-incident analysis are backed up;
  • the frequencies, retention periods and storage methods of the backups are defined in line with the needs of each backed-up asset;
  • the performance of the backups is monitored, together with the management of alerts and errors;
  • collection of all the logs of the servers used in the infrastructure.

Melis Technology's measures do not replace the security measures that the controller must take for its personal-data processing in order to ensure that its processing complies with the GDPR.

C.11 Fate of the data at the end of the commercial relationship

On completion of the services relating to the processing of this data, the processor undertakes to, at the parties' choice:

  • destroy all the personal data; or
  • return all the personal data to the controller; or
  • return the personal data to the processor designated by the controller,

unless there is a regulation requiring the processor to retain this data or a clause of this contract authorising the processor to retain it.

The return must be accompanied by the destruction of all existing copies in the processor's information systems.

C.12 Documentation and audit

The processor makes available to the controller the documentation necessary to demonstrate compliance with its obligations relating to the processing of personal data carried out on behalf of the controller, and to allow audits, including inspections, to be carried out by the controller or another auditor it has mandated, and to contribute to such audits.

This information is available on request. The Client may ask the processor for additional information.

The processor will allow the Client, or another auditor mandated by the Client, to carry out audits under the conditions set out below:

  • the processor undertakes to respond to audit requests from the Client, carried out by the Client itself or by a third party it has selected;
  • the audit will be carried out subject to a minimum of 30 days' notice;
  • audits must allow an analysis of compliance with the obligations of this contract, in particular by verifying all the security measures implemented by the processor;
  • the maximum number of audits is set at once per year;
  • the conclusions of the audit will be sent by email to the processor;
  • the audit costs will be borne by the Client.

Following the audit, if shortcomings are found, the processor will have a period of 2 months to remedy them and must provide written proof thereof to the Client. After this period, if the shortcoming persists, the Client may terminate this contract for breach by following the procedure described in the Special Conditions.

C.13 Data protection officer

The processor provides the controller with the name and contact details of the person in charge of personal data protection.

C.14 Obligations of the controller towards the processor

The controller undertakes to:

  1. document in writing any instruction concerning the processing of the data by the processor;
  2. ensure, beforehand and throughout the processing, the processor's compliance with the obligations laid down by the European data protection regulation;
  3. supervise the processing carried out by the processor in accordance with the Contract.