After 10 years serving the 42 community, S42 is closing its doors.

I see that you have an active sponsorship program on GitHub, and I understand you have a cosmetics system. Now that the project is hosted, there's no need to maintain this program and these sponsorship options. Can you take the necessary steps to remove them as soon as possible?

The first reason is that we cannot take the risk of leaving you with ownership of the domain, as it gives you the ability to modify DNS entries.

The second is purely a legal need to protect the 42 brand. Now that the app is officially hosted by 42, letting you keep the domain means accepting the risk of having subdomains that have no connection to 42 or its pedagogy, and that’s a risk we cannot take.

I wanted to summarize the actions to take, to make sure we're aligned on the roadmap:

• Transfer of the domain to 42 and DNS switch
• Change of the API key
• Retrieval of production access
• Retrieval of admin access

I’d like to switch the domain and DNS before January 30. Does that seem realistic to you?

Hello Sébastien,

Sorry for the delayed response — my weeks have been quite busy.

Following up on your request, I wanted to revisit a few key points to ensure optimal management and avoid potential roadblocks:

Points raised:

API Key Retrieval:
Keys must be rotated annually, which includes managing webhooks (maintenance, creation, secret rotation, deletion), endpoints, and related configurations.
By delegating this responsibility, your teams will need to intervene regularly, which adds to their workload.

Production and Admin Access Management:
Full transfer of access would mean that all interventions (modifications, updates or fixes, student GDPR-related requests, maintenance) would have to go through your developers.
This implies that for every technical need, your resources would have to be mobilized, which could burden your operations.

Resource Availability:
Given the pace of communication we’ve observed over the past four years — on both sides — I find it unrealistic to assume a developer will always be available to respond to project or student needs promptly.

Proposal:
To maintain efficient and smooth operations, I propose formalizing the current arrangement with a written and signed agreement that clarifies responsibilities and protects both parties.

This contract could include:

• That I retain full management of the domain, technical access, and related operations.
• Your rights as an organization to oversee proper data use, ensure hosting, and protect data, while allowing me to continue maintaining the project.
• A definition of security responsibilities for each party, such as a Licensing and Confidentiality Agreement (LCA).

This ensures the project remains functional without burdening your teams, while also legally framing our collaboration.

I'm available to further refine this proposal.

Best regards,
Atom

(...)
Key renewal isn’t an issue for us.

Regarding updates, the workflow we aim to have is the same as for any open-source tool: bugs are reported on the project’s Git, the project members create a new version, and we deploy it according to our schedule.
I agree this process will be slower than the current one, but I believe it’s a necessary compromise.

As for admin tasks, I hadn’t realized they took that much time. How much time do you typically spend on administration?

To conclude, we really need to regain full control over the domain and the application.
I don’t think a hybrid model, where you remain the app’s administrator, is a good idea. It creates ambiguity around responsibilities toward students.

To proceed, we need to initiate the transfer of the domain and all items listed in my previous email.
(...)

(...)
Without a response from you and concrete progress on these matters as soon as possible, we will unfortunately be forced to shut down the project and delete the custom webhooks configured on your account starting April 18.
(...)

Finally, regarding the domain name s42.app, Article 24 of the internal regulations states: “Any registration/use by a 42 User, applicant, or student of a distinctive sign composed of the number ‘42’, notably as a trademark, company name, or domain name, that would infringe on the prior rights of the 42 Association, is expressly prohibited. Any breach of this commitment may expose the offender to disciplinary sanctions as well as civil and/or criminal proceedings.”

Thank you for your message and for finally recognizing the work accomplished over nearly 10 years with the S42 project. I’m fully aware of its impact within the network and the constant effort it has required since its inception.

I would still like to provide a clear and structured response to the proposals and arguments raised—technical, regulatory, and legal:

1. On Webhooks and Data Collection

Yes, the webhooks may technically include some sensitive data such as phone numbers. However, none of these are used or processed in S42’s code. They are explicitly ignored and are verifiably absent from any exposed feature.
Furthermore, since the data is stored on 42’s infrastructure, 42 remains the data controller under GDPR.
The project is open source, making it fully auditable by anyone.
The data actually used (like location events) is identical to what’s available via the REST API, which many other student projects already use—sometimes bypassing quota limits via polling.

2. On API Access and Terms of Use

I use the API via my active alumni account, in accordance with the terms of use.
The project fully complies with all technical and legal requirements, including the API charter.
I remain, of course, open to correcting any issue within a reasonable timeframe if needed.
S42 remains the only project that has systematically complied with DPO requests—particularly the explicit campus validation before any activation—limiting its diffusion compared to other unsupervised projects.

3. On the Domain Name and Article 24 of the Internal Regulations

The domain s42.app is registered under my organization, Atomys.
It contains no 42 logo, slogan, or branding, and cannot reasonably be mistaken for an official service.
Article 24 applies only to students, within an internal disciplinary context.
It provides no legal basis for a domain claim, nor does it imply exclusive rights over anything containing “42”.
There is no commercial use or harm done—its use is strictly open source, educational, and voluntary, in full respect of the internal regulations.

4. On the Options Proposed

Option 1: Full takeover by 42
I cannot support this. It would mean handing over a project I’ve conceived, maintained, evolved, funded, and secured for almost a decade.
I will not accept being demoted to an occasional contributor, with no decision-making power, over something I’ve carried entirely on my own.
If 42 wants to take legal responsibility for data processing, this can be done via a bilateral, signed agreement—without requiring transfer of the project.

Option 2: Hosting by 42, Administration by Me
This is the most reasonable solution.
Hosting remains under 42’s control, ensuring GDPR compliance.
I continue handling development, technical governance, and evolution of the project.
This model was jointly initiated recently to meet your expectations. Before that, I handled the full stack, without incident, since day one.
I am fully open to formalizing this via a clear contract:
42 as host and data controller, me as technical lead and maintainer.

Option 3: End of the S42 Project
If no balanced agreement is found, I will shut down the project and publish a public communication.
I will not hand over a tool built with rigor, ethics, and GDPR compliance to an organization that would strip me of it without guarantees of continuity, transparency, or respect for the model that was agreed to before the migration.
My original intent in proposing the partnership was to secure student data, as the original webhook author and former 42 staff with awareness of GDPR responsibilities.
Today, I’m the only project penalized for having respected those rules to the letter.

5. Communication Protocol

For legal traceability, I expressly request that all communications occur via written form (email).
I will not attend any undocumented or unstructured verbal meetings.

Awaiting a clear and formalized response, I remain available to move forward in mutual respect for the work done and commitments made.

Kind regards,
Atom
Creator and Maintainer of S42
P.S.: Congrats on the launch of 42Up.

That being said, if — as you mentioned — the webhooks are of little importance to your application and their deactivation poses no particular issue, that seems to resolve all our problems and drastically simplify the situation.
=> No webhook processing student data means no data processing outside the scope authorized by 42
=> No need to regulate this processing, and therefore no need to manage hosting, administration, or even the s42.app domain

I'm therefore pleased to positively respond to your request by leaving you with the responsibility for hosting and administering S42.
We will proceed with deactivating the following webhooks on June 24. (...)

Through this unilateral decision, it becomes clear that the partnership proposed by 42 was not intended to sustain an open-source project beneficial to the community, but rather to temporarily address an internal need for reporting and presence tracking.

The fact that, at the first sign of difficulty, you chose to fully disengage from the project — without even offering a contractual solution — speaks volumes.

I now see that this dialogue has been broken unilaterally, and that the continuity of the project matters little to you as long as your legal or operational obligations are bypassed.

We confirm that the hosting services as well as the webhooks allowing access to private information will be deactivated on June 24 at 11:30 AM.

Furthermore, we confirm that access to the Kubernetes GCP environment has been restored. Regarding your admin rights on the application, they are still active, even if you are not currently using them. You are therefore free to choose the migration date.

We will not provide a certificate of partnership termination, since no formal partnership contract was ever established. It was a tolerance granted at the time by 42, not a structured partnership. This situation now needs to be reconsidered.

You are, of course, free to communicate publicly about the end of your project. However, we draw your attention to the use of the term “termination”, which is inappropriate: in the absence of an official partnership, there can be no “termination.”

We are still awaiting the data destruction attestation, as previously discussed with Sébastien.

We would also like to remind you of several points regarding the GDPR non-compliance of your site:

• The privacy policy does not comply with Articles 13 and 14 of the GDPR, despite a prior alert sent by email on November 5, 2024. Additionally, the Terms of Use and Privacy Policy are still marked as “draft.”
• The access to data via webhooks does not comply with Article 5 of the GDPR: personal data remains accessible even though, according to your previous message, it is neither processed nor used — this constitutes a breach of the data minimization principle.
• In this context, claiming GDPR compliance is surprising, especially as the non-compliance was previously raised without corrective action, and student complaints have also been received.

Lastly, I would like to point out that we’ve been in discussions on these topics for over eight months, with a consistent intention to find a mutually satisfactory outcome. Unfortunately, recent statements and the tone adopted do not reflect a desire to work toward joint solutions.

We are still awaiting the signed document confirming data deletion.