Privacy policy

PREAMBLE

As part of the performance of the Contract, the Service Provider, as a subcontractor, is required to process personal data on behalf of the Customer, who acts as a data controller within the meaning of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter "the European Data Protection Regulation" or "RGPD"). Such processing involves appropriate and reinforced protection measures on the part of the Service Provider to guarantee the security and confidentiality of the data.

Each Party acknowledges that personal data and related processing are subject to the legal and regulatory provisions on the protection of personal data in force. The Parties undertake to comply with these regulations, in particular the obligations arising from the RGPD, and to implement all technical and organizational measures necessary to ensure the protection of personal data processed under this Contract.

The Customer remains the owner of the computer media and documents it provides as well as the personal data processed by the Service Provider under the Contract. As the data controller, the Customer guarantees that the instructions provided to the Service Provider comply with the RGPD and respect the rights of the data subjects, in particular their rights of access, rectification, opposition, erasure and portability.

The Parties undertake to cooperate proactively to ensure security, confidentiality and respect for the rights of data subjects, in accordance with Articles 32 to 36 of the RGPD, taking into account the nature, scope, context and purposes of the processing carried out and the associated risks to the rights and freedoms of individuals.

DESCRIPTION OF PROCESSING

In the course of performing the Contract, the Service Provider, as a subcontractor, will process personal data only on the documented instructions of the Customer, who acts as data controller. Such processing is carried out to enable the Service Provider to provide the platform services and associated functionalities defined in the Contract.

The processing operations carried out by the Service Provider on behalf of the Customer include, but are not limited to:

- the secure storage and hosting of data
- the regular backup of data to prevent any loss
- the management of access and authorizations for users of the platform
- the provision of technical support and assistance in the use of the platform
- the monitoring of performance and security to ensure the smooth operation of the platform.

The Service Provider undertakes not to carry out any processing beyond that required for the performance of the Contract and the instructions provided by the Customer. Under no circumstances will the Service Provider process personal data for purposes other than those agreed, unless required by law or expressly requested in writing by the Customer.

PURPOSE OF PROCESSING

Personal information is collected on the platform during its use. It is required to open, maintain and operate a user account or to enable the Service Provider or its Customer to pursue a legitimate interest in respect of the rights of the Customer and Users.

The Service Provider stores and backs up personal data. The Service Provider never replaces the Customer in the processing of personal data, which the Customer can carry out autonomously on the platform.

As part of the services provided, the Service Provider, as a subcontractor, will process personal data to enable the opening, maintenance and proper operation of user accounts on the platform, as well as to meet the Customer's operational requirements.

Processing is carried out primarily for the following purposes, while respecting the Customer's legitimate interests and the rights of users:

- Management of user accounts: creation, modification, access management and deletion of accounts.

- Data backup and storage: secure storage of data to prevent loss.

- Technical support and security: assistance to users and maintenance of secure access and use of the platform.

The Service Provider undertakes not to carry out any processing beyond the defined purposes, except on documented instruction from the Customer or in the event of a legal obligation.

Duration

Personal data is stored and processed for the time strictly necessary to fulfill the purposes specified in article 2, and then archived or securely deleted. The retention period shall not exceed the duration of the contractual or commercial relationship, plus the time required to meet legal obligations, such as the liquidation and consolidation of rights, prescription periods and the exhaustion of legal remedies.

In the event of legal obligation, requests from regulators or administrative authorities, or for historical, statistical and scientific research purposes, data may be archived in accordance with the conditions laid down by law.

- For the Customer: The maximum data retention period is 10 years after the end of the contractual relationship.

- For the Service Provider: Data will be securely deleted or anonymized within a maximum of 30 days after the end of the contractual relationship with the Customer, unless otherwise stipulated by law.

Nature and purpose of processing

Personal data may be used by the Customer for the following purposes, in compliance with the legal provisions in force:

- Commercial and customer relationship management
- Customer knowledge and management of products and services
- Prospecting and sales promotion
- Statistical studies and data analysis
- Profiling for commercial purposes (subject to compliance with the rules in force)
- Risk assessment and management
- Compliance with legal and regulatory obligations
- Invoicing of subscriptions and commissions.

As a subcontractor, the Service Provider may under no circumstances be held jointly responsible for the processing of personal data in the following situations:

- When the Customer downloads personal data and transmits it to a third party
- When the Customer transfers personal data via APIs to integrate third-party services.

These exclusions of liability are particularly applicable to purposes pursued by the Customer outside the Services provided by the Service Provider, in particular for activities such as prospecting, sales promotion, statistical studies and profiling, which are the sole responsibility of the Customer.

The purpose of the processing carried out by the Service Provider is to provide the services specified in the Contract, including the following operations:

- Recording and hosting of data
- Organization, structuring and provision of data for the Customer
- Secure storage of data
- Consultation of data as part of technical support
- Transmission and transfer of data to third parties designated by the Customer
- Deletion or anonymization of data in accordance with regulatory standards and documentation
- Use of data as part of the security and proper operation of the platform.

The collection, adaptation, modification, extraction, consultation, use, distribution, deletion and reconciliation of data are operations carried out autonomously by users and the Customer, without direct intervention by the Service Provider, except in the case of services specifically provided for in the Contract.

Type of personal data processed

Personal data processed and entered by operators or users on the platform includes the following information:

- Profile photo
- Title
- Last name, first name
- Company
- E-mail address
- Telephone number
- Postal address (street number and name, additional address, city, zip code, region, country)
- Language used
- IP addresses.

Data specific to certain users (if applicable)

This information may be requested only for specific users and in compliance with applicable regulations:

- Date of birth (only to verify the user's majority, if necessary).

Technical information required for the platform to function properly

This data is collected for security, diagnostic and technical support purposes:

- IP address
- Connection and activity logs
- Database index.

Categories of people concerned

The personal data collected and processed on the platform concerns the following categories of persons:

- Users: persons accessing and using the platform, whether as end users or administrators.

- Customer's employees: employees of the Customer accessing the platform as part of their professional duties.

- Customer's partners: commercial or technical partners of the Customer, involved in the use or management of the platform in collaboration with the Customer.

GUARANTEE

The Service Provider undertakes to comply with all the legal and regulatory obligations incumbent upon it in terms of personal data protection, in accordance with the French Data Protection Act (Informatique et Libertés) and the RGPD. The Service Provider guarantees the Customer that it will implement the necessary measures to ensure the compliance of data processing carried out within the scope of this appendix.

The Customer, as the data controller, undertakes to carry out all the formalities required with the competent supervisory authority for data protection, and to inform, where necessary, the persons concerned of the processing of their personal data, in accordance with the regulations in force.

SUBCONTRACTOR'S OBLIGATIONS

The Service Provider undertakes to take all necessary measures to ensure compliance with its legal and regulatory obligations, as well as those of its staff, with regard to the protection of personal data, in accordance with Articles 28, 32, and 33 of the RGPD. In this context, the Service Provider undertakes in particular to:

- Process data solely for the purposes defined in the Contract or where necessary for the security, maintenance, and proper operation of the Services provided by the Service Provider, in accordance with Article 28(3)(a) of the RGPD.

- Strictly comply with the Customer's instructions regarding the processing of data, as required by Article 28(3)(a) of the RGPD. If the Service Provider believes that an instruction could constitute a breach of the RGPD or any other applicable data protection legislation, the Service Provider will immediately inform the Customer. Furthermore, if the Service Provider is forced to transfer data to a third country or international organization by virtue of a legal obligation (in accordance with Article 28(3)(a) and Article 48 of the RGPD), it must inform the Customer of this requirement prior to processing, unless the applicable legislation prohibits such notification for reasons of public interest.

- Ensure the confidentiality of personal data processed under this Contract, ensuring that the data is not accessible to unauthorized third parties, in accordance with Article 28(3)(b) of the RGPD.

- Ensure that persons authorized to process data under the Contract undertake to comply with an appropriate confidentiality obligation, either contractually or by law, in accordance with Article 28(3)(b) of the RGPD. In addition, the Service Provider shall ensure that such persons receive the necessary training in the protection of personal data.

- Integrate the principles of "data protection by design" and "by default" into its tools, products, applications and services, in accordance with Article 25 of the RGPD, in order to guarantee a high level of security and confidentiality right from the development of its solutions.

In general, the Service Provider undertakes to implement all appropriate technical and organizational measures, in compliance with Article 32 of the RGPD, to guarantee the integrity, security and confidentiality of personal data processed on behalf of the Customer.

In the event of a personal data breach, the Service Provider undertakes to notify the Customer as soon as possible, in accordance with Article 33(2) of the RGPD, and to provide any documentation necessary to enable the Customer to comply with its obligations to notify the competent supervisory authority.

The parties agree that the notion of instruction is deemed to be fulfilled when the Service Provider acts in accordance with the terms of the Contract in the performance thereof.

OBLIGATIONS OF THE CONTROLLER TOWARDS THE PROCESSOR

The Customer, as data controller, undertakes to comply with the following obligations:

- Provide the data processor with the data necessary to carry out the processing specified in the Contract, in order to enable the Service Provider to comply with the purposes of the processing.

- Document in writing any instructions relating to the processing of personal data by the Processor, in accordance with Article 28(3)(a) of the RGPD, to ensure that all instructions are clear, precise and in compliance with the regulations in force.

- Ensure, before and throughout the processing, that the Processor complies with the obligations set out in the RGPD, in particular with regard to security, confidentiality and purpose limitation; supervise the processing activities carried out by the Processor and carry out, if necessary, audits or inspections. These audits may be carried out by the Customer or by a qualified third party selected by the Customer, in compliance with the conditions defined in Article 14 of Appendix E.

- Carry out a data protection impact analysis (DPIA), in accordance with Article 35 of the RGPD, when the processing is likely to give rise to a high risk for the rights and freedoms of the data subjects. The Customer will inform the Service Provider of the conclusions of the impact analysis and the measures to be implemented if necessary.

- Communicate to the Processor the contact details of its Data Protection Officer (DPO), if such an officer is appointed, indicating his identity and contact details in the Quotation. In the event of a change of DPO, the Customer undertakes to inform the Service Provider as soon as possible to ensure effective communication.

SECURITY

In accordance with the requirements of the RGPD and the Data Protection regulations, the Service Provider and the Customer undertake to take all necessary precautions to guarantee the security of personal data, taking into account the nature of the data processed and the associated risks. These measures aim in particular to prevent any alteration, accidental or unlawful destruction, loss, disclosure or unauthorized access to data by third parties.

The Service Provider and the Customer shall implement appropriate technical and organizational measures to ensure the protection of personal data, in accordance with Article 32 of the RGPD. These measures take into account the state of the art, the costs of implementation, the nature, scope, context and purposes of the processing, as well as the level of risk to the rights and freedoms of the data subjects, with a view to guaranteeing an appropriate level of security.

The Service Provider undertakes to maintain these security measures throughout the performance of the Contract. In the event of a change in security or confidentiality measures, the Service Provider will ensure that they are replaced by measures of at least equivalent, if not superior, performance, in order to prevent any regression in the level of security. No change in measures may lead to a reduction in the level of data protection.

DATA BREACH

In accordance with Article 33(2) of the RGPD, the Service Provider undertakes to notify the Customer of any personal data breach as soon as possible after becoming aware of it, at the address indicated in the Quotation.

This notification will include any useful documentation enabling the Customer, if necessary, to notify this breach to the competent supervisory authority. Insofar as possible, the notification sent to the Customer shall include the following information:

- A description of the nature of the data breach, including the categories and approximate number of persons concerned as well as the number of data records affected,
- A description of the likely consequences of the data breach for the persons concerned,
- A description of the measures taken to remedy the breach, including the actions taken to mitigate any negative consequences.

The Service Provider undertakes to cooperate reasonably with the Customer to enable it to meet its regulatory and contractual obligations. As the data controller, it is the Customer's responsibility to notify, where appropriate, this data breach to the competent supervisory authority as well as to the data subjects, in accordance with Articles 33(1) and 34 of the RGPD.  

EXERCISING PERSONAL RIGHTS

The Customer, as data controller, has the necessary tools to enable data subjects to exercise their rights, in accordance with Articles 12 to 22 of the RGPD. The Customer is responsible for providing data subjects with all the information required concerning the processing of their personal data, in particular at the time the data is collected, and for facilitating the exercise of their rights.

The Service Provider provides the Customer with recommendations in its Documentation to support it in this management.

In the event of a complaint received directly from a data subject relating to personal data processed under this Contract, the Service Provider undertakes to inform the Customer as soon as possible and, in any event, no later than 72 hours following receipt of the complaint, at the address indicated in the Quotation.

If a request to exercise rights is sent directly to the Service Provider by a data subject, the Service Provider undertakes to forward this request to the Customer upon receipt, by e-mail, to the address mentioned in the Quotation, without replying to it directly, in accordance with the Customer's instructions and the provisions of the RGPD.  

OUTSOURCING

The servers used for hosting and data storage are located in the European Union. At the date of signature of the Contract, the main hosting subcontractor used by the Service Provider is Microsoft Azure.

In accordance with the French Data Protection Act (Informatique et Libertés) and the RGPD, the Service Provider may not subcontract, in whole or in part, services involving the processing of personal data to a country outside the European Union without first obtaining the Customer's express and specific written consent. The Customer has a period of seven (7) days in which to express objections to the proposed subcontractor.

Any subcontracting not involving the processing of personal data and/or carried out exclusively within the European Union is authorized by the Customer without the need for additional consent.

The Service Provider undertakes that each chosen subcontractor will be subject to the same data protection obligations as those stipulated in this Contract, in accordance with Articles 28(2) and 28(4) of the RGPD. These obligations include, in particular, compliance with security, confidentiality and transparency standards.

List of subcontractors

The Platform may be connected to third-party management or monitoring tools that do not process personal data, in accordance with confidentiality and security requirements.

CROSS-BORDER DATA FLOWS

In the event of the transfer of personal data to a third country that is not part of the European Union, or to an international organization, the Service Provider undertakes to obtain the Customer's prior written consent.

If such agreement is given, the Service Provider will work closely with the Customer to ensure that the procedures implemented comply with the requirements of the Data Protection Regulation and the RGPD, including Articles 44 to 49, relating to international data transfers.

In particular, the Service Provider will ensure that one of the transfer mechanisms provided for by the RGPD is put in place, such as:

- The use of standard contractual clauses approved by the European Commission,
- Binding Corporate Rules (BCR) if applicable,
- Or any other appropriate guarantee recognized by the regulations in force.

In the event of a change in the adequacy status of the country of destination, the Service Provider will inform the Customer without delay so that the Customer can take the necessary measures to maintain the conformity of the processing.

KEEPING THE REGISTER

In its capacity as processor, the Service Provider undertakes to keep an up-to-date register of all categories of processing activities carried out on behalf of the controller, in accordance with Article 30(2) of the RGPD.

This register will include information on the nature of the processing activities, the purposes of such processing, as well as any other data required by the RGPD to ensure complete and compliant documentation.

The Service Provider undertakes to provide the Customer, upon request, with access to this register in order to enable the Customer to verify the compliance of processing activities with legal and contractual obligations.  

DATA RETENTION

In the event that Community law or the law of a Member State requires the retention of personal data, the Service Provider will inform the Customer of this obligation.

At the end of the service, the Service Provider undertakes to return the personal data to the Customer, in accordance with the reversibility terms defined in the Contract. This return will include all data processed on behalf of the Customer as part of the services provided.

Once the data has been returned, the Service Provider will destroy all remaining copies of the personal data in its information systems, unless otherwise required by Community law or the law of the applicable Member State.

This destruction will take place within thirty (30) days of the data being returned to the Customer. At the Customer's request, the Service Provider may provide written proof of destruction.

In the event that the legislation of the European Union or of a Member State requires the retention of personal data beyond this period, the Service Provider will inform the Customer of this legal obligation and of the retention terms imposed.  

AUDITS AND IMPACT ANALYSIS

The Service Provider undertakes to respond to audit requests made by the Customer or by a trusted third party designated by the Customer, provided that such third party has the necessary qualifications to conduct a data protection compliance audit.

The Service Provider will provide the Customer with all relevant information and conclusions arising from the audit. The costs of the audit shall be borne by the Customer.

The Service Provider reserves the right to refuse an auditor for a legitimate reason, in particular if the auditor is a direct or indirect competitor of the Service Provider. In this case, the Customer will propose another qualified auditor. The purpose of audits is to verify the effective implementation of personal data security and confidentiality measures, in compliance with the RGPD and contractual obligations. The Customer will inform the Service Provider at least fifteen (15) working days prior to the start of the audit.

During the term of the Contract, at the Customer's express request and insofar as it does not affect the Service Provider's business, the Service Provider will provide the necessary assistance to the Customer in carrying out a data protection impact analysis (DPIA), in accordance with Article 35 of the RGPD, taking into account the information available.

CONTACT DATA COLLECTED BY EACH PARTY AS PART OF THE CONTRACT

In the course of performing the Contract, each Party may be required to process personal data concerning the other Party's employees, in particular the technical and commercial contact information necessary for the proper management of the contractual relationship. Such personal data may include, by way of example: surname, first name, business e-mail address, business postal address and business telephone numbers.

The processing of such personal data is essential for the management of customer/supplier files, communication between teams, and the conduct of commercial actions related to the Contract.

Each Party acts as Data Controller for the personal data it collects in this context and undertakes to:

- Process such personal data only to the extent strictly necessary for the performance of the Contract,
- Comply with current regulations, including the RGPD, and implement all appropriate technical and organizational measures to ensure the protection of such data, preventing its accidental or unlawful destruction, loss, alteration, and any unauthorized access or dissemination.

These security measures aim to guarantee a level of protection appropriate to the risks to the rights and freedoms of the persons concerned, in accordance with the legal obligations of each Party as Data Controller.