GDPR - Data Processing Agreement

The processing of data is governed by the General Data Protection Regulation of the European Union and also accessible on the site of the CNIL.

Preamble

We undertake to process Personal Data only for the security and operation of the Platform, to guarantee the confidentiality of Personal Data, to ensure that the persons authorized to process such Personal Data respect confidentiality or are subject to a legal obligation of confidentiality and that they receive the necessary training on the protection of Personal Data.

We agree to comply with the principles of Article 25 of the Regulation regarding "Data Protection by Design and Data Protection by Default".

The anonymous data collected by the SDK is only used on behalf of our client.

We commit ourselves not to use the data of our customers for our own account.

Technical and organizational measures

We are committed to implementing all of the security measures specified below:

Outsourcing

We do not subcontract any processing of personal data, if this were the case we would inform our client and ensure the confidentiality of the data with the latter.

We will ensure that the subcontractor presents the same sufficient guarantees regarding the implementation of technical and organizational measures required by the Regulation.

Transfer outside the European Union (EU)

In case of transfer of personal data outside the EU, we guarantee compliance with the obligations set out in CHAPTER V "Transfers of personal data to third countries or international organizations" of the Regulation.

We will be able to provide all the guarantees that our client is entitled to require to ensure compliance with data transfers outside the EU.

Right to information for data subjects

It is the client's responsibility to provide information to the data subjects at the time of data collection.

Exercising the rights of individuals

We undertake to assist our client in fulfilling its obligation to comply with requests to exercise the rights of data subjects: right of access, rectification, erasure and objection, right to restrict processing, right to data portability, right not to be subject to an automated individual decision (including profiling). When data subjects exercise requests to exercise their rights, we address these requests to our client.

Notification of personal data breaches

We will notify our client by e-mail of any personal data breach as soon as possible after becoming aware of it, and in any case within a timeframe that allows our client to comply with the deadlines imposed by the Personal Data Regulation. This notification is accompanied by all useful documentation in order to allow the client to notify the competent control authority and the persons concerned of the violation, as soon as these notifications are required by the Personal Data Regulation.

Data Protection Officer (DPO)

In accordance with Article 37 we are not obliged to appoint a DPO as we are not a public body and our activity does not consist of personal data processing operations.

Fate of Personal Data

In accordance with Article 28.3.g of the Regulation, upon completion of the services relating to the processing of such data, we undertake to return the Personal Data to the client or any subcontractor designated by the client - in the most technically suitable form, in a non-proprietary, structured and consolidated format - and to destroy all existing copies in its information systems.

Management of customer/supplier accounts

The purpose of this processing is to manage the customer and supplier accounts of each of the Parties, such as commercial relations, administrative management, invoicing, processing of technical incidents and management of complaints. This processing is implemented by each of the Parties in their capacity as Joint Processor. This processing is necessary for the execution of the Contract, it also responds to the legitimate interests of each of the Parties as well as the legitimate interest of each Party to provide means of communication to their staff. The persons concerned by this processing are the employees of each party. The Personal Data concerned are the identity data of the Interlocutors: Surname - First name - Phone number - email. The storage period of the aforementioned personal data is limited to three (3) years from the end of the commercial relationship between the Parties, and can be deleted immediately if requested by the customer.