Data Processing Agreement

  1. The customer agreeing to these terms (“Customer”), and Supplier (Revevol France SAS or Revevol Italy SRL as applicable), have entered into an agreement under which Supplier has agreed to provide certain Services, which may be amended from time to time (the "Agreement").

  2. For the purpose of this DPA, the entity acting as Supplier is the entity designated in the Agreement to which this DPA is incorporated by reference. This Data Processing Agreement and its appendices (the “DPA”), which is between Supplier and Customer (each, a “Party”, and together, “the Parties”), forms part of the Agreement and is the Parties’ agreement related to Supplier’s processing of Customer’s Data. This DPA might be updated from time to time and will be effective and replace any previously applicable data processing agreement as from the Terms Effective Date (as defined below). To the extent of any conflict or inconsistency between the terms of this DPA and the remainder of the Agreement, the terms of this DPA will govern. Definitions are provided in Section 26 below.

  3. The Parties acknowledge and agree that (a) under the Data Protection Legislation, Supplier is a Data Processor of Customer Personal Data listed in Appendix 1, (b) Customer subscribing to Supplier's services may be a Data Controller or Data Processor, as applicable, of Customer Personal Data and (c) each Party will comply with the obligations applicable to it under the Data Protection Legislation with respect to the Processing of that Customer Personal Data.

  4. Details on categories of data processed and data subjects concerned, processing operations, location of processing, and purpose and duration of processing are provided in Appendix 1.

  5. Duration. This DPA will take effect on the Agreement Effective Date and, notwithstanding expiry of the Term, remains in effect until, and automatically expire upon, deletion of all Customer Data by Supplier as described in this DPA.

  6. Scope. The Parties acknowledge and agree that the Data Protection Legislation will apply to the Processing of Customer Personal Data if: (a) the Processing is carried out in the context of the activities of an establishment of Customer in the territory of the EEA/Switzerland; and/or (b) the Customer Personal Data relates to Data Subjects who are in the EEA/ Switzerland and the Processing relates to the offering of goods or services in the EEA or the monitoring of their behaviour in the EEA.

  7. Non-European Data Protection Legislation. The Parties acknowledge and agree that Non-European Data Protection Legislation may also apply to the Processing of Customer Personal Data. Except to the extent this DPA states otherwise, the terms of this DPA will apply irrespective of whether the Data Protection Legislation or Non-European Data Protection Legislation applies to the Processing of Customer Personal Data by Supplier. If Non-European Data Protection Legislation applies to either Party’s Processing of Customer Personal Data, the Parties acknowledge and agree that the relevant Party will comply with any obligations applicable to it under that legislation with respect to the Processing of that Customer Personal Data.

  8. Third-party Data Controller. If the Data Protection Legislation applies to the Processing of Customer Personal Data and Customer is a Data Processor acting under the instructions of a third-party Data Controller, Customer warrants to Supplier that Customer’s instructions and actions with respect to that Customer Personal Data, including its appointment as Data Processor have been authorized by the Third Party Data Controller and shall provide evidence thereof, at Supplier’s request.

  9. Customer’s Instructions. By entering into this DPA, Customer instructs Supplier to Process Customer Personal Data only in accordance with the Data Protection Legislation and/or Non-European Data Protection Legislation, as applicable: (a) to provide the Services and related technical support; (b) as further specified by Customer or required by Customer’s use of the Services and related technical support; (c) as documented in the form of the Agreement, including this DPA; and (d) as further documented in any other legitimate and written instructions given by Customer and acknowledged by Supplier as constituting instructions for purposes of this DPA. As from the Effective Date, Supplier will comply with the Customer’s instructions provided in this Section, including with regard to Personal Data transfers, in accordance with Section 21. Supplier shall not process, transfer, modify, amend or alter Customer Personal Data or disclose or permit the disclosure of the Customer Personal Data to any third-party other than in accordance with the Customer’s instructions (whether in the Agreement or otherwise) unless EU law or EU Member State law to which Processor is subject requires other Processing of Customer Personal Data by Supplier, in which case Supplier will inform Customer prior to implement the processing (unless that law prohibits Processor from doing so on important grounds of public interest) via the Notification Email Address. Supplier agrees to immediately inform the Customer if, in its opinion, an instruction infringes the applicable Data Protection Legislation.

  10. Deletion During Term. Supplier will enable Customer to delete Customer Data during the Term in a manner consistent with the functionality of the Services. If Customer or an End User uses the Services to delete any Customer Data during the Term and the Customer Data cannot be recovered by Customer or an End User, this use will constitute a Customer’s Instruction to Supplier to delete the relevant Customer Data from Supplier’s Systems in accordance with applicable Data Protection Legislation. Supplier will comply with this instruction as soon as reasonably practicable and within a maximum period of 90 days, unless EU or EU Member State law requires or justifies that such Personal Data be retained by Supplier for a longer period of time.

  11. Deletion on Term Expiry. Subject to Section 12 (Deferred Deletion Instructions), upon expiry of the Term, Customer instructs Supplier to delete all Customer Data (including existing copies) from Supplier’s Systems in accordance with applicable Data Protection Law. Processor will comply with this Instruction as soon as reasonably practicable and within a maximum period of 90 days, unless EU or EU Member State law requires or justifies that such Personal Data be retained by Processor for a longer period of time. Without prejudice to Section 20 (Data Subjects Rights and Requests) Customer acknowledges and agrees that Customer will be responsible for exporting, before the Term expires, any Customer Data it wishes to retain afterwards.

  12. Deferred Deletion Instruction. To the extent any Customer Data covered by the deletion instruction described in Section 11 (Deletion on Term Expiry) is also processed, when the Term under Section 11 expires, in relation to an agreement between Customer and Supplier having a continuing Term, such deletion instruction will only take effect with respect to such Customer Data when the continuing Term expires. For clarity, in the event of a Deferred Deletion Instruction, this DPA will continue to apply to such Customer Data until its deletion by Supplier.

  13. Supplier Security Measure. Supplier will implement and maintain technical and organizational measures to protect Customer Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access as described in Appendix 2 (the “Security Measures”). As described in Appendix 2, the Security Measures include measures to help ensure ongoing confidentiality, integrity, availability and resilience of Supplier’s Systems, restore timely access to Customer Data following a Data Incident and regular testing of effectiveness. Supplier may update or modify the Security Measures in Appendix 2 from time to time provided that such updates and modifications do not result in the degradation of the overall security of the Services or Supplier’s Systems. Customer acknowledges that Customer Data will be hosted in a Third-Party Service Provider data centres, by Third-Party Service Provider and/or one or more of its affiliated entities (collectively, “Third-Party Service Providers”) (and not by the Supplier) and, as a consequence, that most of the technical and organisational security measures relating to the Customer Data (as notably referred to in Appendix 2) will be provided by the applicable Third-Party Service Provider under its own liability. Accordingly, and notwithstanding any other provision in the Agreement, the Supplier disclaims any and all responsibility in relation to any acts and/or omission of Third-Party Service Provider, including notably (without limitation) for such Third-Party Service Provider’s technical and organisational security measures as listed for information purposes only and without any representation in Appendix 2. Customer agrees to disclaim Supplier’s liability, in the event of any non-compliance of the Third-Party Service Provider under the applicable agreement.

  14. Security Compliance by Processor. Supplier will take appropriate steps to ensure compliance with the Security Measures by its employees, contractors, agents and Subprocessors to the extent applicable to their scope of performance, including ensuring that all persons authorized to process Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality, and that such personnel has undertaken appropriate training in accordance with the Data Protection Legislation.

  15. Processor Security Assistance. Customer agrees that Supplier will (taking into account the nature of the Processing of Customer Personal Data and the information available to Supplier) assist Customer in ensuring compliance with Customer’s obligations in respect of security of Personal Data and Personal Data breaches, in particular in the event of a Data Incident, including if applicable Customer’s obligations pursuant to Articles 32 to 34 (inclusive) of the GDPR, by: (a) implementing and maintaining the Security Measures in accordance with Section 13 (Supplier’s Security Measures); (b) complying with the terms of Section 16 (Data Incidents).

  16. Data Incidents. If Supplier becomes aware of a Data Incident, Supplier will: (a) notify Customer of the Data Incident promptly and without undue delay; and (b) promptly take reasonable steps to minimize harm and secure Customer Data. Notifications will describe, to the extent possible, details of the Data Incident, including steps taken to mitigate the potential risks and steps Supplier recommends Customer to take to address the Data Incident. Notification(s) of any Data Incident(s) will be delivered to the Notification Email Address or, at Supplier’s discretion, by direct communication (for example, by phone call or an in-person meeting). Customer is solely responsible for ensuring that the Notification Email Address is current and valid at any time. Supplier will not assess the contents of Customer Data in order to identify information subject to any specific legal requirements. Customer is solely responsible for complying with notification obligations provided by Data Protection Legislation or Non-European Data Protection Legislation, as applicable to Customer, and fulfilling any third party notification obligations related to any Data Incident(s). Supplier’s notification of or response to a Data Incident under this Section 16 (Data Incidents) will not be construed as an acknowledgement by Supplier of any fault or liability with respect to the Data Incident.

  17. Customer’s Security Responsibilities and Assessment. Customer agrees that, without prejudice to Supplier’s obligations under Sections 13-15 (Supplier’s Security Measures, Controls and Assistance) and Section 16 (Data Incidents): (a) Customer is solely responsible for its use of the Services, including: (i) making appropriate use of the Services to ensure a level of security appropriate to the risk in respect of the Customer Data; (ii) securing the account authentication credentials, systems and devices Customer uses to access the Services; and (iii) backing up Customer Data; and (b) Supplier has no obligation to protect Customer Data that Customer elects to store or transfer outside of Processor’s and its Subprocessors’ systems (for example, offline or on-premise storage, or Customer’s Third-Party Service Provider). Customer is solely responsible for evaluating whether the Services, the Security Measures and Supplier’s commitments under Sections 13-17 meet Customer’s needs, including with respect to any security obligations of Customer under the Data Protection Legislation and/or Non-European Data Protection Legislation, as applicable. Customer acknowledges and agrees that (taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the Processing of Customer Personal Data as well as the risks to individuals) the Security Measures implemented and maintained by Supplier as set out in Section 13 (Supplier’s Security Measures) and Appendix 2 provide a level of security appropriate to the risk in respect of the Customer Data.

  18. Audits of compliance. If the Data Protection Legislation applies to the Processing of Customer Personal Data, Supplier will allow Customer or an independent auditor appointed by Customer to conduct audits (including inspections) to verify Supplier’s compliance with its obligations under this DPA. Supplier will contribute to such audits as described in this Section 18 (Audits of Compliance). If Customer decides to conduct an audit as described above, then Customer shall bear all costs and expenses connected therewith, such as the auditors' fees, costs of transport, legal fees, etc. If Customer has entered into Model Contract Clauses as described in Section 21 (Personal Data Transfer), Supplier will, without prejudice to any audit rights of a Supervisory Authority under such Model Contract Clauses, allow Customer or an independent auditor appointed by Customer to conduct audits as described in the Model Contract Clauses. Customer may also conduct an audit to verify Supplier’s compliance with its obligations under this DPA. In any event, any audit mandated by Customer pursuant to this Section 18 shall not impair or otherwise trouble Supplier’s usual course of business.

  19. Impact Assessments and Consultations. Customer agrees that Supplier will (taking into account the nature of the Processing and the information available to Processor) provide Customer with reasonable assistance in ensuring compliance with any obligations of Customer in respect of data protection impact assessments and prior consultation, including if applicable Customer’s obligations pursuant to Articles 35 and 36 of the GDPR, to the extent necessary information is available to Supplier.

  20. Data Subject Rights and Request. During the Term, Supplier will, in a manner consistent with the functionality of the Services, enable Customer to access, rectify and restrict Processing of Customer Data, or erase Customer Data, as applicable, including via the deletion functionality provided by Supplier as described in Section 10 (Deletion During Term), and to export Customer Data, as required by Data Protection Legislation and/or Non-European Data Protection Legislation, as applicable. During the Term, if Supplier receives any request from a Data Subject in relation to Customer Personal Data, Supplierv will advise the Data Subject to submit his/her request to Customer or directly report such request to Customer using the Notification Email Address or any other communication channel, and Customer will be responsible for responding to any such request including, where necessary, by using the functionality of the Services. Customer agrees that (taking into account the nature of the Processing of Customer Personal Data) Supplier will provide Customer with reasonable assistance in fulfilling any obligation to respond to requests by Data Subjects, including if applicable Customer’s obligation to respond to requests for exercising the Data Subject’s rights laid down in Chapter III of the GDPR, by complying with the commitments set out in this Section 20, to the extent Supplier is able to respond to such requests.

  21. Personal Data Transfer. Customer acknowledges and agrees that Supplier may, subject to this Section 21 (Personal Data Transfer), store and process Customer Data in the United States and any other country outside the EEA in which Supplier or Subprocessors maintain facilities. If the storage and/or Processing of Customer Personal Data involves a Restricted Transfer, Supplier and Customer hereby agree to enter into the Model Contract Clauses. In such case, any Restricted Transfers are made in accordance with such Model Contract Clauses. Supplier will impose under a written agreement the same obligations on the Subprocessors, if any, as are imposed on the Processor under this DPA and the Model Contract Clauses. Where the Subprocessor fails to fulfil its data protection obligations under such written agreement, the Supplier shall remain fully liable to the Customer for the performance of the Subprocessor's obligations under such agreement. In addition, where provision of the Services involves a Restricted Transfer from the Supplier to a Subprocessor located outside EU, Customer (on behalf of itself and its relevant Affiliates) mandates Supplier, which mandate Supplier hereby accepts, to promptly enter, on Customer's own name and behalf as Data Exporter (Subprocessor being the Data Importer), into a Personal Data processing agreement with any Subprocessor engaged by Supplier in such Restricted Transfer, before such Subprocessor first Processes the Personal Data, so as to ensure that any such Restricted Transfer complies with the Data Protection Legislation. Such Personal Data processing agreement shall (a) meet the conditions set out in Article 28 of the GDPR and offer at least the same level of protection for the Personal Data as those set out in this DPA and (b) incorporate Model Contract Clauses. When Supplier uses Third Party Service Provider Cloud Platform to host and/or provide the Services, information about the locations of Supplier’s Third Party Service Providers’ data centers is available at the Third Party Service Providers’ pages specifying servers locations and may be updated by the Third Party Service Provider from time to time. If Customer has entered into Model Contract Clauses as described in this Section 21 (Personal Data Transfer), Supplier will, notwithstanding any term to the contrary in the Agreement, ensure that any disclosure of Customer's Confidential Information containing Customer Personal Data, and any notifications relating to any such disclosures, will be made in accordance with such Model Contract Clauses.

  22. Subprocessors. Customer hereby specifically authorizes the engagement of Supplier’s Affiliates as Subprocessors pursuant to the Agreement and for the Term. In addition, Customer hereby generally authorizes the engagement of any other third parties as Subprocessors (“Third Party Service Provider Subprocessors”), subject to Supplier’s compliance with this Section 22. Customer hereby authorizes all “Subprocessors” listed in Appendix 3. If Customer has entered into Model Contract Clauses as described in Section 21 (Personal Data Transfer), the above authorizations will constitute Customer’s prior written consent to the subcontracting by Supplier of the Processing of Customer Data if such consent is required under the Model Contract Clauses and Data Protection Legislation and/or Non-European Data Protection Legislation, as applicable. Information about Subprocessors is available in Appendix 3 and may be updated by Supplier from time to time in accordance with this DPA. When engaging any Subprocessor, Supplier will: (a) ensure via a written legal instrument or contract that: (i) the Subprocessor only accesses and processes Customer Data to the extent required to perform the obligations subcontracted to it, and does so in accordance with the Agreement (including this DPA) and any Model Contract Clauses entered into as described in Section 10.2 (Transfers of Data Out of the EEA), as applicable; and (ii) if the GDPR applies to the Processing of Customer Personal Data, the data protection obligations set out in Article 28(3) of the GDPR, as described in this DPA, are mandated by said legal instrument or contract on the Subprocessor; and (b) remain fully liable for all obligations subcontracted to, and all acts and omissions of, the Subprocessor. When any Third-Party Subprocessor not listed in Appendix 3 at the Agreement Effective Date is engaged during the Term, Supplier will, at least 30 days before the new Third-Party Subprocessor processes any Customer Data, inform Customer of the engagement (including the name and location of the relevant Third-Party Subprocessor and the activities it will perform) by sending an email to the Notification Email Address. Customer may object to any new Third-Party Subprocessor by terminating the Agreement immediately upon written notice to Supplier, provided that Customer sends such notice within 90 days of being informed of the engagement of the Third-Party Subprocessor. This termination right is Customer’s sole and exclusive remedy if Customer objects to any new Third-Party Subprocessor.

  23. Processing Records. Customer acknowledges that Supplier is required under the GDPR to: (a) collect and maintain records of certain information, including the name and contact details of any Data Processor and/or Data Controller on behalf of which Processor is acting and, where applicable, of such Data Processor’s or Data Controller's local representative and data protection officer, as well as the categories of Processing carried out on behalf of each Data Controller, where possible a general description of the technical and organisational security measures; and (b) make such information available to the Supervisory Authorities.

  24. Agreed Liability Cap. The cap of liability set forth in the Agreement governing the provision of Services to which this DPA is part applies to any violation of the provisions of this DPA or any damage which may result from the Supplier's or its Affiliate's non-compliance with Data Protection Laws. Nothing in this Section 24 (Agreed Liability Cap) will affect the remaining terms of the Agreement relating to liability (including any specific exclusions from any limitation of liability).

  25. Miscellaneous.

    1. Neither the rights nor the obligations of any Party may be assigned in whole or in part without the prior written consent of the other Party, provided, however, that this DPA may be transferred or assigned in the event of a restructuring or change of control affecting a Party hereto.
    2. In the event of any dispute arising between the Parties in connection with this DPA, the Parties shall negotiate in good faith to resolve their dispute. If the dispute cannot be resolved by good faith negotiations by the Parties, the dispute shall be finally settled by a public court relevant for the seat of the Supplier.
    3. This DPA is governed by the laws of France, without reference to its rules governing conflicts of laws.
    4. Should any provision of this DPA be deemed invalid or unenforceable by a competent court, then the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the Parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.
    5. Any amendments to this Data Processing Agreement shall be made in writing, otherwise being null and void.

  26. Definitions. Capitalized terms used but not defined in this DPA have the meanings given in the Agreement. In this DPA, unless stated otherwise:

    Affiliate” means any entity controlling, controlled by, or under common control with a Party, where “control” is defined as: (a) the ownership of at least fifty percent (50%) of the equity or beneficial interests of the entity; (b) the right to vote for or appoint a majority of the board of directors or other governing body of the entity; or (c) the power to exercise a controlling influence over the management or policies of the entity.

    Agreement” means the Services Agreement entered into between the Supplier and the Customer for the provision of Services by the Supplier to Customer.

    Agreed Liability Cap” means the maximum monetary or payment-based amount at which a Party’s liability is capped under the Agreement, either per annual period or event giving rise to liability, as applicable.

    Customer Data” means data submitted, stored, sent or received via the Services by Customer, its Affiliates or End Users. Customer Data may also include Personal Data sent or otherwise made available by Customer to Supplier and/or Supplier’s Affiliates where Customer uses Supplier Affiliates Solutions. For the avoidance of doubt, for the purpose of the Agreement and the DPA, Customer Data does not include data contained in files stored in Customer’s Third Party Service Provider Solution account(s) to which Supplier does not have access.

    Customer Personal Data” means Personal Data contained within the Customer Data, as described in Appendix 1.

    Data Incident” means a breach of Supplier’s security measures leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Data on systems managed by or otherwise controlled by Supplier. “Data Incidents” will not include unsuccessful attempts or activities that do not compromise the security of Customer Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.

    Effective Date” means the date on which Customer and Supplier agreed to this DPA, and is the Agreement Effective Date.

    EEA” means the European Economic Area.

    End User” means natural persons authorized by Customer to access or use the Services, including Customer and Customer’s Affiliate personnel, employee, agent or contractor.

    Data Protection Legislation” means, as applicable: (a) the GDPR; and/or (b) the Federal Data Protection Act of 19 June 1992 (Switzerland) as well as any data protection laws substantially amending, replacing or superseding the GDPR, the Federal Data Protection Act of Switzerland and/or other applicable European Union Member state domestic data protection or national/federal or state/provincial privacy legislation in force, including where applicable, statutes, decisions, guidelines, guidance notes, codes of practice, codes of conduct and data protection certification mechanisms issued from time to time by competent court or Supervisory Authority, relating to the Processing of personal data and privacy.

    GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the Processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.

    Model Contract Clauses” or “MCCs” means the standard data protection clauses for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection, as approved by the European Commission in Decision 2010/87/EU, as amended, replaced or superseded by any set of clauses approved by the European Commission.

    Non-European Data Protection Legislation” means any national/federal or state/provincial/emirate data protection or privacy legislation, other than the Data Protection Legislation.

    Notification Email Address(es)” means the email address(es) designated by Customer to receive certain notifications from Supplier.

    Supplier’s Systems” means the computing and storage infrastructure contracted by Supplier to run the Services and to store the Customer Data. For the avoidance of doubt, Supplier’s Systems do not include Third-Party Service Provider Solution used by Customer and contracted by Customer, nor any of the Third Party Offerings.

    Restricted Transfer” means (a) a transfer of the Personal Data from Customer to Supplier or Subprocessor, or (b) an onward transfer of the Personal Data from Supplier or Subprocessor to (or between two establishments of) Supplier or Subprocessor, in each case, being a transfer to a country outside the EEA, where such transfer would be prohibited by European Data Protection Legislation in the absence of Model Contract Clauses or other legal instruments required by European Data Protection Legislation.

    Subprocessor(s)” mean third parties authorized by Processor under this DPA to have logical access to and process Customer Data on behalf of Customer in order to provide parts of the Services and related technical support, including Supplier’s Affiliates.

    Security Measures” has the meaning given in Section 13 (Supplier Security Measures).

    Services” means the services that have been purchased by the Customer pursuant to the Agreement and any applicable Order Form, including any update or replacement thereof and technical support provided by Supplier to Customer from time to time. The Services do not include (i) Supplier Affiliates Solution that may have been separately licensed by Customer, (ii) any Third Party Offerings that may have been separately licensed by Customer, nor (iii) the Third-Party Service Provider Solution used by Customer.

    Supplier Affiliates Solution” means any solution of software provided by one or more Supplier’s Affiliates, which supplements and/or are necessary to provide the Services performed by Supplier, that have either been (i) licensed by Customer from a Supplier’s Affiliate or (ii) licensed by Customer from Supplier.

    The terms “Personal Data”, “Data Subject”, “Processing”, “Data Controller”, “Data Processor” and “Supervisory Authority” as used in this DPA have the meanings given to them in the GDPR, and the terms “Data Importer” and “Data Exporter” have the meanings given to them in the Model Contract Clauses, in each case irrespective of whether the European Data Protection Legislation or Non-European Data Protection Legislation applies.

    Term” means the period from the Agreement Effective Date until the end of Supplier’s provision of the Services to Customer under the Agreement, including, if applicable, any period during which provision of the Services may be suspended and any post-termination period during which Supplier may continue providing the Services to Customer for transitional purposes.

    Third-Party Service Provider Solution” means any solution or software on which all or part of the Services are performed by the Supplier, that have been separately licensed by Customer, as the case may be, from an unaffiliated Third-Party Service Provider. Third Party Service Providers Solutions may notably include Google, Microsoft and/or Facebook solutions or software.

    “Terms Effective Date” means the date on which Customer accepted, or the parties otherwise agreed to, these Terms.

Appendix 1 - Data Processing Details

Subject Matter Supplier’s provision of the Services and related technical support to Customer.
Categories of Data Subjects

Categories of Data Subjects whose Personal Data will be Processed by Service Provider

Personal Data processed in relation to the provision of the Services may concern the following categories of Data Subjects: End Users including Data Controller’s employees and contractors; the personnel of Data Controller’s own customers, suppliers and subcontractors; and any other person whose data is processed via services, including third party services to which Customer grants access to Supplier, and including individuals collaborating and communicating with End Users.
Categories of data

Personal Data that will be Processed by Supplier

Personal Data that will be Processed by Supplier includes data submitted, stored, sent or received by Customer, its Affiliates or End Users via services, including third party services to which Customer grants access to Supplier, and may include the following categories of data: user IDs, emails, textual information used in document and document titles, description and other metadata, text and images to be displayed by such services, audit log information, system log information.
Location of Processing Operations

Locations where the personal data will be Processed by Supplier

Personal Data submitted, stored, sent or received by Customer, its Affiliates or End Users via the Services may be processed at Supplier’s locations situated at:
  • 6 rue Beaubourg, 75004 Paris, France
  • 650 California Street, San Francisco, CA 94108, USA
  • 3280 Peachtree Road NE, 7th Floor Atlanta, GA 30305, USA
  • Via Giosue’ Carducci 125/A, 20099 Sesto San Giovanni, Milan, Italy
Purposes

Purposes for which the Personal Data will be Processed by Supplier

Supplier will process Customer Personal Data identified above for the purposes of providing the Services and related technical support to Customer in accordance with the Data Processing Agreement.
Duration of processing

The length of time for which Processing activities will be carried out Supplier

The applicable Term plus the period from expiry of such Term until deletion of all Customer Data by Supplier in accordance with the Data Processing Agreement.

Appendix 2 - Security Measures

  1. As from the Agreement Effective Date, Supplier will implement and maintain the Security Measures set out in this Appendix 2 to the Data Processing Agreement. Supplier may update or modify such Security Measures from time to time provided that such updates and modifications do not result in the degradation of the overall security of the Supplier’s System and of the Services.

  2. Infrastructure security. Supplier uses G Suite and Google Cloud Platform (GCP) to host the Supplier’s Systems. All of the Supplier’s Systems are fully managed by Google Inc. (Google), who is responsible for the physical and networking security of the Supplier’s Systems. Google’s security measures regarding the G Suite and GCP infrastructures are described on this page (G Suite) https://gsuite.google.com/security/?secure-by-design_activeEl=data-centers and this page (Google Cloud Platform): https://cloud.google.com/security/

  3. Personnel Security: Supplier personnel accessing Supplier’s Systems are authenticated via their G Suite account, protected by the same physical, networking and organizational measures as described above. Supplier personnel are required to conduct themselves in a manner consistent with the company’s guidelines regarding confidentiality, business ethics, appropriate usage, and professional standards. Supplier conducts reasonably appropriate background checks to the extent legally permissible and in accordance with applicable local labour law and statutory regulations. Personnel are required to execute a confidentiality agreement and must acknowledge receipt of, and compliance with, Supplier’s confidentiality and privacy policies. Personnel are also required to undertake appropriate training on privacy and data protection principles in compliance with the Data Protection Legislation.

  4. Subprocessor Security. Before onboarding Subprocessors, Supplier conducts an audit of the security and privacy practices of Subprocessors to ensure Subprocessors provide a level of security and privacy appropriate to their access to data and the scope of the services they are engaged to provide. Once Supplier has assessed the risks presented by the Subprocessor, then subject always to the requirements set out in Section 22 (Requirements for Subprocessor Engagement) of this Data Processing Agreement, the Subprocessor is required to enter into appropriate security, confidentiality and privacy contract terms.

Appendix 3 - Subprocessors

Supplier uses the following Subprocessors for the performance of the Services:

Entity name Corporate location
Google Inc USA