DPA

This Personal Data Processing Agreement (“DPA”) ”) is an annex to the General Conditions and is an integral part of the Contract applicable between Signitic SAS and The Customer. In case of contradiction between the General Conditions and the DPA, the latter prevails.

‍

1. Scope and quality of the Parties

The purpose of this DPA is to define the conditions under which Signitic, acting as a Subcontractor, undertakes to perform on behalf of and at the instructions of the Customer, Personal Data Processing operations in connection with the Services, and to define the obligations and rights of Signitic and the Customer. This Agreement does not apply when Signitic acts as a Data Controller. This agreement terminates and replaces all conditions and previous contracts between the Parties for the same purpose.

Under this DPA, the Customer is presumed to act as a Data Controller. In the event that the Customer acts on behalf of a third party Data Controller, as a Subcontractor, he guarantees:

• That it has all the necessary authorizations for the conclusion of this DPA and for the Processing of Personal Data by Signitic as a Subcontractor;
• That the contract established with the Data Controller concerned is in accordance with the terms of the Contract;
• That the instructions given by the Customer in connection with the execution of this DPA are strictly in accordance with the instructions of the Data Controller and undertakes to provide him with the information communicated by Signitic, when required by the RGPD.

The Customer remains before Signitic, which is solely responsible for the proper performance of the Data Controller's obligations in accordance with this DPA.

The Parties undertake to comply with the provisions imposed by the RGPD, and more generally with the regulations applicable to them in terms of the protection of personal data.

‍

2. Definitions

For the purposes of the DPA, terms beginning with a capital letter will have the following meaning. When a capitalized term is not defined in this list, the definition is that specified in the Contract. The definitions of the terms “Data Controller”, “Subcontractor”, “Subcontractor”, “Subsequent Processors”, “Processing”, “Supervisory Authority”, “Personal Data Breach” are those determined by the GDPR.

Personal Data or Personal Data : refers to any information relating to an identified or identifiable natural person; is deemed to be an “identifiable natural person” a natural person who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more elements specific to him, which Signitic processes on behalf of the Customer, in order to provide the Services provided for in the Contract.

Person concerned : refers to a natural person whose Personal Data is processed.

RGPD : refers to Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data.

‍

3. Description of Processing Operations

Signitic is authorized to process on behalf of the Customer, the Personal Data necessary to provide the Services provided for in the Contract, according to the following description:

a. Types of Personal Data: Identification data, browsing data, login data.

b. Categories of persons concerned: Employees of the Data Controller and their contacts;

c. Purpose and nature of the Processing: The purpose of the Processing of Personal Data by Signitic is the provision of Services to the Customer which involves the Processing of Personal Data. This is particularly the case with the service of personalized email signatures, the organization of campaigns targeted to users and the hosting of digital business cards. The nature of the Processing involves the collection, extraction, recording, recording, organization, organization, organization, storage, storage, storage, modification, consultation, use, communication by transmission, structuring, interconnection, interconnection, interconnection, destruction and deletion of Personal Data. Personal Data is subject to Processing activities as specified in the Agreement.

D. Duration of Treatment: The Processing activities are carried out for the duration provided for in the Contract.

4. Obligations of the Customer

The Customer undertakes to:

1. Ensure that the Services that he subscribes to from Signitic have the characteristics and conditions required for the envisaged Treatment. As such, the information made available to the Customer is intended in particular to enable him to assess the compliance of these measures in relation to the envisaged Treatment;

2. Collect under its responsibility, in a lawful, loyal and transparent manner, the Personal Data provided to Signitic for the performance of the Services. In particular, it will verify the legal basis for this collection as well as the proper compliance with the provisions relating to the information of the Persons Concerned, for which it remains responsible;

3. Provide Signitic with the Personal Data necessary for the performance of the Services, excluding any Personal Data that is irrelevant, disproportionate or unnecessary, and excluding any “particular” Data within the meaning of the GDPR, in particular sensitive data;

4. Document any instructions regarding the Processing of Personal Data. It is understood that the terms of use of the Services and this agreement will constitute instructions sent to Signitic as to the Processing to be implemented. Additional instructions or derogations require agreement between the Parties. They must initially be specified in writing when ordering the Services and may, at any time, with the prior written consent of Signitic, be modified, supplemented or replaced at the Customer's request, in separate written instructions, including electronic ones;

5. Ensure, in advance and throughout the duration of the Processing, that Signitic complies with the obligations provided for by the RGPD;

6. Respect the obligations incumbent on the Data Controller under the GDPR, in particular respect the rights of the Data Subjects.

5. Significtic Obligations

Signitic is committed to:

1. Process Personal Data under the conditions provided for in the Contract;
2. Process Personal Data only upon documented instructions from the Customer, in accordance with article 4.4, unless Signitic is required to do so under the law applicable to the Contract. In this case, Signitic will inform the Customer of this legal obligation, unless the law in question prohibits such information for reasons of public interest. If Signitic considers that an instruction constitutes a violation of the RGPD or any other provision of Union law or the law of the Member States relating to data protection, it shall immediately inform the Customer in writing;
3. Take into account, when it comes to its tools, products, applications or services, the principles of data protection by design and data protection by default;
4. Train and raise awareness among its staff in terms of personal data protection;
5. Maintain the confidentiality of Personal Data, not to disclose it, in any form whatsoever, except (i) for the purposes of performing the Services, the purposes and the Contract; (ii) in application of a legal or regulatory provision; (iii) to respond to requests for communication from judicial and/or administrative authorities; (iv) with the prior agreement, request or action of the Customer.

As such, Signitic ensures that persons authorized to process Personal Data (personnel, partners, Subcontractors, etc.) undertake to respect confidentiality or are subject to an appropriate legal obligation of confidentiality;

6. Keep a record of categories of processing activities carried out on behalf of the Customer, under the conditions of article 30.2 of the RGPD;
7. Respond to any reasonable request for assistance from the Customer in carrying out impact assessments relating to the protection of Personal Data, and in carrying out the prior consultation of the Supervisory Authority, insofar as the Customer is required to do so under the applicable data protection regulation/law, and if such assistance is necessary and relates to the Processing of Personal Data operated by Signitic.

6. Personal Data Retention Period

Upon expiration or termination of the Agreement, Signitic undertakes to irreversibly destroy or anonymize Personal Data under the terms of the Agreement, unless the law applicable to the Contract requires the retention of Personal Data.

Depending on the Processing, Personal Data may be irreversibly deleted or anonymized during the Contract. This is particularly the case when Signitic provides the Customer, as part of its Services, with functionalities allowing it to delete and export Personal Data, or when Personal Data has a limited storage period in relation to the purpose of the Processing concerned.

‍‍

‍7. security

Signitic implements technical and organizational measures to protect Personal Data against accidental or unlawful destruction, accidental loss, alteration, dissemination or unauthorized access to Personal Data, within the limits of its scope of intervention and the means under its control under the Contract. These measures are specified on the Signitic website. They may have to evolve. In this case, Signitic undertakes not to reduce the level of protection put in place and to ensure that the level of security provided to Personal Data is equivalent to or greater than that in place when subscribing to the Services. All changes of significant impact will be published on the Site and are brought to the attention of the Customer by this means. It is the responsibility of the latter to regularly check the adequacy of the measures for the Processing of his Personal Data.

For its part, the Customer undertakes to take the security measures necessary to protect the Personal Data that are incumbent on him on his perimeter and in particular:

1. to ensure the confidentiality of its possible API keys, its identifiers and passwords, or any means allowing it to access or use the Services and to use passwords that comply with the rules of good practice;
2. to ensure the security of workstations, equipment and networks from which its personnel, and any person authorized by them, access the Services;
3. by ensuring the application of system patches and updates, by having up-to-date anti-viruses and firewalls or similar systems;
4. by promoting the backups of Personal Data in appropriate locations;
5. by protecting its premises, in particular by having anti-intrusion systems and access controls that are periodically tested, differentiating between areas of premises according to risks (example: computer room), granting access to staff according to operational needs and respecting the principle of least privilege;
6. to train its staff, Users and other authorized persons in the protection of personal data; etc.

8. Responsibility

Signitic can only be held liable for damage caused by processing for which (i) it did not comply with the obligations provided for by the GDPR, which are specifically incumbent on Subcontractors or for which (ii) it acted outside of or contrary to the Customer's lawful instructions. In such cases, it is specified that the provisions referred to in the Agreement relating to the liability of Signitic apply.

‍

9. Audit

On its website, Signitic provides the main measures it takes to demonstrate compliance with its obligations. The Customer may request any reasonable additional information by contacting the services of Signitic. The Customer may carry out or have carried out by a mandated third party, not a competitor of the Group of which Signitic is a member, and bound by an obligation of confidentiality, any verification (audit), including in particular the implementation of pentest, reasonably useful to ascertain effective compliance with this DPA. In this context, Signitic and the Customer will meet beforehand to agree together on the operational and security conditions for a technical inspection on site or remotely. The Customer alone will bear all the costs associated with the audits/inspections. In any event, the audit conditions should not affect the data security of other Signitic customers and should not cause disturbances to the normal functioning of Signitic's activities.

‍

10. Rights of the Persons concerned

Right to information. It is the Customer's responsibility to inform the Persons concerned by the Processing operations under the conditions provided for by the RGPD and in particular in its articles 13 and 14.

Exercise of rights. It is the Customer's responsibility to respond to requests to exercise the rights of the Persons concerned (right of access, rectification, deletion and opposition, limitation of processing, data portability, not to be the subject of an automated individual decision, etc.).

As far as possible, taking into account the nature of the Processing and the information at its disposal, Signitic undertakes to assist the Customer, and at the Customer's request, in fulfilling its obligation to respond to requests to exercise the rights of Persons Concerned by the Processing, insofar as the Customer does not have the information or tools available via the Services. The Customer remains solely responsible for the response provided and for its resulting actions, to and with respect to the Persons concerned.

In the event of requests to exercise rights or complaints by Data Subjects sent directly to Signitic, the latter undertakes, as soon as possible, to send them to the Customer.

11. Personal Data Breach

If Signitic is aware of a Personal Data Breach, it shall notify the Customer by email as soon as possible. The notification made to the Customer contains at least:

• the nature of the Personal Data Breach, including, where possible, the categories and approximate number of Persons affected by the breach and the categories and approximate number of Personal Data records concerned;
• the name and contact details of the Data Protection Officer or other contact point from which additional information can be obtained;
• the likely consequences of the Personal Data Breach;
• the measures taken or that can be implemented in response to the situation.

12. Subsequent subcontracting

Signitic may use other subcontractors to carry out specific Processing activities (“Subsequent Processors” - Appendix 1), which the Customer accepts. Customer accepts and approves that Signitic uses each Subcontractor on this list or other documents as such.

Signitic has entered into a contract with each of its Subcontractors containing substantially the same obligations as those to which it is subject in accordance with the DPA. If the Subcontractor does not meet its data protection obligations, Signitic remains fully liable to the Customer.

Signitic may be required to make any changes concerning the addition or replacement of other Subcontractors. In this case, Signitic shall notify the Customer by email at least 30 calendar days before the actual change, specifying the name, address and role of the new Subsequent Subcontractor (s). The Customer may oppose this change, by terminating the Service (s) concerned, no later than 30 days after the date of sending the notification informing the Customer of the upcoming change. In the event of termination for this reason and within this period, the Customer will receive a refund of the fees paid in advance but not used for the remaining period of the Service (s) concerned following the effective date of the cancellation, the latter occurring upon receipt of the notification by Signitic. Before proceeding with such termination, the Customer may file any objections with Signitic. The Parties will discuss reasonably possible alternatives to rule out the Subcontractor (s) concerned by the objections. In any case, these negotiations do not extend the termination period granted to the Customer. Signitic also has no obligation towards the Customer to renounce the planned change of Subcontractor (s). If the Customer does not cancel within the expected period, the Customer is deemed to have agreed to the addition or replacement of Subcontractor (s) Subcontractor (s).

Any objection/notification of termination provided for in this article must be sent to the following address: rgpd@signitic.com.

‍

13. Data transfers

The Customer is informed and accepts that, as part of the execution of the Services, Signitic may transfer Personal Data to companies in its Group. These transfers are strictly necessary to provide the Services and are limited to internal administration purposes.

If, pursuant to the Contract, Personal Data is transferred outside the European Union to a country that is not the subject of an adequacy decision, an agreement in accordance with the Standard Contractual Clauses or, at the option of Signitic, any other appropriate guarantee mechanism provided for by the GDPR is then implemented.

14. Contact Information - Notification

For any questions concerning his Personal Data, the Customer may contact at his choice:

- Customer service, or

- the legal department by email: rgpd@signitic.com, or

- the DPO, by post: SIGNITIC, Data Protection Officer, Data Protection Officer, Parc d'Activites des Quatre Vents, 3 Avenue Antoine Pinay, 59510 HEM or by email: dpo@signitic.com.

If the Customer wishes to receive any notification concerning the execution of this DPA to a specific email address, he may send his request to the email address: rgpd@signitic.com. Otherwise, any communication in connection with this DPA will be sent to the Customer's main contact email address known to Signitic as part of the Services.