Data Processing Agreement


Last Updated: August 22, 2025

This Data Processing Agreement (“Agreement”) forms part of the Contract for Services under OpenCVE’s Terms and Conditions (the “Principal Agreement”) between Amber Security SAS, provider of the OpenCVE service, headquartered in Euratechnologies, 165 avenue de Bretagne, 59000 Lille, France (referred to as the “Processor”) and the company using OpenCVE’s services (referred to as the “Company”).

This Agreement governs the specific requirements of Data Protection Laws to the extent that the Company’s use of OpenCVE Services implies the processing of Personal Data subject to Data Protection Laws.

This Agreement is complementary to our Privacy Policy, which serves as the primary reference for our data protection practices and measures.

The term of this Agreement shall follow the term of the Principal Agreement. Terms not defined herein shall have the meaning as set forth in the Principal Agreement.

For any questions or to request a signed copy of this Agreement, please contact us at support@opencve.io.

1 Definitions and Interpretation

1.1. Unless otherwise defined herein, capitalized terms and expressions used in this Agreement shall have the following meaning:

1.1.1 “Agreement” means this Data Processing Agreement and all Schedules;

1.1.2 “Company Personal Data” means any Personal Data Processed by a Contracted Processor on behalf of Company pursuant to or in connection with the Principal Agreement;

1.1.3 “Contracted Processor” means a Subprocessor;

1.1.4 “Data Protection Laws” means EU Data Protection Laws and, to the extent applicable, the data protection or privacy laws of any other country;

1.1.5 “EEA” means the European Economic Area;

1.1.6 “EU Data Protection Laws” means EU Directive 95/46/EC, as transposed into domestic legislation of each Member State and as amended, replaced or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR;

1.1.7 “GDPR” means EU General Data Protection Regulation 2016/679;

1.1.8 “Data Transfer” means:

1.1.8.1 a transfer of Company Personal Data from the Company to a Contracted Processor; or

1.1.8.2 an onward transfer of Company Personal Data from a Contracted Processor to a Subcontracted Processor, or between two establishments of a Contracted Processor,

in each case, where such transfer would be prohibited by Data Protection Laws (or by the terms of data transfer agreements put in place to address the data transfer restrictions of Data Protection Laws);

1.1.9 “Services” means the OpenCVE services the Company provides.

1.1.10 “Subprocessor” means any person appointed by or on behalf of Processor to process Personal Data on behalf of the Company in connection with the Agreement.

1.2 The terms “Commission”, “Controller”, “Data Subject”, “Member State”, “Personal Data”, “Personal Data Breach”, “Processing” and “Supervisory Authority” shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly.

2 Processing of Company Personal Data

2.1 Processor shall:

2.1.1 comply with all applicable Data Protection Laws in the Processing of Company Personal Data; and

2.1.2 not Process Company Personal Data other than on the relevant Company’s documented instructions.

2.2 The Company instructs Processor to process Company Personal Data.

3 Processor Personnel

Processor shall take reasonable steps to ensure the reliability of any employee, agent or contractor of any Contracted Processor who may have access to the Company Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know / access the relevant Company Personal Data, as strictly necessary for the purposes of the Principal Agreement, and to comply with Applicable Laws in the context of that individual's duties to the Contracted Processor, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.

4 Security

4.1 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Processor shall in relation to the Company Personal Data implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR.

4.2 In assessing the appropriate level of security, Processor shall take account in particular of the risks that are presented by Processing, in particular from Personal Data Breaches.

5 Subprocessing

5.1 Subject to this Agreement, the Company grants general authorization to the Processor to engage Subprocessors and disclose or transfer Company Personal Data to them. The Company acknowledges and approves the list of Subprocessors outlined in the Processor’s Privacy Policy, understanding that this list may be updated by the Processor regularly, in which case the Company shall be informed by the Processor according to the Privacy Policy notification process. Furthermore, the Company authorizes the Processor to disclose and transfer Personal Data to any company within its corporate group.

5.2 Processor ensures that Subprocessors are subject to an agreement with Processor no less restrictive and protective than the present Agreement with respect to the protection of Company Personal Data to the extent applicable to the nature of the services provided by the Subprocessor.

6 Data Subject Rights

6.1 Taking into account the nature of the Processing, Processor shall assist the Company, by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Company's obligation to respond to requests for exercising the data subject's rights under the GDPR.

6.2 Processor shall promptly notify the Company if it receives a request from a data subject under any Data Protection Law in respect of Company Personal Data.

7 Personal Data Breach

7.1 Processor shall notify Company without undue delay upon Processor becoming aware of a Personal Data Breach affecting Company Personal Data, providing Company with sufficient information to allow the Company to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Data Protection Laws.

7.2 Such notification shall include, at a minimum:

7.2.1 a description of the nature of the Personal Data Breach, including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of Personal Data records concerned;

7.2.2 the name and contact details of the data protection officer or other contact point where more information can be obtained;

7.2.3 a description of the measures taken or proposed to be taken by the Processor to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.

7.3 Processor shall not inform data subjects of a Personal Data Breach without the prior written consent of the Company, unless required to do so by applicable law.

8 Data Protection Impact Assessment

8.1 Taking into account the nature of the Processing, the Processor shall assist the Company in ensuring compliance with its obligations under Articles 35 and 36 of the GDPR by providing the Company with the necessary information.

8.2 Processor shall provide the Company with all information reasonably necessary to demonstrate compliance with this Agreement, including written descriptions of security measures, internal policies, and other relevant documentation.

8.3 Any audit requested by the Company shall be subject to (i) at least 60 days’ prior written notice, (ii) mutual agreement on scope, timing, and auditor credentials, (iii) execution of a confidentiality agreement, and (iv) the condition that such audit does not interfere with the Processor’s normal business operations or compromise the security or confidentiality of other customers.

Audits shall take place no more than once per year and the costs of any such audit shall be borne entirely by the Company.

9 Return or Deletion of Company Personal Data

9.1 Upon termination of the Agreement or Services, Processor shall, at the choice of the Controller, delete or return all personal data. Existing copies will be deleted unless retention is required by applicable law.

9.2 Unless otherwise instructed by the Controller, the deletion will be executed within 30 days following the termination.

10 Governing Law and Jurisdiction

10.1 This Agreement shall be governed by and construed in accordance with the laws of France.

10.2 Any disputes arising out of or in connection with this Agreement shall be subject to the exclusive jurisdiction of the competent courts of Lille, France.