V 1.0 published 26 September 2019
RCS Paris n° 822 349 288
5 rue des Italiens - 75009 Paris (France)
This document is an Appendix to the Terms and Conditions of Services between the Client and Mindsay (hereinafter referred to as the “Processor”). Each party is herein referred to as a “Party” and jointly the “Parties”.
For purposes of this agreement, the words and expressions used with initials in capital letters have the meanings given to them in the Terms and Conditions of Services.
The purpose of this document is to define the conditions in which the Processor undertakes to carry out, on the Client’s behalf, the personal data processing operations defined below.
For the purposes herein, the words “personal data”, “data protection officer”, “process/processing”, “data controller”, “recipient”, “processor” and “transfer” have the same meanings as those given in the Regulation (EU) 2016/679 of 27 April, 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
As part of their contractual relations, the parties shall undertake to comply with the applicable regulations on personal data processing and, in particular, the French law of 6th January, 1978, on Information Technology, Data Files and Civil Liberties (hereinafter the “French Data Protection Act”) and the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April, 2016 (hereinafter the "GDPR").
The acceptance of the Sales Order Form entails full and complete acceptance of this Data Processing Agreement.
This acceptance can only be full and complete. Any qualified acceptance is considered as null and void.
The processor is authorized to process, on behalf of the controller, the necessary personal data for providing the Services set forth in the Agreement.
The nature of operations carried out on the personal data is the collection, the processing and the hosting of the Users’ personal data within the provision of Services.
The purpose of the processing is the provision of Services.
The personal data processed are the identification data of the Users and information included in the conversations between the Users and the Chatbot.
Within the provision of Services, the Processor may process 3 (three) kinds of data:
The categories of data subjects are the Users, namely the Client’s clients.
This data processing agreement takes effect as of the date of entry into force of the Agreement and shall remain in force for the term of provision of the Services provided under the Agreement.
The Processor shall undertake to:
5.1 process the personal data solely for the purpose subject to the sub-contracting;
5.2 process the data in accordance with the documented instructions from the Client appended hereto. Where the Processor considers that an instruction infringes the GDPR or of any other legal provision of the Union or of Member States bearing on data protection, it shall immediately inform the Client thereof. Moreover, where the Processor is obliged to transfer personal data to a third country or an international organization, under Union law or Member State law to which the Processor is subject, the Processor shall inform the Client of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest;
5.3 guarantee the confidentiality of personal data processed hereunder;
5.4 ensure that the persons authorised to process the personal data hereunder:
5.5 take into consideration, in terms of its tools, products, applications or services, the principles of data protection by design and by default.
5.6.1 The Client declares that it has been informed of, and accepts, the Processor's engagement of the sub-processors listed in Appendix 3 in the context of the Services.
5.6.2 The Processor may engage another processor (hereinafter "the sub-processor") to conduct specific processing activities. In this case, the Processor shall inform the Client, in writing beforehand, of any intended changes concerning the addition or replacement of other processors. This information must clearly indicate which processing activities are being subcontracted out, the name and contact details of the sub-processor and the dates of the subcontract. The Client has a minimum timeframe of 2 (two) weeks from the date on which it receives said information to object thereto. Such sub-contracting is only possible where the controller has not objected thereto within the agreed timeframe.
5.6.3 The sub-processor is obliged to comply with the obligations hereunder on behalf of and on instructions from the Client. It is the Processor's responsibility to ensure that the sub-processor provides the same sufficient guarantees to implement appropriate technical and organizational measures in such a manner that processing meets the requirements of the GDPR. Where the sub-processor fails to fulfil its data protection obligations, the Processor remains fully liable with regard to the Client for the subprocessor's performance of its obligations.
5.7 Data subjects’ right to information
5.7.1 It is the Client’s responsibility to inform the data subjects concerned by the processing operations at the time data are being collected.
5.8 Exercise of data subjects’ rights
5.8.1 The Processor shall assist the Client, insofar as this is possible, for the fulfilment of its obligation to respond to requests for exercising the data subject's rights: right of access, to rectification, erasure and to object, right to restriction of processing, right to data portability, right not to be subject to an automated individual decision (including profiling).
5.8.2 Where the data subjects submit requests to the processor to exercise their rights, the Processor must forward these requests as soon as they are received by email to the email address that shall be communicated by the Client for that purpose.
5.9 Notification of personal data breach
5.9.1 The Processor shall notify the Client of any personal data breach not later than 48 (forty-eight) hours after having become aware of it and via email at the email address that shall be communicated by the Client for that purpose.
5.9.2 Said notification shall be sent along with any necessary documentation to enable the Client, where necessary, to notify this breach to the competent supervisory authority.
5.10 Assistance lent by the Processor to the Client regarding compliance with its obligations
5.10.1 The Processor assists the Client in carrying out data protection impact assessments.
5.10.2 The Processor assists the Client with regard to prior consultation of the supervisory authority.
5.11 Security measures
5.11.1 The Processor undertakes to take the appropriate technical and organizational measures to ensure the security, the confidentiality and the integrity of personal data.
5.11.2 To this end, the Processor undertakes to carry out the security measures indicated in Appendix 1.
5.12 Fate of the data
5.12.1 Within 14 (fourteen) days following the termination of the Services provided in the Agreement, the Processor undertakes, at the Client’s choosing, to:
5.12.2 Together with said return, all existing copies in the Processor's information systems must be destroyed. Once destroyed, the Processor must demonstrate, in writing, that this destruction has taken place.
5.12.3 Notwithstanding the above, anonymized data shall be kept and used by the Processor, for an unlimited period, for purposes of improving its language comprehension technology, necessary for the provision of the Services.
5.13 Data Protection Officer (DPO)
5.13.1 The Processor communicates to the Client the name and contact details of its data protection officer, if it has designated one in accordance with Article 37 of the GDPR.
5.14 Record of categories of processing activities
5.14.1 The Processor states that it maintains a written record of all categories of processing activities carried out on behalf of the controller, containing:
5.15.1 The Processor provides the Client with the necessary documentation for demonstrating compliance with all of its obligations and for allowing the Client or any other auditor it has authorized to conduct audits, including inspections, and for contributing to such audits.
5.15.2 During such audits, the Client or the auditor it has entrusted for this purpose shall not be authorized to access the Processor’s trade secrets, its strategic information or any information that the Provider has undertaken to keep confidential. The Processor shall have the right to oppose all inspections and/or checks from the Client or its auditor that may enable them to access such information, without the Client being able to make any claim in this regard. In any event, the Client shall ensure that the auditor and, more generally, its personnel carrying out said audits are subject to appropriate confidentiality obligations.
6.1 The Client must fulfill its obligations in compliance with the GDPR, including with regard to the obligation to inform the data subjects of the processing operations at the time of personal data collection, the maintenance of a record of processing activities carried out and more generally, the compliance with the principles of the GDPR.
6.2 Besides, the Client undertakes to:
1. Access control to systems (virtual):
2. Access control to devices and laptops:
Processor will implement and maintain security measures with respect to mobile devices and laptops that are used to process Personal Data.
3. Access control to Personal Data:
4. Transmission and disclosure control:
5. Input control:
Processor will maintain system and database logs for access to all Personal Data under its control;
all Processor systems must be configured to provide event logging to identify a system compromise, unauthorized access, or any other security violation. Logs must be protected from unauthorized access or modification; and
Processor will maintain input controls on its systems.
6. Job control:
7. Incident management:
8. Availability control:
Processor will protect Personal Data against accidental destruction or loss by ensuring:
9. Control of instructions:
Processor will implement and maintain procedures to ensure that Personal Data are processed only in accordance with Client's instructions.
10. Separation control:
Processor will implement and maintain procedures to ensure that Personal Data collected for different purposes will be processed separately.
11. Regular testing of security measures:
Processor will frequently test, assess and evaluate the effectiveness of its technical and organisational security measures.
12. Security Policy
Mindsay’s Security Policy is accessible on request by the Client at any time.
Please refer to approved subcontractors as mentioned in the Sales Order Form.