Data Processing Agreement (DPA)

V 1.0 published 26 September 2019‍

ViaSay
RCS Paris n° 984 651 117
152 Boulevard Pereire- 75017 Paris (France)

This document is an Appendix to the Terms and Conditions of Services between the Client and ViaSay (hereinafter referred to as the “Processor”). Each party is herein referred to as a “Party” and jointly the “Parties”.

For purposes of this agreement, the words and expressions used with initials in capital letters have the meanings given to them in the Terms and Conditions of Services.

1. Purpose

The purpose of this document is to define the conditions in which the Processor undertakes to carry out, on the Client’s behalf, the personal data processing operations defined below.

For the purposes herein, the words “personal data”, “data protection officer”, “process/processing”, “data controller”, “recipient”, “processor” and “transfer” have the same meanings as those given in the Regulation (EU) 2016/679 of 27 April, 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.

As part of their contractual relations, the parties shall undertake to comply with the applicable regulations on personal data processing and, in particular, the French law of 6th January, 1978, on Information Technology, Data Files and Civil Liberties (hereinafter the “French Data Protection Act”) and the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April, 2016 (hereinafter the "GDPR").‍

2. Acceptance of this Data Processing Agreement

The acceptance of the Sales Order Form entails full and complete acceptance of this Data Processing Agreement.

This acceptance can only be full and complete. Any qualified acceptance is considered as null and void.‍

3. Data processing

The processor is authorized to process, on behalf of the controller, the necessary personal data for providing the Services set forth in the Agreement.

The nature of operations carried out on the personal data is the collection, the processing and the hosting of the Users’ personal data within the provision of Services.

The purpose of the processing is the provision of Services.

The personal data processed are the identification data of the Users and information included in the conversations between the Users and the Chatbot.

Within the provision of Services, the Processor may process 3 (three) kinds of data :

• Structured data, namely data which are detected in the conversations with the Users and stored by the Processor in a database, some of which may include personal data;
• Unstructured data, namely the content of conversations with the Users. These data may be linked with structured data and may be made anonymous;
• Anonymized data, namely all unstructured data which are made anonymous by the Processor for purposes of erasing all personal data (emails, telephone numbers or payment information) detected in the unstructured data. Anonymized data are property of the Processor, who only use them for purposes of research and development.

The categories of data subjects are the Users, namely the Client’s clients.‍

4. Term

This data processing agreement takes effect as of the date of entry into force of the Agreement and shall remain in force for the term of provision of the Services provided under the Agreement.‍

5. Processor’s obligations

The Processor shall undertake to:‍

5.1   process the personal data solely for the purpose subject to the sub-contracting;‍

5.2   process the data in accordance with the documented instructions from the Client appended hereto. Where the Processor considers that an instruction infringes the GDPR or of any other legal provision of the Union or of Member States bearing on data protection, it shall immediately inform the Client thereof. Moreover, where the Processor is obliged to transfer personal data to a third country or an international organization, under Union law or Member State law to which the Processor is subject, the Processor shall inform the Client of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest;‍

5.3   guarantee the confidentiality of personal data processed hereunder;‍

5.4   ensure that the persons authorised to process the personal data hereunder:

• have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality,
• receive the appropriate personal data protection training;
  

5.5   take into consideration, in terms of its tools, products, applications or services, the principles of data protection by design and by default.

5.6   Subcontracting‍

5.6.1   The Client declares being informed and accept that the Processor has engaged the following sub-processors listed in Appendix 3 in the context of the Services.

5.6.2   The Processor may engage another processor (hereinafter "the sub-processor") to conduct specific processing activities. In this case, the Processor shall inform the Client, in writing beforehand, of any intended changes concerning the addition or replacement of other processors. This information must clearly indicate which processing activities are being subcontracted out, the name and contact details of the sub-processor and the dates of the subcontract. The Client has a minimum timeframe of 2 (two) weeks from the date on which it receives said information to object thereto. Such sub-contracting is only possible where the controller has not objected thereto within the agreed timeframe.

5.6.3   The sub-processor is obliged to comply with the obligations hereunder on behalf of and on instructions from the Client. It is the Processor's responsibility to ensure that the sub-processor provides the same sufficient guarantees to implement appropriate technical and organizational measures in such a manner that processing meets the requirements of the GDPR. Where the sub-processor fails to fulfil its data protection obligations, the Processor remains fully liable with regard to the Client for the subprocessor's performance of its obligations.

5.7   Data subjects’ right to information‍

5.7.1   It is the Client’s responsibility to inform the data subjects concerned by the processing operations at the time data are being collected.

5.8   Exercise of data subjects’ rights‍

5.8.1   The Processor shall assist the Client, insofar as this is possible, for the fulfilment of its obligation to respond to requests for exercising the data subject's rights: right of access, to rectification, erasure and to object, right to restriction of processing, right to data portability, right not to be subject to an automated individual decision (including profiling).

5.8.2   Where the data subjects submit requests to the processor to exercise their rights, the Processor must forward these requests as soon as they are received by email to the email address that shall be communicated by the Client for that purpose.

5.9   Notification of personal data breach‍

5.9.1   The Processor shall notify the Client of any personal data breach not later than 48 (forty-eight) hours after having become aware of it and via email at the email address that shall be communicated by the Client for that purpose.

5.9.2   Said notification shall be sent along with any necessary documentation to enable the Client, where necessary, to notify this breach to the competent supervisory authority.

5.10   Assistance lent by the Processor to the Client regarding compliance with its obligations‍

5.10.1   The Processor assists the Client in carrying out data protection impact assessments.

5.10.2   The Processor assists the Client with regard to prior consultation of the supervisory authority.

5.11   Security measures‍

5.11.1   The Processor undertakes to take the appropriate technical and organizational measures to ensure the security, the confidentiality and the integrity of personal data.

5.11.2   To this end, the Processor undertakes to carry out the security measures indicated in Appendix 1.

5.12   Fate of the data‍

5.12.1   Within 14 (forteen) days following the termination of the Services provided in the Agreement, the Processor undertakes, at the Client’s choosing, to:

• destroy all personal data or
• return all personal data to the Client

5.12.2   Together with said return, all existing copies in the Processor's information systems must be destroyed. Once destroyed, the Processor must demonstrate, in writing, that this destruction has taken place.

5.12.3   Notwithstanding the above, anonymized data shall be kept and used by the Processor, for an unlimited period, for purposes of improving its language comprehension technology, necessary for the provision of the Services.

5.13   Data Protection Officer (DPO)

5.13.1   The Processor communicates to the Client the name and contact details of its data protection officer, if it has designated one in accordance with Article 37 of the GDPR.

5.14   Record of categories of processing activities

5.14.1   The Processor states that it maintains a written record of all categories of processing activities carried out on behalf of the controller, containing:

• the name and contact details of the controller on behalf of which the Processor is acting, any other processors and, where applicable, the data protection officer;
• the categories of processing carried out on behalf of the Client;
• where applicable, transfers of personal data to a third country or an international organization, including the identification of that third country or international organization and, in the case of transfers referred to in the second subparagraph of Article 49(1) of the GDPR, the documentation of suitable safeguards;
• where possible, a general description of the technical and organizational security measures.

5.15   Documentation

5.15.1   The processor provides the Client with the necessary documentation for demonstrating compliance with all of its obligations and for allowing the Client or any other auditor it has authorized to conduct audits, including inspections, and for contributing to such audits.

5.15.2   During such audits, the Client or the auditor it has entrusted for this purpose shall not be authorized to access to the Processor’s trade secrets, its strategic information or any information that the Provider has undertaken to keep confidential. The Processor shall have the right to oppose all inspections and/or checks from the Client or its auditor that may enable them to access to such information, without the Client being able to make any claim in this regard. In any event, the Client shall ensure that the auditor and, more generally, its personnel proceeding to said audits are submitted to appropriate confidentiality obligations.

6. Obligations of the Client

6.1   The Client must fulfill its obligations in compliance with the GDPR, including with regard to the obligation to inform the data subjects of the processing operations at the time of personal data collection, the maintenance of a record of processing activities carried out and more generally, the compliance with the principles of the GDPR.‍

6.2   Besides, the Client undertakes to:

1. provide the Processor with the data mentioned in Article 2 above;
2. document, in writing, any instruction bearing on the processing of data by the Processor;
3. ensure, before and throughout the processing, compliance with the obligations set out in the GDPR on the Processor's part;
4. supervise the processing, including by conducting audits and inspections with the Processor.
   

Schedule 1: Security Measures

1.   Access control to systems (virtual):

1. Processor will establish and maintain safeguards against accidental or unauthorized access to, destruction of, loss of, or alteration of Personal Data on its systems which are used to process Personal Data;
2. access will be granted to personnel through documented access request procedures. The employees’ managers or other responsible individuals must authorize or validate access before it is given;
3. access controls are enabled at the operating system, database, or application level;
4. administrative access will be restricted to prevent changes to systems or applications; and
5. users will be assigned a single account and prohibited from sharing accounts.

2.   Access control to devices and laptops:

Processor will implement and maintain security measures with respect mobile devices and laptops that are used to process Personal Data.

3.   Access control to Personal Data:

1. access will be granted only after processing an approved “access control form”, i.e. LAN Logon ID, application access ID, or other similar identification;
2. unique User IDs and passwords will be issued to the users; and
3. users, once authenticated, will be authorized for access levels based on their job functions.

4.   Transmission and disclosure control:

1. Processor will implement and maintain measures to prevent that Personal Data can be read, copied, modified or removed without authorization during electronic transmission or transport, and to enable to check and establish to which bodies the transfer of Personal Data by means of data transmission facilities is envisaged; and
2. Processor will maintain technology and processes designed to minimize access for illegitimate processing, including technology for the encryption of Personal Data.

5.   Input control:

Processor will maintain system and database logs for access to all Personal Data under its control;

all Processor systems must be configured to provide event logging to identify a system compromise, unauthorized access, or any other security violation. Logs must be protected from unauthorized access or modification; and

Processor will maintain input controls on its systems.

6.   Job control:

1. Processor will implement procedures to ensure the reliability of its employees and any other person acting under its supervision that may come into contact with, or otherwise have access to and process, those Personal Data, such as requiring a certificate of good conduct or any similar type of certificate prior to commencement of employment;   
2. Processor will implement procedures to ensure that its personnel is aware of its responsibilities under the Data Processing Agreement. Processor will instruct and train any persons it authorizes to have access to Personal Data on the applicable Data Protection Legislation as well as on all relevant security standards and will commit them in written form to comply with the data secrecy, the applicable Data Protection Legislation and other relevant security standards;
3. Processor will promptly act to revoke access to Personal Data due to termination, a change in job function, or in observance of user inactivity or extended absence; and
4. Processor will have in place a data protection policy and a document retention policy, with which its personnel must comply. 

7.   Incident management:

1. Processor will implement and maintain an incident management procedure that allows Processor to inform the Client within the required time frame of any security breach;
2. may a security breach (potentially) affect Personal Data, Processor must notify the Client in accordance with article 4 of the Data Processing Agreement; and
3. the incident management procedure includes periodic evaluation of recurring issues that might indicate a security breach.

8.   Availability control:

Processor will protect Personal Data against accidental destruction or loss by ensuring:

1. workstations will be protected by any mean necessary decided as part of Processor’s Security Measures; and
2. upon detection of a virus or malware, Processor will take immediate steps to stop the spread and damage of the virus or malware and to eradicate the virus or malware.

9.   Control of instructions:

Processor will implement and maintain procedures to ensure that Personal Data are processed only in accordance with Client's instructions. 

10.   Separation control:

Processor will implement and maintain procedures to ensure that Personal Data collected for different purposes will be processed separately.

11.   Regular testing of security measures:

Processor will frequently test, assess and evaluate the effectiveness of its technical and organisational security measures.

12.   Security Policy

ViaSay's Security Policy can be accessible on request by the Client at any time.

Schedule 2: Approved Subcontractors 

Please refer to approved subcontractors as mentioned in the Sales Order Form.‍