PRIVACY AND SECURITY POLICY
1. DATA PROTECTION
1.1. General statements
Each Party warrants to the other Party that it shall comply with the Applicable Data
Each Party shall provide to the other Party, on a need to know basis and in a language
understandable to the other Party (either French or English), with complete and updated
documentation and information on the applicable Data Protection Laws.
Licensee acknowledge and agree that all Personal Data processed by the Service
Software, will be treated following dedicated procedures:
– Personal Data processed by the Service Software must be identified during their
importation by the Authorized User;
– Personal Data processed won’t be added to Aggregated Semantic Data.
1.3. Obligations of the Licensee, as a Data Controller
All Personal Data transferred by the Licensee to the Licensor are and shall remain the
property of the Licensee.
The Licensee, as a Data Controller, notably warrants that:
– Prior to any transfer of Personal Data, it has informed the Data Subject(s) and has
complied with any notification and/or registration obligations set forth by the Applicable
Data Protection Laws;
– The intended purposes of the transfer and processing have been communicated to
the Data Subject(s) upon the collection of the Personal Data;
– The transfer to, and processing by, the Licensor, as a Data Processor, pursuant to
this Agreement is not prohibited by applicable Data Protection Laws or by a statutory or
contractual duty of confidentiality.
The Data Controller shall verify that the technical and organizational measures
undertaken by the Data Processor as set forth in this Schedule are sufficient to protect
the transferred Personal Data from any unauthorized processing.
The Data Controller is responsible for the accuracy and completeness of Personal Data.
Data Controller acknowledges that it is aware that the Data Processor shall rely on
Personal Data for the purpose of the performance of the Project and it irrevocably and
unconditionally agrees that the Data Processor shall not have any liability whatsoever to
the Data Controller resulting from inaccurate, incomplete or any other inconsistency in
the Data Controller Data used in the performance of the Project. Nevertheless, if during
the Term, the Data Processor becomes aware of any inconsistency or inaccuracy of the
Personal Data, the Data Processor shall inform the Data Controller as soon as possible. At
Data Controller’s written request, the Data Processor shall immediately cease use of such
data forming the basis of a claim.
The Data Controller is responsible that the Data Subject(s) are provided with their rights
laid down in Chapter III of the EU Regulation 2016/679 on the protection of natural
persons with regard to the processing of personal data and on the free movement of such
data. The Data Processor (and any Subprocessor(s)) will cooperate with the Data
Controller and provide the Data Controller with the necessary services to fulfil such
requests or inquiries of Data Subjects.
1.4. Obligations of the Licensor, as a Data Processor
The Data Processor shall process Personal Data in accordance with this Agreement and
the Applicable Data Protection Laws. The Data Processor undertakes in particular to
comply with the conditions and/or the purpose of the processing concerning the Personal
Data which was communicated by the Data Controller or to which access will be given
under this Agreement.
The Data Processor undertakes:
– To process Personal Data on behalf of the Data Controller and only on its
documented instructions as set forth in this Schedule of this Agreement and as specified
in any other written document issued by the Data Controller and in connection with the
subject matter of the present Agreement. The Data Processor shall not use or process
Personal Data in a way which is not compliant to the instructions of the Data Controller
or the purposes of this Agreement,
– If the Data Processor is required to process Personal Data under legal
obligation(s) defined under applicable Data Protection Laws, the Data Processor shall
inform the Data Controller of that legal obligation(s) before processing the data, unless
that law prohibits such information based on important grounds of public interest;
– Not to proceed to any processing, transfer, storage of the Personal Data outside
the European Economic Area, unless with the prior express consent of the Data
Controller or if required to do so by French Law to which the processor is subject. If the
Data Controller’s consent is obtained, the Data Processor shall give all necessary
information requested by the Data Controller and all warranties regarding the transfer and
the processing and storage of Personal Data.
If the transfer is required by French Law, the Data Possessor shall inform the Data
controller of that legal requirement before processing, unless that law prohibits such
information on important grounds of public interest.
– To comply with the security measures described in this Schedule. The Data
Processor undertakes to implement appropriate security measures in order to preserve the
confidentiality and the integrity of the Personal Data. In this regard, the Data Processor
shall take all measures required pursuant to article 32 of the Regulation (EU) 2016/679
on the protection of natural persons with regard to the processing of personal data and on
the free movement of such data.
– To give access to the Personal Data only to its employees and the Subprocessors
duly authorized to this effect and to limit such access to what is necessary for the purpose
of the Project. The Data Processor ensures that persons authorized to process the Personal
Data have committed themselves to confidentiality or are under an appropriate statutory
obligation of confidentiality.
– Take into account the nature of the processing, assist the Data Controller by
appropriate technical and organizational measures, insofar as this is possible, for the
fulfilment of the Data Controller’s obligation to respond to request for the exercising of
the data subject’s rights laid down in Chapter III of the Regulation (EU) 2016/679 on the
protection of natural persons with regard to the processing of personal data and on the
free movement of such data. Moreover, the Processor shall inform the Data Controller of
all requests addressed directly by a Data Subject with regard to its right and shall not
answer to such request (in a positive or negative sense, totally or partially) unless
explicitly required by the Data Controller.
– Allow for and contribute to audits, including inspections, conducted by the Data
Controller or another auditor mandated by the Data Controller under the provision of this
– To inform and cooperate with the Data Controller if it believes that it may no
longer be able, or no longer is able, to comply with this Agreement, particularly in case it
receives or must reasonably expect to receive a request or order of a competent authority
requiring it to disclose, or refrain from further processing, some or all Personal Data to
which this Agreement applies;
– Assist the Data Controller in ensuring compliance with its security obligations,
notification of a personal data breach to the supervisory authority, communication of a
personal data breach to the Data Subject and data protection impact assessment and prior
consultation of the supervisory authority (pursuant to art 32 to 36 of Regulation (EU)
2016/679) taking into account the nature of processing and the information available to
– Notify the Data Controller without undue delay after becoming aware of a
personal data breach.
– Make available to the Data Controller all information necessary to demonstrate
compliance with the obligations laid down in this Schedule. The Data Processor shall
immediately inform the Data Controller if, in its opinion, an instruction infringes the EU
Once the service provided, the Data Processor shall:
– Return to the Data Controller in the format and via the media used at the date of
such demand, all or part of the Personal Data; and
– Delete all or part of the Personal Data in the possession of the Data Processor and
all copies and shall certify it to the Data Controller.
1.5. Use of subprocessors
Under this Agreement, the Data Controller gives a general authorization to the Data
Processor to engage sub processors.
The Data Processor shall notify by email the Data Controller’s Head of Compliance of
any intended changes concerning the addition or replacement of other processors. The
Head of compliance shall have two weeks to object to such changes. If the Data
Controller doesn’t object to those changes or remain silence within this time limit, the
Data Processor shall consider that the Data Controller has not objected to the changes of
The Data Processor undertakes that:
– The subcontracting of the processing of Personal Data may only consist of the
processing operations agreed in this Agreement;
– Data Processor and Subprocessor shall sign an agreement which will impose
similar obligations on the Subprocessor as those imposed on the Data Processor under
Where the Subprocessor fails to fulfil its data protection obligations under such written
agreement, the Data Processor shall remain fully liable to the Data Controller for the
performance of the Subprocessors’ obligations under such agreement.
During the course of the Agreement, and subject to the terms and conditions described in
this Article, the Data Controller has the right to carry out an audit of the Data Processor
for the purpose of verifying Data Processor’s compliance with its obligations under this
Data Controller shall send to Data Processor, in compliance with the terms of the
following provisions, an Audit Letter which shall cover/provide:
– The scope of the audit including, but not limited to, and to the extent possible, the
detailed list of documentation and/or technical components concerned, in the limit of
what is used in/related to the Services,
– If applicable, the request for onsite audit with details as to the facilities to be
– The timeframe of the audit,
– The selected auditors (subject to the terms of this section),
– The audit methodology (as defined in the following provisions),
– All other requested documentation, insofar as is reasonable.
The audit can be conducted by Data Controller’s internal auditors or by an external party.
In case the audit is to be performed by external auditors, Data Processor reserves the right
to object on reasonable grounds to the selected external auditors. In all cases, such
external auditors must be subject to confidentiality obligations and applicable policies of
Audits shall occur no more than once a year and upon a notification of sixty (60) days to
Data Processor, unless the audit request stems from an incident resulting in the
unauthorized or unlawful processing, loss of, damage to or destruction of Data
Controller’s Personal Data, in which case the notification period is shortened to ten (10)
business days or such shorter period as is reasonably required by Data Controller in the
light of its regulatory obligations. Data Controller acknowledges that onsite audit on less
than ten (10) business days’ notice shall not interfere with the Data Processor’s own
independent investigations of the incident.
In addition, should Data Controller request to access Data Processor’s premises in the
Audit Letter, Data Processor reserves the right to decline such request if such access is
not in fact possible at the relevant time. In such event, Data Processor shall do so within
ten (10) days upon receiving the Audit Letter. For the avoidance of doubt, the lack of
answer shall be construed as a refusal.
The duration of the audit is for a maximum of five (5) business days. It may be
exceptionally extended for no more than five (5) business days.
The audit shall be conducted under the control of Data Processor.
In that respect, Data Controller will provide to Data Processor an audit methodology,
which will be reviewed by Data Processor to ensure the audit will not (1) unreasonably
disrupt or interfere with Data Processor’s business activities and (2) allow Data
Controller auditors to have access to data other than the data owned by Data Controller
(such as, but not limited to, data proprietary to other Licensees of Data Processor).
Data Processor will cooperate with the Data Controller auditors and agrees:
– To submit as soon as possible, the information requested which is in its possession
– To obtain the necessary information that would be under the control of a third
party linked to Data Processor;
– To allow the examination of all documentation and technical equipment in the
scope of the audit;
– To allow for the testing of such equipment and documentation, provided that Data
Controller produces written documentation insuring that the tool used (device connected,
software installed, etc) will not corrupt the environment tested, reduce system
performance or create any form of interference.
Subject to Data Processor’s prior authorization, Data Controller is entitled to collect data
during the performance of the audit.
When present on Data Processor’s premises, Data Controller’s auditors must observe and
comply with all security policies and procedures in effect at the time of the audit.
Auditors must not attempt to break, bypass or circumvent Data Processor’s security
systems, or attempt to obtain access to any environment (be it facilities, hardware,
programs or data) beyond the scope of what Data Processor has determined as sufficient
to perform the audit.
At the conclusion of the audit, a preliminary report shall be established by Data
Controller auditors and shared with Data Processor. Data Processor will submit its
reservations without undue delay and the Parties will meet promptly to discuss all issues
raised by Data Processor and approve the final audit report. If such discussion fail to
achieve a result satisfactory to both Parties, the dispute shall be escalated.
In case the final audit report reveals a violation by Data Processor to the terms of this
Agreement, Data Processor and Data Controller will agree upon an appropriate and
effective manner in which to respond to the deficiencies identified and changes
recommended by the audit report.
The costs of such audit will be borne by the Data Controller.
In case the audit reveals deficiencies, Data Processor undertakes to implement, at its own
costs, the necessary corrective measures agreed between the Parties.
In case the audit does not reveal any irregularities or breaches from the Data Processor,
Data Controller shall compensate Data Processor for the internal and external cost of
such audit. Data Processor shall provide, prior to the beginning of the audit, applicable
rates and charges for resources that might be allocated to the audit.
2.1. Security Measures
Licensor shall implement and maintain a written information security program including
appropriate policies, procedures, and risk assessments that are reviewed at least annually.
Without limiting Licensor’s obligations under Section [3(a)], Licensor shall implement
administrative, physical, and technical safeguards to protect Licensee Data and Personal
Information from unauthorized access, acquisition, or disclosure, destruction, alteration,
accidental loss, misuse, or damage that are no less rigorous than accepted industry
practices and shall ensure that all such safeguards, including the manner in which
Personal Information is created, collected, accessed, received, used, stored, processed,
disposed of, and disclosed, comply with applicable data protection and privacy laws, as
well as the terms and conditions of this Agreement.
At a minimum, Licensor’s safeguards for the protection of Licensee Data and Personal
Information shall include: (i) limiting access of Licensee Data and Personal Information
to Authorized Persons; (ii) securing business facilities, data centers, paper files, servers,
backup systems, and computing equipment; (iii) implementing network, application,
database, and platform security; (iv) securing information transmission, storage, and
disposal; (v) implementing authentication and access controls within media, applications,
operating systems, and equipment; (vi) strictly segregating Personal Information from
information of Licensor or its other Licensees so that Personal Information is not
commingled with any other types of information; (vii) implementing appropriate
personnel security and integrity procedures and practices, including, but not limited to,
conducting background checks consistent with applicable law; and (ix) providing
appropriate privacy and information security training to Licensor’s employees.
During the term of each Authorized Employee’s employment by Licensor, Licensor shall
at all times cause such Authorized Employees to abide strictly by Licensor’s obligations
under this Agreement. Licensor further agrees that it shall maintain a disciplinary process
to address any unauthorized access, use, or disclosure of Licensee Data or Personal
Information by any of Licensor’s officers, partners, principals, employees, agents, or
2.2 Security breach
“Security Breach” means any act or omission that materially compromises either the
security, confidentiality, or integrity of Licensee Data or Personal Data or the physical,
technical, administrative, or organizational safeguards put in place by Licensor, or by
Licensee should Licensor have access to Licensee’s systems, that relate to the protection
of the security, confidentiality, or integrity of Licensee Data or Personal Data. Without
limiting the foregoing, a material compromise shall include any unauthorized access to or
disclosure or acquisition of Personal Data.
– Provide Licensee with the name and contact information to contact the Security
Operation Center of Licensor which shall serve as Licensee’s primary security contact
and shall be available to assist Licensee twenty-four (24) hours per day, seven (7) days
per week as a contact in resolving obligations associated with a Security Breach;
– Notify Licensee of a Security Breach as soon as practicable, but no later than
twenty-four (24) hours after Licensor becomes aware of it; and
– Notify Licensee of any Security Breaches emailing Licensee at [EMAIL
ADDRESSES]], with a copy by email to Licensor’s primary business contact within
The notification shall at least: (a) describe the nature of Personal Data breach including
where possible the categories and approximate number of data subjects concerned and the
categories and approximate number of Personal Data records concerned; (b)
communicate the name and the contact details of the data protection officer or other
contact point where more information can be obtained; (c) describe the likely
consequences of the Personal Data Breach; (d) describe the measures taken or proposed
to be taken to address the Personal Data Breach, including, where appropriate, measures
to mitigate its possible adverse effects.
Immediately following Licensor’s notification to Licensee of a Security Breach, the
parties shall coordinate with each other to investigate the Security Breach. Licensor
agrees to reasonably cooperate with Licensee in Licensee’s handling of the matter,
including, without limitation: (i) assisting with any investigation; (ii) providing Licensee
with physical access to the facilities and operations affected; (iii) facilitating interviews
with Licensor’s employees and others involved in the matter; and (iv) making available
all relevant records, logs, files, data reporting, and other materials required to comply
with applicable law, regulation, industry standards, or as otherwise reasonably required
Licensor shall at its own expense take reasonable steps to immediately contain and
remedy any Security Breach and prevent any further Security Breach, including, but not
limited to taking any and all action necessary to comply with applicable privacy rights,
laws, regulations, and standards.
Licensor agrees to maintain and preserve all documents, records, and other data related to
any Security Breach.
Licensor agrees to reasonably cooperate with Licensee in any litigation, investigation, or
other action deemed reasonably necessary by Licensee to protect its rights relating to the
use, disclosure, protection, and maintenance of Licensee Data or Personal Data.
In the event of any Security Breach, Licensor shall promptly use its best efforts to prevent
a recurrence of any such Security Breach.