PERSONAL DATA PROTECTION ADDENDUM

Article 1. Purpose

As part of their contractual relationship, the Parties undertake to comply with the regulations in force applicable to the processing of personal data and, in particular, Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 (hereinafter, the “European Data Protection Regulation” or “GDPR”).

The Parties have therefore agreed to define the terms and conditions relating to the protection of personal data as follows:

Article 2. Description of processing operations

As part of the performance of its services as defined below, SEPTEO IT SOLUTIONS may process personal data, within the meaning of the GDPR, relating to its prospects or to the Client and its Users; in this respect, SEPTEO IT SOLUTIONS acts as Data Controller for its own purposes.

The Client remains the sole Data Controller, within the meaning of the GDPR, of personal data relating to its own clients and/or employees, data which it processes in the course of its professional activity and to which SEPTEO IT SOLUTIONS may have access. In this case, SEPTEO IT SOLUTIONS acts as Data Processor within the meaning of the applicable regulations.

2.1. List of processing operations for which SEPTEO IT SOLUTIONS acts as Data Controller

| Purpose | Data Processed | Legal Basis | Retention Period |
|---|---|---|---|
| Management of the contractual relationship | Last name, First name; Email address, phone number | Performance of the contract | Duration of the contractual relationship plus 5 years |
| Use of data for product and service improvement purposes; communication of statistics; data anonymization and aggregation | Last name, First name; Email address, phone number | Performance of the contract | Duration of the anonymization operation |
| Commercial prospecting (Client) | Last name, First name; Email address, phone number | Performance of the contract | 3 years after the last contact with the person |

Exercise of the right to object by the data subject.

2.2. List of processing operations for which SEPTEO IT SOLUTIONS acts as Data Processor

| Purpose | Data Processed | Legal Basis | Retention Period |
|---|---|---|---|
| Provision of remote machine control service | Last name, First name; Email address, phone number | Performance of the contract | Contract duration |
| User support. Processing of User requests related to the use of the services | Last name, First name; Email address, phone number | Performance of the contract | Duration of the intervention |
| Hosting of databases and applications | Last name, First name; Email address, phone number | Performance of the contract | Duration of the contractual relationship with the Client |

Article 3. Obligations of the Parties

3.1. Obligations of SEPTEO IT SOLUTIONS

SEPTEO IT SOLUTIONS, acting as Processor, undertakes to:

  • Process data only for the purposes that are the subject of the processing agreement;
  • Process data in accordance with the documented instructions of the Data Controller. If the Processor considers that an instruction constitutes a violation of the European Data Protection Regulation or of any other provision of Union law or Member State law relating to data protection, it shall immediately inform the Data Controller;
  • Guarantee the confidentiality of personal data processed under the present contract;
  • Ensure that persons authorized to process personal data under this contract undertake to respect confidentiality or are subject to an appropriate legal obligation of confidentiality and receive the necessary training in personal data protection;
  • Take into account, with regard to its tools, products and applications, the principles of data protection by design and data protection by default;
  • Maintain a written register (including in electronic form) of all categories of processing activities carried out on behalf of the Data Controller.

3.2. Obligations of the Client

The Client undertakes, in its capacity as Data Controller, to:

  • Document in writing any instruction concerning the processing of data by SEPTEO IT SOLUTIONS;
  • Ensure, prior to and throughout the processing, compliance by the Processor with the obligations provided for by the European Data Protection Regulation;
  • Supervise processing, including carrying out audits and inspections of the Processor.

Article 4. Data recipients

SEPTEO IT SOLUTIONS may engage processors for the performance of the services under this contract (hereinafter the “Sub-processors”).

In this case, SEPTEO IT SOLUTIONS undertakes to ensure that each of its Sub-processors provides, in accordance with the Client’s instructions, sufficient guarantees regarding the implementation of appropriate technical and organizational measures so that processing meets the requirements of the European Data Protection Regulation.

SEPTEO IT SOLUTIONS undertakes to contractually impose on its Sub-processors compliance with the obligations of this processing clause.

SEPTEO IT SOLUTIONS undertakes to engage only Sub-processors:

  • Established in a country of the European Union, or
  • Established in a country offering an adequate level of protection within the meaning of European data protection authorities, or
  • Providing appropriate safeguards pursuant to Article 46 of the GDPR.

The list of Sub-processors is updated and made available to the Client upon written request. SEPTEO IT SOLUTIONS undertakes to inform the Client of any addition or change of Sub-processor by postal mail or email as soon as possible. The Client shall then have 15 days to object to such choice. Beyond this period and without any response from the Client, the Client acknowledges having authorized the said Sub-processor.

For the performance of this contract, SEPTEO IT SOLUTIONS uses the following Sub-processors:

| Identity of the sub-processor | Address of the sub-processor | Purpose of sub-processing |
|---|---|---|
| PIPEDRIVE | New York, US | CRM |
| OVHcloud | 2 rue Kellermann, BP 80157, 59053 ROUBAIX CEDEX 1, France | SMS credits for notifications; Database storage of information collected through monitoring |
| IONOS | 1&1 IONOS/UNETUN/UN-ET-UN/1ET1/ONEANDONE/ONE-AND-ONE 7 PLACE DE LA GARE, 57200 SARREGUEMINES France | Hosting |
| Sentry | 45 Fremont Street, 8th Floor, San Francisco, CA 94105 | Application logs collection tool |
| HUBSPOT | Cambridge, Massachusetts, United States | Marketing email sending tool |
| ZENDESK | 1019 Market St San Francisco, CA 94103, +1-888-670-4887 | Customer ticket tracking and knowledge base |

Article 5. Data security

In accordance with Article 32 of Regulation (EU) 2016/679, and taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing, as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the Client and SEPTEO IT SOLUTIONS acknowledge that they implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.

The technical and organizational measures implemented may include (non-exhaustive list):

  • Means to ensure the confidentiality, integrity, availability and ongoing resilience of processing systems and services.
  • Means to restore the availability of personal data and access to it in a timely manner in the event of a physical or technical incident.
  • A procedure for regularly testing, analyzing and evaluating the effectiveness of technical and organizational measures to ensure processing security.

SEPTEO IT SOLUTIONS shall make available to the Client, upon written request, documents relating to the security of its personal data, including in particular the necessary technical documentation, current procedures, risk analyses produced, and the detailed list of security measures implemented.

Article 6. Control and audit

If the Client reasonably considers it necessary to carry out an audit to verify the ongoing effectiveness of internal personal data protection systems and procedures, SEPTEO IT SOLUTIONS agrees to submit to such audit, limited to once per year, carried out by an independent, reputable auditor that is not a competitor of its business.

The audit may concern only processing operations carried out on behalf of the Client and within the scope of the Contract, to the exclusion of all other purposes; as such, it shall not include access to systems, information, or data unrelated to the execution of this Contract.

Any request by the Client to carry out an audit must be justified and duly documented.

The audit may only be carried out during SEPTEO IT SOLUTIONS’ opening hours and in a way that does not disrupt its activity.

The Client shall send any audit request to SEPTEO IT SOLUTIONS by registered letter with acknowledgment of receipt to its head office. The request must be reasoned and include the identity of the desired auditing firm.

After receipt of the request, at least 30 days before the desired start date, SEPTEO IT SOLUTIONS and the Client shall jointly confirm, through a memorandum of understanding signed by the Parties, the auditor’s identity, scope and duration of the audit, as well as the security checks and confidentiality levels applicable to any verification.

The Client shall bear all costs incurred by the audit, including, without limitation, auditor’s fees, and shall reimburse SEPTEO IT SOLUTIONS for all expenses and costs generated by the audit based on the average rate of the provider’s staff involved in the audit.

An audit report shall be drafted by the auditor and provided free of charge to each Party.

The Parties shall then consult each other to discuss any consequences to be given to the audit report, in particular the recommended corrective actions, their cost and cost allocation. Information, files or documents collected by the Client or the audit firm, originals or copies, are subject to the confidentiality obligation provided for in the Contract.

Article 7. Cooperation

SEPTEO IT SOLUTIONS undertakes to cooperate with the Client and help it meet the requirements of the Regulation incumbent upon it in its capacity as Data Controller, in particular for carrying out data protection impact assessments and prior consultations with the supervisory authority. At the Client’s request, SEPTEO IT SOLUTIONS shall provide any useful information in its possession for this purpose.

SEPTEO IT SOLUTIONS undertakes to forward to the Client, as soon as possible after receipt, any request of any nature from a natural person concerned by the processing of their personal data carried out in connection with the performance of the contract.

It is the Client’s responsibility, as sole Data Controller, to respond to the data subject. SEPTEO IT SOLUTIONS undertakes, as far as possible, to assist the Client in complying with its obligation to respond to requests to exercise data subject rights: access, rectification, erasure, objection, restriction and portability.

Article 8. Data breach notification

The Processor shall notify the Data Controller of any personal data breach as soon as possible after becoming aware of it and by email addressed to the Data Controller, and where applicable to the administrator. This notification shall be accompanied by any useful documentation to enable the Data Controller, if necessary, to notify this breach to the competent supervisory authority.

Article 9. Exercise of rights

With regard to information concerning it directly, the Client has a right of access, rectification, erasure, restriction, portability and objection. This right may be exercised:

  • By email: dpo@septeo.com
  • By post: DPO – Septeo, Font de la Banquière, 194 Avenue de la Gare Sud de France, 34970, LATTES

The author of this request must provide contact details (last name, first name, address) and a legitimate reason where required by law (in particular in case of objection).