
TERMS AND CONDITIONS OF SALE, APPENDIX 2

DATA PROCESSING AGREEMENT

PREAMBLE

This Data Processing Agreement (hereinafter the “DPA”) applies between DataGalaxy and the Customer (hereinafter the “Parties”), each acting for and on behalf of its affiliates.

The Parties wish to define the conditions under which DataGalaxy undertakes to carry out on behalf of the Customer the personal data processing operations resulting from the Contract (as defined below) and the respective responsibilities of the Parties in this matter.

1. DEFINITIONS

  • « Contract »: means the license and/or service agreement concluded between the Customer and DataGalaxy, including personal data processing operations covered by this DPA.
  • « PII »: means personal data that directly or indirectly identifies a natural person.
  • « Applicable Legislation »: means the regulations in force applicable to the processing of personal data and, in particular, Law No. 78-17 of January 6, 1978 relating to data processing, files and freedoms and Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 (the “GDPR”), as well as any other provision of Union law or of the law of the Member States relating to data protection, with which the Parties undertake to comply.
  • « Solution »: means the collaborative data governance software solution of an enterprise’s information system in SaaS mode (Software as a Service) edited, developed and marketed by the company DataGalaxy.
  • « Subsequent Subcontractor »: means another subcontractor DataGalaxy itself may engage to carry out specific PII processing activities under the Agreement.
  • « User »: means any natural person who is a member of the Customer’s staff and who has been authorized by the Customer to use the Solution under the terms of the Contract, exclusively for professional purposes, regardless of where that person is located and how he or she is connected.

2. DETAIL OF THE PROCESSING

a. Perimeters of the processing

Within the framework of the Contract, DataGalaxy is authorized to process, on behalf of the Customer, the PII necessary for the following processing operations:

  • Customer service management.
  • Management of the DataGalaxy platform security and confidentiality.
  • Management of the maintenance and evolution of the DataGalaxy platform.

b. Nature and object of the processing

The purpose of the processing is the implementation by DataGalaxy of collection, recording, conservation, etc., on behalf of the Customer, within the framework of the Contract and when necessary for the execution of the Services.

c. Purposes of the processing

As a subcontractor, DataGalaxy will be required to process PII to perform the following operations:

  • Customer Service Management
    • Support on the DataGalaxy application
    • Response to email requests
    • Management of trouble tickets
    • Troubleshooting (access to the Users’ online account)
  • Security and privacy management of the DataGalaxy platform:
    • User Identification
    • Authorization management:
      • Adding Users to the DataGalaxy platform
      • Deleting Users’ accounts from the DataGalaxy platform
  • Maintenance and evolution of the DataGalaxy application:
    • Improvement of the platform ergonomics
    • Resolution of incidents on the DataGalaxy platform.

d. Categories of PII

The PII processed are:

  • Identification data: last name, first name.
  • Professional data: e-mail address, professional status (job and team).
  • Connection data: logs (time-stamp information, access information (IP, browser), User browsing data on the DataGalaxy platform).

Category of data subjects

The categories of persons concerned by this processing are the employees of the Customer, and its possible service providers.

Duration of the processing

PII shall be processed for the duration of the Contract and for a period of one (1) year following its termination date.

3. OBLIGATIONS OF THE PARTIES

a. Obligations of DataGalaxy

DataGalaxy undertakes, where applicable, to:

  • Process the PII only for the sole purpose(s) specified in this DPA and/or the Contract.
  • Process PII in accordance with the documented instructions of the Customer and any further instructions communicated by the Customer.
  • If DataGalaxy is required to transfer data to a third country or to an international organization according to the Applicable Legislation, it must inform the Customer of this legal obligation prior to the processing, except if this regulation prohibits such information for compelling reasons of public order.
  • Inform the Customer without delay if DataGalaxy considers that an instruction constitutes a violation of the Applicable Legislation.
  • Guarantee the confidentiality of the PII processed within the framework of the Contract, and in particular to take all measures to prevent them from being distorted, damaged or communicated to unauthorized third parties, throughout the duration of the Contract.
  • Ensure that persons authorized to process PII under the Contract:
    • Are committed to confidentiality and/or are subject to an appropriate legal duty of confidentiality.
    • Receive the necessary training in the protection of PII.
  • Consider, with respect to its tools, products, applications or services, the principles of protection of PII by design and data protection by default.

b. Obligations of the Customer

The Customer undertakes to:

  • Provide DataGalaxy with the PII necessary to perform the Services.
  • Document in writing any instruction concerning the processing of PII by DataGalaxy.
  • Ensure, beforehand and during the whole duration of the Contract, the compliance with the obligations provided by the Applicable Legislation.
  • Supervise the processing, including audits and inspections of DataGalaxy.

In its capacity as data controller, it guarantees to be in full compliance with the provisions applicable to the processing operations covered by the present document.

4. SUBSEQUENT SUBCONTRACTING

a. Use of a Subsequent Subcontractor

When DataGalaxy has recourse to Subsequent Subcontractors, it informs the Customer in writing beforehand. 

The list of Subsequent Subcontractors approved by the Customer at the date of the present Contract is reproduced hereinafter:

 

| Name of the Subsequent Subcontractors | Categories of subcontracted activities | PII processing location |
| --- | --- | --- |
| Depending on the Customer’s Offer: Microsoft Azure; or Amazon AWS; or Google Cloud Platform; or OVH. | Hosting of the Solution | France |
| Docusign | Management of the certified electronic signature | |
| Freshdesk | Support management | |
| Hubspot | CRM management | |

 

DataGalaxy is committed to provide, upon request, the updated list of all its Subcontractors.

Furthermore, DataGalaxy commits itself to inform the Customer of any change in the number of Subsequent Subcontractors and will not implement the subcontracting without prior agreement. 

The said written notification shall indicate the elements of the processing activities of the subcontracted PII, as well as the identity and contact details of the Subsequent Subcontractor. 

The Customer shall have a minimum period of eight (8) days from the date of receipt of this information to present any objections to the envisaged change. In the absence of any objections from the Customer within this period, the subcontracting shall be deemed accepted.

b. Guarantees submitted by the Subsequent Subcontractor

In case of subcontracting duly authorized by the Customer, DataGalaxy guarantees the Customer that any Subsequent Subcontractor who is required to process in any way all or part of the PII:

  • Is contractually bound to respect the same defined conditions as those of DataGalaxy set out in this DPA and DataGalaxy is responsible for the respect of these obligations by its Subsequent Subcontractor.
  • Presents the same sufficient guarantees regarding the implementation of appropriate technical and organizational measures so that the outsourced processing meets the requirements of the Applicable Legislation.

If the Subcontractor does not fulfill its data protection obligations, DataGalaxy remains fully responsible to the Customer for the fulfillment of these obligations.

5. INFORMATION AND EXERCISE OF THE RIGHTS OF THE PERSONS CONCERNED

a. Information of the persons concerned

It is the Customer’s responsibility to provide information to the persons concerned by the processing operations at the time of collection of the PII.

b. Exercising the rights of the persons concerned

DataGalaxy assists the Customer, as far as possible, in fulfilling its obligation to comply with the requests for exercising the rights of the data subjects, provided for in Chapter III of the GDPR: right of access, rectification, erasure, opposition, right to limitation of processing, right to data portability, right not to be subject to an automated individual decision (including profiling).

When data subjects request DataGalaxy to exercise their rights, DataGalaxy must send these requests upon receipt by e-mail to the address communicated by the Customer.

6. NOTIFICATION OF PII VIOLATIONS

DataGalaxy will notify the Customer, by e-mail to the address communicated by the Customer, of any violation of the PII as soon as possible and, if possible, no later than forty-eight (48) hours after becoming aware of it, unless the violation in question is not likely to cause a risk to the rights and freedoms of natural persons. This notification shall be accompanied by any useful documentation to enable the Customer, if necessary, to notify the violation to the competent control authority.

7. DATAGALAXY’S ASSISTANCE IN FULFILLING THE CUSTOMER’S OBLIGATIONS

DataGalaxy assists the Customer in the realization of impact analysis related to the protection of PII, as well as in the realization of the prior consultation of the control authority.

It is expressly understood that any intervention of DataGalaxy within the scope of the present DPA, and in particular the assistance in the performance of impact analysis, in the performance of the prior consultation of the control authority or in the exercise of the rights of the persons concerned, will be invoiced to the Customer according to its current tariff.

8. SECURITY MEASURES

DataGalaxy undertakes to implement the most appropriate technical and organizational measures to ensure the security of the PII, with respect to the outsourced processing.
DataGalaxy guarantees that the level of security of PII is adequate to the risk of destruction, loss, alteration, unauthorized disclosure or accidental or illegal access, such measures to include, but not be limited to, the measures set forth in the Applicable Legislation.

In this respect, DataGalaxy commits to implement the following security measures, also described in the Contract:

  • The implementation of access control and management of authorizations related to business software.
  • Pseudonymization and encryption of PII, it being specified that the use of encryption by DataGalaxy is in strict compliance with all applicable laws, rules and regulations regarding export.
  • No paper documents are kept on the premises containing the Customer’s PII.
  • The means to ensure the continued confidentiality, integrity, availability and resiliency of processing systems and services.
  • The means to restore the availability of and access to PII in a timely manner in the event of a physical or technical incident; and,
  • A procedure to regularly test, analyze, and evaluate the effectiveness of technical and organizational measures to ensure the security of processing.

Furthermore, DataGalaxy will minimize the scope of the employee(s) responsible for the direct processing of PII received, or acquired, in the course of the services provided for in the Contract and of the employee(s) who may be required to access and process Customer’s PII necessary for the performance of the services provided for in the Contract, as well as the scope of the access and processing of Customer’s PII.

It is agreed between the Parties that in the event that the evolution of legal, regulatory and/or supervisory requirements in the field of technical and organizational measures would make DataGalaxy’s obligations more onerous, the Parties undertake to meet in order to find an amicable solution regarding the adaptations to be made to the Contract as a result of these evolutions. If within sixty (60) days from DataGalaxy’s notification of such evolution, the Parties have not agreed on the adaptations to be made to the Contract following the above mentioned change, the most diligent Party will be entitled to terminate the Contract by giving sixty (60) days’ notice.

9. FATE OF PII

At the end of the Contract, for any reason, DataGalaxy commits, at the Customer’s choice, to:

  • Destroy all PII; or,
  • Return all PII to the Customer; or,
  • Return the PII to the subcontractor designated by the Customer.

The return shall be accompanied by the destruction of all existing copies in DataGalaxy’s information systems unless Applicable Legislation prevents DataGalaxy from returning or destroying all or part of the PII. In this case, DataGalaxy guarantees the confidentiality of the retained PII and will no longer actively process these PII. Once destroyed, DataGalaxy shall justify the destruction in writing.

10. DATA PROTECTION OFFICER

DataGalaxy has appointed a Data Protection Officer in accordance with the Applicable Legislation. His contact details are as follows:

  • Email address: dpo@datagalaxy.com
  • Postal address: DataGalaxy – Data Protection Officer, 47 rue Vivienne 75002 Paris France.

11. REGISTER OF PROCESSING ACTIVITY CATEGORIES

DataGalaxy declares to keep a written record of all categories of processing activities carried out on behalf of the Customer including:

  • The name and contact details of the Customer on whose behalf it is acting, of any subcontractors and, if applicable, of the data protection officer;
  • The categories of processing carried out on behalf of the Customer;
  • Where applicable, transfers of PII to a third country or to an international organization, including the identification of such third country or international organization and, in the case of transfers referred to in the second subparagraph of Article 49(1) of the European Data Protection Regulation, the documents attesting to the existence of appropriate guarantees.

12. TRANSFERS OF PII OUTSIDE THE EUROPEAN UNION

DataGalaxy may indirectly transfer, through its Subcontractors mentioned in article 4 of the present document, the PII that are the object of the present document outside the European Union. In such a case, DataGalaxy is committed to obtain the prior written consent of the Customer.

As DataGalaxy is subject to the GDPR, if it plans to engage any Subcontractor for activities that involve a transfer of the Customer’s PII to any country outside the European Union, then it will be required to review the adequacy of PII protection in the destination country prior to such transfer, use a valid means of transfer under the GDPR, and transfer only if substantially equivalent protection to that guaranteed in its home jurisdiction can be assured.
When such a transfer is considered, DataGalaxy commits to ensure that it is covered by:

  • Standard contractual clauses issued by the European Commission or a Supervisory Authority in accordance with Article 46 of the European Data Protection Regulation; and/or
  • Any binding corporate rules approved by a competent Supervisory Authority under Article 47 of the European Data Protection Regulation; and/or
  • An approved code of conduct in accordance with Article 46 of the European Data Protection Regulation; and/or
  • An approved certification mechanism in accordance with Article 46 of the European Data Protection Regulation; and/or
  • An adequacy decision of the European Commission in accordance with Article 45 of the European Data Protection Regulation.

In any case, DataGalaxy will inform the Customer within a reasonable period of time of any planned transfer and will at the same time provide the Customer with all relevant information allowing the Customer to comply with its obligations in the event of a PII transfer.

13. DOCUMENTATION – AUDIT

DataGalaxy will make available to the Customer, at its request, the documentation necessary to demonstrate compliance with all its obligations and to allow the performance of audits, including inspections, by the Customer or another auditor appointed by the Customer, and to assist in such audits.

Customer shall inform DataGalaxy of its willingness to perform such an audit, at its own expense, by registered letter or e-mail with acknowledgement of receipt, at least thirty (30) days before the inspection operations.

In any case, such an audit may only be performed by an independent third party auditor chosen by mutual agreement between the Parties and subject to a confidentiality obligation.

The audit may not, under any circumstances, disrupt the normal activity of DataGalaxy. Therefore, the audit may only take place during DataGalaxy business hours.

In case the audit reveals non-conformities, DataGalaxy commits to implement any corrective measure within three (3) months.

14. RESPONSIBILITY FOR PII

In their relationship, each Party shall be solely responsible for the damage caused by any breach of its obligations under this DPA and Applicable Legislation.

Accordingly, each Party shall indemnify the other against any damage resulting from the breach of its obligations.