Appendix B

Data backup and retention policy

This appendix (hereinafter referred to as the "Appendix") forms an integral part of the Contract offered by the Service Provider to the Subscriber.

In order to provide the Service, the Service Provider (hereinafter referred to as "the Service Provider" or "the Processor") may process Personal Data, as defined below, on behalf of the Subscriber (hereinafter referred to as "the Subscriber" or "the Controller").

The purpose of the Appendix is to:

  • define the conditions under which the Subcontractor undertakes to carry out, on behalf of the Data Controller, the Processing operations defined below;
  • specify the obligations of the Parties with regard to the protection of Personal Data.

Article 1. Definitions

Terms beginning with a capital letter have the following meaning:

"Personal data" means any information relating to an identified or identifiable natural person (hereinafter referred to as the "Data Subject"). An "identifiable natural person" is one who can be identified, directly or indirectly, in particular by reference to an identifier, such as a name, an identification number, location data, an online identifier, or to one or more factors specific to his or her physical, physiological, genetic, mental, economic, cultural or social identity.

The Personal Data are those processed by the Subcontractor (the Service Provider) on behalf of the Controller (the Subscriber) as part of the provision of the Service. They are listed in Appendix A "Description of processing".

"Processing" means any operation or set of operations, whether or not carried out using automated processes and applied to data or sets of Personal Data, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, communication by transmission, dissemination or otherwise making available, alignment or combination, limitation, erasure or destruction.

"Data Controller": means the natural or legal person, public authority, department or other body which, alone or jointly with others, determines the purposes and means of the Processing. In the context of the Contract, this is the Subscriber.

"Subcontractor": refers to the natural or legal person, public authority, service or other organization that processes Personal Data on behalf of the Data Controller. In this case, it is the Service Provider.

"Personal Data Breach": means any breach of security resulting in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure to third parties of Personal Data transmitted, stored or otherwise processed, or unauthorized access to such data.

"Applicable Law" means the laws and regulations relating to the processing and protection of Personal Data, applicable in the country where The Provider is established. Applicable Law means in particular: (a) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, applicable as from 25 May 2018 (hereinafter "the Regulation"); (b) Loi Informatique et Libertés n°78-17 of 6 January 1978 as amended.

Article 2. Description of the processing to be outsourced

The Data Controller entrusts the Subcontractor with the Processing(s) whose characteristics are defined in Appendix A. This appendix will be completed jointly by the Parties when the Contract is signed.

Article 3. Subcontractor's obligations

General obligations

The Subcontractor must present sufficient guarantees regarding the implementation of appropriate technical and organizational measures so that the Processing meets the requirements of the Regulation and guarantees the protection of the Data Subject's rights.

The Subcontractor undertakes to:

  • process Personal Data solely for the purpose(s) for which it is outsourced;
  • subcontract all or part of the Service containing Personal Data, in particular to a country outside the European Union, only after having obtained the prior, written and express agreement of the Subscriber and, in any event, only after having reproduced and obtained, from its authorized subcontractors, the same level of commitment and obligations as its own, and while remaining responsible for them with regard to the Subscriber;
  • process Personal Data in accordance with the Data Controller's documented instructions, as communicated at the time the contract is signed. If the Subcontractor considers that an instruction constitutes a breach of the Regulation or of any other provision of Union or Member State law relating to data protection, it shall immediately inform the Data Controller. Any new instruction will be subject to prior notice as provided for in Article Obligations of the Subscriber and to an agreement between the Parties as to the related terms and conditions;
  • guarantee the confidentiality of the Personal Data processed;
  • ensure that the persons authorized to process Personal Data at the Subcontractor undertake:
    1. to respect confidentiality, or are subject to an appropriate legal obligation of confidentiality, and
    2. to receive the necessary training in the protection of personal data;
  • take into account, with regard to its own tools, products, applications or services, the principles of data protection by design and data protection by default;
  • immediately notify any modification or change of services that may affect the Processing of Personal Data;
  • cooperate with the Subscriber in order to manage requests from data subjects to exercise their rights, and in particular their right to access, rectify, delete and/or object to Personal Data concerning them;
  • cooperate with the Subscriber to ensure compliance with the Subscriber's obligations under these regulations, such as its obligations to notify the CNIL and to communicate a data breach to the persons concerned;
  • return the files and Personal Data to the Subscriber at the end of the Contract, and then destroy all manual or computerized files storing the Data and other information collected, unless otherwise required by mandatory legal provisions, or authorized, or kept for the purpose of managing the end of the Contract, or upon authorization given by the person concerned duly informed of the purposes of the retention, or in accordance with the rules for archiving certain Personal Data.

Subsequent subcontracting

The Subcontractor may call upon another subcontractor (hereinafter "Subsequent Subcontractor") to carry out specific Processing activities. The identity and contact details of Subsequent Subcontractors are specified in Appendix A.

The Subcontractor shall inform the Data Controller in advance and in writing of any planned changes concerning the addition or replacement of other subsequent Subcontractors.

This information must indicate the Processing activities subcontracted, the identity and contact details of the subsequent Subcontractor and the dates of the subcontract.

The Data Controller has a period of fifteen (15) days from the date of receipt of this information to present his objections. This subcontracting may only be carried out if the Data Controller has not raised any objections within the agreed period.

In such an event, the Subcontractor undertakes to enter into a written contract with the subsequent Subcontractor.

It is the Subcontractor's responsibility to ensure that the subsequent Subcontractor presents the same sufficient guarantees regarding the implementation of appropriate technical and organizational measures, so that the Processing meets the requirements of the Regulation.

If the Subsequent Subcontractor fails to meet its data protection obligations, the Subcontractor remains liable to the Data Controller for the Subsequent Subcontractor's performance of its obligations.

Notification of Personal Data Breaches

The Subcontractor shall notify the Data Controller of any Personal Data Breach within 72 working hours of becoming aware of it, by email to the following address: privacy@tolk.ai.

This notification shall be accompanied by any useful documentation to enable the Data Controller, if necessary, to notify the Personal Data Breach to the competent supervisory authority.

Assisting the Data Controller in complying with its obligations

To the extent possible, the Subcontractor shall assist the Data Controller in fulfilling its obligation to comply with requests to exercise the rights of Data Subjects: right of access, rectification, erasure and objection, right to the limitation of the Processing, right to the portability of Personal Data, right not to be subject to an automated individual decision (including profiling).

Where Data Subjects make requests to the Subcontractor to exercise their rights, the Subcontractor must send such requests to the Data Controller, upon receipt, by email to the address indicated by the Data Controller when subscribing to the Service.

Upon request and to the extent possible, the Subcontractor may assist the Data Controller in carrying out impact analyses relating to the protection of Personal Data and in prior consultation with the relevant supervisory authority.

Security measures

The Subcontractor will take the appropriate technical and organizational measures. It undertakes to implement the security measures listed in Appendix A and to maintain them throughout the term of the Contract.

The Subcontractor undertakes, in the event of any change in the means used to ensure the security and confidentiality of Personal Data, to inform the Data Controller and to replace them with means of equivalent or superior performance. No change may lead to a reduction in the level of security.

Transfer of Personal Data

The Subcontractor undertakes that for the duration of the Contract, and as far as possible, Personal Data will be hosted and processed in data centers located in the European Union.

The Subcontractor shall refrain from any cross-border transfer of Personal Data outside the territory of the European Union, without the prior written consent of the Data Controller.

If the Processor is required to transfer Personal Data to a third country or to an international organization under European Union law or the law of the Member State to which it is subject, it must inform the Data Controller of this legal obligation prior to Processing, unless the law concerned prohibits such information for important reasons of public interest.

Disposition of Personal Data

Upon completion of the Services relating to the Processing subject to subcontracting, the Subcontractor undertakes to destroy all copies of the Personal Data existing in its information systems within a maximum period of thirty (30) days. The Subcontractor must provide written proof of the destruction of the Personal Data.

Data Protection Officer

The Subcontractor communicates to the Data Controller the name and contact details of its Data Protection Officer, if it has appointed one in accordance with Article 37 of the Regulation.

Register of categories of processing activities

The Subcontractor declares that it keeps a written record of all categories of Processing activities carried out on behalf of the Data Controller.

Documentation

The Subcontractor shall make available to the Data Controller the documentation necessary to demonstrate compliance with all of its obligations and to allow audits, including inspections, to be carried out by the Data Controller or another auditor appointed by it, and to contribute to such audits.

Article 4. Obligations of the Data Controller

Obligations towards the Subcontractor

Provision of Personal Data

The Data Controller undertakes to provide the Subcontractor with the Personal Data referred to in Appendix A.

Documented instructions

The Data Controller will provide the Subcontractor, upon signing the Contract, with express instructions concerning the Processing of Personal Data, to be documented in writing. The Data Controller acknowledges that these instructions are necessary in order for the Subcontractor to adequately assist it in fulfilling its obligations under the Applicable Law.

The Data Controller's instructions shall include, as a minimum, the information listed in Appendix A "Description of processing".

If the Data Controller wishes to modify its instructions, it must inform the Subcontractor at least thirty (30) days in advance, so that the Parties can evaluate the proposed modifications. In this respect, the Data Controller acknowledges that such modifications may have a direct impact on:

  • the Services, making it necessary to modify the terms of the Contract, including in particular the Scope of Services and the associated financial conditions. The Parties will negotiate in good faith the modifications to the Contract made necessary, including the deadline for incorporating said modifications;
  • the security measures initially defined and implemented by the Subcontractor, which may no longer be adapted to the risks presented by Processing. These measures may therefore require adaptation, which could have an impact on the provision of Services and the terms of the Contract, particularly with regard to financial provisions.

Monitoring the Subcontractor's compliance with its obligations

The Data Controller undertakes to ensure, beforehand and throughout the duration of the Processing, that the Subcontractor complies with the obligations laid down by the Regulation.

Supervision of Processing

The Data Controller undertakes to supervise the Processing, including carrying out any audits and inspections of the Subcontractor. The terms, scope and duration of the audit will be determined in advance by the Parties.

Security measures

The Data Controller expressly acknowledges:

  • that the security measures defined in Appendix A and applied by the Subcontractor are based on the instructions and information received from the Data Controller, which are used to assess the risks associated with the Processing of Personal Data;
  • that the security measures defined in Appendix A are adequate, taking into account the risks of the Processing and its purposes, as defined in Appendix A.

Warranties

The Data Controller warrants to the Subcontractor that the Personal Data entrusted to it hereunder has been collected fairly and lawfully, in accordance with the provisions of Articles 5, 6, 7 and 9 of the Regulation.

Other obligations under applicable law

The Data Controller undertakes to comply with its obligations under the Applicable Law and, in particular, to respond to requests to exercise the rights of Data Subjects in respect of the Processing entrusted to the Subcontractor.

Article 5. Obligations common to all parties

Compliance with regulations

In the context of their contractual relations, the Parties undertake to comply with the regulations in force applicable to the Processing of Personal Data and, in particular, the Regulation.

Cooperation with supervisory authorities

In the event of control by a competent authority, the Parties undertake to cooperate with each other and with the controlling authority.

If an inspection by a competent authority at the Service Provider's premises concerns Processing carried out in the name and on behalf of the Subscriber:

  • the Service Provider undertakes to inform the Subscriber without delay and to make no commitment on its behalf;
  • the Subscriber undertakes to cooperate with the Service Provider and to provide it with any information that the latter may require or that may prove necessary.

In the event of an inspection by a competent authority at the Subscriber's premises concerning the Services provided by the Service Provider:

  • the Subscriber undertakes to inform the Service Provider without delay and not to make any commitment on its behalf;
  • the Service Provider undertakes to cooperate with the Subscriber and to provide any information that the latter may require or that may prove necessary.

Insurance

Each of the Parties declares that it is insured for its professional civil liability with a company known to be solvent, and undertakes to maintain this guarantee throughout the term of this Contract, in order to cover any damage that may be caused to the other Party or to any third party, as a result of the performance or non-performance of this Contract, including in the event of damage resulting from the Processing of Personal Data.

Each of the Parties undertakes to provide, at the first request of the other Party, a certificate showing the name of the company, the number of the insurance policy and the nature and amount of the cover taken out.

Each Party also undertakes to notify the other Party of any modification, suspension or termination of the said insurance policies, for whatever reason, as soon as possible.

Article 6. GDPR Audit

The Subcontractor shall provide the Data Controller with all the information necessary to demonstrate its compliance with its obligations under the Applicable Law.

Throughout the term of the Contract, the Data Controller may, subject to forty-five (45) days' notice, at its own expense and once (1) a year, check, or have checked by a third-party representative subject to confidentiality obligations and not a competitor of the Subcontractor, compliance with the obligations contained in this Appendix.

The scope and duration of the audit will be determined in advance by the Parties.

The audit will then be carried out on the Subcontractor's premises, during normal working hours and in such a way as not to cause undue inconvenience to the Subcontractor's activities.

In the event of non-compliance and after notification of the audit report by the Data Controller to the Subcontractor, the Parties will meet to study the measures to be implemented through an action plan proposed by the Subcontractor, in response to the non-compliances observed.

Article 7. Liability

As Data Controller, the Subscriber is liable for damages caused by Processing carried out in violation of the applicable Law.

The Subcontractor shall only be liable for damage caused by the Processing if it has failed to comply with its obligations specifically incumbent upon it under the applicable Law or if it has acted outside or contrary to the lawful instructions of the Data Controller.

The Subcontractor may not be held liable in the event of: (i) failure by the Data Controller to comply with its legal, regulatory or contractual obligations; (ii) unlawful instructions from the Data Controller; (iii) more generally, any failure relating to the use of Personal Data.

The Subcontractor shall be exonerated from liability if it demonstrates that it is in no way responsible for the event that caused the damage.

Article 8. Amendment

The present Appendix may only be modified by means of an amendment, under the conditions defined in Article 17 of the Contract.

APPENDIX A:

DESCRIPTION OF PROCESSING

This appendix defines the characteristics of the Processing implemented by the Data Controller and entrusted to the Subcontractor:

  • Identity of the Data Controller: the customer signing this contract, or the corporate officer of the company signing this contract, is the Data Controller.
  • Identity of the Subcontractor and, where applicable, if previously authorized by the Data Controller, its subsequent Subcontractor(s):
    a) Subcontractor: the Service Provider;
    b) Subsequent subcontractor(s): the Host (GCP - Europe).
  • Purpose(s) of Processing:

    The provision to the Subscriber of technical tools designed to partly automate and facilitate its own customer relations, in particular through automated conversation tools.

  • Duration of Processing:

    For the duration of the subscription.

  • Legal basis for Processing:

    The processing of personal data by the Service Provider is necessary for the provision of the Service.

  • Persons concerned:

    Customers of the Data Controller.

  • Type of Personal Data concerned:

    Name, first name, address, email, or any other data provided by the end user of the service in the context of the use of the service, under the responsibility of the Data Controller, and actions, with management of the follow-up of the actions carried out.

    No sensitive personal data revealing a person's alleged racial or ethnic origin, political opinions, religious or philosophical beliefs or trade-union membership, nor the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation, is necessary for the operation of the Service.

  • Nature of the operations carried out by the Subcontractor on the data:

    The operations consist of storing and analyzing certain Personal Data of the Subscriber and/or User for the purposes of the Service and its improvement. They also involve storing certain Personal Data of the Data Controller's customers, which the latter chooses to store on its customer and/or User space, for the needs of its business and the production of documents offered by the Service. The Service Provider merely stores this Data for the Subscriber's needs, without making any use of it.

  • Duration and methods of retention, or criteria for defining the duration by type of data if different:

    Processing is carried out only for the duration of the Subscriber's and/or User's subscription, subject to the storage and archiving of certain Personal Data of the Subscriber and/or User (excluding Customer Data), either consented to by the Subscriber and/or User, or necessary for the finalization of the post-contractual relationship, or in accordance with the conditions for archiving useful Personal Data laid down by applicable regulations.

  • Location of data, by type of data or by category of data subjects if different:
    • the Service Provider, for the Personal Data essential to the Service and for the Personal Data of the Data Controller's customers;
    • the Service Provider's subcontractors involved in providing the Service and, where applicable with the agreement of the Data Controller, those involved in providing additional services.
  • Information given to the persons concerned:

    Information on the rights of the persons concerned is contained in the General Conditions of Use, which are made available to the Subscriber by the Service Provider:
    • on its website;
    • within the quote;
    • when subscribing to the Service;
    • in the Contract;
    • on simple request sent to: privacy@tolk.ai
  • Transfer of data outside the European Union (permitted / if applicable):

    The Service Provider may only subcontract all or part of the Service containing Personal Data, in particular to a country outside the European Union, after having obtained the prior, written and express agreement of the Subscriber and, in any event, after having reproduced and obtained, from its authorized subcontractors, the same level of commitment and obligations as its own, and while remaining responsible for the latter with regard to the Subscriber.

Organizational security measures:

The Service Provider undertakes to take all necessary measures to ensure that it and its employees comply with its obligations, and in particular:

  • not to process or consult the data or files for any purpose other than the performance of the Services;
  • not to transfer Personal Data to a third country, unless required to do so by mandatory legal provisions; where applicable, the Service Provider will inform the Subscriber of this legal obligation in advance;
  • to guarantee the confidentiality of personal data processed under the Contract;
  • not to insert extraneous personal data into the files;
  • to take beforehand all useful and appropriate measures, particularly of a security, legal and organizational nature, to prevent any misappropriation, malicious or fraudulent use of Personal Data and files, as well as any deformation, alteration, damage, accidental or unlawful destruction, loss, disclosure and/or access by unauthorized third parties;
  • to take all necessary and appropriate measures to protect the security of Personal Data;
  • not to carry out any statistical study on the data or any processing other than those requested by the Subscriber or essential to the solution;
  • notwithstanding the above, personal data may be processed for statistical purposes, subject to prior anonymization;
  • to notify the Subscriber immediately of any modification or change that may affect the processing of personal data;
  • to inform the Subscriber immediately if, in its opinion, an instruction constitutes a violation of data protection regulations.

The Service Provider undertakes to take all necessary measures to ensure that natural persons acting under its authority, involved in the Service and having access to Personal Data, receive the necessary training and information on the subject, respect the confidentiality of Personal Data and do not process them other than for the purposes of the Service.

When collecting Personal Data from its customers, the Subscriber must provide information concerning the subcontracting of certain Personal Data to the Service Provider.

In the event of transmission of sensitive Personal Data, the Subscriber undertakes to use encryption, if possible, to avoid storing such data on the Service.

Technical security measures

The Subcontractor undertakes to implement the following technical security measures: securing the servers used, managing authorizations, authenticating users, backing up data, tracing access, managing incidents, maintenance and data destruction.