PERSONAL DATA PROCESSING POLICY
Updated June 1st, 2023
The purpose of this data protection agreement (the "Agreement"), signed between Vade (Data Processor) and the Client (Data Controller) in accordance with article 28 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 relating to the protection of individuals with regard to the processing of personal data and the free movement of such data, and repealing Directive 95/46/EC ("GDPR"), is to define the conditions under which the Data Processor processes, upon the instructions of the Data Controller, Personal Data as defined in the GDPR.
This Agreement aims at regulating the processing of data in the context of the performance of services by the Data Processor for the benefit of the Data Controller.
As used in this Agreement, the following terms shall have the following meanings (such meanings to be equally applicable to both the singular and plural forms of the terms defined):
Personal Data: means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Incident: refers to any security incident, of malicious origin or not, occurring intentionally or not, having the consequence of compromising the integrity, confidentiality or availability of Personal Data.
Applicable Laws: means the laws and regulations relating to the processing and protection of Personal Data applicable in the country where the Data Processor is established. Applicable Law means in particular (a) the GDPR, (b) the laws and regulations of a member state of the European Union relating to the processing and protection of Personal Data, integrating or supplementing the GDPR; (c) any other applicable law or regulation relating to the processing and protection of Personal Data under the Agreement.
Services: refers to the services provided by the Data Processor to the Data Controller and which involve Data Processing on behalf of the Data Controller.
Data Processing: means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
2. PURPOSE OF THE AGREEMENT
The purpose of this Agreement is to organize the processing of Personal Data in the context of the performance of the Services provided by the Data Processor to the Data Controller.
The Parties agree to comply with the Applicable Laws as defined in this Agreement.
If the Data Processor believes that all or part of the Data Controller's instructions constitute or may constitute a violation of the Applicable Laws, it shall inform the Data Controller promptly in order to obtain modified instructions, except where the Applicable Laws prohibit the provision of such information.
The Data Controller shall adapt the instructions, with the reasonable assistance of the Data Processor, to ensure compliance with the Applicable Laws. These changes are likely to have a substantial impact on the performance of the Services and may require, in particular, a review of the scope and financial conditions of the provision of the Services. In this case, the Parties shall negotiate in good faith the necessary revisions, including the deadline for implementing the changes requested by the Data Controller.
The Data Controller expressly acknowledges and accepts that the Data Processor shall not be bound by instructions violating the Applicable Laws. The Data Processor reserves the right to suspend the performance of the Services until the Data Controller’s instructions are modified to comply with the Applicable Laws. In such a case, the Data Processor shall inform the Data Controller of the implementation of the suspension, no later than the day of this suspension.
Notwithstanding the foregoing, the Parties acknowledge that the Data Processor cannot be held liable for a violation of the Applicable Laws when processing Personal Data in compliance with the instructions of the Data Controller.
The Data Controller shall ensure that the Data Processing entrusted to the Data Processor has an appropriate legal basis and that the data subjects have previously given, when it is required, their consent to the Data Processing in compliance with the Applicable Laws.
4. OBLIGATIONS OF THE DATA PROCESSOR
The Data Processor acknowledges and agrees that it shall only process Personal Data upon the written instructions of the Data Controller. Accordingly, the Data Processor undertakes not to use the Personal Data of the Data Controller for purposes other than those indicated by the Data Controller, or for the Data Processor’s own activity or for that of a third party.
If the Data Processor cannot comply with the instructions of the Data Controller for any reason other than the non-compliance of these instructions with legal obligations, the Data Controller shall be informed promptly. In such a case, the Parties shall discuss the modifications that the Data Processor would agree to implement or that the Data Controller could apply to its instructions.
The Data Processor ensures that its authorized personnel have received appropriate training and have been made aware of the applicable security procedures before processing Personal Data entrusted by the Data Controller. The Data Processor shall furthermore ensure that its authorized personnel in charge of Data Processing are bound by an appropriate obligation of confidentiality.
The Data Processor further agrees:
- that the technical and organizational security measures described in Exhibit 1 are appropriate with regard to the Data Processing; and,
- that the technical and organizational security measures are adequate considering the processing risks and the defined Data Processing purposes. In particular, the Data Processor undertakes not to reduce the overall security of the Data Processing during the term of this Agreement without the prior consent of the Data Controller; and,
- to provide the Data Controller with reasonably accessible and relevant information concerning the Data Processing carried out, such as the information necessary to conduct a data protection impact assessment on the Data Processing; and,
- to keep a record of processing activities of all categories of Data Processing activity carried out on behalf of the Data Controller and to make such record available to the Data Controller upon request; and,
- to comply with the principles of data protection by design and by default; and,
- to provide the Data Controller with reasonable cooperation and assistance in responding to requests from data subjects, in particular requests to exercise the rights of access, rectification, erasure, restriction or portability; and,
- to provide the Data Controller with all the documentation justifying the compliance with the Data Processor’s obligations as per this Agreement; and,
- to deal with Incidents in accordance with this Agreement, and in particular in accordance with the Section “Management of Incidents”.
5. OBLIGATIONS OF THE DATA CONTROLLER
The Data Controller ensures that it has all the necessary consents and rights to authorize the Data Processor to process the Personal Data listed here on its behalf and in accordance with this Agreement. If the Data Controller acts on behalf of a third party, the Data Controller shall guarantee to the Data Processor that the instructions provided to the Data Processor concerning the Processing of Data, including the designation of the Data Processor for the performance of the Services, have been authorized by the Data Controller’s own data controller.
The Data Controller provides the Data Processor with all the instructions necessary for carrying out the Data Processing and for creating the record of processing activities with regard to the Data Controller’s Personal Data.
In the event that the Data Controller wishes to modify its instructions, it shall notify the Data Processor at least thirty (30) days in advance in order to allow the Parties to discuss the proposed modifications.
The Data Controller acknowledges that the provision of the instructions by the Data Controller to the Data Processor is necessary so that the Data Processor can adequately carry out the Data Processing.
The Data Controller is solely responsible for the Data Processing carried out by the Data Processor in compliance with the Data Controller’s instructions.
The Data Controller also acknowledges that any modification of the instructions is likely to have a substantial impact on the performance of the Services and require, in particular, a review of the scope and of the financial conditions of the provision of these Services. Accordingly, the Parties shall negotiate in good faith the necessary revisions, including the deadline for implementing the modifications requested by the Data Controller.
6. MANAGEMENT OF INCIDENTS
In the event of an Incident affecting the Personal Data, the Data Processor undertakes to inform the Data Controller, within seventy-two (72) hours of becoming aware of such Incident, indicating: the nature of the Incident, the expected consequences of the Incident, the categories and the estimated number of data subjects and files concerned. This alert must be accompanied by any useful documentation to enable the Data Controller, if necessary, to notify this violation to the supervisory authority. Except as otherwise required by the Applicable Laws, the Data Processor further undertakes not to notify any Incident to a supervisory authority without the prior consent of the Data Controller.
7. TRANSFER OF PERSONAL DATA
The Data Processor undertakes to process the Personal Data of the Data Controller in France and in the countries listed in the list of the sub-contractors.
If the Data Processing by the Data Processor involves a transfer of Personal Data outside the European Union, the Data Processor must first ensure that the third-party processors provide an adequate level of protection under the Applicable Laws for the Data Processing of the Data Controller’s Personal Data.
The Data Processor further undertakes to ensure that any third-party data processor duly authorized to process Personal Data outside the European Union has agreed to comply with the appropriate Standard Contractual Clauses for the transfer of Personal Data set by the European Commission (or any competent authority), namely the European Commission "Data Processor" Standard Contractual Clauses, in accordance with Decision 2021/914, and implements, where appropriate, additional technical, organizational and legal measures when the analysis of local laws and data protection practices reveals that they are likely to challenge the effectiveness of the warranties agreed between the Parties. If the Data Processor is unable to comply with the Standard Contractual Clauses, the Data Processor undertakes to implement alternative protections to the Standard Contractual Clauses in order to ensure an adequate level of protection of the Data Controller’s Personal Data.
The Data Processor may subcontract the Data Processing of the Data Controller’s Personal Data to the sub-contractors listed in the list of the sub-contractors.
Notwithstanding the foregoing, if the Data Processor decides to subcontract the Data Processing, then the Data Processor agrees to obtain the prior written agreement of the Data Controller, after having informed the Data Controller of the identity and nature of the subcontractor as well as the mission of the subcontractor in the context of the Data Processing.
The Data Processor must impose the same obligations on the subcontractor as set out in this Agreement. This is executed through a contract or another legal act under the Applicable Law. It must be ensured that sufficient warranties are provided by the subcontractor to implement appropriate technical and organisational measures in such a manner that the Data Processing will meet the requirements of the Applicable Laws (“back-to-back” terms).
If the subcontractor fails to fulfil its data protection obligations, the Data Processor remains liable to the Data Controller for the performance of the subcontractor’s obligations.
9. EXERCISE OF RIGHTS
The Data Controller shall define the means for processing data subjects’ requests for the exercise of their rights. The Data Processor shall, in compliance with the Applicable Laws, assist as far as possible the Data Controller in the performance of its obligations in connection with the exercise of rights by data subjects.
In the event that the Data Processor receives a request from a data subject, the Data Processor undertakes not to respond directly to the request but to inform the Data Controller no later than seven (7) working days from the receipt of the data subject’s request. The Data Processor shall not be held liable for consequences that would result from a lack of response, or a response given too late by the Data Controller, to a request for the exercise of rights if such request has been duly transmitted in a timely manner by the Data Processor to the Data Controller.
10. DURATION AND TERMINATION
This Agreement shall come into force as of the last date of signature by the Parties and shall remain applicable for the duration of the provision of the Services by the Data Processor for the benefit of the Data Controller.
The Parties agree that the Section "Deletion and return of Personal Data" shall survive the expiration of the Agreement for whatever reason.
11. DELETION AND RETURN OF PERSONAL DATA
Except as otherwise requested by the Data Controller or provided by the Applicable Laws, the Data Processor undertakes to delete all Data Controller’s Personal Data on any medium whatsoever no later than one (1) month as of the end of the provision of the Services by the Data Processor for whatever reason.
Upon request by the Data Controller, the Data Processor shall provide a certificate of destruction of the Personal Data to the Data Controller.
The Parties agree that the Data Controller has the right to audit, at its sole expense, the Data Processing carried out by the Data Processor to verify the Data Processor’s compliance with this Agreement (including for the purposes of the audits described in Article 28(3)(h) of the GDPR and Clause 8.9 of the Standard Contractual Clauses). This right of audit shall be subject to the following conditions:
Upon request by the Data Controller, and subject to the confidentiality obligations applicable to the performance of the Services, the Data Processor will make available to the Data Controller the information necessary to demonstrate the Data Processor's compliance with the obligations set out in this Agreement.
The Data Controller may also carry out an on-site audit of the Data Processor, subject to (i) notifying the Data Processor at least ten (10) working days before the date of the audit, and (ii) carrying out this audit only during the working hours and days applicable to the Data Processor's site. The Parties agree that the duration of an audit shall be limited to two (2) working days.
Notwithstanding the foregoing, the Data Controller shall not schedule more than one (1) compliance audit per year except if there is an imminent risk to the security of the Data Controller’s Personal Data.
13. APPLICABLE LAW AND JURISDICTION
This Agreement shall be governed by and construed in accordance with French law without giving any effect to any principles of conflict of laws that require the application of the law of a different country.
Any and all dispute, controversy, claim or question arising out of or relating to the Agreement including the validity, binding effect, interpretation, performance or non-performance thereof shall first be submitted to the respective authorized management representatives of the Parties for discussion in good faith and amicable resolution. In the event the Parties cannot resolve such dispute on an amicable basis, the Parties agree to submit the matter to the courts of Paris (France).
14.1. Contact and notifications
For the performance of this Agreement, the Parties may contact and notify the other Party at the addresses set in this Section.
For the Data Processor:
By email: email@example.com
By post: VADE, Attn: DPO, 2bis Avenue Antoine Pinay, 59510 Hem, France.
For the Data Controller: contact details as defined in the agreement.
14.2. Entire Agreement
This Agreement contains all the obligations of the Parties regarding its purpose. Except as otherwise written in this Agreement, in case of contradiction (i) between any commercial contract signed between the Parties for the performance of the Services and this Agreement, this Agreement shall prevail; (ii) between this Agreement and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.
No amendment to this Agreement will be effective unless it is evidenced by a written amendment signed by each of the Parties, expressly stating that it amends this Agreement.
The French version of the personal data processing policy prevails over all other language versions.
14.3. List of Exhibits
Exhibit 1: Security measures
Vade currently complies with the Security Measures described in this Exhibit 1. All capitalized terms not otherwise defined herein shall have the meanings as set forth in the Agreement.
a) Access Control
i) Preventing Unauthorized Product Access
Outsourced processing: Vade hosts its Service with outsourced cloud infrastructure providers (infrastructure as a service). Additionally, Vade maintains contractual relationships with vendors in order to provide the Service in accordance with our Data Processing Agreement.
Vade relies on contractual agreements, privacy policies, and vendor compliance programs in order to protect data processed or stored by these vendors.
Physical and environmental security: Vade hosts its product infrastructure with multi-tenant, outsourced infrastructure providers. The physical and environmental security controls are audited for Tier 3 and ISO 27001 compliance, among other certifications (such as SOC 2 Type 2 or ISO 27701).
Authentication: Vade implemented a uniform password policy for its products. Customers or Partners who interact with the products via the user/admin interface must authenticate before accessing non-public customer/partner data.
Authorization: Customer/partner Data are stored in multi-tenant storage systems accessible to Customers via only application user interfaces and application programming interfaces. Customers are not allowed direct access to the underlying application infrastructure.
The authorization model in each of Vade’s products is designed to ensure that only the appropriately assigned individuals can access relevant features, views, and customization options, following the least privilege principle. Authorization to data sets is performed by validating the user’s permissions against the profile associated with each customer data set.
Application Programming Interface (API) access: Public product APIs may be accessed using an API key or through OAuth/SAML authorization.
ii) Preventing Unauthorized Product Use
Vade implements industry standard access controls and detection capabilities for the internal networks that support its products.
Access controls: Network access control mechanisms are designed to prevent network traffic using unauthorized protocols from reaching the product infrastructure. The technical measures implemented differ between infrastructure providers and include Virtual Private Cloud (VPC) implementations, security group assignment, and traditional firewall rules.
Static code analysis: Security reviews of code stored in Vade’s source code repositories are performed, checking for coding best practices and identifiable software flaws.
Penetration testing: Vade maintains relationships with industry recognized penetration testing service providers for annual penetration tests. The intent of the penetration tests is to identify and resolve foreseeable attack vectors and potential abuse scenarios.
Vulnerability testing and patch management: Vade maintains relationships with industry recognized vulnerability testing service providers for six annual vulnerability tests on all Vade assets. The intent of the vulnerability tests is to identify and resolve weaknesses that could degrade Vade’s security level. Vade applies the monthly security patches delivered by software or infrastructure suppliers on all components of Vade’s infrastructure.
iii) Limitations of Privilege & Authorization Requirements
Product access: A subset of Vade’s employees have access to the products and to customer data via controlled interfaces. The intent of providing access to a subset of employees is to provide effective customer support, to troubleshoot potential problems, to detect and respond to security Incidents and to implement data security. All such requests are logged. Employees are granted access by role, and reviews of high-risk privilege grants are initiated annually. Employee roles are reviewed at least once every year.
Background checks: All Vade employees undergo a background check prior to being extended an employment offer, in accordance with and as permitted by the applicable laws. All employees are required to conduct themselves in a manner consistent with company guidelines, non-disclosure requirements, and ethical standards.
b) Transmission Control
In-transit: Vade makes HTTPS encryption (also referred to as SSL or TLS) available on every one of its login interfaces and for free on every customer site hosted on the Vade products. Vade’s HTTPS implementation uses industry standard algorithms and certificates.
At-rest: Vade stores user passwords following policies that follow industry standard practices for security. Vade has implemented technologies to ensure that stored data is encrypted at rest.
c) Input Control
Detection: Vade designed its infrastructure to log extensive information about system behavior, traffic received, system authentication, and other application requests. Internal systems aggregate log data and alert appropriate employees of malicious, unintended, or anomalous activities. Vade personnel, including security, operations, and support personnel, are responsive to known Incidents.
Response and tracking: Vade maintains a record of known security Incidents that includes description, dates and times of relevant activities, and Incident disposition. Suspected and confirmed security Incidents are investigated by security, operations, or support personnel; and appropriate resolution steps are identified and documented. For any confirmed Incidents, Vade will take appropriate steps to minimize product and Customer damage or unauthorized disclosure. Notification to Customer will be in accordance with the terms of the DPA or Agreement.
d) Availability Control
Infrastructure availability: The infrastructure providers use commercially reasonable efforts to ensure a minimum of 99.95% uptime. The providers maintain a minimum of N+1 redundancy to power, network, and HVAC services.
Fault tolerance: Backup and replication strategies are designed to ensure redundancy and fail-over protections during a significant processing failure.
Online replicas and backups: Where feasible, production databases are designed to be clustered on multiple instances. All databases are backed up and maintained using at least industry standard methods.
Vade’s products are designed to ensure redundancy and seamless failover. The server instances that support the products are also architected with a goal to prevent single points of failure. This design assists Vade operations in maintaining and updating the product applications and backend while limiting downtime.