PERSONAL DATA PROCESSING POLICY
Updated June 1st, 2023
EUROPE, MIDDLE EAST AND AFRICA
The purpose of this Personal Data Processing Policy(*) is to provide details on the data processing carried out by Vade, in its role as a processor, for its controller clients, in accordance with the provisions of Regulation (EU) 2016/679 of 27 April 2016, applicable as of 25 May 2018 in all countries of the European Union, known as the General Data Protection Regulation (hereinafter referred to as the "GDPR").
The terms whose first letter is capitalized in this document have the meaning assigned to them by Regulation (EU) 2016/679, as given below:
"Contract": means the commercial contract(s) between the Client and the Service Provider;
"Personal Data": means any information relating to an identified or identifiable natural person (hereinafter referred to as "data subject"); an "identifiable natural person" is one who can be identified, directly or indirectly, in particular by reference to an identifier, such as a name, an identification number, location data, an online identifier, or to one or more factors specific to his or her physical, physiological, genetic, mental, economic, cultural or social identity;
"Security incident" or "incident": means any breach of security resulting in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure to third parties of, or access to, Personal Data transmitted, stored or otherwise processed;
"Applicable Law": means the laws and regulations relating to the processing and protection of Personal Data applicable in the country where the Service Provider is established; Applicable Law means in particular (a) the European Regulation 2016/679 (General Regulation on the Protection of natural persons with regard to the Processing of Personal Data; GDPR); (b) the laws and regulations of a Member State relating to the processing and protection of Personal Data, incorporating or supplementing the GDPR; (c) any other applicable law or regulation relating to the processing and protection of Personal Data under the Contract;
"Identified natural person" or "Identifiable natural person": means a natural person who can be identified, directly or indirectly, by reference to an identifier, such as a name, an identification number, location data, an online identifier, or to one or more factors specific to his or her physical, physiological, genetic, mental, economic, cultural or social identity;
"Processing of personal data": means any operation or set of operations which may or may not be carried out using automated processes and applied to data or sets of Personal Data, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, limitation, deletion or destruction;
"Controller": means the Client, or, if applicable, the Client's Final Client;
"Processor" or "Service Provider": means Vade.
2. OBLIGATIONS OF THE PARTIES
2.1. OBLIGATIONS OF THE DATA CONTROLLER
2.1.1. INSTRUCTIONS OF THE CONTROLLER
As the Controller, the Client provides the Service Provider with express instructions (hereinafter "the Instructions") concerning the processing of Personal Data. The Parties agree that it is necessary for the Client to provide such Instructions to ensure that the Service Provider can adequately assist the Client in fulfilling its obligations under the Applicable Law.
The Instructions shall include, at least, a description of the purposes of the Processing, the type of Processing carried out, the list of categories of Personal Data processed, the categories of Data Subjects whose Data are processed, and the retention periods of such Data.
If the Client wishes to modify its Instructions, it shall notify the Service Provider at least thirty (30) days in advance to allow the Parties to assess the proposed modifications. Consequently, the Client acknowledges that:
- The integration of the changes may have a direct impact on the Services, making it necessary to modify the terms of the contract between the Client and the Service Provider, including in particular the scope of the service and the associated financial conditions;
- The Parties shall negotiate in good faith with regard to any amendments to the Contract that may be necessary, including the deadline for incorporating such amendments;
- The Parties shall use the amendments control procedures in accordance with the Contract to implement the changes referred to in the above two points.
2.1.2. PROCESSING GUARANTEES
The Client, in its capacity as Controller, shall ensure that any Personal Data processed on its behalf by the Service Provider under the terms of the Contract shall be processed in accordance with the Applicable Law.
Therefore, the Client confirms that:
- All processing of Personal Data shall be based on an adequate legal basis, as resulting from the applicable Personal Data Protection Laws;
- All processing is carried out for a defined, express and legitimate purpose;
- All processing of Personal Data shall be relevant and non-excessive to the purpose of the processing;
- All Personal Data are and will be maintained for the duration of the provision of the services;
- The retention period for storing data is legitimate in view of the purpose and the nature of the data concerned;
- Full, clear and accurate information shall be provided to Data Subjects regarding the data processed under the Contract, including, where applicable, information regarding the fact that data is transferred outside the EU;
- The Data Subjects whose Personal Data is processed pursuant to the Contract shall be provided with adequate and effective means to exercise their rights with respect to the data processing carried out, in accordance with the applicable legislation (the rights of access, rectification, updating, deletion, etc., where applicable). Where the Data Subject's request is addressed directly to the Service Provider, the Service Provider shall inform the Client. The Service Provider shall not be liable if the Client fails to provide a complete, accurate and timely response.
The Client considers that the Service Provider provides sufficient guarantees for the processing of the Client's Personal Data in accordance with the Applicable Law, particularly regarding the security measures described in the compliance matrix.
2.1.3. SERVICE PROVIDER'S OBLIGATIONS
The Parties expressly agree that the Service Provider is the Processor within the meaning of the Applicable Law and processes (for the purpose of storing) Personal Data on behalf of the Client in the context of the performance of the Services covered by the Contract.
2.1.4. PROCESSING IN ACCORDANCE WITH INSTRUCTIONS
The Service Provider processes Personal Data on behalf of the Client exclusively and solely in accordance with the instructions provided by the Client.
If, for any reason, the Service Provider is unable to comply with these Instructions, the Client shall be informed immediately. In such a case, the Parties shall agree on the amendments that the Service Provider shall be able to implement.
If the Service Provider believes that all or part of the Client's Instructions constitute or may constitute a breach of the Applicable Law, it shall inform the Client immediately to obtain amended instructions, unless the Applicable Law prohibits the provision of such information. The Client shall amend the Instructions, with the reasonable assistance of the Service Provider, to comply with Applicable Law. These amendments may have a substantial impact on the provision of the Services, which may require a review and amendment of the terms of the Contract, including, inter alia, the scope of the Services and the financial terms.
In this case, the Parties shall negotiate in good faith the necessary revisions, if any, including the deadline for implementing the requested changes.
The Service Provider shall not be liable for any breach of the Applicable Law if the processing complies with the Client's instructions.
In any event, the Client expressly acknowledges and agrees that the Service Provider shall not be bound by the Client's instructions in violation of the Applicable Law (including the Applicable Data Protection Law). As such, the Service Provider reserves the right to suspend the performance of the Services until the Instructions are amended to comply with the Applicable Law. In such a case, the Service Provider shall inform the Client of the implementation of the suspension.
RIGHTS OF DATA SUBJECTS
The Client establishes the means used to address requests from Data Subjects wishing to exercise their rights. However, the Service Provider shall, in accordance with the Applicable Law and considering the type of processing, assist the Client as far as possible in the performance of its obligations, through the implementation of adequate technical and organisational measures.
Where the Data Subject's request is addressed directly to the Service Provider, the Service Provider shall inform the Client without undue delay. In such a case, and unless otherwise agreed, the Service Provider shall not respond directly to data requests.
The Service Provider shall not be liable if the Client fails to respond to a properly transmitted request in a timely manner.
ASSISTANCE WITH PROCESSING SECURITY
Where requested and deemed necessary by the Client, the Service Provider shall, in accordance with the Applicable Law, and in light of the type of processing considered, assist the Client in complying with its obligation to define adequate technical and organisational measures to ensure the security and confidentiality of the Personal Data processed under the terms of the Contract.
IMPACT ASSESSMENT ON PERSONAL DATA
The Service Provider shall provide the Client with reasonably accessible and relevant information concerning the processing carried out, to allow the Client to complete the required documents such as the Personal Data impact assessment, and to comply with its obligations to demonstrate the implementation of adequate technical and organizational security measures.
The Service Provider's assistance will be invoiced to the Client under the applicable pricing conditions.
OTHER OBLIGATIONS
The Service Provider confirms that its employees who oversee the processing of Personal Data are bound by an appropriate non-disclosure obligation. The Service Provider shall ensure that the employees have undergone compulsory training in the processing and protection of Personal Data.
The Service Provider shall inform the Client of any substantial changes to the provision of the services that may have a significant impact on the processing of Personal Data.
2.2. JOINT OBLIGATIONS
2.2.1. COOPERATION WITH THE AUTHORITIES
In the event of control by a competent authority, the Parties undertake to cooperate with each other and with the controlling authority.
If the control carried out concerns only the Processing implemented by the Service Provider as the controller, the Service Provider shall be responsible for such control and shall refrain from communicating or reporting the Client's Personal Data.
If the control carried out at the Service Provider concerns Processing carried out in the name and on behalf of the Client, the Service Provider undertakes to inform the Client immediately and not to make any commitment on its behalf.
In the event of a control by a competent authority at the Client's premises concerning the services provided by the Service Provider, the Service Provider undertakes to cooperate with the Client and to provide it with any information which the latter may require or which may prove necessary.
Each of the Parties declares that it is insured for its professional civil liability with a company known to be solvent and undertakes to maintain this guarantee throughout the duration of the Contract, in order to cover any damage that may be caused to the other Party or to any third party, as a result of the performance or non-performance of the Contract, including in the event of damage resulting from the Processing of Personal Data.
The Service Provider undertakes to provide, at the Client's first request, a certificate with the name of the company, the number of the insurance policy, and the nature and amount of the guarantees.
It also undertakes to inform the Client at the earliest possible opportunity of any modification, suspension, or cancellation of the said insurance policies, whatever the cause.
2.3. REPORTING OF VIOLATIONS AND COMPLAINTS
The Service Provider undertakes to take all necessary measures to remedy a Personal Data breach or complaint.
The Service Provider undertakes to inform the Client by all available means of any breach of Personal Data, even if the breach is the result of an instruction issued by the Client itself, as well as the occurrence of any complaint addressed to the Service Provider by any individual affected by the processing carried out under the terms of the Contract.
This information must be issued as soon as possible, and no later than forty-eight (48) hours following the identification of the incident likely to lead to a breach of personal data and must be accompanied by any useful documentation in order to allow the Client to act accordingly and, if necessary, to notify this breach to the competent control authority.
The Client, in its role as the Controller, expressly acknowledges that it is responsible for compliance with the requirements of the Applicable Law (including, inter alia, formalities such as notifications).
2.4. DATA PROTECTION OFFICER
In case of question(s) or request(s), the Client may contact the Data Protection Officer at the following addresses:
- By post at the following address: VADE, for the attention of the DPO, 2 bis avenue Antoine Pinay, 59510 Hem, France;
- By e-mail at the following address: firstname.lastname@example.org.
The Client reserves the right to make any verification that it deems useful to ascertain, by means of an audit, the Service Provider's compliance with its obligations under the Agreement.
The Client undertakes to give the Service Provider at least fifteen (15) days' notice of its decision to carry out an audit and to carry out the audit only during office hours on working days.
The Service Provider undertakes to reply to the Client's audit requests, which are made solely through the intermediary of an auditor. This auditor must:
- Have been selected and engaged by the Client, who will bear the costs alone;
- Be independent of the Service Provider;
- Have the appropriate qualifications;
- Be free to provide the Client with details of its audit observations and findings.
The audits should enable an analysis of compliance with the Contract and Applicable Law, including:
- By checking all the security measures implemented by the Service Provider;
- By checking data location, copy, and deletion logs.
Finally, the audit must be able to ensure that the security and confidentiality measures put in place cannot be circumvented without this being detected and reported.
The audit may only cover the scope of the Contract.
3. PRIVACY AND SECURITY
3.1. DATA PRIVACY
The Service Provider undertakes to guarantee the privacy of the data hosted for the Client, in particular regarding personal data.
The Service Provider acknowledges that it is subject to professional secrecy concerning the data hosted in the context of the performance of the Contract.
The Service Provider undertakes to ensure that this obligation of secrecy is respected by the persons under its authority, and to train these persons in the protection of personal data.
3.2. DATA SECURITY SAFEGUARDS
In the performance of the Contract, the Service Provider shall act solely on the instructions of the Client. In this respect, the Service Provider undertakes not to use the data for its own account or for a third party.
Only qualified, authorised employees who have been made aware of the security procedures by the Service Provider may be called upon to intervene at the Client's request.
The Service Provider undertakes:
- Not to use the data for its own purposes or those of a third party;
- Not to insert in the files any extraneous data other than those authorised in the performance of the Contract, and to refrain from consulting and processing data other than those concerned with the performance of the Contract, even if it has access thereto;
- To process the said data in a professional manner and with the same care as it processes its own data;
- To preserve the security of the said data and, more specifically, their confidentiality, i.e. to protect them against any destruction (accidental or illicit), accidental loss, accidental or unauthorised modification, alteration, dissemination or unauthorised access, in particular when the processing involves data transmissions in a network, as well as against any other form of illicit processing or communication to unauthorised persons, and this in accordance with the provisions of Article 34 of French Law No. 78-17 of 6 January 1978, known as the "Data Protection Act";
- To inform the Client immediately of any binding request for disclosure of personal data from a law enforcement authority (save as otherwise provided), as well as any request received directly from data subjects, without responding to such a request, unless it has been expressly authorised to do so by the Client;
- To deal promptly and appropriately with all requests from the Client regarding its processing of personal data.
The Service Provider also undertakes to comply with the security measures defined in Annex 1 of this Personal Data Processing Policy.
The digital media and documents provided by the Client to the Service Provider remain the property of the Client.
The data contained in these media and documents are strictly covered by the rules of professional secrecy (in accordance with Article 226-13 of the Penal Code). The same provisions apply to any data of which the Service Provider becomes aware during the performance of the Contract.
The Service Provider undertakes to comply with the following obligations and to ensure that its employees do likewise:
- Not to make any copies of the documents and information entrusted to it, except those necessary for the performance of the service provided for in the Contract;
- Not to use the processed documents and information for purposes other than those specified in the Contract;
- Not to disclose such documents or processed information for purposes other than those specified in the Contract (it being understood that disclosure by the Service Provider of information relating solely to the Client's identity shall not be deemed to constitute a breach of the confidentiality rules defined herein);
- To take all measures to avoid any misuse or fraudulent use of computer files during the performance of the Contract.
3.3. APPLICATION OF TECHNICAL AND ORGANISATIONAL SECURITY MEASURES
The Service Provider shall apply appropriate technical and organisational security measures to prevent accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access to the Client's Personal Data, as described in Annex 1 of this Personal Data Processing Policy.
The Client expressly acknowledges that:
- The technical and organisational security measures defined and applied by the Service Provider are based on the Instructions and information received from the Client which are used to assess with the Client the risks associated with the processing of the Client's Personal Data;
- The Client considers the technical and organisational security measures to be appropriate considering the risks of the processing and the purposes thereof. The Service Provider shall not reduce the overall security of the Service during the term of the Contract without the prior written consent of the Client.
3.4. MODIFICATION OF TECHNICAL AND ORGANISATIONAL SECURITY MEASURES FOLLOWING A CHANGE IN THE CLIENT'S INSTRUCTIONS
The Client acknowledges and accepts that, if it modifies its Processing Instructions, the technical and organisational security measures, initially defined in Annex 1 of this Personal Data Processing Policy and implemented, may no longer be adequate to address the risks of processing.
In such a case, the Client acknowledges and accepts that technical and organisational security measures may require adaptations and that such adaptations may have an impact on the provision of the Service and the terms of the Contract, including the financial provisions.
The Service Provider subcontracts, and may subcontract, part of its services under the Contract to sub-processors, in accordance with the rules provided for under the GDPR.
If the Service Provider uses new sub-processors, the Service Provider shall obtain the Client's written consent, after informing the Client of the identity and nature of the sub-processor and its mission under the Contract.
The Service Provider shall remain solely responsible to the Client for the performance of the subcontracted Services and for the compliance of its sub-processors with the full terms of the Contract.
The Service Provider shall have previously signed an agreement with the sub-processor setting out the obligations of the Contract, in particular with regard to presenting sufficient guarantees as to the implementation of appropriate technical and organisational measures so that the processing complies with the requirements of the GDPR, and with regard to the confidentiality and security of the information communicated to it.
In the event of subcontracting, the Service Provider remains the sole guarantor of the proper performance of the Contract and the sole contact for the Client.
5. DATA TRANSFER
Except for the Personal Data necessary for the conclusion, the life of the contract, the maintenance of the Service Provider's solutions and the invoicing of the service, the Service Provider shall not transfer Personal Data to a country outside the European Union. The Service Provider shall provide a list of processors outside the European Union on request.
Where the Service Provider transfers the Client's Personal Data to an undertaking located outside the EU, and where the Client has approved, the Client expressly authorises the Service Provider to enter into any relevant agreement designed to ensure that the recipient undertaking applies an adequate level of protection for the Client's Personal Data.
The Service Provider shall ensure that third party processors provide an adequate level of protection when processing the Client's Personal Data. To this end, the Service Provider shall:
- Either, ensure that any processor duly authorised to process Personal Data outside the EU enters into and complies with the obligations set out in the appropriate standard contractual clauses for the transfer of personal data established by the European Commission (or any competent authority), in particular the European Commission's standard contractual clauses for "Subcontractors" in accordance with Decision 2010/593, with the Client or with the Service Provider in accordance with the above-mentioned authorisation;
- Or, implement alternative means to the standard contractual clauses in order to ensure an adequate level of protection for personal data if the European or local competent authorities recognise this as appropriate.
In the event of a conflict between the Contract and the present Personal Data Processing Policy, the provisions of the Personal Data Processing Policy shall prevail over those of the Contract.
This Personal Data Processing Policy will not affect the performance of the Contract and does not change the initial term of the Contract.
TECHNICAL AND ORGANISATIONAL SECURITY MEASURES
VADE currently respects the security measures described in this Annex.
1. Access control
1.1. Prevention of unauthorised access to products
Outsourced processing: VADE hosts its Service with outsourced cloud infrastructure providers (infrastructure as a service). In addition, VADE maintains contractual relationships with suppliers to provide the Service in accordance with our Security Policy.
VADE relies on vendors' contractual agreements, privacy policies, and compliance programs to protect data processed or stored by those vendors.
Physical and environmental security: VADE hosts the infrastructure of its products with outsourced and multi-tenant infrastructure providers. Physical and environmental security controls are audited to verify compliance in accordance with Tier 3 and ISO 27001 standards, among other certifications (such as SOC 2 type 2 or ISO 27701).
Authentication: VADE has implemented a uniform password policy for its products. Partners or third parties who interact with the products through the user/admin interface must authenticate before accessing non-public data of Partners and third parties.
Permission: The data of Partners and third parties is stored in multi-tenant storage systems accessible to Partners and third parties only through user interfaces and application programming interfaces. Partners and third parties are not permitted to directly access the underlying application infrastructure.
The authorization model of each of VADE's products is designed to ensure that only appropriately designated individuals can access relevant functions, views and customization options using the principle of least privilege. Dataset access authorization is performed by validating user permissions against the profile associated with each dataset.
Access to Application Programming Interfaces (API): The products' public APIs can be accessed using an API key or by OAuth/SAML authorization.
1.2. Prevention of unauthorised use of products
VADE implements industry-standard access controls and detection capabilities for internal networks that support its products.
Access controls: Network access control mechanisms are designed to prevent network traffic using unauthorised protocols from reaching the product infrastructure. The technical measures implemented differ between infrastructure providers and include virtual private cloud (VPC) implementations, security group assignment, and traditional firewall rules.
Static Code Analysis: Security reviews of code stored in VADE's source code repositories are performed, checking for coding best practices and identifiable software flaws.
Penetration Testing: VADE maintains relationships with industry-recognized penetration testing service providers to perform annual penetration testing. The goal of penetration testing is to identify and address predictable attack vectors and potential abuse scenarios.
Vulnerability Testing and Patch Management: VADE maintains relationships with industry-recognized vulnerability testing service providers to perform six vulnerability tests per year on all VADE assets. The objective of the vulnerability tests is to identify and remedy weaknesses that could lower VADE's level of security. VADE applies monthly security patches provided by software or infrastructure providers to all components of VADE's infrastructure.
1.3. Limitations on privileges and authorisation requirements
Product Access: A subset of VADE employees have access to Partner products and data through controlled interfaces. The purpose of this access is to provide effective Partner support, troubleshoot potential issues, detect and respond to Security Incidents, and implement data security. All such access requests are recorded. Employees are granted access based on their role, and high-risk privilege reviews are initiated annually. Employee roles are reviewed at least once a year.
Background Checks: All VADE employees are subject to background checks prior to receiving an offer of employment, in accordance with and to the extent permitted by Applicable Laws. All employees are expected to conduct themselves in a manner consistent with company guidelines, non-disclosure requirements and ethical standards.
1.3.1. Transmission control
In transit: VADE makes HTTPS encryption (TLS, formerly SSL) available on each of its connection interfaces and free of charge on each Partner site hosted on VADE products. VADE's implementation of HTTPS uses industry standard algorithms and certificates.
At Rest: VADE stores user passwords under policies that follow industry standard security practices. VADE has implemented technologies to ensure that stored data is encrypted at rest.
1.3.2. Input control
Detection: VADE has designed its infrastructure to record detailed information about system behaviour, received traffic, system authentication and other application requests. Internal systems aggregate log data and alert appropriate employees to malicious, unintentional, or abnormal activity. VADE personnel, including security, operations and support staff, are responsive to known incidents.
Response and follow-up: VADE maintains a register of known Security Incidents which includes the description, the dates and times of the relevant activities, and the registering of the Incident. Suspected and confirmed Security Incidents are investigated by security, operations, or support personnel; and appropriate resolution steps are identified and documented. For any confirmed Incident, VADE will take appropriate measures to minimize damage to the product and the Partner or unauthorized disclosure. Notification to the Third Party will be in accordance with the terms of the Policy.
1.3.3. Availability control
Infrastructure Availability: Infrastructure providers use commercially reasonable efforts to ensure a minimum uptime of 99.95%. Vendors maintain a minimum of N+1 redundancy for power, network, and HVAC services.
Fault tolerance: Backup and replication strategies are designed to provide redundancy and failover protections in the event of a significant processing failure.
Online replicas and backups: Wherever possible, production databases are designed to be clustered across multiple instances. All databases are backed up and maintained using at least industry standard methods.
VADE's products are designed to provide redundancy and seamless failover. The server instances that support the products are also designed to avoid single points of failure. This design helps VADE operations maintain and update product applications and backends while minimizing downtime.
(*) The French version of the Personal Data Processing Policy prevails over all other language versions.