Data Processing Agreement

EFFECTIVE DATE: September 7, 2022 (Version 1.0.2)

1. Context of the Agreement

1. The contract between ExcelWay SAS, 11 rue Léon Frot, 75011, (the “Processor”) and the Customer (together referred to as “the Parties”) governs the provision of the Processor’s software (the “Contract”).

2. During the fulfillment of this Contract, the Processor may handle personal data as defined in Art. 4(1) of the General Data Protection Regulation (“GDPR”). This data, referred to as “Customer Data”, is information about an identified or identifiable individual, such as the names, addresses, or phone numbers of the Customer’s customers, for which the Customer acts as controller under data protection law.

3. This Agreement outlines the Parties’ rights and obligations regarding the Processor’s use of Customer Data in providing services under the Contract.

2. Data Processing

1. The Processor shall process Customer Data in accordance with the Customer’s instructions, as specified in Annex 1 of this Agreement. The processing relates to the types of personal data and categories of data subjects defined in the Annex, and lasts for the duration of the Contract.

2. The Processor may anonymize or aggregate Customer Data to eliminate individual identification and use it for designing, development, optimization, and rendering services as agreed in the Contract. The Parties agree that anonymized and aggregated data is not considered Customer Data under this Agreement.

3. The Processor may also process and use Customer Data for its own purposes as a controller, but this Agreement does not apply to such processing.

4. The Processor shall primarily process Customer Data within the European Union or another European Economic Area (EEA) contracting state. However, the Processor may process Customer Data outside the EEA if it informs the Customer in advance and if the requirements of Art. 44 to 48 GDPR are fulfilled or if an exception under Art. 49 GDPR applies.

3. Instructions of the Customer

1. The Processor follows the Customer’s instructions for processing Customer Data, unless legally compelled to act differently. In such cases, the Processor will inform the Customer of the legal requirement before processing, unless the law prohibits such disclosure for important public interest reasons.

2. The Customer’s instructions are specified and documented in this Agreement. Deviations from or additional requirements specified in individual instructions require the Processor’s consent.

3. The Processor shall ensure that Customer Data is processed in accordance with the Customer’s instructions. If the Processor believes that a Customer instruction violates this Agreement or applicable data protection law, it may suspend the execution of that instruction after informing the Customer.

4. Responsibility of the Customer

1. The Customer is responsible for ensuring the legality of processing Customer Data and protecting the rights of data subjects in the Parties’ relationship.

2. If third parties bring claims against the Processor arising from the processing of Customer Data under this Agreement, the Customer must indemnify the Processor against such claims upon request.

3. The Customer must promptly provide the Processor with the necessary Customer Data for services to be rendered according to the Contract and is responsible for the accuracy of the Customer Data.

4. If the Customer discovers errors or violations of data protection provisions or of its instructions when examining the Processor’s results, it must inform the Processor immediately.

5. The Customer must provide the Processor with the information specified in Art. 30 para. 2 GDPR upon request, if not already available to the Processor. If the Processor is required to supply information to government bodies or individuals regarding the processing of Customer Data or participate in other ways, the Customer must assist the Processor in providing such information and fulfilling relevant cooperation obligations upon request.

5. Obligations for Personnel and Security Measures

1. The Processor will enforce confidentiality on all staff involved in handling Customer Data.

2. To ensure adequate protection of Customer Data as required by Art. 32 GDPR, the Processor will take necessary and appropriate technical and organizational measures, taking into account the state of the art, the cost of implementation, and the nature, scope, context, and purposes of the processing, as well as the risks to the rights and freedoms of data subjects. The measures implemented include those outlined in Annex 2.

3. The Processor reserves the right to make changes to these technical and organizational measures during the term of the Agreement, so long as they remain compliant with regulatory requirements.

6. Engagement of Additional Processors

1. The Customer gives the Processor the authority to engage additional processors to process the Customer Data. The list of processors engaged at the time of signing this Agreement is in Annex 3.

2. No authorization is needed for service providers who maintain data processing systems or perform ancillary services, but the Processor must ensure the confidentiality of Customer Data in such cases.

3. The Customer can receive notifications of the addition or replacement of subprocessors by subscribing to the mailing list at https://tally.so/r/mRW7WQ . The Customer may object within 14 days of notification; if no objection is raised within that period, the Customer’s right to object lapses. If the Customer objects, the Processor may terminate the Contract and this Agreement with 3 months’ notice.

4. The agreement between the Processor and any additional processor must impose obligations equivalent to those in this Agreement. This also applies where a processor in a third country is involved. The Customer hereby authorizes the Processor to sign an agreement with the standard clauses for transferring personal data to third-party processors (decision of the European Commission of February 5th, 2010).

5. The Customer agrees to cooperate with fulfilling the requirements of Art. 49 GDPR if necessary.

7. Data Subjects’ Rights

1. The Processor is required to assist the Customer, to the extent reasonable and necessary, in meeting their obligation to respond to data subjects’ rights requests. If a data subject submits a rights request directly to the Processor, the Processor will promptly forward it to the Customer.

2. The Processor must also provide the Customer with information about stored Customer Data, such as its recipients and the purpose of storage, if the Customer does not already have this information and is unable to obtain it.

3. The Processor is also required to help the Customer make corrections, deletions, or restrictions to the processing of Customer Data, or to carry out these actions at the Customer’s request if the Customer is unable to do so. The Processor may charge the Customer for any expenses incurred in this process.

4. Finally, if a data subject has the right to data portability, the Processor must help the Customer transfer the Customer Data in a structured, commonly used and machine-readable format, if the Customer is unable to obtain the data elsewhere. The Processor may charge the Customer for any expenses incurred in this process.

8. Processor’s Notification and Support Responsibilities

1. If the Customer has a legal obligation to notify a personal data breach affecting the Customer Data, the Processor will promptly inform the Customer of any relevant events that occur within the Processor’s area of responsibility. The Processor will assist the Customer in fulfilling its notification obligations, if requested and to a reasonable extent, and will be reimbursed for any expenses incurred in doing so.

2. The Processor will, to a reasonable extent, assist the Customer with conducting data protection impact assessments and any necessary prior consultations with the supervisory authority as required by Art. 35 and 36 GDPR. The Processor will be reimbursed for any expenses incurred in this regard.

9. Deletion of Customer Data

1. Upon the end of this Agreement, at the Customer’s discretion, the Processor must either delete or return the Customer Data and erase existing copies, unless it is required by law to retain the data.

2. The Processor may keep records to prove the proper handling of the Customer Data after the agreement has ended.

10. Evidence

1. The Processor agrees to provide the Customer with all relevant information to prove compliance with obligations under the Agreement upon request.

2. The Customer has the right to audit the Processor’s compliance with the Agreement and access business premises during usual business hours with advance notice, at the Customer’s expense. However, the Processor may choose not to disclose sensitive information or data unrelated to the audit.

3. The Customer can commission a third party to conduct the audit but must ensure the third party is bound by confidentiality.

11. Termination

1. The duration and termination of this Agreement are governed by the Contract’s terms on duration and termination. If the Contract ends, this Agreement terminates automatically; it cannot be terminated independently of the Contract.

12. Liability

1. The Processor is liable under this Agreement according to the limitations and exceptions outlined in the Contract.

2. If third parties make claims against the Processor due to the Customer’s deliberate violation of this Agreement or of its obligations as a data protection controller, the Customer must compensate and defend the Processor against these claims. The Customer must also compensate the Processor for any fines imposed on the Processor for violations of data protection law for which the Customer is responsible.

13. Final clauses

1. If any clause of this agreement is or becomes invalid, or if the agreement contains a gap, the remaining clauses will remain in effect. The parties agree to replace the invalid clause with a legally acceptable one that comes closest to the purpose of the invalid clause and meets the requirements of Article 28 GDPR.

2. In the event of any conflicts between this agreement and any other agreements of the parties, particularly the Contract, the provisions of this agreement will take precedence.

Annex 1.

Information on the Processing of Customer Data

Purpose and extent of Data Processing

Provision of the ExcelWay software as a web application or mobile application, and which functions as a platform for collaborating in workshops and projects; fulfillment of the Processor’s obligations under the Contract.

Types of personal data

Contact data; usage data; any data filled in by the Customer in the Software; Employee Data; Customer Data; Supplier Data; User-generated Data; User data; Profile data; Usernames; password; email; logfiles.

Categories of data subjects

Users of the ExcelWay Software; possibly other data subjects mentioned or included in data filled in by the Customer in the Software.

Annex 2.

Technical and Organizational Measures according to Art. 32 GDPR

Art. 32 (1) a) GDPR : Encryption

Protective measures, including hashing, are in place to secure the transfer of information both internally and externally. The company website is served over encrypted connections to safeguard “data in motion.” Additionally, laptops, notebooks, and mobile data carriers are encrypted to secure “data at rest.”

Art. 32 (1) b) GDPR: Confidentiality – physical access control

Security measures to ensure that unauthorized individuals are prevented from accessing data processing systems where personal data is processed or used. This includes an alarm system for the security of the buildings, windows and doors, a digital key management system, and a combination of an automated access control system and manual locking system with safety locks.

Art. 32 (1) b) GDPR: Confidentiality – data access control

Steps taken to prevent unauthorized usage of data processing systems include:

  • Login authentication using username/password and/or biometrics
  • Methods defining user rights and profiles, assigning passwords, and linking them to IT systems
  • Prompt revocation of authorization when employees depart the company
  • Use of locked casings and security locks
  • Deployment of password-protected screensavers and automatic screen locking after inactivity, as well as two-factor user authentication
  • Establishment of virtual networks to separate data streams.

Art. 32 (1) b) GDPR: Confidentiality – data usage control

Steps to maintain the security of personal data include:

  • Access limited to authorized individuals only.
  • Destruction of documents by shredding, in-house or through reliable providers, and secure erasure of data storage devices before reuse.
  • Creation of a comprehensive authorization plan that outlines varying levels of permission for reading, editing, or deleting data and password protocols. 
  • Assignment of access rights by the system administrator.

Art. 32 (1) b) GDPR: Confidentiality – transmission control

Steps to ensure the privacy of personal information during its electronic transmission or storage on data carriers include documenting all interfaces, documenting the recipients of the data, and documenting the scheduled handover or agreed deletion time frames.

Art. 32 (1) b) GDPR: Confidentiality – separation control 

Steps to ensure that data collected for different purposes can be processed separately include separation of production and test systems, an established procedure for granting authorization, and logical client separation.

Art. 32 (1) b) GDPR: Integrity – input control

Measures taken to ensure integrity include:

  • Full documentation of data management and maintenance 
  • Only authorized individuals are allowed to make input changes.
  • Data modification and deletion are done according to the authorization policy.

Art. 32 (1) b) GDPR: Availability – availability control 

Measures to ensure the safety and security of personal data from any accidental harm such as destruction or loss are as follows:

  • Climate control in the server rooms through air conditioning
  • Alarm system activated in case of unauthorized access to the server rooms
  • Fire protection through fire extinguishers and fire/smoke detection systems; uninterruptible power supply (UPS)
  • Regular data backups at secure external locations
  • Temperature, humidity and power monitoring, along with surge protection in the server rooms
  • An emergency plan and disaster recovery plan are in place, and in areas prone to flooding the server rooms are located above the flood level
  • The server rooms are separate from any sanitation facilities.

Art. 32 (1) b) GDPR: Resilience 

Measures to ensure resilience of systems include testing of the storage, access, and network capacities to ensure the ability to handle high peak and continuous loads of processing.

Art. 32 (1) c) GDPR: Restoration of availability

Measures to ensure rapid restoration of data accessibility in the event of technical or physical incidents include a redundant infrastructure design, such as RAID for hard disks, a backup plan, and the use of cloud services. The data restoration process must also be tested.

Art. 32 (1) d) GDPR: Data protection management

Measures to establish a routine for evaluating the effectiveness of the technical and organizational measures for the security of data processing, including review by the Data Security Board and IT audits.

Annex 3.

Further Processors

– Functional Software, Inc.

45 Fremont Street, 8th Floor, San Francisco, CA 94105, USA.

Application monitoring solution designed to identify, monitor and alert Customer to problems that are occurring in a Customer Application.

– Amazon Web Services Inc.

410 Terry Avenue North, Seattle, WA 98109-5210, USA.

Secure cloud service platform for database storage.

– SendinBlue

7 rue de Madrid, 75008 Paris, France.

Solution relating to marketing and transactional emails.

– Mixpanel, Inc.

One Front Street, 28th Floor, San Francisco, CA 94111, USA.

Product Analytics tool.

– Stripe Technology Europe, Limited

The One Building, 1, Lower Grand Canal Street, Dublin 2, Ireland.

Payment processing platform.

– Crisp IM SAS

2 Boulevard de Launay, 44100 Nantes, France.

Customer support and messaging service.