Data Processing Agreement

Last edited: 07/06/2024

Recitals

The CUSTOMER, depending on its activities, collects and processes personal data relating to different categories of data subjects (“Personal Data”) either as a Controller or as a Processor.

  1. The CUSTOMER wishes to engage the COMPANY as a Service Provider and use services offered by the COMPANY (the “Services”). In order to do so, the Parties have signed a Service Agreement.

  2. For the purpose of performing the Services, the COMPANY may need to process the Personal Data.

  3. The CUSTOMER and the COMPANY will only communicate and process Personal Data when this is necessary to achieve a clearly defined purpose compatible with Applicable Data Protection Legislation.

  4. The purpose of this agreement is to provide a legal framework for the processing of Personal Data performed by the COMPANY on behalf of the CUSTOMER.

  5. This agreement is hereinafter referred to as the “Data Processing Agreement” or “DPA” and is incorporated within the Agreement.

  6. Capitalized terms not defined in the DPA shall have the meaning given to them by the GDPR.

I. General Data Processing Terms

  1. The Parties acknowledge and agree that the CUSTOMER is a Controller within the meaning of the Applicable Data Protection Legislation with respect to the Processing of Personal Data.

  2. The Parties acknowledge and agree that the COMPANY is a Processor within the meaning of the Applicable Data Protection Legislation with respect to the Processing of Personal Data. 

II. Description of the processing

The description of the processing is defined in ANNEX 1. 

III. Commencement and termination

  1. This DPA is entered into for the same duration as the Agreement governing the Services provided by the COMPANY. Given the interdependence of this DPA and the Agreement, termination of the latter, for any reason whatsoever, shall result in the termination of this DPA.

  2. In case of a breach of the obligations set out in the DPA, each Party may terminate the DPA under the conditions of termination for breach defined in the Agreement.

IV. Controller and Processor obligations

IV. (a) CUSTOMER’s obligations

The CUSTOMER, as the Data controller of CUSTOMER Personal Data, is the sole party responsible for establishing the lawful basis for the processing of CUSTOMER Personal Data by the COMPANY under this DPA. Following this responsibility, the CUSTOMER will ensure that it has all necessary and appropriate legal bases and notices in place to enable the lawful processing of CUSTOMER Personal Data by the COMPANY for the duration and per the purposes of the Agreement.

The CUSTOMER, as the Data controller of CUSTOMER Personal Data, is the sole party responsible for the accuracy, quality, and lawfulness of CUSTOMER Personal Data processed by the COMPANY to fulfill its obligations.

In particular, the CUSTOMER must:

  1. provide the COMPANY with the personal data mentioned in the article “Description of the processing,” except any improper, disproportionate, or unnecessary personal data, and except any “particular” personal data within the meaning of the Applicable Data Protection Legislation. The CUSTOMER acknowledges and agrees that the COMPANY is not liable in case of processing of particular Personal Data transmitted by the CUSTOMER to the COMPANY;

  2. collect under its liability, lawfully, fairly and in a transparent manner the CUSTOMER Personal Data provided to the COMPANY, for the performance of the Service, and in particular, to ensure the lawfulness of processing and the information due to data subjects;

  3. maintain a record of processing activities carried out and more generally, comply with the principles of the Applicable Data Protection Legislation;

  4. ensure, before and throughout the processing, compliance with the obligations set out in the Applicable Data Protection Legislation.

IV. (b) COMPANY’s obligations

When processing CUSTOMER Personal Data according to this DPA, the COMPANY undertakes to:

  1. process CUSTOMER Personal Data only on the documented instructions of the CUSTOMER, as set out in the Order Form and this DPA, and as otherwise necessary for the COMPANY to provide the Services to the CUSTOMER or to comply with Applicable Data Protection Legislation unless the COMPANY is required to process CUSTOMER Personal Data for other legitimate purposes under applicable EU or EU Member State law or another particular non-EU applicable law, in which case the COMPANY shall notify the CUSTOMER of that legal requirement before such processing occurs or is permitted except where that law prohibits such notification on important grounds of public interest. Each of the parties agrees that any additional instructions outside the scope of the Agreement or this DPA will be mutually agreed between the parties;

  2. ensure that all personnel authorized to process CUSTOMER Personal Data are subject to confidentiality obligations in respect of CUSTOMER Personal Data;

  3. taking into account the nature of the processing, assist the CUSTOMER (at the CUSTOMER’s expense) by appropriate, technical and organizational measures, insofar as this is possible, for the fulfillment of the CUSTOMER’s obligations to respond to data subject data protection rights requests. The COMPANY shall not respond directly to a request from a data subject concerning data subjects’ personal data. However, the COMPANY shall notify the CUSTOMER if the COMPANY receives such a request;

  4. taking into account the nature of the processing and the information available to the COMPANY, assist the CUSTOMER in ensuring compliance with its obligations under Articles 32 to 36 GDPR;

  5. implement and maintain appropriate technical and organizational Security Measures to ensure the security of CUSTOMER Personal Data, taking into account. In the case Security Measures are not set out in the Agreement, the COMPANY undertakes to take all the measures to ensure the conformity to the requirements set out in the article 32 of the GDPR;

  6. at the choice of the CUSTOMER, delete or return all CUSTOMER Personal Data after the end of the provision of Services relating to the processing of CUSTOMER Personal Data, and delete existing copies unless EU or EU Member State law or another particular applicable law requires the COMPANY to retain such CUSTOMER Personal Data; and

  7. notify the CUSTOMER without undue delay upon becoming aware of any personal data breach.

IV. (c) International transfers

  1. The COMPANY is authorized to transfer CUSTOMER Personal Data to a country which is outside of the European Economic Area (“EEA”), in particular to the Sub-processors listed in ANNEX 1 (which may be updated to reflect the COMPANY’s current sub-processors following the process described below). In case of any change in the Sub-Processors listed in ANNEX 1, the COMPANY shall inform the CUSTOMER. The CUSTOMER has a period of 30 (thirty) calendar days from the date of receipt of this information to submit its legitimate and justifiable objections. In the absence of notification of objections after this period, the CUSTOMER shall be deemed to have authorized the transfer of CUSTOMER Personal Data outside the EEA. In case of persistent objections by the CUSTOMER, the parties will meet in good faith and use their best efforts to discuss a resolution. In the event that the Parties are unable to find such a resolution, either party may terminate the DPA upon a 30 (thirty) days’ notice.

  2. Where the CUSTOMER authorized such transfer, it shall be conditional on any export being carried out (i) on the terms of a binding agreement related to personal data processing and (ii) appropriate safeguards (e.g. the EU Standard Contractual Clauses on the transfer of personal data). 

IV. (d) Sub-processors

  1. The CUSTOMER provides a general authorization to the COMPANY to use third parties (“Sub-processors”) to process CUSTOMER Personal Data and perform the Services, in particular the Sub-processors listed in ANNEX 1 (which may be updated to reflect the COMPANY’s current Sub-processors following the process described below).

  2. The COMPANY will ensure that Sub-processors meet the requirements set out in the data protection obligations that protect CUSTOMER Personal Data to the same standard provided for by this DPA and, at a minimum, compliant with the requirements of the Applicable Data Protection Legislation and shall remain liable for a breach caused by a Sub-processor but only to the same extent that the COMPANY would be liable if it had provided the Services of the Sub-processor directly under the terms of this DPA.

  3. The COMPANY may add or make changes to its Sub-processors. In case of any change in the Sub-Processors listed in ANNEX 1, the COMPANY shall inform the CUSTOMER. The CUSTOMER has a period of 30 (thirty) calendar days from the date of receipt of this information to submit its legitimate and justifiable objections. In the absence of notification of objections after this period, the CUSTOMER shall be deemed to have authorized the use of the relevant Sub-processor(s). In case of persistent objections by the CUSTOMER, the parties will meet in good faith and use their best efforts to discuss a resolution. The COMPANY may choose, in its sole discretion, to (i) not hire the Sub-processor(s), (ii) take the corrective action requested by the CUSTOMER in connection with the objections before hiring the Sub-processor(s), or  (iii) not take any corrective action. In the event that the Parties are unable to find such a resolution, either party may terminate the DPA upon a 30 (thirty) days’ notice.

IV. (e) CUSTOMER’s Audit Rights

  1. The COMPANY shall make available information reasonably requested by the CUSTOMER to demonstrate its compliance with the Applicable Data Protection Legislation.

  2. The CUSTOMER (and/or via its third-party representatives, a data protection authority, or any other regulatory body) shall be permitted to require from the COMPANY information pertaining to its compliance regarding the processing of the CUSTOMER Personal Data.

  3. The COMPANY has 14 (fourteen) Business days to provide the CUSTOMER with the required information.

  4. In the case the CUSTOMER may ask for additional information, the CUSTOMER shall notify the COMPANY with a motivated request. The COMPANY shall provide additional information to the extent they are deemed reasonable.

IV. (f) Suspension of Processing

  1. The COMPANY has no obligation to review the lawfulness of any instruction received from the CUSTOMER.

  2. The COMPANY will notify the CUSTOMER if it is no longer able to comply with its obligations according to the Applicable Data Protection Legislation and/or this DPA (including the SCCs). The parties will meet in good faith and use their best efforts to discuss a resolution. If the Parties are unable to find a resolution, either Party may terminate the DPA upon a 30 (thirty) days’ notice. 

IV. (g) Liability

Any claims brought in connection with this DPA will be subject to the limitations set out in the Agreement.

IV. (h) General Provisions

  1. In the event of inconsistencies between the provisions of this DPA and the Agreement, the provisions of this DPA shall prevail with regard to the processing of CUSTOMER Personal Data. In the event of any conflict or inconsistency between this DPA and the SCCs, the SCCs shall prevail.

  2. Capitalized terms not defined in this DPA shall have the meaning given to them in the Agreement.

  3. Any notice to be given by either Party for the purposes of this DPA shall be sent by e-mail to the following address: legal@mindflow.io, and will be deemed received on the next working day after transmission.

  4. In the event that any provision of this DPA is invalid or unenforceable, the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability while preserving the parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained in this DPA.

  5. This DPA shall enure to the benefit of and be binding upon the respective parties to this DPA and their respective successors, personal representatives and assigns.

  6. No modification of any provision of this DPA shall be binding unless it is evidenced in writing and duly executed by or on behalf of each of the parties to this DPA.

  7. This DPA and all disputes arising from this DPA, whether contractual or non-contractual in nature, shall be governed by and construed under the laws of France. The parties irrevocably submit to the exclusive jurisdiction of the French courts concerning all matters arising out of or in connection with this DPA.

Annex 1 – Data processing details

I. COMPANY’S Governance

Data Protection Officer

Hugo David:
Hugo.david@mindflow.io

Representative

Evan Bourgouin:
Evan.bourgouin@mindflow.io

II. Data Processing Details

Categories of Data Subjects

☐ Employees of the CUSTOMER
☐ Prospects of the CUSTOMER
☐ Clients of the CUSTOMER 
☐ Users of the CUSTOMER

Categories of Personal Data

☐ Identification data (e.g. name, e-mail address, phone number)
☐ Data related to professional life (e.g. role)
☐ Economical and/or financial data (e.g. IBAN)
☐ Connection data (e.g. logs, passwords)
☐ Other: To be filled if necessary.

Nature of the Processing Operations

Collecting; 
Organizing/structuring; 
Recording; 
Storing; 
Consulting/using;
Retrieving;
Disclosing; and,
Erasing.

Purposes

Purpose n°1: User account creation
Purpose n°2: Providing the Service
Purpose n°3: Providing support
Purpose n°4: Providing training

Duration and retention periods

Purpose n°1: 90 days upon account closure.
Purpose n°2: Deletion: As long as the contract is active, then 90 days following the end of the contractual relationship.
Purpose n°3: Deletion: as long as the contract is active for tracking purposes (SLAs, bugs, complaints, etc.) and 90 days following the closure of the contract.
Purpose n°4: Deletion: As long as the contract is active, then 90 days following the end of the training.

Transfer Outside the EEA

The COMPANY is located inside the EEA. It may process data outside the EEA (see Permitted Sub-contractors).

III. Permitted Sub-contractors

Amazon Web Services EMEA SARL

Identity of Sub-contractor:
Amazon Web Services EMEA SARL
38 Av John F Kennedy L 1855 99137 Luxembourg
RCS: 831 001 334
aws-EU-privacy@amazon.com

Purposes:
Platform Hosting.

Processing Operations:
Data transferred to the COMPANY: Storage of credentials, secrets, API keys, relevant data submitted to fulfill the Flows created on Mindflow.
According to data transferred, it may contain PII or sensitive information.

Location of Processing Operations:
AWS: Germany, Ireland

Transfers Outside the EEA:
N/A.

Intercom R&D Unlimited Company

Identity of Sub-contractor:
Intercom R&D Unlimited Company
55 2nd Street, 4th Floor San Francisco, CA 94105 USA
Company number: 10917030
legal@intercom.io

Purposes:
Customer Support system.

Processing Operations:
Data exchanged between the COMPANY and CUSTOMER. May contain PII or Confidential/Restricted data.

Location of Processing Operations:
AWS US.

Transfers Outside the EEA:
Data Processing Addendum signed between Intercom and the COMPANY.
Adequacy decision EU-US Data Privacy Framework 10/07/2023

OpenAI LLC

Identity of Sub-contractor:
OpenAI LLC
Pioneer building, 3180 18th St, San Francisco, USA
legal@openai.com

Purposes:
AI Assistant

Processing Operations:
Data transformed and sent to OpenAI via the AI feature.

Location of Processing Operations:
Azure US.

Transfers Outside the EEA:
Data Processing Addendum signed between OpenAI and the COMPANY.
Adequacy decision EU-US Data Privacy Framework 10/07/2023