DATA PROCESSING AGREEMENT

I. Recitals

1. The CUSTOMER, depending on its activities, collects and processes, personal data relating to different categories of data subjects (“Personal Data”) either as a Controller or as a Processor.
2. The CUSTOMER wishes to engage the COMPANY as a Service Provider and use services offered by the COMPANY (the “Services”). In order to do so, the Parties have signed a Service Agreement.
3. For the purpose of performing the Services, the COMPANY may need to process the Personal Data.
4. The CUSTOMER and the COMPANY will only communicate and process Personal Data when this is necessary to achieve a clearly defined purpose compatible with applicable Data Protection Legislation.
5. In addition, the laws of some of the countries in which the CUSTOMER operates impose controls on the processing of personal data about individuals and restrict the transfer of such personal data to other countries except under adequate safeguards.
6. The purpose of this agreement is to provide a legal framework for the processing of Personal data by the COMPANY and, when applicable, to enable the Transfer of Personal Data and provide appropriate safeguards.
7. This agreement is thereafter referred to as the “Data Processing Agreement,” or “DPA” and is composed of the Framework Agreement and of the relevant Schedule depending on their applicability as defined below.
8. The purpose of this DPA is to cover the relationships between the CUSTOMER and the COMPANY, with respect to the processing of personal data carried out, as further described below.

II. General Data Processing Terms

1. The Parties acknowledge and agree that, depending on the specific situation and on the relevant data processing activities, the CUSTOMER is a Controller or a Processor in respect of the Processing of Personal Data.
   
2. The Parties acknowledge and agree that, depending on the specific situation and on the relevant data processing activities, the COMPANY is a Processor, in respect of the Processing of Personal Data. 

III. Description of the processing

Categories of data subjects: Employee of the CUSTOMER, Users, and Clients of the CUSTOMER.

Categories of personal data: The types of personal data collected are dependent on the CUSTOMER’s use of and interaction with the Services. Examples include first name, last name, e-mail address, credentials API, issues, or queries, or any set of data relevant to the fulfillment of the Agreement (“CUSTOMER Personal Data”).

Categories of sensitive data: dependent on the CUSTOMER’s use of and interaction with the Services provided to them.

Nature and subject matter of the processing: The nature of the processing of CUSTOMER Personal Data is carried out using computers and/or IT-enabled tools, following organizational procedures and modes strictly related to the purposes indicated. The nature of the processing of CUSTOMER Personal Data includes the following actions undertaken by automated means:

• Collecting; 
• Organizing/structuring; 
• Recording; 
• Storing; 
• Consulting/using;
• Retrieving;
• Disclosing; and 
• Erasing.
  

Purposes of the processing and transfer: CUSTOMER Personal Data are collected and transferred by the COMPANY for the purposes of providing the Services to the CUSTOMER, according to the Agreement concluded between the CUSTOMER and the COMPANY, which include:

• Detecting any malicious or fraudulent activity;
• Contacting the CUSTOMER;
• Managing the CUSTOMER database;
• Managing contacts and sending messages; and 
• Session recording.

IV. Commencement and termination

1. This DPA shall take effect on the Commencement Date and shall continue in force until such time as the COMPANY ceases to Process the Personal Data.
   
2. The CUSTOMER may terminate the Service Agreement and the DPA with immediate effect by written notice if:
   
   1. The COMPANY commits a material breach of any provisions of this DPA and such breach is irremediable or (if such breach is remediable) or remains uncured for a period of 30 days after being notified in writing to remedy such breach;
      
   2. The COMPANY cannot rectify the vulnerabilities, deficiencies or breaches in accordance with its commitments under this DPA; or
      
   3. the Parties cannot agree changes to this Agreement to give effect to any change in the Data Protection Legislation to the reasonable satisfaction of the CUSTOMER.
      
3. If any of events described in the section above takes place, the CUSTOMER may instruct the COMPANY to, and the COMPANY shall immediately, stop any Processing of Personal Data and the COMPANY shall promptly amend, transfer, vary and/or delete any Personal Data held by or on behalf of the COMPANY in accordance with the CUSTOMER’s written instructions.
   
4. The provisions of this DPA that, by their nature and content, must survive the completion, rescission, termination or expiration of this DPA in order to achieve the fundamental purposes of this DPA, shall survive and continue to bind the Parties. 

V. Schedule – Controller to processor

V. (a) CUSTOMER’s obligations

The CUSTOMER, as the Data controller of CUSTOMER Personal Data, is the sole party responsible for establishing the lawful basis for the processing of CUSTOMER Personal Data by the COMPANY under this DPA. Following this responsibility, the CUSTOMER will ensure that it has all necessary and appropriate legal basis and notices in place to enable the lawful processing of CUSTOMER Personal Data by the COMPANY for the duration and per the purposes of the Agreement.

The CUSTOMER, as the Data controller of CUSTOMER Personal Data, is the sole party responsible for the accuracy and quality of CUSTOMER Personal Data processed by the COMPANY to fulfill its obligations.

In particular, the CUSTOMER undertakes to:

1. provide the COMPANY with the personal data mentioned in the article “Description of the processing,” except any improper, disproportionate, or unnecessary personal data, and except any “particular” personal data within the meaning of the Applicable Regulation;
   
2. collect under its liability, lawfully, fairly and in a transparent manner the CUSTOMER Personal Data provided to the COMPANY, for the performance of the Service, and in particular, to ensure the lawfulness of processing and the information due to data subjects;
   
3. maintain a record of processing activities carried out and more generally, comply with the principles of the Applicable Regulation;
   
4. ensure, before and throughout the processing, compliance with the obligations set out in the Applicable Regulation.

V. (b) COMPANY’s obligations

When processing CUSTOMER Personal Data according to this DPA, the COMPANY will:

1. process CUSTOMER Personal Data only on the documented instructions of the CUSTOMER, as set out in the Order Form and this DPA, and as otherwise necessary for the COMPANY to provide the Services to the CUSTOMER or to comply with Applicable Regulation unless the COMPANY is required to process CUSTOMER Personal Data for other legitimate purposes under applicable EU or EU Member State law or another particular non-EU applicable law, in which case the COMPANY shall notify the CUSTOMER of that legal requirement before such processing occurs or is permitted except where that law prohibits such notification on important grounds of public interest. Each of the parties agrees that any additional instructions outside the scope of the Agreement or this DPA will be mutually agreed between the parties in writing;
   
2. ensure that all personnel authorized to process CUSTOMER Personal Data are subject to confidentiality obligations in respect of CUSTOMER Personal Data;
   
3. taking into account the nature of the processing, assist the CUSTOMER (at the CUSTOMER’s expense) by appropriate, technical and organizational measures, insofar as this is possible, for the fulfillment of the CUSTOMER’s obligations to respond to data subject data protection rights requests;
   
4. taking into account the nature of the processing and the information available to the COMPANY, assist the CUSTOMER in ensuring compliance with its obligations under Articles 32 to 36 GDPR;
   
5. The COMPANY shall not respond directly to a request from a data subject concerning data subject’s personal data. However, the COMPANY shall notify the CUSTOMER if the COMPANY receives such a request;
   
6. implement and maintain appropriate technical and organizational Security Measures (as set out in the Agreement between the two parties or according to the relevant standards) to ensure the security of CUSTOMER Personal Data, taking into account: (a) the state-of-the-art; (b) the costs of additional implementations; (c) the nature, scope, context and purposes of the processing; and (d) the inherent risk of the processing activities to data subjects. In the case Security Measures are not set out in the Agreement, the COMPANY undertakes to take all the measures to (i) ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services (ii) to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident and (iii) to regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing;
   
7. at the choice of the CUSTOMER, delete or return all CUSTOMER Personal Data after the end of the provision of Services relating to the processing of CUSTOMER Personal Data, and delete existing copies unless EU or EU Member State law or another particular applicable law requires the COMPANY to retain such CUSTOMER Personal Data; and
   
8. notify the CUSTOMER without undue delay upon becoming aware of any personal data breach.

V. (c) International transfers

The COMPANY is authorized to transfer CUSTOMER Personal Data to a country which is outside of the European Economic Area (“EEA”), in particular to the Sub-processors listed in ANNEX 1 (which may be updated to reflect the COMPANY’s current sub-processors following the process described below). The COMPANY shall notify the CUSTOMER by email, in writing beforehand, of any intended new transfer outside the EEA. This notification shall clearly indicate the recipient of the transfer, the country of destination, the subject matter of the transfer, and the appropriate safeguards put in place pursuant to the Applicable Regulation. The CUSTOMER has a period of thirty (30) calendar days from the date of receipt of this notification to submit its legitimate and justifiable objections. In the absence of notification of objections after this period, the CUSTOMER shall be deemed to have authorized the transfer of CUSTOMER Personal Data outside the EEA. In case of persistent objections by the CUSTOMER, the parties will meet in good faith to discuss a resolution. In the event that the parties are unable to find such a resolution, either party may terminate the Agreement.

Where the CUSTOMER authorized such transfer, it shall be conditional on any export being carried out (i) on the terms of a binding agreement related to personal data processing and (ii) appropriate safeguards (e.g. the EU Standard Contractual Clauses on the transfer of personal data). The COMPANY shall promptly provide the CUSTOMER, upon request, proof and/or copies of (i) and/or (ii).

V. (d) Sub-processors

1. The CUSTOMER provides a general authorization to the COMPANY to use third parties (“Sub-processors”) to process CUSTOMER Personal Data and perform the Services, in particular the Sub-processors listed in ANNEX 1 (which may be updated to reflect the COMPANY’s current sub-processors following the process described below).
   
2. The COMPANY will impose on such Sub-processors data protection obligations that protect CUSTOMER Personal Data to the same standard provided for by this DPA and, at a minimum, compliant with the requirements of the Applicable Regulation and shall remain liable for a breach caused by a Sub-processor but only to the same extent that the COMPANY would be liable if it had provided the Services of the Sub-processor directly under the terms of this DPA.
   
3. The COMPANY may, by giving reasonable notice to the CUSTOMER, add or make changes to its Sub-processors. If the CUSTOMER objects to the appointment of an additional Sub-processor within thirty (30) calendar days of such notice on reasonable grounds relating to the protection of CUSTOMER Personal Data, the COMPANY will make its best efforts with the CUSTOMER to find an alternative solution. In the event that the parties are unable to find such a solution, either party may terminate the Agreement.

V. (e) CUSTOMER’s Audit Rights

1. The COMPANY shall make available information reasonably requested by the CUSTOMER to show that the COMPANY is complying with its data protection obligations under this DPA.
   
2. The CUSTOMER (and/or via its third-party representatives, a data protection authority, or any other regulatory body) shall be permitted to audit the COMPANY’s premises, systems, and facilities during regular business hours provided that the following requirements are cumulatively met:
   
   1. the CUSTOMER shall provide at least 14 days prior written notice of its intention to carry out an audit;
      
   2. the CUSTOMER shall promptly discharge all expenses incurred by the COMPANY;
      
   3. The COMPANY may request that any third-party representative performing an audit on behalf of the CUSTOMER shall provide written confidentiality undertakings. The COMPANY shall be entitled to refuse access to any of its premises or records (in any form) until it has received such undertakings;
      
   4. The COMPANY shall be entitled to refuse the appointment of any third-party auditor if it belongs to a competing company; and
      
   5. nothing in this DPA shall entitle the CUSTOMER to access or inspect any records which contain information relating to any other customers of the COMPANY. The COMPANY shall be entitled to restrict or prevent access to any part of its premises that it considers that, in its sole discretion, could compromise the security of any information or data relating to other customers;
      
   6. The audit shall not threaten technical and organizational security measures implemented by the COMPANY.

V. (f) Suspension of Processing

1. The COMPANY will notify the CUSTOMER if it comes to its attention that any instructions received in respect of this DPA infringe the provisions of the Applicable Regulation or other EU or EU Member State data protection provisions. Notwithstanding the preceding, the COMPANY shall have no obligation to review the lawfulness of any instruction received from the CUSTOMER.
   
2. The COMPANY will notify the CUSTOMER if it is no longer able to comply with its obligations according to the Applicable Regulation and/or this DPA (including the SCCs). The parties will meet in good faith and use their best efforts to discuss a resolution. If the parties are unable to find a resolution, either party may terminate the Agreement upon a thirty (30) days’ notice. 

V. (g) Liability

Any claims brought in connection with this DPA will be subject to the terms including, but not limited to, the exclusions and limitations set out in the Agreement.

V. (h) General Provisions

1. In the event of inconsistencies between the provisions of this DPA and the Agreement, the provisions of this DPA shall prevail with regard to the processing of CUSTOMER Personal Data. In the event of any conflict or inconsistency between this DPA and the SCCs, the SCCs shall prevail.
   
2. Capitalized terms not defined in this DPA shall have the meaning given to them in the Agreement.
   
3. Any notice to be given by either party for the purposes of this DPA shall be sent by e-mail to the following email address legal@mindflow.io and will be deemed received on the next working day after transmission.
   
4. In the event that any provision of this DPA be invalid or unenforceable, then the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability while preserving the parties intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained in this DPA.
   
5. This DPA shall ensure to the benefit of and be binding upon the respective parties to this DPA and their respective successor’s personal representatives and assigns.
   
6. No modification of any provision of this DPA shall be binding unless it is evidenced in writing and duly executed by or on behalf of each of the parties to this DPA.
   
7. This DPA and all disputes arising from this DPA, whether contractual or non-contractual in nature, shall be governed by and construed under the laws of France. The parties irrevocably submit to the exclusive jurisdiction of the French courts concerning all matters arising out of or in connection with this DPA.

Annex 1 to Schedule – Data processing details

I. COMPANY’S Governance

II. Data Processing Details

III. Permitted Sub-contractors