Privacy Reeport

Protection of personal Data

1 The CLIENT is solely responsible for the processing of Data

1.1 The CLIENT guarantees that it is the sole owner of the Data, particularly the personal data, which are processed by the Service, including Data transmitted to the software by service providers subscribed to by the CLIENT. In order to maintain Data confidentiality, the CLIENT agrees to send only pseudonymized Data to UPTILAB (Art. 4.5. of EU Regulation 2016/679) by means of a unique identifier which the CLIENT assigns to each of its clients/prospects, so that UPTILAB would not be able to directly identify the natural person to whom the unique identifier was assigned. In no circumstances does UPTILAB have the technical means to allow them to make a connection of any kind whatsoever between the unique identifier assigned by the CLIENT and the Data allowing them to directly identify each natural person in question.

1.2 It is hereby stated that UPTILAB does not carry out any data collection on behalf of the CLIENT. On the Platform, UPTILAB only processes pseudonymized Data, either directly transmitted by the CLIENT, or transmitted indirectly by the representatives of the service providers chosen by the CLIENT. It is solely up to the CLIENT (i) to choose which data providers to subscribe to, and (ii) to confer with the latter to determine the nature and volume of the Data to be processed by the Service. UPTILAB shall not be responsible for an interruption in Data provision by the service providers that the CLIENT subscribes to.

1.3 The CLIENT agrees to unequivocally remind the persons whose Data are processed, even after pseudonymization and possibly encryption, that all the rights of the persons in question (right to access, to correction, etc.) must be exercised by such persons directly with the CLIENT, UPTILAB agreeing to comply with any reasonable and legitimate written instruction from the CLIENT in this regard.

2 CLIENT guarantees regarding Personal Data

2.1 In accordance with European and French legislation on the protection of personal data and in particular, Regulation 2016/679 of April 27, 2016 (together the "General Data Protection Regulation " or "GDPR"), prior to the CLIENT using the Software or Service and for the duration of the Contract, the CLIENT guarantees UPTILAB:

(i) that it has collected and processed personal Data in a lawful, fair and transparent manner for specific, explicit and legitimate purposes which UPTILAB is in no way aware of, and of which the CLIENT declares to have duly informed the persons concerned. Consequently, any obligation of prior declaration concerning the processing of its personal Data to a supervisory authority is its sole responsibility, and the CLIENT guarantees UPTILAB that it has done so;

(ii) that it is solely responsible for the processing of personal Data collected by it, directly or indirectly, or processed during its use of the Service, in particular when this Data is transmitted directly or indirectly to the Platform by service providers subscribed to for this purpose, whether free of charge or paid for;

(iii) that it alone determines the purposes and means for the processing of its personal Data, in particular through the use of the Service. Consequently, it is the CLIENT's responsibility, prior to using the Service, to verify that the request for the processing of personal Data addressed to UPTILAB is in accordance with the purpose and means of personal Data processing implemented by the CLIENT.

2.2 The guarantees given by the CLIENT to UPTILAB under this clause are substantial or essential conditions for which the CLIENT is responsible so that UPTILAB cannot be held responsible in this regard, on any basis whatsoever. In the opposite case, the CLIENT agrees to absolve UPTILAB from, and guarantee against, without restriction or reservation, any consequences, in particular pecuniary, charged to UPTILAB.

3 UPTILAB is a sub-contractor for the processing of the CLIENT's personal Data

3.1 UPTILAB acts as a sub-contractor in the processing of the CLIENT's personal Data in the sense of Article 28 GDPR and Article 35 of Act No. 78-17 of January 6, 1978. Consequently, UPTILAB agrees (i) not to process the CLIENT's personal Data other than under the terms of the Contract and (ii) not to carry out any other processing of the CLIENT's personal Data not provided for in the Contract, except (i) on written and legitimate instructions from the CLIENT and (ii) within the following limits.

3.2 UPTILAB reminds the CLIENT that, pursuant to Art. 28.3. h) par. 2 GDPR, any new request for processing of the CLIENT's Personal Data by UPTILAB, even on the express instructions of the CLIENT, which could lead to non-compliance with the GRDP, requires UPTILAB to inform the CLIENT immediately. UPTILAB reserves the right to refuse instructions from the CLIENT that they might seem to be unlawful within the meaning of Articles 82.2 and 82.3 GDPR. In this case, a documented written refusal by UPTILAB does not allow the CLIENT to terminate the Contract, unless the CLIENT accepts its liability vis-à-vis UPTILAB for the early and unfounded termination of the Contract.

3.3 UPTILAB's obligations, especially the Platform services, may be carried out by another sub-contracted company. UPTILAB remains solely responsible to the CLIENT for the provision of the services entrusted to a subcontractor and guarantees, within the meaning of Article 1204 [new]) Civil Code, the Platform's strict compliance with the provisions of the Contract. If the third party sub-contractor does not deliver the services that it was contractually charged with by UPTILAB, UPTILAB may be ordered to pay damages (Art. 1204 [new] Civil Code) to the CLIENT.

3.4 In accordance with Law No. 75-1334 of December 31, 1975, by signing the Contract, the CLIENT expressly approves the Platform identified in the Purchase Order as a sub-contractor for the hosting services included in the Service. The payment terms agreed to between the Platform and UPTILAB are detailed in the Purchase Order. Due to the large number of clients using its Service via the Platform, it is not possible for UPTILAB to submit a change of Platform to the CLIENT for prior approval. The CLIENT acknowledges and accepts that UPTILAB may freely and at any time change the Platform, provided that they inform the CLIENT and that (i) the new Platform offers at least the same performance as the Platform identified in the Purchase Order, (ii) the switch to the new Platform would be performed by UPTILAB without interruption of the Service provided to the CLIENT, (iii) the Platform complies with all UPTILAB's commitments in terms of GRDP and (iv) UPTILAB does not change the Subscription fee.

3.5 In accordance with Art. 30.1 GDPR and no later than 25 May 2018, UPTILAB agrees to maintain an up-to-date list of the CLIENT's personal data processing including:

a) the name and contact details of the data processor and, where applicable, the data protection officer;

b) the purposes of the processing;

c) a description of the categories of persons concerned and the personal Data categories;

d) the categories of recipients to whom personal Data have been or will be sent, including recipients in third-party countries or international organizations;

e) if applicable, transfers of personal Data to a third-party country or to an international organization, including the identification of this third-party country or this international organization;

f) to the extent possible, the time limits for the deletion of the different Data categories;

g) as far as possible, a general description of the technical and organizational security measures concerning the Service in accordance with the provisions set out in the clause "4. Security and Confidentiality of Personal Data".

4 Security and Confidentiality of Personal Data

4.1 UPTILAB agrees to technically process the CLIENT Data solely in order to render the Service, to the exclusion of any other use for the benefit of UPTILAB or third parties. In accordance with the GRDP, the CLIENT'S Personal Data is processed by UPTILAB on servers located exclusively within the territory of the European Union and are not subject to any transfer outside the EU, except pursuant to an adequacy decision by the European Union (Argentina, Canada, Israel, New Zealand, Switzerland, Uruguay and "Privacy Shield").

4.2 UPTILAB agrees to ensure the security and protection of confidentiality of the CLIENT's personal Data in particular to prevent it from being misrepresented, damaged or distributed to an unauthorized third party. The details of the internal technical measures to ensure the security and confidentiality of CLIENT Data appear in the clause "Protection of personal Data". UPTILAB agrees to adhere to and to ensure that all technical service providers responsible for the implementation of the Service, in particular the Platform, adhere to the strictest levels of confidentiality and security in the processing of the CLIENT's personal Data, in accordance with industry standards and in strict adherence to the GDPR.

5 Notification of security breaches

5.1 Pursuant to Art. 33.1 and 33.2 GDPR and no later than 25 May 2018, UPTILAB undertakes to inform the CLIENT in writing and without delay of any breach of personal Data security transmitted or processed through the Service where such a breach involves unauthorized access, disclosure, alteration, loss or destruction of this Data, either accidentally or unlawfully. It is then up to the CLIENT alone to inform (i) the supervisory authority to whom it reports, and (ii) the persons concerned when this breach of personal Data security "is likely to generate a high risk to rights and freedoms".

5.1 If the CLIENT is classified as a supplier "to the public, of electronic communications services on electronic communications networks open to the public" within the meaning of Article 34 bis of Law 78-17 of January 6, 1978, UPTILAB agrees to inform the CLIENT immediately of any "breach of security resulting in accidental or unlawful destruction, loss, alteration, disclosure or unauthorized access" to the CLIENT's personal Data; it is the CLIENT's responsibility to inform the CNIL [French National Commission for Data Protection]) and, where applicable, the persons concerned. In the event of a security breach, UPTILAB agrees (i) to promptly implement all the appropriate corrective technical measures regarding the Software and/or Service to put an end to the identified security breach, in particular to render the Data incomprehensible to any person not authorized to have access, and apply these to the Data affected by this security breach and (ii) to explain it to the CLIENT in writing as soon as possible.

6 CLIENT Data Encryption

Pursuant to Law No. 2015-912 "Intelligence" of July 24, 2015 and where UPTILAB would have encrypted all or part of the CLIENT's Data pursuant to the Contract, UPTILAB reminds the CLIENT that under penalty of penal sanctions, "[service providers] providing cryptology services to ensure confidentiality shall be obliged to provide, within 72 hours, to [specialized intelligence services] agents, at their request, the deciphering mechanism of the processed data by means of the services provided by them. Agents [of specialized intelligence services] may request suppliers [of cryptology services] to implement these mechanisms themselves within 72 hours unless [the provider of the cryptology services] demonstrates that it is not able to satisfy these requisitions".