Data processing agreement.
This Data Processing Agreement ("DPA") forms part of the Terms of Service between the customer organization ("Controller") and Fabien Dumont, operating as Solid Code Studio, 16 rue du petit tour, 86000 Poitiers, France ("Processor", "we"). It applies whenever we process personal data on behalf of the Controller in connection with the HeldBy Service (the "Service") and reflects the requirements of Article 28 of the EU General Data Protection Regulation ("GDPR").
The Controller determines the purposes and means of processing personal data about its employees, contractors, and other individuals whose assignments are tracked in the Service ("Data Subjects"). The Processor processes that data solely to provide the Service under the Controller's instructions, as set out in the Terms of Service and this DPA.
- Subject matter: hosting and operation of HeldBy, a SaaS platform for tracking company assets assigned to team members.
- Duration: for as long as the Controller has an active account, plus the retention periods described in our Privacy Policy.
- Nature and purpose: storing, displaying, updating, and searching organization, membership, and asset records; sending operational emails; enabling authentication and access control.
- Data Subjects: the Controller's employees, contractors, team members, and invited users.
- Categories of personal data: identification data (first name, last name, email), account credentials (hashed passwords, security stamps), role and organization membership, asset assignment records, technical data (IP address, user agent, session and login activity).
- No special categories: the Service is not designed to process special categories of personal data (Article 9 GDPR). The Controller shall not submit such data to the Service.
We will:
- Process personal data only on the Controller's documented instructions, including with regard to transfers, unless required to do so by EU or Member State law. In that case, we will inform the Controller before processing unless that law prohibits such notice.
- Ensure that personnel authorized to process personal data are bound by confidentiality obligations.
- Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as described in the security measures listed below.
- Assist the Controller, by appropriate technical and organizational measures, in responding to requests from Data Subjects exercising their rights under Chapter III of the GDPR (access, rectification, erasure, restriction, portability, objection).
- Assist the Controller in ensuring compliance with Articles 32 to 36 GDPR (security, breach notification, data protection impact assessments, prior consultation), taking into account the nature of the processing and the information available to us.
- At the Controller's choice, delete or return all personal data to the Controller after the end of the Service, and delete existing copies unless EU or Member State law requires storage.
- Make available to the Controller all information necessary to demonstrate compliance with Article 28 GDPR, and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller, subject to reasonable confidentiality and scheduling arrangements.
The Controller:
- Warrants that it has a valid legal basis for the processing carried out through the Service and that its instructions comply with applicable data protection law.
- Is responsible for informing its Data Subjects about the processing and for handling their rights requests in the first instance.
- Shall not submit to the Service any personal data that it is not authorized to process, nor any special categories of data.
The Controller provides general written authorization for the Processor to engage the sub-processors listed in Annex A. We will inform the Controller of any intended addition or replacement of sub-processors at least 30 days in advance, giving the Controller the opportunity to object on reasonable grounds related to data protection. If the Controller objects and the parties cannot agree on a solution, the Controller may terminate the affected Service.
We impose on each sub-processor, by contract, data protection obligations equivalent to those set out in this DPA. We remain fully liable to the Controller for the performance of our sub-processors' obligations.
Some sub-processors are established in the United States (see Annex A). Transfers of personal data outside the European Economic Area are performed under the Standard Contractual Clauses approved by the European Commission (Commission Implementing Decision (EU) 2021/914), together with any supplementary technical and organizational measures required by case law and EDPB guidelines.
We implement at minimum the following measures:
- Encryption of personal data in transit (TLS 1.2 or higher).
- Password hashing using industry-standard algorithms.
- Authentication and session management: rotating refresh tokens, security stamp invalidation, rate limiting on authentication endpoints, account lockout after repeated failed attempts.
- Role-based access control at the application level and row-level security at the database level to isolate each organization's data.
- Least-privilege database access for application services.
- Infrastructure security provided by our hosting sub-processors (network isolation, DDoS protection, hardened hosts, patched runtimes).
- Structured logging with sensitive-data masking and correlation IDs for incident investigation.
- Regular review of dependencies and security updates.
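To make the row-level security and least-privilege measures above concrete, the following is an added illustration of how per-organization isolation is typically enforced in PostgreSQL. It is not the Service's own schema: the table, column, role and setting names (`assets`, `organization_id`, `heldby_app`, `app.current_org_id`) and the sample UUID are assumptions chosen for the example.

```sql
-- Added example (not the project's schema): tenant isolation with PostgreSQL
-- row-level security, combined with a least-privilege application role.

CREATE TABLE assets (
    id              bigserial PRIMARY KEY,
    organization_id uuid        NOT NULL,   -- the tenant that owns the row
    name            text        NOT NULL,
    assigned_to     uuid                    -- membership id of the assignee, if any
);

-- Turn on RLS and force it even for the table owner, so no connection path
-- (migrations aside) can read another organization's rows by accident.
ALTER TABLE assets ENABLE ROW LEVEL SECURITY;
ALTER TABLE assets FORCE ROW LEVEL SECURITY;

-- One policy covers reads (USING) and writes (WITH CHECK). The organization is
-- taken from a per-transaction setting that the application sets after it has
-- authenticated the user and resolved their membership. The second argument
-- (missing_ok = true) makes current_setting() return NULL instead of raising
-- when the setting is absent; NULL never compares equal, so a request that
-- forgot to set the organization sees no rows at all: the policy fails closed.
CREATE POLICY assets_org_isolation ON assets
    USING      (organization_id = current_setting('app.current_org_id', true)::uuid)
    WITH CHECK (organization_id = current_setting('app.current_org_id', true)::uuid);

-- Least-privilege role for the application service: only DML on the tables it
-- needs, no ownership, and (by default) no BYPASSRLS or SUPERUSER attribute.
CREATE ROLE heldby_app LOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON assets TO heldby_app;
GRANT USAGE, SELECT ON SEQUENCE assets_id_seq TO heldby_app;

-- Per-request pattern, executed by the application as heldby_app.
-- SET LOCAL scopes the value to this transaction, so a pooled connection
-- cannot leak one tenant's context into the next request.
BEGIN;
SET LOCAL app.current_org_id = '3f1c2a44-9b7e-4d5a-8c21-0e6f7a9b1d22';  -- constructed sample id
SELECT id, name, assigned_to FROM assets;          -- only that organization's rows, even without a WHERE
INSERT INTO assets (organization_id, name)
    VALUES ('00000000-0000-0000-0000-000000000001', 'Laptop');  -- different org: rejected by WITH CHECK
COMMIT;
```

The policy is a safety net underneath the application's role-based checks, not a replacement for them: the application still decides which organization a session belongs to and must set the context on every transaction. Two things are worth verifying in a review: that the application role has neither `BYPASSRLS` nor ownership of the protected tables (otherwise the policy is silently skipped), and that the context is set with `SET LOCAL` or `set_config(..., true)` rather than a session-level `SET` when connections are pooled.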
We will notify the Controller without undue delay, and in any event within 72 hours of becoming aware, of any confirmed personal data breach affecting the Controller's data. Our notification will include, to the extent known, the nature of the breach, the categories and approximate number of Data Subjects and records concerned, the likely consequences, and the measures taken or proposed.
Liability under this DPA is subject to the limitations set out in the Terms of Service, to the extent permitted by law. In the event of a conflict between this DPA and the Terms of Service regarding the processing of personal data, this DPA prevails.
This DPA is governed by French law, in line with the Terms of Service.
| Sub-processor | Purpose | Location |
|---|---|---|
| Cloudflare, Inc. | Frontend hosting, CDN, DDoS protection | United States |
| Fly.io, Inc. | Backend application hosting and database | United States |
| Stripe, Inc. | Payment processing and billing portal | United States |
| Resend, Inc. | Transactional email delivery | United States |
For any question regarding this DPA or to submit data protection requests, contact [email protected].