APPENDIX 1
PERSONAL DATA PROCESSING AGREEMENT
Within the framework of their contractual relationship, the parties undertake to comply with their obligations under the applicable regulations governing the processing of personal data and, in particular, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 applicable from 25 May 2018 (hereinafter, "the European regulation on data protection" or "GDPR") and under the Contract and in particular this appendix. The responsibilities of each party are detailed below.
Processing of Personal Data by the Service Provider acting as a subcontractor for the Client
The Provider (hereinafter, the "subcontractor") is authorized to process on behalf of the Client (hereinafter the "data controller") the Personal Data necessary to provide the Services and Optional Services, in accordance with the details provided below.
1.1. Description of the processing subject to subcontracting
The persons concerned are: survey respondents, the Client's customers and prospects, authorized users of the platform, as well as, where applicable, the Client's employees, partners or representatives whose data is collected in the context of the use of the Services.
The Personal Data processed is:
- Identification data: name, surname, pseudonym or user ID
- Contact details: email address, phone number
- Professional data: function, organization or company
- Survey participation data: responses to questionnaires, evaluations, comments and other information entered by respondents
- Technical and usage data: IP address, technical identifiers, connection logs, browsing data, timestamp
- Statistical and analytical data: Survey results, scores, indicators and aggregated data generated through the use of the Services
The types of processing carried out on Personal Data are as follows: collection, recording, organization, structuring, hosting, storage, consultation, extraction, statistical analysis, aggregation, anonymization or pseudonymization, modification, making results available to the Client, deletion or destruction of Personal Data in the context of the performance of the Services.
The purposes of the processing are:
- data collection through questionnaires, surveys or forms
- the analysis and presentation of the results of studies, surveys or barometers
- improving knowledge of the Client's customers, prospects, users or employees
- conducting satisfaction surveys, marketing studies or internal studies
- managing and fostering relationships with the Client's customers, prospects, or users
- the dissemination of information, communications, newsletters or information campaigns
- the implementation of prospecting or communication operations (including email campaigns or other electronic communications)
- the production of statistics, indicators and dashboards
- the technical administration, security and improvement of the Services provided by the Provider
1.2. Obligations of the Service Provider, in its capacity as a subcontractor
The subcontractor agrees to:
a) process Personal Data only for the purposes for which the subcontracting is carried out;
b) process Personal Data in accordance with the following documented instructions from the data controller:
The subcontractor processes Personal Data only to the extent necessary for the provision of the Services and Optional Services provided for in the Contract and the associated Commercial Proposal and in accordance with this Annex.
If the processor considers, without being required to actively monitor the matter, that an instruction constitutes a violation of the GDPR or any other provision of Union or Member State law relating to data protection, it shall immediately inform the data controller. Furthermore, if the processor is required to transfer personal data to a third country or an international organization under Union or Member State law to which it is subject, it must inform the data controller of this legal obligation before processing, unless the law in question prohibits such notification for important reasons of public interest;
c) make its best efforts to ensure the confidentiality of Personal Data processed under the Contract;
d) ensure that the persons authorized to process Personal Data under the Contract:
- undertake to respect confidentiality or are subject to an appropriate legal obligation of confidentiality;
- receive the necessary awareness regarding the protection of Personal Data;
e) take into account, with regard to its tools, products, applications or Services, the principles of data protection by design and data protection by default.
f) Subcontracting: the subcontractor is authorized to use the following entities (hereinafter, the "subsequent subcontractor"):
OVHcloud
- Company name: OVH SAS
- Address: 2 rue Kellermann, 59100 Roubaix, France
- Server location: European Union (mainly France)
- Processing provided: data hosting, cloud infrastructure, data storage and backup (as part of the Services, when this option is subscribed to by the Client)
Sellsy
- Company name: Sellsy SAS
- Address: 50 avenue du Lazaret, 17000 La Rochelle, France
- Server location: European Union (France)
- Services provided: customer relationship management, support ticket management (ticketing), sending communications and emails (including support and information related to the Services)
If additional subcontractors are subsequently engaged, the subcontractor must inform the data controller in writing beforehand of the proposed change, including the name of the new subcontractor, their contact details, the date of the subcontracting agreement, and the processing activities to be subcontracted. If the data controller does not object within eight (8) days of receiving this notification, they are deemed to have accepted the change, and the subcontracting may be implemented.
The subsequent sub-processor is required to comply with the obligations of the Contract on behalf of and according to the instructions of the data controller. It is the Provider's responsibility to ensure that the subsequent sub-processor offers the same guarantees regarding the implementation of appropriate technical and organizational measures that comply with the requirements of the GDPR. If the subsequent sub-processor fails to fulfill its data protection obligations, the Provider remains fully liable to the data controller for the subsequent sub-processor's performance of its obligations.
g) Right of information of the persons concerned: it is the Client's responsibility to provide information to the persons concerned by the processing operations at the time of collection or transmission of Personal Data to the subcontractor, including the processing relating to the notification of vulnerabilities by its service providers in application of Articles L2321-4-1 and R2321-1-16 et seq. of the Defence Code.
h) Exercise of data subject rights: where possible, the subcontractor must assist the controller in fulfilling its obligation to respond to requests to exercise the rights of data subjects: right of access, rectification, erasure and objection, right to restriction of processing, right to data portability, right not to be subject to an automated individual decision.
The Client will communicate with the data subjects to invite them to contact the Client to exercise their rights. If, despite this, the data subjects submit requests to the subcontractor to exercise their rights, the subcontractor must forward these requests immediately upon receipt by email to the address provided for this purpose by the Data Controller or, failing that, to their contact person at the Data Controller.
i) Notification of Personal Data Breaches: The processor shall notify the controller of any personal data breach within a maximum of 24 working hours of becoming aware of it, by email to the address provided for this purpose by the controller or, failing that, to the address of its usual contact person at the controller. This notification shall be accompanied by all relevant documentation to enable the controller, if necessary, to notify the competent supervisory authority of the breach. The data controller is informed that in the event of a finding of significant vulnerability affecting one of its products or in the event of a computer incident compromising the security of its information systems and likely to significantly affect one of its products, the Provider has a legal obligation to notify ANSSI, and may be required, if circumstances require, to notify any person considered to be a user of its products, pursuant to Articles L2321-4-1 and R2321-1-16 et seq. of the French Defence Code.
j) Assistance by the data processor in the context of the data controller's compliance with its obligations: the data processor assists the data controller in carrying out data protection impact assessments when required. The data processor assists the data controller in conducting the prior consultation with the supervisory authority when required. This assistance may be billed at the current rate for project management assistance if the data controller places excessive demands on the data processor, namely more than one person-day per year for these matters, even though the data processor has provided all relevant information regarding its services.
k) Security measures: the subcontractor undertakes to make its best efforts, within commercially reasonable limits, to implement security measures in accordance with good practices and in particular those documented and transmitted to the Client before the signing of the Contract.
l) Handling of Personal Data: Personal Data may only be processed by the subcontractor in accordance with the instructions of the data controller and this appendix. Upon termination of the Contract, the Personal Data will be returned to the Client or destroyed, in accordance with the provisions of the "Termination" clause of the Contract.
m) Data Protection Officer: any request related to this annex should be sent by email to the contact designated by the Data Controller for this purpose or, failing that, to the usual contact person of the subcontractor at the Data Controller.
n) Register of processing activity categories: the subcontractor declares that it keeps a written register of all categories of processing activities carried out on behalf of the controller;
o) Documentation: the subcontractor shall make available to the controller the documentation necessary to demonstrate compliance with all its obligations and to allow for audits, including inspections, by the controller or another auditor appointed by the controller, and contribute to these audits.
1.3. Obligations of the Client, the data controller
The data controller undertakes to:
a) Provide the subcontractor with the Data necessary to enable the latter to implement the Services;
b) Ensure a determination of the roles and rights of Users accessing Personal Data in accordance with the principle of "privacy by default" and inform the subcontractor of the departure of a User within eight (8) days of leaving its staff at the latest so that his account can be deleted;
c) Document in writing all instructions concerning the processing of data by the subcontractor and verify their compliance with the GDPR beforehand. In this respect, the data controller cannot evade its responsibility by claiming the subcontractor failed to provide warnings, and cannot validly hold the subcontractor liable in this context;
d) Ensure, beforehand and throughout the duration of the processing, compliance with the obligations provided for by the GDPR;
e) Present itself as the interlocutor for the persons concerned for the exercise of their rights;
f) Not send personal data to the Database Provider by email or other unsecured means of transmission.
Furthermore, the data controller declares and warrants that:
- Personal data transmitted to the Provider, or collected via the Services, is collected and processed in compliance with applicable regulations;
- it has validly informed the persons concerned, in accordance with the GDPR;
- where applicable, it has obtained the consent of the persons concerned for the envisaged processing at the time of collection or at any appropriate time;
- it allows the persons concerned to exercise their rights in accordance with the regulations, by informing them that the exercise of rights is carried out directly with the Client;
- the information is accurate, complete, unambiguous and up-to-date, without any request from the persons concerned to prohibit its collection, use, communication or storage; failing that, it undertakes to rectify, complete, clarify, update or delete it.
Updated on 31/03/2026