Data Processing Agreement

Between:

Articule, a simplified joint-stock company (société par actions simplifiée), registered with the Paris Trade and Companies Registry under number 843 409 954, with its registered office at 231 rue Saint-Honoré, 75001 Paris, operating under the trade name QONTROL (hereinafter the "Processor")

And:

Any legal entity or natural person having subscribed to QONTROL's Services in accordance with the terms of service (hereinafter the "Controller" or the "Client")


1. Purpose

This data processing agreement (hereinafter the "DPA") sets out the conditions under which QONTROL, as a data processor within the meaning of Article 28 of Regulation (EU) 2016/679 (hereinafter the "GDPR"), processes personal data on behalf of the Client, as data controller, in connection with the provision of the Services described in the terms of service (the "ToS").

This DPA forms an integral part of the contractual framework consisting of the ToS, the AUP, and the Personal Data Protection Policy.

2. Description of processing

2.1 Purposes of processing

QONTROL processes Personal Data solely on behalf of the Client and for the following purposes only:

  • Enabling the Client to measure and monitor the effectiveness of cybersecurity measures in the practices of its organization and employees;
  • Assisting the Client in selecting and implementing appropriate cybersecurity measures;
  • Enabling dynamic monitoring of the implementation of cybersecurity measures within the Client's organization;
  • Providing the Services as described in the ToS.

2.2 Categories of personal data processed

  • Identification data: surname, first name, professional email address;
  • Connection data: credentials, connection logs, IP address;
  • Usage data: data generated by the Users' interaction with the Platform;
  • Business data: documents uploaded by the Client or its Users in connection with the Services.

2.3 Categories of data subjects

  • Employees, staff, and corporate officers of the Client;
  • Any User designated by the Client to access the Platform.

2.4 Duration of processing

Processing is carried out for the entire duration of the Client's Subscription to the Services. The provisions relating to the return and deletion of data upon termination of processing are set out in Section 10 of this DPA.

3. Obligations of QONTROL

QONTROL undertakes to:

  1. Process Personal Data only on documented instructions from the Client, including with regard to transfers to a third country, unless required to do so by applicable law. In such case, QONTROL shall inform the Client of that legal requirement before processing, unless applicable law prohibits such notification;

  2. Ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under a statutory obligation of confidentiality;

  3. Take all security measures required under Article 32 of the GDPR, as described in Section 5 of this DPA;

  4. Comply with the conditions set out in Sections 6 and 7 of this DPA for the engagement of sub-processors;

  5. Assist the Client, insofar as possible, by appropriate technical and organizational measures, in fulfilling its obligation to respond to requests from data subjects exercising their rights (access, rectification, erasure, portability, restriction, objection);

  6. Assist the Client in ensuring compliance with the obligations set out in Articles 32 to 36 of the GDPR (security, breach notification, impact assessment), taking into account the nature of the processing and the information available to QONTROL;

  7. At the Client's choice, delete or return all Personal Data upon termination of the service, in accordance with Section 10 of this DPA;

  8. Make available to the Client all information necessary to demonstrate compliance with the obligations set out in this DPA and allow for and contribute to audits, in accordance with Section 9 of this DPA.

4. Obligations of the Client

The Client, in its capacity as data controller, undertakes to:

  1. Document in writing all instructions relating to the processing of Personal Data;

  2. Ensure that the processing is based on an appropriate legal basis and that data subjects have been duly informed of the processing of their data;

  3. Ensure, prior to and throughout the duration of processing, compliance with the obligations set out by the GDPR;

  4. Supervise the processing, including by carrying out audits and inspections in accordance with Section 9 of this DPA.

5. Security

QONTROL implements appropriate technical and organizational measures, in accordance with the state of the art, to ensure the security of Personal Data processed on behalf of the Client, and in particular to:

  • Protect data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access;
  • Ensure the confidentiality, integrity, and availability of data;
  • Ensure the ability to restore the availability of data in a timely manner in the event of an incident.

Personal Data is hosted on servers operated by OVH, located in France, within the European Union.

QONTROL undertakes to regularly assess the effectiveness of these measures and to adapt them in light of evolving risks and the state of the art.

6. Sub-processors

6.1 General authorization

The Client authorizes QONTROL to engage sub-processors for the performance of the Services, subject to compliance with the conditions set out in this section.

The list of sub-processors is the one published in the Personal Data Protection Policy, available on the Personal Data Protection Policy page of the Platform.

6.2 Information and right to object

The list of sub-processors is kept up to date in the Personal Data Protection Policy. It is the Client's responsibility to consult this list regularly. In the event of disagreement with a sub-processor, the Client may terminate the relevant Subscription in accordance with the ToS.

6.3 Obligations of sub-processors

QONTROL undertakes to impose on its sub-processors, by contract, the same data protection obligations as those set out in this DPA. QONTROL shall remain fully liable to the Client for the performance of obligations by its sub-processors.

7. Transfers outside the European Union

Certain sub-processors may be established outside the European Union. Transfers of Personal Data to these sub-processors are governed by the following mechanisms:

  • The EU-US Data Privacy Framework (DPF), where the sub-processor is certified, pursuant to the European Commission's adequacy decision of July 10, 2023;
  • Standard contractual clauses approved by the European Commission, as implemented by the relevant sub-processor;
  • Any applicable adequacy decision of the European Commission.

QONTROL shall not carry out any transfer of Personal Data to a third country outside of these mechanisms, except on documented instruction from the Client or as required by applicable law.

8. Data breach notification

In the event of a Personal Data breach within the meaning of Article 33 of the GDPR, QONTROL undertakes to:

  1. Notify the Client within seventy-two (72) hours of becoming aware of the breach;

  2. Provide the Client, insofar as possible, with the following information:

    • the nature of the breach, including the categories and approximate number of data subjects and data records affected;
    • the name and contact details of the point of contact at QONTROL;
    • the likely consequences of the breach;
    • the measures taken or proposed to remedy the breach and mitigate its effects;

  3. Document any data breach and make such documentation available to the Client;

  4. Cooperate with the Client and assist it in notifying the supervisory authority and, where applicable, the data subjects.

9. Audits

The Client, or a third-party auditor appointed by the Client, may carry out audits to verify QONTROL's compliance with the obligations set out in this DPA, subject to the following conditions:

  • The Client shall submit an audit request to QONTROL with reasonable notice of at least thirty (30) days;
  • The audit shall be conducted during business hours and shall not disproportionately disrupt QONTROL's activities;
  • Any third-party auditor must be subject to appropriate confidentiality obligations;
  • The Client shall bear the costs of the audit;
  • Audits shall be limited to one (1) per calendar year, except in the event of a proven breach or a requirement from a supervisory authority.

QONTROL shall make available to the Client all information necessary to demonstrate compliance with its obligations and shall contribute in good faith to the conduct of the audit.

10. Fate of data upon termination

Upon termination of the Subscription, for whatever reason, QONTROL undertakes to:

  1. Return: upon request from the Client made within ninety (90) days following the end of the Subscription, QONTROL shall return all Personal Data in a structured, commonly used, and machine-readable format;

  2. Deletion: upon expiry of the ninety (90) day period referred to above, or upon instruction from the Client, QONTROL shall delete all Personal Data and any existing copies, unless required by law to retain them. QONTROL shall provide the Client with a certificate of deletion upon request;

  3. Anonymized data: data that has been irreversibly anonymized is no longer considered Personal Data and is not subject to the obligations of return or deletion.

11. Artificial intelligence features

When the Client enables the AI Features of the Platform (as defined in the ToS), the following conditions apply:

  • Activation constitutes a documented instruction from the Client within the meaning of this DPA;
  • Personal Data contained in business data may be transmitted to Anthropic, as a sub-processor, for the processing necessary for the operation of the AI Features;
  • When the AI Features are disabled by the Client, no data is transmitted to artificial intelligence providers;
  • QONTROL applies a principle of minimization of Personal Data transmitted to artificial intelligence providers.

12. General provisions

This DPA shall enter into force on the date the Client subscribes to the Services and shall remain in force for the entire duration of the processing of Personal Data by QONTROL.

In the event of a conflict between this DPA and the ToS, the provisions of this DPA shall prevail for matters relating to the protection of Personal Data.

This DPA is governed by French law. Any dispute relating to its interpretation or performance shall be submitted to the competent court in Paris.

Point of contact: privacy@qontrol.io