When processing Personal Data, the Parties shall strictly respect the requirements of the Data Protection Regulations.
This Data Processing Agreement (hereinafter "DPA") is concluded between SCALINGO and the Client; its purpose is to define the obligations and responsibilities of the Parties with respect to the Processing of Personal Data carried out for the execution of the Agreement.
SCALINGO acts as a Subcontractor of the Client who uses the Platform to host, in particular, the Personal Data of its own clients, employees and/or other partners. SCALINGO agrees to respect its obligations as a Subcontractor and specified in Part II of the DPA.
When Processing the Personal Data of the Client's staff, subscribers to the Services, and Users of the Platform, SCALINGO acts as the Controller of such Personal Data. SCALINGO undertakes to respect its obligations as a Data Controller and specified in Part III of the DPA.
The DPA is an integral part of the Agreement concluded between SCALINGO and the Client.
The DPA takes effect at the same time as the Agreement takes effect and remains in force for the duration of the Agreement.
In the event of any inconsistency between the provisions of the DPA and those of the Agreement, the terms of the DPA shall prevail to the extent of their subject matter.
The Parties have agreed as follows:
All terms identified in the DPA that begin with a capital letter, if not defined herein, shall have the meaning given to them in SCALINGO's General Terms and Conditions of services (hereinafter the "GTC").
In addition to SCALINGO's security obligations stipulated in Article 13 of the GTC and in the PSSI, SCALINGO implements and maintains appropriate technical and organizational security measures to protect the confidentiality of the Personal Data it processes, in accordance with the requirements of the Data Protection Regulation.
These measures include the potential risks to the data subjects as a result of the processing operations carried out. These security measures comply with the state of the art and industry best practices in security, and take into account the guidelines of the Data Protection Authorities.
SCALINGO uses its best efforts to:
In case of server failure, SCALINGO will make its best efforts to restore the service as soon as possible, within the limits of the service level commitments made by the hosting provider.
These technical and organizational measures are detailed in the PSSI and regularly tested, analyzed and evaluated by SCALINGO, as part of the certified ISMS set up by the latter, to ensure their effectiveness.
SCALINGO agrees to purchase and maintain during the term of the contract an appropriate insurance policy with a leading insurance company to cover its obligations under this DPA.
The contact points of the Parties referenced for the purpose of executing the DPA are
The Parties undertake to keep each other informed in the event of a change in the above-mentioned contact points.
This DPA is governed by French law. It shall be applied and interpreted in accordance with such law.
Any dispute concerning the execution, validity or interpretation of the PAD shall be settled in the first instance by mutual consent between the duly authorized representatives of the Parties. Failing amicable resolution, any dispute shall be submitted to the jurisdiction of the courts designated in the GTC.
For the performance of the Services and, more generally, for the performance of any other task that may be entrusted to SCALINGO by the Client under the Agreement, SCALINGO may process the Personal Data that the Client may include in the Resources hosted on the Platform.
| Person concerned | Any person whose Personal Data are processed by the Client through the Resources |
|---|---|
| Purpose of the processing | Hosting of Resources on the Platform |
| Legal base | Execution of the Agreement |
| Categories of data processed | All categories, according to the processing activities carried out by the Client as Data Controller |
| Shelf life | Agreement duration + 30 days (data return period) or any other retention period requested by the Client |
As a Subcontractor, SCALINGO undertakes to respect the following obligations and to ensure that its staff complies with the following obligations, in accordance with Article 28 of the GDPR:
(a) To process Personal Data hosted by the Client on the Platform strictly for the purpose of providing the Services defined in the Agreement ;
(b) Ensure the confidentiality of the Personal Data and that its personnel authorized to process it are bound by an obligation of confidentiality;
(c) To take into account, with regard to the Platform, and more generally, its tools, products, applications or services, the principles of protection of Personal Data from the outset (privacy by design) and by default (privacy by default);
(d) Not to use Personal Data for any purpose other than those set forth in this DPA and/or the Agreement and not to retain it beyond the term of the Agreement or any other period specified by the Client.
(e) Return the Personal Data as set forth in ARTICLE 15 below;
(f) Not license, rent, lease or otherwise transfer the Personal Data, in whole or in part, to any third party without the prior written consent of Client;
(g) To reasonably assist Client in the performance of privacy impact assessments and prior consultation with the relevant supervisory authority. The Client acknowledges and agrees that such assistance will be subject to a specific quote from SCALINGO ;
(h) To answer as soon as possible to any request from the Client concerning the Personal Data processed in order to enable it to take into account, within the time limits set, any requests from the Data Subjects (right of access, rectification, deletion, opposition, etc.); the Client acknowledges and agrees that this assistance will be the subject of a specific quote from SCALINGO;
(i) Notify and assist the Client in guaranteeing compliance with obligations relating to the security of Personal Data, in particular in the context of procedures for notifying security breaches, in the conditions set out in ARTICLE 10 below. The Client acknowledges and agrees that this assistance may be subject to a specific quote from SCALINGO;
(j) Implement the necessary technical and organizational measures enabling the Client to fully respect the rights of the Concerned Persons, in particular the right of access, the right to obtain rectification or deletion of Personal Data or limitation of the processing of their Personal Data, the right to object to decisions based on profiling, as well as the right to data portability, if applicable.
(k) Define and formalise a policy for the provision and return of personal data as well as their destruction, and make it available to the Customer on request.
The Client is informed that if SCALINGO is required to disclose Personal Data to a law enforcement agency, SCALINGO will use its best efforts to provide the Client with reasonable notice and to allow the Client to seek any protective order or other appropriate remedy, unless SCALINGO is prohibited from doing so by law or by the relevant Data Protection Authority.
The Personal Data are stocked by SCALINGO in data centers of the company OUTSCALE, located in different places according to the region chosen by the Client in its Order.
The selected region can be osc-fr1 or osc-secnum-fr1.
For the region osc-fr1. The data are stocked by SCALINGO in data centers located in FRANCE managed by OUTSCALE in its eu-west-2 region (OUTSCALE DPO, 1 rue Royale, 319 bureaux de la Colline, 92210 Saint-Cloud, personal-data@outscale.com). The data centers are located in : Paris-Pantin & Magny-les-Hameaux, France. OUTSCALE's OOS storage services are located in France in OUTSCALE's eu-west-2 region and are provided to SCALINGO for database backups and log backups.
For the osc-secnum-fr1 region. The data are stocked by SCALINGO in data centers located in FRANCE managed by OUTSCALE in its cloudgouv-eu-west-1 region (OUTSCALE DPO, 1 rue Royale, 319 bureaux de la Colline, 92210 Saint-Cloud, personal-data@outscale.com). The data centers are located in: Paris-Pantin & Magny-les-Hameaux, France. OUTSCALE's OOS storage services are located in France in OUTSCALE's cloudgouv-eu-west-1 region and are provided to SCALINGO for database backups and log backups.
SCALINGO has put in place directly on the Platform, the necessary tools to allow the Client to manage alone and autonomously the requests for exercising rights, requests and/or complaints from Data Subjects, Supervisory Authorities or any other regulatory authority, within the deadlines and conditions provided for by the Data Protection Regulations.
Where necessary, SCALINGO will assist the Client which so requests, through the Support available on the Platform.
SCALINGO will do its best to implement the appropriate technical and organizational measures that the Client may request. These additional services will, if necessary, be subject to an additional price, which the Client acknowledges and accepts.
If SCALINGO becomes aware of a Personal Data breach, it will inform the Client as soon as possible after becoming aware of such a breach and provide all necessary information so that the Client can assess the breach.
In accordance with Article 33 of the GDPR, unless the violation does not result in any risk to the rights and freedoms of the Data Subjects, Client, as the Controller, shall assume responsibility for notifying the Supervisory Authority and, if the violation is likely to cause a high risk to their rights and freedoms, the affected individuals, in each Member State affected by the violation. Such notification shall be made without undue delay and no later than seventy-two (72) hours after the Client becomes aware of a breach of Personal Data.
Such notification by Client to the Supervisory Authority shall:
SCALINGO shall keep a register of processing activities carried out on behalf of the Client, identifying for itself and each of its subsequent subcontractors the processing activities carried out on behalf of the Client, the location from which the service is rendered and any transfers of Personal Data outside the European Economic Area (EEA). The register maintained by SCALINGO will also document, where applicable, the implementation of appropriate safeguards to ensure an adequate level of protection, and any other information required by the Data Protection Regulation. The register will be accessible to the Client and the Data Protection Authority at all times.
The general security requirements are set out in ARTICLE 2. - above.
With regard to the security of Personal Data processed for the purposes of performing the Services, SCALINGO implements additional measures resulting from the Data Protection Regulations. In particular, SCALINGO undertakes to implement the following measures:
By signing this DPA, the Client expressly authorizes SCALINGO to subcontract the execution of the tasks entrusted to it that involve the processing, in whole or in part, of Personal Data in the course of performing the Services.
SCALINGO undertakes to inform the Client of any planned change in the appointment or replacement of a subsequent subcontractor and to give the Client the opportunity to contest such change in writing within eight (8) calendar days. The Client may object to the new subcontractor for the Services only on the following grounds: (i) the new subcontractor is a direct competitor of the Client; (ii) the new subcontractor is involved in an ongoing dispute with the Client; (iii) the Client legitimately believes and justifies that the new subcontractor is not in compliance with the Data Protection Regulations; (iv) the replacement of the subcontractor would result in a reduction of the existing security measures.
In any case, SCALINGO guarantees that any subsequent processor it appoints offers sufficient guarantees to implement the appropriate technical and organizational measures so that the processing operations it carries out comply with the prescriptions and requirements set forth in this DPA and, more generally, the Data Protection Regulation.
Processing by an ulterior subcontractor shall be governed by a contract between SCALINGO and the subcontractor that sets forth the same rights and obligations as set forth herein, to the extent applicable, including but not limited to the obligation to ensure the security of the processing, the protection of Personal Data and the right to audit. SCALINGO will regularly ensure, including through audits, that its own ulterior subcontractors comply with the above obligations.
SCALINGO shall maintain a list of subcontractors specifying (i) their name and contact details, as well as (ii) the nature of the tasks entrusted to them, (iii) the location of the processing and ( iv) the dates of previous audits.
In any event, SCALINGO remains fully responsible to the Client for the performance of the obligations of its subsequent subcontractors.
As of the date of signature of the DPA, the subcontractors designated by SCALINGO are:
| Name | OUTSCALE |
|---|---|
| Contact details | 1 rue Royale 92210 SAINT-CLOUD |
| Purpose of the processing | Database hosting |
| Legal base | Execution of the contract concluded between SCALINGO and the subcontractor |
| Categories of data processed | All the Client's databases hosted by SCALINGO as part of the subscription to the Services |
| Location | Cf ARTICLE 8. |
| Transfers outside the EU | N/A (no transfer) |
SCALINGO will provide the Client, subject to confidentiality obligations, with all information necessary to demonstrate its compliance with the obligations of the Data Protection Regulation.
To monitor SCALINGO's compliance with the aforementioned Regulation, SCALINGO will allow audits, conducted by the Client or an independent auditor appointed by the Client, provided that such auditor does not compete with SCALINGO's activities, and limited to one audit per year.
To request an audit, Client will be required to submit a detailed audit plan at least four (4) weeks prior to the proposed audit date, describing the proposed scope, duration and start date of the audit. SCALINGO will review the audit plan and notify Client of any concerns or issues (for example, any requests for information that may violate SCALINGO's security and privacy policies).
The Parties acknowledge that all reports and information obtained during this audit are confidential information, the disclosure of which constitutes a material breach of contract.
The audit may only be conducted during SCALINGO's business hours and in a manner that does not disrupt its business. The audit does not include access to systems, information or data that are not related to the processing of Personal Data operated by the Client through the Platform. Furthermore, access to these systems shall only concern the parts specifically dedicated to the Client, excluding shared spaces. Upon express request by the Client in the context of the audit, the certification audit reports and external and internal penetration tests carried out will be communicated and available for consultation on site at SCALINGO.
The Client shall bear all costs incurred by the audit, including but not limited to the auditor's fees, and shall reimburse SCALINGO for all costs and expenses incurred by such audit, including time spent on the audit, based on the average hourly rate of the SCALINGO personnel who worked on the audit.
SCALINGO allows the Client to authorize one or more Users to export, at any time, all or part of the Data, including Personal Data, processed through the Platform, directly from the Account, in the formats of standard market tools.
At the end of the Agreement, SCALINGO undertakes to delete the Data from its systems in accordance with the conditions set out in article 10 of the GTC.
As a Data Controller, the Client ensures that Users and Data Subjects have been informed of the processing of their Personal Data for the purposes specified in this GDPR and have given their consent, if applicable. The Client warrants to SCALINGO in this regard that it complies with the Data Protection Regulation (including, but not limited to, complete, intelligible and easily accessible information to Data Subjects; an appropriate basis for the processing; and compliance with all required procedures and formalities, such as conducting an impact assessment where applicable, etc...).
The Client is exclusively responsible for selecting the Services, ensuring that the Services are adapted to operate its activities and for processing of Personal Data. In this respect, it is the Client's responsibility to take all necessary security and insurance measures to protect the Personal Data it processes through the Platform, adapted to the risks incurred, due to the processing, on the fundamental rights and freedoms of the persons concerned.
If the Client acts as a subcontractor of a third party controller, the Client guarantees to SCALINGO that
(i) it has obtained all necessary authorizations to enter into this DPA ;
(ii) the contract entered into with the Controller complies with this DPA;
(iii) that the instructions given to SCALINGO are in accordance with the instructions of the Controller;
(iv) that it remains fully responsible to SCALINGO for the proper performance of the Controller's obligations under this DPA.
The Client guarantees having obtain and to maintain, for all duration of the Agreement, all necessary consents and/or declarations/authorizations to lawfully process the Personal Data of Users and Data Subjects and more generally, to execute this DPA. The Client will indemnify and hold SCALINGO harmless from any claim or action by any User or Data Subject relating to the protection of their Personal Data.
It is reminded that SCALINGO is subject to an obligation of means in the provision of the Platform and Services to the Client. SCALINGO's responsibility towards the Client may only be sought, in accordance with article 15 of the GTC, in the case of direct damage suffered by the Client and caused by a proven contractual violation by SCALINGO committed in or during the performance of its obligations.
In any event, SCALINGO's responsibility will be capped, for all causes combined, at the amount of payments made by the latter over the last twelve (12) months of the Agreement. It is specified that in the event of loss or deterioration of the Data, and if such loss or deterioration is exclusively attributable to SCALINGO, SCALINGO's responsibility shall be limited to the reinstallation of the last backup made.
Without prejudice to the foregoing, the Client expressly acknowledges and accepts that SCALINGO shall not be liable under any circumstances for the processing of Personal Data carried out by the Client through the Platform. The Client, as the Data Controller, is exclusively responsible towards third parties for compliance with the Data Protection Regulations and guarantees SCALINGO against any action, claim or recourse from third parties (data subjects, supervisory authorities or other third parties) in this regard.
According to Article 82 of the GDPR, the responsibility of SCALINGO, as a subcontractor, is strictly limited to the contractual obligations undertaken within the framework of the DPA, SCALINGO excluding any extended responsibility in this respect. If both Parties are jointly liable for any damage caused to a person concerned as a result of the processing of his/her Personal Data through the Platform, SCALINGO may only be required to compensate the damage in proportion to its contractual responsibility towards the Client.
SCALINGO processes the following Personal Data, as data controller:
| Person concerned | Client contact, subscriber of the Services; DPO contact; Contact point able to designate a health professional; |
|---|---|
| Purpose of the processing | Client Relationship Management |
| Legal base | Execution of the Agreement |
| Categories of data processed | Last name, first name; Position; Business phone number and email address ; Company mailing address |
| Shelf life | Duration of the Agreement + archiving: 5 years (legal prescription in contractual matters) |
| Person concerned | Client contact, subscriber of the Services |
|---|---|
| Purpose of the processing | Billing |
| Legal base | Performance of the Agreement and legal obligation of SCALINGO |
| Categories of data processed | Last name, first name |
| Shelf life | 10 years from the date of the invoice |
| Person concerned | Client contact, subscriber of the Services |
|---|---|
| Purpose of the processing | Prospecting (communication of SCALINGO offers) |
| Legal base | SCALINGO's legitimate interest |
| Categories of data processed | Last name, first name; Business phone number and email address ; Company mailing address |
| Shelf life | Duration of the Agreement |
| Person concerned | User |
|---|---|
| Purpose of the processing | Account Creation |
| Legal base | Execution of the Agreement |
| Categories of data processed | Last name, first name ; Company mailing address |
| Shelf life | Duration of the Agreement + archiving: 5 years (legal prescription in contractual matters) |
| Person concerned | User |
|---|---|
| Purpose of the processing | User support system |
| Legal base | Execution of the Agreement |
| Categories of data processed | Last name, first name; Position; Professional email; connection logs; all data that the User could communicate in the framework of the support. |
| Shelf life | Duration of the Agreement + archiving: 5 years (legal prescription in contractual matters) |
| Person concerned | User |
|---|---|
| Purpose of the processing | Fraud prevention and detection, malware and security incident management |
| Legal base | SCALINGO's legitimate interest |
| Categories of data processed | Last name, first name; Position; Work email; Connection logs (activity logs); IP address; |
| Shelf life | Duration of the Agreement + archiving: 5 years; In case of discovery of an infringement during this period, duration of the criminal statute of limitations applicable to the infringement. |
The Client is informed that the Personal Data collected are further processed by SCALINGO, in order to improve the functionality and performance of the Platform and the Services and to carry out statistics. In accordance with the Data Protection Regulation, SCALINGO guarantees that the statistical results will not contain any personal data but only anonymous aggregated data. SCALINGO shall be free to use these statistical results for institutional publications concerning its products, services, and activities and for marketing purposes.
For the execution of the Agreement, SCALINGO uses third party service providers, acting as Sub-processors of SCALINGO, within the meaning of the Data Protection Regulations, on the instructions of SCALINGO, under contractual conditions signed with SCALINGO which may not derogate from the present and which comply with the Data Protection Regulations.
SCALINGO reserves the right to engage any other Sub-processors of its choice and/or change the Sub-processors at any time. The Client will be informed of this as soon as possible.
In any event, SCALINGO shall ensure that any Sub-processors it calls upon offers sufficient guarantees to implement the appropriate technical and organizational measures so that the processing it carries out on behalf of SCALINGO complies with the prescriptions and requirements set out in this DPA and, more generally, the Data Protection Regulations
As of the date of signature of the Agreement, SCALINGO's Sub-processors are:
| Name | OUTSCALE |
|---|---|
| Contact details | 1 rue Royale 92210 SAINT-CLOUD |
| Purpose of the processing | Hosting services |
| Legal base | Execution of the Agreement |
| Categories of data processed | All databases |
| Location | Cf ARTICLE 8. |
| Transfers outside the EU | N/A (no transfer) |
| Security measures in case of transfer | N/A (no transfer)> |
| Name | INTERCOM |
|---|---|
| Contact details | 5 2nd Street, 4th Floor, San Francisco, CA 94105 |
| Purpose of the processing | User’s Support |
| Legal base | Execution of the Agreement |
| Categories of data processed | Name, first name, professional email address of the User; Company, position, location; Connection data (Date of first connection, date of authentication, date of last contact, date of last email opening, browser language, browser version, operating system); Location data (IP geolocation, time zone). |
| Location | USA |
| Transfers outside the EU | Yes (USA) |
| Security measures in case of transfer | EU Standard Contractual Clauses (June 2021) |
| Name | STRIPE |
|---|---|
| Contact details | C/O A & L Goodbody, Ifsc, North Wall Quay Dublin D01 H104, Ireland |
| Purpose of the processing | Payment |
| Legal base | Execution of the contract; legal obligation (LCB-FT regulation: anti-fraud controls and management of disputes in the context of transactions) |
| Categories of data processed | Client details and bank details of the Client who uses the STRIPE service when paying by credit card or SEPA direct debit |
| Location | EU |
| Transfers outside the EU | Yes |
| Security measures in case of transfer | EU Standard Contractual Clauses (June 2021) |
| Name | PAYPAL |
|---|---|
| Contact details | 21 rue de la banque 75002 PARIS |
| Purpose of the processing | Payment |
| Legal base | Execution of the contract; legal obligation (LCB-FT regulation: anti-fraud controls and management of disputes in the context of transactions) |
| Categories of data processed | Client details and bank details of the Client who uses the PAYPAL service when paying by credit card or SEPA transfer |
| Location | USA |
| Transfers outside the EU | Yes |
| Security measures in case of transfer | EU Standard Contractual Clauses (June 2021) |
In addition to the above-mentioned Sub-processors, SCALINGO may communicate the Personal Data it processes to the following categories of recipients :
SCALINGO undertakes to process the Client's and Users' Personal Data in strict compliance with the Data Protection Regulations. To this end, SCALINGO implements and maintains security measures for the Platform and, more generally, for its computer system, in accordance with the aforementioned Regulations, as more fully specified in ARTICLE 2 above.
The Personal Data are strictly confidential and are intended exclusively for SCALINGO, which is prohibited from using the Personal Data for purposes other than those set out above. Only the recipients mentioned in ARTICLE 21 may have access to the Personal Data, for the sole purpose of performing their duties.
SCALINGO undertakes to keep the Personal Data processed for the retention period mentioned in the table identifying the processing operations in ARTICLE 19.
The Client expressly acknowledges that some Subprocessors, mentioned in ARTICLE 20, are affiliated companies of foreign groups located outside the European Economic Area. Therefore, Personal Data may be transferred outside the EEA for technical reasons (e.g. platform management, remote maintenance, etc.) or due to a legal or regulatory request. SCALINGO will notify the Client as soon as possible if such a request is made and will only transmit the Personal Data to the authorities with the Client's express consent. If such notification is not authorized (to preserve confidentiality or for judicial investigation), SCALINGO will notify the Client as soon as it is legally authorized to do so.
Except for these cases, SCALINGO undertakes to take all legal measures recognized as appropriate by the Data Protection Regulation to control the transfer concerned and to ensure that it meets the requirements of the aforementioned Regulation.
The Client and each User has the following rights:
The rights of the Client and the Users regarding their Personal Data may be exercised at any time by contacting SCALINGO by email at the following address: dpo@scalingo.com.
The Client, through one or more authorized Users, is free to export at any time, directly from its Account on the Platform, the Personal Data of the Users, in the formats of standard tools on the market.
At the end of the Agreement, for any reason whatsoever, SCALINGO will archive the Personal Data of the Client and Users in a secure environment in accordance with the Data Protection Regulations, for the legal period of limitation applicable, for the purposes of proof for the establishment, exercise or defence of a right in the context of a judicial procedure or an administrative or extrajudicial procedure.