Data Privacy Agreement for the Power-user software

As of 2021 12 20

This Data Processing Agreement ("Agreement" or “DPA”) forms part of the Software License Agreement ("License Agreement") between:

  • Power-User SAS, Société par Actions Simplifiée with a share capital of 4,000 euros, registered with the Paris trade and commercial register under number 813 623 733, with its registered office located at 4, avenue Stéphane Mallarmé, 75017 Paris, France (the “Licensor” or “Data Processor”),

  • And the acquirer of the Licensed Materials (the “Licensee”, or “You”).

 

(together as the “Parties”)

 

WHEREAS

 

  • The Licensee acts as a Data Controller.

  • The Licensee wishes to subcontract certain Services, which imply the processing of personal data, to the Data Processor.

  • The Parties seek to implement a data processing agreement that complies with the requirements of the current legal framework in relation to data processing and with the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

  • The Parties wish to lay down their rights and obligations.

 

IT IS AGREED AS FOLLOWS:

1.Definitions and Interpretation

 

Unless otherwise defined herein, capitalized terms and expressions used in this Agreement shall have the following meaning:

  • "Agreement" or “DPA” means this Data Processing Agreement and all Schedules;

  • "Licensee Personal Data" means any Personal Data Processed by a Contracted Processor on behalf of Licensee pursuant to or in connection with the License Agreement;

  • "Contracted Processor" means a Subprocessor;

  • "Data Protection Laws" means EU Data Protection Laws and, to the extent applicable, the data protection or privacy laws of any other country;

  • "EEA" means the European Economic Area;

  • "EU Data Protection Laws" means EU Directive 95/46/EC, as transposed into domestic legislation of each Member State and as amended, replaced or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR;

  • "GDPR" means EU General Data Protection Regulation 2016/679;

  • "Data Transfer" means:

    • a transfer of Licensee Personal Data from the Licensee to a Contracted Processor; or

    • an onward transfer of Licensee Personal Data from a Contracted Processor to a Subcontracted Processor, or between two establishments of a Contracted Processor,

    • in each case, where such transfer would be prohibited by Data Protection Laws (or by the terms of data transfer agreements put in place to address the data transfer restrictions of Data Protection Laws);

  • "Services" means all obligations, as listed forth in the License Agreement provided by the Data Processor to the Licensee.

  • Subprocessor" means any person appointed by or on behalf of Processor to process Personal Data on behalf of the Licensee in connection with the Agreement.

The terms, "Commission", "Controller", "Data Subject", "Member State", "Personal Data", "Personal Data Breach", "Processing" and "Supervisory Authority" shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly.

 

2.Processing of Licensee Personal Data

 

Processor shall:

  • comply with all applicable Data Protection Laws in the Processing of Licensee Personal Data; and

  • not Process Licensee Personal Data other than on the relevant Licensee’s documented instructions (relating to the categories of Data Subjects for the provision of the Services and for the specific purposes as set out in Annex 1 to this Agreement). The Licensee instructs Processor to process Licensee Personal Data.

 

3.Processor Personnel

 

Processor shall take reasonable steps to ensure the reliability of any employee, agent or contractor of any Contracted Processor who may have access to the Licensee Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know / access the relevant Licensee Personal Data, as strictly necessary for the purposes of the Principal Agreement, and to comply with Applicable Laws in the context of that individual's duties to the Contracted Processor, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.

4.Security

 

  1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Processor shall in relation to the Licensee Personal Data implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR. Data Processor shall implement and maintain each of the technical and organizational measures listed in Annex 2 (Technical and Organizational Measures).

  2. In assessing the appropriate level of security, Processor shall take account in particular of the risks that are presented by Processing, in particular from a Personal Data Breach.

 

5.Subprocessing

 

  1. Processor shall not appoint (or disclose any Licensee Personal Data to) any Subprocessor unless required or authorized (even tacitly) by the Licensee.

  2. Licensee hereby authorizes Data Processor to engage those Sub-processors set out in Annex 3 (Authorized Sub-processors).  

6.Data Subject Rights

 

  1. Taking into account the nature of the Processing, Processor shall assist the Licensee by implementing appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Licensee obligations, as reasonably understood by Licensee, to respond to requests to exercise Data Subject rights under the Data Protection Laws.

  2. Processor shall:

    1. promptly notify Licensee if it receives a request from a Data Subject under any Data Protection Law in respect of Licensee Personal Data; and

    2. ensure that it does not respond to that request except on the documented instructions of Licensee or as required by Applicable Laws to which the Processor is subject, in which case Processor shall to the extent permitted by Applicable Laws inform Licensee of that legal requirement before the Contracted Processor responds to the request.

 

7.Personal Data Breach

 

  1. Processor shall notify Licensee without undue delay, upon Processor becoming aware of a Personal Data Breach affecting Licensee Personal Data, providing Licensee with sufficient information to allow the Licensee to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Data Protection Laws.

  2. Processor shall co-operate with the Licensee and take reasonable steps as are directed by Licensee to assist in the investigation, mitigation and remediation of each such Personal Data Breach.

 

8.Data Protection Impact Assessment and Prior Consultation

 

Processor shall provide reasonable assistance to the Licensee with any data protection impact assessments, and prior consultations with Supervising Authorities or other competent data privacy authorities, which Licensee reasonably considers to be required by article 35 or 36 of the GDPR or equivalent provisions of any other Data Protection Law, in each case solely in relation to Processing of Licensee Personal Data by, and taking into account the nature of the Processing and information available to, the Contracted Processors.

9.Deletion or return of Licensee Personal Data

 

The Processor shall (and shall ensure that each of the Sub-processors shall) without undue delay, at the Licensee’s written request, either securely delete or securely return all Licensee Personal Data to the Licensee in such form as the Licensee reasonably requests and securely delete existing copies (except to the extent that storage of any such data is required by Data Protection Laws and/or Applicable Laws and, if so, Processor shall inform the Licensee of any such requirement).

10.Audit rights

 

Processor shall make available to the Licensee on request all information necessary to demonstrate compliance with this Agreement, and shall allow for and contribute to audits, including inspections, by the Licensee or an auditor mandated by the Licensee in relation to the Processing of the Licensee Personal Data by the Contracted Processors.

11.Data Transfer

 

  1. The Processor may not transfer or authorize the transfer of Data to countries outside the EU and/or the European Economic Area (EEA) without the prior information of the Licensee (excluding data centers and sub-processors listed in Appendix 3). If personal data processed under this Agreement is transferred from a country within the European Economic Area to a country outside the European Economic Area, the Parties shall ensure that the personal data are adequately protected. To achieve this, the Parties shall, unless agreed otherwise, rely on EU approved standard contractual clauses for the transfer of personal data.

  2. The Licensee consents to the Processing of Licensee Personal Data by the Data Processor or Sub-processor (as may apply and according to the list consented to by the Licensee in Annex 3) in any country which is considered to be an Adequate Country for the purposes of Processing Licensee Personal Data by the European Commission.

12.Termination

 

  1. Subject to Section 14.1, the Parties agree that this DPA and the Standard Contractual Clauses shall terminate automatically upon (i) termination of the Agreement; or (ii) expiry or termination of all service contracts, statements of work, work orders or similar contract documents entered into by Data Processor with the Licensee and/or Licensee’s Affiliates pursuant to the Agreement, whichever is later.

  2. Any obligation imposed on Data Processor under this DPA in relation to the Processing of Licensee Personal Data shall survive any termination or expiration of this DPA.

 

13.Governing Law and Jurisdiction

 

  1. This Agreement is governed by the laws governing the License Agreement.

  2. Any dispute arising in connection with this Agreement, which the Parties will not be able to resolve amicably, will be submitted to the exclusive jurisdiction of the courts referenced in the License Agreement.

 

14. Miscellaneous 

 

  1. Order of precedence. With regard to the subject matter of this DPA, in the event of inconsistencies between the provisions of this DPA and any other agreements (including but not limited to the License Agreement) between the Parties, the provisions of this DPA shall prevail with regard to the Parties’ data protection obligations. In the event of any conflict or inconsistency between this DPA and the Standard Contractual Clauses (if entered into), the Standard Contractual Clauses shall prevail.

  2. Severance. Should any provision of this DPA be invalid or unenforceable, then the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the Parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.

  3. Variation. The Parties covenant that in the event post execution of this DPA, that if either Party wishes to vary this DPA and any of its terms, no variation shall be valid or effective unless it is in writing and is duly signed or executed by, or on behalf of, each Party. Each Party shall pay its own costs and expenses incurred in connection with the negotiation, preparation, signature and performance of any such variation to this DPA (and any documents referred to in it).

  4. Notices. All notices and communications given under this Agreement must be in writing and delivered by email to the email address set out or such other address as notified from time to time by the Parties changing address. For the Licensor: hello@powerusersoftware.com.

 

 

 

 

ANNEX 1: DETAILS OF PROCESSING OF THE LICENSEE PERSONAL DATA

 

This Annex 1 includes certain details of the Processing of the Licensee Personal Data as required by Article 28(3) GDPR.

The subject matter and duration of the Processing of the Licensee Personal Data are set out in this DPA.

Nature and Purpose of the Processing of Licensee Personal Data:

Data Processor is engaged to provide Services to the Licensee which involve the Processing of the Licensee Personal Data. The scope of the services are set out in the Agreement, and the Licensee Personal Data will be Processed by the Data Processor to deliver those Services and to comply with the terms of this DPA.  

 

The Types of Personal Data to be Processed:

  • Basic identification data (e.g. name, username, email address, organization name),

  • Technical data (software version number, Office version number),

  • Log files,

  • Basic usage data,

  • When set up by the Licensee, metadata of shared files (names, versions, storage path), being explicitly specified that by design, the Data Processor does not have access to any of the documents of the Licensee or its Affiliates.

These types of Personal Data can relate either to the Licensee or the Licensee Affiliates. The obligations and rights of the Licensee and Licensee Affiliates are set out in this DPA.

Processing Operations Carried Out in Relation to the Licensee Personal Data:

The following Processing operations carried out in relation to the Licensee Personal Data, for the purposes of providing Services to the Licensee, the scope of which are set out in this Agreement are as follows:

  • Collecting and recording the data,

  • Hosting the data,

  • Organizing the data,

  • Adapting or altering the data,

  • Analyzing the data for diagnosis, support, update and licensing purpose,

  • Consulting or retrieving the data,

  • Disclosing or transferring the data.

 

 

 

ANNEX 2: TECHNICAL AND ORGANISATIONAL MEASURES

1. Data Processing

The Data Processor must assess and reduce the scope of data access and processing limited to what is strictly necessary for the performance of the Agreement.

 

2. Confidentiality

The Data Processor shall ensure:

  1. Access to Personal Data stored or Processed by the Data Processor is limited to members of its personnel on a strict need-to-know basis.  For the avoidance of doubt, “personnel” includes employees, agents and contractors of Data Processor.

  2. Access to facilities where information systems are located is limited to authorized personnel who are specifically identified.

  3. Relevant personnel who are authorized to grant, alter or cancel authorized access to data and resources have been appropriately identified.

  4. Authorization profiles are defined according to the roles and responsibilities of its personnel in order to restrict access to Personal Data to duly authorized users.

 

3. Backups

The Data Processor shall ensure:

  1. Backups are performed frequently, tested regularly and stored off-site.

  2. Backup storage is maintained at a secure location.

 

4. Security of Infrastructure and Applications

The Data Processor shall ensure:

  1. Software patches are applied frequently and promptly.

  2. It performs regular penetration testing, vulnerability management, and intrusion prevention.

  3. Applications, servers, storage, network devices, etc. are protected with complex passwords.

  4. Critical software updates are installed without delay.

  5. Users of the Data Processor's systems are required to notify a supervisor immediately if information is lost or stolen.

  6. It has dedicated points of contact responsible for dealing with reports of information security breaches or failures.

  7. Audit logs and records of security incidents are maintained, are subject to periodic review.

 

5. Development and Change Management Process

The Data Processor shall ensure it follows standardized procedures for coding, configuration management, patch installation, and change management for all systems involved in delivery of contracted services.

 

6. Availability

The Data Processor must:

  1. Offer a guaranteed service level for availability.

  2. Have disaster recovery and backup-and-restore processes in place.

  3. Have a business resiliency program that addresses the prompt restoration of the availability of and access to the Licensee Personal Data.

 

7. Test and Development Environments

The Data Processor shall ensure that only anonymized or dummy data are used in a non-production environment, and that these environments are secured to the same standard as production.

 

8. Miscellaneous

The Data Processor must:

  1. Have policies and procedures relevant to Personal Data and IT security in place.

  2. Have technical mechanisms and operational procedures in place to allow for the prompt retrieval, erasure, blocking and restriction of the Licensee Personal Data relating to a particular individual (i.e. an individual's personal data).

  3. Be able to port an individual's Licensee Personal Data (i.e. their personal data) to a designated third party in a structured, commonly used, machine readable format.

  4. Provide security awareness training for all personnel.

 

 

 

 

 

ANNEX 3: AUTHORIZED SUBPROCESSORS

 

Please list all data sub-processors in table below, as well as the location of their service center:

  • OVH: 59820 Gravelines, Nord-Pas-de-Calais-Picardie, France

  • GoogleMultiple data centers around the world

  • WixMultiple data centers around the world

  • Freshworks: European Economic Area

  • Chargebee: Personal data stored on AWS infrastructure in the US and data recovery in Frankfurt, Germany.

  • Stripe: Multiple data centers around the world