Data Processing Agreement

Introduction 

The parties agree that this Addendum on the subcontracting of Personal Data processing activities (“DPA”) provides a framework for the data processing relationship arising from the processing of some Personal Data carried out by Memority (“Memority” or the “Data Processor”) on behalf of and in accordance with the instructions of the Customer (“Data Controller”) in the context of the Services. The DPA is incorporated by reference into the General Terms and Conditions for the Provision of Services (“GTCPS”).

In the event of any conflict or inconsistency between the terms and conditions set out in the DPA and any other term of the contract relating to the Services that may be concluded between the Parties (“SaaS Contract”), the terms of the SaaS Contract shall prevail.

The terms of this DPA are binding on Memority in relation to all its Customers for whom Memority provides all or part of the Services.

This DPA sets out the terms and conditions applicable to the Services currently available. For previous versions of the DPA, the Customer may contact Memority.

1. Definitions

Terms beginning with a capital letter which are used but not defined in this DPA shall have the meaning ascribed to them in the GTCPS. The following definitions of terms apply to this DPA:

  • GTCPS: refers to Memority’s General Terms and Conditions for the Provision of the Services, which can be accessed from here.
  • Customer: refers to any natural or legal person who has placed an Order for Memority to provide all or part of the Services.
  • SaaS Contract: refers to the contract concluded between Memority and the Customer, the purpose of which is to define the legal, technical, organisational and commercial conditions for the provision by Memority of the Services subscribed to by the Customer, in particular the Platform.
  • DPA: refers to this Addendum on the subcontracting of Personal Data processing activities to Memority as part of the Services subscribed to.
  • Memority: refers to MEMORITY, a simplified joint stock company registered in the Nanterre Trade and Companies Register under number B 920 613 478, with its registered office at 11-13 Cours Valmy, PUTEAUX (92800).
  • Platform: refers to the Platform edited by Memority, the purpose of which is to provide Customers with the Services they have subscribed to, in relation to digital identity management. The conditions of access to the Platform and the nature of the Services subscribed to by the Customer are defined in the Order and/or the SaaS Contract.
  • Data Controller: refers to the Customer.
  • Regulations: means the regulations governing the protection of Personal Data that are applicable to the processing carried out in the context of the DPA, which includes, but is not limited to, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (“GDPR”) as well as French law n°78-17 of 6 January 1978 as amended.
  • Services: means the Services provided by Memority from the Platform and subscribed to by the Customer in its Order, which cover, in particular, the provision of the Platform, the activation of the “My Identity”, “My Access” and “My-Keys” modules, and any modification, adaptation, parameterisation, interconnection, improvement, addition, extension, translation or derived work relating to them and/or to any other element of the Platform carried out at the Customer’s request; the term also covers any additional service, in particular consulting, configuration, parameterisation and/or change support services, subscribed to by the Customer from Memority under a separate service contract.
  • Data Processor: refers to Memority.
  • Sub-Processors: refers to the data processor(s) that Memority may use, under the conditions set out in article 3 of the DPA, to carry out specific processing activities in connection with the performance of this DPA.

Terms in lower case used but not defined in this DPA have the meaning attributed to them in the GDPR.

2. Purpose and description of the processing being subcontracted

The Data Controller is solely responsible for determining the purposes for which Personal Data is or will be processed and the means of such processing.

The processing of Personal Data carried out by the Data Processor, on behalf of and in accordance with the instructions of the Data Controller, is described below:

Purpose(s) of processing: Provision and hosting of a SaaS platform

Category or categories of personal data to be processed:
☒ Civil status (surname, first name, etc.)
☒ Contact details (postal address, e-mail address, etc.)
☒ Identification or access data (identifier, password, customer number, etc.)
☐ Data relating to financial and/or economic information (income, credit card number, bank details)
☐ Official documents (passports, IDs, etc.)
☒ Location data
☒ Other (please specify): connection logs.

Are sensitive data being processed?
☒ No
☐ Yes
If so, which ones?
☐ Data relating to racial or ethnic origin
☐ Data relating to political opinions
☐ Data relating to philosophical or religious opinions
☐ Data relating to trade union membership
☐ Data relating to sexual orientation
☐ Health data
☐ Biometric data
☐ Genetic data

Categories of data subjects involved in the processing operation(s):
☒ Employees
☒ Users
☐ Customers (current or potential)
☐ Minors
☐ Students
☐ Other (please specify):

Duration of the processing:
The processing of Personal Data carried out by the Data Processor on behalf of the Data Controller begins when the SaaS Contract takes effect.
The duration of the processing operation(s) entrusted by the Data Controller to the Data Processor may not exceed the duration of the SaaS Contract.

3. Subsequent subcontracting

The Data Processor is authorised to use the services of Thales Cloud Sécurisé (brand name S3NS), a simplified joint stock company with its registered office at 54-56 avenue Hoche – 75008 PARIS (the “Sub-Processor”), to carry out the processing activities relating to the hosting of the Platform made available under the SaaS Contract.

If other Sub-Processors are used, the Data Processor must obtain the specific prior written authorisation of the Data Controller.

In any event, the Sub-Processor(s) is/are contractually bound to comply with the obligations of this DPA on behalf of and in accordance with the instructions of the Data Controller. It is the responsibility of the Data Processor to ensure that the Sub-Processor(s) present(s) the same sufficient guarantees regarding the implementation of appropriate technical and organisational measures, so that the processing meets the requirements of the Regulations, in particular the GDPR. If a Sub-Processor fails to fulfil its data protection obligations, the Data Processor remains fully liable to the Data Controller for the performance of that Sub-Processor’s obligations.

4. Security measures

Without prejudice to the provisions of Article 9 of the DPA, the Data Processor undertakes to implement the following security measures:

Technical and organisational measures implemented by the Data Processor

Measures to ensure data confidentiality:
• Data is encrypted at rest and in transit.
• Sensitive data is encrypted in
• The Platform is developed and operated according to DevSecOps principles (risk analysis, design reviews, automated security testing of the source code and of the running application (SAST and DAST), regular penetration tests, supervision by an external SOC).
• The architecture is based on the principle of defence in depth, with three distinct zones.
• The principle of least privilege is systematically applied.
• An automated vulnerability scan is carried out daily and its results are reported to the external SOC.
• Memority administrator/operator access goes through a VPN and a bastion host that records every session (keyboard and mouse activity).
• All Memority workstations benefit from specific security measures: full-disk encryption, antivirus, EDR, privileged rights management, privacy screens, MFA for all access, etc.
• Memority is subject to regular internal and external reviews/audits: access rights reviews, penetration tests, architecture/configuration/code reviews, etc.

Measures to ensure data integrity:
• Any data modification is traced (old value, new value, who, when, what).
• Data imports are subject to technical and functional checks (for the latter, the rules are defined by the Customer).
• Thresholds on mass changes trigger human verification before the changes are applied.

Measures to ensure data availability and the resilience of processing systems and services:
• The Memority Platform is deployed in three data centres in the same region of the cloud provider, operating in active/active/active mode. Within each data centre, every service runs at least two instances.
• Non-reporting data is backed up every 4 hours; backups are retained for thirty days at the cloud hosting provider.
• Reporting data is backed up every 24 hours; backups are retained for thirty days at the cloud hosting provider.
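The three integrity measures above (technical and functional checks on imports, a per-field audit trail recording old value, new value, who, when and what, and a mass-change threshold that stops a bulk change until a human approves it) are easier to reason about with a concrete model. The following is an added illustration, not Memority’s code or a description of how the Platform implements these controls; the record fields, the e-mail rule, the list of allowed departments, the threshold value and the actor names are all assumptions chosen for the example, and the sample directory and import batch are constructed inline.

```python
"""Illustrative integrity controls for a bulk identity import.

Added example (not Memority's code). Demonstrates three integrity measures:
technical and functional checks on imported records, a per-field audit trail
(old value, new value, who, when, what) and a mass-change threshold that
blocks the import until a human has approved it. All rules, field names and
threshold values below are assumptions made for the illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional
import re

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Assumed functional rule "defined by the Customer": only these departments exist.
ALLOWED_DEPARTMENTS = {"finance", "it", "hr"}

# Assumed threshold: an import touching more than this many identities needs approval.
MASS_CHANGE_THRESHOLD = 3


@dataclass
class AuditEntry:
    who: str          # actor that made the change
    when: str         # ISO-8601 timestamp (UTC)
    what: str         # e.g. "update user:alice field:email"
    old_value: object
    new_value: object


class ImportBlocked(Exception):
    """Raised when an import exceeds the mass-change threshold without approval."""


def technical_check(record: dict) -> list:
    """Schema-level checks that do not depend on the Customer's business rules."""
    errors = []
    for key in ("id", "email", "department"):
        if not record.get(key):
            errors.append(f"{key}: missing")
    if record.get("email") and not EMAIL_RE.match(record["email"]):
        errors.append("email: malformed")
    return errors


def functional_check(record: dict) -> list:
    """Business-rule checks; in the DPA's terms these rules are the Customer's."""
    if record.get("department") not in ALLOWED_DEPARTMENTS:
        return [f"department: {record.get('department')!r} not allowed"]
    return []


def apply_import(directory: dict, incoming: list, actor: str,
                 approved: bool = False, now: Optional[datetime] = None):
    """Validate `incoming`, compute the field-level changes against `directory`,
    enforce the mass-change threshold, then apply the changes.
    Returns (audit_trail, rejected) where rejected is a list of (id, errors)."""
    when = (now or datetime.now(timezone.utc)).isoformat()
    rejected, planned = [], []
    for rec in incoming:
        errs = technical_check(rec) + functional_check(rec)
        if errs:
            rejected.append((rec.get("id"), errs))
            continue
        current = directory.get(rec["id"], {})
        action = "update" if current else "create"
        for fld in ("email", "department"):
            if current.get(fld) != rec[fld]:
                planned.append((rec["id"], action, fld, current.get(fld), rec[fld]))
    # Threshold is counted on distinct identities touched, not on fields.
    touched = {uid for uid, *_ in planned}
    if len(touched) > MASS_CHANGE_THRESHOLD and not approved:
        raise ImportBlocked(f"{len(touched)} identities would change; human approval required")
    trail = []
    for uid, action, fld, old, new in planned:
        directory.setdefault(uid, {})[fld] = new
        trail.append(AuditEntry(actor, when, f"{action} user:{uid} field:{fld}", old, new))
    return trail, rejected


# Constructed sample data for the demonstration.
DIRECTORY = {
    "alice": {"email": "alice@example.com", "department": "finance"},
    "bob":   {"email": "bob@example.com",   "department": "it"},
}
IMPORT_BATCH = [
    {"id": "alice", "email": "alice.new@example.com", "department": "finance"},  # one field changes
    {"id": "bob",   "email": "bob@example.com",       "department": "it"},       # no change
    {"id": "carol", "email": "not-an-email",          "department": "hr"},       # technical reject
    {"id": "dave",  "email": "dave@example.com",      "department": "legal"},    # functional reject
]


def run_demo():
    """Small batch: below the threshold, so it is applied and audited."""
    directory = {k: dict(v) for k, v in DIRECTORY.items()}
    trail, rejected = apply_import(directory, IMPORT_BATCH, actor="hr-sync")
    return directory, trail, rejected


def run_mass_change_demo(approved: bool):
    """Five new identities: above the threshold, so it needs human approval."""
    directory = {k: dict(v) for k, v in DIRECTORY.items()}
    batch = [{"id": f"u{i}", "email": f"u{i}@example.com", "department": "it"} for i in range(5)]
    return apply_import(directory, batch, actor="bulk-loader", approved=approved)


if __name__ == "__main__":
    _, trail, rejected = run_demo()
    for e in trail:
        print(f"{e.when} {e.who} {e.what}: {e.old_value!r} -> {e.new_value!r}")
    print("rejected:", rejected)
    try:
        run_mass_change_demo(approved=False)
    except ImportBlocked as exc:
        print("blocked:", exc)
```

The threshold is evaluated before any write, so a blocked import leaves the directory untouched; the audit entries carry the actor and timestamp of the import job rather than of the approver, which a real implementation would want to record as well.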

5. Information and rights of the data subjects

(1) Information of data subjects

At the time of data collection, the Data Processor undertakes to provide the data subjects with information relating to the processing of Personal Data that it carries out.

(2) Exercise of data subjects’ rights

The Data Processor undertakes to assist the Data Controller in fulfilling its obligation to respond to requests to exercise the rights of data subjects in accordance with the Regulations in force (which refers in particular to the rights of access, rectification, erasure and objection, the right to restrict processing, the right to data portability, the right not to be subject to an automated individual decision including profiling).

In particular, the Data Processor undertakes to modify or delete Personal Data, in accordance with the Data Controller’s written instructions, especially following the exercise by a data subject of his rights, so that the data is accurate and up to date.

Where the data subjects directly make requests to the Data Processor to exercise their rights, the Data Processor must send these requests as soon as possible by e-mail to the address(es) indicated by the Customer.

6. Obligations of the data processor

The Data Processor undertakes to:

  1. Process data solely for the purpose(s) for which it is subcontracted.
  2. Process the data in accordance with the Data Controller’s documented instructions. If the Data Processor considers that an instruction constitutes a breach of the GDPR or any other provision of Union or Member State law relating to Personal Data protection, it shall immediately inform the Data Controller. In addition, if the Data Processor is required to transfer Personal Data to a third country or to an international organisation by virtue of Union law or the law of the Member State to which it is subject, it must inform the Data Controller of this legal obligation prior to processing, unless the law concerned prohibits such information on important grounds of public interest.
  3. Guarantee the confidentiality of the Personal Data processed under this DPA. To this end, the Data Processor undertakes to ensure that the persons authorised to process Personal Data under the DPA:
  • undertake to respect confidentiality or are subject to an appropriate legal obligation of confidentiality; and
  • receive the necessary training in the protection of Personal Data.
  4. Take into account, with regard to its tools, products, applications or Services, the principles of data protection by design and data protection by default.
  5. Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing and the risks to the rights and freedoms of natural persons.
  6. Help and, if necessary, assist the Data Controller in carrying out data protection impact assessments.
  7. Inform the Data Controller of the name and contact details of its Data Protection Officer, if it has appointed one in accordance with Article 37 of the GDPR.
  8. Notify the Data Controller immediately of any control measures initiated by a supervisory authority or of any other legally binding request from a public authority concerning the processing operation covered by this DPA. This notification shall include information on the Personal Data concerned, the identity of the requesting authority, the legal basis of the request and the response provided.
  9. Keep and make available to the Data Controller a record of the processing activities carried out on the latter’s behalf.

7. Obligations of the data controller

The Data Controller undertakes to:

  • Document in writing (e.g. by e-mail) its instructions concerning the processing of Personal Data by the Data Processor;
  • Ensure, as far as reasonably possible, that the Data Processor complies with the obligations laid down in the GDPR, both beforehand and throughout the processing period;
  • Supervise the processing, including carrying out or having carried out audits and inspections of the Data Processor. In this context, the Data Controller shall inform the Data Processor in writing, with acknowledgement of receipt, of the audit to be carried out at least 30 (thirty) calendar days prior to said audit, specifying the purpose of the planned checks, which shall be limited to the processing of Personal Data necessary for the performance of the SaaS Contract. The Data Processor undertakes to cooperate actively with the Data Controller and/or the third party(ies) appointed by the latter. In the event that the audit report reveals a lack of compliance of the processing of Personal Data entrusted to it as a data processor, the Data Processor undertakes to implement the required corrective actions within the period agreed with the Data Controller. The Parties undertake to limit the duration of the audits as much as possible. Only one audit may be organised per year of performance of the Contract. If this audit reveals substantial failings, a compliance verification audit may be organised. The costs of the audit shall be borne by the Data Controller, with the exception of the costs of any compliance verification audit, which shall be borne by the Data Processor.

8. Transfer of personal data to countries outside the European Union

The Data Processor undertakes to make its best efforts to avoid any transfer of Personal Data to countries outside the European Union.

In the event that such a transfer is however necessary, the Data Processor undertakes to inform the Data Controller prior to implementing the processing and to provide a legal framework for such transfers in compliance with the applicable regulations (in particular the GDPR).

In the event of a transfer to a country, territory or sector of a country that does not benefit from a European Commission adequacy decision finding that it ensures an adequate level of protection of Personal Data (or, even where such a decision exists, if the Parties deem it appropriate), the Data Processor undertakes to (i.) implement appropriate safeguards within the meaning of Article 46(2) of the GDPR and (ii.) ensure that data subjects have enforceable rights and effective legal remedies.

In general, the Data Processor will systematically base the transfer(s) of Personal Data to one or more countries outside the European Union carried out in connection with the DPA on the following transfer tool(s):
☒ Adequacy decision [1] from the European Commission (if available)
☒ European Commission standard contractual clauses (SCC)
☐ Approved internal company rules (BCR)
☐ Standard contractual clauses adopted by a supervisory authority and approved by the European Commission
☐ Approved certification
☐ Approved code of conduct
☐ Legally binding and enforceable instruments between public authorities and bodies
☐ Derogation under Article 49 of the GDPR. Specify : ……………………………………………

During the performance of the DPA, the Parties may agree in writing on new arrangements for one or more transfers of Personal Data to third countries carried out in connection with the DPA (for example, in the event that the adequacy decision on which the transfer was based is invalidated by a European institution).

The Data Processor undertakes to provide the Data Controller with any document demonstrating the implementation of appropriate safeguards.

[1] The term “adequacy decision” refers to a decision by the European Commission establishing that the third country, territory or one or more specified sectors of that third country to which the Personal Data is to be transferred ensures an adequate level of protection of Personal Data (Article 45(1) of the GDPR).

9. Data security and confidentiality

In the performance of this DPA, the Data Processor will act solely on and in accordance with the instructions of the Data Controller. In this respect, the Data Processor undertakes not to use the data entrusted to it by the Data Controller for its own account or for that of a third party.

In accordance with the Regulations in force, the Data Processor undertakes to take all appropriate measures to protect the security of the Personal Data and in particular to protect it against any accidental or unlawful destruction, accidental loss, alteration, unauthorised disclosure or access, in particular when the processing involves the transmission of data over a network, as well as against any other form of unlawful processing or communication to unauthorised persons. To this end, it undertakes in particular to implement the technical and organisational measures listed in Article 4 of this DPA.

The Data Processor undertakes to integrate the protection of privacy and the related data security requirements into the design of the service and at each stage of development.

10. Data retention period

Subject to any legal or regulatory obligation, the Data Processor undertakes not to keep the data entrusted to it by the Data Controller beyond the retention periods set by the latter in relation to the purposes for which they were collected.

11. Deletion of personal data upon termination of the SaaS contract

In the event of termination of the SaaS Contract, for whatever reason and including in the event of early termination of the SaaS Contract, the Data Processor undertakes to destroy, no later than one month after full completion of the reversibility phase, all the Personal Data hosted in connection with the SaaS Contract as well as any copies thereof existing in its information systems, subject to any legal retention and/or archiving obligations. The Data Processor undertakes to provide the Data Controller with proof of such destruction.

12. Notification of personal data breaches

If the Data Processor becomes aware of a Personal Data breach, that is, a breach of security leading, accidentally or unlawfully, to the destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed, the Data Processor shall inform the Data Controller without delay by e-mail to the e-mail address(es) provided by the Data Controller.

The Data Processor shall provide the Data Controller with the following information as soon as possible, and no later than 48 (forty-eight) hours after becoming aware of the data breach:

  • The nature of the incident;
  • The categories and approximate number of people affected by the breach;
  • The categories and approximate number of records of Personal Data involved;
  • A description of the likely consequences of the data breach;
  • A description of the measures taken or proposed to be taken by the Data Processor to remedy the data breach including, where appropriate, measures to mitigate any negative consequences; and
  • The name and contact details of the Data Protection Officer or other contact point from whom further information can be obtained.

If, and insofar as, it is not possible to provide all this information at the same time, the information may be provided in stages without undue delay.

Where applicable, the Data Processor undertakes to cooperate with and assist the Data Controller in notifying the competent authorities and/or data subjects of security breaches.

13. Documentation

The Data Processor shall make available to the Data Controller the documentation necessary to demonstrate compliance with all its obligations and to allow audits, including inspections, to be carried out by the Data Controller or another auditor appointed by it, and to contribute to such audits.

14. Applicable law and competent jurisdiction

This DPA is governed by French law.

In the event of any difficulty in the performance of the DPA, each of the Parties undertakes to first seek an amicable solution to the dispute between them. To this end, the Parties shall appoint two persons duly authorized for this purpose. These persons will meet on the initiative of the most diligent Party within thirty (30) days of receipt of the registered letter with acknowledgement of receipt requesting the holding of a conciliation meeting. The agenda for this meeting is set by the Party initiating the conciliation. The decisions taken by the Parties during this meeting will be the subject of an amendment dated and signed by the Parties.

IN THE EVENT OF ANY DISPUTE RELATING TO THE FORMATION, INTERPRETATION, PERFORMANCE OR EXPIRATION OF THE DPA, AND IN THE EVENT OF FAILURE TO REACH AN AMICABLE SETTLEMENT BETWEEN THE PARTIES WITHIN A MAXIMUM PERIOD OF THIRTY (30) DAYS FROM NOTIFICATION OF THE GRIEVANCES BY THE MOST DILIGENT PARTY, EXCLUSIVE JURISDICTION IS ASSIGNED TO THE COMPETENT COURTS OF PARIS, NOTWITHSTANDING PLURALITY OF DEFENDANTS OR THE INTRODUCTION OF THIRD PARTIES, EVEN FOR EMERGENCY PROCEEDINGS OR PROTECTIVE PROCEEDINGS BY WAY OF SUMMARY PROCEEDING (‘REFERE’) OR PETITION (‘REQUÊTE’).