For the purposes of this DPA the terms "Controller", "Processor", "Personal Data" and "Processing" shall have the meaning given to these terms in Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 repealing Directive 95/46/EC, applicable from 25 May 2018 (hereinafter "GDPR").
In accordance with Article 28 of the GDPR, the following provisions shall apply to all Personal Data processed by COMBODO while performing the Services.
It does not apply to Personal Data directly processed by COMBODO for the purposes of the Subscription, such as Owner’s Data. COMBODO shall be considered as data controller of Owners’ Personal Data (e-mail, surname, first name and telephone number), as well as all User’s IDs, collected and processed for the sole purpose of performing its obligations and monitoring the commercial relationship, in compliance with CNIL "Commercial Management" Reference Tool of December 28, 2018.
The following DPA applies to all Users’ Personal Data, as well as all Personal Data hosted in the Client’s Instance of the Application.
The Client shall be considered as data controller of Users’ Personal Data and of all other Personal Data processed by the Application under the applicable regulations on the protection of personal data, COMBODO being considered as "processor" in its capacity as Service provider (specifically, hosting services provider and Support Services provider).
COMBODO shall only be held liable, as processor, for potential breaches of its obligations specifically provided for in the Agreement or by the applicable regulations on protection of Personal Data, or if it has not complied with, or has acted beyond, the specific instructions of the Client.
COMBODO shall not be held liable for any failure by the Client to comply with these regulations, and which would not be attributable to him under the Agreement, pursuant to Article 82.3 of the GDPR.
In any event, COMBODO's liability to the Client, in the event of a claim by a User under the joint liability instituted by Article 82.4 of the GDPR, is limited to the amount set forth in the "Liability" section of these General Terms and Conditions.
The Client represents and warrants to COMBODO that it has fulfilled all of its obligations towards Users under the terms of the French law of January 6, 1978, known as the "Informatique & Libertés" law, as well as under Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (“GDPR”), and under other applicable French and European laws and regulations. In particular, COMBODO shall not be held liable for defaulting or lack of information of Users by the Client on the use and processing that is made of their personal data and on the rights granted to them (right of opposition, right of access and rectification, right of portability, right of deletion, right to limit processing), in connection with the use of the Application.
More specifically, the Client represents and warrants that he will not process any special categories of personal data, such as personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation; or yet that, if he chooses to process such data, he has obtained specific and explicit consent of the Data Subjects.
Consequently, the Client shall hold harmless and indemnify COMBODO against any claim, action, or proceedings brought by a User whose Personal Data is hosted by the Application or processed in any way by COMBODO under this Agreement and related to a breach by the Client of its own legal obligations.
COMBODO is authorized to process Personal Data within the limits described below:
As regards the authorized Processing, COMBODO commits to:
i) process the data solely for the purpose(s) that is/are the subject of the processing,
ii) process the data in accordance with the Client's documented instructions,
iii) guarantee the confidentiality of the personal data processed under the Agreement,
iv) ensure that persons authorized to process personal data under this Agreement:
• are committed to confidentiality or are subject to an appropriate legal obligation of confidentiality
• receive the necessary training in the protection of personal data
v) not use, allow or facilitate the use of Personal Data by third parties, Subprocessors or any person acting under the authority of and/or on behalf of COMBODO, for any purpose other than the performance of the Services
vi) inform the Client of any action and/or measures instigated by the supervisory authority relating to the Processing of Personal Data carried out in the course of its business
vii) immediately notify the Client of any modification or change that may affect the Processing of Personal Data,
viii) inform the Client immediately if, in COMBODO's opinion, an instruction constitutes a breach of the applicable Personal Data Regulations or is not technically feasible.
Accordingly, COMBODO shall not:
COMBODO may engage Subprocessors to perform specific processing activities.
A list of current Subprocessors hired by COMBODO for the purpose of the Service, and corresponding processing activities subprocessed, is attached in Exhibit 2.
Where COMBODO hires other Sub-processors, it shall first inform the Client in writing of the processing activities subcontracted, the identity and the details of the sub-processor. The Client may send its objections to the choice of such Subprocessor within 15 days from this written information. If no such objection is raised, the sub-processor shall be deemed accepted by the Client.
It is COMBODO’s responsibility to ensure that the sub-processor provides the same sufficient guarantees to implement appropriate technical and organizational measures in such a manner that processing meets the requirements of the General Data Protection Regulation.
In any event, if the Sub-processor fails to fulfil its data protection obligations, COMBODO remains fully liable towards the Client for the sub-processor’s performance of its obligations.
COMBODO undertakes that the Data will be hosted in servers located in the European Union.
COMBODO shall not disclose or transfer Personal Data, even for transit purposes or by means of remote access, to any third party or Subcontractor operating in a country outside the European Economic Area or not acknowledged as providing an adequate level of protection by the European Commission, and shall ensure that its Subcontractors and any persons acting under its authority or on its behalf do the same.
COMBODO is authorized, subject to the Client's prior express written consent and within the strict limits of what is necessary for the performance of the Services, to transfer Personal Data outside the European Economic Area only if COMBODO, and where applicable, COMBODO's Subcontractors, have previously entered into a data transfer agreement with the Client in the form and manner provided for in the European Commission's decision of 5 February 2010 on standard contractual clauses for the transfer of Personal Data to subcontractors established in third countries (hereinafter the "Standard Clauses"). COMBODO shall ensure that its own Subcontractors sign and comply with the Standard Clauses. If required by local law or the supervisory authority, the transfer of Personal Data shall be subject to prior authorization by the competent supervisory authority, the fulfillment of the latter condition being considered suspensive to the performance of the services concerned.
COMBODO undertakes to implement and maintain, throughout the term of the Subscription, appropriate technical measures and procedures to ensure that all of the Client's Personal Data that will be processed as part of the Services will be well protected, in view of its nature and the risks presented by the Processing, against alteration, loss, accidental or unlawful destruction, unauthorized disclosure or access or any other unlawful form of Processing, in accordance with the state of the art, best practices and the highest technical standards.
These measures and procedures to ensure the security and confidentiality of Personal Data are described in the GTCs and in the Offer; they may vary depending on the level of Support Services that the Client chose to benefit from (such as backup frequency and retention for instance).
During the term of the Agreement and subject to a written request to that effect from the Client, COMBODO undertakes to rectify, delete, return or destroy, in accordance with the procedures and methods agreed upon in advance by the Parties, the Client's Personal Data processed on behalf of the Client under this Agreement, unless otherwise required by European Union law or by the law of a Member State of the European Union applicable to the Processing and communicated to the Client in advance by COMBODO.
If a data subject should contact COMBODO directly to exercise his or her right of access, rectification, deletion and/or opposition, COMBODO undertakes to transmit such request directly to the Client as soon as it becomes aware of it, subject to applicable law.
In any event, upon termination of the Agreement for any reason whatsoever, COMBODO undertakes to destroy, or where applicable, upon the instructions of the Client, to return to the Client the Personal Data communicated and/or the media containing the same and to provide evidence thereof to the Client by means of a certificate of destruction. In the event that the law prevents COMBODO from returning and/or destroying all such Personal Data, COMBODO shall proceed to anonymise or pseudonymise such data, if permitted by law and depending on the nature of the applicable legal obligations, and shall guarantee the confidentiality of such data and undertake to no longer actively process them.
COMBODO undertakes to notify the Client as soon as possible after becoming aware of it and at the latest within 48 hours from that date, of any proven or suspected breach of Personal Data or any breach of security resulting in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Personal Data transmitted, stored or otherwise processed.
Such notification shall be sent to the Owner, by telephone and by e-mail, and confirmed by registered letter with acknowledgement of receipt. COMBODO undertakes to carry out all necessary investigations into breaches of the above-mentioned protection rules and/or any threats in order to remedy the said breaches and/or threats and to prevent their recurrence in the future. COMBODO undertakes to remedy such breaches and/or threats as quickly as possible and to minimize the impact of such breaches and/or threats on the persons concerned.
Where possible, COMBODO will specify the number of persons likely to be affected by the breach in question.
COMBODO undertakes to cooperate with and assist the Client in fulfilling its obligations, especially vis à vis data protection authorities.
The Application allows the setting of retention periods and retention of personal data of Users. By default, this data will be deleted when the User Account is closed.
In all cases, it is the Client's responsibility to carry out all declarations or impact studies required by law or European regulations, in order to determine the length of time the data will be kept, and to inform COMBODO of this so that the latter can make the necessary adjustments to the Applications, if necessary.
COMBODO will make its best efforts to assist the Client in order to ensure that the processing of personal data complies with the regulations in force. To this end, COMBODO will make available to the Client all necessary information in the event of any compliance or security audit, or any impact assessment undertaken by the Client.
However, the Services subscribed by the Client do not include the performance of specific actions, such as the drafting of Privacy Impact Assessments, or the declaration to data protection authorities of a data breach, which may be done, if applicable, under prior quotation.