Data Processing Agreement
Revision: August 21, 2024
J2S3 SAS
www.merci-app.com
dpo@merci-app.com
SIREN: 884 606 328
Address: 295 BOULEVARD SAINT-DENIS, 92400 COURBEVOIE
Parties
Customer (the “Controller”)
Company Name:
Office Address:
Country:
Registration NB:
Represented By:
Provider (the “Processor”)
Company Name: J2S3 SAS
Office Address: 295 BOULEVARD SAINT-DENIS 92400 COURBEVOIE
Country: France
Registration NB: 884 606 328 RCS NANTERRE
Represented By: Arthur Ollier
1. Definitions
• “Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.
• “Data Subject” means the individual to whom Personal Data relates.
• “Instruction” means the written, documented instruction, issued by the Controller to the Processor, directing the Processor to perform a specific action with regard to Personal Data (including, but not limited to, depersonalizing, blocking, deletion, making available).
• “Personal Data” means any information relating to an identified or identifiable individual where such information is contained within Customer Data and is protected similarly as personal data or personally identifiable information under applicable Data Protection Law.
• “Personal Data Breach” means a breach of security leading to the accidental or unlawful unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.
• “Processing” means any operation or set of operations which is performed on Personal Data, encompassing the collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction or erasure of Personal Data.
• “Processor” means a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Controller.
2. Data Processing
The Processor shall process Personal Data for the Purpose as described in the J2S3 Privacy Policy.
• Before or at the time of collecting personal information, the Processor identifies the purposes for which the information is being collected.
• The Processor will collect and use personal information solely with the objective of fulfilling compatible purposes, unless the Processor obtains the consent of the Controller or as required by law.
• The Processor will only retain personal information as long as necessary for the fulfillment of those purposes.
• The Processor can collect personal information by lawful and fair means and, where appropriate, with the knowledge or consent of the Controller.
• Personal data should be relevant to the purposes for which it is to be used, and, to the extent necessary for those purposes, should be accurate, complete, and up-to-date.
• The Processor shall protect personal information by reasonable security safeguards against loss or theft, as well as unauthorized access, disclosure, copying, use or modification.
• The Processor may only process the Personal Data on documented instructions from the Controller, including with regard to transfers to third countries or international organizations, unless required to do so by Union or member state law to which the Processor is subject (in such a case the Processor shall inform the Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest).
The data is only hosted and processed within a member state of the European Union.
• Core infrastructure (Databases, APIs) is hosted in Paris, France.
• The Processor’s server backups are hosted in France only. Those backups are encrypted and redundant within the data center to prevent any data loss.
Depending on how the Controller uses the service, the Processing of personal data may cover the following types/categories of data:
- Email address (if provided by end-user, thus involving a consent)
- Phone number (if provided by end-user, thus involving a consent)
- Activity Status (online / offline)
- Activity Date and Time
- IP Address
- Device Type (operating system and browser)
- Geographic Location, City, Country (guessed from the IP address)
- Preferred language
- Timezone
- Texts corrected by MerciApp
- Redaction statistics
- Professional Life Data (Position, Employer, Business Address)
- Data guessed from public information on Google (Avatar, Twitter/Facebook handle)
The categories of Data Subjects whose Personal Data are Processed are as follows:
• MerciApp users
3. Technical and organizational provisions
1. The Processor will, taking into account the nature of the Processing and insofar as this is reasonably possible, assist the Controller in ensuring compliance with the obligations pursuant to the GDPR to take appropriate technical and organizational measures to ensure a level of security appropriate to the risk. These measures will guarantee an appropriate level of security, taking into account the state of the art and the costs of implementation, in view of the risks entailed by Personal Data Processing and the nature of the data to be protected. The Processor will in any case take measures to protect Personal Data against accidental or unlawful forgery, unauthorized distribution or access, or any other form of unlawful Processing.
• Two Factor Authentication on third-party services J2S3 uses
• Our SSH keys are all password-protected
• All the features are designed around security and reliability
• Computers and servers running J2S3 development tools are secured and up to date
• J2S3 employees, agents, and providers are trained in data-security practices
• All our servers and services are running the latest security updates and are patched immediately when a vulnerability is published
• All domains are protected using DNSSEC
• Abusive IPs are automatically banned or rate limited (this prevents brute-force attacks on accounts)
• We use strong encryption techniques on all public network channels.
2. The Processor can’t be held responsible when the Controller is using the software or processing data without following the technical guidelines or documentation provided by the Processor.
3. The Processor ensures that its personnel and contractors are informed of the confidential nature of the Personal Data, have received appropriate training on their responsibilities and are subject to obligations of confidentiality.
4. The Controller can contribute to or request audits and inspections but may not conduct an audit more than once per calendar year. The audit shall be conducted by an independent company, which is not a competitor of the Processor or related to one. The Controller shall reimburse the Processor for any cost or expenses incurred as a result of the audit.
4. Data Breaches
1. In the event the Processor becomes aware of any incident that may have an impact on the protection of Personal Data, i) it will notify the Controller without undue delay and ii) will take all reasonable measures to prevent or limit (further) violation of the GDPR.
2. The Processor will, insofar as reasonable, provide all reasonable cooperation requested by the Controller in order for the Controller to comply with its legal obligations relating to the identified incident.
3. The Processor will, insofar as reasonable, assist the Controller with the Controller’s notification obligation relating to the Personal Data to the Data Protection Authority and/or the data subject, as meant in Section 33(3) and 34(1) GDPR. The Processor is never obliged to report a personal data breach to the Data Protection Authority and/or the data subject.
4. The Processor will not be responsible and/or liable for the (timely and correct) notification obligation to the relevant supervisory authority and/or data subjects, as meant in Section 33 and 34 GDPR.
5. Sub-Processors
1. The Processor is entitled to outsource the implementation of the Processing on the Controller’s instructions to Sub-processors, either wholly or in part. The Processor will inform the Controller of any intended changes concerning the addition or replacement of other processors.
2. The Controller reserves the right to object to any Sub-processor, provided that, in its opinion, the Sub-processor does not provide sufficient guarantees to implement appropriate technical and organizational data protection measures.
3. The Processor obligates each Sub-processor to contractually comply with the confidentiality obligations, notification obligations and security measures relating to the Processing of Personal Data, which obligations and measures must at least comply with the provisions of this Data Processing Agreement.
4. Sub-processing in the meaning of this agreement does not include ancillary services, such as telecommunication services, postal / transport services, maintenance and user support services or the disposal of data carriers, as well as other measures to ensure the confidentiality, availability, integrity, and resilience of the hardware and software of the data Processing equipment.
5. Where the Controller, based upon the obligations under the GDPR, is obliged to provide information to a Data Subject about the Processing of his or her Personal Data, the Processor shall assist the Controller in making this information available. The Processor shall as soon as possible and in the most detailed manner possible refer the requests (or complaints) of the Data Subject to the Controller and shall assist the Controller with any request from a Data Subject concerning his or her rights under Applicable Legislation and in particular – but not only – his or her right of access, rectification, correction, objection, restriction of processing, the right to be forgotten and the right of data portability. The Processor shall rectify, erase or otherwise process the Personal Data when the Controller so instructs, to enable the latter to comply with the request of the Data Subject.
6. The Controller agrees to the commissioning of the following sub-processors on the condition of a contractual agreement in accordance with applicable data protection laws:
Infrastructure Subprocessors
Entity Name | Subprocessing Activities | Entity Country | Address
Amazon Web Services, Inc. | Cloud Service Provider | France (storage location: Paris, France) | Amazon Web Services EMEA SARL, 38 avenue John F. Kennedy, L-1855 LUXEMBOURG
Microsoft Corporation | Cloud Service Provider (only for text reformulation if activated on the account) | United States (storage location: France) | One Microsoft Way, Redmond, Washington 98052, USA

Text Analysis Subprocessors
Entity Name | Subprocessing Activities | Entity Country | Address
Diagonal SAS | Text Analysis and Mistakes Detection Services | France (storage location: EU) | Éditions Diagonal, Traverse des Brucs – Arep Center, BP 173, 06903 SOPHIA ANTIPOLIS Cedex, FRANCE
Microsoft Corporation | Text reformulation services | United States (storage location: France) | One Microsoft Way, Redmond, Washington 98052, USA

Other Subprocessors
MerciApp may use the following Subprocessors to perform other Service functions:
Entity Name | Subprocessing Activities | Entity Country | Address
Crisp SAS | Cloud-based Customer Support Services | France | Crisp IM SAS, 2 Boulevard de Launay, 44100 Nantes, FRANCE
Segment.io, Inc. | Cloud-based Customer Analytics Distribution Service | United States (storage location: EU) | Twilio Inc., 01 Spear Street, 1st Floor, San Francisco, California, 94105, United States of America
Stripe, Inc. | Cloud-based Payments Processor | Ireland (storage location: EU) | C/O A & L Goodbody, IFSC, North Wall Quay, Dublin D01 H104, Ireland
Rollbar, Inc. | Cloud-based Logfile Monitoring | United States (storage location: EU) | Rollbar Inc., 548 Market St, Suite #60587, San Francisco, California 94104-5401
Refiner SAS | Cloud-based User Surveys | France | Refiner SAS, 10 rue de Penthièvre, 75008 Paris, France
Customer.io, Inc. | Cloud-based User Analytics Service | United States (storage location: EU) | Customer.io, Inc., 921 SW Washington St No 820, Portland, Oregon, 97205, United States
Chartmogul, Ltd. | Cloud-based Financial Metrics Services | Germany | ChartMogul CMTDE GmbH & Co. KG, c/o WeWork, Kemperplatz 1, 10785 Berlin, Germany
Sellsy SAS | Cloud-based CRM | France | Sellsy, Avenue du Lazaret, 17000 La Rochelle, France
6. Duration
1. This agreement shall commence on the Commencement Date and shall continue in full force and effect until the termination of the Purpose.
2. The Controller will adequately inform the Processor about the (statutory) retention periods that apply to the Processing of Personal Data by the Processor.
7. Rectification, restitution and erasure of data
1. The Processor may not on its own authority rectify, erase or restrict the Processing of Personal Data that is being processed on behalf of the Controller (unless this is required by law), but shall only do so on documented instructions from the Controller and in accordance with the data retention rules associated with the Controller’s subscription plan. Upon expiry of the DPA, the Processor shall, at the choice of the Controller, return all the Personal Data transferred and the copies thereof to the Controller or shall delete and/or anonymize all the Personal Data in an irreversible manner and certify to the Controller that it has done so, unless the Applicable Legislation imposed upon the Processor prevents it from returning or destroying all or part of the Personal Data Processed.
2. If a Data Subject should apply directly to the Processor to request the rectification, erasure, or restriction of his or her Personal Data, the Processor must forward this request to the Controller without delay.
SIGNED on behalf of the Controller
Signature:
Company:
Name:
Title:
Date:
SIGNED on behalf of the Processor
Signature:
Company: J2S3
Name: Eric LY
Title: DPO
Date: August 21, 2024