Data Processing Agreement
Under the Agreement concluded between ELEMENTS APPS and the Client, ELEMENTS APPS (as the Processor) processes Personal Data on behalf of the Client (as the Controller).
ELEMENTS APPS is a French Société par Actions Simplifiée, with a share capital of 803 625 euros, with registered office at Esplanade Compans Caffarelli, 2, Bât E, 31000 Toulouse, France, registered with the Trade and Companies Register of Toulouse under number 834 024 390 and duly represented by Mr Alexandre Alquier, acting in his capacity as chief executive officer.
ELEMENTS APPS and the Client shall be referred to either individually as a “Party” or together as the “Parties”.
This agreement with its Annexes (together the “Data Processing Agreement” or “DPA”) sets out the obligations of the Parties regarding the processing of Personal Data.
Article 1. Definitions
In this DPA, the following terms have the following meanings:
“Data Protection Laws”: means the data protection laws of the country in which the Controller is located (including Regulation (EU) 2016/679 (General Data Protection Regulation, “GDPR”) and the French law n° 78-17 du 6 janvier 1978 relative à l’informatique, aux fichiers et aux libertés);
“Personal Data”: means any information relating to an identified or identifiable natural person (“Data Subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
“Processing”: means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
“Controller”: means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data. Under this DPA, the Controller is the Client;
“Processor”: means a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Controller. Under this DPA, the Processor is ELEMENTS APPS;
“Subprocessor”: means a third party engaged by the Processor as another processor to provide services directly related to the provision of the principal service;
“Transfer of Personal Data”: means the communication, copying or moving of Personal Data, regardless of the medium, to a country outside the European Economic Area or to an organization established outside the European Economic Area;
“Personal Data Breach”: means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.
All other terms defined in Article 4 of the GDPR and used in this DPA have the meaning defined in the GDPR.
Article 2. Description of Processing(s)
The details of the processing operations, in particular the categories of Personal Data and the purposes of processing for which the Personal Data is processed on behalf of the Client, are specified in Annex I.
Article 3. Processing of Client’s Personal Data
3.1. Client’s warranties
The Client guarantees to ELEMENTS APPS that it has collected and processed Personal Data in a lawful, fair and transparent manner in compliance with the GDPR, for explicit, legitimate and determined purposes of which ELEMENTS APPS has no knowledge, and of which the Client declares having duly informed the persons concerned.
The Client alone determines the purposes and means of the Processing of its Personal Data resulting from the Agreement. As a result, it is up to the Client, before the Agreement’s entry into force, to verify that the Processing operated by ELEMENTS APPS will be compliant with the purposes and the means of the Processing of its Personal Data. In this regard, the Client undertakes to communicate any documented information related to the Processing.
3.2 ELEMENTS APPS’s obligations
ELEMENTS APPS undertakes (i) not to process the Client’s Personal Data other than in accordance with the Agreement and this DPA and (ii) not to carry out any other Processing of the Client’s Personal Data that is not provided for in the contract, except on the Client’s prior, written, documented and legitimate instructions.
ELEMENTS APPS undertakes to provide the Client with reasonable assistance, insofar as this is possible, for the fulfilment of the Client’s obligation to respond to requests for exercising the Data Subject’s rights according to the GDPR. ELEMENTS APPS shall not respond to the request itself, unless authorized to do so by the Client. Upon the Client’s instructions, ELEMENTS APPS shall provide access to, rectify, erase or restrict the Processing of the Personal Data.
Article 4. Personal Data security
ELEMENTS APPS warrants that it has implemented appropriate technical and organizational measures specified in Annex II, to ensure the confidentiality, integrity, availability and resilience of Processing. The technical and organizational measures are subject to changes in the state of the art such as technical progress and developments. ELEMENTS APPS reserves the right to change the technical and organizational measures from time to time.
ELEMENTS APPS undertakes to:
- Assist the Client in preventing the fraudulent use of its Personal Data, threats to its integrity, or loss of access to it;
- Ensure that persons authorized to process the Client’s Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
Article 5. Personal Data Breach
In the event of a Personal Data Breach, ELEMENTS APPS shall:
- Notify the Client without undue delay after becoming aware of the Personal Data Breach;
- Provide the Client with the necessary support regarding the measures to be taken in response to the Personal Data Breach.
Article 6. Information and audit rights
ELEMENTS APPS shall provide the Client, upon request, all information and/or certificates reasonably required to demonstrate compliance with the obligations set out in this DPA.
Where ELEMENTS APPS does not provide sufficient information or certificates, or where required by Data Protection Laws or a data protection authority, ELEMENTS APPS shall allow for, cooperate and contribute to audits, including inspections, conducted by the Client or another auditor mandated by the Client.
ELEMENTS APPS shall forward to the Client all requests from data protection authorities concerning the ELEMENTS APPS’ Processing of the Client’s Personal Data. ELEMENTS APPS shall support the Client in any data protection authority proceedings.
ELEMENTS APPS shall be entitled to adequate compensation for providing information, certificates and/or support under this Article 6 “Information and audit rights”.
Article 7. Unlawful instructions
If any instruction from the Client to ELEMENTS APPS is likely to lead to non-compliance with Data Protection Laws, ELEMENTS APPS has the obligation to immediately inform the Client.
ELEMENTS APPS reserves the right to refuse the Client’s instruction which would appear to be illicit in the sense of Article 82.2 of the GDPR.
Article 8. Subprocessing
According to the Agreement, the Client hereby agrees that ELEMENTS APPS may subcontract certain Processing activities relating to the Client’s Personal Data to Subprocessors.
The Subprocessors which are hereby approved by the Client are listed in Annex I, (7).
If ELEMENTS APPS engages new Subprocessors or replaces or removes existing Subprocessors, it shall (i) give due notice to the Client and (ii) enter into a written contract with the Subprocessor imposing on the Subprocessor the same data protection obligations set out in this DPA. ELEMENTS APPS’s contract with the Subprocessor must comply with the requirements of the Data Protection Laws, especially with Article 28 GDPR.
The Client may object in writing within 30 days, stating its reasons, if the engagement violates this DPA and/or the Data Protection Laws. In case the Client objects to the engagement of a new Subprocessor or to the renewal or replacement of a Subprocessor, ELEMENTS APPS may be entitled to terminate this DPA under the conditions provided for in Article 10.
Article 9. Transfer of Personal Data
The Client agrees that ELEMENTS APPS and the Subprocessors may transfer the Client’s Personal Data to and from countries outside the European Economic Area (“Third Countries”).
All transfers of Personal Data to and from a Third Country must be carried out, to the extent required by Data Protection Laws, with appropriate safeguards in accordance with Articles 45 and 46 GDPR and in accordance with Data Protection Laws. To the extent Personal Data are transferred to a Third Country for which no adequacy decision pursuant to Article 45 GDPR exists, the Standard Clauses shall apply.
Article 10. Support and Maintenance Services
This DPA shall terminate automatically upon the termination of the Agreement. The Client may exercise its rights under this DPA as long as ELEMENTS APPS processes the Client’s Personal Data.
Either Party may terminate this DPA at any time with reasonable notice for good cause if the other Party is in material breach of this DPA.
In the event of an objection to the removal or replacement of a Subprocessor or to the engagement of a new Subprocessor, ELEMENTS APPS may, 30 days after receipt of the objection notice from the Client, (i) cease performance of its services and (ii) terminate this DPA without notice and with immediate effect, provided that continued performance of the services is unreasonable for ELEMENTS APPS without the intended change.
Article 11. Liability
If legal claims are asserted against one Party due to the Processing of Personal Data, the claiming Party shall immediately inform the other Party thereof. This shall only apply to the Client if the asserted claim is based on a breach of duty by ELEMENTS APPS.
The provisions on the liability of the Parties set out in the Agreement shall apply to this DPA.
Article 12. Severability clause
Should individual provisions of this DPA be or become ineffective, invalid or unenforceable, this shall not affect the validity of the remaining provisions of this DPA.
Article 13. Choice of law and place of jurisdiction
This DPA is subject to French law. The exclusive place of jurisdiction for all disputes in connection with this DPA is, as far as legally permissible, Paris, France.
ANNEX I – DESCRIPTION OF THE PROCESSING
1. Categories of Data Subjects whose Personal Data is processed:
2. Categories of Personal Data processed:
- First and last name;
- Contact information;
- Session data.
3. Sensitive data:
No sensitive data are being processed.
4. Nature of the Processing:
Collection, recording, organization, storage, use and processing of Personal Data for the purposes mentioned below.
5. Purpose(s) for which the Personal Data is processed on behalf of the Client:
The Personal Data will be processed to:
- answer and process Client’s requests regarding support;
- comply with legal obligations.
6. Duration of the Processing
| Subprocessor | Location | Data processed |
|---|---|---|
| Amazon Web Services, Inc. | USA | App configurations; Jira issue attributes (id, key, comment IDs); Atlassian configuration information (workflow and custom field IDs); Jira Project and Confluence Space IDs; user information (client key, account ID); Atlassian host base URL; anonymized usage statistics |
| Technical and organizational measures | Description of the technical and organizational security measures implemented by the sub-processor |
|---|---|
| Measures of pseudonymization and encryption of personal data | In our databases, all customer data is pseudonymized and all sensitive data is encrypted. |
| Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services | Only necessary data is stored and processed. Most of the infrastructure has been built around a serverless approach and an auto-scaling mechanism. Infrastructure is isolated, and access is restricted and controlled. |
| Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident | Customer data is stored in a secure production environment in the Cloud. By default, our Cloud provider ensures a durable infrastructure for storing important data, designed for 99.999999999% durability of objects. Automatic backups of all customer and system data are performed to protect against catastrophic loss due to unforeseen events that impact the entire system. |
| Processes for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the processing | The principle of continuous delivery is implemented, with testing and validation phases ensuring that a feature is deployed to production only once it has successfully completed all testing and security validation checks. |
| Measures for user identification and authorization | The use of generic/shared user accounts is forbidden by default. A specific password policy is defined and documented; it includes requirements on password length, reuse, duplication and complexity. Multi-factor authentication is enabled at the Identity Provider level. All employees are required to use the organization’s password manager for storing their credentials. |
| Measures for the protection of data during transmission | We use a certificate issued by the TLS RSA SHA256 2020 CA1. This certificate is used on all connections to our infrastructure. The Elements network is monitored by a firewall, and a cyber security solution is installed on all laptops to secure web traffic. A secure VPN connection is required to access critical tools. |
| Measures for the protection of data during storage | The most up-to-date antivirus software is used on all computers. All databases are encrypted. All computer disks are encrypted. |
| Measures for ensuring physical security of locations at which personal data are processed | All personal data is stored in the Cloud, where measures are in place to ensure the physical security of Data Centers. At our headquarters office, every access is logged and is only possible with a key fob. |
| Measures for ensuring events logging | Any action performed in our infrastructure is logged for 90 days. Any action performed through our Identity Provider is logged for 90 days. Any suspicious activity on our Intranet is logged and notified. |
| Measures for ensuring system configuration, including default configuration | All IT systems are purchased from a single vendor. Configuration of assets is performed following the same procedure. |
| Measures for internal IT and IT security governance and management | All Elements’ policies are available to all employees. All employees must read and approve them annually. |
| Measures for certification/assurance of processes and products | We have started the SOC 2 process: Type 1 is planned for 2023 and Type 2 is planned for 2024. |