Data Processing Agreement model
This document is a model/template Data Processing Agreement (DPA). Review and adapt it to your specific context before use.
BETWEEN
Neostore, French simplified joint stock company (Société par Actions Simplifiée), having its head office and its principal place of business located at 465 Avenue Chemin des sables 01600 Reyrieux (France), registered in the Bourg-en-Bresse Corporate and Trade Register (RCS) under n° 892 973 348, Duly represented by Davy DAUVERGNE acting as CEO,
Hereinafter referred to as "Neostore";
AND
_________, company [...] with share capital of [...] euros, having its head office and its principal place of business located at [...], registered in [...] under No [...], Duly represented by [...] acting as [...],
Hereinafter referred to as the "Client";
The Client and Neostore are hereinafter referred to individually as a "Party" and collectively as the "Parties".
PREAMBLE
In accordance with the General Data Protection Regulation EU 2016/679 (the “GDPR”), the Parties sought to delineate their obligations regarding the processing of the Client's personal data carried out under the contract signed and in force between Neostore and the Client relating to the services provided by Neostore (hereinafter referred to as the 'Contract'). As such, the Parties have decided to conclude this agreement in accordance with the obligations of Article 28 of the GDPR (hereinafter referred to as the 'Agreement').
IT IS AGREED AS FOLLOWS:
ARTICLE 1 – PURPOSE OF THE AGREEMENT
The present Agreement aims to supplement the Contract and delineate contractual provisions concerning the protection of Personal Data in accordance with the Applicable Regulations.
ARTICLE 2 – OBLIGATIONS OF THE PARTIES REGARDING THE PROTECTION OF PERSONAL DATA
Definitions: The Parties give to the terms used in the Agreement the definitions referred to by the Applicable Regulations, such as in particular but not exclusively "Personal Data", "Processing", "Controller", "Processor", "Recipient", "Supervisory authority", “Data Subject” etc.
Compliance: Each Party undertakes to comply with the applicable regulations and in particular the European provisions and regulations on the protection of personal data for which it is responsible, in particular European Regulation No. 2016/679 of the European Parliament and of the Council of 27 April 2016 relating to the protection of individuals with regard to the Processing of Personal Data and the free movement of such data (hereinafter the "GDPR"), as well as any applicable national or European regulations and all recommendations, deliberations and other standards issued by the competent Supervisory Authority (hereinafter as a whole the “Applicable Regulations”).
Neostore's Obligations: In the context of the services as defined in the Contract (hereinafter “Services”), Neostore acts as Data Processor, and the Client as Data Controller. Thus, the Parties agree that Neostore must process Personal Data on behalf of the Client and according to the latter's instructions, in accordance with the description of the Processing appearing below.
To this end, Neostore undertakes to:
Process Personal Data only for the sole purpose(s) which is/are the subject of the Contract;
Process Personal Data in accordance with the Client's documented instructions. If Neostore considers that an instruction constitutes a violation of the Applicable Regulations or any other provision of European Union law or of the law of the Member States relating to the protection of personal data, it shall immediately inform the Client thereof;
Guarantee the confidentiality of Personal Data processed as part of the Services;
Delete Personal Data at the end of the Contract, unless Union law or the law of the Member State requires the retention of Personal Data;
Keep a processing register under the conditions of Article 30 of the GDPR;
Provide the Client with all the information necessary to demonstrate compliance with the obligations set out in this Agreement, and allow audits, including inspections, to be carried out by an independent auditor appointed by the Client, within the limit of once a year, and contribute to these audits. Where applicable, the Client must notify Neostore in writing of the audit at least 30 (thirty) days in advance and will have Neostore validate the audit plan, it being specified that the audit can only be carried out by an independent third party and can only relate to the Client's data. The auditor will provide Neostore with a pre-audit report so that Neostore can provide comments. The audit will be at the Client's sole expense, it being specified that Neostore reserves the right to invoice the Client for any audit lasting more than 2 (two) days;
Help the Client, to the extent possible, in fulfilling its obligation to respond to requests from Data Subjects.
Security: In addition, Neostore guarantees that it has put in place the appropriate technical and organizational measures so that the processing meets the requirements of the Applicable Regulations, and in particular to fight against the destruction, loss, alteration, unauthorized disclosure of Personal Data, or unauthorized access to such data, accidentally or unlawfully.
As such, Neostore guarantees the Client:
That persons having access to Personal Data are subject to an obligation of confidentiality;
That it has the appropriate means in place to guarantee the confidentiality, integrity, availability and constant resilience of processing systems and services.
Data Breaches: Neostore undertakes to notify the Client of any Personal Data Breach as soon as possible after becoming aware of it.
In said notification, Neostore undertakes to describe:
The nature of the Personal Data Breach;
The likely consequences of the Personal Data Breach;
The steps taken to remedy the Personal Data Breach, including, where applicable, steps to mitigate any negative consequences.
Subprocessing: The Client grants Neostore a general authorization to subprocess all or part of the Processing relating to the Services. Neostore undertakes to sign contracts with its Subprocessors containing obligations at least as binding as those provided for in this Agreement.
In any event, Neostore will ensure that said Subprocessors present sufficient guarantees, in particular in terms of security, and remain responsible to the Client for the Services contracted out.
On the date of signature of the Agreement, the Subprocessors of Neostore are:
Microsoft Azure: hosting of the Application (datacenters located in the European Union).
Cloudflare: securing the Application (datacenters located closest to the place of the Data Subject: for a Data Subject using the Application at a Point of Sale in the European Union, no transfer outside the European Union).
Neostore will inform the Client of any planned change of subsequent Subprocessor as soon as possible before the implementation of said new Subprocessor. The Client will then have 8 (eight) days to raise reasoned objections to the envisaged subsequent Subprocessor.
Transfer Outside the European Union: In the event that Neostore is required to transfer Personal Data to a country recognized as "not providing an adequate level of Personal Data protection" by the European Commission, Neostore undertakes to sign the standard contractual clauses of the European Commission in their latest applicable version, subject to the application of any other mechanism in accordance with the Applicable Regulations.
Description of Processing:
Nature of Processing operations: collection, reading, transfer to and/or from the CRM tool, depending on the use of the Services made by the Data Subject.
Purpose of Processing: the creation and management of the Client's customer account, the display and/or installation of their loyalty card in the virtual wallet of their smartphone.
Categories of data collected: identification data and, where applicable, personal life (depending on the configuration of the form by the Client).
Categories of Data Subject: customers and prospects of the Client.
Data retention period: the duration of a Data Subject's session on the Application.
Recipient of the data: the CRM tool.
Obligations of the Client: For its part, the Client guarantees Neostore:
That it will inform Data Subjects of Processing operations in accordance with the Applicable Regulations;
That the collection of Personal Data carried out by the Client through the Application complies with the Applicable Regulations, in particular with regard to the collection of Data Subject’s consent for the sending of promotional offers;
That it will take responsibility for informing Data Subjects of their rights and for responding, within the time limits set by the Applicable Regulations, to any request from them.
For the sake of clarity, it is recalled that the registration form present within the Application is entirely created by the Client, under his sole responsibility. It is the Client's responsibility to ensure that they comply with their obligations in accordance with the Applicable Regulations.
Contact Information: For any questions relating to the Processing of Personal Data, the Client is invited to contact Neostore at [email protected].
Anonymous Statistics: In addition, in order to establish anonymous statistics on the use of the Services and to optimize them, the Client expressly authorizes Neostore to use the technical data collected by it as part of the Service. Said data will be aggregated by Neostore before any use.
ARTICLE 3 – ENTRY INTO FORCE
This Agreement comes into effect upon its signature and will remain valid for the duration of the Contract.
ARTICLE 4 – MISCELLANEOUS PROVISIONS
All the provisions of the Contract not expressly amended under this Agreement shall remain unchanged and in force between the Parties.
In two (2) original copies, in _____ on ________
For Neostore
*Signature