Data Protection Agreement (DPA)
PLEASE NOTE THE FOLLOWING:
SFBX is the developer of a consent collection and storage solution, the Consent Management Platform (CMP), known as AppConsent®.
The Client is the Data Controller of the Client Data (hereinafter referred to as the “Client” or the “Data Controller”), and SFBX is the Processor of the Client Data in accordance with Article 28 of GDPR (hereinafter referred to as “SFBX” or the “Processor”), pursuant to the AppConsent® Xchange Framework Agreement signed by the parties and this DPA. Hereinafter, individually or collectively, SFBX and the Client shall be referred to as the “Party(ies).”
SFBX is in no way responsible for determining the purposes for which Client Data is processed.
The Data Controller engages the expertise of the Processor to perform the following services, hereinafter referred to as “the Services”: collection, management, and storage of consent forms and data from website visitors.
To the extent that, in the course of providing the Services, the Processor is required to process personal data, the Parties have agreed to enter into this Data Protection Agreement (hereinafter the “Agreement”), which defines their roles and obligations under applicable data protection laws. The practical details of the processing carried out by the Processor are set forth in the Appendix titled “Description of the Processing of Personal Data Carried Out by the Processor.”
Accordingly, the following is agreed and decided:
ARTICLE 1 – PURPOSE OF THE AGREEMENT
In the context of their contractual relationship, the Parties agree to comply with applicable laws and regulations governing the processing of Personal Data, and in particular the GDPR.
The purpose of this Agreement is to define the practical arrangements for the processing of Personal Data that the Processor undertakes to perform on behalf of the Data Controller.
ARTICLE 2 – CONTRACTUAL DOCUMENTS
To best define and govern this Agreement, the Parties intend to give contractual effect to the following documents, in descending order of priority:
1. This Agreement
2. The following appendices:
- APPENDIX 1 – Description of the Processing of Personal Data Carried Out by the Processor
- APPENDIX 2 – Minimum Safety Requirements
- APPENDIX 3 – Template for a Sub-Contractor’s Declaration
- APPENDIX 4 – Data Breach Report Template
In the event of any conflict between the provisions of this document and those contained in the Appendices, the provisions of this document shall prevail.
These documents constitute the entire agreement between the Parties with respect to the subject matter of this Agreement and supersede all prior agreements entered into by the Parties.
Any amendment to this Agreement between the Parties may only be made by means of a written amendment signed by a duly authorized representative of each Party and shall be attached to this Agreement.
If any provision of this Agreement is found to be invalid under any applicable law or regulation, such provision shall be deemed unenforceable, but shall not render the Agreement as a whole invalid, unless such provision is of a decisive nature for either Party as of the date of execution of this Agreement. In such a case, the Parties shall negotiate in good faith to replace that provision with a valid provision that reflects their original intent.
The section headings are for reference only; in the event of any conflict between the headings and the text, the text shall prevail.
It is expressly agreed between the Parties that any forbearance or waiver by a Party in the performance of all or part of the obligations set forth in the Agreement, regardless of its frequency or duration, shall not constitute an amendment to the Agreement nor give rise to any rights whatsoever.
ARTICLE 3 – TERM
This Agreement is entered into for the duration of the services and shall take effect as of the date of its execution, unless terminated early in accordance with the terms set forth in the section titled “Breach of Contract” below.
ARTICLE 4 – DEFINITIONS
For the purposes of this Agreement, the following terms and expressions shall have the meanings set forth below, or, in the absence thereof, the meanings given to them in any other provision of this Agreement.
Supervisory Authority or Regulator: Refers to the French Data Protection Authority (CNIL) (or any successor thereof) or any other competent authority in the relevant country or countries, pursuant to data protection regulations, with respect to all or part of the processing of personal data.
Standard Contractual Clauses: Refers to a contract containing the standard contractual clauses approved by the European Commission for the transfer of personal data outside the EEA pursuant to the European Commission Decision of February 5, 2010, on standard contractual clauses for the transfer of personal data to processors established in third countries in accordance with Directive 95/46/EC of the European Parliament and of the Council (or the approved successor clauses adopted at any time).
Data: Means all Personal Data that SFBX processes as a data processor in the provision of services to the Client, and that the Client has requested SFBX to process under this Agreement.
Personal data: Refers to any information relating to an identified or identifiable natural person; an identifiable person is a person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, geolocation data, an online identifier, or to one or more factors specific to the person’s physical, physiological, genetic, mental, economic, cultural, or social identity.
Data Protection Laws: Refers to the GDPR, the implementing acts adopted by European Union member states, and/or any other applicable laws or regulations relating to the protection of personal data, personally identifiable information, or protected health information.
Data subject, Data Controller, Data Processor, Processing: have the meanings defined in the GDPR.
Regulation or GDPR: Refers to the General Data Protection Regulation (GDPR) No. 2016/679, effective as of May 25, 2018.
Website: Refers to the Client’s website(s), mobile site(s), application(s), or software (such as Chatbot).
Sub-processor: Refers to a third party engaged by the Processor to assist in the performance of the Services, which involves the processing of the Client’s data.
Device: Refers to computer hardware, smartphones, IoT devices, or any other device on which consent collection would be technically possible, used by the Visitor to access the Site.
Visitor: Refers to any individual (user), whether an end customer of the Client or a general internet user, who accesses the Client’s Website using their Device to use the Services.
Unless the context requires otherwise, terms in the singular include the plural and vice versa, and any reference to one gender includes a reference to the other gender.
In addition, a reference to a law or legal provision refers to that law or provision as amended, extended, or codified, and includes all regulations adopted pursuant to such legislation.
It is understood by the Parties that any reference to “in writing” includes emails and faxes.
ARTICLE 5 – OBLIGATIONS OF THE PARTIES
The Data Controller agrees to notify the Data Processor, as soon as it becomes aware of any regulatory or legal changes in data protection laws that affect the Services. The Parties shall use commercially reasonable efforts to comply with such requirements and shall negotiate and revise the Services accordingly. The Parties shall jointly decide on the appropriate measures to be implemented and the allocation of related costs. Furthermore, in the event that a specific obligation related to the Data Controller’s business becomes mandatory, the Data Controller undertakes to provide full assistance in implementing such measures and, in particular, to bear all costs associated therewith.
5.1. OBLIGATIONS OF THE DATA CONTROLLER
The Data Controller undertakes to:
- Provide the Processor with the Personal Data referred to in the section titled “Description of the processing subject to the processing arrangement”;
- Document in writing any instructions regarding the processing of data by the Processor;
- Ensure, both prior to and throughout the duration of the processing, that the Processor complies with the obligations set forth in the GDPR;
- Oversee the processing, including conducting audits and inspections at the Subcontractor’s premises;
- Notify the Subcontractor of any errors or irregularities related to this Agreement that it detects.
In addition, the Data Controller confirms:
- That it has fulfilled all obligations incumbent upon the Data Controller under the GDPR (including, in particular, maintaining a record of its processing activities and conducting any necessary impact assessments);
- That it has complied with the principle of data minimization by collecting only what is strictly necessary in relation to the purpose for which the data is processed;
- That it informed individuals at the time of data collection about the use of their personal data and any transfers to third parties, and that it obtained the necessary consent for processing where required.
The Data Controller undertakes to document in writing any instructions regarding the processing of Data by the Data Processor under the conditions set forth below. The Data Controller may provide the Data Processor with general or specific instructions regarding data protection, in particular concerning the nature and scope of data processing, as well as instructions regarding technical and organizational measures and the rectification, erasure, or restriction of data. The Parties have mutually agreed that, where instructions are exceptionally given orally due to special circumstances, they must be systematically and immediately confirmed in writing by the Data Controller so that the Processor may carry out the requests. It is specified that, failing this, the Parties agree to define the concept of an instruction as having been given when the Processor acts within the scope of the performance of this Agreement and the Services.
5.2 OBLIGATIONS OF THE SUBCONTRACTOR
It is hereby reiterated that the data covered by this Agreement remain the full and exclusive property of the Data Controller, and the Data Processor shall have no rights whatsoever with respect to such data.
They may not be disclosed, transferred, leased, or in any way assigned or exploited—whether for commercial or non-commercial purposes—by the Subcontractor other than for the purposes of the Services.
It is specified that, where applicable, any data collected as a result of an analysis or monitoring conducted by the Processor in connection with the Services may include Personal Data, which shall remain the property of the Data Controller.
The Subcontractor agrees to:
- To process Personal Data exclusively on behalf of the Data Controller and solely for the specific purpose(s) covered by the processing agreement, and not to use the Personal Data and information processed for any other purposes;
- Not to make any copies of the information and data entrusted to it, except for those necessary for the performance of the Services provided for in the Agreement, without the prior written consent of the Data Controller;
- To process all personal data in accordance with the Data Controller’s documented instructions as set forth in the appendix titled “Description of the processing of personal data carried out by the processor,” applicable law, and the obligations contained in this Agreement. In this regard, if the Data Processor is unable to comply for any reason, it agrees to notify the Data Controller without delay, in which case the Data Controller has the right to suspend the processing of data.
- To respond appropriately and as soon as possible to all requests from the Data Controller regarding the processing carried out by the Processor on behalf of the Data Controller;
- If the Processor considers that any of the instructions constitutes a violation of the Regulation or any other provision of Union law or the law of the Member States relating to data protection, it shall immediately inform the Controller;
- To ensure the confidentiality of personal data processed under this Agreement and not to disclose such data to any persons other than its employees, staff, or agents, or authorized subcontractors, whether private or public entities, natural or legal persons;
- Ensure that persons authorized to process personal data under this Agreement:
– Have agreed to maintain confidentiality or are subject to an appropriate legal obligation of confidentiality;
– Receive the necessary training in personal data protection;
- Take into account the principles of data protection by design and data protection by default with regard to its tools, products, applications, or services;
- Provide the Data Controller with the name and contact information of its Data Protection Officer, if it has appointed one in accordance with Article 37 of the European General Data Protection Regulation;
- In accordance with data protection laws and European regulations, to ensure that all necessary precautions and security measures—whether physical, technical, or organizational—are implemented (i) to prevent such information from being obtained or disclosed to unauthorized persons; (ii) to prevent any misuse or fraudulent access to the files; (iii) to protect against any loss, destruction, or alteration of Confidential Information, whether accidental, unauthorized, or illegal. The measures implemented and the guarantees provided by the Processor take into account the state of the art, implementation costs, and the risks associated with the Data. In any event, the Processor undertakes, in the event of a change in the means used to ensure the security and confidentiality of personal data, to replace them with means of equal or superior performance. No changes may result in a reduction in the level of security without the prior consent or instruction of the Data Controller;
- To process data within France and not to transfer any personal data outside the European Union without the prior written consent of the Data Controller. In the event of a transfer of Personal Data to a country outside the European Union, the parties acknowledge that measures must be taken to ensure that such data transfers comply with data protection laws, including compliance with procedures, any necessary authorization from the supervisory authority, and, if required, the conclusion of one or more contracts to govern cross-border flows of personal data. The parties acknowledge that identical or similar obligations may apply to international transfers of personal data from a third country and must, in good faith, take the necessary measures, where applicable, in accordance with applicable data protection laws. The Data Controller undertakes to cooperate with the Processor for the purpose of signing any Standard Contractual Clauses. If the applicable data transfer mechanism ceases to be valid, the Processor may, at its discretion: (i) enter into and/or ensure that subsequent processors enter into an appropriate alternative data transfer mechanism; (ii) modify the Services so that they can be provided without requiring the relevant transfer, and without significantly deviating from the overall provision of the Services.
- If the Processor is required to carry out a mandatory data transfer to an entity, a third country, or an international organization under Union law or the law of the Member State to which it is subject, it must inform the Controller of this legal obligation prior to processing;
- To cooperate with any national or international supervisory authority. The Processor undertakes to inform the Controller of any request from a supervisory authority for disclosure of the Data and not to respond directly to such a request without instructions from the Controller, unless prohibited by law. Where the Processor is legally prohibited from notifying the Data Controller, it shall make reasonable efforts to request that the public authority direct the request directly to the Data Controller;
- To cooperate in good faith with any Third-Party Partner designated by the Data Controller to whom access to the Data must be provided or who requires such access;
- Upon termination or expiration of the Services or this Agreement, to cease processing the data and either destroy all manual or computerized files containing the information and provide proof thereof to the Data Controller; or to return all data media in full in accordance with the terms set forth in this Agreement, delete all copies, and provide proof thereof to the Data Controller. The Processor shall ensure that its subprocessors comply with this clause.
The Processor shall cooperate with the Controller at its own expense without delay and shall assist the Controller in order to enable the Controller to:
- Conduct data protection impact assessments;
- Consult with the supervisory authority in advance;
- Demonstrate compliance with all obligations through the necessary documentation;
- Conduct audits, including inspections, and assist with such audits;
- Respond to any request from a supervisory authority, particularly in the event of an investigation.
The Subcontractor shall bear the costs associated with the time spent by its teams responding to the Client’s requests for assistance, up to a limit of two (2) days per year. Beyond this limit, any request for assistance from the Client will be billed by the Subcontractor as Additional Services under the terms set forth in the Framework Agreement.
The Processor declares that it maintains a written record of all categories of processing activities carried out on behalf of the Data Controller, including:
- The name and contact information of the data controller on whose behalf the data processor is acting, any data processors, and, where applicable, the data protection officer;
- The categories of processing carried out on behalf of the data controller;
- Where applicable, transfers of personal data to a third country or an international organization, including the identification of that third country or international organization and, in the case of transfers referred to in the second subparagraph of Article 49(1) of the European General Data Protection Regulation, the documents demonstrating the existence of appropriate safeguards;
- To the extent possible, a general description of the technical and organizational security measures, including, among other things, as appropriate:
– Pseudonymization and encryption of personal data;
– Measures to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services;
– Measures to restore the availability of and access to personal data within a reasonable timeframe in the event of a physical or technical incident;
– A procedure designed to regularly test, analyze, and evaluate the effectiveness of technical and organizational measures to ensure the security of processing.
The Data Controller reserves the right to conduct any verification it deems necessary to verify the Processor’s compliance with the aforementioned obligations, in accordance with the terms set forth in the “Audit” section below.
ARTICLE 6 – SUBCONTRACTING
The Processor may engage another processor (hereinafter, “the subprocessor”) to carry out specific processing activities. In such cases, the Processor must first request, in writing, the Data Controller’s authorization for any proposed changes regarding the addition or replacement of subprocessors. This notification must clearly specify the outsourced processing activities, the identity and contact details of the subprocessor, and the dates of the subcontract. The Data Controller has a minimum period of fifteen (15) business days from the date of receipt of this information to raise any objections. Such subcontracting may only take place if the Data Controller has given its express consent within the agreed timeframe.
It is the responsibility of the original subcontractor to ensure that the subsequent subcontractor provides sufficient guarantees regarding the implementation of appropriate technical and organizational measures so that the processing complies with the requirements of the European General Data Protection Regulation.
SFBX may subcontract only pursuant to a written agreement with the subprocessor, which imposes on the subprocessor obligations equivalent to those incumbent upon SFBX under this Agreement. The subprocessor is required to comply with the obligations of this Agreement on behalf of and in accordance with the instructions of the data controller.
If the subsequent processor fails to fulfill its data protection obligations, the original processor remains fully liable to the controller for the subsequent processor’s performance of its obligations.
The processors already approved by the Data Controller are listed in the Appendix titled “Description of the processing of personal data carried out by the processor” to this Agreement.
ARTICLE 7 – EXERCISE OF DATA SUBJECTS’ RIGHTS
The Processor must assist the Controller by taking appropriate technical and organizational measures to ensure that the Controller can fulfill its obligation to respond to any request from data subjects to exercise their rights: the right of access, rectification, erasure, and objection; the right to restrict processing; the right to data portability, and the right not to be subject to an automated individual decision (including profiling).
Accordingly, SFBX undertakes to forward to the Data Controller, within two (2) business days, any request for access submitted by any individual or by an association or other organization representing an individual—where permitted by national law—whose personal data is included in the Data Controller’s records.
The Processor undertakes to follow the Data Controller’s instructions regarding any such request, inquiry, or notification. The Processor must ensure that its authorized subcontractors immediately forward any requests, inquiries, or notifications they receive directly to the Data Controller, without responding to them.
Only the Data Controller is authorized to respond directly to the data subject.
As the processor of visitor consent, the Subcontractor agrees to:
- provide a final version of the Notice of Prior Consent prior to obtaining the Visitor’s consent in accordance with the terms set forth in the Contract, with the Client agreeing not to modify the content of said final version of the Notice of Consent;
- immediately implement any changes made by the Visitor regarding the consent obtained in connection with the Services;
- assist the Client in fulfilling its obligations regarding Visitors’ rights, in particular by carrying out the following within 5 business days of the Client’s request:
– providing Visitors’ personal data in a readable format when they exercise their right of access;
– extracting Visitors’ personal data in a structured, commonly used, and machine-readable format when they exercise their right to data portability;
– anonymizing Visitors’ personal data by deleting the mapping table and/or restricting access to personal data linked to their consent in the event that they exercise their rights to object or to erasure, and/or upon expiration of the retention period for personal data processed as part of the Visitors’ data processing.
ARTICLE 8 – NOTIFICATION OF PERSONAL DATA BREACHES
The Processor agrees to notify the Data Controller within 24 hours of becoming aware of, or receiving information from any other processor regarding, a confirmed or suspected security breach resulting in a personal data breach—such as accidental or unauthorized access, a complaint, or, more generally, any compromise of data integrity.
This notification shall be accompanied by all relevant documentation to enable the data controller, if necessary, to report this breach to the competent supervisory authority. In particular, the Processor shall complete and submit to the Data Controller the security breach notification document provided in the Appendix “Personal Data Breach Report Template.” If, and to the extent that it is not possible to provide all this information at once, the information may be provided in stages as soon as it becomes available.
In the event of a personal data breach, the Processor agrees, at its own expense, to:
- Launch a prompt and thorough investigation into the circumstances surrounding the violation;
- Take the necessary or reasonably expected steps to minimize the impact of the breach;
- Maintain records of all information related to the breach, including the results of its own investigations and the corrective actions taken;
- Take all necessary steps to prevent a recurrence of such a violation.
The recurrence of incidents or the severity of a single incident attributable exclusively to a Party that results in a data breach in a production environment shall, where applicable, constitute grounds for early termination of the Agreement due to the sole fault of said Party.
ARTICLE 9 – AUDIT
During the term of the Agreement, the Client may, at its own expense, conduct or have conducted an audit of all or part of the Services currently being performed by an independent third party that is not a direct competitor of SFBX or by the ACPR. Such third-party auditor shall be bound by professional confidentiality. To this end, the auditor must sign a personal confidentiality agreement in favor of SFBX. The Client must notify the Subcontractor of the identity of the auditor or the selected audit firm if it is an external firm.
This audit will be conducted provided that the sole purpose of the audit is to verify the Subcontractor’s compliance with its obligations under this Agreement. In any event, the audit may not cover SFBX’s financial, accounting, or commercial data.
The audit must take place during the Subcontractor’s working hours and under conditions that do not place an unreasonable workload on the Subcontractor’s employees.
The Client agrees to notify the Service Provider in writing of any audit engagement at least five (5) Business Days in advance, specifying the purpose and anticipated duration of the engagement, as well as the names of the assigned experts.
The Subcontractor agrees to cooperate in good faith and without reservation with any auditor so designated. In particular, the Subcontractor shall provide auditors with access to any documents, information, or other materials necessary for the proper conduct of the audit and shall facilitate their work, specifically by answering any questions and granting them access to all tools and resources necessary for the proper conduct of the audit. A copy of the audit report will be provided to the Subcontractor free of charge.
Any time spent by SFBX staff on the audit, provided it is properly documented, shall be borne by the Subcontractor.
Any necessary corrective actions resulting from the audit shall be carried out at the Subcontractor’s expense and shall be the subject of a joint review by the Subcontractor and the Client to develop a detailed corrective action plan, which shall be submitted to the Client for approval, without prejudice to the Client’s other rights.
The Subcontractor guarantees that its subcontractors will comply with the obligations set forth herein for the purpose of allowing the Client or the ACPR to conduct an audit at their premises and on their systems, and ensures such compliance.
ARTICLE 10 – CONFIDENTIALITY
This clause applies to all documents, information, and data—whether technical, strategic, commercial, financial, or otherwise—as well as any Personal Data that may be disclosed by any means, including in writing, orally, or electronically, or that the Parties may become aware of in connection with this Agreement (hereinafter referred to as “Confidential Information”).
The term “Personal Data” refers to any information relating to an identified natural person or a natural person who can be identified, directly or indirectly, by reference to an identification number or to one or more factors specific to that person. To determine whether a person is identifiable, all means available to or accessible by the data controller or any other person that could enable identification must be considered. It is understood that Personal Data requires the utmost care on the part of the Parties, particularly with regard to the various regulations applicable to them.
The following are not considered Confidential Information for the purposes of this section:
- Information that entered the public domain prior to its disclosure and/or communication, or that will enter the public domain after its disclosure and/or communication through no fault or negligence on the part of either Party;
- Information already in the possession of one Party at the time it is disclosed by the other Party;
- Information that a Party is required to disclose in compliance with a clear legal or regulatory obligation, a court order, or a request from an administrative authority that the Party cannot refuse, provided that the other Party is notified immediately.
Each Party hereby undertakes, both on its own behalf and on behalf of its employees, agents, members, and/or advisors, for whom it assumes full responsibility, not to disclose Confidential Information in any form whatsoever to third parties and not to use such information for personal purposes outside the scope of this Agreement, except with the express, prior, and written consent of the other Party. “Third party” means any natural or legal person other than the Parties to this Agreement.
Each Party further agrees to take all necessary precautions to preserve the confidentiality of Confidential Information, as if it were its own information, including:
- To communicate and disclose Confidential Information only to those members of its staff, advisors, and subcontractors who need to know such information in connection with the performance of the Agreement and the Services, provided that such persons are informed of the need to comply with the confidentiality obligations set forth in this Agreement. It is understood that the Party receiving the Confidential Information expressly guarantees that its personnel or any subcontractor approved by the other Party will comply with the obligations set forth in this Agreement;
- To ensure the security and physical integrity of Confidential Information by all appropriate means, including by storing it in secure locations, restricting access, and taking any other measures deemed necessary, and in all cases by applying security measures no less stringent than those SFBX applies to its own confidential information;
- The Confidential Information shall not be copied, reproduced, and/or duplicated, in whole or in part, for one’s own purposes, where such copies, reproductions, or duplications have not been authorized by the other Party and go beyond the scope of the Parties’ collaboration.
The Parties’ obligations regarding confidential information shall remain in effect throughout the term of this Agreement and for a period of ten (10) years following the termination of this Agreement.
The burden of proof regarding the disclosure of confidential information rests with the Party claiming such disclosure.
ARTICLE 11 – LIABILITY – FORCE MAJEURE
11.1. Liability
Each Party shall be liable to the other Party for the performance of its obligations under the Agreement and the Services and hereby agrees to indemnify the other Party for any direct damages caused to it as a result of its own faults, errors, or omissions, or those of its subcontractors, if any.
Each Party may be exempt from liability—provided it can demonstrate this—for any damages caused:
- Due to a force majeure event as defined in the “Force Majeure” section;
- Due to the actions of a third party other than a subcontractor as defined in the section titled “Subcontracting”;
- Provided that they qualify as indirect damages.
Under no circumstances shall this Agreement exclude or limit in any way the liability of either Party in cases of fraud, death or personal injury, negligence, gross negligence, or safety-related matters.
Each Party agrees to maintain general liability insurance and professional liability insurance and to keep such insurance in force throughout the term of this Agreement.
11.2. Force Majeure
Force majeure refers to any event beyond the control of the affected Party that is both unforeseeable and insurmountable and that prevents either Party from fulfilling all or part of the obligations imposed on it by the Agreement.
In any event, the affected Party must do everything in its power to minimize the duration and impact of the unforeseeable event, force majeure, or external cause.
If the event is extended beyond a period of thirty (30) consecutive days, this Agreement may be terminated automatically fifteen (15) days after the sending of a registered letter with return receipt requested, unless the Parties expressly agree otherwise.
ARTICLE 12 – BREACH OF CONTRACT
In the event of a breach of any of the obligations set forth in this Agreement, including those in the sections titled “Confidentiality,” “Obligations of the Parties,” “Subcontracting,” “Exercise of Data Subjects’ Rights,” and “Notification of Personal Data Breaches,” this Agreement shall be automatically terminated following a formal notice sent by letter with acknowledgment of receipt that remains unanswered for fifteen (15) days.
Notice period:
In any case, during the notice period, the relationship between the Data Controller and the Data Processor must continue in a fair, sincere, and normal manner, so as to ensure the same level of service until the end of the relationship.
Any provisions that, by their nature, continue to be effective upon the expiration of this Agreement shall survive the termination of this Agreement, regardless of the cause.
ARTICLE 13 – PERSONAL DATA OF THE PARTIES’ EMPLOYEES
Each Party shall collect and process Personal Data relating to the other Party’s personnel involved in the administration and monitoring of this Agreement (hereinafter “Personnel”).
In order to ensure effective and straightforward communication with its Personnel, each Party agrees to inform its Personnel of the processing and any transfer of their Data by the other Party and to provide them with the information set forth in this Article.
For the purposes of this provision, the Data Controller is:
- The Client with respect to the Personal Data of SFBX staff;
- SFBX regarding the Client’s employees’ personal data.
This Processing is carried out for the purposes of performing and managing the Agreement and pursuing the respective legitimate interests of the Parties in the conduct of their business activities.
The Personal Data subject to this processing consists solely of the last names, first names, business contact information, and job titles of the Parties’ Personnel involved in the performance and management of the Agreement and the Services (hereinafter “Personnel Data”). Personnel Data will be retained for the entire duration of the Services and will be archived for a period of ten (10) years following the expiration of the Agreement. Access to Personnel Data will be limited to authorized Personnel and/or its service providers responsible for managing the Agreement and relations with service providers and suppliers.
SFBX employees have the right to access the personal data processed by the Client in order to have such data corrected if the employee can demonstrate that the data is inaccurate, to request its erasure, to object to its processing for reasons related to their personal circumstances, or to request the restriction of its processing. SFBX staff also have the right to provide instructions regarding the processing of their Data after their death.
SFBX employees may exercise their rights by sending a request to the Client DPO email address. Client employees have the same rights with respect to SFBX. They may exercise their rights by sending a request to juridique@dipeeo.com.
ARTICLE 14 – GOVERNING LAW AND JURISDICTION
This Agreement is governed by French law. The language applicable for the interpretation of this Agreement and its consequences is French.
Any dispute shall first be subject to an attempt at amicable resolution. If no amicable resolution is reached within three (3) months, the Commercial Court of Bordeaux shall have exclusive jurisdiction to hear any dispute relating to the interpretation or performance of this Agreement, notwithstanding multiple defendants or third-party claims, including in emergency or protective proceedings, whether in summary proceedings or by petition.
Done in Bordeaux, April 2, 2026
APPENDIX 1 – DESCRIPTION OF THE PROCESSING OF PERSONAL DATA BY THE PROCESSOR
1. DESCRIPTION OF THE PROCESSING OPERATIONS SUBJECT TO SUBCONTRACTING
A. Description of Services Performed
☒ Host the data
☒ Data collection tool – direct – Collect cookie consent
☒ Consent Management and Withdrawal of Consent
☒ Data archiving
☒ Compilation of statistics
B. Nature of the transactions
☒ Consultation/viewing
☐ Data entry
☒ Data collection (direct and indirect): Direct – cookie consent
☐ Modification
☐ Rectification
☒ Storage
☒ Recording
☐ Extraction
☐ Dissemination/communication
☐ Comparison
☐ Interconnection
☐ Restriction
☒ Erasure
☒ Destruction
☐ __________
C. Purposes of the processing
☒ Visitor Relationship Management
☒ Cookie Consent Management
D. Personal Data Processed
| Personal information | Affected individuals | Retention period | Territory |
|---|---|---|---|
| ☒ Identification data, specifically the assignment of a unique identifier to each Visitor to store information regarding their consent; IP address (used to determine which privacy law applies); IDFA (only on the in-app CMP); login data (where the Client expressly shares an external login ID); positive, negative, and mixed consents | ☐ Prospects ☒ Visitors ☐ Employees/interns ☐ Suppliers ☐ Business partners | ☒ Regular data deletion, 12 months after consent is obtained; 5 years for proof of consent. ☒ Ad hoc data deletion at the request of the Data Controller | ☐ France ☒ EU: for hosting and processing, France, the Netherlands, and Belgium ☐ Non-EU countries: United States (no direct access, only via the Cloud Act) |
2. DATA LOCATION
The Processor undertakes to ensure that the Data is stored in accordance with the conditions set forth below. Any change of address must be notified to the Data Controller.
☒ For the hosting of the database and backups by Google Cloud France in Belgium, the Netherlands, and France
☒ For access to and modifications of the database by Google Cloud France in Belgium, the Netherlands, and France
Transfers outside the EU: ☐ YES ☒ NO
It should be noted that a data transfer consists of any communication, copying, or movement of personal data intended to be processed in a country outside the European Union, including any access from a third country.
The company has implemented the following protective measures, which apply solely in the event of a request from the authorities to its subcontractor under the Cloud Act:
| Actor | Country | Selected protective measure (European Commission Standard Contractual Clauses, CNIL Standard Contractual Clauses, Binding Corporate Rules, clauses other than standard clauses with CNIL authorization, PIA) |
|---|---|---|
| Google Cloud | United States | Standard Contractual Clauses (CCT) – pseudonymization + blockchain + encryption |
3. SUBCONTRACTING AND THIRD-PARTY PARTNERS
☐ The subcontractor does not use any further subcontractors
☒ It is hereby agreed that, in connection with the Services provided for in this Agreement, the Processor shall engage the following subprocessors, which the Data Controller acknowledges and accepts:
| Name of subcontractor | Google France |
| Main address | 8 Rue de Londres, Paris, 75009 |
| Description of outsourced services | Hosting, maintenance, and backup |
| Term of the subcontract | Performance time |
| Location of the processing / servers | Hosting, backup, and maintenance within the European Union; potential access from the U.S. (Cloud Act) |
| Subcontracting chain | Yes |
The list of Google Cloud France's subcontractors is available at this link: https://cloud.google.com/terms/subprocessors
The Subprocessor must disclose any subsequent subprocessors by submitting to the Data Controller the form in the Appendix titled “Template for Disclosure of Subsequent Subprocessors” attached to this Agreement.
4. INSTRUCTIONS PROVIDED BY THE DATA CONTROLLER
The instructions are:
☐ Documented in the processing specifications (initial and/or subsequent processing)
☒ Recorded via the ticketing system: by email at support@sfbx.io
☒ Received / confirmed via email
5. RIGHT OF DATA SUBJECTS TO INFORMATION
☒ It is the responsibility of the data controller to provide information to the data subjects at the time of data collection.
☐ At the time of data collection, the Processor must provide the data subjects with information regarding the data processing activities it carries out. The wording and format of this information must be determined by the Data Controller prior to data collection.
Please specify the cases: ________________________________________________________________
6. MANAGEMENT OF THE EXERCISE OF DATA SUBJECTS’ RIGHTS
☒ The Data Controller does not authorize the Processor to respond directly. The Data Controller’s department to which the Processor must forward requests is as follows: Client DPO email address
7. NOTIFICATION OF PERSONAL DATA BREACHES
☒ Under no circumstances shall the Processor communicate with the competent supervisory authority (CNIL).
☒ Under no circumstances shall the Processor contact the individual affected by the personal data breach.
☒ The Processor shall report the breach to the Data Controller at the following address: Client DPO email address
8. SECURITY MEASURES
Since Article 32 of the EU General Data Protection Regulation stipulates that the responsibility for implementing security measures lies with the data controller and the data processor, it is recommended that the responsibilities of each party with regard to the measures to be implemented be clearly defined.
☒ The Subcontractor agrees to comply with the Minimum Security Requirements set forth in Appendix A hereto.
☐ The Subcontractor agrees to complete and comply with the Security and Data Protection Questionnaire.
9. DISPOSAL OF PERSONAL DATA UPON COMPLETION OF SERVICES
Upon completion of the Data Processing Services, the Processor agrees, at the discretion of the Data Controller, to:
☒ Destroy all personal data within 6 weeks.
☒ Return all personal data to the data controller in JSON format via a link within 10 days.
The return must be accompanied by the destruction of all existing copies in the processor’s information systems. Once destroyed, the processor must provide proof of this in the form of a Destruction Report.
10. CONTACT INFORMATION AND PERSONAL DATA
For the performance of the Services, the Data Controller shall provide the Processor with the following necessary information:
☒ Name and contact information of the Data Controller: XXXXXXXXXX
☒ Name and contact information of the Data Protection Officer (DPO) or equivalent of the Data Controller: XXXXXXXXX
☐ The results of the impact assessments conducted prior to processing and affecting the subcontractor:__________
☒ No data protection impact assessment has been conducted by the data controller
☒ The Processor informs the Controller that a DPO has been appointed in the person of Dipeeo, 95 avenue du Président Wilson, 93100 Montreuil, Tel: 09.50.39.07.50
APPENDIX 2 – MINIMUM SECURITY REQUIREMENTS
The security measures implemented on the Platform are at least equivalent to those developed by the CNIL, ANSSI, or the ISO 27001 standard.
For your information, the most recent guides published as of the date of this Agreement are available at the following addresses:
https://www.cnil.fr/fr/principes-cles/guide-de-la-securite-des-donnees-personnelles
https://www.ssi.gouv.fr/guide/guide-dhygiene-informatique/
The Data Controller requested that data transfers to the Processor be carried out as follows:
☐ Subcontractor's FTPS
☐ FTPS of the Data Controller
☐ Subcontractor's SFTP
☐ Client-to-site VPN (provided by the subcontractor)
☐ Password-protected email attachment
☐ Email attachment protected by encryption
☒ IAB Secure Framework
The Processor agrees to implement the following security measures requested by the Data Controller:
☒ Pseudonymization (replacing all or part of the personally identifiable data with an ID)
☐ Anonymization (no way to directly identify the individual or to determine that a dataset corresponds to a single individual)
☒ Encryption of personal data
☒ Technical and/or application-based data silos
☒ Logical and/or physical segregation of data by customer
☒ A procedure to regularly test, analyze, and evaluate the effectiveness of technical and organizational measures to ensure the security of processing:
☒ Vulnerability scan – at least once a year
☒ Penetration test – annual
☐ Code audit – [frequency]
☒ An Information Security Policy (ISP)
☒ An IT Policy
☒ A mechanism/procedure in the event of a security breach or data breach
☒ A procedure for data destruction or return
☐ An automatic data purge procedure every __________________________
☐ A code of conduct, certification demonstrating compliance with security measures, or adherence to a recognized information security standard: _____________________
☐ HDS certification for health data (certified healthcare data host)
The Processor undertakes to implement, at a minimum, the measures necessary to ensure the ongoing confidentiality, integrity, availability, and resilience of the following processing systems and services:
☒ Staff training: on data protection, security procedures, and security systems
☒ Physical security measures governing access to buildings and premises where data is stored
☒ Data access control:
☒ Password protection/encryption
☐ Secure authentication or MFA
☒ A policy for managing rights and authorizations
☒ At least an annual review of clearances
☐ Use of a hardware token plus PIN to unlock workstations
☒ A strict password management policy that adheres to the following minimum requirements: minimum length: 12 characters; complexity: letters (lowercase and uppercase), numbers, and symbols; frequency of change: at least every 180 days; history: previously used passwords may not be reused; limit on the number of login attempts
☒ At a minimum, WPA2 or WPA2-PSK for Wi-Fi networks
☒ Immediate installation of critical updates
☒ No guest access or anonymous accounts
☒ No shared accounts
☒ Minimal access rights management: Accounts are deactivated immediately upon an employee’s departure; employees are granted only the access rights necessary to perform their duties
☐ Traceability of requests to modify permissions
☐ An access logging system
☒ An automatic session lockout procedure in case of inactivity
☒ Protections against malicious and mobile code: antivirus, firewall, EDR
☒ Encryption of mobile devices
☒ Setting up a VPN for mobile devices
The Processor undertakes to implement, at a minimum, the necessary measures to restore the availability of and access to personal data within a reasonable timeframe in the event of the following physical or technical incidents:
☒ A disaster recovery and business continuity plan (DRP/PRA/PCA)
☐ An annual test of the DRP/PRA/PCA
☐ An Incident Response Plan (IRP)
☒ A Security Assurance Plan (SAP)
☒ Backups and archives stored in separate locations
The Subcontractor agrees to:
☒ Securely destroy obsolete records
☒ Erase all data from equipment before disposing of it
In the event of website development or maintenance, the Subcontractor agrees to:
☒ Secure websites: use the TLS protocol and verify its implementation
☒ Make sure no passwords or usernames appear in the URLs
☒ Oversee IT developments – at a minimum, comply with the OWASP Top 10
☒ Test using fictitious or anonymized data
APPENDIX 3: TEMPLATE FOR A SUBCONTRACTOR DECLARATION
DECLARATION BY A SUBCONTRACTOR
Under the Agreement signed between the Parties, the Processor agrees to notify the Data Controller of the use of a subprocessor under the following conditions:
| Name of subcontractor | |
| Main address | |
| Description of outsourced services | |
| Term of the subcontract | |
| Location of the processing / servers | |
| Subcontracting chain | |
It is noted that SFBX remains fully liable to the Data Controller for the subprocessor’s performance of its obligations.
APPENDIX 4: TEMPLATE FOR REPORTING A PERSONAL DATA BREACH
NOTIFICATION OF A PERSONAL DATA BREACH
1. IDENTIFICATION OF THE ENTITY AFFECTED BY THE BREACH
Company name:
Department:
SIRET No.:
Address:
Zip code: City:
2. KEY INFORMATION
2.1 Date and time of the breach
Date and time of the breach itself (if known, or an estimate):
Date: ……/……/………… Time: ……:……
Date and time the breach was detected:
Date: ……/……/………… Time: ……:……
If applicable, the date and time when SFBX was notified by the subsequent processor:
Date: ……/……/………… Time: ……:……
If applicable, the date and time the Customer was notified (within 24 hours of the issue being identified or the subcontractor being notified):
Date: ……/……/………… Time: ……:……
2.2 Circumstances of the breach (check at least one box)
☐ Breach of confidentiality: Personal data has been compromised (unauthorized access or disclosure).
☐ Loss of integrity: Personal data has been altered in an unintended manner.
☐ Loss of availability: personal data has been lost.
General description of the incident:
…………………………………………………………………………………………………………………
Location of the breach:
…………………………………………………………………………………………………………………
Data storage media affected by the breach (server, desktop computer, laptop, backup drive, paper documents, etc.):
…………………………………………………………………………………………………………………
2.3 Nature and content of the personal data in question
Nature of the data concerned:
…………………………………………………………………………………………………………………
Type of personal data involved:
☐ Personal information (e.g., name, gender, date of birth, age, etc.):
…………………………………………………………………………………………………………………
☐ Contact information (e.g., mailing address or email address, landline or cell phone numbers):
…………………………………………………………………………………………………………………
☐ Identification or login credentials (e.g., username, password, customer number, etc.):
…………………………………………………………………………………………………………………
☐ Financial information (e.g., income, credit card number, bank account details, etc.):
…………………………………………………………………………………………………………………
☐ Sensitive data (e.g., philosophical, political, or religious beliefs; union membership; data concerning sexual life or health; racial or ethnic origin):
…………………………………………………………………………………………………………………
☐ Data specifically related to the provision of an electronic communications service (e.g., location or connection data, data regarding internet browsing history, emails sent or received, and detailed phone call logs…):
…………………………………………………………………………………………………………………
☐ Other (please specify):
…………………………………………………………………………………………………………………
☐ Unknown (at this time).
2.4 Technical and organizational measures implemented in response to a personal data breach
Measures taken in immediate response to the breach:
…………………………………………………………………………………………………………………
Recommended actions for those affected:
…………………………………………………………………………………………………………………
Other measures taken or planned to mitigate the impact on those affected:
…………………………………………………………………………………………………………………
Measures taken or planned to return to normal:
…………………………………………………………………………………………………………………
Measures taken or planned to prevent a recurrence of the breach:
…………………………………………………………………………………………………………………
2.5 Use of a third party to provide the service affected by the breach
☐ Yes, please specify the third party’s name and role: subcontractor, service provider, supplier…
…………………………………………………………………………………………………………………
☐ No
3. ADDITIONAL INFORMATION
3.1 Information about the breach
Number of people affected by the breach:
…………………………………………………………………………………………………………………
Potential consequences (impact on data)
The data has been, or is likely to be (you may select multiple options):
In the event of a breach of confidentiality:
☐ … shared more widely than necessary and having escaped the control of the individuals concerned (e.g., widespread or limited dissemination, unintended sharing of a photo online, loss of control over information posted on social media…);
☐ … linked to other information about the individuals concerned (e.g., linking residential addresses with real-time geolocation data…);
☐ … used for purposes other than those intended and/or in an unfair manner (e.g., commercial purposes, identity theft, use against the individuals concerned, etc.).
In the event of a loss of integrity:
☐ … altered into invalid data, which will not be processed correctly; such processing may result in errors, malfunctions, or a failure to provide the expected service (e.g., disruption of important procedures…);
☐ … altered into other valid data, thereby diverting the processing (e.g., exploitation to commit identity theft by altering the link between a person’s identity and the biometric data of others…).
In the event of a loss of availability:
☐ … resulting in services that can no longer provide the expected level of service (e.g., delays or disruptions in administrative or business processes, inability to provide care due to the loss of medical records, inability of affected individuals to exercise their rights…);
☐ … missing from processing and causing errors, malfunctions, or providing a service different from what was expected (e.g., certain allergies are no longer listed in a medical record, certain information on tax returns is missing, which prevents the calculation of the tax amount…).
Potential harm (impacts on those affected)
General description:
…………………………………………………………………………………………………………………
Estimate the severity level (select the level that best fits the description and examples):
| Level | Level Description | Potential damages representative of the level |
|---|---|---|
| ☐ Negligible | Those affected will not be impacted or may experience some minor inconveniences, but nothing serious | Time wasted repeating procedures or waiting to carry them out, minor annoyances… |
| ☐ Limited | Those affected may experience significant inconvenience, which they may be able to overcome despite the difficulties | Additional costs, denial of access to commercial services, fear, minor physical or psychological distress |
| ☐ Significant | Those affected could face significant consequences, which they might be able to overcome, but only with great difficulty | Embezzlement, banking blacklisting, property damage, job loss, legal action, serious physical or psychological harm… |
| ☐ Maximum | Those affected could face significant, even irreversible, consequences that they may not be able to overcome | Financial hardship, such as significant debt or an inability to work; a long-term or permanent physical or psychological condition; death… |
3.2 Breaches involving individuals located in other European Union (EU) countries
…………………………………………………………………………………………………………………