General terms and conditions of sale

     Service

    The Contract consists of the following contractual documents, presented in descending hierarchical order of legal value:

    • The technical and financial proposal;
    • These General Terms and Conditions of Sale;
    • The purchase order(s).

    In the event of a conflict between one or more provisions contained in any of these documents, the higher-ranking document shall prevail.

    ARTICLE 1 – PURPOSE:

    The purpose of these General Terms and Conditions of Sale is to define the contractual conditions under which the Service Provider provides the Client with the Services described within the Technical and financial proposal accepted by the Client.

    Any firm order accepted by the Provider implies for the Client unreserved acceptance of these General Terms and Conditions of Sale notwithstanding any contrary clauses and stipulations appearing in particular on the correspondence or any other document of the Client, unless expressly agreed otherwise in writing by the Provider.

    ARTICLE 2 – ENTRY INTO FORCE – DURATION:

    The General Terms and Conditions of Sale come into effect on the date of signature by the Parties. The Contract is concluded for the initial term specified in the Technical and financial proposal or the Purchase order.

    In the absence of termination of these Conditions one (1) month before the end of the initial term, they will be tacitly renewed under the same terms. 

    ARTICLE 3 – FINANCIAL CONDITIONS:

    The Provider's remuneration is set as indicated in the Appendix "Technical and financial proposal". The prices stipulated are fixed, lump-sum and final for the scope of the Services provided for in the Contract. Remuneration is expressed in euros excluding taxes. Prices are subject to VAT at the rate in effect on the date of invoicing. Prices are inclusive of all costs, including those related to personnel assigned to the performance of the Services. Payment must be made at the Provider's registered office. Any payment made to the order of representatives or agents of the Provider does not discharge the Client's obligation. Unless otherwise stipulated:

    • Invoicing is done in a single instalment once the Service Provider has received the purchase order;
    • Invoices are payable within thirty (30) days net from the invoice date;
    • Without prejudice to any other rights and remedies of the Provider, sums unpaid by the Client on their due date shall give rise to late payment interest at three times the legal interest rate and to a fixed compensation of 40 euros for recovery costs.

    In the event of the Client's failure to meet any payment deadline, the Provider will grant the Client a period of fifteen (15) business days from the invoice due date to settle the outstanding amount. Upon expiry of this period, without prejudice to its other rights, the Provider reserves the right to send the Client a formal notice to fulfil its payment obligation by registered letter with acknowledgment of receipt. At the end of this period, the Provider may also suspend the performance of the Services, terminate the Contract automatically, and demand the return of any equipment, software, data, documents or files made available to the Client in connection with the performance of the Contract and of which the Provider has retained ownership, until the Client has fulfilled all of its obligations. In this respect, the Provider shall not be held liable for any damages suffered by the Client.

    All orders imply full and complete acceptance of this clause.

    ARTICLE 4 – CUSTOMER OBLIGATIONS:

    The Client is subject to an obligation to cooperate; as such, the Client must: 

    • Transmit any information and document necessary for the performance of the Services, either on its own initiative or at the express request of the Provider, subject to their availability and to confidentiality constraints with regard to the purpose of the Contract.

    The Client is informed, and accepts, that the addition of hardware or software to its information system during the term of this Contract may result in a change to the nature, scope and/or cost of the Services. The Client has determined, under its own responsibility or with the assistance of its advisors, its own objectives and the suitability of the Services to those objectives. In particular, the Client is responsible for:

    • Having qualified staff;
    • Attending, where the Services so provide, all monitoring committees, and signing, or justifying the absence of its signature on, the acceptance reports;
    • Providing the Provider with all the information, documents and resources necessary for the proper execution of the Services, and immediately informing the Provider of any event that may hinder, prevent or delay the performance of the Services;
    • Guaranteeing to the Provider that it holds all ownership and access rights, or has obtained the agreement of any third parties whose information systems fall within the scope of the Services.

    Furthermore, in the case of Services of the "penetration test" and "security audit" type, the Client warrants to the Provider that it has taken all necessary security measures to prevent any incident affecting the elements within the scope of the Services (such as data alteration, unavailability or loss). In particular, the Client warrants to the Provider that it has performed all necessary backups of data and software configurations.

    ARTICLE 5 – OBLIGATIONS OF THE SERVICE PROVIDER 

    Unless otherwise stipulated, the Provider undertakes an obligation of means. Notwithstanding the foregoing, the following obligations constitute obligations of result for the Provider: 

    • the performance of the Services;
    • the provision of Deliverables defined as such;
    • compliance with the financial conditions agreed upon by the Parties;
    • compliance with its confidentiality obligation as stipulated in the "Confidentiality" Article.

    The Service Provider is also subject to an obligation to provide information, advice and warnings regarding the subject matter of these General Terms and Conditions of Sale. In this respect, the Service Provider must:

    • Request any information or details that it deems necessary for the execution of the Contract, and ensure that the information provided meets its request;
    • Notify the Client, as soon as it becomes aware of it, of any element, event or action likely to affect the proper performance of the Contract, take all necessary measures within its power to remedy it, and monitor the implementation of these measures.

    Furthermore, the Provider undertakes to perform the Services in strict compliance with applicable regulations and best practices. In particular, the Provider must implement all appropriate technical and organizational security measures to ensure the secure performance of the Services. 

    In the case of Services of the "penetration test" and "security audit" type, the Provider guarantees to the Client that these Services exclude any social engineering operations and any assessment of the availability of components of the Client's information system (such as a "DDoS attack"). Notwithstanding the foregoing, the Client is informed and accepts that the Services may involve access and persistence operations within its information system.

    In the case of Services of the "Red Team" or "Threat Hunting" type, the Client is informed and agrees that the Services involve operations to gain access to and maintain control of its information system (including phishing attempts), social engineering, and physical intrusion into its premises. The Provider guarantees to the Client that these operations are not fraudulent and are carried out by qualified, experienced, identified and authorized personnel. Furthermore, the Provider is prohibited from any unlawful use, for its own benefit or the benefit of third parties, of security vulnerabilities discovered during the performance of the Services.

    In the case of technical assistance services, the Provider is solely responsible for defining the required profile and the number of team members assigned to perform the Services. All personnel assigned, in whole or in part, to perform the Services remain, under all circumstances, under the sole hierarchical and disciplinary authority of the Provider, who is solely responsible for their administrative and human resources management.

    ARTICLE 6 – PROMOTIONAL USE OF THE CLIENT'S BRANDS AND LOGO 

    Unless the Client expressly objects, the Service Provider may use references to the Client (including logo, trade name, trademarks, existence of the Contract, etc.) in its promotional or institutional communications. The Service Provider agrees not to disclose any details of the actions actually performed during the execution of the Services, and to comply with the Client's graphic charter and any conditions communicated to it. This authorization to use the trademark and logo will continue for a period of five (5) years after the expiry of the General Terms and Conditions of Sale.

    ARTICLE 7 – LIABILITY:

    The Parties expressly agree that the Service Provider shall be liable for all direct, tangible and intangible damages caused to the Client resulting from a delay in, or failure to perform, its contractual obligations as defined in the Contract. The Service Provider shall not be liable for indirect damages.

    The Provider's contractual liability is limited, per event giving rise to the claim (all direct damages combined), to one (1) times the total amount excluding VAT of the Contract.

    This limitation of liability does not apply to personal injury, nor to damages resulting from gross negligence or willful misconduct, or to actions relating to intellectual property or the protection of personal data, as well as to other cases usually recognized by law and the courts.

    ARTICLE 8 – PENALTY 

    The Client acknowledges that delaying the start of the Services causes harm to the Provider. Therefore, if the Client decides to postpone the start of the Services less than thirty (30) calendar days before the scheduled date, it agrees to pay a penalty of fifty (50) percent of the total Contract amount excluding VAT.

    If the Services cannot begin on the scheduled date because the Client has not provided all the necessary information and/or data within a sufficient timeframe, the Service Provider will also be entitled to apply the penalty.  

    ARTICLE 9 – REGULATIONS CONCERNING LABOR LAW

    The Service Provider declares that it complies with the provisions of Articles L. 8221-1 et seq. of the French Labor Code concerning undeclared work and the provisions of Articles L. 8251-1 et seq. of the French Labor Code concerning foreign workers, with respect to the individuals it employs. Consequently, the Service Provider undertakes to comply with, and ensure that its potential subcontractors comply with, the labor laws applicable at the location where the Services are performed. In particular, the Service Provider agrees not to use undocumented labor.

    Furthermore, the Provider certifies that it, its suppliers and/or subcontractors do not use child labor or any other type of labor in violation of the fundamental principles accepted by the International Labour Organization. 

    ARTICLE 10 – PROFESSIONAL LIABILITY INSURANCE:

    The Provider declares that it is insured for civil, operational and professional liability, so as to cover the financial consequences for the Client of bodily injury, material and intangible damage, whether consequential or not, for which the Provider would be liable, caused by any event due to the Provider and which would be in particular due to its employees or possible subcontractors during the performance of the Services, which are the subject of the Contract.

    This insurance was taken out with a reputable and solvent insurance company and, at the Client's request, a certificate of the policy taken out and proof of renewal on each anniversary date of the policy subscription must be provided.

    Such insurance must be maintained for the entire duration of the Contract.

    In the event of any modification to all or part of its insurance policies which is not attributable to the Provider, the latter undertakes to take all necessary steps, at its own expense, to ensure without any interruption the coverage as specified in its certificate and to provide a new certificate to the Client.

    If the Service Provider, for reasons beyond its control, can no longer be covered by an insurance policy, it undertakes to notify the Client immediately upon becoming aware of this fact. The Client may then, as of right, invoke the "Termination" clause below to terminate the Contract immediately.

    ARTICLE 11 – CONFIDENTIALITY:

    The Parties agree that all written or oral information obtained from the other Party during the negotiation and performance of this Contract is confidential. The Parties undertake to take all necessary measures to protect the confidentiality of this information.

    Confidential Information includes in particular information relating to the Contract and the Services, and/or data of a scientific, technical, technological, commercial, social, financial, legal or any other nature whatsoever, patentable or not, such as, but not limited to, plans, drawings, specifications, processes, know-how, designs, methods, studies, volumes of requirements, software or software packages, prospects, and names of clients or partners, communicated directly or indirectly to the other Party, in any form, on any medium, and in any way whatsoever, including orally, in writing, in the form of printed or computer documents, electronically, in the form of samples or models, or in the form of visual data (hereinafter collectively referred to as "Confidential Information").

    Wherever possible, the confidential nature of this information and/or data will be:

    • Indicated by appropriate markings on the media on which it is communicated;
    • Reiterated, by any means, at the time of each communication, together with the date of that communication and a reference to the General Terms and Conditions.

    It is nevertheless specified that the absence of such mentions and/or reminders when one of the Parties communicates Confidential Information will have no impact on its classification as Confidential Information and on the obligations incumbent upon the other Party relating to its processing in accordance with the terms defined by these stipulations.

    • Each Party undertakes to use the Confidential Information of the other Party only for the purposes set out in the General Terms and Conditions.
    • Each Party undertakes not to reproduce, represent, or disclose this information to persons other than its employees who need to know it in order to achieve the objectives set out in the General Terms and Conditions of Sale, except with the prior written consent of the other Party.
    • Each Party undertakes to ensure that its employees comply with this clause.
    • Each Party undertakes to take all necessary measures to protect the Confidential Information of the other Party and shall refrain from reproducing, representing, or disclosing it to any third party without the prior written consent of the other Party. "Third party" means any natural or legal person other than the Service Provider or the Client.
    • Each Party retains full and complete ownership of the Confidential Information it communicates to the other Party under the General Terms and Conditions of Sale.

    This clause shall in no way be interpreted as conferring on the Party receiving the Confidential Information any right whatsoever (under a license or by any other means) to all or part of such Information.

    • Each Party undertakes not to acquire any industrial and/or intellectual property rights on the basis of Confidential Information received from the other Party.

    In cases where some of this information is particularly sensitive, a confidentiality agreement may be concluded between the Client and the Service Provider, which will include details of the measures referred to in paragraph 1 of this article. The provisions of this confidentiality agreement will prevail over those of this article.

    • Each Party undertakes to comply with the obligations arising from this article for the entire duration of this Contract and for five (5) years following its expiry.

    The Provider also undertakes to apply these confidentiality commitments to all its subcontractors involved during the term of the Contract.

    ARTICLE 12 – INTELLECTUAL PROPERTY:

    The Provider hereby assigns to the Client, upon their complete and final delivery, all proprietary rights it holds in each Deliverable as defined by the Parties, produced under this Agreement solely for the Client's benefit. This assignment is granted on an exclusive and non-transferable basis, worldwide, and for the entire legal term of protection of the intellectual property rights relating to the Deliverables. The Parties have agreed that the price of the assignment is included in the monthly price of the Services.

    The rights transferred include, in particular:

    • The right to reproduce or have reproduced the Deliverables, without limitation of number, in whole or in part, by all means and processes both current and future, known or unknown, on all media and materials both current and future, known or unknown, and in particular on paper or derivative media, plastic, digital, magnetic, electronic or computer media, by download, videogram, CD-ROM, CD-I, DVD, disk, floppy disk or network;
    • The right to represent or have represented the Deliverables, by all current or future means of dissemination and communication, known or unknown, in particular by any online telecommunication network, such as the Internet, intranet, digital television network, terrestrial transmission, satellite, cable, WAP, interactive telematics system, downloading, teletransmission, and wired or wireless telephone networks;
    • The right to adapt, modify, transform and develop, in whole or in part, the Deliverables, to record, store, archive and digitize them, in any form, modified, abridged, condensed or extended, to integrate all or part of them into existing or future works, on any paper, digital, magnetic or optical medium and in particular the Internet, disk, floppy disk, tape, CD-ROM or listing;
    • The right to translate or have translated the Deliverables, in whole or in part, into any language, and to reproduce the resulting Deliverables on any medium, paper, digital, magnetic, optical or electronic, and in particular on the Internet, disk, floppy disk, tape, CD-ROM or listing;
    • The right to use the Deliverables solely for the needs of its own activities exclusively and for the preservation or defense of its legitimate interests.

    Notwithstanding the foregoing, the rights granted expressly exclude the rights to market, distribute, sell, disseminate the Deliverables, or exploit the Data, by any means, including sale, rental, and loan, whether free of charge or for a fee. As an exception, the Client may disclose the Deliverables to any third party that needs to know them for the protection of its information system, as well as to any third party that needs to know them for the Client's compliance with a regulatory or legal obligation. 

    In consideration and from the moment of the transfer of the intellectual property rights of each Deliverable, the Client authorizes the Provider to use the Deliverables, exclusively, non-transferably, worldwide, on any medium and by any means, for the entire duration of the Contract and solely for the purpose of performing the Services.

    ARTICLE 13 – WARRANTY AGAINST EVICTION 

    The Provider warrants that it holds all rights relating to the Deliverables, including intellectual property rights. The Provider warrants that the Deliverables do not constitute infringement and that this assignment does not infringe upon the rights of any third party. Under these conditions, the Provider guarantees the Client's peaceful enjoyment of the Deliverables against any disturbance, claim or eviction, and against any action for infringement and/or unfair or parasitic competition relating thereto.

    The Provider will not be bound by this guarantee if: 

    • The Client did not notify the Provider in a timely manner of the existence of such an allegation, action or claim by providing all the information, details, documentation in its possession relating to said allegation, action or claim, to enable it to intervene in any possible judicial or arbitration proceedings and to provide the necessary assistance to the Client.  
    • The allegation, action, or claim relates to all or part of a Deliverable modified by the Client without the Provider's prior written authorization. 
    • The Client has made use of the Deliverables in a manner inconsistent with the purpose of this Contract. 

    In the event that a prohibition on the use of one or more Deliverables is issued following legal action or as a result of a settlement, the Provider undertakes, without prejudice to any damages that the Client may be entitled to claim from the Provider, to:

    • obtain, at its own expense, the right for the Client to continue to use the offending element, without limitation and without payment by the Client of any sum whatsoever; or
    • failing that, modify or replace, at its own expense, the offending item so that it ceases to be subject to the claim, it being understood that such modification or replacement must not impair the characteristics and performance of the offending item; or
    • subject to the Provider demonstrating the impossibility of implementing either of the solutions referred to above, reimburse the Client on first request for all sums received in consideration of the Client's purchase of the item in question and any associated service.

    ARTICLE 14 – TERMINATION:

    • ARTICLE 14.1 – TERMINATION FOR BREACH:

    In the event of a breach of contract by either Party, the aggrieved Party shall send a registered letter with acknowledgment of receipt formally requesting that the breach be remedied within thirty (30) business days of receipt of said letter. If, after this period, the defaulting Party has not remedied its breach, the aggrieved Party may terminate the Contract automatically by sending a further registered letter with acknowledgment of receipt, without any compensation being due to the defaulting Party, and without prejudice to any damages to which it may be entitled.

    Notwithstanding the foregoing, if the Client terminates this Agreement for breach of the Provider's contractual obligations, the Client shall pay the remaining balance due for the licenses purchased by the Client from the Provider. 

    Receipt of this letter will automatically trigger the Reversibility procedure stipulated in the Contract. If requested by the relevant departments, the termination will take effect upon signature of the minutes of the Reversibility phase.

    • ARTICLE 14.2 – TERMINATION WITHOUT FAULT:

    Each Party may also terminate the Contract by registered letter with acknowledgment of receipt, without prior notice or formal demand and without any compensation being due to the other Party in the following cases:

    • The other Party becomes the subject of insolvency proceedings, unless the court-appointed administrator decides, within the time limits set by law, to continue the Contract;
    • Change of control (within the meaning of Article L. 233-3 of the French Commercial Code) of the other Party, whereby it comes to be held directly or indirectly by a competitor of the Party invoking the termination;
    • Non-performance of the Contract by the other Party for a period of more than thirty (30) calendar days due to a case of force majeure occurring during the performance of the Contract.

    • ARTICLE 14.3 – TERMINATION:

    Notice of non-renewal / termination

    The Client undertakes to notify the Provider in writing of its intention not to renew the Contract (or to cease the Services at expiry) at least two (2) months before the Expiry Date.

    If this minimum notice period is not respected, the effective date of termination of the Services will be automatically postponed to cover a full notice period of two (2) months from the date of receipt of the notification by the Provider, unless otherwise agreed in writing by the Parties. Fees applicable during this period will remain due.

    Reversibility – duration and scope

    Upon cessation of the Services, for whatever reason, the Provider shall implement a reversibility phase of a minimum duration of one (1) month from the effective date of cessation, in order to allow the Client to ensure the continuity of its SOC operations with a third party or internally.

    Reversibility covers at a minimum:

    • The development and execution of a reversibility plan including governance, planning and dependencies;
    • Knowledge transfer (handover sessions, runbooks, playbooks, escalation matrices).

    Any additional reversibility service requested by the Client beyond the scope above will be subject to written validation (service order and additional invoicing according to the financial conditions defined below).

    Financial conditions of reversibility

    The Client undertakes to pay the Provider, for reversibility purposes, a minimum package equivalent to one (1) month of services, calculated on the basis of the average of the recurring monthly fees billed during the last three (3) months (excluding variable usage, third-party fees and exceptional discounts).

    External costs and expenses (third-party licenses, temporary storage, media transport, couriers, etc.) incurred for reversibility purposes are billed at cost.

    The reversibility fee is payable on the start date of the reversibility phase, regardless of whether the Client decides to use all or part of the reversibility services. [Option to be discussed: in the event of termination due to serious and exclusive fault on the part of the Provider, this fee may not be charged.]

    Service levels during reversibility

    Unless otherwise agreed, the service levels (SLAs) applicable to the SOC Services remain applicable during the reversibility period, to the extent compatible with the cutover and disengagement operations validated by the Parties.

    Client's Cooperation Obligations

    The Client shall provide in a timely manner the resources, technical access, information, contacts and validations necessary for the proper execution of the reversibility.

    The Client guarantees the availability of its successor provider (if applicable) and the conformity of its technical environments with the prerequisites communicated by the Provider.

    Data, security and compliance

    At the Client's instruction, the Service Provider will securely delete any remaining data and provide a certificate of deletion. The confidentiality obligations remain in effect after the termination of the Contract.

    The processing of personal data carried out within the framework of reversibility is carried out under the same data protection conditions as those applicable during the performance of the Contract.

    Effect of failure to respect the notice period

    The Client's failure to comply with the minimum notice period of two (2) months does not affect the enforceability of the reversibility fee provided for in Article 3 and may result in the extension of the Services until the completion of a full notice period, with billing of the corresponding fees.

    Hierarchy and consistency

    This clause prevails over any conflicting provision relating to the notice of non-renewal and reversibility contained elsewhere in the Contract, unless expressly amended. 

    ARTICLE 15 – ASSIGNMENT OF CONTRACT:

    The Parties agree that the Contract was entered into intuitu personae. Consequently, neither Party may assign the Contract, in whole or in part, to a third party without the prior written consent of the other Party, particularly in the event of a change of control (within the meaning of Articles L. 233-1 and L. 233-3 of the French Commercial Code) or partial transfer of assets. 

    Failure by one Party to comply with the obligations arising from this article entitles the other Party to terminate the Contract, by sending a registered letter with acknowledgment of receipt, and without any compensation being due to the defaulting Party.

    ARTICLE 16 – CYBER THREAT INTELLIGENCE OPTION 

    If, as part of its Services, the Client has also subscribed to a CTI option, it is informed that during the implementation of this option, the Provider's robots may incidentally consult sites containing child pornography or discriminatory content, sites inciting violence, terrorism, crimes against humanity or attacks on human dignity, or sites serving as a platform for the trade of weapons, drugs or other illicit goods.

    The Client is informed that these consultations are in all cases the result of the accidental actions of robots participating in the provision of the Services. In any event, the Provider undertakes not to store any illegal content originating from such websites. However, the Provider will comply with its legal obligation to report illegal content to the National Gendarmerie and the Police via the PHAROS platform, should it become aware of such content potentially concerning one or more of the Client's Data items listed in the Technical and Financial Proposal.

    The Client agrees not to take any action that may hinder or prevent the Provider from fulfilling this obligation. 

    Furthermore, the Client agrees that it will not be notified by the Provider if the latter is required to make the aforementioned report.

    Under the CTI option, the Provider will conduct ongoing data collection from open sources on the internet, based on the scope (keywords and areas of interest) of the Client's service, using predefined and regularly updated methods and actions, in strict compliance with applicable laws and regulations.

    The Client is informed that this research and data collection phase is essential for the performance of the Services. To this end, the Client authorizes the Provider, for the duration of the Contract, to carry out the following actions on its behalf, without this list being exhaustive and with the exception of acts expressly prohibited, in particular Articles 323-1 et seq. of the French Penal Code: 

    • to access, on an ad-hoc and targeted basis, all or part of an open storage space accessible on the Internet, 
    • to reproduce, collect and analyze data within the scope to be supervised, regardless of the nature or type of data, in accordance with the regulations applicable to the protection of said data. 

    Data collection operations using open sources remain strictly aligned with the objectives of the Contract and are governed by access and storage procedures implemented by the Provider in compliance with security and confidentiality requirements. Also within the framework of the CTI option, the Client indemnifies the Provider against any claim or action that may be brought against it as a result of the use of the data or Deliverables resulting from this option, by the Client or a third party, that is non-compliant with the Contract, fraudulent, unlawful, or illegal. 

    If the CTI option is an advanced verification service or any one-off service related to a digital investigation concerning a suspected or confirmed data breach, the Provider reserves the right to refuse it if it deems the actions requested by the Client to be disproportionate to the risk incurred by the Client due to the suspected or confirmed data breach. The Client acknowledges that an advanced verification service or any service related to a digital investigation may constitute criminal offenses, including offenses such as unauthorized access to an automated data processing system, receiving stolen goods, and breach of trade secrets, and that these offenses may be attributed to both the Client and the Provider. 

    In this respect, and notwithstanding the provisions of the Liability clause, the Client agrees to assume full responsibility in the event of any legal or extrajudicial dispute concerning any of the cases mentioned above. Specifically, in the event of any legal or extrajudicial dispute involving or initiated against the Service Provider, the Client must intervene in the proceedings and bear all costs of the Service Provider's defense (proceedings, bailiffs, lawyers, etc.), as well as any compensation resulting from a judgment or settlement. 

    ARTICLE 16 – PERSONAL DATA:

    • ARTICLE 16.1 – COMMITMENT OF THE PARTIES:

    Within this article, the terms "data controller" and "subcontractor" have the meaning given by Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter the "GDPR").

    In this regard, it is expressly stipulated that the Client acts as the data controller and the Service Provider as the data processor.

    In this respect, the subcontractor processes personal data only on documented instructions from the data controller and within the framework of the specific purpose(s) of the processing, unless otherwise instructed by the data controller or unless it is required to carry out the processing under Union law or the law of the Member State to which it is subject.

    The subcontractor implements technical and organizational measures to ensure the security of personal data against destruction, loss, alteration, and unauthorized disclosure. Access to personal data is granted only to personnel performing the processing necessary for the execution of the Services covered by this Contract, and the subcontractor ensures that personnel authorized to process the data commit to respecting its confidentiality. 

    The Parties must be able to demonstrate their compliance with this article. The processor shall provide the controller with the information necessary to demonstrate compliance with the obligations described in this article. The processor shall allow the controller, at the controller's request, to conduct audits of processing activities, limited to once a year and subject to thirty (30) days' notice. The controller may conduct this audit itself or appoint an independent auditor. Where an independent auditor is appointed, the processor may object if that auditor engages in economic activities that compete with the processor's own. 

    The Parties also undertake to make available to the competent supervisory authority the necessary information, including the results of any audit. 

    In the event that the subcontractor is authorized to use a subsequent subcontractor for processing operations, it shall ensure that the subsequent subcontractor complies with the obligations to which it is itself subject under the GDPR. 

    More generally, the subcontractor undertakes to comply with its obligation to provide assistance. In particular, it assists the data controller in complying with its obligation to carry out an impact assessment, its obligation to consult the supervisory authority if the impact assessment indicates that the processing presents a high risk, as well as all the obligations provided for in Article 32 of the GDPR. 

    In the event of a personal data breach, the processor shall cooperate with the controller and assist the controller in complying with its obligations under Articles 33 and 34 of the GDPR. 

    If the subcontractor fails to meet its obligations, the data controller may order the subcontractor to suspend the processing of personal data until it complies with these obligations. The data controller is entitled to terminate the Contract under the conditions set forth in the Termination for Breach clause if the subcontractor has not complied with its obligations.

    If, after being informed by the subcontractor that its instructions infringe or are contrary to the GDPR, the data controller insists that said instructions be carried out anyway, the subcontractor is entitled to terminate this Contract. 

    Upon termination of the Contract, for whatever reason, the subcontractor, at the controller's discretion, shall delete or return all personal data and certify to the controller that it has indeed deleted the data and all existing copies. The subcontractor shall continue to ensure its compliance with this article until the data is deleted or returned.

    • ARTICLE 16.2 – DESCRIPTION OF THE PROCESSING

    Data subjects: employees, service providers, and the Client's customers. 

    Personal data processed: first and last names, usernames (login) and passwords, nicknames, email addresses, and IP addresses. This processing does not involve sensitive data. 

    Nature of the processing: access, analysis, collection, storage and deletion of data. 

    Purpose of the processing: to ensure the level of security and the absence of technical anomalies on the information system covered by the processing. 

    Duration of the processing: the time required to complete the service stipulated in the Contract.  

    To perform these services, the subcontractor uses hosting centers for its IT equipment. These hosting providers will store the data for the duration of the service; they are listed in Article 16.4 – List of Subsequent Subcontractors.

    • ARTICLE 16.3 – TECHNICAL AND ORGANIZATIONAL MEASURES

    The subcontractor implements technical and organizational security measures, including:  

    User authentication and authorization procedure: access rights are assigned to individual accounts, each with a profile tailored to its specific needs, based on the principle of least privilege. Password policies comply with CNIL recommendations. Access is deactivated upon employee departure or transfer to another department and is reviewed regularly.

    Data minimization process: the results of the processing are communicated to the Client in the form of a report containing conclusions and statistics, without any raw, non-anonymized data. 

    Encryption mechanisms: in transit (for internal communications within the information system as well as for external communications). At rest, the most security-sensitive elements can be encrypted. At the infrastructure level, the volumes used for backup storage are encrypted to prevent access to the data by unauthorized administrators.

    Securing data exchange (TLS protocol or other): Client access to the systems is via an HTTPS tunnel configured to the state of the art. Technical administrative access and application communications within the infrastructure are encrypted using TLS (1.2 and 1.3) or SSH. Remote access is performed via a dedicated IPsec VPN.

    Backup: daily backups of the information system are performed. Backup volumes are encrypted and require intervention from a business administrator to unlock access to the backups. Backups are cross-stored between the two data centers. The data centers hold state-of-the-art security and quality certifications: TIER 3+, ISO 9001, and ISO 27001.

    Business continuity plan: the information system underlying the processing is designed to be resilient and relies on a set of mechanisms providing replication and high availability across the different layers (networks, infrastructure, systems). Information is backed up using a cross-site backup scheme, with a daily backup plan. Restoration tests are performed regularly. The entire information system is subject to a continuous improvement plan driven by development needs and event processing.

    Antivirus and firewall software: all Intrinsec Security workstations are protected locally by an enforced automatic update mechanism, antivirus software, a local firewall, and a policy enforcing full encryption. Servers are protected at a minimum by an update process, antivirus software for applicable systems, a local firewall for critical servers, a security policy, and log processing.

    Employee training and awareness: the security management structure is set out in internal regulations, an attached IT charter, and a code of ethics and professional conduct. Operational staff receive specific awareness training tailored to their operational context, at a minimum during onboarding and then through regular face-to-face meetings. All non-technical staff receive cybersecurity awareness training through a MOOC that addresses the topic from the perspective of IT system users.

    Premises protection: access to the premises is secured by nominative access control associated with a register. An alarm and video surveillance system and fire detection are deployed. A security zone classification policy is established, with access control means adapted to each zone; visitors are admitted only when accompanied and only to certain areas. The equipment associated with the information system is protected in the data center.

    Incident reporting: Intrinsec has defined, as part of its GDPR compliance, a process for handling incidents specific to personal data, taking into account the time requirements stipulated by the GDPR.

    In addition to these security measures, the Service Provider reminds the Client that it is PASSI LPM certified by ANSSI.

    • ARTICLE 16.4 – LIST OF SUBSEQUENT SUBCONTRACTORS

    Interxion PAR-7, 1-3 rue Râteau, 93120 La Courneuve, FRANCE: hosting center for the subcontractor's computer equipment.

    EQUINIX 6 10 rue Waldeck Rochet, Building 520, 93300 Aubervilliers, France: hosting center for the subcontractor's IT equipment.

    CYCLAD FRANCE, SARL, 885 avenue du Docteur Julien Lefebvre, Villeneuve Loubet (06270): access, analysis, and collection for part or all of the services in the event of their subcontracting. 

    ARTICLE 17 – GENERAL PROVISIONS:

    The Contract is governed by and construed in accordance with French law.

    The invalidity of any article of this Agreement shall not render the entire Agreement invalid. Any dispute arising from the interpretation or performance of this Agreement and its consequences shall first be subject to an attempt at amicable resolution. Should this pre-litigation procedure fail, the dispute shall be submitted to the Commercial Court of Nanterre and shall be adjudicated in accordance with French law.