DATA PROTECTION AGREEMENT

Last update: 19/12/2022.

This data protection agreement (hereinafter referred to as the "Agreement") applies to the processing carried out by Nabla Technologies (hereinafter referred to as "NABLA" or the "DATA PROCESSOR"), a simplified joint stock company whose registered office is located at 22 rue Chapon 75003 Paris and which is registered in the Paris Trade and Companies Registry under number 838 878 155, on behalf of a client (hereinafter referred to as the "CLIENT") who has signed a license and maintenance contract (hereinafter referred to as the "Contract") for the use of the communication solution developed by NABLA.

NABLA and the CLIENT are hereinafter together referred to as the "Parties".


The terms reproduced below shall be understood within these provisions as defined in Article 4 of the GDPR:

"Agreement": this Data Protection Agreement, as set forth in the header hereof, together with any annexes and riders thereto;

"Controlling Authority": the competent control authority in France is the Commission Nationale de l'Informatique et des Libertés (CNIL), an independent administrative authority in charge of regulating the use of personal data. It assists professionals in their compliance and helps individuals to control their personal data and exercise their rights;

"Consent" of the Data Subject: any free, specific, informed and unambiguous expression of will by which the Data Subject accepts, by a declaration or by a clear positive act, that Personal Data concerning him or her be processed;

"Recipient": the natural or legal person, public authority, service or any other body that receives communication of Personal Data, whether or not it is a Third Party;

"Personal Data": any information relating to an identified or identifiable natural person (referred to as the "Data Subject"); an "identifiable natural person" is a natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data or an online identifier, or to one or more factors specific to his or her physical, physiological, genetic, mental, economic, cultural or social identity;

"Health-related Data" or "Health Data": Personal Data relating to the physical or mental health of a natural person, including the provision of health care services, that reveal information about the individual's health status;

"Right to limitation of processing": the right of a person to obtain from the DATA CONTROLLER the limitation of processing, under certain conditions;

"Right to portability": the right of an individual to receive Personal Data concerning him or her that he or she has provided to a DATA CONTROLLER, in a structured, commonly used and machine-readable format, and to transmit such data to another DATA CONTROLLER without hindrance from the DATA CONTROLLER to whom the Personal Data were provided;

"Right to be forgotten and digitally erased": the right of an individual to obtain from the DATA CONTROLLER the deletion, as soon as possible, of Personal Data concerning him or her, under certain conditions;

"Right of access of the data subject": the right of an individual to obtain from the DATA CONTROLLER confirmation as to whether or not Personal Data relating to him or her are being processed and, where they are, access to such Personal Data and to certain information;

"Right to request the rectification": the right of an individual to obtain from the DATA CONTROLLER, as soon as possible, the rectification of Personal Data concerning him or her that are inaccurate, or the completion of Personal Data that are incomplete;

"Right to object and delete": the right of an individual to object at any time, on grounds relating to his or her particular situation, to certain processing of Personal Data concerning him or her, including profiling;

"Right to organize the fate of one's personal data after death": the right of an individual to define general or specific directives regarding the retention, erasure and communication of his or her Personal Data after his or her death;

"Purpose of the processing": the processing objectives defined in Annex 1 of this Agreement;

"Third countries": countries outside the European Union not subject to an adequacy decision by the European Commission under Article 45 of the GDPR;

"Regulation": all legal and regulatory texts applicable in France and in the European Union regarding the protection of Personal Data, in particular Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (hereinafter referred to as the "GDPR") and Law No. 78-17 of 6 January 1978, as amended, on information technology, files and freedoms, as it exists and as it may be amended during the term of the Contract (hereinafter referred to as the "LIL Law") (collectively referred to as the "Regulation");

"DATA CONTROLLER": the natural or legal person, public authority, service or other body which, alone or jointly with others, determines the purposes and means of the Processing. Annex 1 to this Agreement lists the various Data Controllers, the Processing operations and their purposes implemented within the framework of the Project which is the subject of the Contract;

"DATA PROCESSOR" or "Tier 1 DATA PROCESSOR": the natural or legal person, public authority, service or other body that processes Personal Data on behalf of the DATA CONTROLLER. Annex 1 of this Agreement lists the various Data Processors and their purposes implemented within the framework of the Project that is the subject of the Contract;

"Tier 2 DATA PROCESSOR" or "SUBSEQUENT DATA PROCESSOR": a Data Processor engaged by a DATA PROCESSOR to carry out specific Processing activities on behalf of the DATA CONTROLLER. Annex 1 to this Agreement lists the various Tier 2 Data Processors and their purposes implemented under the Project that is the subject of the Contract;

"Third Party": any natural or legal person, public authority, service or body other than the Data Subject, the DATA CONTROLLER, the DATA PROCESSOR and the persons who, under the direct authority of the DATA CONTROLLER or the DATA PROCESSOR, are authorized to process Personal Data, within the meaning of Article 4.10 of the GDPR;

"Processing of Personal Data" or "Processing": any operation or set of operations, whether or not carried out by automated means, applied to Personal Data or sets of Personal Data, such as collection, recording, organization, structuring, retention, adaptation or alteration, retrieval, consultation, use, communication by transmission, publication or any other form of provision, alignment or interconnection, limitation, erasure or destruction, within the meaning of Article 4.2 of the GDPR. The Processing operations are described in Annex 1 to this Agreement and, more generally, in the Contract concluded between the Parties;

"Personal Data Breach": a breach of security resulting in the accidental or unlawful destruction, loss, alteration or unauthorized disclosure of Personal Data transmitted, retained or otherwise processed, within the meaning of Article 4.12 of the GDPR.

Capitalized terms not defined in this Article shall have the meaning given to them in Article 1 "Definition" of the Contract.

NABLA has designed and developed a digital solution composed of various functional modules processing health data, hereinafter referred to as the "Solution". These modules include SDKs (Software Development Kits) and APIs with artificial intelligence functionalities as well as a Communication Console whose functionalities are described in the Documentation made available to its clients by NABLA.

The Parties have entered into a Contract (hereinafter referred to as the "Contract") involving the implementation of Personal Data Processing by NABLA as a DATA PROCESSOR on behalf of the CLIENT, the CLIENT acting either as a DATA CONTROLLER or as a DATA PROCESSOR; in the latter case, NABLA acts as a SUBSEQUENT DATA PROCESSOR, for the purposes and in the context of the deployment of the Solution.

As the Contract is executed, the Processing of Personal Data may change.

The Processing operations covered by this Agreement in the performance of the Contract are described in Annex 1 of this Agreement. In the event of changes in said processing during the performance of the Contract, the Parties agree to update Annex 1 of this Agreement, which shall be deemed to be an amendment to this Agreement and to the Contract.

This Data Protection Agreement (hereinafter the "Agreement") applies between the Parties to ensure compliance with the provisions of Article 28 of the GDPR.

In this context, the Parties agree to process the Personal Data collected, exchanged, produced, administered and hosted under the Agreement in accordance with:

The Parties declare in particular:

- that they are aware of the obligations arising from the Regulation;

- that they have all the necessary skills and sufficient financial resources to implement and comply with all the obligations arising from the Regulation for all the services performed in execution of the Contract.

NABLA undertakes not to process and/or consult the Personal Data or files used under the Contract for any purpose other than the performance of its services under the Contract, subject to the provisions of Article 12.

  1. PURPOSE OF THE AGREEMENT

The provisions of this Agreement shall apply to all processing operations defined in Annex 1 to this Agreement.

The purpose of this Agreement is to define the conditions under which NABLA undertakes to carry out, on behalf of the CLIENT acting either as the DATA CONTROLLER or as a DATA PROCESSOR of the DATA CONTROLLER, the personal Data Processing operations defined in the Contract and in Annex 1 of this Agreement.

This Agreement is drafted in compliance with, among others, the provisions of Articles 28, 32, 33, 34 and 47 of the GDPR.

Within the framework of their contractual relations, the Parties undertake to comply with the Regulation in force applicable to the Processing of Personal Data. In particular, the CLIENT warrants that it has obtained the consent of the Users and End Users where the Regulation requires it for the processing of personal health data carried out by the DATA PROCESSOR in the context of the use of the Solution.

  2. CONTRACTUAL DOCUMENTS

The relationship between the Parties shall be governed by the Contract and this Agreement.

The invalidity of a provision of one of the above-mentioned contractual documents, judged by a competent court, will not affect the validity of the other documents.

Any waiver of any provision of this Agreement or any of the Contract Documents between the Parties shall not constitute a final waiver of the entirety of the relevant document and the other Contract Documents.

The Parties may amend the Agreement in particular to take into account any change in the data processing entrusted by the CLIENT to the DATA PROCESSOR. These changes will be enforceable against the CLIENT after being published by any means whatsoever.

The Parties acknowledge that acceptance of the Agreement by electronic means has the same evidentiary value between the Parties as a paper agreement.

  3. ENTRY INTO FORCE AND DURATION

This Agreement shall be in full force without reservation between the Parties from the date of signature of the Contract, and shall be concluded for the duration of the Contract.

The obligations set forth in this Agreement that have a legal basis in the Regulation shall survive the term of this Agreement until the expiry of the statutory limitation period for any liability action that may be brought under the Regulation.

  4. PROCESSING DESCRIPTION

The DATA PROCESSOR is expressly authorized by the CLIENT, where applicable in the name and on behalf of the DATA CONTROLLER, to process on its behalf the Personal Data necessary to perform the operations on the Personal Data specified in the Contract and in Annex 1 of this Agreement.

Annex 1 "Processing description" of this Agreement defines:

The duration of the Processing performed by the DATA PROCESSOR may not exceed the duration of the Contract.

When the Processing requires a formality with a local control authority such as the CNIL in France, the CLIENT, where applicable on behalf of the DATA CONTROLLER who shall be solely responsible for this, undertakes to provide the DATA PROCESSOR with all copies of the formalities and receipts and, where applicable, authorizations issued by this local control authority.

  5. OBLIGATIONS OF THE DATA PROCESSOR

The DATA PROCESSOR undertakes:

  6. SUBSEQUENT DATA PROCESSING

The DATA PROCESSOR may use SUBSEQUENT DATA PROCESSORS to perform the data processing entrusted to it by the CLIENT. The DATA PROCESSOR warrants that it imposes on each SUBSEQUENT DATA PROCESSOR confidentiality and security obligations at least equivalent to those agreed under this Agreement.

It is the responsibility of the DATA PROCESSOR to ensure that the SUBSEQUENT DATA PROCESSOR(s) present the same sufficient guarantees regarding the implementation of appropriate technical and organizational measures in order for the Processing to meet the requirements of the GDPR and other applicable data protection laws. If the SUBSEQUENT DATA PROCESSOR(s) fail to meet their data protection obligations, the DATA PROCESSOR shall remain fully liable to the CLIENT and the DATA CONTROLLER for the SUBSEQUENT DATA PROCESSORS(s) performance of their obligations.

The DATA PROCESSOR may add or replace a SUBSEQUENT DATA PROCESSOR. In this case, it undertakes to inform the CLIENT by the means of its choice. The CLIENT shall then have a period of ten (10) calendar days from the notification to raise objections on valid grounds relating to the protection of Personal Data. If the CLIENT does not object within this period, the SUBSEQUENT DATA PROCESSOR shall be deemed accepted by the CLIENT, subject to the conclusion, before any transfer of Data to the SUBSEQUENT DATA PROCESSOR, of a contract imposing on it confidentiality and security obligations at least equivalent to those of this Agreement.

SUBSEQUENT DATA PROCESSOR(s) shall be responsible for fulfilling the obligations of the Contract including the obligations of this Agreement, on behalf of and as directed by the CLIENT acting when applicable on behalf of the DATA CONTROLLER.

If the CLIENT objects to the appointment of a SUBSEQUENT DATA PROCESSOR under the conditions described above, either Party may terminate the Contract with one (1) month's notice in accordance with Article 15 of the Contract.

The CLIENT, where applicable in the name and on behalf of the DATA CONTROLLER, hereby authorizes the use of GOOGLE Ireland for the provision of hosting services for health data within the meaning of Article L. 1111-8 of the French Public Health Code, for the six (6) levels of service. The list of SUBSEQUENT DATA PROCESSORS is set out in Annex 1.

The CLIENT acknowledges that by complying with its obligations under this Article, NABLA complies with its obligations under Article 28.2 of the GDPR.

  7. EXERCISE OF THE RIGHTS OF THE DATA SUBJECTS

To the extent possible, the DATA PROCESSOR shall assist the CLIENT in fulfilling its obligation to comply with requests to exercise the rights of Data Subjects: right of access, right to request the rectification and erasure, right to object, right to limit Processing, right to data portability, right not to be subject to an automated individual decision (including profiling).

In the event that the DATA PROCESSOR receives requests from the Data Subjects, the DATA PROCESSOR undertakes to forward such requests to the CLIENT and when applicable to the DATA CONTROLLER without delay, at the e-mail address provided by the CLIENT.

The services of managing the exercise of the rights of individuals in the name and on behalf of the DATA CONTROLLER shall be billed to the CLIENT according to the rates defined in the Contract.

A procedure for the management of the exercise of rights shall be agreed upon by the Parties and referred to in Annex 2 to this Agreement.

  8. NOTIFICATION OF PERSONAL DATA BREACH

The DATA PROCESSOR shall notify the CLIENT of any Personal Data Breach no later than 48 hours after discovery of the breach, by sending the following information to the e-mail address provided by the CLIENT:

This notification shall be accompanied by any useful documentation to enable the CLIENT and when applicable the DATA CONTROLLER, if necessary, to notify the Control Authority of the breach.

Given the nature of the Processing and the information available to it, the DATA PROCESSOR also assists the CLIENT and when applicable the DATA CONTROLLER in notifying the Data Subjects of Personal Data breach.

  9. ASSISTANCE OF THE DATA CONTROLLER BY THE DATA PROCESSOR IN FULFILLING ITS OBLIGATIONS

If necessary, and upon request of the CLIENT, the DATA PROCESSOR shall assist the CLIENT in carrying out data protection impact assessments, mainly with regard to the identification of the protection measures in place or planned for the Processing.

If necessary, and upon request of the CLIENT, the DATA PROCESSOR shall assist the CLIENT and when applicable the DATA CONTROLLER in making the request for prior authorization to the CNIL or the competent control authority.

  10. SECURITY MEASURES

The DATA PROCESSOR undertakes to implement adequate security measures to protect the Processing.

When the operations carried out by the DATA PROCESSOR on the Data relate to Data hosted by an approved/certified host of personal health data designated by the DATA PROCESSOR in Article 6 of this Agreement, the CLIENT undertakes to comply strictly and to make the Users and End Users comply strictly with the security measures defined by this host, including in particular access to the Data by strong authentication.

  11. FATE OF THE DATA

At the end of the services relating to the Processing, the DATA PROCESSOR undertakes, upon request and at the option of the CLIENT or of the DATA CONTROLLER when applicable, to return the Personal Data to the CLIENT or to the DATA CONTROLLER in a secure manner defined by the CLIENT or the DATA CONTROLLER when applicable or, by default, to delete all Personal Data.

  12. REUSE

Due to the substantial financial, material and human investments made by NABLA within the framework of the Contract for the development and updating of the Solution, NABLA wishes to be allowed to reuse the Data processed within the framework of the Contract.

The CLIENT, where applicable in the name and on behalf of the DATA CONTROLLER, warrants that the Data Subjects have been informed of their rights and have given their consent to the use of their Data within the framework of the Contract where applicable laws or the Regulation so require, and authorizes the DATA PROCESSOR to reuse the Data processed within the framework of the Contract, provided that the DATA PROCESSOR undertakes to comply with the Regulation for all of this Data, for the uses listed below:

- research and development of the Solution,

- improving the performance, models and algorithms developed and trained by NABLA in the context of the Solution or of any other solution published by NABLA,

without the CLIENT or the DATA CONTROLLER being able to claim any intellectual property right in these elements.

The CLIENT declares that it has assessed and validated the compatibility, within the meaning of the Regulation, of the said uses with the initial purposes of the data processing carried out within the scope of the Contract, in accordance with the conditions set out in this Agreement. NABLA is a producer within the meaning of Article L. 341-1 of the French Intellectual Property Code for the databases constituted in the context of the reuses defined in this Article.

  13. REGISTER OF PROCESSING ACTIVITIES

The DATA PROCESSOR declares that it maintains a written record of all Processing activities performed on behalf of the CLIENT, including:

  14. AUDITS AND CONTROLS

The DATA PROCESSOR undertakes to make available to the CLIENT all information necessary to demonstrate compliance with its obligations to comply with the Regulation and this Agreement, and to permit audits, including inspections, to be conducted by the CLIENT or another auditor appointed by the CLIENT and to assist in such audits.

The CLIENT, on its own initiative, reserves the right to carry out any verification that it deems useful to ascertain the DATA PROCESSOR's compliance with its obligations. Any non-compliance with the Regulation and/or this Agreement shall, upon simple notification by the CLIENT, give rise to a corrective action plan to be implemented by the DATA PROCESSOR within a maximum of twenty-one (21) days.

The DATA PROCESSOR undertakes to notify the CLIENT and when applicable the DATA CONTROLLER as soon as possible of any control or notification of any nature whatsoever addressed to it by the Supervisory Authority or by a Data Subject and directly or indirectly involving the Processing described in this Agreement, to strictly follow all instructions from the CLIENT and when applicable from the DATA CONTROLLER and to collaborate with the Supervisory Authority, and with the CLIENT and the DATA CONTROLLER where applicable.

If the DATA PROCESSOR receives an injunction, demand, warrant or other document requiring or seeking to compel the production of Personal Data (including, for example, by oral questioning, interrogatories, requests for information or documents during legal proceedings, subpoenas, civil investigations, regulatory inspections or similar proceedings), the DATA PROCESSOR shall immediately notify the CLIENT and when applicable the DATA CONTROLLER, unless otherwise required by applicable Regulation, and in any event no later than two (2) business days.

  15. CONFIDENTIALITY - BUSINESS SECRECY - PROFESSIONAL SECRECY

The DATA PROCESSOR is subject to the strictest secrecy, including confidentiality, professional secrecy and business secrecy (hereinafter the "Secrecy"), with respect to the Processing, including in particular the Personal Data, implemented in the context of the provision of the services.

The DATA PROCESSOR undertakes, (i) during the term of the Contract and for a period of ten (10) years from its termination for any reason whatsoever, and (ii) where the CLIENT has entrusted it with a data retention task, for the entire duration of that retention task, to keep the Secrecy of all Personal Data and, consequently:

In general, the DATA PROCESSOR warrants that it will maintain the strictest secrecy, under the same conditions, of all information that comes to its knowledge or to the knowledge of any of its staff members and that is the subject of this Agreement and of the rest of the Contract.

  16. LAW AND JURISDICTION

The Agreement is governed by French law.

FOR ANY DISPUTE ARISING BETWEEN THEM CONCERNING THE INTERPRETATION OR EXECUTION OF THE CONTRACT AND AFTER AN ATTEMPT AT AMICABLE CONCILIATION, THE EXPRESS JURISDICTION IS GIVEN TO THE COMMERCIAL COURT OF PARIS NOTWITHSTANDING MULTIPLE DEFENDANTS OR WARRANTY CLAIMS, EVEN FOR EMERGENCY OR PRECAUTIONARY PROCEDURES, IN SUMMARY PROCEEDINGS OR ON REQUEST.


ANNEX 1 - PROCESSING DESCRIPTION

Each Party appoints a Data Protection Officer and communicates to the other Party his or her contact details.

For NABLA the contact details are as follows: dpo@nabla.com

The CLIENT is the DATA CONTROLLER or Tier 1 DATA PROCESSOR.

The purposes of the Processing entrusted to the DATA PROCESSOR:

The DATA PROCESSOR may use the Data for these additional purposes:

The legal basis for the Processing is:

The categories of Personal Data processed may include:

User Data is kept for the duration of the Contract and of the use of the Solution by the User or End User, then archived according to the rules set by the CLIENT, in compliance with the recommendations of the applicable local regulations.

Users and End Users as defined in the Contract.

Subsequent data processor | Purpose / activity | Type of data
Google Ireland | Hosting of Data | All types of Data, including Health Data
PagerDuty, Datadog | To administer and protect our business and the Solution | Technical data (for example: IP address)
Mixpanel | Data analysis of the use of the Solution | Technical data (for example: IP address)
Postmark | To communicate with you in the course of your use of the Solution | Contact data (for example: email address)
OpenAI | Natural language processing for some features of the Solution | All types of Data, including Health Data

The Data is not processed or transferred outside the European Union. However, in the event that personal information is transferred outside the European Union, in particular at the request of the CLIENT, NABLA will ensure that the third country concerned has a level of protection deemed adequate by the European Commission with respect to European regulation (GDPR). Where this is not the case, NABLA will ensure that the transfer is carried out in accordance with the Standard Contractual Clauses (SCC) adopted by the European Commission or by the supervisory authorities, including the CNIL in France, in order to guarantee the protection of this information.


ANNEX 2 - PROCEDURE FOR MANAGING THE EXERCISE OF RIGHTS

Pursuant to Chapter III of the GDPR, the CLIENT, in its capacity as DATA CONTROLLER or as representative of the DATA CONTROLLER, must facilitate the exercise of the rights conferred on the data subject.

To this end, the CLIENT shall inform the data subjects of the procedures for requesting access to their personal data or for exercising their right to request rectification, erasure, limitation of processing, data portability and their right to object.

The CLIENT may request the support of the DATA PROCESSOR in answering requests from the Data Subjects. It is hereby agreed between the Parties that the CLIENT warrants that it has checked the identity of the requester to ensure that the requester is entitled to access the Personal Data or to exercise a right.

Once the CLIENT has verified the identity of the requester and that the requester is the account holder, the CLIENT will forward the request, where needed, to NABLA at the address dpo@nabla.com.

NABLA will examine the request for the exercise of rights and will respond without delay and at the latest within one month of its receipt.

If necessary, this period may be extended by two months, depending on the complexity and number of requests. NABLA will inform the data subject or the CLIENT, at the CLIENT’s option, of this extension and the reasons for the postponement within one month of receiving the request.

If NABLA does not act on the data subject's request, NABLA will inform the data subject or the CLIENT, at the CLIENT's option, without delay and at the latest within one month of receipt of the request (a period which may be extended by two months where NABLA has informed the data subject of such an extension), of the reasons for its inaction and of the possibility of lodging a complaint with a supervisory authority and of seeking a judicial remedy.

NABLA will inform the CLIENT of the response provided to the data subject if requested.

No payment is required to respond to the data subject's requests. Where a data subject's requests are manifestly unfounded or excessive, particularly because of their repetitive nature, NABLA may:

- require the DATA CONTROLLER to pay a reasonable fee that reflects the administrative costs incurred in providing the information or taking the action requested;

- or refuse to act on these requests.