Data Processing Agreement

Preamble. This data processing agreement (the “Data Processing Agreement” or the “DPA”) is established under Article 28 of the GDPR and forms part of this Agreement (as defined below) between Ultrasafe AI and the Customer. By accepting the applicable Service Agreement, the Customer also agrees to be bound by this DPA.

When Customer uses the Services available on the Platform:

  • The Customer is the Data Controller;
  • Ultrasafe AI processes the Personal Data provided by the Customer as Data Processor. Such processing activities are described in Exhibit 1 of this DPA.

When Customer subscribes to Our Services through a Cloud Provider:

  • The Customer is the Data Controller;
  • The Cloud Provider processes the Personal Data provided by the Customer as Data Processor for the purpose of making the Models available to the Customer on the Cloud Provider’s Infrastructure.
  • Ultrasafe AI will only process Personal Data provided by the Customer as Data Processor for the purpose of providing technical support to the Customer, at the Customer’s request, and only if the Customer grants Ultrasafe AI access to such Personal Data. Such Processing activities are described in Exhibit 1 of this DPA.

1. Definitions

The capitalized words in this Agreement shall have the meaning given below:

  • “Agreement”: means the service agreement entered into by and between the Parties, governing the provision of the Services by Ultrasafe AI to the Customer.
  • “Applicable Data Protection Law”: means (i) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 applicable since 25 May 2018 (the “GDPR”) and (ii) the data protection laws and regulations applicable in France.
  • “Authorized Recipient”: means (i) Ultrasafe AI’s affiliates, (ii) Ultrasafe AI’s team members, (iii) Ultrasafe AI’s Sub-processors or (iv) any third party that is authorized by the Applicable Data Protection Law to access the Personal Data.
  • “Authorized Purpose”: means the authorized purpose for the Processing as mentioned in Exhibit 1.
  • “Customer”: means any legal person who subscribes to the Services and, where applicable, its affiliates.
  • “Data Controller”: means the person who determines the purposes and the means of the Processing.
  • “Data Processing Agreement” or “DPA”: means this data processing agreement governing the Processing carried out by the Parties, that forms part of the Agreement.
  • “Data Processor”: means the person who carries out the Processing on behalf of the Data Controller and under its documented instructions.
  • “Data Subjects”: means the person whose Personal Data is processed.
  • “Ultrasafe AI”: means Ultrasafe AI, a French simplified joint-stock company, registered at the Trade register of Paris under number 952 418 325, having its corporate seat at 15 rue des Halles 75001, Paris, France and its affiliates.
  • “Personal Data”: means any data relating to an identified or identifiable Data Subject.
  • “Personal Data Breach”: means any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data, likely to result in a risk for the rights and freedoms of Data Subjects.
  • “Processing”: means the processing of Personal Data described in Exhibit 1.
  • “Restricted Country”: means any country located outside of the European Economic Area (EEA) and that does not benefit from an adequacy decision from the European Commission.
  • “Services”: means the services provided by Ultrasafe AI to the Customer under the Services Agreement.
  • “Sub-processor”: means any Data Processor appointed by Ultrasafe AI to carry out all or part of the Processing on behalf of the Customer.
  • “Supervisory Authority”: means any independent authority competent to supervise the Processing.

Any capitalized word that is not defined in this DPA shall have the meaning given in the Services Agreement.

2. Role of the Parties

Ultrasafe AI as Data Processor. With respect to the Processing described in Exhibit 1, the Customer shall act as the Data Controller and Ultrasafe AI shall act as the Data Processor.

Description of the Processing. Ultrasafe AI processes the Personal Data on behalf of the Customer in order to provide the Customer with the Services it ordered under the Agreement. A description of the Processing is available in Exhibit 1 of this DPA. The Customer agrees that Ultrasafe AI may update the description of the Processing from time to time to reflect new Services, features or functionalities. Ultrasafe AI will notify the Customer of any update to the description of the Processing by email no later than fifteen (15) days prior to the effective date of the modification. The Customer may object to this modification or update during the notice period on reasonable grounds pertaining to the Applicable Data Protection Law. The Parties will consult and negotiate in good faith with a view to achieving a satisfactory resolution. Failing that, the Customer will be entitled to terminate the Agreement for convenience.

Ultrasafe AI as Data Controller. The Customer authorizes Ultrasafe AI to process the Prompts and the Outputs as Data Controller for the purpose of (a) monitoring abuse, (b) treating voluntary reports, (c) research purposes, and (d) to improve the training of the Models. Ultrasafe AI only processes the Prompts and Outputs of Customer to improve the training of the Models if (a) Customer uses the free Chat Services and did not opt-out of having Customer’s Prompts and Outputs used to improve Ultrasafe AI Training Data, which option is available only if the Customer subscribed to the Paid Chat Services or (b) if Customer uses the free version of Codestral and Customer did not opt-out of the Ultrasafe AI Training Data. In this last case, Customer can opt-out of the Ultrasafe AI Training Data at any time by making a request via Our Support Chatbot available directly on the Platform. If the Customer opted-out of the Ultrasafe AI Training Data under applicable Terms, Ultrasafe AI will not use information resulting from Customer’s Prompts and Outputs to improve the training of its Models. The Customer’s opt-out may only be effective for future Prompts and Outputs, as technical limitations inherent to the Chat Services may prevent Ultrasafe AI from deleting all previously provided Prompts and Outputs from Ultrasafe AI Training Data, even if the Customer has opted out. Ultrasafe AI will inform the Data Subjects of such processing activities in its Privacy Policy.

3. General obligations of the Parties

Each Party shall comply with their respective obligations under the Applicable Personal Data Protection Law and shall not, by any act or omission, cause the other to be in breach of any such obligations under the Applicable Data Protection Law.

3.1. General obligations of Ultrasafe AI

Ultrasafe AI shall:

  • Process the Personal Data only in accordance with the documented lawful instructions of the Customer as set forth in this DPA, the Agreement or by email and for no other purpose, unless required to do so by the applicable laws. In such a case, Ultrasafe AI shall promptly inform the Customer of that legal requirement, unless prohibited to do so by applicable law and/or on important grounds of public interest,
  • Promptly inform the Customer if, in its opinion, the Customer’s instructions infringe the Applicable Data Protection Law. In such an event, Ultrasafe AI is entitled to refuse to perform the Processing of Personal Data that it believes to be in violation of the Applicable Data Protection Law,
  • Ensure that any person Ultrasafe AI authorizes to process Personal Data (including Ultrasafe AI team members and the Subprocessors) is subject to a duty of confidentiality, whether by contract or statutory, and must not allow any person to process Personal Data who is not under such confidentiality obligations, and
  • Taking into account the nature of the Processing and the information available to Ultrasafe AI, upon the Customer’s written request and to the extent that is commercially reasonable and required by the Applicable Data Protection Laws, provide the Customer with reasonable and timely assistance (i) in the event of an investigation from a Supervisory Authority related to the Processing, (ii) to conduct a data protection impact assessment, a prior consultation with a Supervisory Authority, (iii) to comply with its obligations under Article 32 GDPR.

3.2. General obligations of the Customer

The Customer agrees that:

  • It will comply with its obligations under the Applicable Data Protection Law regarding the Processing and any Processing instruction it issues to Ultrasafe AI,
  • It is responsible for providing guidance to Authorized Users regarding the use of the Services, and in particular the use of Personal Data within the Services,
  • It is responsible for applying filters to prevent any unauthorized use of Personal Data by the Authorized Users,
  • Ultrasafe AI’s security obligations under this DPA apply without prejudice to the Customer’s own security obligations under the Applicable Data Protection Law, and
  • It has provided notice and obtained all consents and rights necessary under the Applicable Data Protection Law for Ultrasafe AI to process Personal Data under this DPA.

4. Data Subjects

Information. As Data Controller, the Customer is solely responsible to provide the Data Subjects with any information required by the Applicable Data Protection Law.

Data Subject requests. Taking into account the nature of the Processing and upon the Customer’s request, Ultrasafe AI shall provide the Customer with commercially reasonable assistance to enable the Customer to respond to any request from Data Subjects to exercise any of their rights under the Applicable Data Protection Law.

Requests made directly to Ultrasafe AI. In the event that any request is made directly to Ultrasafe AI, Ultrasafe AI will not respond to such request directly without the Customer’s prior consent, unless required to do so by applicable law. Instead, Ultrasafe AI will transfer that request to the Customer who will then be solely responsible to respond to such request. If Ultrasafe AI is legally required to respond to the Data Subjects’ request, Ultrasafe AI will promptly notify the Customer and provide it with a copy of the request unless prohibited to do so by applicable law.

5. Security and Personal Data Breach

5.1. Security measures

Security measures. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Ultrasafe AI shall implement and maintain appropriate technical and organizational measures to protect Personal Data from any Personal Data Breach and to preserve the security and confidentiality of the Personal Data.

Evolution of the security measures. The Customer acknowledges that such security measures are subject to technical progress and development and that Ultrasafe AI may update them from time to time, provided that such updates do not materially decrease the overall security of the Processing.

5.2. Personal Data Breach

Personal Data Breach. Taking into account the nature of the Processing and the information available to Ultrasafe AI, Ultrasafe AI shall notify the Customer of any Personal Data Breach without undue delay and where feasible no later than seventy-two (72) hours after becoming aware of such Personal Data Breach. Ultrasafe AI’s notification of or response to a Personal Data Breach in accordance with this Section 6.2. will not be construed as an acknowledgment by Ultrasafe AI of any fault or liability with respect to the Personal Data Breach.

Notification to the Customer. This notification shall include:

  • (a) The name and contact details of Ultrasafe AI’s point of contact where more information can be obtained;
  • (b) The nature of the Personal Data Breach, including but not limited to the categories and number of Data Subjects and Beneficiaries Personal Data concerned by the Personal Data Breach;
  • (c) A description of the measures the Beneficiaries could take to mitigate the possible adverse effects of the Personal Data Breach and to prevent another potential Personal Data Breach;
  • (d) The likely consequences of the Personal Data Breach;
  • (e) The measures proposed or taken by the Company following the Personal Data Breach, including to prevent any new occurrence.

Notification to the Supervisory Authority and Communication to the Data Subject. The Customer is solely responsible for notifying the Personal Data Breach to the Supervisory Authority and/or to the Data Subjects.

Assistance. Upon the Customer’s written request, taking into account the nature of the Processing and the information available to Ultrasafe AI, Ultrasafe AI shall provide the Customer with commercially reasonable assistance with respect to the Customer’s compliance with its obligation to communicate the Personal Data Breach to Data Subjects, when required by the Applicable Data Protection Laws. If necessary, Ultrasafe AI shall provide the Customer with commercially reasonable and timely assistance to mitigate or remediate the Personal Data Breach.

6. Sub-processing

General authorization. The Customer provides a prior and general authorization allowing Ultrasafe AI to appoint any Subprocessors to assist Ultrasafe AI in the provision of the Services and in the Processing, in accordance with the terms of this DPA. This authorisation is subject to the following:

  • Ultrasafe AI will maintain an up-to-date list of its Sub-processors on the Platform,
  • Ultrasafe AI will notify the Customer of any changes to this list,
  • Ultrasafe AI will enter into a written agreement with each Subprocessor imposing data protection terms that require the Subprocessor to protect the Personal Data to the same standards provided by this DPA, and
  • Ultrasafe AI will remain liable to the Customer if such Subprocessor fails to fulfill its data protection obligations with regard to the relevant Processing activities under the DPA.

Changes to the list of Sub-processors. Ultrasafe AI will provide notice to the Customer of any changes to the list of Sub-processors as soon as reasonably practicable and no later than thirty (30) days prior to engaging such Sub-processor. The Customer may object in writing to Ultrasafe AI’s appointment of a new Sub-processor during this notice period, provided that such objection is based on reasonable grounds relating to the Applicable Data Protection Laws. In such an event, the Parties will consult and negotiate in good faith to find an amicable resolution that allows the Customer to keep benefiting from the Services. If no resolution is achieved during this notice period, the Customer may, as its sole and exclusive remedy, terminate all or part of the Agreement for convenience.

7. Transfers of Personal Data to a Restricted Country

The Customer is located in a Restricted Country. Where the Customer is located in a Restricted Country, the transfer of Personal Data between the Customer and Ultrasafe AI is governed by the standard contractual clauses attached to this DPA.

An Authorized Recipient is located in a Restricted Country. The Customer provides a prior and general authorization allowing Ultrasafe AI to transfer the Personal Data to any Authorized Recipients located in a Restricted Country by using the standard contractual clauses adopted by the European Commission or any other appropriate safeguard provided by the GDPR. If the standard contractual clauses are suspended, terminated or no longer provide an appropriate safeguard in compliance with the Applicable Personal Data Protection Laws, Ultrasafe AI will (i) promptly notify the Customer and (ii) suspend the applicable transfer until an alternative safeguard for the transfer of Personal Data has been implemented.

8. Audit

Documentary audit. Upon the Customer’s written request, Ultrasafe AI will make available all documents and information to demonstrate that the Processing carried out by Ultrasafe AI complies with this DPA in a timely manner, to the extent that is commercially reasonable and required by the Applicable Data Protection Laws.

Audit on Ultrasafe AI’s premises. Only to the extent the Customer cannot reasonably be satisfied with Ultrasafe AI’s compliance with this DPA through the exercise of a documentary audit, the Customer may conduct up to one (1) audit per year to verify Ultrasafe AI’s compliance with this DPA, under the conditions defined below:

  • This audit must be conducted with reasonable advance written notice of at least thirty (30) calendar days,
  • This audit shall be carried out by an independent auditor selected jointly by the Parties for its expertise, independence and impartiality and which is, in any event, not a direct or indirect competitor of Ultrasafe AI,
  • The selected auditor shall be bound by a confidentiality agreement and/or by professional secrecy,
  • This audit shall be conducted during Ultrasafe AI’s regular business hours,
  • This audit shall restrict its findings to only information and/or Personal Data relevant to the Customer,
  • The audit shall not unreasonably impair or slow down the Services offered by Ultrasafe AI or affect the organizational management of the Company,
  • An identical copy of the audit report shall be given to both Parties following the completion of the audit. Each Party may make observations regarding the audit report,
  • The costs of this audit shall be borne exclusively by the Customer.

9. Return or destruction of Personal Data

After the end of the provision of the Services, Ultrasafe AI will delete or return to the Customer all Personal Data processed on the Customer’s behalf, in accordance with Ultrasafe AI’s deletion policies and procedures. The Customer acknowledges that the Personal Data will no longer be accessible upon the expiry of a thirty (30) day period following the termination of the Customer’s access to and use of the Services.

10. Term

This DPA shall commence on the effective date of the Agreement and will continue for the duration of the Agreement.

11. Limitation of Liability

The liability of each Party and each Party’s affiliates under this DPA is subject to the exclusions and limitations of liability set out in the Agreement.

EXHIBIT 1 – Description of the Processing

Ultrasafe AI may update the description of the Processing from time to time to reflect new Services, features or functionality.

  • Ultrasafe AI privacy contact: privacy@ultrasafe.ai
  • Categories of Data Subjects: the Customer, the Authorized Users and any other natural person whose Personal Data is used by the Customer or the Authorized User as User Data.
  • Categories of Personal Data:
    • The Customer’s and Authorized User’s account data, the Customer’s Ultrasafe AI ID (unique user ID attributed by Ultrasafe AI),
    • The API Key (where applicable),
    • Any Personal Data that is used by Customer (i) to generate an Output, (ii) as part of User Input Data, and/or (iii) that may be accessed by Ultrasafe AI as part of the Services (including the technical support services). This also includes the metadata associated with such personal data (for instance, the date and hour of the Customer’s Prompt, etc).
  • Special categories of Personal Data: None. Customer shall not process sensitive data under this DPA. In case Customer wishes to process sensitive data, please contact privacy@ultrasafe.ai
  • Authorized Purposes: Subject to the Customer’s Subscription, (i) the provision of the API Services (Technical Support, Generation of Outputs, Fine-Tuning a Model, Building an Agent, Authorized User’s Account management), and (ii) the provision of the Chat Services (Technical Support, Generation of Outputs, display of the Prompts and Outputs history, use of an Agent on Le Chat, Authorized User’s Account management).
  • Duration of the Processing: the term of this DPA
  • Retention Periods:
    • If the Customer has subscribed to the API Services, (i) the Prompts and the Outputs are only processed by Ultrasafe AI for the duration of the generation of the Outputs, and (ii) User Input Data is retained until deletion of User Input Data and/or Customer’s Account by Customer.
    • If the Customer subscribed to the Chat Services: the Prompts and the Outputs are stored for the term of this DPA or until the Customer deletes such Prompts and Outputs from its history.
    • Ultrasafe AI may process the Prompts and the Outputs as a Data Controller. The applicable retention periods are mentioned on the Privacy Policy.
    • The Personal Data provided by Ultrasafe AI for the purpose of technical support are stored for the duration necessary to process the technical support request, and for five (5) additional years for evidential purposes.
  • Sub-processors:
    • Azure: our hosting provider. The Personal Data are stored in Sweden.

EXHIBIT 2 – Standard contractual clauses

These standard contractual clauses only apply when the Customer is located in a Restricted Country.

SECTION I

Clause 1

Purpose and scope

  • (a) The purpose of these standard contractual clauses is to ensure compliance with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) for the transfer of personal data to a third country.
  • (b) The Parties:
    • (i) the natural or legal person(s), public authority/ies, agency/ies or other body/ies (hereinafter ‘entity/ies’) transferring the personal data, as listed in Annex I.A (hereinafter each ‘data exporter’), and
    • (ii) the entity/ies in a third country receiving the personal data from the data exporter, directly or indirectly via another entity also Party to these Clauses, as listed in Annex I.A (hereinafter each ‘data importer’)

have agreed to these standard contractual clauses (hereinafter: ‘Clauses’).

  • (c) These Clauses apply with respect to the transfer of personal data as specified in Annex I.B.
  • (d) The Appendix to these Clauses containing the Annexes referred to therein forms an integral part of these Clauses.

Clause 2

Effect and invariability of the Clauses

(a) These Clauses set out appropriate safeguards, including enforceable data subject rights and effective legal remedies, pursuant to Article 46(1) and Article 46(2)(c) of Regulation (EU) 2016/679 and, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679, provided they are not modified, except to select the appropriate Module(s) or to add or update information in the Appendix. This does not prevent the Parties from including the standard contractual clauses laid down in these Clauses in a wider contract and/or to add other clauses or additional safeguards, provided that they do not contradict, directly or indirectly, these Clauses or prejudice the fundamental rights or freedoms of data subjects.

(b) These Clauses are without prejudice to obligations to which the data exporter is subject by virtue of Regulation (EU) 2016/679.

Clause 3

Third-party beneficiaries

  • (a) Data subjects may invoke and enforce these Clauses, as third-party beneficiaries, against the data exporter and/or data importer, with the following exceptions:
    • (i) Clause 1, Clause 2, Clause 3, Clause 6, Clause 7;
    • (ii) Clause 8 – Module One: Clause 8.5 (e) and Clause 8.9(b); Module Two: Clause 8.1(b), 8.9(a), (c), (d) and (e); Module Three: Clause 8.1(a), (c) and (d) and Clause 8.9(a), (c), (d), (e), (f) and (g); Module Four: Clause 8.1 (b) and Clause 8.3(b);
    • (iii) Clause 9 – Module Two: Clause 9(a), (c), (d) and (e); Module Three: Clause 9(a), (c), (d) and (e);
    • (iv) Clause 12 – Module One: Clause 12(a) and (d); Modules Two and Three: Clause 12(a), (d) and (f);
    • (v) Clause 13;
    • (vi) Clause 15.1(c), (d) and (e);
    • (vii) Clause 16(e);
    • (viii) Clause 18 – Modules One, Two and Three: Clause 18(a) and (b); Module Four: Clause 18.
  • (b) Paragraph (a) is without prejudice to rights of data subjects under Regulation (EU) 2016/679.

Clause 4

Interpretation

  • (a) Where these Clauses use terms that are defined in Regulation (EU) 2016/679, those terms shall have the same meaning as in that Regulation.
  • (b) These Clauses shall be read and interpreted in the light of the provisions of Regulation (EU) 2016/679.
  • (c) These Clauses shall not be interpreted in a way that conflicts with rights and obligations provided for in Regulation (EU) 2016/679.

Clause 5

Hierarchy

In the event of a contradiction between these Clauses and the provisions of related agreements between the Parties, existing at the time these Clauses are agreed or entered into thereafter, these Clauses shall prevail.

Clause 6

Description of the transfer(s)

The details of the transfer(s), and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred, are specified in Annex I.B.

Clause 7 – Optional

Docking clause

  • (a) An entity that is not a Party to these Clauses may, with the agreement of the Parties, accede to these Clauses at any time, either as a data exporter or as a data importer, by completing the Appendix and signing Annex I.A.
  • (b) Once it has completed the Appendix and signed Annex I.A, the acceding entity shall become a Party to these Clauses and have the rights and obligations of a data exporter or data importer in accordance with its designation in Annex I.A.
  • (c) The acceding entity shall have no rights or obligations arising under these Clauses from the period prior to becoming a Party.

SECTION II – OBLIGATIONS OF THE PARTIES

Clause 8

Data protection safeguards

The data exporter warrants that it has used reasonable efforts to determine that the data importer is able, through the implementation of appropriate technical and organisational measures, to satisfy its obligations under these Clauses.

8.1 Instructions

  • (a) The data exporter shall process the personal data only on documented instructions from the data importer acting as its controller.
  • (b) The data exporter shall immediately inform the data importer if it is unable to follow those instructions, including if such instructions infringe Regulation (EU) 2016/679 or other Union or Member State data protection law.
  • (c) The data importer shall refrain from any action that would prevent the data exporter from fulfilling its obligations under Regulation (EU) 2016/679, including in the context of sub-processing or as regards cooperation with competent supervisory authorities.
  • (d) After the end of the provision of the processing services, the data exporter shall, at the choice of the data importer, delete all personal data processed on behalf of the data importer and certify to the data importer that it has done so, or return to the data importer all personal data processed on its behalf and delete existing copies.

8.2 Security of processing

  • (a) The Parties shall implement appropriate technical and organisational measures to ensure the security of the data, including during transmission, and protection against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access (hereinafter ‘personal data breach’). In assessing the appropriate level of security, they shall take due account of the state of the art, the costs of implementation, the nature of the personal data (reference), the nature, scope, context and purpose(s) of processing and the risks involved in the processing for the data subjects, and in particular consider having recourse to encryption or pseudonymisation, including during transmission, where the purpose of processing can be fulfilled in that manner.
  • (b) The data exporter shall assist the data importer in ensuring appropriate security of the data in accordance with paragraph (a). In case of a personal data breach concerning the personal data processed by the data exporter under these Clauses, the data exporter shall notify the data importer without undue delay after becoming aware of it and assist the data importer in addressing the breach.
  • (c) The data exporter shall ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

8.3 Documentation and compliance

  • (a) The Parties shall be able to demonstrate compliance with these Clauses.
  • (b) The data exporter shall make available to the data importer all information necessary to demonstrate compliance with its obligations under these Clauses and allow for and contribute to audits.

Clause 9

Use of sub-processors

N/A

Clause 10

Data subject rights

The Parties shall assist each other in responding to enquiries and requests made by data subjects under the local law applicable to the data importer or, for data processing by the data exporter in the EU, under Regulation (EU) 2016/679.

Clause 11

Redress

  • (a) The data importer shall inform data subjects in a transparent and easily accessible format, through individual notice or on its website, of a contact point authorised to handle complaints. It shall deal promptly with any complaints it receives from a data subject.

Clause 12

Liability

  • (a) Each Party shall be liable to the other Party/ies for any damages it causes the other Party/ies by any breach of these Clauses.
  • (b) Each Party shall be liable to the data subject, and the data subject shall be entitled to receive compensation, for any material or non-material damages that the Party causes the data subject by breaching the third-party beneficiary rights under these Clauses. This is without prejudice to the liability of the data exporter under Regulation (EU) 2016/679.
  • (c) Where more than one Party is responsible for any damage caused to the data subject as a result of a breach of these Clauses, all responsible Parties shall be jointly and severally liable and the data subject is entitled to bring an action in court against any of these Parties.
  • (d) The Parties agree that if one Party is held liable under paragraph (c), it shall be entitled to claim back from the other Party/ies that part of the compensation corresponding to its/their responsibility for the damage.
  • (e) The data importer may not invoke the conduct of a processor or sub-processor to avoid its own liability.

Clause 13

Supervision

N/A

SECTION III – LOCAL LAWS AND OBLIGATIONS IN CASE OF ACCESS BY PUBLIC AUTHORITIES

Clause 14

Local laws and practices affecting compliance with the Clauses

  • (a) The Parties warrant that they have no reason to believe that the laws and practices in the third country of destination applicable to the processing of the personal data by the data importer, including any requirements to disclose personal data or measures authorising access by public authorities, prevent the data importer from fulfilling its obligations under these Clauses. This is based on the understanding that laws and practices that respect the essence of the fundamental rights and freedoms and do not exceed what is necessary and proportionate in a democratic society to safeguard one of the objectives listed in Article 23(1) of Regulation (EU) 2016/679, are not in contradiction with these Clauses.
  • (b) The Parties declare that in providing the warranty in paragraph (a), they have taken due account in particular of the following elements:
    • (i) the specific circumstances of the transfer, including the length of the processing chain, the number of actors involved and the transmission channels used; intended onward transfers; the type of recipient; the purpose of processing; the categories and format of the transferred personal data; the economic sector in which the transfer occurs; the storage location of the data transferred;
    • (ii) the laws and practices of the third country of destination – including those requiring the disclosure of data to public authorities or authorising access by such authorities – relevant in light of the specific circumstances of the transfer, and the applicable limitations and safeguards;
    • (iii) any relevant contractual, technical or organisational safeguards put in place to supplement the safeguards under these Clauses, including measures applied during transmission and to the processing of the personal data in the country of destination.
  • (c) The data importer warrants that, in carrying out the assessment under paragraph (b), it has made its best efforts to provide the data exporter with relevant information and agrees that it will continue to cooperate with the data exporter in ensuring compliance with these Clauses.
  • (d) The Parties agree to document the assessment under paragraph (b) and make it available to the competent supervisory authority on request.
  • (e) The data importer agrees to notify the data exporter promptly if, after having agreed to these Clauses and for the duration of the contract, it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under paragraph (a), including following a change in the laws of the third country or a measure (such as a disclosure request) indicating an application of such laws in practice that is not in line with the requirements in paragraph (a). For Module Three: The data exporter shall forward the notification to the controller.
  • (f) Following a notification pursuant to paragraph (e), or if the data exporter otherwise has reason to believe that the data importer can no longer fulfill its obligations under these Clauses, the data exporter shall promptly identify appropriate measures (e.g. technical or organisational measures to ensure security and confidentiality) to be adopted by the data exporter and/or data importer to address the situation [for Module Three:, if appropriate in consultation with the controller]. The data exporter shall suspend the data transfer if it considers that no appropriate safeguards for such transfer can be ensured, or if instructed by [for Module Three: the controller or] the competent supervisory authority to do so. In this case, the data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses. If the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise. Where the contract is terminated pursuant to this Clause, Clause 16(d) and (e) shall apply.

Clause 15

Obligations of the data importer in case of access by public authorities

15.1 Notification

  • (a) The data importer agrees to notify the data exporter and, where possible, the data subject promptly (if necessary with the help of the data exporter) if it:
    • (i) receives a legally binding request from a public authority, including judicial authorities, under the laws of the country of destination for the disclosure of personal data transferred pursuant to these Clauses; such notification shall include information about the personal data requested, the requesting authority, the legal basis for the request and the response provided; or
    • (ii) becomes aware of any direct access by public authorities to personal data transferred pursuant to these Clauses in accordance with the laws of the country of destination; such notification shall include all information available to the importer.
  • (b) If the data importer is prohibited from notifying the data exporter and/or the data subject under the laws of the country of destination, the data importer agrees to use its best efforts to obtain a waiver of the prohibition, with a view to communicating as much information as possible, as soon as possible. The data importer agrees to document its best efforts in order to be able to demonstrate them on request of the data exporter.
  • (c) Where permissible under the laws of the country of destination, the data importer agrees to provide the data exporter, at regular intervals for the duration of the contract, with as much relevant information as possible on the requests received (in particular, number of requests, type of data requested, requesting authority/ies, whether requests have been challenged and the outcome of such challenges, etc.). [For Module Three: The data exporter shall forward the information to the controller.]
  • (d) The data importer agrees to preserve the information pursuant to paragraphs (a) to (c) for the duration of the contract and make it available to the competent supervisory authority on request.
  • (e) Paragraphs (a) to (c) are without prejudice to the obligation of the data importer pursuant to Clause 14(e) and Clause 16 to inform the data exporter promptly where it is unable to comply with these Clauses.

15.2 Review of legality and data minimisation

  • (a) The data importer agrees to review the legality of the request for disclosure, in particular whether it remains within the powers granted to the requesting public authority, and to challenge the request if, after careful assessment, it concludes that there are reasonable grounds to consider that the request is unlawful under the laws of the country of destination, applicable obligations under international law and principles of international comity. The data importer shall, under the same conditions, pursue possibilities of appeal. When challenging a request, the data importer shall seek interim measures with a view to suspending the effects of the request until the competent judicial authority has decided on its merits. It shall not disclose the personal data requested until required to do so under the applicable procedural rules. These requirements are without prejudice to the obligations of the data importer under Clause 14(e).
  • (b) The data importer agrees to document its legal assessment and any challenge to the request for disclosure and, to the extent permissible under the laws of the country of destination, make the documentation available to the data exporter. It shall also make it available to the competent supervisory authority on request.
  • (c) The data importer agrees to provide the minimum amount of information permissible when responding to a request for disclosure, based on a reasonable interpretation of the request.

SECTION IV – FINAL PROVISIONS

Clause 16

Non-compliance with the Clauses and termination

  • (a) The data importer shall promptly inform the data exporter if it is unable to comply with these Clauses, for whatever reason.
  • (b) In the event that the data importer is in breach of these Clauses or unable to comply with these Clauses, the data exporter shall suspend the transfer of personal data to the data importer until compliance is again ensured or the contract is terminated. This is without prejudice to Clause 14(f).

  • (c) The data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses, where:

  • (i) the data exporter has suspended the transfer of personal data to the data importer pursuant to paragraph (b) and compliance with these Clauses is not restored within a reasonable time and in any event within one month of suspension;
  • (ii) the data importer is in substantial or persistent breach of these Clauses; or
  • (iii) the data importer fails to comply with a binding decision of a competent court or supervisory authority regarding its obligations under these Clauses.

In these cases, it shall inform the competent supervisory authority of such non-compliance. Where the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise.

  • (d) The data importer shall certify the deletion of the data to the data exporter. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit the return or deletion of the transferred personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process the data to the extent and for as long as required under that local law.
  • (e) Either Party may revoke its agreement to be bound by these Clauses where (i) the European Commission adopts a decision pursuant to Article 45(3) of Regulation (EU) 2016/679 that covers the transfer of personal data to which these Clauses apply; or (ii) Regulation (EU) 2016/679 becomes part of the legal framework of the country to which the personal data is transferred. This is without prejudice to other obligations applying to the processing in question under Regulation (EU) 2016/679.

Clause 17

Governing law

These Clauses shall be governed by the law of a country allowing for third-party beneficiary rights. The Parties agree that this shall be the law mentioned in the Agreement.

Clause 18

Choice of forum and jurisdiction

Any dispute arising from these Clauses shall be resolved by the courts mentioned in the Agreement.

APPENDIX

ANNEX I

A. LIST OF PARTIES

The Data Exporter is Ultrasafe AI. The Data Importer is the Customer.

B. DESCRIPTION OF TRANSFER

The description of the transfer is mentioned in Appendix 1 of this DPA.