Personal Data Outsourcing Contract

BETWEEN :

This Personal Data Outsourcing Agreement (hereinafter "DPA") is applicable to the business relationship between RINGO (operating under the name MODJO), a simplified joint stock company with a capital of 38.640.11 euros, registered in the Nanterre Trade and Companies Register under number 879 606 283, and whose registered office is located at 59, avenue Sainte-Foy - 92200 Neuilly-sur-Seine, France (hereinafter referred to as "RINGO") and its Client (hereinafter referred to as the "Client") as identified in the Order Form. 

‍

Preamble:‍

In the context of the execution of the Order Form(s) and the Modjo General Terms and Conditions of Sale concluded between RINGO and the Client, the Client, in its capacity as Data Controller, entrusts RINGO, in its capacity as Subcontractor, with the processing of Personal Data.

‍

This Data Processor Agreement is an integral part of the Modjo Order Form(s) and Terms and Conditions. 

‍

The Parties intend to comply with all applicable regulations regarding the Processing of Personal Data, and in particular the Law n°78-17 of January 6, 1978 (known as "Informatique et Libertés") as amended and the General Regulation on the Protection of Personal Data n°2016-679 dated April 27, 2016 ("RGPD").

‍

The Parties have agreed to this Agreement in order to comply with the provisions of Article 28, in particular paragraphs 3 and 4, of the GDPR. This Agreement applies to the processing of personal data as specified in Article 1. 

‍

It is expressly agreed that the terms used in this Agreement with a capital letter (e.g. Controller, Personal Data, Service...) correspond to the definitions contained in the GDPR and in the GTC. This Agreement shall be read and interpreted in light of the provisions of the GDPR. 

‍

It is agreed as follows:

‍

1. Description of the treatments

‍

The specificities of the processing of personal data, in particular the categories of personal data and the purposes of processing for which personal data are processed on behalf of the Client, in its capacity as Data Controller, are: 

• Categories of persons concerned by the processing of their personal data: the Client's staff and employees using the services provided by RINGO as well as the Client's contacts, prospects and customers. 
• Categories of personal data processed: data relating to the identification of data subjects (name, surname, contact details and email), data relating to recordings of telephone calls and video conferences, data relating to the use of services such as comments, reviews, translations and intelligent summaries made from the services, data relating to emails exchanged between data subjects and data relating to networks.

• Purpose of the processing: the provision by RINGO of the services agreed with the Client, and their use by the Client, in accordance with the Purchase Order(s) and the attached GTC concluded between RINGO and the Client.  
• Nature of the processing: the collection and analysis of data, including Personal Data, on behalf of the Customer.

• Purposes of processing: the provision by RINGO, on behalf of the Customer, of the Service, principally the collection, recording and analysis of recordings of telephone calls and videoconferences and the filling of customer relationship management software, as well as assistance, back-up, security and maintenance services related to the Service.

• Duration of processing: Personal Data is processed by RINGO for the duration of the Client's contractual relationship. Logs are kept for a period of one (1) year. When the AI Notes Beta functionality is activated by the Client, the data is kept by Open AI for a maximum of 30 days for the purpose of content moderation and abuse prevention. 

‍

2. Instructions

‍

RINGO will only process personal data on the documented instruction of the Client and in accordance with the above provisions, unless it is required to do so under Union law or the law of the Member State to which it is subject. In this case, RINGO will inform the Client of this legal obligation prior to processing, unless it is prohibited by law on important grounds of public interest. Instructions may also be given subsequently by the Client throughout the processing of the personal data. These instructions must always be documented.

‍

If RINGO believes that an instruction from the Client constitutes a violation of the applicable regulations on the protection of personal data, it will immediately inform the Client. RINGO is in no way responsible for the Client's instructions and decisions and their possible consequences.

‍

The provisions of this Agreement, as well as the activation by the Client, its Administrators or Users of the translation and AI Notes BETA features, constitute documented instructions from the Client to RINGO. 

‍

3. Purpose limitation

‍

RINGO processes personal data only for the purposes of processing as set out in Article 1 of this Agreement, unless RINGO receives other documented instructions from the Client. 

‍

4. Duration of treatment

‍

RINGO will only process personal data for the period defined in Article 1 of this contract, unless RINGO receives other documented instructions from the Client. 

‍

5. Security measures

‍

RINGO undertakes to put in place appropriate technical and organizational security measures to ensure the security of the Personal Data it processes against destruction, loss, alteration, unauthorized disclosure or access, or any other form of unauthorized processing. In determining the appropriate level of security, RINGO shall take into account the state of the art, the costs of implementation, the nature, scope, context and purposes of the processing and the risks to data subjects.

‍

A description of these measures has been drawn up by RINGO in accordance with Article 32 of the GDPR and is available upon written request.

‍

When the AI Notes BETA functionality is activated by the Customer, the Customer agrees that the security measures implemented are those of the OpenAI security policy. 

RINGO will only grant members of its staff access to the personal data being processed to the extent strictly necessary for the performance, management and monitoring of the Service. RINGO ensures that the persons authorized to process personal data are subject to a contractual obligation of confidentiality. 

‍

6. Documentation and compliance 

‍

RINGO shall make available to the Client all information necessary to demonstrate compliance with the obligations set forth in this Agreement and which arise directly from the GDPR.

‍

At the request of the Client and in the presence of serious indications of non-compliance, RINGO will allow and assist in the performance of audits of the processing activities covered by these clauses. 

‍

The audit may be conducted at the rate of one (1) time per calendar year, and upon sixty (60) days written notice to RINGO. 

‍

This audit shall be conducted in a manner that respects the security and confidentiality of RINGO's documentation and procedures. It shall not exceed one (1) day in duration and shall be conducted during normal business hours at RINGO's premises.

‍

The Client may decide to carry out the audit itself or to appoint an independent auditor, chosen by mutual agreement between the parties and subject to an obligation of confidentiality. 

‍

Notwithstanding anything to the contrary, Customer shall be responsible for all costs and/or expenses incurred as a result of such visit.     

‍

The parties shall make available to the competent supervisory authority(ies), upon request, the information set forth in this clause, including the results of any audit.

‍

7. Subsequent subcontractors

‍

RINGO has the Client's general authorization to engage the further subcontractors listed in Appendix 1. 

‍

RINGO undertakes to provide an updated list of its subcontractors and their processing activities upon request by the Client.

‍

RINGO shall notify Client of any planned changes to this list through the addition or replacement of subsequent subcontractors at least eight (8) days prior to the anticipated date of addition or replacement of the affected subsequent subcontractor.

‍

Client may object to RINGO's use of a new Subsequent Subcontractor by promptly notifying RINGO in writing (by email) and prior to the date of addition or replacement of the affected Subsequent Subcontractor. In the event that Client objects to the appointment of a new subcontractor, RINGO will use reasonable efforts to make available to Client a modification to the Services or recommend a commercially reasonable change in the configuration or use of the Services that avoids the processing of Personal Data by the new subcontractor to which Client objects, without imposing an unreasonable burden on Client. If RINGO is unable to make such changes within a reasonable period of time, which shall not exceed thirty (30) days, then Client may terminate the applicable Agreement, but only with respect to those services that cannot be provided by RINGO without the use of the new subcontractor, by providing RINGO with written notice by registered mail with return receipt requested.

‍

The absence of objection by the Customer shall be deemed to be acceptance by the Customer of the changes affecting the list of subsequent subcontractors. 

‍

Each subsequent subcontractor of RINGO is obliged to comply with the obligations of this contract on behalf of and according to the instructions of the Client. It is RINGO's responsibility to ensure that the sub-processor provides the same sufficient guarantees regarding the implementation of appropriate technical and organizational measures for the processing to meet the requirements of the GDPR. 

‍

RINGO shall remain fully liable to the Client for the performance by the subsequent subcontractor of its obligations.

‍

Some subcontractors only process Customer data when the functionality for which they are acting is activated by the Customer's Administrator or User. 

‍

Thus, the subsequent subcontractor OpenAI only processes Customer data when the Administrator has activated the AI Notes BETA functionality. When this feature is enabled, OpenAI will process Client data for the provision of intelligent summaries.  

‍

Deepl's subcontractor also only processes customer data when the user activates the translation feature for a particular record. When the translation feature is activated, Deepl will process the customer's data for this record in order to provide a translation.

‍

8. Customer Assistance 

‍

It is the Customer's responsibility to inform the Persons concerned of the processing of their data and of their rights under the French Data Protection Act and the RGPD. In particular, the Client shall inform its own employees and their correspondents of the recording of their telephone and video-conference conversations, as well as of the fact that they may object to such recording at any time. RINGO cannot be held responsible for these obligations. 

‍

RINGO will notify the Client without delay of any request, including the exercise of rights, that it receives from the Data Subject. The Client undertakes to respond to requests from the Data Subject within one (1) month.

‍

As a processor, RINGO assists the Client in fulfilling its obligation to respond to requests from data subjects to exercise their rights, taking into account the nature of the processing and the Client's instructions. 

‍

RINGO also assists the Client in ensuring compliance with the following obligations, given the nature of the processing and the information available to RINGO: 

‍

• the obligation to carry out an assessment of the impact of proposed processing operations on the protection of personal data ("data protection impact assessment") where a type of processing is likely to present a high risk to the rights and freedoms of natural persons and, where appropriate, the obligation to consult the competent supervisory authority prior to processing
• the obligations set out in Article 32 of the GDPR. 

‍

9. Inspections, controls or audits by public authorities

‍

In the event of an inspection, control or audit by a public authority, including a Control Authority, each Party undertakes to provide all necessary assistance to the other.

‍

If the public authority considers that the processing carried out violates the applicable regulations on the protection of Personal Data, the Parties undertake to communicate and take the necessary measures immediately to remedy the violation.

‍

10. Notification of Personal Data Breaches

‍

In the event of a personal data breach, RINGO shall cooperate with and assist the Client in complying with the Client's obligations under Articles 33 and 34 of the GDPR, taking into account the nature of the processing and the information available to RINGO.

‍

In the event of a breach of personal data not caused by the Client, RINGO undertakes to take immediate remedial action.

‍

RINGO shall notify the Client of any breach as soon as possible after its discovery, by e-mail addressed to the Client. 

‍

Such notification shall contain all relevant information about the breach, in order to enable the Customer, if necessary, to notify the relevant Supervisory Authority and/or the data subjects of the breach, in accordance with its obligations as a Data Controller.

‍

The Parties undertake to cooperate fully to bring the breach to an end as soon as possible.

‍

11. Data hosting and transfers

‍

The personal data processed by RINGO on behalf of the Client and the RINGO websites and databases are hosted by Amazon Web Services on servers located in the European Economic Area ("EEA").

‍

Any transfer of data to a third country or international organization by RINGO will only be made on the basis of this Agreement or in order to meet a specific requirement of Union or Member State law to which the processor is subject and will take place in compliance with Chapter V of the GDPR.

‍

Prior to a transfer authorized by the Client, RINGO undertakes to put in place the necessary measures to ensure that the recipient located in the country outside the European Economic Area presents an adequate level of protection. When the Customer has activated the AI Notes BETA functionality, he or she agrees that his or her data will be processed by OpenAI in accordance with its processing conditions and that it will be transferred to the United States in accordance with the standard contractual clauses adopted by the European Commission.  

‍

RINGO may transfer personal data to the authorized sub-processors identified in Appendix 1 "List of authorized sub-processors". These sub-processors may be located outside the EEA. In this case, RINGO ensures that the further processor can guarantee compliance with Chapter V of the GDPR by presenting an adequate level of protection, such as the use of standard contractual clauses adopted by the Commissions or approved by the BCR.  

‍

A complete list and information on our subsequent subcontractors is provided in Appendix 1.

‍

12. Changes and updates

‍

RINGO reserves the right to modify this PAD at any time. Customer will be notified of such changes by email (sent to the Modjo Administrator's email address) or at www.modjo.ai or on the Modjo conversational analytics business platform, as RINGO may decide.

With the exception of amendments relating to subcontractors governed by Article 7 of the DPA, amendments to this DPA will apply to Customer, even if its commitment predates the amendments, eight (8) days after the information is given to it. In the event that the changes to the DPA would cause significant harm to the Client and are not required by laws, regulations, directives, recommendations or deliberations of a European data protection authority or by a court decision, the Client shall inform RINGO of its opposition and its reasons within eight (8) days of the information. If the Parties do not reach an agreement within thirty (30) days of receipt of the Client's objection, the Client may terminate, without penalty, the Service affected by the change by sending written notification to RINGO. Any use of the Service after Client's notification will be deemed to be Client's acceptance of the updated PAD. 

‍

13. Data Fate

‍

At the end of the relationship between the Parties, the Client has a period of one (1) month in which to request in writing the return, in raw format and under its responsibility, of its recordings; failing such a request within this period, RINGO may proceed with the definitive destruction of all the data, including the logs and back-ups.

‍

14. Data Protection Officer

‍

RINGO has a data protection officer, who can be contacted by e-mail at the following address: dpo@modjo.ai

‍

15. Register of Processing Activities

‍

RINGO undertakes to keep an up-to-date Register of processing activities carried out in its capacity as a Subcontractor and including the following:

• the name and contact details of the Data Controller, any sub-processors and the Data Protection Officer
• the categories of Processing carried out on behalf of the Data Controller
• the possible transfers of personal data to countries outside the European Union and the elements attesting to the existence of appropriate guarantees
• a general description of the technical and organizational security measures in place

‍

16. RINGO's commitments

‍

During the term of the Contract between RINGO and the Client : 

‍

• RINGO guarantees the confidentiality of the Personal Data processed in its capacity as a Subcontractor and ensures that its staff members, authorized to process Personal Data, respect this principle of confidentiality and have received the necessary training in this regard
• RINGO undertakes to take into account the principle of protection of Personal Data by design and by default, with regard to the tools, products, applications or services it uses.

‍

17. Customer's commitments 

‍

The Customer undertakes to collect and process Personal Data in compliance with applicable labor law and data protection regulations, in particular with regard to the methods, basis and purposes of processing, the length of time Personal Data is kept, the rights of Data Subjects and the information given to them. 

‍

In particular, the Customer undertakes to comply with all regulations and obligations applicable to the processing of employee data and to the processing of special categories of Personal Data (such as health data, religious beliefs, sexual orientation, etc.) and to carry out, prior to their Processing, the necessary verifications, studies and impact analyses, to inform the Data Subjects in accordance with Articles 12, 13 and 14 of the RGPD and to obtain, where appropriate, the consent of the Data Subjects.) and to carry out, prior to their Processing, the necessary verifications, studies and impact analyses, to inform the Data Subjects in accordance with Articles 12, 13 and 14 of the GDPR and to obtain, where applicable, the consent of the Data Subjects with respect to the collection and processing of their Personal Data and, in particular, the recording of their voice.

‍

The Client undertakes to provide RINGO with all information necessary to carry out the intended processing activities in compliance with the applicable regulations and to document any instructions regarding the processing.

‍

The Client undertakes to provide RINGO with the Personal Data identified in Article 1 of this Agreement and to ensure the lawfulness and accuracy of the data. The Client also undertakes to ensure the effectiveness of the rights of the Persons concerned. 

‍

The Client indemnifies RINGO against any claim or action in this regard.

‍

Customer agrees to supervise the Processing, including conducting at its own expense any necessary audits and inspections of RINGO or conducting or defending the interests of the Parties in any action, proceeding or control.

‍