The present agreement on the processing of Customer Data (hereinafter the “DPA”) is entered into between Reveal and the Customer within the framework of the performance of the general terms and conditions concluded between the same Parties (the “GTC”) relating to the Services provided by Reveal to Customer.
Reveal acts as Processor and Customer acts as Controller under this DPA for the Processing of Customer Data.
1.1 For the purposes of this DPA, the terms “Personal Data”, “Data Subject”, “Personal Data Breach”, “Processing”, “Transfer”, “Supervisory Authority”, “Controller” and “Processor” shall have the definitions set forth by Article 4 of the General Data Protection Regulation (EU) 2016/679 of 27 April 2016 (“GDPR”).
1.2 Any capitalized terms in this DPA that are not defined in this Article 1 shall have the meaning set forth in the GTC.
2.1 Reveal will only process Personal Data on behalf of and under the documented and lawful instructions of Customer, for the purposes of the Contract.
2.2 The Parties acknowledge that the fulfillment of the purpose of the Contract and the use of the Services and its features are considered to be the documented instructions of Customer.
2.3 Any additional instruction from Customer must be made in writing, specifying the purpose concerned and the operation to be carried out, it being understood that the implementation of any additional instruction may be conditional on Customer's acceptance of the corresponding estimate issued by Reveal.
2.4 Reveal undertakes to inform Customer if, in its opinion, the instruction amounts to a breach of the Applicable Data Protection Regulations.
2.5 If Reveal receives a request from a data subject whose Personal Data has been Processed under the Contract on behalf of Customer, Reveal shall promptly inform Customer of such request without responding to it directly. Reveal shall provide prompt assistance to Customer, at Customer’s cost, in order to allow Customer to fulfill its obligation to comply with valid data subject requests for the right of access, to object, to restriction of Processing, to rectification, to erasure, or to portability of the Customer Data Processed on Customer’s behalf by Reveal.
2.6 Reveal will cooperate with Customer and provide Customer, at Customer’s cost, with all necessary assistance and documentation to enable it to comply with its obligations under Articles 32 to 36 of GDPR to which it is subject, including assistance in carrying out data protection impact assessments, and prior consultations with supervisory authorities.
2.7 Reveal undertakes to inform Customer of any request for access or communication from a third party invoking an authorisation resulting from the application of the Applicable Data Protection Regulations.
3.1 Customer authorizes Reveal to use sub-Processors to carry out the Customer Data Processing activities on behalf of Customer that are strictly necessary for the performance of the Contract.
3.2 Reveal maintains an up-to-date list of its sub-Processors, which it updates on a regular basis. The list of Reveal’s sub-Processors is provided upon written request by Customer.
3.3 Reveal undertakes to inform Customer of any addition or replacement of sub-Processors as soon as possible. Customer may express its objections in writing within ten (10) working days of receiving the information. Customer acknowledges and agrees that the absence of objections within this period is equivalent to acceptance of the sub-Processor.
3.4 Where such sub-Processors are engaged, Reveal will:
4.1 Reveal will keep Customer Data belonging to or transmitted by Customer strictly confidential and will not disclose such Customer Data to third parties without prior and explicit authorization of Customer. Reveal will ensure that persons authorized to process such Customer Data (its staff, directors, affiliates, suppliers and any potential Authorized Processors) have committed themselves to confidentiality or are under appropriate statutory obligation of confidentiality.
4.2 Reveal will implement and maintain appropriate technical and organizational measures to protect Customer Data against (i) unauthorized or unlawful Processing and (ii) accidental loss, damage, destruction, alteration, unauthorized disclosure of, or access that, at a minimum, meet the requirements set forth in the measures referred to in Article 32 of GDPR.
5.1 Reveal shall notify Customer in writing, without undue delay, after becoming aware of any breach of security of Personal Data resulting in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Personal Data transmitted, stored or otherwise processed.
5.2 Reveal shall provide Customer with all reasonable assistance in investigating and mitigating the impact of any such Data Breach. Reveal will also provide all reasonable assistance to Customer in relation to its obligations to provide adequate notifications to the relevant Supervisory Authorities and affected Data Subjects.
6.1 Where there are Transfers of Customer Data from a Member State of the EU or from a Member State of the EEA to a third country outside the EU and outside the EEA (the “Third Country”), the Parties acknowledge that steps must be taken to ensure that such data transfers comply with Applicable Data Protection Regulations.
6.2 In order to ensure that adequate safeguards are in place for Processing and Transfer of Customer Data, Reveal undertakes that it complies with one of the following derogatory conditions:
7.1 Upon termination of the Contract for any reason whatsoever, Reveal (including its employees, directors, affiliates, suppliers and sub-Processors) shall cease all Processing of Customer Data carried out for performance of the Contract and provision of the Services to Customer, except for Processing necessary for compliance with its own accounting, tax and employment legal obligations.
7.2 Upon termination of the Contract for any reason whatsoever, Reveal undertakes to destroy, automatically or manually and within a reasonable period of time, all Customer Data provided by or duly collected on behalf of Customer, in its capacity as Processor, during the performance of the Contract, except for Processing necessary for compliance with its own accounting, tax and employment legal obligations and for the fulfillment of the Parties’ contractual obligations remaining at the end of the Contract.
8.1 At Customer's written request to Reveal, Customer can conduct a security audit of Reveal's facilities, systems, policies, controls and practices, at Customer's expense, by Customer or representatives of Customer, including without limitation an independent third-party auditor.
8.2 Customer Audit shall (i) occur at a mutually agreeable time not more than once a calendar year, starting at the Effective Date, and once following each Data Breach; (ii) not unreasonably interfere with Reveal's operations. Any third party performing such Customer Audit on behalf of Customer shall execute a standard nondisclosure agreement with Reveal with respect to the confidential processing and restricted use of information gathered in conducting the audit; and access to Reveal's facilities shall be subject to Reveal's reasonable access requirements and security policies. Notwithstanding the foregoing, Reveal's access requirements, security policies and the nondisclosure agreement, if applicable, shall in no way materially impede Customer, or a third party auditor selected by Customer, from conducting a Customer Audit.
8.3 The audit report shall be provided to Reveal by the auditors before it is finalised, so that Reveal can make any comments it may have, and the final report should take account of and respond to these comments. The audit report will then be sent to Reveal and discussed in a meeting between the Parties.
8.4 In the event that the final audit report reveals breaches of the commitments made in the performance of this DPA, Reveal shall propose a corrective action plan within a maximum of twenty (20) working days from the meeting between the Parties.
9.1 Liability - The Parties shall be liable for the fulfillment of their obligations under this DPA in accordance with the Applicable Data Protection Regulations. The liability rules agreed between the Parties in the GTC shall also apply to this DPA.
9.2 Term and Termination - The DPA shall enter into force on the GTCs’ Effective Date and remain in force for the term of the T&Cs.
9.3 Prevalence - The DPA prevails over any previous agreement relating to the Processing of Customer Data that may have been signed in the past between one or more of the Parties or that would result from clauses relating to the protection of personal data and the resulting liability under the GTC.
9.4 Governing law and jurisdiction - The Processing of Personal Data under this Agreement is governed by the law of the GTC. Any disputes between the Parties relating to the Processing of Customer Data under this DPA will be subject to the exclusive jurisdiction of the courts set forth in the GTC.
a) Subject-matter of the Processing: please refer to Appendix 1 “Description of the Services”.
b) Nature of the Processing: collection, organization, structuring, storage, consultation, use, disclosure by transmission, alignment or combination, restriction, erasure or destruction.
c) Purpose of the Processing: performance of the Contract.
d) Duration of the Processing: duration of the Contract.
e) Type of Personal Data: identification data, contact data, professional data.
f) Categories of Data Subjects: Customer’s prospects and clients, and Customer’s employees acting as clients’ account owner.