Sharework SAS ("Sharework" or "Reveal") provides their service via its app.reveal.co platform ("Reveal Service" or "Reveal Services" or "the Services" ).
This Data Processing Agreement for Reveal Services (the “DPA”) details the parties’ obligations regarding the Processing of Personal Information on your behalf (hereinafter “Customer”) as part of the provision of Reveal Services as described in further detail in the Sharework’s General Terms of Service (hereinafter “GTC”). In the event of a conflict between the terms of the GTC and that of this DPA, the terms of this DPA shall prevail.
The Customer, as controller, and Sharework, as processor, undertake to respect the Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“GDPR”) or other data privacy or data protection law or regulation that applies to the Processing of Personal Data under this DPA (such laws collectively with GDPR, “Applicable Data Protection Law”).
For the purpose of this DPA the following terms will have the same meaning as assigned under the Applicable Data Protection Law: “Data Subject”, “Process/Processing”, “Personal Information” or “Personal Data”, “Supervisory Authority”, “Controller”, “Processor” and “Binding Corporate Rules” (or any of the equivalent terms).
“Services” means the product(s) and service(s) that are provided by Reveal to the Customer.
“Data Source”means a business database that is connected or uploaded by Customer to Reveal Services.
“Service Data” means all data produced by Reveal Services.
“CRM Data” means all data within Customer Data Source available to Reveal.
“Processed CRM Data” means CRM Data processed by Reveal Services.
“Customer Data” means the combination of Service Data, CRM Data and Processed CRM Data.
“Trusted Business Partner” means a Customer’s business partner invited to connect via Reveal for data sharing purposes
“Usage Data” means data & information about how the Customer uses the Services
Reveal provides Services allowing the Customer to connect a Data Source, process, store and share relevant CRM Data (“Processed CRM Data”) with Trusted Business Partners.
To deliver the Services, Reveal collects, processes and produces Customer Data which may include, without limitation, any information relating to an identified or identifiable natural person (‘data subject’) where an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as name, an identification number, location data, an online identifier or to one or more factors specific to their physical, physiological, mental, economic, cultural or social identity of that natural person (such information, “Personal Data”)
The Customer is responsible for complying with its obligations as a controller under this DPA and Applicable Data Protection Law, including the lawfulness of disclosing personal information to Reveal.
The Customer, who collects the Personal Data, remains responsible for informing the persons concerned of the transfer and processing of said data by Reveal, whose responsibility, as subcontractor of the processing, can only be engaged within this limit.
The Customer must document in writing his instructions regarding the processing of personal data to Reveal. The Customer’s instructions are reflected in the Contract and this DPA. The User has the right to reasonably provide additional instructions to Reveal. If the exercise of the right to issue reasonable instructions results in disproportionate efforts on part of Reveal which exceed the Services set forth in the Contract or Reveal’s duties under Applicable Data Protection Law, Reveal may comply with the instruction for a separate fee in relation to the efforts arising thereof.
Reveal will do its best efforts to:
Reveal is authorized by the Customer to use sub processors for the performance of his contractual obligations, including the processing of personal data, provided that Reveal has concluded a written or electronic agreement with the subcontractor guaranteeing a level of protection equivalent to the level provided for in the DPA and, at the Customer’s request that main dispositions of this agreement be communicated to him.
Reveal must inform the Customer of any intended changes concerning the addition or replacement of a sub-processor, it being understood that the Customer may object to such changes if this subcontractor does not comply with GDPR mandatory dispositions, within eight days of being informed. Reveal has implemented and enforces a Vendor Management Policy.
The Customer is entitled to conduct an audit up to once per year to confirm compliance with the relevant controls under this DPA. Such audits and inspections should be a document audit. If this document audit does not satisfy the Customer, the Customer may conduct an on-site audit, during regular business hours, and without interfering with Reveal’s operations, upon at least 30 days prior notice and pursuant to an agreed-upon scope. Each party will bear its own costs in relation to the audit.
If the Customer would like a third party to conduct the audit, the third party must be mutually agreed to by the parties and must execute a written confidentiality agreement acceptable to Reveal.
The audit report or findings shall be confidential information under the Contract and the Customer will provide Reveal with a copy thereof. The Customer may use the audit reports and findings only for the purposes of meeting its regulatory audit requirements and/or confirming compliance with the requirements of this DPA.