Data Processing Agreement (DPA)

INTRODUCTION

This Jarvi Tech (Jarvi) Data Processing Agreement and its Annexes (“DPA”) outlines the agreement between the parties regarding how we handle Personal Data on your behalf as part of the Jarvi Subscription Services, under the Terms of Service between you and us (also referred to in this DPA as the “Agreement”).

This DPA is an addition to, and an essential part of, the Agreement and becomes effective once incorporated into the Agreement, which may be specified in the Agreement, an Order, or an executed amendment to the Agreement. If there is any conflict or inconsistency with the terms of the Agreement, this DPA will take precedence to the extent of the conflict or inconsistency.

We periodically update these terms. If you have an active Jarvi Tech (Jarvi) subscription, we will notify you of any changes via email or an in-app notification.

The duration of this DPA will align with the term of the Agreement. Terms not defined in this DPA will have the meanings given in the Agreement.

01. Scope of contract and distribution of responsibilities

1.1 The Parties agree that, for the purpose of Processing Personal Data, the Parties shall act as Controller and Processor.

1.2 The Processor shall Process Personal Data solely on behalf of the Controller and always in accordance with this Data Processing Agreement.

1.3 Within the scope of the Service Agreement, each Party is responsible for fulfilling its respective obligations as Controller and Processor under Data Protection Laws.

02. Processing Instructions

2.1 The Processor will handle Personal Data according to the Controller’s instructions. This Data Processing Agreement outlines the Controller’s initial directives to the Processor. Both parties agree that the Controller can communicate any changes to these initial instructions to the Processor through written notice, and the Processor will comply with these instructions. The Processor must keep a secure, complete, accurate, and up-to-date record of all such individual instructions.

2.2 To clarify, any instructions that would result in processing beyond the scope of this Data Processing Agreement (for example, if a new processing purpose is introduced) will require prior agreement between the parties and, if applicable, will be subject to the contract change procedure outlined in the Service Agreement.

2.3 When directed by the Controller, the Processor must correct, delete, or block Personal Data.

2.4 The Processor must promptly inform the Controller in writing if, in the Processor’s opinion, an instruction violates Data Protection Laws, and provide a written explanation of the reasons for this opinion.

2.5 The Processor will not be liable for any Data Protection Losses arising from or related to any processing carried out in accordance with the Controller’s instructions after the Controller has received any information provided by the Processor in this Section 2.

03. Processor Personnel

The processor will ensure that its personnel do not process Personal Data without authorization. The processor will enforce appropriate contractual obligations on its personnel, including obligations related to confidentiality, data protection, and data security.

04. Disclosure to Third Parties; Data Subjects’ Rights

4.1 The processor will not disclose Personal Data to any third party (including any government agency, court, or law enforcement) except as outlined in this Data Processing Agreement, with written consent from the Controller, or as necessary to comply with applicable mandatory laws. If the processor is required to disclose Personal Data to a law enforcement agency or third party, it agrees to provide the Controller with reasonable notice of the access request before granting such access, allowing the Controller to seek a protective order or other appropriate remedy. If such notice is legally prohibited, the processor will take reasonable measures to protect the Personal Data from undue disclosure as if it were its own confidential information being requested and will inform the Controller promptly as soon as possible if and when such legal prohibition ceases to apply.

4.2 If the Controller receives any request or communication from Data Subjects related to the Processing of Personal Data (“Request”), the processor shall provide the Controller with full cooperation, information, and assistance (“Assistance”) regarding any such Request as instructed by the Controller.

4.3 If the processor receives a Request, it shall (i) not respond directly to such Request, (ii) forward the request to the Controller within three business days of identifying the Request as related to the Controller, and (iii) provide Assistance according to further instructions from the Controller.

05. Assistance

5.1 The Processor helps the Controller ensure compliance with obligations under Articles 32 to 36 of the GDPR, considering the nature of the Processing and the information available to the Processor.

5.2 If a Data Protection Impact Assessment (“DPIA”) is required under applicable Data Protection Laws for the Processing of Personal Data, the Processor will provide the Controller with reasonable cooperation and assistance needed to fulfill the Customer’s obligation to conduct a DPIA related to the Customer’s use of the Services, as long as the Customer does not have access to the relevant information and such information is available to Jarvi Tech (Jarvi).

5.3 The Controller will pay the Processor reasonable charges, mutually agreed upon by the parties, for providing the assistance in Section 5, to the extent that such assistance cannot be reasonably accommodated within the normal provision of the Services.

06. Information Rights and Audit

6.1 In accordance with Data Protection Laws, the Processor will make available to the Controller, upon request and in a timely manner, the necessary information to demonstrate the Processor’s compliance with its obligations under Data Protection Laws.

6.2 Jarvi Tech (Jarvi) has obtained third-party certifications and audits as detailed on our security page. Upon the Controller’s written request and subject to the confidentiality obligations outlined in the Service Agreement, Jarvi Tech (Jarvi) will provide the Controller with a copy of its most recent third-party certifications or audits, as applicable.

6.3 The Processor will, upon reasonable notice, allow for and contribute to inspections of its Processing of Personal Data, as well as the TOMs (including data processing systems, policies, procedures, and records), during regular business hours with minimal disruption to the Processor’s operations. These inspections are conducted by the Controller, its affiliates, or an independent third party on the Controller’s behalf (which will not be a competitor of the Processor) that is subject to reasonable confidentiality obligations.

6.4 The Controller will pay the Processor reasonable costs for allowing or contributing to audits or inspections in accordance with Section 6.3 if the Controller wishes to conduct more than one audit or inspection every 12 months. The Processor will immediately refer any requests from national data protection authorities related to the Processor’s Processing of Personal Data to the Controller.

6.5 The Processor commits to cooperating with the Controller in its interactions with national data protection authorities and with any audit requests from these authorities. The Controller is entitled to disclose this Data Processing Agreement or any other documents (including contracts with subcontractors) related to fulfilling its obligations under this Data Processing Agreement (commercial information may be redacted).

07. Data Incident Management and Notification

Regarding Customer data incidents, the Processor shall:

7.1 Notify the Controller of a Personal Data Breach involving the Processor or a subcontractor without undue delay (but no later than 72 hours after becoming aware of the incident).

7.2 Make reasonable efforts to identify the cause of such an incident and take necessary and reasonable steps to remediate the cause of the incident, to the extent that it is within Jarvi Tech (Jarvi)‘s reasonable control.

7.3 Provide reasonable information, cooperation, and assistance to the Controller in relation to any action to be taken in response to a Personal Data Breach under Data Protection Laws, including any communication of the Personal Data Breach to Data Subjects and national data protection authorities.

The obligations in Section 7 do not apply to data incidents caused by the Customer or the Customer’s users.

08. International Data Transfer

8.1 Jarvi Tech (Jarvi) may transfer your Personal Data to countries other than the one in which you reside. When Personal Data is transferred abroad, Jarvi Tech (Jarvi) will ensure compliance with the applicable laws in the respective jurisdiction in line with its obligations.

8.2 Jarvi Tech (Jarvi) and its associated entities have entered into Standard Contractual Clauses (“SCC”) among themselves as authorized by the European Commission under the GDPR for the transfer of personal data from Jarvi Tech (Jarvi) in the EEA, UK, and Switzerland to provide the Service in accordance with the Terms of Service.

8.3 Whenever Personal Data is transferred outside its country of origin, each party will ensure such transfers comply with the requirements of Data Protection Laws.

8.4 Where the Client is based in the European Economic Area (EEA), the parties acknowledge that the transfer of Personal Data by the Client to Workforce Cloud Tech, Inc. (Jarvi) will involve the transfer of data outside the EEA. From an EU data protection perspective and for purposes of applicable regulation, the Client will be the Data Exporter and Jarvi Tech (Jarvi) will be the Data Importer.

8.5 Where the Data Exporter is not based in the United States (“US”) or the EEA, the parties acknowledge that the transfer of Personal Data by the Data Exporter to Jarvi Tech (Jarvi) will involve onward transfer of Personal Data from the country in which the Data Exporter is based to the EEA, the US, and other jurisdictions where Jarvi Tech (Jarvi) and its Sub-Processors are registered.

8.6 The Client acknowledges that in connection with the performance of the Services, Jarvi Tech (Jarvi) is a recipient of European Client Data in the United States. The parties acknowledge and agree to the following:

1. Standard Contractual Clauses: The parties agree to abide by and process European Data in compliance with the Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914).
2. Jarvi Tech (Jarvi) Sub-Processors in jurisdictions where they have operations.
3. Privacy Shield: Although Jarvi Tech (Jarvi), Inc. does not rely on the EU-US Privacy Shield as a legal basis for transfers of Personal Data in light of the judgment of the Court of Justice of the EU in Case C-311/18, for as long as Jarvi Tech (Jarvi) is self-certified to the Privacy Shield, it will process European Client Data in compliance with the Privacy Shield Principles and inform the Client if it is unable to comply with this requirement.

If, for any reason, Jarvi Tech (Jarvi) cannot comply with its obligations under the Standard Contractual Clauses or is in breach of any warranties under the Standard Contractual Clauses, and the Client intends to suspend the transfer of European Client Data to Jarvi Tech (Jarvi) or terminate the Standard Contractual Clauses, the Client agrees to provide Jarvi Tech (Jarvi) with reasonable notice to enable it to cure such non-compliance and reasonably cooperate with Jarvi Tech (Jarvi) to identify what additional safeguards, if any, may be implemented to remedy such non-compliance. If Jarvi Tech (Jarvi) has not or cannot cure the non-compliance, the Client may suspend or terminate the affected part of the Service in accordance with the Terms of Service without liability to either party (but without prejudice to any fees incurred prior to such suspension or termination).

09. Reference to Provisions of the Standard Contractual Clauses

For the technical and organizational measures (TOMs), please refer to Annex II of the Standard Contractual Clauses.

Regarding sub-processing, see Annex III of the Standard Contractual Clauses. If the Controller objects to the appointment or replacement of any sub-processor, the Processor will either refrain from appointing or replacing the sub-processor, or if that’s not feasible, the Controller may suspend or terminate the Service(s) (without affecting any fees incurred by the Controller before such suspension or termination).

10. Term and Termination

10.1 This Data Processing Agreement becomes effective upon signing. It will remain in effect as long as the Processor is handling Personal Data in accordance with Exhibit 1 Annex I, and will automatically terminate thereafter.

10.2 The Controller may terminate the Data Processing Agreement and the Service Agreement for cause, at any time with reasonable notice or without notice, as chosen by the Controller, if the Processor materially breaches the terms of this Data Processing Agreement.

10.3 If amendments are necessary to ensure this Data Processing Agreement complies with Data Protection Laws, the Parties will agree on such amendments at the Controller’s request, with no additional cost to the Controller. If the parties cannot agree on these amendments, either party may terminate the Service Agreement and this Data Processing Agreement with 90 days written notice to the other party.

11. Deletion or Return of Personal Data

The controller can export all Customer Data before the Customer’s Account is terminated. In any case, after the termination of the Customer’s Account, (i) subject to (ii) and (iii) below and the Service Agreement, Customer Data will be kept for fourteen (14) days from the termination date, during which the Controller can contact the Processor to export Customer Data; (ii) if the Controller does not use a custom mailbox and uses the email feature, if available within the Service(s), emails that are part of Customer Data are automatically archived for three (3) months; and (iii) logs are archived for thirty (30) days in the log management systems, after which they are moved to a restricted archived cold storage for eleven (11) months (each a “Data Retention Period”). Beyond each Data Retention Period, the Processor reserves the right to delete all Customer Data in the normal course of operation, except as necessary to comply with legal obligations, maintain accurate financial and other records, resolve disputes, and enforce agreements. Once deleted, Customer Data cannot be recovered.

12. Miscellaneous

12.1 In case of any conflict, the provisions of this Data Processing Agreement shall take precedence over any other agreement with the Processor.

12.2 The limitation of liability stated in the Service Agreement applies to breaches of the Data Processing Agreement.

12.3 No Party shall receive any remuneration for fulfilling its obligations under this Data Processing Agreement except as explicitly stated here or in another agreement.

12.4 Where this Data Processing Agreement requires a “written notice,” such notice can also be communicated via email to the other Party. Notices should be sent to the contact persons listed in Exhibit 1 Annex I.

12.5 Any supplementary agreements or amendments to this Data Processing Agreement must be made in writing and signed by both Parties.

12.6 If individual provisions of this Data Processing Agreement become void, invalid, or unenforceable, this shall not affect the validity of the remaining conditions of this agreement.

13. Definitions

“Data Protection Laws” refers to the data protection laws of the country where the Controller is established, including the GDPR, and any data protection laws applicable to the Controller in relation to the Service Agreement. If the Controller is not based in an EU Member State, the California Consumer Privacy Act also applies.

“DP Losses” encompasses all liabilities, including:

1. costs (including legal fees);
2. claims, demands, actions, settlements, charges, procedures, expenses, losses, and damages (whether material or non-material, including emotional distress);
3. to the extent allowed by applicable law:

(i) administrative fines, penalties, sanctions, liabilities, or other remedies imposed by a data protection authority or any other relevant Regulatory Authority;

(ii) compensation to a Data Subject ordered by a data protection authority to be paid by the Processor;

(iii) the costs of compliance with investigations by a data protection authority or any other relevant Regulatory Authority.

“GDPR” refers to the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.

“Personal Data” means any information relating to an identified or identifiable natural person as defined by the General Data Protection Regulation of the European Union (“GDPR” EC-2016/679) that is processed by the Processor as part of providing services to the Controller as described in Exhibit 1.

“Service Agreement” refers to the Terms of Service available at https://www.jarvi.tech/fr/legals/cgu/ or a master services agreement executed between the Parties.

“Standard Contractual Clauses/EU Standard Contractual Clauses” are the standard contractual clauses outlined in Exhibit 1 for the transfer of Personal Data from a Data Controller in the European Economic Area to Processors established in third countries, as set out in the Annex of the Commission Implementing Decision (EU) 2021/914 of 4 June 2021, amended by incorporating the description of the Personal Data to be transferred and the technical and organizational measures to be implemented as detailed in the Appendix.

“Controller”, “Data Subject”, “Personal Data Breach”, “Processor” and “Process”/“Processing” shall have the meanings assigned to them in the GDPR.

SECTION 1: STANDARD CONTRACTUAL CLAUSES SECTION

Clause 1 - Purpose and Scope

1. The purpose of these standard contractual clauses is to ensure compliance with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) for the transfer of personal data to a third country.
2. The Parties:

(i) the natural or legal person(s), public authority/ies, agency/ies or other body/ies (hereinafter ‘entity/ies’) transferring the personal data, as listed in Annex I.A (hereinafter each ‘data exporter’), and

(ii) the entity/ies in a third country receiving the personal data from the data exporter, directly or indirectly via another entity also Party to these Clauses, as listed in Annex I.A (hereinafter each ‘data importer’) have agreed to these standard contractual clauses (hereinafter: ‘Clauses’).

4. These Clauses apply with respect to the transfer of personal data as specified in Annex I.B.
5. The Appendix to these Clauses containing the Annexes referred to therein forms an integral part of these Clauses.

Clause 2 - Effect and Invariability of the Clauses

1. These Clauses provide the necessary safeguards, including enforceable rights for data subjects and effective legal remedies, in accordance with Article 46(1) and Article 46(2)(c) of Regulation (EU) 2016/679. They also include standard contractual clauses for data transfers from controllers to processors and/or processors to processors, as per Article 28(7) of Regulation (EU) 2016/679, provided they remain unchanged, except for selecting the appropriate Module(s) or adding or updating information in the Appendix. This does not prevent the Parties from incorporating these standard contractual clauses into a broader contract and/or adding other clauses or additional safeguards, as long as they do not contradict these Clauses or infringe upon the fundamental rights or freedoms of data subjects.
2. These Clauses do not affect the obligations that the data exporter must comply with under Regulation (EU) 2016/679.

Clause 3 - Third-party beneficiaries

1. Data subjects can invoke and enforce these Clauses as third-party beneficiaries against the data exporter and/or data importer, with the following exceptions:

(i) Clause 1, Clause 2, Clause 3, Clause 6, Clause 7;
(ii) Clause 8 - Clause 8.1(b), 8.9(a), (c), (d), and (e);
(iii) Clause 9 – Clause 9(a), (c), (d), and (e);
(iv) Clause 12 – Clause 12(a), (d), and (f);
(v) Clause 13;
(vi) Clause 15.1(c), (d), and (e);
(vii) Clause 16(e);
(viii) Clause 18 – Clause 18(a) and (b);

3. This paragraph does not affect the rights of data subjects under Regulation (EU) 2016/679.

Clause 4 - Interpretation

1. When these Clauses use terms defined in Regulation (EU) 2016/679, those terms shall have the same meaning as in that Regulation.
2. These Clauses should be read and interpreted in light of the provisions of Regulation (EU) 2016/679.
3. These Clauses should not be interpreted in a way that conflicts with the rights and obligations provided in Regulation (EU) 2016/679.

Clause 5 - Hierarchy

If there is a contradiction between these Clauses and the provisions of related agreements between the Parties, whether existing at the time these Clauses are agreed upon or entered into thereafter, these Clauses shall take precedence.

Clause 6 - Description of the transfer(s)

The details of the transfer(s), including the categories of personal data being transferred and the purpose(s) for which they are transferred, are specified in Annex I.B.

Clause 7 - Docking clause

1. An entity that is not a Party to these Clauses may, with the agreement of the Parties, join these Clauses at any time, either as a data exporter or as a data importer, by completing the Appendix and signing Annex I.A.
2. Once the Appendix is completed and Annex I.A is signed, the joining entity shall become a Party to these Clauses and will have the rights and obligations of a data exporter or data importer as designated in Annex I.A.
3. The joining entity shall have no rights or obligations under these Clauses for the period before becoming a Party.

SECTION II - OBLIGATIONS OF THE PARTIES

Clause 8 - Data Protection Safeguards

The data exporter guarantees that it has made reasonable efforts to ensure that the data importer is capable, through the implementation of appropriate technical and organizational measures, of fulfilling its obligations under these Clauses.

8.1 Instructions

1. The data importer shall process the personal data only according to documented instructions from the data exporter. The data exporter may provide such instructions throughout the duration of the contract.
2. The data importer shall immediately notify the data exporter if it is unable to comply with those instructions.

8.2 Purpose Limitation

The data importer shall process the personal data solely for the specific purpose(s) of the transfer, as outlined in Annex I. B, unless further instructions are provided by the data exporter.

8.3 Transparency

Upon request, the data exporter shall provide a copy of these Clauses, including the Appendix as completed by the Parties, to the data subject free of charge. To the extent necessary to protect business secrets or other confidential information, including the measures described in Annex II and personal data, the data exporter may redact parts of the Appendix before sharing a copy, but must provide a meaningful summary where the data subject would otherwise be unable to understand its content or exercise their rights. Upon request, the Parties shall provide the data subject with the reasons for the redactions, as far as possible without disclosing the redacted information. This Clause does not affect the data exporter’s obligations under Articles 13 and 14 of Regulation (EU) 2016/679.

8.4 Accuracy

If the data importer becomes aware that the personal data it has received is inaccurate or outdated, it must inform the data exporter without undue delay. In such cases, the data importer must work with the data exporter to erase or correct the data.

8.5 Duration of Processing and Erasure or Return of Data

The data importer shall only process data for the period specified in Annex I.B. Once the processing services are concluded, the data importer must, at the data exporter’s discretion, either delete all personal data processed on behalf of the data exporter and confirm this action, or return all personal data to the data exporter and delete any existing copies. Until the data is deleted or returned, the data importer must continue to comply with these Clauses. If local laws applicable to the data importer prevent the return or deletion of personal data, the data importer guarantees that it will continue to comply with these Clauses and will only process the data as required by those local laws. This does not affect Clause 14, particularly the requirement for the data importer under Clause 14(e) to notify the data exporter throughout the contract duration if it believes it is or has become subject to laws or practices that do not meet the requirements of Clause 14(a).

8.6 Security of Processing

1. The data importer, and during transmission, the data exporter as well, must implement suitable technical and organizational measures to ensure data security. This includes protection against security breaches that could lead to accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access to the data (referred to as ‘personal data breach’). When determining the appropriate level of security, the Parties should consider the current state of technology, implementation costs, the nature, scope, context, and purposes of processing, as well as the risks to data subjects. The Parties should especially consider using encryption or pseudonymization, even during transmission, if the processing purpose can be achieved in this way. In cases of pseudonymization, any additional information needed to link personal data to a specific data subject should, if possible, remain solely under the control of the data exporter. To fulfill its obligations under this paragraph, the data importer must at least implement the technical and organizational measures outlined in Annex II. The data importer should conduct regular checks to ensure these measures continue to provide an appropriate level of security.
2. The data importer shall only allow access to personal data to its personnel to the extent strictly necessary for the execution, management, and monitoring of the contract. It must ensure that individuals authorized to process personal data are committed to confidentiality or are under a suitable statutory obligation of confidentiality.
3. In the event of a personal data breach involving personal data processed by the data importer under these Clauses, the data importer must take appropriate measures to address the breach, including steps to mitigate its adverse effects. The data importer must also notify the data exporter without undue delay upon becoming aware of the breach. This notification should include contact details for further information, a description of the nature of the breach (including, where possible, the categories and approximate number of data subjects and personal data records affected), its likely consequences, and the measures taken or proposed to address the breach, including, where appropriate, measures to mitigate its possible adverse effects. If it is not possible to provide all the information at once, the initial notification should include the available information, with further details provided as they become available, without undue delay.
4. The data importer must cooperate with and assist the data exporter to enable the data exporter to fulfill its obligations under Regulation (EU) 2016/679, particularly in notifying the competent supervisory authority and the affected data subjects, considering the nature of processing and the information available to the data importer.

8.7 Sensitive Data

When the transfer involves personal data that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, or biometric data used to uniquely identify an individual, as well as data concerning health, a person’s sex life or sexual orientation, or data related to criminal convictions and offenses (referred to as ‘sensitive data’), the data importer must apply the specific restrictions and/or additional safeguards outlined in Annex I.B.

8.8 Onward Transfers

The data importer may only disclose personal data to a third party based on documented instructions from the data exporter. Furthermore, data can only be disclosed to a third party located outside the European Union (either in the same country as the data importer or in another third country, referred to as ‘onward transfer’) if the third party is or agrees to be bound by these Clauses under the appropriate Module, or if:

1. The onward transfer is to a country that benefits from an adequacy decision according to Article 45 of Regulation (EU) 2016/679, which covers the onward transfer;
2. The third party otherwise ensures appropriate safeguards in accordance with Articles 46 or 47 of Regulation (EU) 2016/679 regarding the processing in question;
3. The onward transfer is necessary for the establishment, exercise, or defense of legal claims in the context of specific administrative, regulatory, or judicial proceedings; or
4. The onward transfer is necessary to protect the vital interests of the data subject or another individual.

Any onward transfer is subject to the data importer’s compliance with all other safeguards under these Clauses, particularly regarding purpose limitation.

8.9 Documentation and Compliance

1. The data importer must promptly and adequately address any inquiries from the data exporter regarding processing under these Clauses.
2. Both Parties must be able to demonstrate compliance with these Clauses. Specifically, the data importer should maintain appropriate documentation of the processing activities conducted on behalf of the data exporter.
3. The data importer must provide the data exporter with all necessary information to demonstrate compliance with the obligations outlined in these Clauses. Upon the data exporter’s request, the data importer should allow and contribute to audits of the processing activities covered by these Clauses, either at reasonable intervals or if there are signs of non-compliance. When deciding on a review or audit, the data exporter may consider relevant certifications held by the data importer.
4. The data exporter may choose to conduct the audit themselves or appoint an independent auditor. Audits may include inspections at the data importer’s premises or physical facilities and should be conducted with reasonable notice when appropriate.
5. The Parties must make the information mentioned in paragraphs (b) and (c), including the results of any audits, available to the competent supervisory authority upon request.

Clause 9 - Use of Sub-processors

1. The data importer has the data exporter’s general authorization to engage sub-processors from an agreed list. The data importer must inform the data exporter in writing of any intended changes to this list, such as adding or replacing sub-processors, at least 15 days in advance. This allows the data exporter enough time to object to these changes before the sub-processor is engaged. The data importer must provide the necessary information to enable the data exporter to exercise their right to object.
2. When the data importer engages a sub-processor to perform specific processing activities on behalf of the data exporter, it must do so through a written contract. This contract should essentially impose the same data protection obligations on the sub-processor as those binding the data importer under these Clauses, including third-party beneficiary rights for data subjects. The Parties agree that by adhering to this Clause, the data importer fulfills its obligations under Clause 8.8. The data importer must ensure that the sub-processor complies with the obligations imposed on the data importer by these Clauses.
3. Upon the data exporter’s request, the data importer must provide a copy of the sub-processor agreement and any subsequent amendments to the data exporter. To protect business secrets or other confidential information, including personal data, the data importer may redact parts of the agreement before sharing it.
4. The data importer remains fully responsible to the data exporter for the sub-processor’s performance under its contract with the data importer. The data importer must notify the data exporter of any failure by the sub-processor to meet its contractual obligations.
5. The data importer must agree to a third-party beneficiary clause with the sub-processor. This clause ensures that if the data importer disappears, ceases to exist legally, or becomes insolvent, the data exporter has the right to terminate the sub-processor contract and instruct the sub-processor to erase or return the personal data.

Clause 10 - Data Subject Rights

1. The data importer must promptly inform the data exporter of any request it receives from a data subject. It should not respond to the request itself unless authorized by the data exporter.
2. The data importer shall assist the data exporter in fulfilling its obligations to respond to data subjects’ requests to exercise their rights under Regulation (EU) 2016/679. In this context, the Parties will outline in Annex II the appropriate technical and organizational measures, considering the nature of the processing, by which assistance will be provided, as well as the scope and extent of the required assistance.
3. In fulfilling its obligations under paragraphs (a) and (b), the data importer shall comply with the instructions from the data exporter.

Clause 11 - Redress

1. The data importer shall inform data subjects in a transparent and easily accessible manner, either through individual notice or on its website, of a contact point authorized to handle complaints. It shall promptly address any complaints received from a data subject.
2. In the event of a dispute between a data subject and one of the Parties regarding compliance with these Clauses, that Party shall make every effort to resolve the issue amicably and in a timely manner. The Parties shall keep each other informed about such disputes and, where appropriate, cooperate in resolving them.
3. When the data subject invokes a third-party beneficiary right pursuant to Clause 3, the data importer shall accept the data subject’s decision to:

(i) lodge a complaint with the supervisory authority in the Member State of their habitual residence or place of work, or the competent supervisory authority pursuant to Clause 13;

(ii) refer the dispute to the competent courts as defined in Clause 18.

5. The Parties acknowledge that the data subject may be represented by a not-for-profit body, organization, or association under the conditions set out in Article 80(1) of Regulation (EU) 2016/679.
6. The data importer shall comply with a decision that is binding under the applicable EU or Member State law.
7. The data importer agrees that the choice made by the data subject will not affect their substantive and procedural rights to seek remedies in accordance with applicable laws.

Clause 12 - Liability

1. Each Party is responsible to the other Party/ies for any damages it causes due to a breach of these Clauses.
2. The data importer is liable to the data subject, who is entitled to compensation, for any material or non-material damages caused by the data importer or its sub-processor by violating the third-party beneficiary rights under these Clauses.
3. Despite paragraph (b), the data exporter is also liable to the data subject, who is entitled to compensation, for any material or non-material damages caused by the data exporter or the data importer (or its sub-processor) by breaching the third-party beneficiary rights under these Clauses. This does not affect the liability of the data exporter and, if the data exporter is a processor acting on behalf of a controller, the liability of the controller under Regulation (EU) 2016/679 or Regulation (EU) 2018/1725, as applicable.
4. The Parties agree that if the data exporter is held liable under paragraph (c) for damages caused by the data importer (or its sub-processor), it can claim back from the data importer the portion of compensation corresponding to the data importer’s responsibility for the damage.
5. If more than one Party is responsible for any damage caused to the data subject due to a breach of these Clauses, all responsible Parties are jointly and severally liable, and the data subject can take legal action against any of these Parties.
6. The Parties agree that if one Party is held liable under paragraph (e), it can claim back from the other Party/ies the portion of compensation corresponding to their responsibility for the damage.
7. The data importer cannot use the conduct of a sub-processor to avoid its own liability.

Clause 13 - Supervision

1. The supervisory authority responsible for ensuring that the data exporter complies with Regulation (EU) 2016/679 regarding data transfers, as specified in Annex I.C, will serve as the competent supervisory authority.

   If the data exporter is not based in an EU Member State but falls under the territorial scope of Regulation (EU) 2016/679 according to Article 3(2) and has appointed a representative under Article 27(1) of Regulation (EU) 2016/679: The supervisory authority of the Member State where the representative, as defined in Article 27(1) of Regulation (EU) 2016/679, is located, as specified in Annex I.C, will act as the competent supervisory authority.

   If the data exporter is not based in an EU Member State but falls under the territorial scope of Regulation (EU) 2016/679 according to Article 3(2) without needing to appoint a representative under Article 27(2) of Regulation (EU) 2016/679: The supervisory authority of one of the Member States where the data subjects, whose personal data is transferred under these Clauses in connection with the offering of goods or services to them, or whose behavior is monitored, are located, as specified in Annex I.C, will act as the competent supervisory authority.

2. The data importer agrees to submit to the jurisdiction of and cooperate with the competent supervisory authority in any procedures aimed at ensuring compliance with these Clauses. Specifically, the data importer agrees to respond to inquiries, undergo audits, and comply with the measures adopted by the supervisory authority, including remedial and compensatory actions. It will provide the supervisory authority with written confirmation that the necessary actions have been taken.

SECTION III - LOCAL LAWS AND OBLIGATIONS IN CASE OF ACCESS BY PUBLIC AUTHORITIES

Clause 14 - Local laws and practices affecting compliance with the Clauses

1. The Parties assure that they have no reason to believe that the laws and practices in the third country of destination, applicable to the processing of personal data by the data importer, including any requirements to disclose personal data or measures authorizing access by public authorities, prevent the data importer from fulfilling its obligations under these Clauses. This assurance is based on the understanding that laws and practices that respect the essence of fundamental rights and freedoms and do not exceed what is necessary and proportionate in a democratic society to safeguard one of the objectives listed in Article 23(1) of Regulation (EU) 2016/679, are not in contradiction with these Clauses.
2. The Parties declare that in providing the assurance in paragraph 1, they have duly considered the following elements:

(i) the specific circumstances of the transfer, including the length of the processing chain, the number of actors involved, and the transmission channels used; intended onward transfers; the type of recipient; the purpose of processing; the categories and format of the transferred personal data; the economic sector in which the transfer occurs; the storage location of the data transferred;

(ii) the laws and practices of the third country of destination— including those requiring the disclosure of data to public authorities or authorizing access by such authorities— relevant in light of the specific circumstances of the transfer, and the applicable limitations and safeguards;

(iii) any relevant contractual, technical, or organizational safeguards put in place to supplement the safeguards under these Clauses, including measures applied during transmission and to the processing of the personal data in the country of destination.

4. The data importer assures that, in carrying out the assessment under paragraph 2, it has made its best efforts to provide the data exporter with relevant information and agrees to continue cooperating with the data exporter to ensure compliance with these Clauses.
5. The Parties agree to document the assessment under paragraph 2 and make it available to the competent supervisory authority upon request.
6. The data importer agrees to promptly notify the data exporter if, after agreeing to these Clauses and for the duration of the contract, it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under paragraph 1, including following a change in the laws of the third country or a measure (such as a disclosure request) indicating an application of such laws in practice that is not in line with the requirements in paragraph 1.
7. Following a notification pursuant to paragraph 6, or if the data exporter otherwise has reason to believe that the data importer can no longer fulfill its obligations under these Clauses, the data exporter shall promptly identify appropriate measures (e.g., technical or organizational measures to ensure security and confidentiality) to be adopted by the data exporter and/or data importer to address the situation. The data exporter shall suspend the data transfer if it considers that no appropriate safeguards for such transfer can be ensured, or if instructed by the competent supervisory authority to do so. In this case, the data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses. If the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise. Where the contract is terminated pursuant to this Clause, Clause 16(d) and (e) shall apply.

Clause 15 - Obligations of the Data Importer in Case of Access by Public Authorities

15.1 Notification

1. The data importer agrees to promptly notify the data exporter and, where possible, the data subject (with the data exporter’s assistance if necessary) if it:

(i) receives a legally binding request from a public authority, including judicial authorities, under the laws of the destination country for the disclosure of personal data transferred under these Clauses. This notification should include details about the personal data requested, the requesting authority, the legal basis for the request, and the response provided; or

(ii) becomes aware of any direct access by public authorities to personal data transferred under these Clauses in accordance with the laws of the destination country. This notification should include all available information to the importer.

3. If the data importer is prohibited from notifying the data exporter and/or the data subject under the laws of the destination country, the data importer agrees to make its best efforts to obtain a waiver of the prohibition, aiming to communicate as much information as possible, as soon as possible. The data importer agrees to document its best efforts to demonstrate them upon the data exporter’s request.
4. Where permissible under the laws of the destination country, the data importer agrees to provide the data exporter, at regular intervals throughout the contract duration, with as much relevant information as possible on the requests received (specifically, the number of requests, type of data requested, requesting authority/ies, whether requests have been challenged, and the outcome of such challenges, etc.).
5. The data importer agrees to preserve the information according to paragraphs (a) to (c) for the contract duration and make it available to the competent supervisory authority upon request.
6. Paragraphs (a) to (c) are without prejudice to the data importer’s obligation under Clause 14(e) and Clause 16 to promptly inform the data exporter when it is unable to comply with these Clauses.

15.2 Review of Legality and Data Minimization

1. The data importer agrees to assess the legality of any disclosure request, particularly whether it falls within the authority granted to the requesting public body. If, after thorough evaluation, the data importer determines there are valid reasons to believe the request is unlawful under the destination country’s laws, international law obligations, or principles of international comity, it will challenge the request. Under the same conditions, the data importer will explore appeal options. When contesting a request, the data importer will seek temporary measures to suspend the request’s effects until a competent judicial authority rules on its validity. It will not disclose the requested personal data until required by applicable procedural rules. These requirements do not affect the data importer’s obligations under Clause 14(e).
2. The data importer agrees to document its legal evaluation and any challenges to the disclosure request. To the extent allowed by the destination country’s laws, it will make this documentation available to the data exporter and, upon request, to the competent supervisory authority.
3. The data importer agrees to provide only the minimum amount of information necessary when responding to a disclosure request, based on a reasonable interpretation of the request.

SECTION IV - FINAL PROVISIONS

Clause 16 - Non-compliance with the Clauses and termination

1. The data importer must promptly notify the data exporter if it cannot comply with these Clauses, for any reason.
2. If the data importer breaches these Clauses or cannot comply with them, the data exporter must suspend the transfer of personal data to the data importer until compliance is restored or the contract is terminated. This is without prejudice to Clause 14(f).
3. The data exporter has the right to terminate the contract, as far as it concerns the processing of personal data under these Clauses, if:

(i) the data exporter has suspended the transfer of personal data to the data importer under paragraph (b) and compliance is not restored within a reasonable time, and in any case within one month of suspension;

(ii) the data importer is in substantial or persistent breach of these Clauses; or

(iii) the data importer fails to comply with a binding decision of a competent court or supervisory authority regarding its obligations under these Clauses.

In these cases, the competent supervisory authority must be informed of such non-compliance. If the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless otherwise agreed by the Parties.

5. Personal data transferred before the termination of the contract under paragraph (c) must, at the data exporter’s choice, be immediately returned to the data exporter or deleted entirely. The same applies to any copies of the data. The data importer must certify the deletion of the data to the data exporter. Until the data is deleted or returned, the data importer must continue to ensure compliance with these Clauses. If local laws applicable to the data importer prohibit the return or deletion of the transferred personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process the data to the extent and for as long as required under that local law.
6. Either Party may revoke its agreement to be bound by these Clauses if (i) the European Commission adopts a decision under Article 45(3) of Regulation (EU) 2016/679 that covers the transfer of personal data to which these Clauses apply; or (ii) Regulation (EU) 2016/679 becomes part of the legal framework of the country to which the personal data is transferred. This is without prejudice to other obligations applying to the processing in question under Regulation (EU) 2016/679.

Clause 17 - Governing Law

These Clauses shall be governed by the law of one of the EU Member States, provided such law allows for third-party beneficiary rights. The Parties agree that this shall be the law of the Republic of France.

Clause 18 - Choice of Forum and Jurisdiction

1. Any dispute arising from these Clauses shall be resolved by the courts of an EU Member State.
2. The Parties agree that these shall be the courts of Rennes, France.
3. A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of the Member State in which they have their habitual residence.
4. The Parties agree to submit themselves to the jurisdiction of such courts.

ANNEX I - Data Import / Export

A. LIST OF PARTIES

Data Exporter:

Name: The Customer, as defined in the Jarvi Tech (Jarvi) Terms of Service or Master Service Agreement (on behalf of itself and Permitted Affiliates)

Address: The Customer’s address, as set out in the Master Service Agreement or Service Order Form

Contact person’s name, position, and contact details: The Customer’s contact details, as set out in the Master Service Agreement or Service Order Form and/or as set out in the Customer’s Jarvi Tech (Jarvi) Account

Activities relevant to the data transferred under these Clauses: Processing of Personal Data in connection with the Customer’s use of the Jarvi Tech (Jarvi) Services under the Jarvi Tech (Jarvi) Terms of Service or Master Service Agreement.

Role (controller/processor): Controller

Data Importer:

Name: Jarvi Tech (Jarvi) Inc.

Address: 10 Rue du Réage, 35510 Cesson-Sévigné,

quentin@jarvi.tech

Activities relevant to the data transferred under these Clauses: Processing on behalf of the controller (providing services)

Signature and date:

Role (controller/processor): Processor

B. DESCRIPTION OF TRANSFER

You may submit Personal Data while using the Services, the extent of which is determined and controlled by you at your sole discretion. This may include, but is not limited to, Personal Data related to the following categories of Data Subjects:

• End-customers of the data exporter
• Employees of the data exporter’s group
• Merchants of the data exporter

Categories of Personal Data Transferred

• Contact Data: name, date of birth, address, email, phone number, etc.
• Identification Data: PNO, social security number, or similar
• Payment Data: credit and debit card numbers, invoice data, bank account numbers, etc.
• Purchase Data: purchase and payment history, etc.
• Device Data: Internet Protocol (IP) address and geolocation data, etc.
• Log Data: includes contact data and device data

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully consider the nature of the data and the risks involved, such as strict purpose limitation, access restrictions (including access only for staff with specialized training), keeping a record of data access, restrictions on onward transfers, or additional security measures.

Frequency of Data Transfer

Continuous (for the duration of the service agreement (main contract))

Purpose(s) of Data Transfer and Further Processing

We will process personal data as needed to provide the services according to the Terms of Service or Master Service Agreement, as detailed in the Service Order Form, and as further directed by you in your use of the services.

Data will be retained for the duration of the agreement and for 14 days thereafter.

For workflow automation, we use Workato to execute workflows. The data retention period in Workato can be customized to your preference. It defaults to 90 days, which is also the maximum period for which data can be retained in Workato. Users also have the flexibility to choose not to store data for specific recipes if necessary; however, this is not recommended as these records assist in troubleshooting errors in recipes.

For transfers to (sub-)processors, also specify the subject matter, nature, and duration of the processing.

C. Competent Supervisory Authority

For the purposes of the Standard Contractual Clauses, the competent supervisory authority is either (i) where the customer is established in an EU Member State, the supervisory authority responsible for ensuring the customer’s compliance with the GDPR; (ii) where the customer is not established in an EU Member State but falls within the extra-territorial scope of the GDPR and has appointed a representative, the supervisory authority of the EU Member State where the customer’s representative is established; or (iii) where the customer is not established in an EU Member State but falls within the extra-territorial scope of the GDPR without having to appoint a representative, the supervisory authority of the EU Member State where the data subjects are predominantly located. In relation to personal data subject to the UK GDPR or Swiss DPA, the competent supervisory authority is the UK Information Commissioner or the Swiss Federal Data Protection and Information Commissioner (as applicable).

ANNEX II - TECHNICAL AND ORGANIZATIONAL MEASURES INCLUDING TECHNICAL AND ORGANIZATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

The Processor maintains and enforces various policies, standards, and processes designed to secure personal data and other data accessible to Processor employees, updating these policies, standards, and processes periodically in line with industry standards. Below is a description of some of the technical and organizational measures implemented by the Processor as of the date of signature:

1. General Security Procedures

1.1 The Processor is responsible for establishing and maintaining an information security program designed to: (i) protect the security and confidentiality of Personal Data; (ii) guard against anticipated threats or hazards to the security or integrity of Personal Data; (iii) prevent unauthorized access to or use of Personal Data; (iv) ensure the proper disposal of Personal Data, as further defined herein; and (v) ensure that all employees and subcontractors of the Processor, if any, comply with all of the above. The Processor shall designate an individual responsible for the information security program. This individual will respond to Controller inquiries regarding computer security and notify Controller-designated contact(s) if a breach or incident occurs, as further described herein.

1.2 The Processor shall conduct formal privacy and security awareness training for all its employees as soon as reasonably practicable after hiring and/or before being assigned to work on Personal Data, with annual recertification thereafter. Documentation of security awareness training shall be retained by the Processor, confirming that this training and subsequent annual recertification process have been completed.

1.3 The Controller shall have the right to review an overview of the Processor’s information security program before the commencement of Service and annually thereafter upon the Controller’s request.

1.4 The Processor shall not transmit any unencrypted Personal Data over the internet or any unsecured network, nor store any Personal Data on any mobile computing device, such as a laptop computer, USB drive, or portable data device, except where there is a business necessity and only if the mobile computing device is protected by industry-standard encryption software. The Processor shall encrypt Personal Data in transit into and out of the Services over public networks using industry-standard protocols.

1.5 In the event of any apparent or actual theft, unauthorized use, or disclosure of any Personal Data, the Processor shall immediately commence all reasonable efforts to investigate and correct the causes and remediate the results thereof, and without undue delay and within 72 hours following confirmation of any such event, provide the Controller notice thereof, along with any further information and assistance as may be reasonably requested. Upon the Controller’s request, remediation actions and reasonable assurance of resolution of discovered issues shall be provided to the Controller.

2. Network and Communications Security

2.1 All connections from the Processor to the Controller’s computing systems and/or networks, as well as any attempts to connect, must go through the Controller’s security gateways/firewalls and adhere strictly to the Controller-approved security procedures.

2.2 The Processor must not access, nor allow unauthorized individuals or entities to access, the Controller’s computing systems and/or networks without explicit written permission from the Controller. Any such access, whether actual or attempted, must comply with the given authorization.

2.3 The Processor must implement appropriate measures to ensure that its systems connecting to the Controller’s systems, and any content provided to the Controller through these systems, are free from any computer code, programs, mechanisms, or programming devices that could disrupt, modify, delete, damage, deactivate, disable, harm, or otherwise impede the operation of the Controller’s systems in any way.

2.4 The Processor must maintain technical and organizational measures for data protection, including: (i) firewalls and threat detection systems to identify and block malicious connection attempts, spam, viruses, and unauthorized intrusions; (ii) physical networking technology designed to withstand attacks from malicious users or code; and (iii) encryption of data in transit over public networks using industry-standard protocols.

3. Personal Data Handling Procedures

3.1 Erasure of Information and Destruction of Electronic Storage Media. All electronic storage media containing Personal Data must be wiped or degaussed for physical destruction or disposal in a manner that meets forensic industry standards, such as the NIST SP800-88 Guidelines for Media Sanitization, before leaving the Controller’s Work Area(s), except for encrypted Personal Data on portable media specifically for providing service to the Controller. The Processor must maintain commercially reasonable documented evidence of data erasure and destruction for infrastructure-level resources.

3.2 The Processor must maintain authorization and authentication technologies and processes to ensure that only authorized individuals access Personal Data, including: (i) granting access rights based on the need-to-know principle; (ii) reviewing and maintaining records of employees who have been authorized or who can grant, alter, or revoke authorized access to systems; (iii) requiring personalized, individual access accounts to use passwords that meet complexity, length, and duration requirements; (iv) storing passwords in a manner that renders them undecipherable if misused or recovered in isolation; (v) encrypting, logging, and auditing all access sessions to systems containing Personal Data; and (vi) instructing employees on safe administration methods when computers may be unattended, such as using password-protected screen savers and session time limits.

3.3 The Processor must maintain logical controls to segregate Personal Data from other data, including data from other customers.

3.4 The Processor must maintain measures to ensure separate processing of data for different purposes, including: (i) provisioning the Controller within its own application-level security domain, which creates logical separation and isolation of security principles between customers; and (ii) isolating test or development environments from live or production environments.

4. Physical Security

4.1 The Processor shall ensure that at least the following physical security requirements are met:

1. All backup and archival media containing Personal Data must be stored in secure, environmentally controlled areas owned, operated, or contracted by the Processor. These media must be encrypted.
2. Technical and organizational measures to control access to data center premises and facilities are in place, including: (i) staffed reception desks or security personnel to restrict access to identified, authorized individuals; (ii) visitor screening upon arrival to verify identity; (iii) all access doors, including equipment cages, secured with automatic locking systems and access control systems that record and retain access histories; (iv) monitoring and recording of all areas using CCTV digital cameras, motion-detecting alarm systems, and detailed surveillance and audit logs; (v) intruder alarms on all external emergency doors with one-way internal exit doors; and (vi) segregation of shipping and receiving areas with equipment checks upon arrival.
3. The Processor shall maintain measures to protect against accidental destruction or loss of Personal Data, including: (i) fire detection and suppression systems, such as a multi-zoned, dry-pipe, double-interlock, pre-action fire suppression system and a Very Early Smoke Detection and Alarm (VESDA); (ii) redundant on-site electricity generators with adequate fuel supply and contracts with multiple fuel providers; (iii) heating, ventilation, and air conditioning (HVAC) systems that ensure stable airflow, temperature, and humidity, with at least N+1 redundancy for all major equipment and N+2 redundancy for chillers and thermal energy storage; and (iv) physical systems used for data storage and transport that utilize fault-tolerant designs with multiple levels of redundancy.

5. Security Testing

5.1 During the performance of Services under the Agreement, the Processor shall, at its own expense and at least once a year, hire a third-party vendor (“Testing Company”) to conduct penetration and vulnerability testing (“Security Tests”) on the Processor’s systems that contain and/or store Personal Data.

5.2 The goal of these Security Tests is to identify any design or functionality issues in the applications or infrastructure of the Processor’s systems that contain and/or store Personal Data, which could expose the Controller’s assets to risks from malicious activities. The Security Tests will look for weaknesses in applications, network perimeters, or other infrastructure elements, as well as weaknesses in processes or technical countermeasures related to the Processor’s systems that could be exploited by a malicious party.

5.3 At a minimum, the Security Tests should identify the following security vulnerabilities: invalidated or unsanitized input; broken or excessive access controls; broken authentication and session management; cross-site scripting (XSS) flaws; buffer overflows; injection flaws; improper error handling; insecure storage; common denial of service vulnerabilities; insecure or inconsistent configuration management; improper use of SSL/TLS; proper use of encryption; and anti-virus reliability and testing.

5.4 Within a reasonable time after the Security Test has been conducted, the Processor shall address any identified issues and then, at its own expense, engage the Testing Company to perform a revalidation Security Test to ensure the resolution of the identified security issues. The results of this test shall be made available to the Controller upon request.

6. Security Audit

6.1 The Processor, along with any subcontracted entities (as applicable), must conduct an SSAE 18 (or equivalent) audit at least once a year. This audit should cover all systems and/or facilities used to provide the Service to the Controller. The results of this audit will be promptly provided to the Controller upon their written request. If, after reviewing the audit results, the Controller reasonably identifies security issues related to the Service, they will notify the Processor in writing. The Processor will then promptly discuss and, where commercially feasible, address the identified issues. Any unresolved issues will be documented, tracked, and addressed at a time agreed upon by both the Processor and the Controller.

7. Google API Disclosure

Jarvi’s use of information received from Google APIs will adhere to Google API Services User Data Policy, including the Limited Use requirements.

ANNEX III - LIST OF SUB-PROCESSORS