Our data processing agreement. Please consult our privacy policy as well.
Definitions and Interpretation
Unless otherwise defined herein, capitalised terms and expressions used in this Agreement shall have the following meaning:
“Customer Personal Data” means any Customer Content that is Personal Data and protected by applicable privacy law(s).
“Data Protection Laws” means EU Data Protection Laws and, to the extent applicable, the data protection or privacy laws of any other country;
“DPA” means this Data Processing Agreement and all Schedules;
“EEA” means the European Economic Area;
“EU Data Protection Laws” means EU Directive 95/46/EC, as transposed into domestic legislation of each Member State and as amended, replaced or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR;
“GDPR” means EU General Data Protection Regulation 2016/679;
“Services” means the services and digital platform provided and operated by PolicyMate and used by Customer as defined in the Agreement.
“Subprocessor” means any person appointed by or on behalf of PolicyMate to process Personal Data on behalf of Customer in connection with the Agreement.
The terms, “Commission”, “Controller”, “Data Subject”, “Member State”, “Personal Data”, “Personal Data Breach”, “Processing” and “Supervisory Authority” shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly.
Processing of Customer Personal Data
The parties acknowledge that with regard to the processing of Customer Personal Data, Customer shall be the Controller and PolicyMate shall process Customer Personal Data as a Processor on behalf of Customer.
PolicyMate will process Customer Personal Data only in accordance with Customer's documented instructions and will not process Customer Personal Data for its own purposes, except as set out in this DPA or where required by applicable law. The Agreement, including this DPA, along with Customer’s configuration of any settings or options in the Services (as Customer may be able to modify from time to time), constitute Customer’s complete and final instructions to PolicyMate regarding the Processing of Customer Personal Data. Additional Processing instructions (if any) require prior written agreement between the parties.
Each party shall comply with its obligations under Applicable Privacy Law(s) in respect of any Customer Personal Data it Processes under or in connection with the Services or this DPA. Without prejudice to the foregoing, Customer is responsible for determining whether the Services are appropriate for the storage and processing of Customer Personal Data under Applicable Privacy Law(s) and for the accuracy, quality and legality of the Customer Personal Data and the means by which it acquired Customer Personal Data. Customer further agrees that it has provided notice and obtained all consents, permissions and rights necessary for PolicyMate and its Subprocessors to lawfully process Customer Personal Data for the purposes contemplated by the Agreement (including this DPA).
PolicyMate shall promptly notify Customer if it makes a determination that Customer's instructions infringe Applicable Privacy Law(s) (but without obligation to actively monitor Customer's compliance with Applicable Privacy Law(s)) and in such event, PolicyMate shall not be obligated to undertake such Processing until such time as the Customer has updated its processing instructions and PolicyMate has determined that the incidence of non-compliance has been resolved.
Details of Data Processing:
Subject matter: The subject matter of the data processing under this DPA is the Customer Personal Data.
Duration: As between Customer and PolicyMate, the duration of the processing is the term of the Agreement plus any period after the termination or expiry of the Agreement during which PolicyMate will process Customer Personal Data in accordance with the Agreement, including this DPA.
Purpose: PolicyMate will process Customer Personal Data as necessary to perform the Services pursuant to the Agreement, as further instructed by Customer in its use of the Services.
Nature of the processing: The provision of the Services as described in the Agreement and initiated by the Customer from time to time.
Types of Customer Personal Data: Customer Personal Data uploaded to the Services under Customer's PolicyMate account.
Categories of data subjects: The data subjects could include Customer's employees, consultants, agents and third parties authorised to use the Services as "Users" under Customer's PolicyMate account and any other data subjects whose personal data is submitted to PolicyMate by Customer through the Services.
PolicyMate Personnel
PolicyMate shall take reasonable steps to ensure the reliability of any employee, agent or contractor of any Subprocessor who may have access to the Customer Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know / access the relevant Customer Personal Data, as strictly necessary for the purposes of the Agreement, and to comply with applicable law in the context of that individual’s duties to the Subprocessor, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.
Security
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, PolicyMate shall in relation to the Customer Personal Data implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR.
In assessing the appropriate level of security, PolicyMate shall take account in particular of the risks that are presented by Processing, in particular from a Personal Data Breach.
Subprocessing
Customer grants PolicyMate a general authorization to subcontract the processing of Customer Personal Data to a Subprocessor, including those Subprocessors listed at https://policymate.eu/page/subprocessor-list (or such other successor URL) ("Subprocessor List").
If PolicyMate engages a new or replacement Subprocessor, PolicyMate will:
update the Subprocessor List;
impose substantially the same data protection terms on any Subprocessor it engages as contained in this DPA (including data transfer provisions, where applicable); and
remain liable to Customer for any breach of this DPA caused by an act, error or omission of such Subprocessor.
If Customer elects to be notified in writing 10 days prior to PolicyMate engaging a new or replacement Subprocessor, Customer must subscribe to such notifications via the customer notification portal.
Customer may object to PolicyMate’s appointment of any new or replacement Subprocessor promptly in writing within thirty (30) days after receipt of notice in accordance with the foregoing and on reasonable grounds related to Subprocessor's ability to comply with Applicable Privacy Law(s). In such case, the parties shall discuss Customer’s concerns in good faith with a view to achieving a commercially reasonable resolution. If the parties cannot reach such resolution, PolicyMate shall have the right, at its sole discretion, to either not appoint the disputed Subprocessor, or permit Customer to suspend or terminate the applicable Order and/or the Agreement. These procedures are Customer’s exclusive remedy and PolicyMate’s entire liability for resolving Customer’s objections to PolicyMate’s appointment of Subprocessors under this DPA.
Data Subject Rights
Taking into account the nature of the Processing, PolicyMate shall assist Customer by implementing appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of Customer obligations, as reasonably understood by Customer, to respond to requests to exercise Data Subject rights under the Data Protection Laws.
PolicyMate shall:
promptly notify Customer if it receives a request from a Data Subject under any Data Protection Law in respect of Customer Personal Data; and
ensure that it does not respond to that request except on the documented instructions of Customer or as required by applicable law to which PolicyMate is subject, in which case PolicyMate shall to the extent permitted by applicable law inform Customer of that legal requirement before the Subprocessor responds to the request.
Personal Data Breach
PolicyMate shall notify Customer without undue delay upon PolicyMate becoming aware of a Personal Data Breach affecting Customer Personal Data, providing Customer with sufficient information to allow Customer to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Data Protection Laws.
PolicyMate shall co-operate with Customer and take reasonable commercial steps as are directed by Customer to assist in the investigation, mitigation and remediation of each such Personal Data Breach.
Data Protection Impact Assessment and Prior Consultation
PolicyMate shall provide reasonable assistance to Customer with any data protection impact assessments, and prior consultations with Supervising Authorities or other competent data privacy authorities, which Customer reasonably considers to be required by article 35 or 36 of the GDPR or equivalent provisions of any other Data Protection Law, in each case solely in relation to Processing of Customer Personal Data by, and taking into account the nature of the Processing and information available to, Subprocessors.
Deletion or return of Customer Personal Data
Subject to this section 9, PolicyMate shall promptly and in any event within 10 business days of the date of cessation of any Services involving the Processing of Customer Personal Data (the “Cessation Date”), delete and procure the deletion of all copies of those Customer Personal Data.
Audit rights
Subject to this section 10, PolicyMate shall make available to Customer on request all information necessary to demonstrate compliance with the Agreement, including this DPA, and shall allow for and contribute to audits, including inspections, by Customer or an auditor mandated by Customer in relation to the Processing of the Customer Personal Data by Subprocessors.
Information and audit rights of Customer only arise under section 10.1 to the extent that the Agreement does not otherwise give them information and audit rights meeting the relevant requirements of Data Protection Law.
Data Transfer
PolicyMate may not transfer or authorize the transfer of Data to countries outside the EU and/or the European Economic Area (EEA) without the prior written consent of Customer. If personal data processed under the Agreement, including this DPA, is transferred from a country within the European Economic Area to a country outside the European Economic Area, the Parties shall ensure that the personal data are adequately protected. To achieve this, the Parties shall, unless agreed otherwise, rely on EU approved standard contractual clauses for the transfer of personal data.
Notices
All notices and communications given under this DPA must be in writing and will be delivered personally, sent by post or sent by email to the address or email address set out in the heading of this DPA or otherwise in the Agreement or at such other address as notified from time to time by the Parties.
Governing Law and Jurisdiction
This DPA is governed by the laws of France.
Any dispute arising in connection with this DPA, which the Parties will not be able to resolve amicably, will be submitted to the exclusive jurisdiction of the courts of France.