PREAMBLE


This Data Processing Agreement ("DPA") forms part of the Newzik Business Agreement ("Agreement") between 

The organization agreeing to the terms of the Agreement,

 (the "Customer") 

and 

SYNCSING - NEWZIK, a simplified joint-stock company with a capital of 1.404,70€, registered under number 525 205 514, registered office located at 7 avenue Ingres, 75016 Paris, France, acting through its legal representative,

(the "NEWZIK") (together as the “Parties”) 

WHEREAS 

(A)  The Customer acts as a Data Controller. 

(B)  The Customer wishes to subcontract the Service, which imply the processing of personal data, to the NEWZIK. 


(C) The Agreement and this DPA constitute Customer’s instructions to NEWZIK to Process Customer Personal Data. NEWZIK will use and Process Customer Personal Data as Customer instructs in order to deliver the Service and to fulfill NEWZIK’s obligations under the Agreement and this DPA. NEWZIK will inform Customer of any legal requirement which prevents it from complying with Customer’s instructions, unless prohibited from doing so by applicable law or on important grounds of public interest.

(D) The Parties seek to implement a data processing agreement that complies with the requirements of the current legal framework in relation to data processing and with the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation GDPR). 

(E)  The Parties wish to lay down their rights and obligations. 

DEFINITIONS AND INTERPRETATION

Unless otherwise defined, capitalized terms and expressions used in this Data Processing Agreement have the same meaning as in the GDPR, and their related terms shall be interpreted accordingly.

Processing of Customer Personal Data

NEWZIK shall: 

  • comply with all applicable Data Protection Laws in the Processing of Customer Personal Data; and 

  • not Process Customer Personal Data other than on the relevant Customer’s documented instructions. 

The Customer instructs NEWZIK to process Customer Personal Data.


NEWZIK Personnel 

NEWZIK shall take reasonable steps to ensure the reliability of any employee, agent or contractor of any Contracted Processor who may have access to the Customer Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know / access the relevant Customer Personal Data, as strictly necessary for the purposes of the Agreement, and to comply with Applicable Laws in the context of that individual's duties to the Contracted Processor, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.


Security

Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, NEWZIK shall in relation to the Customer Personal Data implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR. 

In assessing the appropriate level of security, NEWZIK shall take account in particular of the risks that are presented by Processing. 


Subprocessing

NEWZIK may appoint (or disclose Customer's Personal Data to) a Subprocessor provided that the Customer is informed. The Customer may then object to this within 15 days. When a Subprocessor processes  within the European Union (the "EU") or Personal Data of Data Subjects located in the territory of the EU (the "EU Personal Data"), NEWZIK will ensure that the Subprocessor is subject to contractual obligations regarding EU Personal Data that meet the requirements of EU Data Protection Laws.


Customer authorizes NEWZIK to use the Subcontractors listed in Exhibit 1 of this Data Processing Agreement.


Data Subject Rights


Taking into account the nature of the Processing, NEWZIK shall assist the Customer by implementing appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Customer obligations, as reasonably understood by Customer, to respond to requests to exercise Data Subject rights under the Data Protection Laws. 

NEWZIK shall: 

  • promptly notify Customer if it receives a request from a Data Subject under any Data Protection Law in respect of Customer Personal Data; and 

  • ensure that it does not respond to that request except on the documented instructions of Customer or as required by Applicable Laws to which the NEWZIK is subject, in which case NEWZIK shall to the extent permitted by Applicable Laws inform Customer of that legal requirement before the Contracted Processor responds to the request.


Personal Data relating to children

The processing of Personal Data relating to a child is lawful when the child is at least 15 years old. In accordance with Article 8 of the GDPR, when the child is under the age of 15, such processing is lawful only if and to the extent that consent is given or authorized by the holder of parental responsibility over the child. When Customer Personal Data processed by NEWZIK concerns children under the age of 15, Customer must ensure that consent is given or authorized by the holder of parental responsibility for the child. NEWZIK will use reasonable efforts to verify, in such cases, that consent is given or authorized by the holder of parental responsibility for the child, taking into account the technological means available.


Personal Data Breach

NEWZIK shall notify Customer without undue delay upon NEWZIK becoming aware of a Personal Data Breach affecting Customer Personal Data, providing Customer with sufficient information to allow the Customer to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Data Protection Laws. 

NEWZIK shall co-operate with the Customer and take reasonable commercial steps as are directed by Customer to assist in the investigation, mitigation and remediation of each such Personal Data Breach.


Data Protection Impact Assessment and Prior Consultation

NEWZIK shall provide reasonable assistance to the Customer with any data protection impact assessments, and prior consultations with Supervising Authorities or other competent data privacy authorities, which Customer reasonably considers to be required by article 35 or 36 of the GDPR or equivalent provisions of any other Data Protection Law, in each case solely in relation to Processing of Customer Personal Data by, and taking into account the nature of the Processing and information available to, the Contracted Processors.


Deletion or return of Customer Personal Data 

Subject to this section 11, NEWZIK shall promptly and in any event within 10 business days of the date of cessation of any Service involving the Processing of Customer Personal Data (the "Cessation Date"), delete and procure the deletion of all copies of those Customer Personal Data. 

NEWZIK will provide upon request a written certification to the Customer attesting that he has fully complied with the present article 11.


Audit rights

Subject to this Article 12, NEWZIK shall make available to Customer, upon request, all information necessary to demonstrate compliance with this DPA. In the event that the documentary audit proves to be insufficient, Customer may carry out inspections by Customer or an auditor mandated by Customer in connection with the Processing of Customer's Personal Data by contractual subprocessor. The performance of on-site audits is limited to one audit per year, subject to one month's notice and at the sole expense of the Customer.

Information and audit rights of the Customer only arise under section 12 to the extent that the DPA does not otherwise give them information and audit rights meeting the relevant requirements of Data Protection Law.


Data Transfer

Customer authorizes NEWZIK to transfer the Personal Data processed under this Data Processing Agreement to a country outside the EEA provided that sufficient safeguards are in place. If Personal Data processed under this Data Processing Agreement is transferred from an EEA country to a country outside the EEA, the parties will ensure that the Personal Data is adequately protected. In doing so, the Parties will rely, unless otherwise agreed, on the standard contractual clauses approved by the EU for the transfer of Personal Data.


General Terms

Confidentiality. Each Party must keep this DPA and information it receives about the other Party and its business in connection with this DPA confidential and must not use or disclose that confidential information without the prior written consent of the other Party except to the extent that: 

  • disclosure is required by law; 

  • the relevant information is already in the public domain. 

Notices. All notices and communications given under this DPA must be in writing and will be delivered personally, sent by post or sent by email to the address or email address set out in the Order Form at such other address as notified from time to time by the Parties changing address.



Governing Law and Jurisdiction


Unless otherwise provided, this DPA herein is governed by the laws of France. In the event of a dispute concerning their implementation, execution or interpretation, and in the absence of an amicable settlement, the competent courts are the French courts.


Exhibit 1

Details of Processing


  1. Subject Matter of the Personal Data Processing: The provision of the Service by NEWZIK to Customer. 

  2. Duration of the Personal Data Processing: the Term as defined in the Agreement, and any period after the Term prior to NEWZIK’s deletion of Customer Data.

  3. Purpose and nature of the Processing of Personal Data:

NEWZIK uses the Data for the following purposes:

  1. to give access to and provide the Service in accordance with the Agreement, including any updates and information about the Service;

  2. to process and manage subscriptions and to keep the Users informed;

  3. to analyze usage in order to improve the experience of the Service and other products and services provided by NEWZIK;

  4. to host the Data and protect and ensure the proper functioning of the Service;

  5. to comply with NEWZIK's legal obligation and to make the rights effective and enforce ours in the courts.

The Customer's Data are processed because they are necessary: (i) for the provision of the Service by NEWZIK, in accordance with the Agreement, (ii) according to NEWZIK's legitimate interest in informing its customers, ensuring the security of the Service and performing analyses to improve the Service (iii) to comply with a legal obligation to which NEWZIK is a party.

  1. Categories of Personal Data: NEWZIK processes only the Data strictly necessary for its purposes. To the extent that Customer Data contains Personal Data, it may include User identification information including contact information, e-mail address and usage data (online and offline) in electronic form stored or transmitted by the Customer or Users via the Service.

  2. Data Subjects: To the extent that the Customer's Data contains Personal Data, it may concern the Customer's Users, or any other person whose information is stored by the Customer in the stored Data.

  3. Authorized Subprocessor: In order to provide the Customer and the Users with the Service, NEWZIK uses the following Subprocessor:




Subprocessor

Service

Usage

Location

Amazon Web Services Inc.

IaaS Provider

Data Storage

EU

FreshWorks Inc.

SaaS Provider

Support service 

USA

HubSpot Inc. 

SaaS Provider

CRM Platform

EU

The Rocket Science Group LLC (Mailchimp) 

SaaS Provider

Communication with Users

USA

Google LLC

SaaS Provider

Internal tools, analytics and crash reporting (Firebase)

USA/EU

Microsoft

SaaS Provider

Error reporting and performance monitoring

EU

Apple Inc.

Authentication provider

Third-party identity provider

USA/EU

Facebook

SaaS and authentication provider

Third-party identity provider and analytics

USA/EU

Stripe, Inc.

Payment provider

Online payment

USA/EU