1. Introduction
The purpose of the Data Protection Agreement (hereinafter the “Agreement“) is to govern the use of the personal data of customers (hereinafter the “Customer“) of GROWSTER (hereinafter the “Processor“) using its Surfe (app) service (hereinafter the “Service“).
2. Definitions
All terms relating to the applicable personal data protection regulations used in the Agreement are defined in Article 4 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (hereinafter “GDPR“).
3. Role of the Parties
Under the Agreement, the Customer acts as the personal data controller and the Processor acts as the processor within the meaning of Article 28 of the GDPR (hereinafter, together, the “Parties“).
4. Contractual documents and duration
The Agreement, which is an indivisible appendix to the contract signed between the Customer and the Processor for the use of the Service (hereinafter the “Contract“), shall apply for the entire duration of the existing contractual relationship between the Parties.
In the event of any contradiction between the Contract concluded for the use of the Service and the Agreement, the obligations set out in the Agreement shall take precedence over the Contract with regard to the applicable data protection rules.
5. Declarations and undertakings
The Processor declares that it complies with all the rules applicable to the protection of personal data and provides sufficient guarantees to meet the requirements of the GDPR in the context of the provision of the Service.
The Processor declares that all internal or external staff who are required to process the Customer’s personal data are bound by a confidentiality clause, an information systems charter or any other binding legal document and receive regular training and awareness-raising.
The Processor declares that the Service has been created in compliance with the rules of “Privacy by design” and “Privacy by default” and therefore that the Service is accompanied by functionalities enabling the Customer to comply with its obligations as data controller.
6. Documented instructions
The Processor undertakes to use the Customer’s personal data in connection with the use of the Service only on the Customer’s documented instructions.
The list of processing operations carried out is detailed in the appendix or provided at the Customer’s request.
7. Security
The Processor undertakes to guarantee the security of the Customer’s personal data and to implement all the technical and organisational measures necessary for its Service.
All the technical and organisational security measures are detailed in the appendix hereto or are supplied at the Customer’s request.
8. Personal data breach
The Processor undertakes to notify the Customer, in accordance with the obligations set out in Article 28 of the GDPR, as soon as possible after becoming aware of any personal data breach which may affect the Customer’s personal data.
The Processor undertakes to communicate, as soon as possible after becoming aware of it, all the necessary and required information in its possession to mitigate the effects of the personal data breach and to enable the Customer to take the appropriate safeguarding and protection measures.
Unless the Parties agree otherwise, the Processor is not authorised to notify personal data breaches to the relevant supervisory authority or to inform, on behalf of the Customer, the persons concerned by the processing carried out under the Contract.
9. Help and assistance
The Processor shall provide the Customer, upon written request, with all necessary and required information on the technical and organisational security measures implemented to guarantee the security of the Customer’s personal data.
The Processor shall provide the Customer, upon written request, with all the information necessary and required for a data protection impact assessment (“DPIA”) to be carried out.
The Processor undertakes to notify the Customer, as soon as possible after becoming aware of it, of any request from a data subject that it receives concerning the Customer’s personal data.
The Processor shall provide the Customer, upon written request, with all necessary and required information to enable the Customer to fulfil its obligation to act on requests from the persons concerned.
The Processor shall, at the Customer’s written request, carry out the actions required so that the Customer can fulfil its obligation to comply with the requests of the persons concerned.
10. Liability
The Processor shall never be liable for any use of the Service by the Customer that does not comply with the rules applicable to the protection of personal data.
The Processor is not obliged to handle data subject rights requests in place of and on behalf of the Customer. Any additional request for such handling may be refused and, where appropriate, charged for as an additional service.
The Processor is not obliged to ensure or audit the Customer’s security or to carry out DPIAs in place of and on behalf of the Customer. Any request going beyond the provision of information may be refused and, where appropriate, charged for as an additional service.
11. Sub-processors
The Customer accepts that the Processor may engage Sub-processors as part of the performance of the Agreement, provided that it informs the Customer, by any means, of any changes concerning these Sub-processors occurring during the performance of the Agreement and remains responsible for the actions of its Sub-processors under the Agreement.
The Processor undertakes to engage only Sub-processors that offer the necessary and sufficient guarantees to ensure the security and confidentiality of the Customer’s personal data.
The Processor undertakes to monitor its Sub-processors and to ensure that the contract entered into with each Sub-processor used as part of the Service contains obligations similar to those set out in the Agreement.
The Customer may object, by registered letter with acknowledgement of receipt, i) if the Sub-processor is one of its competitors, ii) if the Customer and the Sub-processor are in a pre-litigation or litigation situation, or iii) if the Sub-processor has been sanctioned by a data protection supervisory authority in the year of its engagement.
The Processor has 6 months from receipt of the objection to replace the Sub-processor.
12. Retention and deletion of personal data
The Processor shall delete the Customer’s personal data at the end of the period of performance of the Contract entered into in connection with the use of the Service. The Customer agrees that the Processor may, where technically possible, anonymise the Customer’s personal data for statistical purposes.
The Processor shall certify to the Customer, upon written request, that its personal data and all existing copies thereof have been effectively deleted.
The Customer must retrieve its personal data before the end of the Agreement. Failing this, the Customer may no longer retrieve its personal data, as the deletion of personal data is irreversible.
The Customer remains solely responsible for the loss of its personal data following the deletion of data at the end of the Agreement.
13. Audits
The Customer has the right to carry out an audit in the form of a written questionnaire once a year to verify compliance with this Agreement. The questionnaire shall have the force of a sworn undertaking binding on the Processor.
The questionnaire may be sent in any form to the Processor, who undertakes to reply within a maximum of two months of receiving it.
The Customer also has the right to carry out an audit at the Processor’s premises, at its own expense, once a year, solely in the event of a data breach or proven and demonstrated failure to comply with the applicable data protection rules and this Agreement.
An audit at the Processor’s premises may be carried out either by the Customer or by an independent third party appointed by the Customer and must be notified to the Processor in writing at least thirty (30) days before the audit is carried out.
The Processor has the right to refuse the choice of the independent third party if the latter is i) a competitor or ii) in pre-litigation or litigation with the Processor. In this case, the Customer undertakes to choose a new independent third party to carry out the audit.
The Processor may refuse access to certain areas for reasons of confidentiality or security. In this case, the Processor will carry out the audit in these areas at its own expense and will communicate the results to the Customer.
In the event of a discrepancy being identified during the audit, the Processor undertakes to implement, without delay, the necessary measures to comply with this Agreement.
14. Data transfers outside the European Union
The Processor undertakes to take all necessary steps not to transfer the Customer’s personal data outside the European Union and not to engage Sub-processors located outside the European Union.
Nevertheless, in the event that such transfers prove necessary within the framework of the Service, the Processor undertakes to implement all required mechanisms to regulate these transfers, including, in particular, entering into standard contractual clauses (“SCCs”) adopted by the European Commission.
15. Cooperation with supervisory authorities
Where this concerns processing carried out under the Agreement, the Processor undertakes to provide, on request, all the information necessary for the Customer to cooperate with the competent supervisory authority.
16. Contact
The Customer and the Processor shall each appoint a contact person to be responsible for this Agreement, who shall be the addressee of the various notifications and communications to be made under the Agreement.
The Processor informs the Customer that it has appointed Dipeeo SAS as its Data Protection Officer, who can be contacted at the following address:
17. Review
The Processor reserves the right to amend this Agreement in the event of changes to the rules applicable to the protection of personal data which would have the effect of amending any of its provisions.
18. Applicable law and jurisdiction
This Agreement is governed by French law. Any dispute relating to the performance of this Agreement shall fall within the exclusive jurisdiction of the courts within the jurisdiction of the Court of Appeal of the place where the Processor is domiciled.
Customer
Company:
Name:
Position:
Signature:
Processor
Company: Growster (Surfe)
Name: Eric DIDIER
Position: CCO
Signature:
Annexes to the Data Protection Agreement
Annex 1 – Purposes of processing

| Purpose | Legal basis | Persons concerned |
|---|---|---|
| CRM enrichment: acquiring email addresses | Performance of the contract with the Customer | Leads |
| Data enrichment: acquisition of telephone numbers | Performance of the contract with the Customer | Leads |
| Data enrichment by scraping lead information on LinkedIn (only public data is scraped) | Performance of the contract with the Customer | Leads |
| Managing the Google Chrome extension | Performance of the contract with the Customer | Leads |
| Transfer of LinkedIn data to users’ CRMs and synchronisation | Performance of the contract with the Customer | Leads |
| Alerting/notifying opted-out leads who have requested to stop prospecting | Performance of the contract with the Customer | Leads |
| Hosting of lead databases | Performance of the contract with the Customer | Leads |
| Security and maintenance of the Surfe platform | Performance of the contract with the Customer | Leads |
Annex 2 – Categories of personal data and retention periods

| Data category | Period of use (active base) | Archiving for limitation-period purposes | Anonymisation for statistical purposes |
|---|---|---|---|
| Lead identification data (surname, first name) | Duration of relationship with Surfe | Deletion after termination of the relationship with the Customer | Anonymisation for statistical purposes |
| Contact details (email and telephone) of leads | Duration of relationship with Surfe | Deletion after termination of the relationship with the Customer | Anonymisation for statistical purposes |
| Data relating to the professional life of leads (e.g. company concerned, department, etc.) | Duration of relationship with Surfe | Deletion after termination of the relationship with the Customer | Anonymisation for statistical purposes |
Annex 3 – Security measures
Surfe takes security very seriously. Our team has implemented security best practices at every level.

Technical security measures
- ISO 27001 certification
- Annual penetration testing
- Antivirus on GROWSTER team terminals
- No storage of passwords
- Encryption of the “user” database at rest and in transit
- Passwords for GROWSTER team terminals changed frequently
- HTTPS protocol, access traceability
- CRM SSO
- Two-factor authentication on the third-party services Surfe uses
- Every computer running Surfe development tools is secured and kept up to date
- Our databases are backed up every day
- Our network is protected with firewalls
- Our system runs automated monitoring that makes us aware of issues before they affect our customers
- Server authentication using protected SSH keys (direct password authentication is not possible)
- Abusive IPs are automatically banned or rate-limited (prevents brute-force attacks on accounts)
- All traffic is encrypted (TLS)
- Our databases are encrypted at rest
- CRM tokens of our users have an additional layer of encryption

Organisational security measures
- Access badges, locked offices, information systems charter
- Password management policy
- Information systems security policy
- Team awareness and training twice a year; video surveillance on the premises
- Employees who can access customer data via our internal system have different security levels. We make sure they only have access to relevant data (i.e. no chat messages, no end-customer data).
- All servers and services run the latest security updates and are patched immediately when a kernel vulnerability is published
- Servers are located in France
Annex 4 – Sub-processors and transfers

| Purpose | Sub-processor | Server location | Transfers | Appropriate safeguards |
|---|---|---|---|---|
| SSO authentication | Google | France | No transfers outside the EU | No appropriate safeguards required |
| Hosting | AWS | France | No transfers outside the EU | No appropriate safeguards required |
| Hosting of user databases | AWS | France | No transfers outside the EU | No appropriate safeguards required |
| Technical notifications for users of the Surfe platform | Customer.io | European Union | No transfers outside the EU | No appropriate safeguards required |
| Support via chat or chatbot | Intercom | United States | Transfers to the USA | Standard contractual clauses |
| Use of CDN servers to improve the performance of the Surfe platform | Cloudflare | European Union | No transfers outside the EU | No appropriate safeguards required |
| Technical logging and monitoring | Datadog | France | No transfers outside the EU | No appropriate safeguards required |
| Generative AI | OpenAI | United States | Transfers to the United States | Standard contractual clauses |