The aim of the Data Protection Agreement (hereinafter “DPA”) is to regulate the use of personal data of the client, which acts as a data controller (hereinafter “Client”), by Surfe, which acts as a processor (hereinafter “Processor”) within the framework of the Agreement (hereinafter “Agreement”).
The Processor undertakes and certifies that it complies with all provisions of the applicable data protection rules, which include the General Data Protection Regulation (hereinafter the “GDPR”; Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data) and the French Data Protection Act (Law no. 78-17 of 6 January 1978 on information technology, files and freedoms). The Processor declares to offer all the sufficient safeguards to meet the requirements of the applicable data protection rules and, more particularly, to guarantee the confidentiality and protection of the Client’s data.
The Processor declares and undertakes to only use the Client’s data on its documented instructions described in the Agreement.
The Client undertakes to inform the Processor of any modification of the instructions that may be done regarding the use of its personal data. The Processor must notify the Client, in writing and without delay, if the latter’s documented instructions constitute a breach of the applicable data protection rules.
The Processor declares and certifies that all of its employees who process the Client’s personal data are bound by a confidentiality clause or by any other legal act that guarantees the confidentiality of the Client’s personal data. The Processor undertakes to regularly train its collaborators on the applicable data protection rules.
The Processor certifies and undertakes to guarantee the security of the Client’s personal data and to implement all technical and organisational measures required to prevent any risk of data breach.
6. Data breach
The Processor undertakes to notify the Client, at the latest without delay after having become aware of it, of any data breach that may affect the Client’s personal data. The notification must specify all information necessary for the Client to process the data breach described in Article 28 of the GDPR. In the event of a data breach, the Processor undertakes to take all required measures to remedy the impact of the data breach. Unless the Client has given its express, prior and written consent, the Processor is not authorised to notify data breaches to the supervisory authority or to the persons concerned by the processing carried out under the Agreement.
7. Help and assistance regarding security
The Processor shall provide the Client with all necessary and required information on the technical and organisational security measures to be implemented under the Agreement to guarantee its personal data security. The Processor shall provide the Client, upon written request, with all the necessary and required information to ensure that a privacy impact assessment (“PIA”) is carried out. The Processor does not have to ensure or monitor the Client’s security or to carry out a PIA on behalf of the Client. Any additional request to provide information may be refused, and if necessary, an additional service can be charged.
8. Help and assistance regarding the rights of the data subjects
The Processor shall provide the Client, upon written request, with all necessary and required information to enable the Client to fulfill its obligation to comply with the requests of the concerned persons. The Processor executes, upon written request from the Client, the technical actions to undertake in order for the Client to fulfill its obligation to comply with the requests of the persons concerned. However, the Processor does not have to handle requests for the rights of individuals in place of and on behalf of the Client. Any additional request to ensure such management may be refused and, if necessary, an additional service could be charged.
9. Sub Processor
The Client agrees that the Processor may recruit Sub Processors solely for the purpose of performing the Agreement provided that the Processor informs the Client of any modification to its Sub Processors so that the Client may object to those. The Processor undertakes to only recruit Sub Processors with necessary and sufficient safeguards to ensure the security and confidentiality of the Client’s personal data. The Agreement between the Processor and the Sub Processor shall contain similar obligations to those set out in this Agreement. The Client may object by registered letter with acknowledgement of receipt if (i) the Sub Processor is a competitor of the Client, (ii) the Client and the Sub Processor are in a pre-litigation or litigation situation, and (iii) the Sub Processor has been convicted by a data protection supervisory authority within one year of its recruitment by the Processor. Each of these situations must be demonstrated. In the absence of an undertaking by the Processor to modify the Sub Processor within three months from receiving the objection, the Client may terminate the Agreement subject to prior notice of six (6) months and without compensation. In any event, the Processor shall remain liable for the actions of the Sub Processor under the Agreement.
10. Fate of personal data
The Client shall inform the Processor, in writing and at the latest one month before the end of the Agreement, of its choice (option 1) to return the personal data to the Processor and then to erase the personal data and all existing copies, or (option 2) to erase the personal data and all existing copies directly, or (option 3) to transfer the personal data to a new provider and then to delete the personal data and all existing copies. Unless otherwise provided in the Agreement, option 3 must be subject to an estimate by the Processor. If the Client fails to inform the Processor of its choice within the specified period, the Processor reserves the right to erase the data and all copies directly (option 2). The Processor shall attest in writing to the Client that the personal data and all copies thereof have been effectively erased.
The Client shall have the right to carry out an audit in the form of a written questionnaire once a year to verify compliance with this Agreement. The questionnaire shall have the force of a sworn statement binding on the Processor. The questionnaire may be transmitted in any form to the Processor, who undertakes to reply to it within a maximum of two months of its receipt. The Client shall also have the right to carry out an on-site audit, at its own expense, once a year only in the event of a data breach or non-compliance with the applicable data protection rules and this Agreement, including as established by the written questionnaire. An on-site audit may be conducted either by the Client or by an independent third party appointed by the Client and must be notified to the Processor in writing at least thirty (30) days prior to the audit. The Processor shall have the right to refuse the choice of the independent third party if the latter is (i) a competitor or (ii) in pre-litigation or litigation with it. In this case, the Client undertakes to select a new independent third party to carry out the audit. The Processor may refuse access to certain areas for confidentiality or security reasons. In this case, the Processor shall carry out the audit in these areas at its own expense and report the results to the Client. In the event of any discrepancy during the audit, the Processor undertakes to implement, without delay, the necessary measures to comply with this Agreement.
12. Transfers of personal data outside the European Union
The Processor certifies and undertakes to do everything necessary not to transfer the Client’s personal data outside the European Union and not to recruit any Sub Processor located outside the European Union. Nevertheless, if such transfers appear necessary regarding the Agreement, the Processor certifies and declares that it will implement all the required mechanisms to govern those transfers, in particular by entering into binding corporate rules (“BCR”) or standard data protection clauses adopted by the European Commission.
13. Cooperation with the supervisory authorities
Regarding processing implemented under the Agreement, the Processor undertakes to provide, on request, all the necessary information for the Client to cooperate with the competent supervisory authority.
The Client and the Processor shall each appoint an interlocutor who is in charge of this Agreement and who is the recipient of the various notifications and communications to intervene under the Agreement. If a Data Protection Officer (“DPO”) has been appointed by the Client and/or the Processor, the interlocutor will necessarily be the Data Protection Officer.
In case of the nullity of the Agreement, regardless of the cause, the Client has to communicate to the Processor, in writing, within a period of one month from the pronouncement of the nullity, its decision regarding its data fate, in accordance with Article 10 of this Agreement.
The Client reserves the right to amend this Agreement in the event of modifications in the applicable data protection rules which would have the effect of modifying one of its provisions.
17. Applicable law
Notwithstanding anything to the contrary contained in the Agreement, this Agreement is subject to French law. Any dispute relating to the performance of this Agreement shall be subject to the exclusive jurisdiction of the courts within the jurisdiction of the Court of Appeal of the Client’s place of residence.
Appendix 1 – Security Measures
Surfe takes security very seriously. Our team has implemented security best practices at every level.
Security Practices In Our Team
Surfe does not sell any client’s data and our policy is to respect our User’s data privacy. Our business model is based on paid Surfe subscriptions.
- Two Factor Authentication is used on third-party services Surfe uses
- Every computer running Surfe development tools is secured and up to date
- Employees that can access customer data via our internal system have different security levels. We make sure they only have access to relevant data (i.e. no chat messages, no end-customer data).
- Surfe employee computers are not storing customer data
- We do not keep any servers or security keys in our offices. This way we make sure that Surfe’s and Users’ data is not at risk in case of an intrusion into our offices.
Infrastructure & Data security
Here are some of our practices in terms of infrastructure & data management:
- All servers and services run the latest security updates and are patched immediately when a kernel vulnerability is published
- Servers are located in France
- Our databases are backed up every day
- Our network is protected with firewalls
- Our system runs an automated monitoring system allowing us to be aware of issues before those affect our customers
- Server authentication using protected SSH keys (direct password authentication is not possible)
- Abusive IPs are automatically banned or rate-limited (prevents brute-force attacks on accounts)
- All traffic is encrypted (TLS)
- Our databases are encrypted at rest
- CRM tokens of our users have another layer of encryption
Appendix 2 – Vendors
- AWS: Cloud provider
- Axeptio: Cookie banner
- ChartMogul: Financial dashboard with key metrics and customer cohorts
- Customer.io: Email sequences and newsletter to users
- Datadog: Server log analyser
- GitHub: Code versioning and sharing
- Google Workspace: Email and Drive services
- Intercom: Customer Success platform
- Pipedrive: CRM
- Stripe: Payment service provider