
Last Modified: September 2023

WIIISDOM SAAS TERMS AND CONDITIONS

WIIISDOM (“LICENSOR” OR “WE”) WILL PROVIDE CERTAIN SERVICES TO YOU AS THE COMPANY, OR THE LEGAL ENTITY (REFERENCED BELOW AS “YOU” OR “YOUR” OR “CUSTOMER”) THAT ENTERS INTO A WRITTEN SUBSCRIPTION QUOTATION, ORDER FORM OR SIMILAR DOCUMENT WITH LICENSOR THAT REFERENCES THIS AGREEMENT ONLY ON THE CONDITION THAT YOU ACCEPT ALL OF AND EXCLUSIVELY THE TERMS OF THIS AGREEMENT (“AGREEMENT”), TO THE EXCLUSION OF YOUR PURCHASING TERMS AND CONDITIONS. READ THE TERMS AND CONDITIONS OF THIS AGREEMENT CAREFULLY BEFORE PURCHASING ANY SERVICES FROM LICENSOR. THIS IS A LEGAL AND ENFORCEABLE CONTRACT BETWEEN YOU AND LICENSOR. BY ENTERING INTO A WRITTEN SUBSCRIPTION QUOTATION, ORDER FORM OR SIMILAR DOCUMENT WITH LICENSOR THAT REFERENCES THE AGREEMENT BELOW, YOU AGREE TO BE BOUND BY THE TERMS AND CONDITIONS OF THIS AGREEMENT.

FOR THE SAKE OF CLARITY, IF YOU ARE ENTERING INTO THIS AGREEMENT ON BEHALF OF (AND FOR USE ON BEHALF OF) A COMPANY OR OTHER ENTITY (A “CORPORATE ENTITY”), YOU REPRESENT THAT YOU HAVE THE AUTHORITY TO BIND SUCH CORPORATE ENTITY TO THE TERMS OF THIS AGREEMENT AND YOU ACKNOWLEDGE THAT THE TERM “YOU” OR “CUSTOMER” REFERENCED BELOW REFERS TO SUCH CORPORATE ENTITY.

Licensor and Customer shall herein be referred to each as a “Party” and collectively as the “Parties”.  In consideration of the mutual promises and covenants contained in this Agreement, and for other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, the Parties agree as follows:

1. DEFINITIONS

1.1 Affiliates means any corporation, partnership or other entity now existing or hereafter organized that directly or indirectly controls, is controlled by or under common control with a Party.  For purposes of this definition “control” means the direct possession of a majority of the outstanding voting securities of an entity.

1.2 Confidential Information has the meaning given to it in Section 4.1.

1.3 Customer means the person or entity that enters into an Order Form, or similar ordering document with Licensor that expressly references this Agreement.

1.4 Customer Data means all Data made available by the Customer or its Users to Licensor or otherwise provided by Customer or its Users in connection with the provision of the Services.

1.5 Data means text, information, images, documents, materials, photos, audio, video, and all other forms of data or communication.

1.6 Documentation means the documentation for the Subscription Service generally supplied by Licensor to assist its customers in the use of the Subscription Service, including user and system administrator guides and manuals and other written materials.

1.7 Licensor Data means all Data made available by Licensor to Customer in connection with the Customer’s use or performance of the Services.

1.8 Losses has the meaning given to it in Section 9.1.

1.9 Order Form means each quotation, order form or similar ordering document signed by Customer which references this Agreement, identifies the specific Subscription Service ordered by Customer, and sets forth the prices for the Subscription Service.

1.10 Professional Services means consulting or training services (excluding technical support) and any deliverables, as applicable, provided to Customer by Licensor as described under Section 2.6 below.

1.11 Services means the Subscription Service provided by Licensor pursuant to Section 2.1 hereof and/or Professional Services as defined above.

1.12 Subscription Service means Licensor’s proprietary subscription-based software solutions known as Wiiisdom Ops and further described on the applicable Order Form including all related technical support.

1.13 Users means individuals who are authorized by the Customer to use the Services subject to the terms of Section 2.2 below, and, with respect to the Subscription Service, who have been supplied passwords by the Customer (or by Licensor at the Customer’s request). Users consist of any employee of the Customer or its Affiliates and any independent contractor of the Customer or its Affiliates.

1.14 License Term means the period of time in which Customer shall be entitled to use the Subscription Service and Documentation as specified on the applicable Order Form.

2. SERVICES

2.1 Services. Licensor shall provide the Customer with the specific Services specified on an Order Form. In the event of a conflict between the terms set forth in an Order Form and this Agreement, the terms set forth in this Agreement will control, unless an Order Form makes specific reference to the section of this Agreement that is to be amended in the Order Form.  The Customer agrees that purchases hereunder are neither contingent on the delivery of any future functionality or features nor dependent on any oral or written comments made by Licensor regarding future functionality or features.

2.2 License Grant. Subject to the terms and conditions of this Agreement, and in consideration for the payment of fees set forth on the applicable Order Form, Licensor hereby grants to the Customer, solely during the term of the applicable Order Form, a non-exclusive, non-transferable (except as set forth in Section 10.2) license to access and use the Subscription Service solely for the Customer’s internal business purposes.  This license is restricted to use by Customer and its Users and does not include the right to use the Subscription Service on behalf of any third party.  The Customer is responsible for procuring and maintaining the network connections that connect the Customer to the Subscription Service.  Subject to the terms of Section 8.3, the Customer agrees: (a) that only authorized Users are permitted to use the Subscription Service; (b) that it is responsible for authorized Users’ actions or failures to act in connection with activities contemplated under this Agreement and (c) to otherwise take all commercially reasonable steps to protect the Subscription Service and the Documentation from unauthorized use and/or access.

2.3 Licensed Volume. The Customer acknowledges that access and use of the Subscription Service is licensed to the Customer for use up to the number of Users and on the license type as set forth on the applicable Order Form (the “Volume Limitations”).  In the event that the Subscription Service is used in excess of the Volume Limitations then the Customer shall be obligated to pay Licensor for such excess at Licensor’s then current rates. For the avoidance of doubt, licenses are granted on an authorized User basis and may be reassigned between uniquely identified individual Users over time, but may not be reassigned so frequently as to enable the sharing of a single license between multiple Users and the total number of Users who can use the Subscription Service must not exceed the number of licenses purchased and accepting the terms of a modified Order Form in order to remain in compliance with the terms of this Agreement.

2.4 Affiliates. Subject to the terms of the Order Form, the Customer may make the Subscription Service available to its Affiliates provided that all licensing restrictions are complied with in each instance by each such Affiliate and that the Customer shall be liable for any breach of the terms and conditions of this Agreement by any of its Affiliates.  Any license restrictions set forth on an Order Form shall be deemed to apply to both the Customer and its Affiliates.  By way of example, if an Order Form limits use of the Subscription Service to twenty (20) Users, then the use by the Customer and its Affiliates, when aggregated together, shall not exceed a total of twenty (20) Users.

2.5 Technical Support. As part of the Subscription Service, Licensor shall provide technical support services to Customer in accordance with the additional terms on Appendix A attached hereto.

2.6 Professional Services. Customer may purchase Professional Services as described in applicable Order Form and/or Statement of Work in accordance with the Wiiisdom Professional Services Terms attached as Appendix B.

2.7 Open Source Software. A list of open-source software made available under the Subscription Service may be provided by Licensor upon written request. Open-source software is licensed to Customer under its own license terms and those terms apply to the use of the Open-Source Software. In the event of a conflict, the open-source software license terms supersede these SAAS Terms and Conditions solely with respect to that open-source software.

2.8 Beta Services. Certain functionalities of the Subscription Service may be provided under a beta form (“Beta Subscription”). Under such Beta Subscription, Customer may only operate the functionalities designated as “Beta” in the Documentation for internal testing and evaluation purposes only and not for business purposes. Customer understands that the Beta functionalities provided under a Beta Subscription have been limited in some way through restricted use. With respect to such Beta Subscription, the Beta functionalities are provided “AS IS” and “WITH ALL FAULTS”, without any support, maintenance or warranty from or liability for WIIISDOM. Customer’s use of the Beta or Preview functionalities is at Customer’s sole risk. It shall use caution and not rely in any way on the correct operation or performance of the Beta functionalities. Licensor may delete or modify a Beta or Preview functionality or terminate a Beta License at any time for convenience without notice to Customer. If Customer provides feedback to Licensor, Customer agrees that Licensor may use such feedback and incorporate the feedback into its products without restriction, compensation or other obligation to Customer.

3. FEES; PAYMENT TERMS

3.1 Fees. The Customer agrees to pay Licensor for Services provided and expenses incurred on the basis and at the rates specified in the Order Form. Unless otherwise set forth on the Order Form, fees are paid annually in advance and payment shall be due within thirty (30) days after receipt of Licensor’s invoice and shall be made in the currency specified in the Order Form. Customer agrees to pay a late charge of one and a half percent (1 1/2%) per month (or part of a month), or the maximum lawful rate permitted by applicable law, whichever is less, for all amounts, not subject to a good faith dispute, and not paid when due.

After the first year of the Term, Licensor may increase subscription fees no more than once per year in accordance with the annual percent change of the Customer Price Index (“CPI”) applicable in the Customer’s country compared to such CPI one year prior. In the event any such price index is negative, the Licensor’s subscription fees will not be reduced.

3.2 Disputed Charges. If the Customer disputes any charge or amount on any invoice and such dispute cannot be resolved promptly through good faith discussions between the Parties, the Customer shall pay the amounts due under this Agreement less the disputed amount, and the Parties shall proceed in good faith to promptly resolve such disputed amount.  An amount will be considered disputed in good faith if (i) the Customer delivers a written statement to Licensor on or before the due date of the invoice, describing in detail the basis of the dispute and the amount being withheld by the Customer, (ii) such written statement represents that the amount in dispute has been determined after due investigation of the facts and that such disputed amount has been determined in good faith, and (iii) all other amounts due from the Customer that are not in dispute have been paid as and when required under this Agreement.

3.3 Taxes. All payments, fees, and other charges payable by Customer to Licensor under this Agreement are exclusive of all sales, goods and services, value added, property, excise, or any other taxes, levies, and assessments of any jurisdiction. Customer shall bear all such taxes, levies, and assessments imposed on Customer or Licensor arising out of this Agreement, excluding any tax based on Licensor’s net income. If any deduction or withholding is required by law to be made by Customer, the amount of Fees shall be increased to the amount which, after making any deduction or withholding, leaves the amount equal to fees which would have been due if no deduction or withholding had been required. Prior to any deduction or withholding, Customer shall inform Licensor about the amount of such deduction or withholding and shall request from Company a tax residency certificate, or any other documents required by law, to claim an exemption from or reduction of any such deduction or withholding. Customer to whom the deduction or withholding applies, shall pay to the relevant taxation authority, or other authorities, as appropriate, the applicable amount of the deduction or withholding, and furnish to Licensor all documents confirming such deduction or withholding. These documents should include, to the extent existing, any evidence necessary to ensure utilization of tax credit by Licensor. Licensor will repay to Customer the portions of a gross-up amount which led to an effective tax saving because of tax credit available to Licensor.

4. CONFIDENTIALITY

4.1 Confidential Information.  During the term of this Agreement, each Party will regard any information provided to it by the other Party and designated in writing as proprietary or confidential to be confidential (“Confidential Information”).  Confidential Information shall also include information which, to a reasonable person familiar with the disclosing Party’s business and the industry in which it operates, is of a confidential or proprietary nature.  The receiving Party shall hold in confidence, and shall not disclose (or permit or suffer its personnel to disclose) any Confidential Information to any person or entity except to a director, officer, employee, outside consultant, or advisor (collectively “Representatives”) who have a need to know such Confidential Information in the course of the performance of their duties for the receiving Party and who are bound by a duty of confidentiality no less protective of the disclosing Party’s Confidential Information than this Agreement.  The receiving Party and its Representatives shall use such Confidential Information only for the purpose for which it was disclosed and shall not use or exploit such Confidential Information for its own benefit or the benefit of another without the prior written consent of the disclosing Party.  Each Party accepts responsibility for the actions of its Representatives and shall protect the other Party’s Confidential Information in the same manner as it protects its own valuable confidential information, but in no event shall less than reasonable care be used.  A receiving Party shall promptly notify the disclosing Party upon becoming aware of a breach or threatened breach hereunder, and shall cooperate with any reasonable request of the disclosing Party in enforcing its rights.

4.2 Exclusions. Information will not be deemed Confidential Information hereunder if such information: (i) is known prior to receipt from the disclosing Party, without any obligation of confidentiality; (ii) becomes known to the receiving Party directly or indirectly from a source other than one having an obligation of confidentiality to the disclosing Party; (iii) becomes publicly known or otherwise publicly available, except through a breach of this Agreement; or (iv) is independently developed by the receiving Party without use of the disclosing Party’s Confidential Information, as evidenced.  The receiving Party may disclose Confidential Information pursuant to the requirements of applicable law, legal process or government regulation, provided that it gives the disclosing Party reasonable prior written notice to permit the disclosing Party to contest such disclosure, and such disclosure is otherwise limited to the required disclosure.

4.3 Injunctive Relief. Notwithstanding any other provision of this Agreement, both Parties acknowledge that any use of the disclosing Party’s Confidential Information in a manner inconsistent with the provisions of this Agreement may cause the disclosing Party irreparable and immediate damage for which remedies other than injunctive relief may be inadequate.  Therefore, both Parties agree that, in addition to any other remedy to which the disclosing Party may be entitled hereunder, at law or equity, the disclosing Party shall be entitled to an injunction or injunctions (without the posting of any bond and without proof of actual damages) to restrain such use in addition to other appropriate remedies available under applicable law.

5. WARRANTIES

5.1 Subscription Service Warranty. Licensor warrants that during the term of the Order Form for the Subscription Service, the Subscription Service will conform, in all material respects, with the Documentation. Licensor does not warrant that it will be able to correct all reported defects or that use of the Subscription Service will be uninterrupted or error free. Licensor makes no warranty regarding features or services provided by third parties. For any breach of the above warranty, Licensor will, at no additional cost to Customer, provide remedial services necessary to enable the Subscription Service to conform to the warranty. The Customer will provide Licensor with a reasonable opportunity to remedy any breach and reasonable assistance in remedying any defects. Notwithstanding any provision of this Agreement to the contrary, Licensor shall not have any obligation under this section to the extent a nonconformity of the Services is the result of (a) the Services having been modified, repaired, or reworked by any party other than Licensor or a third party on behalf of Licensor, (b) any use of the Services in conjunction with another product or service not recommended in the applicable Documentation, (c) any damage to the Services by power failure, fire, explosion, or any act of God or other cause beyond Licensor’s reasonable control, or (d) any use of or access to the Services not in conformance with the Documentation. Warranty is fully excluded in cases of evaluation, beta or free-of-charge (trial) use of the Services.

5.2 Data Security. Licensor agrees to use appropriate safeguards and comply with all applicable data protection laws in particular in compliance with the provisions of Appendix C, to prevent use or disclosure of the Customer Data other than as provided for by this Agreement.  Nonetheless, Customer acknowledges that the Subscription Service is not designed to integrate critical or personal data. Licensor agrees to implement industry standard physical safeguards, technical safeguards and policy, procedure and documentation requirements that reasonably and appropriately protect the confidentiality, integrity and availability of the Customer Data.

5.3 No Other Warranty. LICENSOR DOES NOT REPRESENT THAT THE SERVICES WILL BE ERROR-FREE OR THAT THE SERVICES WILL MEET CUSTOMER’S REQUIREMENTS OR THAT ALL ERRORS IN THE SERVICES WILL BE CORRECTED OR THAT THE OVERALL SYSTEM THAT MAKES THE SUBSCRIPTION SERVICE AVAILABLE (INCLUDING BUT NOT LIMITED TO THE INTERNET, OTHER TRANSMISSION NETWORKS, AND CUSTOMER’S LOCAL NETWORK AND EQUIPMENT) WILL BE FREE OF VIRUSES OR OTHER HARMFUL COMPONENTS. THE WARRANTIES STATED IN SECTION 5 ABOVE ARE THE SOLE AND EXCLUSIVE WARRANTIES OFFERED BY LICENSOR. THERE ARE NO OTHER WARRANTIES OR CONDITIONS, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT OF THIRD PARTY RIGHTS. CUSTOMER ASSUMES ALL RESPONSIBILITY FOR DETERMINING WHETHER THE SERVICES ARE ACCURATE OR SUFFICIENT FOR CUSTOMER’S PURPOSES.

6. LIMITATION OF LIABILITY

6.1 Consequential Damage Exclusion. Neither Party will be liable to the other or any third party for loss of profits or for any special, indirect, incidental, consequential or exemplary damages (including without limitation, damages for loss of business profits, loss of goodwill, business interruption, loss of business information and/or data) in connection with the performance of the Services, or the performance of any other obligations under this Agreement, even if it is aware of the possibility of the occurrence of such damages.

6.2 Limitation of Liability. The total cumulative liability of Licensor to Customer for any and all claims and damages under this Agreement, whether arising by statute, contract, tort or otherwise, will not exceed the Services fees paid by Customer to Licensor for the Services which form the subject of the claim during the twelve (12) month period immediately preceding the event giving rise to the claim.  The provisions of this Agreement allocate risks between the Parties.  The pricing set forth in each Order Form reflects this allocation of risk and the limitation of liability specified herein.

6.3 Exclusions. Nothing in this Agreement limits a Party’s liability for death or personal injury caused by its negligence, or gross negligence or willful misconduct, or Customer’s liability for breach of Services usage or Licensor’s intellectual property rights.

7. TERM

7.1 Term. This Agreement will continue in effect until otherwise terminated in accordance with Section 7.2 below. This Agreement will remain in effect for the License Term. At the end of the initial License Term, the License will automatically renew for successive twelve (12) month periods in accordance with the terms of the Order Form and this Agreement (each a “Renewal Term”), unless either Party notifies the other Party in writing of its election not to renew the License Term at least ninety (90) days prior to the end of the then-current term. The term for the Subscription Service shall be set forth on the Order Form. Licensor reserves the right to change the rates, applicable charges and usage policies and to introduce new charges, for such Order Form upon providing the Customer with written notice thereof (which notice may be provided by e-mail) at least 60 days prior to the then current renewal date of the Order Form. Licensor reserves the right to modify this Agreement by posting a new Agreement online and notifying Customer of such new agreement provided that such new Agreement will only be applicable for any Order Form entered into after the date such new Agreement goes into effect.

7.2 Termination. Notwithstanding the foregoing, either Party may terminate this Agreement (i) immediately in the event of a material breach of this Agreement by the other Party that is not cured within thirty (30) days of written notice from the other Party, or (ii) immediately if the other Party ceases doing business or is the subject of a voluntary or involuntary bankruptcy, insolvency or similar proceeding, that is not dismissed within sixty (60) days of filing. All rights and obligations of the Parties which by their nature are reasonably intended to survive such termination or expiration will survive termination or expiration of this Agreement.

7.3 Effect of Termination. Upon any termination or expiration of this Agreement, Licensor shall no longer provide the applicable Services to the Customer and the Customer shall promptly cease and cause its Users to promptly cease using the Services.  Customer shall pay Licensor for all fees that had accrued prior to the termination date. Except as expressly provided herein, termination of this Agreement by either party will be a nonexclusive remedy for breach and will be without prejudice to any other right or remedy of such party.  Upon termination of this Agreement, each party shall promptly return or destroy all Confidential Information of the other party in its possession. Within thirty (30) days following termination, the Customer may retrieve the Customer Data in accordance with established and reasonable system access procedures. After such period, Licensor will have no further obligation to store and/or make available the Customer Data and may delete the same.

8. OWNERSHIP; USE OF DATA; OBLIGATIONS

8.1 Services. The Customer acknowledges and agrees that as between Licensor and the Customer, all right, title and interest in and to the Services (excluding any Customer Data) and including all modifications and configurations, all Licensor Data, all Professional Services deliverables and all of Licensor’s proprietary technology, including, without limitation, all software, products, processes, algorithms, user interfaces, know-how, techniques, designs and other tangible or intangible technical material or information made available to the Customer by Licensor in providing the Subscription Service and all derivatives thereof are and shall remain Licensor’s or its licensors’.  The Licensor name, all Licensor logos, and the product names associated with the Subscription Service are trademarks of Licensor or third parties, and no right or license is granted to use them.  The Customer shall not remove any Licensor trademark or logo from the Services.  During the term of this Agreement, Licensor grants to the Customer a limited, worldwide, non-exclusive, non-transferable (except as set forth in Section 12.2), royalty-free right to use the Licensor Data solely in connection with the Customer’s permitted use of the Services.  Licensor shall have the right to collect, analyze, use and distribute aggregated information, analysis, statistics, related benchmarking algorithms and other data generated by the Services (or derived from the Customer’s use of the Services) provided, however, that Licensor shall not disclose any such data unless such data is in an aggregated, anonymized form that would not permit a third party to identify the data as associated with the Customer or any of its Users.

8.2 Customer Data. The Customer retains ownership of all right, title and interest in and to all Customer Data.  During the term of this Agreement, the Customer hereby grants to Licensor a limited, worldwide, non-exclusive, non-transferable (except as set forth in Section 12.2), royalty-free right to use, display, transmit, and distribute the Customer Data solely as necessary to provide the Subscription Service to the Customer.  Upon termination of the Subscription Service, Licensor shall make such Customer Data available to the Customer in a mutually agreed upon format.  The Customer is solely responsible for all Customer Data, in particular the accuracy, integrity, quality or legality of collection or process of such Customer Data.  Neither the Customer nor its Users shall use the Subscription Service to: (a) send, upload or otherwise transmit any Customer Data that is unlawful, threatening, abusive, harassing, tortious, defamatory, vulgar, obscene, libelous, invasive of another’s privacy, hateful, or racially, ethnically or otherwise objectionable; (b) upload or otherwise transmit, display or distribute any Customer Data that infringes any trademark, trade secret, copyright or other proprietary or intellectual property rights of any person; (c) upload or otherwise transmit any material that contains software viruses or any other computer code, files or programs designed to interrupt, destroy or limit the functionality of any computer software or hardware or telecommunications equipment; (d) interfere with or disrupt the Subscription Service or networks connected to the Subscription Service; or (e) violate any applicable law or regulation.

8.3 Services Evaluation. Licensor may process data collected via the Services for the purposes of maintaining and improving the Services and providing support related to the Software. Processing may include measuring and analyzing Customer usage of the Services, and conducting surveys related to the Services.

9. INDEMNIFICATION

9.1 Licensor Indemnification. Subject to Section 9.3 below, Licensor will indemnify, defend and hold the Customer and its Affiliates harmless from and against any and all costs, liabilities, losses, and expenses (including, but not limited to, reasonable attorneys’ fees) (collectively, “Losses”) incurred arising out of or in connection with a claim, suit, action, or proceeding brought by any third party against the Customer or any of its Affiliates alleging that the use of the Services as permitted hereunder infringes any patent, copyright or trademark, or constitutes a misappropriation of a trade secret of a third party.  Excluded from the above indemnification obligations are claims to the extent arising from (a) use of the Services in violation of this Agreement or applicable law, (b) use of the Services after Licensor notifies the Customer to discontinue use because of an infringement claim, (c) any claim relating to any third party products or services or Customer Data, (d) modifications to the Services made other than by Licensor (where the claim would not have arisen but for such modification), (e) the combination, operation, or use of the Services with software or equipment which was not provided by Licensor, to the extent that the Customer’s liability for such claim would have been avoided in the absence of such combination, operation, or use; or (f) compliance by Licensor with the Customer’s custom requirements or specifications if and to the extent such compliance with the Customer’s custom requirements or specifications resulted in the infringement.  
If the Services are held to infringe, Licensor will, at its own expense, in its sole discretion use commercially reasonable efforts either (a) to procure a license that will protect the Customer against such claim without cost to the Customer; (b) to replace the Services with non-infringing Services without loss of any material functionality or (c) if (a) and (b) are not commercially feasible, terminate the Agreement and refund to the Customer any prepaid unused fees paid to Licensor for the infringing Services.  The rights and remedies granted the Customer under this Section 9.1 state Licensor’s entire liability, and the Customer’s exclusive remedy, with respect to any claim of infringement of the intellectual property rights of a third party, whether arising under statutory or common law or otherwise.

9.2 Customer Indemnification. Subject to Section 9.3 below, the Customer shall indemnify, defend, and hold Licensor and its Affiliates harmless from and against any and all Losses resulting from a claim, suit, action, or proceeding brought by any third party against Licensor or any of its Affiliates that arises out of or results from a claim alleging that the Customer Data, or any use thereof, infringes the intellectual property rights or proprietary rights of others, or has caused harm to a third party.

9.3 Indemnification Procedure. The indemnified Party shall (i) promptly notify the indemnifying Party in writing of any claim, suit or proceeding for which indemnity is claimed, provided that failure to so notify will not remove the indemnifying Party’s obligation except to the extent it is prejudiced thereby, and (ii) allow the indemnifying Party to solely control the defense of any claim, suit or proceeding and all negotiations for settlement; provided that the indemnifying Party shall not settle any claim without the indemnified Party’s prior written consent (such consent not to be unreasonably withheld or delayed).  The indemnified Party shall also provide the indemnifying Party with reasonable cooperation and assistance in defending such claim (at the indemnifying Party’s cost).

10. GENERAL

10.1 Entire Agreement. This Agreement, including all appendices, SOWs and Order Forms, contains the entire agreement between the Parties with respect to the subject matter hereof, and supersedes all prior or contemporaneous proposals, understandings, representations, warranties, covenants, and any other communications (whether written or oral) between the Parties relating thereto and is binding upon the Parties and their permitted successors and assigns. Except as set forth in Section 7.1, only a written instrument that refers to this Agreement and that is duly signed by the authorized representatives of both Parties may amend this Agreement. Any inconsistent or conflicting terms and conditions contained in any purchase order issued by the Customer shall be of no force or effect, even if the order is accepted by Licensor. This Agreement shall be construed and interpreted fairly, in accordance with the plain meaning of its terms, and there shall be no presumption or inference against the Party drafting this Agreement in construing or interpreting the provisions hereof.

10.2 Assignment. This Agreement shall be binding upon and for the benefit of Licensor, the Customer and their permitted successors and assigns.  Except as expressly stated in this Agreement, Customer may not otherwise assign its rights or delegate its duties under this Agreement either in whole or in part without the prior written consent of Licensor, and any attempted assignment or delegation without such consent will be void.  Notwithstanding the foregoing, Customer may assign this Agreement as part of a corporate reorganization, consolidation, merger, or sale of all or substantially all of its assets.  Licensor may use independent contractors or subcontractors to assist in the delivery of Services; provided, however, that Licensor shall remain liable for the actions or omissions of such independent contractors or subcontractors and for the payment of their compensation.

10.3 Governing Law. This Subscription Agreement shall be construed and governed in accordance with the laws of the State of Delaware without reference to conflict of laws principles. Any controversy, dispute or question between the parties or arising out of, in connection with, or in relation to this Agreement or its interpretation, performance or nonperformance, or any breach thereof shall be determined by arbitration conducted in Delaware, in accordance with the then existing Commercial Rules of the American Arbitration Association by a single arbitrator. The parties agree that state and federal courts sitting in Delaware shall have venue and jurisdiction over the parties to implement judgment upon any arbitral award. The award of the arbitrator shall be final and binding and enforceable in any court of competent jurisdiction in the same manner as any other judgment of said court. However, nothing contained herein shall in any way deprive either party of its right to obtain injunction or other equitable relief in such state or federal courts. If any action is brought by either party to this Subscription Agreement against the other party regarding the subject matter hereof, the prevailing party shall be entitled to recover, in addition to any other relief granted, reasonable attorneys’ fees and expenses of litigation.

10.4 Disputes. Any disputes between the Parties arising out of this Agreement shall be resolved as follows:  Members of the senior management of both Parties shall meet to attempt to resolve such disputes.  If a dispute cannot be resolved within fifteen (15) days, either Party may make a written demand for mediation.  Within fifteen (15) days after such written notification, the Parties shall meet for one day with an impartial mediator.  The costs and expenses of the mediator shall be shared equally by the Parties.  If the dispute is not resolved by mediation or the Parties are unable to agree on a mediator, then such dispute will be subject to the exclusive jurisdiction competent for the Licensor’s head offices, and each party hereby consents to the personal jurisdiction thereof.

10.5 Headings. The headings to the sections of this Agreement are for ease of reference only and shall not affect the interpretation or construction of this Agreement.

10.6 Relationship of the Parties. Licensor and the Customer are independent contractors, and nothing in this Agreement shall be construed as making them partners or creating the relationships of employer and employee, master and servant, or principal and agent between them, for any purpose whatsoever.  Neither Party shall make any contracts, warranties or representations or assume or create any obligations, express or implied, in the other Party’s name or on its behalf.

10.7 Publicity. Licensor may identify Customer as a Wiiisdom customer and use Customer name and logo in promotional and marketing materials, except as agreed otherwise in writing between the Parties.

10.8 Force Majeure. Neither Party shall be deemed to be in breach of any provision of this Agreement for any failure (except for a failure to pay fees) resulting from acts or events beyond that Party’s reasonable control, including but not limited to (i) severe weather, power failure, fires, explosions, earthquakes, drought, tidal waves and floods, (ii) war, hostilities, invasion, act of foreign enemies, mobilization, requisition, or embargo, (iii) rebellion, revolution, insurrection, or military or usurped power, or civil war, (iv) contamination by radio-activity from any nuclear fuel, or from any nuclear waste from the combustion of nuclear fuel, radio-active toxic explosive, or other hazardous properties of any explosive nuclear assembly or nuclear component of such assembly, (v) diminishment of power of telecommunications or data networks or services, or refusal of a license by a government agency, (vi) riot, commotion, strikes, go slows, lock outs or disorder, unless solely restricted to employees of Licensor or its subcontractors. If any such event has occurred, the non-performing Party shall (i) immediately notify the other Party in writing describing at a reasonable level of detail the circumstances causing such default or delay and (ii) be excused from further performance or observance of its affected obligation(s) for as long as such circumstances prevail and such party continues to use reasonable commercial efforts to recommence performance or observance as soon as possible and to whatever extent possible without delay.

10.9 Notices. Any notice, approval, request, authorization, direction or other communication under this Agreement shall be given in writing and shall be deemed to have been delivered and given for all purposes (i) on the delivery date if delivered personally to the Party to whom the same is directed; (ii) one (1) business day after deposit with a nationally recognized overnight carrier, with written verification of receipt, or (iii) by email upon confirmation that the electronic mail was received by the recipient and (iv) five (5) business days after the mailing date whether or not actually received, if sent by certified mail, return receipt requested, postage and charges pre-paid or any other means of rapid mail delivery for which a receipt is available, to the address of the Party set forth below or on the applicable Order Form or SOW.  Either Party may change its address by giving written notice of such change to the other Party.

(i) For Licensor: Wiiisdom USA, Inc.
Attn: President
53 State Street / Suite 500
Boston MA 02109 USA
Email: legal@wiiisdom.com

(ii) For Customer: The address set forth in the Order Form

10.10 Modifications to Subscription Service. Licensor may make modifications to the Subscription Service or particular components of the Subscription Service from time to time to improve its functionalities and reflect the evolution of market requirements provided that such modifications do not materially degrade any functionality or features of the Subscription Service.

10.11 No Third Party Beneficiaries. Nothing contained in this Agreement is intended or shall be construed to confer upon any person any rights, benefits or remedies of any kind or character whatsoever, or to create any obligation of a Party to any such person.

10.12 Waiver and Severability. Performance of any obligation required by a Party hereunder may be waived only by a written waiver signed by an authorized representative of the other Party, which waiver shall be effective only with respect to the specific obligation described therein. The failure of either Party to exercise any of its rights under this Agreement will not be deemed a waiver or forfeiture of such rights. The invalidity or unenforceability of one or more provisions of this Agreement will not affect the validity or enforceability of any of the other provisions hereof, and this Agreement will be construed in all respects as if such invalid or unenforceable provision(s) were omitted.

APPENDIX A

TECHNICAL SUPPORT

This Appendix applies to technical support Services provided by Licensor, supplements the Wiiisdom Terms and Conditions which apply and this Appendix supersedes any conflicting terms in connection with technical support Services. Capitalized terms used in this Appendix have the meaning defined in context or in the Wiiisdom Terms and Conditions.

(a) Description of technical support services:

  • HOTLINE. Licensor will provide a hotline associated with the Subscription Service, consisting of a website that permits Customer to open tickets online. 
  • ERRORS vs BUGS. Licensor will assess Errors and Bugs in the Subscription Service. Upon discovery of any Error, Customer shall promptly use the hotline website to open a ticket and provide Licensor with a comprehensive written description of the Error, as well as such additional information as Licensor may reasonably request to assist with the verification and resolution of the Error.
    • DEFINITIONS:
      • An “Error” means a reported and verifiable failure of the Subscription Service that has a significant adverse effect on the Subscription Service’s functionality and on the Customer’s operations.
         
      • A “Bug” shall be anything that has an adverse effect on the Subscription Service’s functionality, but is not significantly adverse enough to be characterized as an Error.
    • ERROR FIX. After Customer has supplied the foregoing information, if Licensor then verifies the existence of an Error, then Licensor will use commercially reasonable efforts to provide an Error Fix in such time and in such manner as is reasonable in light of the type of nonconformity. For example, if a work-around is available, Licensor will ask Customer to use that work-around pending any Error Fix.
    • BUG FIX. If Licensor verifies the existence of a Bug, Licensor will add it to its list of Bugs that may be addressed with a Bug Fix by its next scheduled revision or new release to the Subscription Service.

(b) Limitations on support:

  • Customer must use its support account to submit in writing to the Licensor’s support website (https://support.wiiisdom.com/) all requests for enhancements, bug fixes or error fixes. 
  • Licensor reserves the right to decide whether or not to undertake development of “Enhancements”, meaning changes or additions to the Software requested by Licensee but outside the scope of this Agreement. If the Licensor agrees to undertake development of Enhancements, it shall submit a Professional Services offer providing for scope, fees, costs and other applicable elements. Enhancements will carry no warranty (other than title) unless expressly agreed in writing by Licensor. 

The Subscription Service’s support will include:

* Responses to technical questions
* Troubleshooting of technical issues
* Bug fixes

A detailed Scope of Support presentation is available for download on the Licensor support website (https://support.wiiisdom.com/). This presentation explains exactly what is included and what is not included.

APPENDIX B 

PROFESSIONAL SERVICES TERMS

This Appendix applies to Professional Services provided by Licensor, supplements the Wiiisdom Terms and Conditions which apply and this Appendix supersedes any conflicting terms in connection with Professional Services. Capitalized terms used in this Appendix have the meaning defined in context or in the Wiiisdom Terms and Conditions.

 

1. SCOPE OF PROFESSIONAL SERVICES; DELIVERY 

1.1 Service Descriptions.  The scope of Professional Services and related deliverables (“Deliverables”) are described (i) in the service descriptions for standard Wiiisdom professional services packages and referenced in the Order Form, or (ii) in the mutually agreed service description for custom consulting services as described under a statement of work (“SOW”) (together the “Professional Service Description”). Licensor shall have the right to make any changes to Professional Services which are necessary to comply with any applicable law or safety requirements, or which do not materially affect the nature or quality of the Professional Services, and Licensor shall notify the Customer of such event.

1.2 Professional Services Delivery. At its sole discretion, Licensor may use its own employees or contractors or employees or contractors of its Affiliates or third-party subcontractors to deliver the Professional Services (each individually a “Consultant” or collectively “Consultants”). Licensor may replace Consultants in its sole discretion. Licensor remains responsible to Customer for delivery of the Professional Services and the activities of the Consultants.  

1.3 Out-of-Scope Professional Services. Any services not specifically described in the applicable Professional Service Description are out of scope. Specifically, the following items are out of scope for all Professional Services: (1) any non-Wiiisdom product related work; (2) Product or Subscription Service customization or enhancements; (3) Documentation customization or enhancements; and (4) Customer system administration or compatibility related issues. 

 

2. FEES AND PAYMENT 

2.1 Service Fees. The fees for the Professional Services are set out in the Order Form or SOW (the “Service Fees”). The Service Fees exclude license or subscription fees, expenses and out-of-scope services. In addition, Licensor has identified the Service Fees based on the assumptions described in Section 3. Any changes to scope, timing, or any failure of the assumptions described in Section 3 may require an Order Form or SOW amendment and adjustment to Service Fees to complete the Professional Services.  

2.2 License Fees. License/Subscription Services fees are charged separately from the Professional Services. Customer must license the applicable Product or Subscription Services prior to, or concurrent with, the start of Professional Services.  

2.3 Expenses. Any expenses incurred by Consultant are charged on an actual basis unless otherwise stated in the Order Form or SOW.  

2.4 Professional Services Invoicing. Service Fees will be invoiced and due as described in the Order Form or SOW. If any additional Service Fees are required as a result of an Order Form or SOW amendment, the additional Service Fees will be invoiced and due as described in such amendment. 

2.5 Time & Materials Engagements. The Service Fees for time and material engagements are estimates only and billing will be based on actual hours performed at the rates specified in the Professional Service Description. 

 

3. ASSUMPTIONS 

3.1 Customer Responsibilities and Required Infrastructure. The successful completion of the Professional Services requires Customer’s cooperation. Customer shall provide all information, data, documentation, equipment, and other resources as may be reasonably requested by Consultant to enable Consultant to meet its responsibilities (including, but without limitation, logins and passwords, access rights, server details, etc.). Customer will also fulfill the Customer prerequisites and responsibilities described in the applicable Professional Service Description. Customer is responsible for data backups, system, network, and security infrastructure provisioning, configuration, and troubleshooting, and providing sufficient and timely access for Consultant to the Customer systems and personnel during normal business hours. 

3.2 Workshop Size. Any training workshop is limited to the specified number of users for the applicable Professional Service Description to sustain a manageable Consultant-to-participant ratio.  

3.3 Engagement Management.  Consultant will appoint a single point of contact for Customer for scoping, scheduling, progress, status, and consumption.  

3.4 Customer Project Staffing.  The Customer will provide a dedicated project manager to support the Licensor’s responsibilities and dependencies for the project and to identify, communicate and manage Customer’s processes, standards, and policies that impact the project and project timelines. Such Customer project manager shall have all the necessary technical skills, coordinate any third party involved in the project and be invested with the appropriate power to make the necessary decisions and to carry out any recommendations of Consultant.

3.5 Remote Access. The Customer will provide remote access to Customer systems or any necessary third party software for Consultant or alternative means of access acceptable to Consultant at Consultant’s sole discretion. Customer shall ensure that Licensor is authorized to access and use such third party software, and indemnify Licensor thereof.

3.6 Failure to Perform. Licensor and Consultant will be excused for a failure or delay in performance of obligations to the extent that non-performance or delay is caused by act or omission of the Customer or any third party, so long as Licensor or Consultant promptly provides written notice to the Customer of any expected failure or delay and uses all reasonable efforts to avoid and minimize the impact of any such failure or delay. 

3.7 Location. Professional Services will be delivered remotely unless otherwise stated in the Order Form or SOW.  Where applicable, travel arrangements must be finalized within a reasonable period before each on-site engagement. If Consultant must be present at Customer’s site, Customer shall provide Licensor with any worksite safety and security regulations which may apply.

3.8 Working Hours. Consultant working hours are 9am to 6pm according to Licensor time zone, unless otherwise agreed in writing by Customer and Consultant. 

3.9 Non Solicitation. Customer shall be prohibited from, directly or indirectly, soliciting or hiring a Consultant involved in the carrying out of Professional Services during the term of the Order Form or SOW, and for a period of twelve (12) months from termination thereof.

 

4. SERVICE WARRANTY, DEPLOYMENT, COMPLETION AND ACCEPTANCE 

4.1 Service Warranty. Licensor warrants that it will perform Professional Services under the Order Form or SOW in a professional and workmanlike manner. Customer must notify Licensor of any issue which it determines is a breach of this warranty within sixty (60) days of the completion date. If Licensor confirms such determination, Licensor will use commercially reasonable efforts to reperform the services to comply with the warranty. If Licensor determines that it is not commercially feasible to reperform the services, Licensor may terminate the Order Form or SOW for the applicable Professional Services and refund to Customer the amount that Licensor received for the portion of the Professional Services that failed to conform to the warranty. The remedies provided in this Section are Customer’s sole and exclusive remedies for a breach of the professional services warranty provided in this Section.

4.2 Service Completion. Licensor shall make reasonable efforts to meet any performance dates agreed between the Parties, but any such dates shall be estimates only and time shall not be of the essence for performance of the Professional Services. The Professional Services are completed upon the first of the following to occur: (1) all Deliverables included in the Service Description are delivered by Consultant; (2) the end of the Professional Services schedule indicated in the Service Description; or (3) for time and material engagements, the Consultant has performed the estimated hours.  

4.3 Customer Acceptance. All Deliverables will be deemed accepted by Customer upon delivery, unless Customer provides written notice to Consultant within five (5) days of delivery specifically identifying the manner in which the Deliverables fail to materially comply with the applicable Service Description (in which case Consultant will have the right to correct the Deliverables as it deems appropriate to satisfy the specifications and deliver corrected Deliverables to Customer).  

4.4 Delivery Reschedule. If Customer does not meet the Customer responsibilities described in the applicable Service Description and the failure results in a change to the agreed delivery dates, it will be considered a delivery reschedule. Licensor will accept a delivery reschedule at no additional cost if Customer provides a reasonable period prior notice to the scheduled delivery date for the applicable Professional Services. If a reasonable notice is not given or the delivery reschedule is due to Customer’s failure to meet its responsibilities, Licensor may charge Customer for the initial planned time and expenses or the additional time needed to complete the Professional Services.

APPENDIX C

SECURITY OF PERSONAL DATA

Data Processing Agreement

August 30, 2023

Set forth below is a Data Processing Agreement (hereinafter the “DPA”) and related riders to be included in agreements between the Controller and/or any of its Affiliates and the Processor as defined below. Defined terms should be adjusted as appropriate to be consistent with the underlying agreement and applicable data protection laws, in particular the EU General Data Protection Regulation (hereinafter the “GDPR”). 

This Data Processing Agreement is established between

 

[______________________________], located in [______________________] and represented by [___________________________________]  (hereinafter, “the Controller” or “the Customer”)

 

of the one part, AND

The company Groupe Wiiisdom Software SAS with a capital of 122 519,68 €, registered in the SIREN directory under the number 498273010, whose registered office is located at 63 Place Saint Hubert 59800 Lille – FRANCE, including its affiliated companies, namely WIIISDOM USA, INC, a company under US / Californian law identified by the n°3942785 and Les solutions Wiiisdom Canada, inc., a company under Canadian / Quebec law, identified under n°1171710818, all these companies being represented by M Sébastien Goiffon duly authorized for the purpose hereof.

(hereinafter, “the Processor” or “Wiiisdom”)

on the other part,

The Processor and the Controller may be named hereinafter “a Party” and together “the Parties”. 

If the fields above are not completed, they are deemed to be the equivalent fields of the most recent purchase order, contract or similar document engaging the Parties.

1. Preamble

The parties have concluded commercial relations, possibly governed by a contract for the provision of services (hereinafter called the “Main Contract” or the “Agreement”). These commercial relationships are qualified as “Processing” or “sub-contracting” within the meaning of the GDPR on the date of the Main Contract. The Main Contract to which this DPA is incorporated by reference or attached may proceed indifferently from a written agreement, an order form, accepted term of services or an offer and acceptance in any form. Under the Main Contract, the Controller entrusts Personal Data Processing to the Processor, in order for the provisions of the Main Contract to be fulfilled. Said Personal Data Processing is summarized in Appendix 1. As an addendum to the Main Contract and in order to allow the sub-processing in accordance with applicable data protection laws, the Parties agree to these contractual clauses which will apply to their sub-processing relationship and, where applicable, to any subsequent sub-processing. It is hereby specified that these clauses are adopted contractually in addition to existing regulated standard clauses, if any of said clauses are applicable. They incorporate the provisions of the GDPR and complete the Main Contract on the points mentioned below.

As part of their contractual relations, the Parties shall undertake to comply with every applicable regulation on Personal Data Processing and, in particular, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 which is applicable from 25 May 2018 (hereinafter “the General Data Protection Regulation” or the GDPR), in order to guarantee the Data Subjects and the Controller the security, availability, confidentiality and protection.

 

2. Definitions

The capitalized words hereinafter shall have the meaning set forth by the applicable laws or the meaning set in this DPA. If a definition is contradictory between the applicable law and the meaning set forth in this agreement, the meaning of the applicable law shall prevail.

Mentions of “Personal Data” in this agreement refers to “Personal Data processed in the framework of the Main Contract”.

 

3. Purpose

The purpose of this agreement is to define the conditions in which the Processor undertakes to carry out, on the Controller’s behalf, the personal data processing operations defined below.

The Processor is authorized to Process, on behalf of the Controller, the necessary Personal Data for providing the service(s) described in Appendix 1 to the Standard Contractual Clauses.

The nature of operations carried out on the data, the Purpose(s) of the Processing, the categories of Personal Data processed, and the categories of Data Subjects are specified in Appendix 1 of this DPA.

 

4. Duration of the contract

This contract enters into force during the duration of the Main Contract between the Controller and the Processor.

This agreement automatically terminates at the end of the Main Contract, except for the provisions, in particular of confidentiality, which survive the end of the Main Contract.

When the Main Contract covered by this DPA has taken effect before the signing of this DPA, the Parties undertake to take all the necessary measures to comply with these clauses, if they have not already done so, at each Party’s initiative, in anticipation of the signing of this agreement, for integration into their respective organization, of the provisions of the applicable data protection regulations.

 

5. Processor’s obligations with respect to the Controller

The Processor shall undertake the following:

5.1 Purpose

Process the data solely for the purpose(s) subject to the sub-processing it carries out on the behalf of the Controller.

5.2 Instructions

Process the data in accordance with the documented instructions from the Controller appended hereto. 

Where the Processor considers that an instruction infringes the General Data Protection Regulation or any other legal provision of the Union or of Member States bearing on data protection or any other applicable law, it shall inform the Controller thereof as soon as possible. Moreover, where the Processor is obliged to transfer Personal Data to a third country or an international organization, under any applicable law to which the Processor is subject, the Processor shall inform the Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.

5.3 Confidentiality

Guarantee the confidentiality of Personal Data processed hereunder. In particular, with regards to its personnel:

ensure that the persons authorized to process the Personal Data hereunder: 

  • have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality
  • receive the appropriate personal data protection training

5.4 Privacy by design / default

Take into consideration, in terms of its tools, products, applications or services, the principles of data protection by design and by default.

5.5 Sub-contracting

When the Processor intends to engage another subcontractor, on its own initiative, to carry out part of the processing activities entrusted to it by the Controller, in particular to a service provider essential for the implementation of the Processor’s solutions used by the Controller, the Processor may only engage another subcontractor (“Sub-processor”) to carry out specific Processing activities. According to the provisions of Article 28, 2nd paragraph of the GDPR, the Controller gives general written authorization to the Processor for the purpose of recruiting Sub-processors making it possible to provision the Services on behalf of the Controller. At the Controller’s request, the Processor makes available to the Controller a list of Sub-processors intervening under the Main Contract, for instance via a dedicated page on its website. In the event of a modification to this list of Sub-processors, the Controller has the possibility of being notified of it before said modification is effective. The dispositions related to said notification are described in the Standard Contractual Clauses mentioned in the Annexes of this DPA. The notification may take the form of an email sent to a mailing list to which the Controller must be subscribed, the subscription request being made by contacting the Processor. Within a period not shorter than five (5) calendar days of receipt of the notification, the Controller will have the opportunity to raise objections, in particular based on a lack of adequacy with the rules and laws applicable to it. Beyond this period, if no objection was emitted by the Controller without being resolved, the modification of the list of Sub-processors will be deemed to be accepted without reservation by the Controller. 
The Controller recognizes that certain Sub-processors are essential for the provision of the Services and that objecting to the sub-contracting entrusted to certain Sub-processors may prevent the Processor from offering the Services to the Controller. In the event of a well-founded and irresolvable objection, the Controller will have the option of terminating the Main Contract under conditions to be established between the Parties by way of an addendum. The Processor ensures that each Sub-processor presents adequate guarantees with regard to the Controller’s instructions, the Data Protection laws relating to the technical and organizational measures adopted for the Processing of Personal Data and ensures that each Sub-processor immediately ceases the Processing of Personal Data if these guarantees fail. If a Sub-processor transfers all or part of the Personal Data of a Data Subject for which the GDPR is applicable outside a country of the European Union or a country which has been the subject of an official adequacy decision by the European Commission, the Processor makes sure and can prove at all times the existence of appropriate guarantees offered by said Sub-processor with regard to the protection of Personal Data. 

Where the Sub-processor fails to fulfill its data protection obligations, the Processor remains fully liable with regard to the Controller for the Sub-processor’s performance of its obligations. The Sub-processor is obliged to comply with the obligations hereunder on behalf of and on instructions from the Controller. It is the initial Processor’s responsibility to ensure that the Sub-processor provides the same sufficient guarantees to implement appropriate technical and organizational measures in such a manner that processing meets the requirements of the applicable Personal Data protection laws.

The Processor ensures that each Sub-processor is subject to adequate confidentiality obligations and that it undertakes to comply with the obligations of this DPA on behalf and according to the instructions of the Controller, by a written agreement with a content similar to that of this DPA. The possible authorization given by the Controller to the Processor allowing it to engage a third party or Sub-processor, in no way relieves the Processor from its responsibility towards the latter as regards the compliance with Data protection rules by anyone acting on their own initiative.

5.6 Data transfers to third countries

In the event that the Processing operations involve Transfers of Personal Data to a Third Country or to an international organization, the Processor verifies the existence and/or establishes appropriate safeguards in particular pursuant to Article 46 of the GDPR, in particular the execution of the European Commission’s standard contractual clauses (Article 46, § 2, subparagraph d of the GDPR) available via this link: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32021D0914

5.7 Data subjects’ right to information

It is the responsibility of the Controller to provide (or to make sure that it is provided) the information that is required, in accordance with the applicable Personal Data protection laws, to the Data Subject concerned by the Processing operations, at the time of data collection or subsequently, before the implementation of the subcontracted processing. The Processor must therefore transmit to the Controller, when requested to do so, any information relating to the Processing which it carries out on behalf of the Controller and which must be provided to the Data Subjects, in particular as regards Personal Data transfers to countries external to the EU and the technical and organizational measures taken by it for the correct Processing of Personal Data. If the Processor finds that the information provided may not be sufficient to inform the Data Subjects, the Processor must, before any intervention it carries out, inform the Controller of additional information specific to the subject of the processing having to be provided to the Data Subjects.

At the time Personal Data is being collected, the Processor may be instructed by the Controller to provide the Data Subjects concerned by the processing operations with information about the data processing it carries out on behalf of the Controller. The wording and format of the information must then be agreed with the Controller prior to collecting the data.

5.8 Exercise of Data Subjects’ rights

The Processor shall assist the Controller, insofar as this is possible, for the fulfillment of its obligation to respond to requests for exercising the Data Subject’s rights: right of access, to rectification, erasure and to object, right to restriction of processing, right to data portability, right not to be subject to an automated individual decision (including profiling).

Where the Data Subjects submit requests to the Processor to exercise their rights, the Processor must forward these requests to the Controller as soon as possible by email (to an appropriate and predefined point of contact between the Parties), providing it with all useful information concerning the processing carried out by the Processor, to enable the Controller to answer said requests. The email address(es) that the Processor must use is specified in the relevant Annexes.

The Controller authorizes the Processor to respond to requests from data subjects, prior to any notification to the Controller, only in order to determine whether the request relates to Personal Data processed by the Processor on behalf of the Controller.

If the contact e-mail address above is not provided in this DPA, it is deemed to be the Controller’s DPO public email address or, if there is(are) no such email address(es), the contact email address specified in the most recent purchase order, contract or similar document engaging the Parties.

5.9 Notification of Personal Data Breaches

In the event of a Personal Data Breach, the Processor shall cooperate with and assist the Controller for the purposes of compliance with the obligations listed under Articles 33 and 34 of Regulation (EU) 2016/679 or Articles 34 and 35 of Regulation (EU) 2018/1725, whichever is applicable, taking into account the nature of the Processing and the information available to the Processor.

5.9.1 Violation of data relating to data processed by the Controller

In the event of a Personal Data breach relating to data processed by the Controller where the Processing in question is correlated to the services rendered by the Processor to the Controller, the Processor shall provide assistance to the Controller:

a) For the purposes of notifying the competent Supervisory Authority(ies) of the Personal Data Breach, as soon as possible after the Controller becomes aware of it, if applicable (unless the Personal Data Breach is unlikely to give rise to a risk to the rights and freedoms of natural persons);

b) For the purposes of obtaining the following information which, in accordance with Article 33(3) of Regulation (EU) 2016/679 or Article 34(3) of Regulation (EU) 2018/1725, whichever is applicable, must be included in the Controller’s notification, and include, at least:

    1. the nature of the Personal Data, including, if possible, the categories and approximate number of persons affected by the Breach and the categories and approximate number of involved Personal Data records;
    2. the likely consequences of the Personal Data Breach;
    3. the measures taken or proposed to be taken by the Controller to remedy the Personal Data Breach, including, where applicable, measures to mitigate any negative consequences.

When, and insofar as, it is not possible to provide all the information at the same time, the initial notification contains the information available at that time and, as it becomes available, additional information is subsequently communicated as soon as possible;

c) For the purposes of satisfying, in accordance with Article 34 of Regulation (EU) 2016/679 or Article 35 of Regulation (EU) 2018/1725, whichever is applicable, the obligation to communicate the Personal Data Breach to the concerned Data Subjects as soon as possible, where the Personal Data Breach is likely to result in a high risk to the rights and freedoms of natural persons.

5.9.2 Data breach in relation to Personal Data Processed by the Processor

In the event of a Personal Data Breach relating to data processed by the Processor on behalf of the Controller, the Processor shall notify the Controller as soon as possible after becoming aware of the Breach. This notification shall contain at least:

  1. a description of the nature of the Breach observed (including, if possible, the categories and approximate number of persons affected by the Breach and of involved Personal Data records);
  2. details of a contact point from which further information can be obtained about the Personal Data Breach;
  3. its likely consequences and the measures taken or proposed to be taken to remedy the Breach, including mitigation of any negative consequences.

When, and insofar as, it is not possible to provide all the information at the same time, the initial notification shall contain the information available at that time and, as it becomes available, additional information shall subsequently be communicated as soon as possible.

In such a case, the Processor must notify the Controller of the Data Breach within 48 hours of becoming aware of it.

5.10 Assistance due by the Processor to the Controller regarding compliance with its obligations

a) The Processor shall promptly notify the Controller of any request it has received from a Data Subject. It shall not respond to the request itself, unless authorized to do so by the Controller. 

b) The Processor shall assist the Controller in fulfilling its obligations to respond to Data Subjects’ requests to exercise their rights, taking into account the nature of the Processing. In fulfilling its obligations in accordance with (a) and (b), the Processor shall comply with the Controller’s instructions.

c) In addition to the Processor’s obligation to assist the Controller pursuant to Clause 5.10.b, the Processor shall furthermore assist the Controller in ensuring compliance with the following obligations, taking into account the nature of the Personal Data Processing and the information available to the Processor: 

    1. the obligation to carry out an assessment of the impact of the envisaged Processing operations on the protection of Personal Data (a “data protection impact assessment”) where a type of Processing is likely to result in a high risk to the rights and freedoms of natural persons; 
    2. the obligation to consult the competent Supervisory Authority/ies prior to Processing where a data protection impact assessment indicates that the Processing would result in a high risk in the absence of measures taken by the Controller to mitigate the risk; 
    3. the obligation to ensure that personal data is accurate and up to date, by informing the controller without delay if the processor becomes aware that the personal data it is processing is inaccurate or has become outdated; 
    4. the obligations in Article 32 of Regulation (EU) 2016/679 or Articles 33 and 36 to 38 of Regulation (EU) 2018/1725.

d) The Parties shall set out in one of the Annexes to this DPA the appropriate technical and organizational measures by which the Processor is required to assist the Controller in the application of this Clause as well as the scope and the extent of the assistance required.

5.11 Security Measures

Implement the appropriate measures: The Processor undertakes to implement the technical and organizational measures guaranteeing an appropriate level of service, in particular security measures adapted to the risk, including, where appropriate and feasible, the encryption of Personal Data, the means allowing to guarantee the constant confidentiality, integrity, availability and resilience of the processing systems and services, the means to restore the availability of Personal Data and access to it within appropriate timeframes in the event of physical or technical incident, the means to guarantee the exercise of the rights of the Data Subjects, in particular by means of measures intended for the pseudonymization or anonymization of Personal Data, and procedures aimed at testing, analyzing and regularly assessing the effectiveness of said technical and organizational measures.

The Processor undertakes to implement the security measures described in the related Annex 2 to this DPA.

5.12 Fate of data

At the end of the service bearing on the Processing of such Personal Data, the Processor undertakes to, at the Controller’s choosing:

  • destroy all Personal Data, or
  • return all Personal Data to the Controller, or
  • return the Personal Data to any party designated by the Controller.

Together with said return, all existing copies in the Processor’s information systems must be destroyed. Once destroyed and at the Controller’s demand, the Processor is able to demonstrate, in writing, that this destruction has taken place.

5.13 Privileged interlocutor

Designate a privileged interlocutor: The Processor must communicate to the Controller the name and contact details of the person or department in charge competent with regard to the protection of Personal Data. It can be a Data Protection Officer (DPO). 

The Processor has designated a privileged interlocutor whose contact details are listed in the appropriate Annex(es) of this DPA. 

In the event of any modification, the information will be made available to the Controller by any appropriate means, including updating the information publicly accessible on its website. In any event, this person or service can be contacted by email using the contact details mentioned above.

5.14 Record of categories of processing activities

The Processor states that it is able to produce, at the request of the Controller or any competent authority, a record of all categories of processing activities carried out on behalf of the Controller including at least:

  • the name and contact details of the Controller on behalf of which the Processor is acting, any other Sub-processors and, where applicable, their Data Protection Officer information and contact details;
  • the categories of Processing carried out on behalf of the Controller;
  • where applicable, transfers of Personal Data to a third country or an international organization, including the identification of that third country or international organization and, in the case of transfers referred to in the second subparagraph of Article 49(1) of the GDPR, the documentation of suitable safeguards;
  • where possible, a general description of the technical and organizational security measures, including inter alia:
    • the pseudonymisation and encryption of personal data;
    • the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
    • the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
    • a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing. 

5.15 Documentation

  1. The Parties shall be able to demonstrate compliance with the present clauses.
  2. The Processor shall deal promptly and adequately with inquiries from the Controller about the Processing of Personal Data in accordance with this DPA.  
  3. The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations that are set out in this DPA and stem directly from Regulation (EU) 2016/679 and/or Regulation (EU) 2018/1725. At the Controller’s request, the Processor shall also permit and contribute to audits of the Processing activities covered by this DPA, at reasonable intervals or if there are indications of non-compliance. In deciding on a review or an audit, the Controller may take into account relevant certifications held by the Processor.    
  4. The Controller may choose to conduct the audit by itself or mandate an independent auditor. Audits may also include inspections at the premises or physical facilities of the Processor and shall, where appropriate, be carried out with reasonable notice. 
  5. The Parties shall make the information referred to in this clause, including the results of any audits, available to the competent supervisory authority/ies on request.

6. Controller’s obligations with respect to the Processor

The Controller undertakes to:

6.1 Data provision

Provide the Processor with the Personal Data to be processed and / or the means and authorizations to collect and process said data in application of the Main Contract and this DPA. Said provision of data must be done in accordance with all applicable laws. The Personal Data processed on the behalf of the Controller is the Controller’s data and Processor cannot be held liable for processing any Personal Data on the behalf of the Controller, especially with regards to the nature or categories of the processed Personal Data that the Processor cannot assess on its own.

6.2 Instructions

Document, in writing, any instruction bearing on the Processing of Personal Data by the Processor.

6.3 Compliance

Ensure, before and throughout the Processing, compliance with the obligations set out in the applicable Data Protection laws on the Processor’s part.

6.4 Supervision

Supervise the processing, including by conducting audits and inspections with the Processor.

7. Standard Contractual Clauses

This DPA embeds Standard Contractual Clauses (hereinafter “SCC”) that the Parties shall complete and sign prior to any exports of Personal Data to outside of the European Economic Area and/or when the Processor and Controller are based in the EU. 

In case of any discrepancy between this DPA and the SCCs, the SCCs prevail. In case of any discrepancy between the SCCs for transfer of personal data to third countries and the SCCs to be executed between Processor and Controller both located in the EU, the SCCs for transfer of personal data to third countries will prevail.

If there are transfers of personal data to third countries in the course of the Main Contract

The related Standard Contractual Clauses between Controller and Processor are incorporated into this DPA by reference. If there is a conflict or inconsistency between the other clauses of this DPA and the Standard Contractual Clauses, the Standard Contractual Clauses will prevail to the extent of the conflict or inconsistency. The text of said Clauses incorporated by reference is the Annex to the COMMISSION IMPLEMENTING DECISION on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 which is available at the following URL:

https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32021D0914

In case the Processor transfers Personal Data to third countries, the SCCs are also aimed at being executed by the Processor and any receiving party (including Sub-processors, in which case the module to be taken into account would be module three “processor to processor”) in said third countries.

If Processor and Controller are both located in the EU

The related Standard Contractual Clauses between Controller and Processor are incorporated into this DPA by reference. If there is a conflict or inconsistency between the other clauses of this DPA and the Standard Contractual Clauses, the Standard Contractual Clauses will prevail to the extent of the conflict or inconsistency. The text of said Clauses incorporated by reference is the Annex to the Commission Implementing Decision (EU) 2021/915 of 4 June 2021 on standard contractual clauses between controllers and processors under Article 28(7) of Regulation (EU) 2016/679 of the European Parliament and of the Council and Article 29(7) of Regulation (EU) 2018/1725 of the European Parliament and of the Council which is available at the following URL:

https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32021D0915 

The implementation details, options and choices of said clauses executed by the Parties, with the corresponding annexes, are available hereafter.

8. California Consumer Privacy Act (“CCPA”) / California Privacy Rights Acts (“CPRA”)

Processor will implement and maintain commercially reasonable security measures designed to ensure the integrity, security and confidentiality of Controller’s Personal Information (“Personal Information” having the meaning of “Personal Data”) and protect it in accordance with all applicable laws, regulations, rules and guidelines, including the CCPA and CPRA.

Processor will comply with all applicable provisions of the CCPA and CPRA and

  • Will retain, use, disclose, transfer or process Personal Information it receives from Controller only as needed to provide the Services and to fulfill its obligations under the Main Agreement and as otherwise specified in agreements between the parties;
  • Will not sell or rent any Personal Information that it receives from Controller, and
  • Will not retain, use or disclose Personal Information outside of the direct business relationship between Processor and Controller. 

This DPA will be binding upon and inure to the benefit of the Parties, their successors and permitted assigns.

If any conflicts exist between this DPA and any other agreement between the parties, this DPA will prevail.

The Effective Date of this DPA is commenced upon the date of the last signature herein.

9. General Provisions

This DPA supplements the Main Contract relating to the provision of services entrusted to the Processor. It cancels and replaces any contrary or contradictory clause of the Main Contract to which it is related. All other clauses not affected by this DPA remain, with the exception, however, of the clauses limiting or exonerating the responsibility of the Parties which may have been stipulated by the Main Contract, which are in any case deprived of effect for the case of Breach of Data Protection. The Processor reserves the right to modify or update this DPA. Subject to the revised DPA not violating any regulations applicable to the Controller, by continuing to access or use the Processor’s services after the entry into force of such revisions, the Controller agrees to be bound by the revised DPA. The latest version of this DPA in force can be found on the Processor web site. In the event of modification of this DPA, the Controller has the option of being notified at least ten (10) calendar days before said modification is effective, by email informing it of a proposed modification to the Agreement. The notification can take the form of an email sent to a mailing list to which the Controller must be subscribed. Within a delay not shorter than five (5) calendar days of receipt of the notification, the Controller will have the opportunity to raise objections, based on a lack of adequacy with the rules and laws applicable to it. Beyond this period, the modification of the DPA will be deemed to be accepted without reservation by the Controller. In the event of a well-founded and irresolvable objection, the Controller will have the option of terminating the Main Contract under conditions to be established between the Parties by way of addendum. 

In the event that regulated standard clauses are adopted, it is understood that the clause of this DPA will be replaced by contrary or contradictory standard clauses, which would replace them. 

Any dispute relating to the conclusion, execution or non-execution or interpretation of Data Protection rules will be subject to the law of France. 

 

The Controller ([                 ] Name of the Controller)

Name: [                    ]

Authorized Signature ……………………

The Processor (Wiiisdom)

Name:………………………………

Authorized Signature ……………………

 

If the fields above are not completed, they are deemed to be the equivalent fields of the most recent purchase order, contract or similar document engaging the Parties.

APPENDIX 1 – Data processing description

August 30, 2023

 

Controller

Where Personal Data is transferred to third countries, the Controller is deemed to be the data exporter for the purposes of implementing the relevant standard contractual clauses.

The Controller is (please specify briefly activities relevant to the transfer, for instance a software company, a non governmental organization, etc., dealing with…):

The Controller is a [Specify the country] organization and includes (i) the legal entity that has executed the DPA as the controller and, if the case be (ii) all affiliates of Controller established within the European Economic Area (EEA) and Switzerland that have purchased Services.

 

Processor

Where Personal Data is transferred to third countries, the Processor is deemed to be the data importer for the purposes of implementing the relevant standard contractual clauses.

The Processor is a software company, Wiiisdom, providing Software as a Service solutions in connection with which it processes Personal Data upon the instruction of the Controller in accordance with the terms of the Main Agreement.

 

Data subjects

The Processed Personal Data concern the following categories of Data Subjects:

  • Prospects, customers, business partners and vendors of Controller (who are natural persons)
  • Employees or contact persons of Controller’s prospects or customers, business partners and vendors
  • Employees, agents, advisors, freelancers of Controller (who are natural persons)
  • Controller’s users authorized by Controller to use the Services
  • Any Data Subject whose Personal Data is Processed by the Processor on the behalf of the Controller. Because of the nature of the services offered by Processor to Controller, that can process any kind of data, the categories of Data Subjects whose Personal Data is processed by the Processor on the behalf of the Controller are determined by the Controller.
  • Other categories or details : __________________________________

 

Categories of data

The Processed Personal Data concern the following categories of data:

  • Personal Data of the Data Subjects generated in the normal course of business, including but not limited to: first and last name; email address; title; position; employer; contact information, including company, phone number, physical business address; 
  • Connection data, browsing data and localization data
  • Any Personal Data that is Processed by the Processor on the behalf of the Controller. Because of the nature of the services offered by Processor to Controller, that can process any kind of data, the categories of Personal Data processed by the Processor on the behalf of the Controller are determined by the Controller.
  • Other categories or details : __________________________________

 

Special categories of Personal Data (if appropriate)

The Processed Personal Data concerns the following special categories of data:

Any special categories of Personal Data that are Processed by the Processor on the behalf of the Controller. Because of the nature of the services offered by Processor to Controller, that can process any kind of data, the categories of Personal Data processed by the Processor on the behalf of the Controller are determined by the Controller.

 

Processing operations

The Processed Personal Data can be subject to the following basic Processing activities:

  • Collecting
  • Recording
  • Organizing
  • Structuring
  • Storing
  • Adapting or altering
  • Retrieving
  • Consulting
  • Using
  • Transmitting
  • Destroying

 

Other dispositions

  1. In accordance with article 28 of the GDPR, the Controller gives a general written authorization to the Processor to engage sub-processors under the terms specified in section 5.5 of the Data Processing Agreement.
  2. The Processor’s main contact means for assistance to the Controller is by email to dpo@wiiisdom.com. This includes assistance to Data Subject rights, audits, Personal Data Breaches, Data Protection questions, etc.
  3. The Controller’s main contact means for Personal Data matters is by email to _______________.

 

The Data Controller / Customer Name

Name:………………………………

Authorized Signature ……………………

The Processor / Wiiisdom

Name: Sébastien GOIFFON

Authorized Signature ……………………

 

If the name and signature fields of this appendix are not completed, they are deemed to be the equivalent fields of the most recent purchase order, contract or similar document engaging the Parties.

APPENDIX 2 – Standard Contractual Clauses 

Annex to the COMMISSION IMPLEMENTING DECISION on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679, hereinafter also referred as “SCCs”

1/ If there are transfers of personal data to third countries in the course of the Main Contract

Annex to the COMMISSION IMPLEMENTING DECISION on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679, hereinafter also referred as “SCCs”

The following modules are to be taken into account, depending on the nature of the transfer in question.

  • MODULE TWO: Transfer controller to processor
  • MODULE THREE: Transfer processor to processor
  • MODULE FOUR: Transfer processor to controller

The Standard Contractual Clauses are executed with the following options and choices :

  • Clause 7 – Optional : the Clause does not apply
  • Clause 9 – Module TWO and MODULE THREE: OPTION 2, time period = 5 calendar days
  • Clause 11 – ALL MODULES: Paragraph (a): The OPTION does not apply
  • Clause 13 – ALL MODULES: The competent supervisory authority is the French one (CNIL)
  • Clause 17 – Modules TWO, THREE: OPTION 1: Member State is the State of France.
  • Clause 17 – Module FOUR: Member State is the State of France.
  • Clause 18 – Module TWO, THREE – Paragraph (b) : Member State is the State of France.
  • Clause 18 – Module FOUR : Country is France.

 

2/ In case the subprocessing is performed by Processor for a controller based in the EU

Annex to the Commission Implementing Decision (EU) 2021/915 of 4 June 2021 on standard contractual clauses between controllers and processors under Article 28(7) of Regulation (EU) 2016/679 of the European Parliament and of the Council and Article 29(7) of Regulation (EU) 2018/1725 of the European Parliament and of the Council

  • Clause 1 : Option 1
  • Clause 5 optional : the clause is executed
  • Clause 7.7.a : Option 2, time period = 5 calendar days.
  • Clause 8.c.4 : Option 1
  • Clause 9.1.c : Option 1
  • Clause 9.2.c : Option 1

ANNEX I to the SCCs

A – LIST OF PARTIES 

Data exporter(s):

Name: The entity identified as “Controller” in the DPA.

Address: The address for the Controller associated with its Wiiisdom account or as otherwise specified in the DPA or the Main Agreement.

Contact person’s name, position and contact details: The contact details associated with the Controller’s account, or as otherwise specified in the DPA or the Main Agreement.

Activities relevant to the data transferred under these Clauses: The activities specified in the Appendix 1 of the DPA.

Signature and date: By using the Wiiisdom services to transfer Controller’s Data to Third Countries, the data exporter will be deemed to have signed this Annex I.

Role (controller / processor): 

  • Controller

Data importer(s):

Name: “Wiiisdom” as identified in the DPA.

Address: The address for Wiiisdom specified in the Main Agreement.

Contact person’s name, position and contact details: The contact details for Wiiisdom specified in the DPA or the Main Agreement.

Activities relevant to the data transferred under these Clauses: The activities specified in Appendix 1 of the DPA.

Signature and date: By transferring Controller’s Data to Third Countries on Controller’s instructions, the data importer will be deemed to have signed this Annex I.

Role (controller / processor): 

  • Processor

 

B – DESCRIPTION OF TRANSFER

Categories of data subjects whose personal data is transferred 
Categories of data subjects are specified in Appendix 1 of the DPA. 

Categories of personal data transferred 
The personal data is described in Appendix 1 of the DPA.

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures
The data exporter might include sensitive personal data described in Appendix 1 of the DPA.

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis)
Personal Data is transferred on a continuous basis in accordance with Controller’s instructions and usage of the SaaS Services offered by Data Importer and used by Data Exporter.

Nature of the processing
The nature of the processing is described in Appendix 1 of the DPA.

Purpose(s) of the data transfer and further processing
To provide the SaaS Services offered by Data Importer and used by Data Exporter and specified in the Main Contract.

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
By default: during the time the data exporter uses the services provided by the data importer. 
Some other retention period(s) may be specified on a case-by-case basis.

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing
The subject matter, nature and duration of the processing are described in Appendix 1. The duration of the processing by Data Importer’s sub-processors is the same as the duration of the processing by Data Importer.

 

C – COMPETENT SUPERVISORY AUTHORITY

MODULE TWO: Transfer controller to processor

Identify the competent supervisory authority/ies in accordance with Clause 13
As specified in Appendix 2 of this DPA

ANNEX II to the SCCs

TECHNICAL AND ORGANIZATIONAL MEASURES INCLUDING TECHNICAL AND ORGANIZATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

 

Description of the technical and organizational measures implemented by the data importer(s) (including any relevant certifications if any) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons

The technical and organizational measures (including the certifications held by the data importer if any) as well as the scope and the extent of the assistance required to respond to data subjects’ requests, are described in the DPA. Some more details are provided hereunder.

The application is deployed in single-tenant mode, meaning that each customer has its own dedicated infrastructure when it comes to computing. All resources for a tenant are isolated in a dedicated account and an isolated network. This means there can be no communication between two deployments of the application. These properties ensure that different environments cannot communicate with each other.

Each customer has its own storage service in its dedicated account. In other words, there is no pooling of storage services between different customers. Data is stored in two different ways:

  • Relational database storage
  • Object (file) storage

As mentioned above, the relational database and object storage are specific to each tenant. To guarantee an appropriate level of security, we use several levels of encryption. First, we ensure that data is encrypted at rest. In other words, the two storage services are encrypted directly by the cloud provider, using a key specific to each tenant. For the most sensitive data, we encrypt it before persisting it, to guarantee security during transport.

In production, only a limited number of Wiiisdom employees can access a tenant’s deployment. We don’t have any in-house certifications, but rely on the certifications of the various cloud providers we use (AWS/Azure).

For transfers to (sub-) processors, also describe the specific technical and organizational measures to be taken by the (sub-) processor to be able to provide assistance to the controller and, for transfers from a processor to a sub-processor, to the data exporter.

The technical and organizational measures that the data importer will impose on sub-processors are described in the DPA. Some more details are provided hereunder.

Customer data is hosted on the cloud providers we use. Our sub-processors, AWS and Microsoft Azure, are ISO 27001 and SOC 2 certified.

To supervise the application, we use the Grafana Cloud service, which is ISO 27001 and SOC 2 certified (https://grafana.com/legal/security-compliance/).

Finally, the product team also uses a tool to track user activity: Pendo, which is also ISO 27001 and SOC 2 certified (https://support.pendo.io/hc/en-us/articles/360031862372-Security-and-Privacy).

 Measures of pseudonymisation and encryption of personal data

All data in transit is encrypted, using modern ciphers. TLS 1.2+ is enforced with all transfers.

All data at rest are encrypted, using modern ciphers (typically AES-256).

Personal data is pseudonymized as much as possible; for instance, every process made on data related to a natural person is actually referring to an internal identifier and not some data that can directly be used to identify the data subject.

To guarantee the security of data in transit, we rely on certificates provided by AWS and Azure. All communications are carried out via HTTPS with the TLS 1.2+ protocol.

To guarantee an appropriate level of security, we use several levels of encryption. The two storage services are encrypted directly by the cloud provider, using a key specific to each tenant. For the most sensitive data, we encrypt it before persisting it using AES-GCM or RSA-OAEP algorithms with sufficient key sizes. Each key is unique to a particular tenant.

When creating a tenant’s resources in our various cloud providers, we make sure to use a unique id to identify them. This property allows us to use an internal identifier so as not to have, for example, a direct link between the database and a client.

Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services

All Wiiisdom’s processes are run on high-availability nodes including real-time replication and data integrity verifications.

All accesses are segregated.

The application is deployed in single-tenant mode, meaning that each customer has its own dedicated infrastructure when it comes to computing. All resources for a tenant are isolated in a dedicated account and an isolated network. This means there can be no communication between two deployments of the application. These properties ensure that different environments cannot communicate with each other.

Each customer has its own storage service in its dedicated account. In other words, there is no pooling of storage services between different customers. Data is stored in two different ways:

  • Relational database storage
  • Object (file) storage

As mentioned above, the relational database and object storage are specific to each tenant. To guarantee a certain level of security, we use several levels of encryption. First, we ensure that data is encrypted at rest. In other words, the two storage services are encrypted directly by the cloud provider, using a key specific to each tenant. For the most sensitive data, we encrypt it before persisting it, to guarantee security during transport.

In production, only a limited number of Wiiisdom employees can access a tenant’s deployment.

To guarantee high availability, the application is architected in a distributed way. The application is based on microservices, enabling us to guarantee availability and integrity using stateless principles. If one of the application’s services fails, it is immediately replaced by a new instance. These services are restarted automatically to ensure availability and resilience.

Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident

All data is hosted on multi-redundant storage with high availability capabilities. Databases are backed up regularly. Disaster Recovery and Business Continuity Plans have been elaborated and are regularly tested and revised.

The data is hosted on managed services that allow us to guarantee its replication on different availability zones to ensure high availability and redundancy. These storage services are backed up on a daily basis, with retention to ensure that they can be restored in the event of an incident. Every quarter we carry out a disaster recovery to test the procedures we have put in place.

Wiiisdom has elaborated a business continuity and disaster recovery plan that is tested regularly.

Processes for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the processing

Security analysis is performed regularly, including vulnerability and penetration tests. Their findings are reviewed and corrective actions are scheduled if need be.

Business continuity and disaster recovery plans are tested and reviewed regularly.

As part of our development process, we carry out code reviews to ensure an appropriate level of security. During these reviews, various tests are performed, such as Static Application Security Testing (SAST). This type of test reveals vulnerabilities directly on our code base. We also carry out Dynamic Application Security Testing (DAST) to consolidate new developments. Finally, during these code reviews, several developers re-read their collaborator’s code to limit risk.

Our applications use numerous third-party dependencies. To guarantee the absence of vulnerabilities in these third-party dependencies, we publish them in a tool that enables us to analyze the presence of vulnerabilities in these dependencies on a daily basis. The various containers representing each of our services are also scanned daily for vulnerabilities. Finally, we use an additional tool to automate the updating of our application components to speed up version upgrades.

To ensure maximum security, we also perform penetration tests on our application to assess the presence of vulnerabilities.

Wiiisdom has elaborated a business continuity and disaster recovery plan that is tested regularly.

 Measures for user identification and authorisation 

Administrative and IT access given to Wiiisdom’s personnel is based on the need to know criteria.

Authorizations are reviewed regularly.

Accounts are created as soon as they are needed and canceled as soon as they are no longer needed.

Strong password policy is enforced for users and Wiiisdom’s personnel who have access to Wiiisdom’s Services infrastructure.

Some Wiiisdom services may support SSO using SAML v2 and OKTA so that its customers can rely on their own authentication services to access Wiiisdom services.

Measures for the protection of data during transmission 

All data in transit is encrypted, using modern ciphers. TLS 1.2+ is enforced with all HTTP based transfers. All other transfers are using modern encryption when needed (IMAPS, SMTPS, FTPS, etc.)

To guarantee the security of data in transit, we rely on certificates provided by AWS and Azure. All communications are carried out via HTTPS with the TLS 1.2+ protocol.

 Measures for the protection of data during storage

All data at rest are encrypted, using modern ciphers (typically AES-256).

To guarantee a certain level of security, we use several levels of encryption. In other words, the two storage services are encrypted directly by the cloud provider, using a key specific to each tenant. For the most sensitive data, we encrypt it before persisting it using AES-GCM and RSA-OAEP algorithms with sufficient key sizes. Each key is unique to a particular tenant.

Measures for ensuring physical security of locations at which personal data are processed

All data is processed in 3rd parties’ datacenters that are heavily secured regarding the physical security aspect of data protection.

Measures for ensuring events logging

All personal data processes are logged, and all the actions of the users are logged. All logs are centralized and stored in secured storage. Access to logs is secured and monitored.

All access to our resources is tracked and logged by our cloud providers.  Access to these logs is limited to a certain number of collaborators.

Measures for ensuring system configuration, including default configuration 

All default credentials and accesses are disabled by default. In case a shared access is needed, the related credentials are changed so that they don’t use the default values.

The application’s various secrets are specific to each environment. For each environment, we initially create a set of secrets that we supply at deployment time. There are no default secrets in the application.

Measures for internal IT and IT security governance and management 

A Compliance Officer or some personnel with a similar role is in charge of everything related to personal data protection, including the reviewing of agreements with customers and contractors regarding everything that relates to personal data protection.

The technical team and the CTO in particular are professionals skilled in data security and protection.

Upper management is involved in data protection and the necessary resources and means are made available.

The processes and measures in place that are aimed at data protection are documented and the documentation is regularly reviewed and updated.

 Measures for ensuring data minimisation 

The categories and details of personal data that are processed are reviewed by the CTO, the Compliance Officer and the relevant personnel to ensure they are actually needed.

The application does not process any personal data of its users other than email, first name and last name.

 Measures for ensuring limited personal data retention 

Personal Data retention is limited to the minimum required to perform the provided services under the Agreement and this DPA.

The application does not process any personal data of its users other than email, first name and last name.

 Measures for ensuring accountability

The processes and measures in place that are aimed at data protection are documented and the documentation is regularly reviewed and updated.

 Measures for allowing data portability and ensuring erasure

All data can be exported in standard format (SQL, CSV, etc.).

Data extraction procedures, based on a particular user or on the users of a particular customer, have been written and are regularly tested and updated if need be.

Data deletion procedures, based on a particular user or on the users of a particular customer, have been written and are regularly tested and updated if need be. Random tests are regularly performed to determine if the data concerning a particular data subject which is supposed to be erased is actually erased.

The data for a tenant can be exported from the relational database and the storage of our objects.

In order to ensure the complete deletion of a tenant’s data, we delete the account used to guarantee the complete deletion of this data.

 Measures for assisting the Controller

The Processor has designated a team of professionals in charge of providing assistance to the Controller, especially regarding the fulfillment of its obligations and in particular regarding audits, questionnaires, impact assessments, Data Subject rights, etc.

In particular, we use Vanta, a platform that automates compliance, streamlines security reviews, manages risk and proves security in real time.

 Additional measures and details

When it comes to offering technical support services, Processor will not process any personal data on the behalf of Controller, with the exception of the following data which may be processed by Processor: first name, surname, e-mail address and telephone number of Controller’s employees who use the software (internal IT employees and external IT consultants), as well as purchasers and legal contacts and, where applicable, personal data processed by Controller and accessed by Processor as part of the services provided to Controller (in particular in the case of technical support requests requiring access to such data, and in the absence of the possibility of anonymizing said data, which will otherwise be anonymized, generally at the express request of Processor), as well as, more generally, any data to which it is strictly necessary to access in order to render the services provided to Controller. In particular, this information will be processed by our subcontractor providing services for the supply of support systems “Zoho” (data processed in Quincy and Dallas USA) and “Google” for storage and drive computing capacities (data processed in Ireland and/or the USA) and in our ERP and CRM “Oracle NetSuite” (data processed in Frankfurt, Germany) and in our marketing tool “Hubspot” (data processed in the USA). We have carried out the necessary preliminary studies and, where necessary, established the appropriate contractual relationships to ensure that all such processing complies with the applicable regulations.

| Sub-processors and suppliers | Description | Country of data processing | Details, comments, guarantees |
|---|---|---|---|
| For Technical Support | | | |
| Zoho | Helpdesk service provider | USA | ISO 27001, SOC-2, HIPAA https://www.zoho.com/compliance.html |
| Google (drive, Workspace) | Collaboration suite, storage | Ireland and/or USA | ISO 27001, SOC-2, SOC-3, HIPAA, PCI DSS https://cloud.google.com/security/compliance?hl=en |
| Oracle Netsuite | ERP and CRM | Germany | ISO 27001, SOC-2, SOC-1, NIST 800-53, PCI DSS https://www.netsuite.com/portal/platform/infrastructure/operational-security.shtml |
| Hubspot | Marketing and analytics | USA | SOC-2, SOC-3, penetration tests, DPA https://trust.hubspot.com/ |
| For SaaS services | | | |
| AWS | Infrastructure, Platform as a Service, Cloud computing | USA | PCI-DSS, HIPAA/HITECH, FedRAMP, GDPR, FIPS 140-2, and NIST 800-171; ISO 27001, 27017, 27018, 27701 https://aws.amazon.com/compliance/ https://aws.amazon.com/fr/compliance/iso-certified/ |
| Azure | Infrastructure, Platform as a Service, Cloud computing | USA | ISO 27001, PCI DSS, SOC-1, SOC-2, ISO 27001, 27017, 27018, 27701 https://learn.microsoft.com/en-us/azure/compliance/ |
| Grafana Cloud | Monitoring | EU | ISO 27001, PCI DSS, SOC-1, SOC-2, CSA https://grafana.com/legal/security-compliance/ |
