DATA PROCESSING ADDENDUM
Within the framework of contractual relationships between DAVI and the Customer, the parties undertake to comply with applicable regulations concerning the processing of personal data and access to data, particularly:
- Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter "GDPR");
- Regulation (EU) 2022/868 of the European Parliament and of the Council of May 30, 2022, on rules concerning access to and portability of data in digital services (hereinafter "Data Act").
The parties thus ensure the protection, confidentiality, and portability of data in accordance with these texts, respecting the rights of data subjects.
This data processing addendum with its annexes (together, this "DPA") is incorporated into the subscription agreement (or any other electronic or mutually signed written agreement) between DAVI and the Customer that references it (the "Agreement"). This DPA becomes effective on the effective date of the Agreement.
1. Data Processing
1.1. Scope
This DPA applies when DAVI processes Customer Personal Data or Account Data in providing the Services under the Agreement to Customer.
1.2. Roles of the Parties
- (a) Customer Personal Data. The parties agree that DAVI is a processor with respect to its processing of Customer Personal Data in providing the Services. DAVI will only process Customer Personal Data in accordance with the Agreement, this DPA (including Annex A), and Orders (the "Documented Instructions"). DAVI will promptly inform Customer if it becomes aware that the Documented Instructions violate Data Protection Laws.
- (b) Account Data. The parties agree that Customer and DAVI are independent controllers of Account Data, and each party (i) will comply with its obligations as a controller and (ii) undertakes to provide reasonable assistance to the other party when Data Protection Laws require it.
1.3. Customer Obligations
Customer is responsible for ensuring that no special categories of personal data (under Article 9 of GDPR), personal data relating to criminal convictions and offenses (under Article 10 of GDPR), or similar sensitive personal data (defined in Data Protection Laws) are submitted to DAVI for processing.
1.4. Compliance with Laws
Each party will comply with all Data Protection Laws applicable to its performance under this DPA.
2. Term
This DPA remains in effect until the completion of (a) expiration or termination of the Agreement, and (b) the return or deletion of Customer Personal Data in accordance with Section 6.
3. Security and Confidentiality
DAVI will implement and maintain technical and organizational measures to protect Customer Personal Data and Account Data against destruction, loss, accidental or unlawful alteration, unauthorized disclosure or access, as described in Annex B (the "Technical and Organizational Measures"). DAVI will take appropriate measures to ensure compliance with the Technical and Organizational Measures by its employees, agents, contractors, and subprocessors to the extent applicable to their scope of performance, including ensuring that all persons authorized to process Customer Personal Data or Account Data have agreed to appropriate confidentiality obligations.
4. Privacy by Design and by Default
DAVI commits to applying the principles of "privacy by design and by default" as defined in Article 25 of GDPR. This means that appropriate technical and organizational measures are integrated into systems and processes from their design to ensure a level of security appropriate to the risks. Furthermore, only personal data strictly necessary for processing purposes are collected, processed, and retained. DAVI ensures that these principles are respected throughout the entire lifecycle of processing, from the design phase to data deletion.
5. Subprocessors
5.1. Subprocessor Authorization
Customer generally authorizes DAVI to engage subprocessors in accordance with this Section 4 and approves DAVI's use of the subprocessors listed in the Subprocessor List. DAVI will update the Subprocessor List at least 30 days before appointing a new subprocessor and will provide Customer with a mechanism to receive notifications of updates to the Subprocessor List (a "Change Notice"), which is currently available via the Subprocessor List.
5.2. Objections to Subprocessors
Customer may object to the new subprocessor for reasonable reasons related to the protection of Customer Personal Data by sending an email to davi@davi.ai describing its good faith legitimate objection within 15 days following a Change Notice (an "Objection Notice"), in which case DAVI may satisfy the objection by (a) not using the subprocessor to process Customer Personal Data; (b) taking corrective measures requested by Customer in its Objection Notice; or (c) ceasing to provide the portions of Services that involve the subprocessor processing Customer Personal Data, subject to mutual agreement of the parties to adjust the compensation for Services given their reduced scope. If none of the options described above is reasonably available and Customer's objection has not been resolved to the mutual satisfaction of the parties within 15 days following DAVI's receipt of the Objection Notice, either party may terminate the relevant Order and DAVI will refund to Customer a pro-rata portion of any unused amount prepaid by Customer under the applicable Order for the Services based on the remaining portion of the current Order term. If Customer does not provide a timely Objection Notice regarding a new subprocessor, Customer will be deemed to have authorized DAVI's use of the subprocessor and waived its right to object.
5.3. Subprocessor Requirements
DAVI will enter into a written agreement with each subprocessor that contains data protection obligations equivalent to those in this DPA. DAVI will be responsible for the acts and omissions of its subprocessors undertaken in connection with DAVI's performance under this DPA to the same extent that DAVI would be responsible if performing the Services directly.
6. Data Subject Requests
If DAVI receives a Data Subject Request, DAVI will (a) inform the data subject to submit the request directly to Customer and (b) promptly inform Customer of the request. When Data Protection Laws require it, DAVI, at Customer's request and taking into account the nature of Customer Personal Data processed, will provide reasonable assistance to Customer in responding to the Data Subject Request to the extent that Customer is not able, through its use of the Services, to respond to a particular Data Subject Request on its own. To the extent permitted by applicable law, Customer will be responsible for all costs arising from DAVI's assistance.
7. Data Deletion
At the end of the Contract, the Customer has 30 days to export their personal data using the tools provided or by requesting assistance from DAVI. At the end of this period, and unless the Customer takes action to the contrary, DAVI will automatically delete the Customer's personal data.
Data in production will be deleted within a maximum of 90 days, and data in backups within 180 days. During this retention period in backups, the data will be isolated, protected, and excluded from any processing, unless otherwise required by law.
In accordance with regulations, DAVI will only retain data whose retention is required by applicable laws, which will remain subject to the security conditions of this DPA until its final deletion.
8. Personal Data Breaches
8.1. Breach Notification
DAVI will inform Customer without undue delay after becoming aware of a Personal Data Breach. DAVI's notification to Customer will describe (a) the nature of the Personal Data Breach, including, if known, the categories and approximate number of data subjects concerned and personal data records concerned; (b) the measures that DAVI has taken, or plans to take, to respond to and mitigate the Personal Data Breach; (c) any measures that DAVI recommends Customer take to remedy the Personal Data Breach; and (d) information regarding DAVI's point of contact concerning the Personal Data Breach. If DAVI cannot provide all of the above information in the initial notification, DAVI will provide the information to Customer as soon as it becomes available.
8.2. Breach Response
DAVI will promptly take all measures relating to its Technical and Organizational Measures that it deems necessary and desirable to identify and remedy the cause of a Personal Data Breach.
8.3. General
DAVI's notification or response to a Personal Data Breach will not constitute an acknowledgment of fault or liability with respect to the Personal Data Breach. The obligations set forth in this Section 7 do not apply to Personal Data Breaches caused by Customer, Authorized Users, or Customer component providers. Unless required by applicable law (including timelines prescribed by Data Protection Laws), if Customer decides to inform a supervisory authority, data subjects, or the public of a Personal Data Breach, Customer will make reasonable efforts to provide DAVI with prior copies of the notice(s) and allow DAVI to have the opportunity to provide clarifications or corrections.
9. Audits
9.1. DAVI Audit Reports
Upon Customer's request, and subject to the confidentiality provisions of the Agreement, DAVI will make available to Customer copies or extracts of DAVI's audit reports relating to the security of the Services.
9.2. Customer Audit Rights
Customer may request (directly or through a third-party auditor subject to written confidentiality obligations) an audit of DAVI to verify DAVI's compliance with the terms of this DPA if such an audit is required by Data Protection Laws and DAVI's compliance cannot be demonstrated through less burdensome means for DAVI (including under Section 8.1). Any audit under this section must meet the following requirements: (a) Customer must provide DAVI with written notice of at least 30 days of a proposed audit, unless otherwise required by a competent supervisory authority or Data Protection Laws; (b) Customer may not conduct more than one audit during a 12-month period, unless required by a competent supervisory authority; (c) Customer and DAVI must mutually agree on the time, scope, and duration of the audit in advance; (d) Customer must reimburse DAVI for time spent in connection with an audit at DAVI's reasonable professional service rates, which will be made available to Customer upon request; (e) Customer must ensure that its representatives conducting an audit protect the confidentiality of all information obtained through the audit in accordance with the Agreement, execute a mutually acceptable enhanced non-disclosure agreement if requested by DAVI, and comply with DAVI's security policies when on DAVI's premises; and (f) Customer must promptly disclose to DAVI any written audit report created, and any non-compliance findings discovered, as a result of the audit.
10. Data Ownership
Customer retains full ownership and control of Customer Data, including Customer Personal Data generated in connection with the use of the Services.
11. Data Access and Portability
Upon Customer's request, DAVI will make available Customer Data and Customer Personal Data in a structured, commonly used, and interoperable format to enable their export, copying, or transfer to another provider. This access will be provided without undue delay and within thirty (30) days at the latest.
12. Data Sharing with Third Parties
Customer may request DAVI to transmit its Data to a third party of its choice. DAVI will execute this transmission under security conditions equivalent to those applied for Customer. Only reasonable and proportionate fees, corresponding to costs directly related to the transfer, may be charged.
13. Interoperability
DAVI will maintain technical interfaces and documentation enabling the interoperability of the Services with other solutions, in accordance with Data Act requirements.
14. Access by Public Authorities
DAVI may be required, in exceptional situations of public interest defined by the Data Act, to communicate certain Data to competent public authorities. To the extent permitted by law, DAVI will inform Customer prior to any such communication.
15. Use of Data by DAVI
Customer Data and Customer Personal Data will be used by DAVI only in connection with the performance of the Agreement. Any secondary use for commercial purposes will require Customer's prior written consent.
16. Technical Data Collected by DAVI
As part of providing the Services, DAVI may collect technical data, such as logs and metrics, to ensure proper operation, monitoring, security, and continuous improvement of the Services. This technical data is classified according to its nature and relationship to Customers, as follows:
16.1. Internal Technical Data
Logs and metrics generated exclusively for internal operation, monitoring, or security purposes of the Services, and containing no information identifying a Customer or its users, constitute internal data. This data remains the exclusive property of DAVI, which may use it freely for maintenance, optimization, security, and improvement of its Services.
16.2. Customer-Related Data
When logs or metrics contain information relating to a specific Customer (including a tenant identifier, user identifier, or any Customer Data), such data is considered Customer Data. It is subject to the ownership, access, portability, and data protection regime defined in this DPA and may only be used by DAVI for purposes expressly authorized by Customer.
17. Impact Assessments and Prior Consultation
Taking into account the nature of the processing and the information available to DAVI, DAVI will assist, when Data Protection Laws require it, Customer in fulfilling its obligations related to data protection impact assessments (when related to the Services, and only to the extent that Customer does not otherwise have access to relevant information) and prior consultation with supervisory authorities, including by providing the information described in Section 8.1 above.
18. Data Transfers
Any transfer of data to a third country may only be done with the prior written consent of the controller and provided that the specific requirements of Articles 44 et seq. of GDPR are met.
If the Processor is required to transfer Data to a third country or international organization under Union law or Member State law to which it is subject, it must inform the Controller of this legal obligation before Processing, unless the law concerned prohibits such information on important grounds of public interest.
19. Limitation of Liability
The liability of each party taken as a whole, arising from or related to this DPA, whether in contract, tort, or under any other theory of liability, is subject to the limitation of liability provisions of the Agreement.
20. Modifications
DAVI may make modifications to this DPA when (a) the change is necessary to comply with applicable law; or (b) the change is commercially reasonable, does not materially reduce the security of the Services, does not change the scope of DAVI's processing of Customer Personal Data, and does not have a materially adverse impact on Customer's rights under this DPA.
21. Definitions
Capitalized terms not otherwise defined in this DPA or in the Agreement have the meaning assigned to them below.
- "Account Data" means information about Customer that Customer provides to DAVI in connection with creating or administering its DAVI accounts, such as the first and last name, username, and email address of an Authorized User or Customer's billing contact.
- "Controller" means the entity that determines the purposes and means of the processing of personal data.
- "Customer Data" means data from Customer's environment that is submitted for processing by the Services. Through Customer's configuration and use of the Services, Customer controls the types and amounts of Customer Data.
- "Customer Personal Data" means Customer Data comprising personal data.
- "Data Protection Laws" means data protection or privacy laws and regulations directly applicable to the processing of personal data by a Party under the Agreement, including European Data Protection Laws.
- "Data Subject" means the identified or identifiable natural person to whom personal data relates.
- "Data Subject Request" means a request from a data subject exercising their rights under Data Protection Laws that relates to Customer Personal Data and identifies Customer.
- "EEA" means the European Economic Area.
- "European Data Protection Laws" means GDPR; UK GDPR; and any national data protection law, implementing regulation, or binding decision made under GDPR or UK GDPR.
- "GDPR" means Regulation 2016/679 of the European Parliament and of the Council of April 27, 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
- "Data Act" means Regulation (EU) 2022/868 of the European Parliament and of the Council of May 30, 2022, on rules concerning access to and portability of data in digital services, aimed at ensuring fair, secure, and transparent use of data between service providers and users.
- "Personal Data" means any information relating to an identified or identifiable natural person.
- "Personal Data Breach" means a breach of DAVI's security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data.
- "Process" and "Processing" mean any operation or set of operations performed on personal data, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
- "Processor" means the entity that processes personal data on behalf of a controller.
- "Subprocessor" means any subprocessor engaged by DAVI or a DAVI affiliate to process Customer Personal Data on behalf of DAVI or its affiliate while providing the Services.
- "Subprocessor List" means the list of subprocessors available in Annex B.
Annex A - Data Transfer Details
1. LIST OF PARTIES
Data Exporter(s):
Name: Customer.
Address: Customer's address associated with their DAVI account or as specified in the Agreement.
Contact person's name, position, and contact details: Customer's contact details associated with their DAVI account or as specified in the Agreement.
Activities relevant to the data transferred under these clauses: Processing of Customer Personal Data and Account Data for the purpose of providing, supporting, and improving the Services.
Signature and date: The parties agree that execution of the Agreement constitutes execution of this Annex A by both parties.
Role (controller/processor): Processor or controller with respect to Customer Personal Data; controller with respect to Account Data.
Data Importer(s):
Name: DAVI.
Address: 19, rue Godefroy, 92800 PUTEAUX
Contact person's name, position, and contact details: DAVI's contact details as set forth in the Agreement. DAVI's privacy team can be contacted at davi@davi.ai.
Activities relevant to the data transferred under these clauses: Processing of Customer Personal Data and Account Data for the purpose of providing, supporting, and improving the Services.
Signature and date: The parties agree that execution of the Agreement constitutes execution of this Annex A by both parties.
Role (controller/processor): Processor with respect to Customer Personal Data; controller with respect to Account Data.
2. DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred
With respect to Account Data: data subjects may include Customer's employees. With respect to Customer Personal Data, data subjects may include Customer's employees, customers, suppliers, and end users.
Categories of personal data transferred
With respect to Account Data: personal data that is sent to DAVI by Customer for the purpose of using the Services. With respect to Customer Personal Data: personal data that is sent to DAVI by Customer for the purpose of using the Services.
No sensitive personal data (Article 9 of GDPR) is collected, stored, or processed by DAVI.
The frequency of the transfer (e.g., whether the data is transferred on a one-time or continuous basis)
Personal data is transferred on a continuous basis.
Nature of the processing
DAVI will only process Customer Data for the Permitted Purposes, which will include: (i) processing necessary to provide the Service in accordance with the Agreement; (ii) processing initiated by Customer in its use of the Service; and (iii) processing to comply with all other reasonable instructions provided by Customer (e.g., via email or support tickets) that are consistent with the terms of the Agreement.
Purpose(s) of the data transfer and further processing
With respect to Account Data: for DAVI to (a) manage Customer's account, including to calculate fees; (b) provide and improve the Services and support, including to respond to support requests and resolve other issues; and (c) provide Customer and Authorized Users with information, service and feature announcements, and other reports. With respect to Customer Personal Data: for DAVI to provide, support, and improve the Services.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
With respect to Account Data: personal data is retained to manage Customer's accounts in accordance with DAVI's privacy policy. With respect to Customer Personal Data: personal data is retained in accordance with Customer's configuration of the Services or retention schedules described in the documentation.
For transfers to (sub-)processors, also specify subject matter, nature and duration of the processing
With respect to Account Data: the subject matter of personal data transferred to subprocessors is Account Data, which is transferred to subprocessors to manage Customer's accounts with DAVI, in accordance with DAVI's privacy policy. With respect to Customer Personal Data: the subject matter of personal data transferred to subprocessors is Customer Personal Data, which is transferred to subprocessors to provide, support, and improve the Services, as specified in the Agreement between Customer and DAVI.
3. COMPETENT SUPERVISORY AUTHORITY
Identify the competent supervisory authority/ies in accordance with Clause 13
The competent supervisory authority determined in accordance with Data Protection Laws.
Annex B - Technical and Organizational Measures
As of the date of this DPA, DAVI's technical and organizational measures include the following.
1. Access Control
- DAVI restricts access to Customer Personal Data to employees with a defined need to know or a role requiring such access.
- DAVI maintains user access controls that address timely provisioning and deprovisioning of user accounts.
2. Business Continuity
- DAVI maintains business continuity, backup, and disaster recovery plans ("BC/DR Plans") to minimize service loss and comply with applicable laws.
- BC/DR Plans address threats to the Services and any dependencies, and have an established procedure to resume access and use of the Services.
- BC/DR Plans are tested at regular intervals.
3. Change Control
- DAVI maintains policies and procedures to apply changes to the Services, including the underlying infrastructure and system components, to ensure quality standards are met.
- Security patches are applied in accordance with DAVI's patching schedule.
- DAVI maintains a testing and development environment separate from the production environment.
4. Data Security
- DAVI maintains technical safeguards and other security measures to ensure the security and confidentiality of Customer Personal Data.
- DAVI logically separates Customer Personal Data in the production environment.
Annex C - Subprocessor List
1. What is a Subprocessor?
In order to provide its Services, DAVI may engage third parties or other members of the DAVI group (affiliates) to perform data processing activities that involve access to Customer Data. These organizations, called "subprocessors," are identified below with their location and the types of services they provide to DAVI.
2. Subprocessors
| Company | Country | Service Type |
|---|---|---|
| Hubspot | Germany | Support ticket management and customer service |
| MailJet | Germany / Belgium | Email notification services |
| Microsoft Corporation (Azure) | France | Infrastructure provider |
| Microsoft Corporation (Office 365) | France | Email and office applications |
| Scaleway | France | Infrastructure provider |