GENERAL TERMS & CONDITIONS
General Terms and Conditions of Use and the Services
Clustaar is a web and mobile platform (the “Platform”) operated by One Clic Conseil, a simplified joint-stock company with capital of €7,491, whose registered address is 14, rue du Vieux Faubourg, Lille (59800) registered in the Lille Trade and Companies Register under number 794 927 020 and with intracommunity VAT number FR85794927020 (the “Service Provider”).
The Platform allows Owner Users to generate robot conversation agents online (the “Chatbots”) for users (the “User(s)”).
Various services are offered on the Platform (the “Service(s)”) including:
– Access to the Chatbot creation interface
– Chatbot settings; and
– Users’ visualization of Chatbot settings; and
– Integration on the compatible web or mobile interfaces (the “Interface(s)”) and Chatbot management.
These General Terms and Conditions of Use and the Services apply unreservedly and unrestrictedly, excluding all other conditions for the provision of the aforementioned Services.
Article 1 – Definitions – Interpretation
The terms and expressions beginning with a capital letter where used in this Contract have the following meaning:
|“Owner Access”||Has the meaning given in article 4.2;|
|“User Access”||Has the meaning given in article 4.3;|
|“Bug”||Means any design, performance or programming error on the Platform which impedes normal use of all or part of the Platform and/or causes an incorrect result or action when the Platform is used according to the instructions;
|“Chatbot”||Has the meaning given in the recitals;|
|“Client”||Has the meaning given in the Special Terms and Conditions;|
|“Special Terms and Conditions”||Has the meaning given in article 2.1;|
|“Contract”||Has the meaning given in article 2.1;|
|“Owner(s)”||Has the meaning given in article 4.1.a. An Owner may also be called Owner or Admin on the Platform;|
|“Interface(s)”||Has the meaning given in the recitals;|
|“User(s)”||Has the meaning given in article 4.1.b. A User may also be called User or Guest on the Platform;|
|“Day(s)”||Means a day of the week other than Saturday, Sunday or public holidays in France under the provisions of article L. 3133-1 of the Labour Code;|
|“Solution(s)”||Has the meaning given in article 8;|
|“Party(ies)”||Means the Service Provider and the Client;|
|“Platform”||Has the meaning given in the recitals;|
|“Service Provider”||Has the meaning given in the recitals;|
|“Service(s)”||Has the meaning given in the recitals; and|
|“Third Party”||Means any natural or legal person or any other entity, which is not a Party to this Contract, including Users.|
The following rules apply to the interpretation of this Contract:
(a) the headings of articles and appendices are included for convenience and in no way affect the interpretation of any of the stipulations of this Contract;
(b) the use of the expressions “including”, “in particular”, or “particularly” imply that the listing following them is not limiting or exhaustive;
(c) the term “or” is not exclusive;
(d) the definition given to a singular term also applies to that term when used in the plural, and vice versa. This also applies to the use of male or female pronouns;
(e) deadlines expressed in days, months or years are calculated according to the provisions of articles 640 to 642 of the Code of Civil Procedure;
(f) any reference to a Party includes a reference to its heirs, successors and assigns; and
(g) any reference to a document includes any versions of it if amended or replaced (other than in breach of the provisions of this Contact).
Article 2 – Contractual documents – Client’s declaration
2.1. Contractual Documents
The contractual documents are:
– the special terms and conditions drafted by the Parties “the “Special Terms and Conditions”) where applicable;
– these General Terms and Conditions of Use and the Services;
– the Data Processing Agreement provided in Appendix A.
All of the above documents and their appendices together form the contract binding the Parties (the “Contract”).
In case of conflict between one or more provisions in any of the aforementioned documents, the higher document shall prevail.
2.2. Client’s declaration
The Client declares that:
– it has full knowledge hereof and of the appendices;
– it has received all necessary information to make an informed decision;
– it has full capacity, power and authority to sign and execute this contract; and
– that signing hereof does not contradict any legislative, regulatory or statutory provision or contractual stipulation applicable to it.
Article 3 – Purpose of the Contract
The purpose of the Contract is to define the terms and conditions applicable to the Client’s access to the Platform and Services.
The Service Provider grants the Client which accepts after having fully tested the Platform, within the strict terms of article 9, a right to access and use the Platform and Services throughout the term of the Contract.
The Client may not assign all or part of the rights and obligations arising from this Contract without the Service Provider’s prior written permission.
It is specified that for the proper execution hereof, the Client undertakes to notify the Service Provider as soon as possible, by email as well as a registered letter with delivery notice, of any change to its address for correspondence (postal address or P.O. Box). The Service Provider will in no case be responsible for the consequences of the Client’s failure to give notification of this information.
Article 4 – Access – Settings – Updates
4.1. Terms of access to the Platform
The Platform is accessible at the following internet address: https://app.clustaar.com/ optimised for the later versions of the Edge, Chrome and Firefox browsers as well as the mobile web browsers for Android and IOSmobile: Chrome and Safari. The Service Provider is not responsible for the correct installation and operation of browsers on the Client’s and Users’ devices.
The Client may define two categories of Access to the Platform for its collaborators working on the Platform.
- Owner Access
Owner Access is conducted by a log-in provided by the Service Provider. It allows access to the administration and management settings for the Platform giving the option in particular to create, modify and/or integrate Chatbots.
The log-ins provided are personal and confidential. The Client undertakes to make every effort to keep the log-ins secret and not to disclose them in any way whatsoever.
The Client is entirely responsible for the use of those log-ins. It shall ensure that no person not authorised by the Service Provider uses the Owner Access. In the event that it becomes aware that another person is using the Owner Access, the Client will immediately inform the Service Provider and confirm in writing, by registered letter with delivery notice or by email with read receipt.
In the event of theft or loss of the log-ins, the Client will immediately inform the Service Provider and confirm in writing, by registered letter with delivery notice or by email with read receipt.
- User Access
The Client can use its Owner Access to invite one or more Third Parties to consult ongoing projects (the “User(s)”).
The Users however cannot edit the Chatbots, as this ability is reserved for the Owner only.
In order to be invited to consult a Chatbot project on the Platform, the Client’s collaborator must have an account on the Platform which may be created for free at https://app.clustaar.com/#/register
The Client can also use its Owner Access to revoke Users’ access to the shared Platform at any time.
4.2. Settings and integration of Chatbots
The efficiency and interest of Chatbots generated via the Platform directly depend on their settings.
The Client is solely responsible for the settings of the Chatbot and must alone ensure that they meet their expectations.
All generated Chatbots must be integrated according to the instructions given on the Platform. The Client undertakes not to expose the Interface on which the Chatbot is integrated to any risk of piracy and attempted attacks on the vulnerability of the Interface and its security system. As a result, the Client must implement all appropriate measures to prevent those aforementioned risks or any other risk that may affect the Interface.
4.3. Services Update
The Service Provider may be led to update the Services. If the Service Provider modifies the Service in such a way that their functionality is reduced, the Client shall be informed by email at the address associated with the account, and may notify its intention to terminate the Contract with notice of fifteen (15) days. This right of termination does not apply to updates made to the functionalities provided as part of a beta version or an evaluation.
Article 5 – Availability of the Platform and Chatbots
The Service Provider provides the Services to the Client via the Platform accessible on its server through the internet with the exception of maintenance periods. The rate of availability of the Platform and Chatbots configured on the Platform varies depending on the Solutions as detailed in Appendix B hereto.
The Service Provider takes all measures to ensure this monthly availability of the Platform for the time elapsed over a calendar month. Excluding in case of force majeure, this availability designates, for a given calendar month, the total number of minutes minus the duration in minutes of any disruptions to the Services, divided by the total number of minutes of that month.
The Client acknowledges that it is informed that the Chatbot is partially based on third party services (interface, API, etc.) and that in the event of unavailability or dysfunction of one of these services the Chatbot will be unavailable and the Service Provider shall in no case be held responsible for this situation and its consequences.
The Client is also informed that the production of evolutions on the Platform, allowing its improvement may occasionally invoke disruption to the Platform of almost sixty (60) minutes per month. This service disruption may not be considered as unavailability of the Platform when the Service Provider has informed the Client by email 48 hours prior to this service disruption.
The Service Provider reserves the right to update and make operational modifications to the Platform at any time. These updates and operational modifications to the Platform may make access to the Services momentarily unavailable.
The Client undertakes to inform the Company as soon as possible of any unavailability of the Platform by sending an email to the following address: [email protected] Otherwise, the unavailability claimed by the Client may not be included by the Company in the calculation of the Platform’s monthly availability.
The Client is alerted of technical risks and access interruptions that may occur.
The Client and Service Provider undertakes not to expose the Platform to any risk of piracy and attempted attacks on the vulnerability of the Platform and its security system. As a result, the Client and the Service Provider must implement all appropriate measures to prevent those aforementioned risks or any other risk that may affect the Platform and their hosts.
The Service Provider undertakes to implement regular checks to reasonably ensure that the Client may use and access the Platform in the conditions determined herein.
All unavailability that is not a Bug is expressly excluded from the calculation of the Platform’s availability. As a result, any unavailability directly or indirectly due to an error of use by the Client or a User shall not be included in the calculation of availability.
In this context, the Service Provider shall not be obliged to resolve any anomaly or be considered responsible for an anomaly in the following cases:
- the Client’s non-compliance with the required technical configurations stated in the Contract;
- intrusion of a virus or malicious software on the Client’s devices;
- force majeure;
- the Client’s refusal to send the Service Provider the necessary information or data for analysis of the anomaly.
In case of the Service Provider’s non-compliance with this availability rate, the Client where appropriate shall be entitled to claim indemnification if provided as such in its Special Terms and Conditions.
Article 6 – Assistance
The level of assistance varies depending on the Solutions as detailed in Appendix B hereto.
Free technical assistance is available via the customer support livechat available on the Platform. Where livechat is unavailable, the Client will be invited to send a request for assistance by email to the following address [email protected] with as much useful information as possible.
In such cases, the Service Provider shall strive to resolve Bugs which the Client encounters as soon as possible.
6.2. Fixing Bugs
The Service Provider runs a diagnostic of the Bugs reported by the Client and makes every effort to make corrections or override solutions by instructions either by telephone or in writing (livechat or email) which it gives to the Client depending on the course of action it deems most appropriate.
Assistance services expressly exclude all functioning of the Platform directly or indirectly due to an error of use by the Client or any Third Party including any User or a change to the Client’s environment.
These commitments by the Service Provider shall not be construed as a commitment by it to ensure evolving or adaptive maintenance beyond the commitments expressly made herein.
Article 7 – Additional services
In order to assist the Client in its use of the Platform, the Service Provider offers training on the Platform aimed at the presentation of the Platform’s main functions and means of use.
If the Client would like personalised training, it may send the Service Provider a request for a quote for that training.
The Service Provider does not guarantee the compatibility and interoperability of the Platform with the Client’s other software subject to the stipulations of the Solution subscribed. The compatibility and interoperability of the Platform rely on specific IT developments to be made by the Service Provider. These developments may be made at the Client’s request and shall be billed by the Service Provider in terms agreed by the Parties.
7.3. Additional functions
Additional functions may be developed by the Service Provider, on the Platform at the Client’s request.
In any event, new functions shall entirely be the property of the Service Provider and the Client may not claim any ownership or indemnity for these developments. These developments will be made by mutual agreement and billed by the Service Provider in terms agreed by the Parties.
Article 8 – Personal data
The provisions relative to the processing of personal data applicable under the Use of the Platform are provided in the Data Processing Agreement in Appendix A hereto.
Article 9 – Licensing – Intellectual Property
The Service Provider grants the Client a personal, non-exclusive, non-assignable and non-transferable right of use of the Platform, the Services, including Chatbots, throughout the term of the Contract.
This Contract does not confer any right of ownership for the Platform, the Services or the Chatbots. The temporary provision of the Platform and Services, including Chatbots, shall not be construed as assigning any intellectual property right whatsoever to the Client.
The Client undertakes to use the Platform and its Services, including Chatbots, only according to its needs. This licence is granted with the sole objective of allowing the Client to use the Platform and Services, including Chatbots, excluding any other purpose according to their intended use.
The Client may in no case make the Services available to a Third Party and is strictly prohibited from any other use, including but not limited to any adaptation, modification, translation, arrangement, distribution or decompilation.
The Client is also prohibited from reproducing any element of the Platform or any documentation related to it, by any means, in any form and on any support whatsoever.
Article 10 – Users’ Obligations
The Client is prohibited from:
- transmitting, publishing, distributing, recording or destroying any material, in particular content of the Platform, in breach of the laws or regulations in force regarding the collection, processing or sharing of personal data;
- creating false profiles on the Platform;
- providing inaccurate information in the Platform’s form or not updating it regularly;
- via the Platform or Chatbots, distributing data, information or content of a defamatory, damaging, obscene, offensive, violent or violence-inciting nature, or that is political, racist, xenophobic or generally in any way contrary to the laws and regulations in force;
- referencing or creating links to any content or information available via the Platform, without the Service Provider’s prior express written permission;
- using information, content or data on the Platform in order to offer a considered service, at the Service Provider’s discretion, in competition with the Platform;
- selling, exchanging or monetising information, content or any data on the Platform or service offered by the Platform, without the Service Provider’s express written permission;
- on the Platform or Chatbots, practising reverse engineering, decompiling, disassembling, decrypting or otherwise attempting to obtain the source code in relation to any associated intellectual property used to provide all or part of the Services;
- using manual or automatic devices or software, coding robots or other means to access, explore, extract or index any page on the Platform or Chatbots;
- endangering or attempting to endanger the safety of the Platform or Chatbots. This includes attempts to control, scan or test the vulnerability of a system or network or to breach the security or authentication measures without express prior authorisation;
- counterfeiting or using the products, logos, trademarks or any other element protected by the Service Provider’s intellectual property rights;
- simulating the appearance or functioning of the Platform or Chatbots, for example with mirroring;
- directly or indirectly disturbing or disrupting the Platform, Chatbots, or more generally the Services, or imposing a disproportionate charge on the infrastructure of the Platform or Chatbots or attempting to transmit or activate IT viruses via or on the Platform or Chatbots.
It is recalled that breaches of the security of the system or network may lead to civil and criminal action. The Service Provider verifies the absence of any such breach and may call on the legal authorities to, where applicable, take action against users participating in any such breach.
The Client must ensure that Users undertake to comply with the prohibitions of this article, and more generally to use the Platform and Chatbots in a loyal manner, according to their intended use and the legal and regulatory provisions and uses in force.
Article 11 – Responsibility
11.1. Use of the Platform and Chatbots
The Service Provider’s role is limited to the provision of the Platform to the Client. The Service Provider makes no commitment to deliver a Chatbot to the Client, which is free generate or not generate any Chatbot via the Platform. The Client may not seek a reduction of the financial conditions hereof in case of under-use of the Services included in the Solution subscribed.
The Service Provider makes no guarantee regarding the growth in the Client’s business following use of the Platform.
The Client is obliged to ensure that its use of the Platform and Chatbots complies with the legal and regulatory provisions. The Service Provider gives the Client no guarantee regarding the compliance of the use of the Platform and Chatbots, which it does or plans to do, with the legal and regulatory provisions.
The Client is responsible toward the Service Provider for the use of the Platform and Chatbots by all Owners, Users, or Third Parties.
11.2. Data and content
The Service Provider does not control the Client’s use of the Platform and Chatbots.
The Client undertakes not to directly or indirectly enter content that may violate public order, incite Third Party protests, or breach the legal provisions in force.
As a result, it is expressly agreed that where legal action is taken against the Service Provider in any respect or in any country whatsoever, by a User or a Third Party on the basis of, in particular, an industrial and/or intellectual property right related to an element directly or indirectly provided by the Client, including all Users, the latter undertakes to fully guarantee the Service Provider against direct and/or indirect economic and financial consequences (including costs of proceedings and defence) that may arise from these claims.
The Client must ensure the proper configuration and operation of the Service Provider’s APIs. The Client may not reproach the Service Provider on any basis whatsoever for the non-receipt or loss of data and content following unchecked or poorly composed API calls. The Client will, therefore, strive to keep a backup of data transmitted.
11.3. General provisions
In any event, the Service Provider shall in no case be responsible for indirect unforeseeable loss or damage to the Client, Users or Third Parties, including in particular any loss of earnings, inaccuracy or corruption of files or data, harm to business, loss of profits or sales, loss of customers or lost opportunity in any regard and on any basis whatsoever.
In case of condemnation of the Service Provider, it is expressly agreed that its responsibility shall be limited to the amount of fees effectively paid by the Client under this Contract in the year preceding the event for which the Service Provider’s responsibility has been claimed.
Article 12 – Solutions
Several solutions are offered to the Client (the “Solution(s)”) as listed in Appendix B. The initial choice of Solution subscribed by the Client is stated in the Special Terms and Conditions.
The chosen Solution determines, in particular:
– the number of Users that can interact with Chatbots and billing to Users; and
– the applications that are compatible with the Chatbots.
It is specified that for the purposes of the Solution, Users of Chatbots are billed as follows:
|Channel of use||Clustaar Webchat||Intercom||Facebook Messenger||Twillio|
|User Definition||Unique user identified by a computer web browser
Defined by the integrator (API)
|Unique user identified by a login provided by Intercom||Unique user identified by a login provided by Facebook||Unique user identified by telephone number|
The Client’s choice of Solution is its own full, exclusive responsibility.
The Client also acknowledges that in the event that the maximum available number of Users for its Solution is exceeded, additional Users will be subject to additional itemised billing as detailed in the description of Solutions in Appendix B and in the Special Terms and Conditions. The Client may in no case take advantage of the abusive use of its Chatbots by Users to request non-billing for these Users by the Service Provider; the Client is informed in particular of this risk in case of availability of its Chatbots on freely accessible public Interfaces.
In case of non-consumption by the Client of the set number of Users given under the Solution it has subscribed, no price reduction will be given.
Article 13 – Fees
13.1. Payment terms
The Client is obliged to pay a fixed monthly sum, determined and payable according to the stipulations of the Special Terms and Conditions. Where applicable it is also obliged to pay an additional fee per extra User of its Chatbots where the maximum number of Users given in its Solution is exceeded.
Payments made by the Client shall not be considered final until the sums owed are actually received by the Service Provider.
An invoice is drawn up by the Service Provider and submitted to the Client ahead of each payment.
13.2. Payment incidents
Without prejudice to any damages and interest, failure by the Client to pay a sum when due, by law invokes:
– application of a late penalty equal to five (5)% of the amount excluding tax of the invoice concerned by the payment incident, without prior notice, per calendar day, from the first day late;
– immediate charging of all of the sums due by the Client to the Service Provider, without prejudice to any other action that the Service Provider may take against the Client; and
– immediate charging of a fixed indemnity of €40 for recovery costs in accordance with article D. 441-5 of the Commercial Code. Where recovery costs incurred are higher than this fixed indemnity, the Service Provider reserves the right to claim additional indemnification upon presentation of the corresponding justification.
In case of non-respect of the payment conditions above, the Service Provider also reserves the right to suspend or cancel the access of the Client and users to the Platform and Chatbots as well as the provision of Services as well as to reduce and/or cancel any agreed discounts.
Article 14 – Termination
The Client has the possibility at all times, including during the Contract, to terminate the Solution by email as well as a registered letter with delivery notice to the Company’s registered address. This termination shall not be effective until the end of the current contract period.
The Contract may also be terminated in case of characterized, repeated and serious breach by either Party of the obligations imposed by the Contract, after notice addressed by registered letter with delivery notice or letter hand-delivered against signature, to resolve this breach within fifteen (15) calendar days from receipt of the letter of notice.
Once the Contract is terminated for any reason whatsoever, within a period of six (6) months from the termination of the Contract, all data as well as the Chatbots shall be destroyed without prior information to the Client by the Service Provider. As a result, the Client must keep a backup of its data.
Article 15 – Communication
Without prejudice to the stipulations of article 16, the Client authorises the Service Provider throughout the term of the Contract and for two (2) years after its cessation for any reason whatsoever, to communicate by any means and support, the existence of referencing of the Client by the Service Provider with respect to this Contract. To this effect, the Service Provider may use the Client’s logo on its website or any other communication support.
Article 16 – Confidentiality
For the purposes hereof, the term “Confidential Information” covers all information or documents disclosed by each Party to the other Party, in writing or verbally, including but not limited to all written or printed documents, design models, business secrets, know-how, financial or trade documents, calculations and templates, or more generally all means of disclosure of the Confidential Information that each Party may choose with regard to the other Party.
However, the term “Confidential Information” does not cover information which:
(i) is, or will be when shares, available and known to the public other than by disclosure in breach of these provisions;
(ii) has been or would be communicated to one of the Parties by a third party not directly or indirectly related to the other Party or one of its representatives;
(iii) has been developed by one of the Parties on the basis of information other than that Confidential Information; or
(iv) is disclosed or announced to the public by agreement between the Parties.
Throughout the term of this Contract and for two (2) years after its cessation for any reason whatsoever, the Parties undertake not to in any way whatsoever including verbally, disclose the Confidential Information without the other Party’s prior written permission, and:
– to protect and keep strictly confidential, and treat with the same level of caution and protection that it would afford to its own confidential information of the same importance, the other Party’s Confidential Information;
– not to disclose it internally other than to its employees or subcontractors, and only where necessary for the execution hereof;
– not to totally or partially copy, reproduce or duplicate where these copies, reproductions or duplications have not been authorised by the other Party; specifically, all Confidential Information and their reproductions transmitted by each of the Parties to the other must be returned immediately upon request.
In the event that one of the Parties’ legal or regulatory obligations, particularly following a request from a judicial or administrative authority, or in the context of regulations applicable to it, require it to communicate Confidential Information or make it public, this Party is authorised as such.
Article 17 – Applicable law – Agreement of proof
This contract is subject to French law.
The IT systems and files are authentic in relations between the Parties.
As such, for the purposes of proof, in the context of any proceedings, the Service Provider and Client may validly produce data, files, programmes, recordings or other elements received, issued or kept through the IT systems operated by the latter, on all analogue or digital supports, and may take advantage thereof without manifest error.
Article 18 – Divisibility – Independence of the Parties
If any of the stipulations of the Contract is found to be null or unenforceable, for any reason whatsoever, by a competent Court, the validity of the other stipulations of the Contract shall in no way be affected or compromised and the Parties shall negotiate in good faith to replace the disputed stipulation with another of the same economic effect as the initial one.
The Parties expressly declare that they are and shall remain independent professional business partners throughout the term of the Contract.
The Parties expressly declare that they do not wish to hereby create a company with legal personality, or a joint venture, or a de facto partnership.
Article 19 – Disputes
Any dispute which may arise from the interpretation, execution, non-execution or results or consequences of this Contract shall, where the dispute is brought before the French civil courts, be subject to the competence of Lille Commercial Court, to which competence is expressly allocated.
Data Processing Agreement
Customer GDPR Data Processing Agreement
This Customer Data Processing Agreement reflects the requirements of the European Data Protection Regulation (“GDPR”) as it comes into effect on May 25, 2018. Clustaar´s products and services offered in the European Union are GDPR ready and this DPA provides you with the necessary documentation of this readiness.
This Data Processing Agreement (“DPA”) is an addendum to the Customer Terms of Service (“Agreement”) between Clustaar and the Customer. All capitalized terms not defined in this DPA shall have the meanings set forth in the Agreement. Customer enters into this DPA on behalf of itself and, to the extent required under Data Protection Laws, in the name and on behalf of its Authorized Affiliates (defined below).
The parties agree as follows:
“Affiliate” means an entity that directly or indirectly Controls, is Controlled by or is under common Control with an entity.
“Authorized Affiliate” means any of Customer Affiliate(s) permitted to or otherwise receiving the benefit of the Services pursuant to the Agreement.
“Control” means an ownership, voting or similar interest representing fifty percent (50%) or more of the total interests then outstanding of the entity in question. The term “Controlled” shall be construed accordingly.
“Controller” means an entity that determines the purposes and means of the processing of Personal Data.
“Customer Data” means any data that Clustaar and/or its Affiliates processes on behalf of Customer in the course of providing the Services under the Agreement.
“Data Protection Laws” means all data protection and privacy laws and regulations applicable to the processing of Personal Data under the Agreement, including, where applicable, EU Data Protection Law.
“EU Data Protection Law” means (i) prior to May 25, 2018, Directive 95/46/EC of the European Parliament and of the Council on the protection of individuals with regard to the processing of Personal Data and on the free movement of such data (“Directive”) and on and after May 25, 2018, Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data (General Data Protection Regulation) (“GDPR”); and (ii) Directive 2002/58/EC concerning the processing of Personal Data and the protection of privacy in the electronic communications sector and applicable national implementations of it (in each case, as may be amended, superseded or replaced).
“Personal Data” means any Customer Data relating to an identified or identifiable natural person to the extent that such information is protected as personal data under applicable Data Protection Law.
“Privacy Shield” means the EU-US and Swiss-US Privacy Shield Frameworks, as administered by the U.S. Department of Commerce.
“Privacy Shield Principles” means the Privacy Shield Framework Principles (as supplemented by the Supplemental Principles) contained in Annex II to the European Commission Decision of 12 July 2016 pursuant to the Directive, details of which can be found at www.privacyshield.gov/eu-us-framework.
“Processor” means an entity that processes Personal Data on behalf of the Controller.
“Processing” has the meaning given to it in the GDPR and “process”, “processes” and “processed” shall be interpreted accordingly.
“Security Incident” means any unauthorized or unlawful breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Personal Data.
“Services” means any product or service provided by Clustaar to Customer pursuant to and as more particularly described in the Agreement.
“Sub-processor” means any Processor engaged by Clustaar or its Affiliates to assist in fulfilling its obligations with respect to providing the Services pursuant to the Agreement or this DPA. Sub-processors may include third parties or any Clustaar Affiliate.
2. Scope and Applicability of this DPA
2.1 This DPA applies where and only to the extent that Clustaar processes Personal Data on behalf of the Customer in the course of providing the Services and such Personal Data is subject to Data Protection Laws of the European Union, the European Economic Area and/or their member states, Switzerland and/or the United Kingdom. The parties agree to comply with the terms and conditions in this DPA in connection with such Personal Data.
2.2 Role of the Parties. As between Clustaar and Customer, Customer is the Controller of Personal Data and Clustaar shall process Personal Data only as a Processor on behalf of Customer. Nothing in the Agreement or this DPA shall prevent Clustaar from using or sharing any data that Clustaar would otherwise collect and process independently of Customer’s use of the Services.
2.3 Customer Obligations. Customer agrees that (i) it shall comply with its obligations as a Controller under Data Protection Laws in respect of its processing of Personal Data and any processing instructions it issues to Clustaar; and (ii) it has provided notice and obtained (or shall obtain) all consents and rights necessary under Data Protection Laws for Clustaar to process Personal Data and provide the Services pursuant to the Agreement and this DPA.
2.4 Clustaar Processing of Personal Data. As a Processor, Clustaar shall process Personal Data only for the following purposes: (i) processing to perform the Services in accordance with the Agreement; (ii) processing to perform any steps necessary for the performance of the Agreement; and (iii) to comply with other reasonable instructions provided by Customer to the extent they are consistent with the terms of this Agreement and only in accordance with Customer’s documented lawful instructions. The parties agree that this DPA and the Agreement set out the Customer’s complete and final instructions to Clustaar in relation to the processing of Personal Data and processing outside the scope of these instructions (if any) shall require prior written agreement between Customer and Clustaar.
2.5 Nature of the Data. Clustaar handles Customer Data provided by Customer. Such Customer Data may contain special categories of data depending on how the Services are used by Customer. The Customer Data may be subject to the following process activities: (i) storage and other processing necessary to provide, maintain and improve the Services provided to Customer; (ii) to provide customer and technical support to Customer; and (iii) disclosures as required by law or otherwise set forth in the Agreement.
2.6 Clustaar Data. Notwithstanding anything to the contrary in the Agreement (including this DPA), Customer acknowledges that Clustaar shall have a right to use and disclose data relating to and/or obtained in connection with the operation, support and/or use of the Services for its legitimate business purposes, such as billing, account management, technical support, product development and sales and marketing. To the extent any such data is considered personal data under Data Protection Laws, Clustaar is the Controller of such data and accordingly shall process such data in compliance with Data Protection Laws.
3.1 Authorized Sub-processors. Customer agrees that Clustaar may engage Sub-processors to process Personal Data on Customer’s behalf. The Sub-processors currently engaged by Clustaar and authorized by Customer are listed in Annex A.
3.2 Sub-processor Obligations. Clustaar shall: (i) enter into a written agreement with the Sub-processor imposing data protection terms that require the Sub-processor to protect the Personal Data to the standard required by Data Protection Laws; and (ii) remain responsible for its compliance with the obligations of this DPA and for any acts or omissions of the Sub-processor that cause Clustaar to breach any of its obligations under this DPA.
3.3 Changes to Sub-processors. Clustaar shall provide Customer reasonable advance notice (for which email shall suffice) if it adds or removes Sub-processors.
3.4 Objection to Sub-processors. Customer may object in writing to Clustaar’s appointment of a new Sub-processor on reasonable grounds relating to data protection by notifying Clustaar promptly in writing within five (5) calendar days of receipt of Clustaar’s notice in accordance with Section 3.3. Such notice shall explain the reasonable grounds for the objection. In such event, the parties shall discuss such concerns in good faith with a view to achieving commercially reasonable resolution. If this is not possible, either party may terminate the applicable Services that cannot be provided by Clustaar without the use of the objected-to-new Sub-processor.
4.1 Security Measures. Clustaar shall implement and maintain appropriate technical and organizational security measures to protect Personal Data from Security Incidents and to preserve the security and confidentiality of the Personal Data, in accordance with Clustaar’s security standards described in Annex B (“Security Measures”).
4.2 Confidentiality of Processing. Clustaar shall ensure that any person who is authorized by Clustaar to process Personal Data (including its staff, agents and subcontractors) shall be under an appropriate obligation of confidentiality (whether a contractual or statutory duty).
4.3 Security Incident Response. Upon becoming aware of a Security Incident, Clustaar shall notify Customer without undue delay and shall provide timely information relating to the Security Incident as it becomes known or as is reasonably requested by Customer.
4.4 Updates to Security Measures. Customer acknowledges that the Security Measures are subject to technical progress and development and that Clustaar may update or modify the Security Measures from time to time provided that such updates and modifications do not result in the degradation of the overall security of the Services purchased by the Customer.
5. Security Reports and Audits
5.1 Clustaar shall maintain records of its security standards. Upon Customer’s written request, Clustaar shall provide (on a confidential basis) copies of relevant external certifications, audit report summaries and/or other documentation reasonably required by Customer to verify Clustaar’s compliance with this DPA. Clustaar shall further provide written responses (on a confidential basis) to all reasonable requests for information made by Customer, including responses to information security and audit questionnaires, that Customer (acting reasonably) considers necessary to confirm Clustaar’s compliance with this DPA, provided that Customer shall not exercise this right more than once per year.
6. Processing location
6.1 Processing Locations. Clustaar stores and processes EU Data (defined below) in data centers located inside the European Union.
7. Return or Deletion of Data
7.1 Upon deactivation of the Services, all Personal Data shall be deleted on demand, save that this requirement shall not apply to the extent Clustaar is required by applicable law to retain some or all of the Personal Data, or to Personal Data it has archived on back-up systems, which such Personal Data Clustaar shall securely isolate and protect from any further processing, except to the extent required by applicable law.
7.2 Upon specific request, all Personal Data of a specific final user shall be deleted, given that his Interlocutor Id has been provided by the Customer.
8.1 To the extent that Customer is unable to independently access the relevant Personal Data within the Services, Clustaar shall (at Customer’s expense) taking into account the nature of the processing, provide reasonable cooperation to assist Customer by appropriate technical and organizational measures, in so far as is possible, to respond to any requests from individuals or applicable data protection authorities relating to the processing of Personal Data under the Agreement. In the event that any such request is made directly to Clustaar, Clustaar shall not respond to such communication directly without Customer’s prior authorization, unless legally compelled to do so. If Clustaar is required to respond to such a request, Clustaar shall promptly notify Customer and provide it with a copy of the request unless legally prohibited from doing so.
8.2 To the extent Clustaar is required under Data Protection Law, Clustaar shall (at Customer’s expense) provide reasonably requested information regarding Clustaar’s processing of Personal Data under the Agreement to enable the Customer to carry out data protection impact assessments or prior consultations with data protection authorities as required by law.
9.1 Except for the changes made by this DPA, the Agreement remains unchanged and in full force and effect. If there is any conflict between this DPA and the Agreement, this DPA shall prevail to the extent of that conflict.
9.2 This DPA is a part of and incorporated into the Agreement so references to “Agreement” in the Agreement shall include this DPA.
9.3 In no event shall any party limit its liability with respect to any individual’s data protection rights under this DPA or otherwise.
9.4 This DPA shall be governed by and construed in accordance with governing law and jurisdiction provisions in the Agreement, unless required otherwise by Data Protection Laws.
Annex A – List of Sub-processors
Please see our page on GDPR positionnig.
Annex B – Security Measures
Please see our page on GDPR positionnig.