Data Processing Addendum – Europe

In this Data Processing Addendum, “Whispli” refers to WHISPLI SASU, a French company registered with the Paris Trade and Companies Register under SIREN 853 011 278, having its registered office at 10 Rue de la Paix, 75002 Paris, France, and “Client” refers to you as a client of Whispli (together the “Parties”).

By using the services provided by Whispli, the Client accepts and agrees to (a) this Data Processing Addendum, (b) the General Terms of Use, and (c) the Privacy Policy (together the “Agreement”).

 

PREAMBLE

  1. In order to comply with applicable laws and regulations concerning the protection of personal data, and in particular with the provisions of Article 28 of the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter the “GDPR”), the Client and Whispli have agreed to enter into this personal data processing addendum (hereinafter the “DPA”).
  2. The Parties agree to process the personal data collected, transmitted, produced, administered and hosted in the context of the provision of the services in accordance with (a) the applicable regulation concerning the protection of personal data, (b) this DPA and (c) the data processing sheet agreed between the Parties (hereinafter the “Data Processing Sheet”).
  3. The Data Processing Sheet sets out the purpose(s) of the data processing, the legal basis for the processing, the categories of personal data processed as part of the Services (defined below), and the categories of data subjects.
  4. Unless otherwise specified in the Agreement, the Parties declare that:
    1. any data controller identified as such in the Data Processing Sheet assumes the role of controller for the processing activities described in this DPA and performed as part of the Services (the “Controller”);
    2. Whispli, and any other processor identified as such in the applicable Data Processing Sheet, each at the level set forth in that sheet, acts as a data processor for the Processing described in this DPA and performed in the context of the Services (the “Processor”).

 

  • ARTICLE 1. PURPOSE

The purpose of this DPA is to describe the Processing activities and to define the conditions under which Whispli undertakes to carry out, on behalf of the Client, the Personal Data Processing activities necessary for the provision of the Services.

 

  • ARTICLE 2. DEFINITIONS

“Data Processing Sheet” has the meaning set out in the preamble. The Parties acknowledge and agree that the Processing is carried out pursuant to the Data Processing Sheet in Appendix 1;

“Data Subject” means an identifiable natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data or an online identifier. For the purposes of this DPA, Data Subjects include the Whispli platform’s users, the Client’s staff members and any informants (reporters);

“DPO” means the data protection officer, in accordance with Article 37 of the GDPR;

“Controller” means the natural or legal person who, alone or jointly with others, determines the purposes and means of the processing of Personal Data. For the purposes of this DPA, the Controller is the Client unless otherwise provided;

“Personal Data” means information relating to natural persons, identified or identifiable, directly or indirectly, within the meaning of Article 4 of the GDPR, for which the Client is the Controller and which is processed by Whispli on behalf of the Client;

“Personal Data Breach” means a breach of security resulting in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed;

“Processing” means any operation or set of operations, whether performed by automated means or not, involving Personal Data, including collecting, recording, organising, storing, updating, amending, accessing, using, forwarding, distributing or any other form of supplying, compiling, linking, as well as deleting or destroying Personal Data. The Processing is described in this DPA and the Data Processing Sheet;

“Processor” means the legal person which processes Personal Data on behalf of the Controller. For the purposes of this DPA, the Processor is Whispli and any other Processor indicated as such;

“Regulation” means all applicable laws and regulations in France concerning the protection of personal data, in particular the GDPR and, as long as the Client is located in France, French Law n° 78-17 of 6 January 1978 known as the « Loi Informatique et Libertés »;

“Services” means the services agreed between the Parties under the Agreement, including Whispli’s General Terms and Conditions, namely the provision of a whistleblowing platform and related services, and the corresponding data processing activities carried out by Whispli in its capacity as Processor for the Client;

“Supervisory Authority” means the Commission Nationale de l’Informatique et des Libertés (CNIL) or any other competent supervisory authority in the applicable territory;

“Sub-processor” means the legal entity engaged by the Processor to carry out operations relating to the Processing of Personal Data on the instructions of the Controller, within the scope of the purposes and means defined by the Controller and in accordance with the Regulations. For the purposes of this DPA, the Sub-processors on the date of signature of the DPA are those referenced in the table in Article 16.

In any event, the interpretation provisions contained in the General Terms of Use apply to this DPA.

 

  • ARTICLE 3. DESCRIPTION OF THE PROCESSING

  1. The Processor processes the Personal Data made available by the Controller, on its behalf and with its express authorization.
  2. The nature of the Processing carried out by the Processor on behalf of the Controller in the context of the Services, as well as the types of Personal Data processed, the purposes, the categories of Data Subjects and the retention periods are specified in the Data Processing Sheet.

 

  • ARTICLE 4. GENERAL OBLIGATIONS OF THE PARTIES

  1. The Parties undertake to comply with the Regulations.
  2. On the day of signature or acceptance of the Agreement, the Processing entrusted to the Processor pursuant to this DPA and the Data Processing Sheet constitutes the documented instructions of the Controller. The Client warrants that its instructions for the Processing comply, and will remain compliant, with the Regulations.
  3. The Parties undertake to keep each other informed and to respond promptly and appropriately to any request relating to the Processing covered by this DPA and to any change in the Services that would affect the Processing.
  4. The Parties agree that only the Personal Data necessary for the provision of the Services are processed, as regards the quantity of data, the extent to which it is processed and the period for which it is retained. Whispli will not process Personal Data for its own benefit, for the benefit of any third party, or for its own purposes, advertising purposes or any other purpose, unless required by the applicable Regulations.
  5. The Processor acknowledges, and the Controller represents and warrants, that the Controller is responsible for:
    1. providing sufficient information to the Data Subjects at the time of collection of Personal Data and, if necessary, obtaining their informed, explicit and prior consent;
    2. ensuring, prior to and throughout the duration of the Processing, compliance with the obligations provided for by the Regulations; and
    3. supervising the Processing and carrying out audits if deemed necessary.

 

  • ARTICLE 5. GENERAL OBLIGATIONS OF THE PROCESSOR

  1. The purpose of this Article is to define the obligations of the Processor to ensure the security and confidentiality of Personal Data.
  2. The Processor represents and warrants that it provides sufficient and adequate guarantees as to the implementation of appropriate technical and organizational measures, so that the Processing of Personal Data meets the requirements of the Regulations and safeguards the rights of Data Subjects.
  3. In accordance with the Regulations, the Processor undertakes to:
    1. process, and ensure that any natural person acting under its authority only processes, Personal Data in accordance with the purposes set out in this DPA and on the instructions of the Controller;
    2. subject its personnel involved in the processing of Personal Data to an obligation of confidentiality and to Personal Data protection training;
    3. take all the security measures referred to in its Personal Data Protection Policy;
    4. comply with the requirements set by the Regulations regarding the use of sub-processing and, in particular, impose on any sub-processor, as far as possible, the same obligations as those referred to in this DPA;
    5. make available to the Controller all the information necessary to demonstrate compliance with the obligations referred to above and to enable audits to be carried out by the Controller;
    6. contribute to audits carried out by the Controller;
    7. assist the Controller in fulfilling its obligation to respond to requests submitted by Data Subjects in order to exercise their privacy rights;
    8. assist the Controller in ensuring compliance with its obligations of data security, notification to the competent Supervisory Authority and communication to the Data Subjects in case of a Personal Data Breach, if applicable;
    9. maintain a record of all categories of processing activities carried out on behalf of the Controller;
    10. cooperate with the competent Supervisory Authority, if requested by the latter;
    11. inform the Controller if it considers that a Processing instruction constitutes a violation of the Regulations;
    12. assist the Controller in carrying out any data protection impact assessment (DPIA) for the Processing related to the Services, if required by the Regulations and/or if requested by the competent Supervisory Authority.
  4. In the event of termination of the Agreement, for any reason whatsoever, the Processor must delete the Personal Data. If the Personal Data is handed back at the Client’s request, the Processor shall destroy any remaining copies of the Personal Data as soon as possible and shall notify the Controller in writing of such destruction.

 

  • ARTICLE 6. RETENTION PERIOD OF PERSONAL DATA

  1. The Processor undertakes to keep the Personal Data collected for a limited retention period, this period being approved by the Controller. However, the Processor is not responsible for the obligations incumbent on the Controller in terms of the retention period of Personal Data.
  2. The retention periods for the Personal Data are defined by the Controller in the Data Processing Sheet and set by the Controller directly in the Platform. The Processor shall have no responsibility for them.
  3. At the end of the retention periods, the Processor undertakes, upon decision of the Controller, to destroy the Personal Data or hand it back to the Controller. The Processor may archive Personal Data after anonymization.
  4. The deletion of the Personal Data is decided by the Controller.

 

  • ARTICLE 7. CONTACT POINT – DPO

  1. The Parties agree that their respective DPOs are their points of contact for any matter related to the protection of Personal Data in the context of the Service.
  2. The email contact details of the Data Protection Officer (DPO) appointed by Whispli are: [email protected]
  3. The email contact of the DPO appointed by the Client shall be communicated upon Whispli’s first request.

 

  • ARTICLE 8. DATA PROTECTION IMPACT ASSESSMENT

  1. In accordance with Article 35 of the GDPR, the Controller undertakes to carry out a data protection impact assessment to ensure that the Processing complies with the Regulations, when it is likely to result in a high risk to the rights and freedoms of the persons concerned by the Processing.
  2. If the Processor becomes aware of a high risk to the rights and freedoms of the persons concerned by the Processing, the Processor undertakes to inform the Controller of such risk as soon as possible, and to assist the Controller in carrying out the data protection impact assessment, as well as in carrying out the prior consultation of the Supervisory Authority in accordance with Article 36 of the GDPR.

 

  • ARTICLE 9. PROCEDURES FOR EXERCISING THE DATA SUBJECTS’ PRIVACY RIGHTS

  1. The Processor guarantees that it implements all measures to enable the Data Subjects to effectively exercise the rights available to them under the Regulation.
  2. The Processor undertakes, as far as possible, to assist the Controller in handling any request from a Data Subject exercising their rights of access, rectification, erasure, restriction, portability or objection in relation to their Personal Data, or the right to define post-mortem directives.
  3. In the event of a request addressed directly to the Processor, the latter undertakes to inform the Controller as soon as possible and to provide the Controller with the necessary information.
  4. The Processor ensures, as soon as possible, that the appropriate action is taken to respond to any privacy request from a Data Subject, upon instructions from the Controller.
  5. The Processor undertakes to keep an up-to-date register of requests for the exercise of rights by the Data Subject, whether these requests are received from the Controller or from the Data Subject itself.

 

  • ARTICLE 10. PERSONAL DATA BREACHES

  1. In the event of a Personal Data Breach observed by the Processor, the latter notifies the Controller of such breach by email as soon as possible after becoming aware of it. This notification must be sent by email to the DPO of the Controller.
  2. The Personal Data Breach notification email will contain, as far as possible, the following available information:
    1. the nature of the Personal Data Breach, including, where possible, the categories and approximate number of Data Subjects concerned;
    2. the categories and approximate number of Personal Data records concerned;
    3. the name and contact details of the DPO from whom further information can be obtained;
    4. the likely consequences of the Personal Data Breach;
    5. the measures taken, or proposed to be taken, to address the Personal Data Breach, including, where possible, measures to mitigate its possible adverse effects on Data Subjects.
  3. The notification contains any other useful information to enable the Controller, if necessary, to notify the competent Supervisory Authority of the breach.
  4. The Processor undertakes (i) to document any Personal Data Breach, whether discovered by itself or notified to it by the Controller, in the context of the provision of the Services; and (ii) to make such documentation available to the Controller.
  5. Unless otherwise provided for in the Regulations applicable to the Processor, the Processor shall not, without the prior written consent of the Controller, inform the Data Subjects, third parties or the Supervisory Authority of any potential or actual Personal Data Breach.
  6. The Processor undertakes to assist the Controller, if necessary, in ensuring compliance with the security obligations of the Processing in the event of a Personal Data Breach, by taking all appropriate measures and by transmitting to the Controller any information necessary to enable it to fulfil its obligations to notify the Personal Data Breach to the Supervisory Authority and to communicate it to the Data Subjects.

 

  • ARTICLE 11. SECURITY MEASURES

  1. The Parties undertake and warrant to implement and regularly update appropriate technical and organisational measures to guarantee a level of security appropriate to the risks associated with the Processing, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the Processing, based on the risk analysis described below, and to protect the Personal Data from any accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access.
  2. The Processor warrants that it has carried out a risk analysis for the Processing described in this DPA and that it has defined the appropriate technical and organizational measures.
  3. The security measures provided by the Processor as part of the appropriate technical and organizational measures, including pseudonymization or encryption as applicable, are described in (i) Whispli’s Personal Data Protection Policy and (ii) Appendix 2 “Whispli Security Measures”.
  4. The Processor undertakes to implement, regularly evaluate, maintain, control, test, apply and, where applicable, update the appropriate technical and organizational measures, in order to:
    1. ensure the safeguarding of the rights of Data Subjects in accordance with the Regulations;
    2. protect Personal Data from any breach, threat or danger to its continued security, confidentiality, integrity and availability, such as unauthorized or unlawful Processing, and against accidental loss, destruction or damage; and
    3. restore the availability of and access to Personal Data as soon as possible in the event of a Personal Data Breach.
  5. To ensure the confidentiality, integrity and security of Personal Data, the Processor acknowledges that it has implemented the following security measures to protect Personal Data:
    1. all Personal Data is hosted, for the purposes of the Processing, with one or more hosting providers acting as Sub-Processors designated in the table set out in Article 16. If the Processor were to change host, it undertakes to act in compliance with the conditions set out in Article 16 of this DPA;
    2. functional operations on, and access to, Personal Data are traced and logged.
  6. The Parties undertake to set up a procedure for assessing the level of security applied to the protection of the Personal Data processed in the context of the Services. The purpose of this procedure is to check regularly whether the security measures implemented by each Party to protect Personal Data are still relevant and appropriate with regard to the Regulations.

 

  • ARTICLE 12. AUDITS

  1. The Controller may carry out audits to verify the Processor’s compliance with the provisions of this DPA.
  2. After informing the Processor in writing, including by email, with twenty (20) days’ prior notice, the Controller may have an audit carried out, at its own cost, to verify compliance with all the security measures implemented to protect the Personal Data. Such an audit may take place at any time, subject to a limit of one audit per calendar year.
  3. The audit must be carried out by an independent and recognised expert, whose name is provided to the Processor at least five (5) days before the start of the audit. The Processor may refuse the expert selected, giving objective reasons for its decision.
  4. In any event, the audit operations must not cause any disruption to the Processor’s activities beyond the constraints inherent in an audit. Thus, the auditor must make reasonable endeavours to avoid causing any damage, injury or disruption to the Processor’s premises, equipment, personnel and business.
  5. The audit must be carried out during business hours and may only relate to information specific to the Processor, so as to preserve the confidentiality of information specific to the Processor’s other customers. The Processor undertakes to cooperate in good faith with the auditor and to facilitate the audit by providing all necessary information and responding to all requests relating to the audit.
  6. A copy of the audit report drawn up by the auditor will be sent to each Party. If the conclusions of the audit contain recommendations, the conditions for their implementation will be examined as soon as possible between the Controller and the Processor. If the audit concludes that the Processor has failed to comply with this DPA, the Processor will take all reasonably necessary measures to ensure compliance in the future.
  7. The auditor, as a designated natural person, will be subject to the strictest confidentiality and professional secrecy.

 

  • ARTICLE 13. RECORDS OF PERSONAL DATA PROCESSING ACTIVITIES

  1. The Parties undertake to set up and maintain records of data processing activities containing all information required by the Regulations. A copy of the records of data processing activities is available directly from the Platform. The Processor undertakes to provide the Controller with a copy of such records at the latter’s first request, and at the latest within eight (8) days of a request formalized by any means.

 

  • ARTICLE 14. INTERNATIONAL TRANSFER

  1. The Processor undertakes to host the Personal Data in the territory of the European Union or in any other territory expressly designated by the Client as an instruction and under the Client’s exclusive responsibility.
  2. In the absence of express instruction from the Client, the Processor may rely on its affiliated group companies or use a Sub-Processor located in a country outside the European Union (EU) and the European Economic Area (EEA), involving a transfer of Personal Data to a third country. In that case, the Processor undertakes to:
    1. notify the Controller of all relevant information regarding the purpose of such transfer and the country to which the Personal Data processed pursuant to this DPA would be transferred;
    2. implement the measures required to ensure appropriate safeguards for the protection of the Personal Data subject to the transfer, in accordance with the Regulations.
  3. The Processor is responsible for ensuring that any transfer of Personal Data complies with the Regulations.
  4. Upon request from the Controller, the Processor shall enter into additional transfer agreements.

 

  • ARTICLE 15. LIMITATION OF LIABILITY

  1. The Parties undertake to perform this DPA with all the care required by professional diligence and best practice. Each Party is responsible for the proper performance of its obligations and for the personnel it may assign to their performance, for the quality of the services and operations it carries out in performance of this DPA, and for meeting the deadlines set for it. Each Party will perform its obligations in accordance with the applicable regulations and undertakes to ensure that its obligations are carried out by personnel with the appropriate skills and level of training.
  2. Neither Party may be held liable for damage caused by a failure resulting from:
    1. a force majeure event within the meaning of the case law based on Article 1218 of the French Civil Code, including but not limited to natural events, fire, explosion, national strike, war, insurrection, sabotage and, more generally, any unforeseeable and irresistible situation external to the Party concerned; and/or
    2. a failure attributable to the other Party to fulfil its obligations under this DPA; and/or
    3. the intervention of the other Party or of a third party preventing the proper performance of the DPA.
  3. Neither Party may be held liable for any indirect damage, such as loss of profit, commercial loss, loss of customers or opportunity, data loss or data alteration, or any cost of obtaining a substitute service.
  4. In any event, compensation for damage suffered by one of the Parties because of a proven breach by the other Party is expressly limited, for the duration of this DPA, for all causes combined and for whatever reason, to the amount paid by the Controller in the previous twelve (12) months.
  5. In compliance with the applicable regulation, the above limitation of liability cap will not apply to claims made directly by Data Subjects.

 

  • ARTICLE 16. SUB-PROCESSORS

  1. The Processor undertakes to list its Sub-Processors in the table below.
  2. If the Processor uses Sub-Processors other than those listed in the table below to carry out specific processing activities pursuant to this DPA, it undertakes to give prior written notice to the Controller. If, within five (5) days of receipt of that notice, the Controller notifies the Processor in writing of any objection on reasonable grounds to the proposed appointment, the Processor shall not appoint that proposed Sub-Processor until (i) reasonable steps have been taken to address the objections raised by the Client and (ii) the Client has been provided with a reasonable written explanation of the steps taken.
  3. In any event, the Processor undertakes to ensure that the Sub-Processors provide sufficient guarantees as to the implementation of the appropriate technical and organizational measures defined in Whispli’s Personal Data Protection Policy and in Appendix 2, so that the data processing activities meet the requirements of the Regulations.
  4. In accordance with Article 28.4 of the GDPR, the Processor acknowledges that, if a Sub-Processor fails to comply with its data protection obligations, the Processor remains fully liable to the Controller for the performance of the Sub-Processor’s obligations.

SUB-PROCESSORS AT THE DATE OF THE AGREEMENT

Sub processors to be adapted to each client’s configuration and purchased options.

 

  • ARTICLE 17. DURATION AND TERMINATION 

  1. This DPA takes effect on the day it is signed or accepted and has the same duration as the Agreement. Thus, this DPA will automatically terminate upon termination of the Agreement, except for any surviving rights and obligations.
  2. Upon termination, Whispli will assist the Client, which shall bear all costs, to ensure that all or part of the Personal Data made available by the Client or on its behalf in the context of the Service is either deleted, returned to the Client, or made available to another service provider, as required by the Client and to the extent required by law. In any event, the Personal Data will be deleted once the Client or the new service provider has confirmed in writing that the data provided by the Processor has been received in full, and in accordance with the retention periods provided by the Data Processing Sheet and applicable law.
  3. The provisions of this DPA which are by nature intended to continue to apply after termination will survive, including the provisions on confidentiality, limitation of liability and applicable law.

 

  • ARTICLE 18. COMPLIANCE

  1. Whispli shall comply with the Regulations to the extent applicable to it in its capacity as Processor and shall maintain reasonably accurate records of the Processing of Personal Data.
  2. The Processing is subject to the Regulations, except where neither the Client nor any of its users are European Union residents. In such case, the Processing is governed by the Client’s local applicable law on personal data protection.
  3. Attached to this DPA are addenda that provide terms specific to the Processing of Personal Data arising out of the legal requirements of particular jurisdictions. In the event of conflict or inconsistency between this DPA and an Addendum, the Addendum applicable to the Client’s Personal Data from the relevant jurisdiction shall prevail with respect to the Client’s Personal Data from that jurisdiction, but solely with regard to the portion of the provision that is in conflict or inconsistent.

 

  • ARTICLE 19. MISCELLANEOUS

  1. This DPA is governed by the laws of France. Unless specifically provided otherwise, this DPA is governed by the Agreement, including as to the dispute resolution.

 


 

APPENDIX 1 – Whispli Data Processing Sheet

 

Client: [TO COMPLETE]
Provider: Whispli
Purpose and aims of the Processing: the Provider processes the Client Data mentioned in this Appendix within the scope and for the purposes of the Services provided under the Contract, namely:
  • collecting and recording a report;
  • recording any information regarding the processing and tracking of the report;
  • securing communications among authorized personnel;
  • exchanges between authorized personnel and a reporter;
  • secure data archiving.
Nature of the Processing: ensuring secure communication between the whistleblower and the Client, including file uploads, and the storage of this information within the system.
Location of the Client Data: [TO COMPLETE]
Categories of data subjects: employees, contractors, subcontractors and customers of the Client
Categories of personal data:
  • Identity/identification data (e.g., name, identification number, signature);
  • Contact information (e.g., email or postal address, phone number);
  • any other personal data that a whistleblower may provide.
Special categories of data (sensitive data) and other data that may be provided:
  • Special categories/sensitive data (e.g., racial or ethnic origin, genetic data, biometric data, health information, sexual orientation);
  • Personal characteristics (e.g., date of birth, gender, marital status);
  • Professional details (e.g., title, company, role);
  • Financial details and payment information (including transaction data, bank account details or credit/debit card numbers);
  • Online activity/device data (e.g., device identifier, login ID, timestamp information, IP address, logs);
  • Contents of electronic communications (e.g., email communications, call recordings);
  • Images (e.g., photographs, video recordings).
Duration of the Processing: duration of the Contract
Duration of the retention of Client Data: the retention period is at the Client’s discretion; the Client may select different retention periods depending on the case.
Client contact points
  • Data Protection Officer: [TO COMPLETE]
  • CISO (for all data security incidents): [TO COMPLETE]

Contact point of the Provider: [email protected]

 

APPENDIX 2 – Whispli Security Measures

The Processor takes all necessary precautions to maintain the security of the processed Data, in particular its confidentiality, integrity and availability.

To this end, the Processor defines, implements and monitors the application of a security and confidentiality policy.

This policy describes in particular the technical and organizational measures taken to reduce risks.

The measures implemented for this Processing are set out in the Security Assurance Plan annexed to the Agreement.

 

Categories and measures

Train users
  • Inform and raise awareness among those handling the data
  • Write an IT charter and give it binding force

Authenticate users
  • Define a unique identifier (login) for each user
  • Use a strong authentication method, based on a verified directory
  • Adopt a user password policy compliant with CNIL recommendations
  • Force users to change their password after a reset
  • Limit the number of attempts to access an account

Manage credentials
  • Define authorization profiles
  • Remove obsolete access permissions
  • Carry out an annual review of authorizations

Log access and manage incidents
  • Provide a logging system
  • Inform users of the implementation of the logging system
  • Protect logging equipment and logged information
  • Provide procedures for personal data breach notifications

Secure workstations
  • Provide an automatic session lock
  • Use regularly updated antivirus software
  • Install a software firewall
  • Obtain the user’s agreement before any remote intervention on their workstation

Secure mobile computing
  • Provide encryption for mobile equipment
  • Make regular backups or synchronizations of data
  • Require a secret to unlock smartphones

Protect the internal computer network
  • Limit network flows to the bare minimum
  • Secure remote access from mobile computing devices via VPN
  • Implement WPA2 (enterprise or PSK) on Wi-Fi networks

Secure servers
  • Restrict access to administration tools and interfaces to authorized persons only
  • Install critical updates without delay
  • Ensure data availability

Secure websites
  • Use the TLS protocol and verify its implementation
  • Check that no passwords or usernames are passed in URLs
  • Check that user input matches what is expected
  • Display a consent banner for cookies that are not required for the service

Backup and business continuity plan
  • Make frequent backups of data, whether in paper or electronic form
  • Store backup media in a secure location
  • Secure the transport of backups
  • Plan and test business continuity on a regular basis

Archive securely
  • Implement specific access arrangements for archived data
  • Securely destroy obsolete archives

Oversee the maintenance and destruction of data
  • Record maintenance work in a logbook
  • Have a member of the organization supervise interventions by third parties
  • Erase the data on any hardware before it is discarded

Manage subcontracting
  • Include a specific clause in subcontractors’ contracts
  • Provide for the conditions of return and destruction of data
  • Ensure the effectiveness of the guarantees provided (security audits, visits, etc.)

Secure exchanges with other organizations
  • Send data in encrypted form (either by encrypting the data directly or by using an encrypted tunnel)
  • Make sure the data reaches the right recipient
  • Transmit the secret in a separate transmission and via a different channel

Protect the premises
  • Restrict access to the premises by means of locked doors, whether to paper files or to computer equipment, including servers
  • Install intrusion alarms and check them periodically

Oversee IT developments
  • Offer privacy-friendly settings to end users
  • Avoid free-text comment fields or frame them strictly
  • Test on fictitious or anonymized data

Use cryptographic functions
  • Use recognized algorithms, software and libraries
  • Securely store secrets and cryptographic keys

 

APPENDIX 3 Specific legal requirements from particular jurisdictions

 

Schedule SCCs Controller to Processor is applicable when [Customer], acting as a Controller, uses the Services of the Service Provider, acting as a Processor, and in this context communicates Personal Data to the Service Provider for the purposes of performance of the Services, where the Service Provider is located outside the EEA and there is a transfer of Personal Data from [Customer] to the Service Provider.

In this case, in addition to the Framework Agreement and Schedule Controller to Processor, Schedule SCCs Controller to Processor.2 is also applicable.

Where this is the case, [Customer] and the Service Provider shall both comply with the provisions of the Framework Agreement, Schedule Controller to Processor and Schedule SCCs Controller to Processor.


Whispli: 853 011 278 R.C.S. Paris: www.whispli.com

Office address: 50 Rue de Taitbout, 75009 Paris // Postal address: 10 rue de la Paix, 75002 Paris