Data Processing Agreement

Koyeb Data Processing Agreement - April 27th, 2021

For all intents and purposes, all capitalized terms used in this Data Processing Agreement have the same meaning as in the Koyeb Terms of Service.

1. Purpose of these clauses

In the context of the performance of the Agreement, Koyeb is required to process personal data among Customer Data.

Koyeb (the “Processor”) acts as a subcontractor, the Customer (the “Controller”) being responsible for the collection and processing of such personal data.

The purpose of these clauses is to define the conditions under which the Processor undertakes to carry out the personal data processing operations defined below on behalf of the Controller.

In the context of their contractual relationship, the Parties undertake to comply with the regulations in force applicable to the processing of personal data and, in particular, Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (the “GDPR”).

2. Description of the subcontracted personal data processing

The Subcontractor is authorized to process on behalf of the Controller the personal data necessary to provide the Service(s).

The categories of data subject are the end users of the services provided by the Customer and the Authorised Users entitled to access the Platform by the Customer.

The purposes of the processing are as follows:

  • to provide Cloud Computing Services;
  • to provide management services for the various cloud platforms used by the Customer;
  • to compile statistics;
  • to comply with applicable legislation;
  • to manage the Customer relationship;
  • to prevent fraud;
  • to manage requests from data subjects for exercising their rights such as the right of access, rectification, deletion, opposition, erasure, limitation, portability, and concerning the use of personal data after the death of data subjects.

Unless the consent of the data subjects has been obtained under the conditions provided by the applicable legislation, these operations must not lead to the creation of profiles that may reveal sensitive data (racial or ethnic origins, philosophical, political, trade union, or religious opinions, sexual life or people's health).

In any event, the Controller is required to previously inform the Processor of any other processing intended and to guarantee compliance with the applicable regulation. In particular, the Controller is required to carry out, if necessary, a data protection impact assessment of the processing intended under the conditions defined in Article 35 of the GDPR.

The personal data processed is or may be as follows if necessary in view of the purpose of the processing in question:

  • the identity of the data subjects: first name, name, telephone number, postal address, email address;
  • family, economic and financial situation: marital situation, number of people in the household, number and age of the child(ren) in the household, profession, field of activity, socio-professional category;
  • technical data on the use of the Services: login data, Services ID, history of use and connection to the Services, etc.

For the performance of the Service subject of the Agreement, the Controller shall make available to the Processor the information which guarantees compliance with the legal provisions in force and in particular the GDPR.

3. Duration of these clauses

These clauses take effect as from the entry into force of the Agreement, for the duration of the Agreement.

4. Undertakings of the Controller

The Controller undertakes, in the context of the performance of the Agreement to:

  • transmit via the Platform only Customer Data strictly necessary for the provision of the Services;
  • document in writing any instructions regarding the processing of personal data by the Processor;
  • comply with the provisions of the French law n°78-17 on Information Technology and Freedoms, the GDPR and more generally the regulations applicable in France;
  • supervise the processing of personal data, including through the conducting of audits in accordance with the terms previously agreed with the Processor;
  • ensure that there is a legal basis for the processing of personal data;
  • obtain, where applicable, the consent of the data subjects to the processing and/or transfer of their personal data;
  • provide all relevant information to data subjects at the time of data collection.

The Processor shall not be liable for any failure by the Controller to comply with applicable regulation except where the law expressly provides otherwise.

5. Undertakings of the Processor

In accordance with Articles 28 and 32 of the GDPR, the processor undertakes:

  • to take and maintain all useful measures, and in particular appropriate technical and organisational measures, to preserve the security and confidentiality of the personal data entrusted to it by the Controller for the provision of the Services, in order to prevent them from being distorted, altered, damaged, or accessed by unauthorized persons;
  • to ensure that persons authorized to process personal data on their behalf, in addition to having received the necessary training in the protection of personal data, respect confidentiality or are subject to an appropriate legal obligation of confidentiality;
  • to comply with applicable legal provisions relating to the conditions of processing and/or the destination of the data provided by the Controller or which it will have access to in the context of the provision of Services;
  • to act only on the documented instruction of the Controller for the processing of the personal data in question;
  • to use the personal data collected or to which it may have access solely for the purposes of providing the Controller with the Services;
  • not to use the personal data collected or to which it may have access in the context of the performance of the Contract for purposes contrary to the Contract in accordance with the applicable regulations, and to transfer it only to a third party indicated or authorized by the Controller;
  • not to resell or transfer personal data that is strictly confidential;
  • to assist the Controller, where possible, by implementing appropriate technical and organisational measures, as well as to fulfil its obligation to respond to requests from data subjects in order to exercise their rights of access, rectification, erasure, opposition, limitation and portability of data;
  • to assist the Controller, where possible and in light of the information provided to it by the latter, to comply with its obligation to: (a) notify the supervisory authority of a personal data breach; (b) communicate a personal data breach to the data subject; (c) conduct a data protection impact assessment.

The Processor may use another subcontractor to carry out specific processing activities. In this case, it shall previously inform the Controller in writing of any proposed changes concerning the addition or replacement of other subcontractors. The Controller has a minimum of seven (7) days from the date of receipt of this information to submit its objections. This subcontracting can only be carried out if the Controller has not raised any objections within the agreed period.

Koyeb uses certain subcontractors to assist in providing Koyeb Services to its customers. A subcontractor will be referred to as a sub-processor if the entity has or potentially has access to, or processes, Personal Data.

6. Subcontractors and Sub-processors

A subcontractor is a third party engaged by Koyeb that provides services that enable Koyeb to provide the Services and/or will provide added value directly or indirectly to Koyeb’s customers. Subcontractors that have or potentially have access to, or process, service data (which may contain Personal Data) are referred to as sub-processors.

Infrastructure Subcontractors

Back-End Services

Koyeb back-end services are located in co-location facilities and in the infrastructure subcontractors listed below. Koyeb controls the logical access to infrastructure running these services. Subcontractors don’t have access to these services.

| Entity Name | Purpose | Entity Country |
|---|---|---|
| Google Cloud Platform | Koyeb control plane | Belgium |

Customer Workloads

Koyeb owns and controls access to the infrastructure that Koyeb uses to host Customer services and to store and process Customer Data. The subcontractor and region depend on which subcontractor and region the Customer selects. Customer Data will stay in the region selected by the Customer but may be shifted and co-located between different datacenters within the region to ensure performance and availability of the services. These subcontractors don’t have logical access to data.

| Entity Name | Purpose |
|---|---|
| Equinix Metal | Infrastructure |
| IBM Cloud | Infrastructure |
| Amazon Web Services | Infrastructure |

Service Specific Subcontractors

Koyeb uses certain third parties listed below to provide specific functionality within the Services. In order to provide the relevant functionality these subcontractors have access to Service data, limited to the indicated Services.

| Entity Name | Purpose | Entity Country |
|---|---|---|
| Intercom | Customer support | USA |
| Slack | Internal Operational messaging | USA |