CAM - CLM

Data Charter

This GDPR and confidentiality agreement (hereinafter referred to as the “Data Charter”) forms part of the online subscription agreement and contains the terms and conditions that govern access to and use of the Platform(s) by CLIENT (hereinafter referred to as the “Agreement”), along with the:

  • General Terms of the Agreement
  • Subscription Terms  
  • Platform Use Terms
  • Service Level Agreement
  • Privacy Policy

This Data Charter takes effect immediately after clicking an “I Accept,” “Sign up” or similar button or check box presented with these terms (the “Effective Date”). By accepting this Data Charter, CLIENT agrees to be legally bound by its terms and conditions. The signatory of this Data Charter represents that it has legal authority to bind CLIENT.

Capitalized terms used in this Data Charter will have the same meaning as those defined in the General Terms of the Agreement.

1. DEFINITIONS

When capitalized, the defined terms used in this Data Charter will have the meanings set forth hereunder:

  • “Authorized User” refers to the individuals who are designated by CLIENT to use the Platform. Authorized Users are limited to employees, consultants, contractors and agents of CLIENT or its affiliates.
  • “Confidential Information” refers to:
    • any information which relates to: information regarding financial and/or business operations, including, but not limited to, marketing and product plans, concepts, business plans, financial condition, employees, inventions, algorithms, decision technology and/or models, processes, designs, specifications, drawings, samples, improvements, developments, applications, engineering, manufacturing and marketing data and plans, software code (object and source), security procedures and approaches, know-how, experimental work, distribution arrangements and/or trade secrets;
    • any Content upon which a Party owns intellectual property rights;
    • any information which (i) either Party has marked as confidential or proprietary, (ii) either Party, orally or in writing has advised the other Party is of a confidential nature or (iii) due to its character or nature, a reasonable person in a like position and under like circumstances would treat as confidential.
  • Such Confidential Information may be produced in a variety of forms, including but not limited to: any and all verbal, electronic, and/or written communications (whether in the form of slides, handouts, letters, memoranda, agreements, facsimile transmissions, meetings, conference and other telephone calls, diskettes, files, tapes, and/or any other mode) and/or related concepts, proposals, data sources, pricing, schedules, development efforts (including source code, object code and/or documentation), numerical data processing algorithms, product and software design specifications.
  • The following information shall not be construed as Confidential Information, when it:

    • was in the receiving Party's lawful possession prior to the disclosure and had not been obtained by the receiving Party either directly or indirectly from the disclosing Party; or
    • is lawfully disclosed to the receiving Party by a third party without restriction or disclosure; or
    • is independently developed by the receiving Party.

2. CONFIDENTIALITY

2.1 For a period of 2 years following the termination of this Data Charter, each Party shall keep strictly confidential the other Party’s Confidential Information whether received before, on or after the Effective Date.  

2.2 Each Party shall ensure that its present and relevant past staff and each member of its personnel and its subcontractors who may have access to such Confidential Information, shall keep it confidential. Each Party will therefore ensure that its employees and subcontractors are aware of and comply with the provisions of the Data Charter and are bound by obligations of confidentiality no less restrictive than the terms set out in this Data Charter.  

2.3 Each Party will establish and maintain such security measures and procedures as are reasonably practicable to provide for the safe custody of the other Party’s Confidential Information in its possession and to prevent unauthorized access thereto or use thereof. In this regard, each Party agrees to take the same kind of measures and precautions as for its own Confidential Information of like kind but in no event less than reasonable care in protecting such Confidential Information.

2.4 Each Party shall give notice to the other Party of any unauthorized misuse, disclosure, theft or other loss of that Party's Confidential Information immediately upon becoming aware of the same.

2.5 As a strictly limited exception to their confidentiality obligations regarding the Confidential Information:

  • each Party may disclose Confidential Information only to its employees, affiliates’ employees and sub-contractors who have a need to access such Confidential Information and for the sole and exclusive purpose of the Agreement;
  • each Party shall have the right to disclose Confidential Information to the extent required by applicable law, regulation or authority, or pursuant to an order of a competent court, regulator or law enforcement agency.

2.6 Upon termination of the Data Charter (whatever the cause), each Party shall cause all Confidential Information belonging to the other Party in whatever medium the same is recorded or held to be returned, deleted or destroyed according to the written instructions of the other Party and shall immediately certify in writing upon the other Party’s request that it has returned, deleted or destroyed all Confidential Information of the other Party.

3. DATA PROTECTION

3.1 Purpose

The purpose of this section 3 is to establish the terms and conditions upon which HEXAGONE undertakes to carry out, on CLIENT’s behalf, the personal data processing operations defined below. In this regard, HEXAGONE shall act as data processor and each CLIENT shall act as Controller. As part of their contractual relations, the Parties shall comply with the applicable regulations on personal data processing and, in particular, the GDPR.

3.2 Description of the processing being subcontracted out  

3.2.1 HEXAGONE is authorized to process, on behalf of CLIENT, the personal data necessary for providing access to the Platforms.

3.2.2 The nature of operations carried out on the data is the collection, sorting, saving, restricting and deletion of data.

3.2.3 The purpose(s) of the processing are:

  • Access and use of the Platforms;
  • Establish statistics and volumes of traffic and use of the platform.

3.2.4 The personal data processed are:

  • Data relating to the Authorized Users:
    • Last Names, First Names, gender of the users;
    • First Name;
    • Last Name;
    • Email address;
    • Username and encrypted password for Platform access;
    • Company;
    • Job position;
    • Country;
    • CRM system;
    • IP Address
  • Some data related to the usage of the Platforms:
    • Frequency of use, number and duration of Authorized Users’ connections; 
    • Creation and modification of projects, documents;
    • Export or download of presentations, emails and PDF files;
    • Preview of Presentations and emails renditions in web-browser.
  • Data automatically collected by the Platforms: cookies (files placed on users’ devices when they connect to the Platform). Cookie management is entirely the users’ responsibility, through the configuration of their Internet browser. Users have the option to delete those cookies.

3.2.5 The categories of data subjects are: Authorized Users.

3.2.6 To perform the processing covered herein, CLIENT shall provide the processor with the following necessary information: Authorized Users’ last name, first name, gender, country, email address.

3.3 General obligations

3.3.1 HEXAGONE shall undertake to:  

  • process the data solely for the purpose(s);
  • process the data in accordance with the documented instructions from CLIENT. Where HEXAGONE considers that an instruction infringes the GDPR or any other legal provision of the Union or of Member States bearing on data protection, it shall immediately inform CLIENT.
  • guarantee the confidentiality of personal data processed hereunder;
  • ensure that the persons authorized to process the personal data hereunder:  
    • have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
    • receive the appropriate personal data protection training.

3.3.2 HEXAGONE may engage another sub-processor (hereinafter "the Sub-Processor") to conduct specific processing activities. In this case, HEXAGONE shall inform CLIENT in writing beforehand of any intended changes concerning the addition or replacement of other processors. This information must clearly indicate which processing activities are being subcontracted out, the name and contact details of the Sub-Processor and the dates of the subcontract. CLIENT has a timeframe of 7 days from the date on which it receives said information to object thereto. Such sub-contracting is only possible where CLIENT has not objected thereto within the agreed timeframe.

3.3.3 CLIENT is hereby informed that the following entities may act as Sub-Processors:

  • HEXAGONE AFRIQUE SÀRL, Tunisia;
  • AMAZON WEB SERVICES;
  • CRISP.

3.3.4 The above Sub-Processors are obliged to comply with the obligations hereunder on behalf of and on instructions from CLIENT. It is HEXAGONE’s responsibility to ensure that each Sub-Processor provides the same sufficient guarantees to implement appropriate technical and organizational measures in such a manner that processing meets the requirements of the GDPR. Where a Sub-Processor fails to fulfil its data protection obligations, HEXAGONE remains fully liable with regard to CLIENT for the Sub-Processor's performance of its obligations.

3.4 Data subjects' right to information

It is CLIENT’s responsibility to inform the data subjects concerned by the processing operations at the time data are being collected unless this is part of the services being performed by HEXAGONE.

3.5 Exercise of data subjects' rights

3.5.1 HEXAGONE shall assist CLIENT, insofar as this is possible, in fulfilling its obligation to respond to requests for exercising the data subject's rights: right of access, to rectification, erasure and to object, right to restriction of processing, right to data portability, right not to be subject to an automated individual decision (including profiling).

3.5.2 Where the data subjects submit requests to the processor to exercise their rights, HEXAGONE shall forward these requests as soon as they are received by email to privacy@hexagone.life.

3.6 Notification of personal data breaches

HEXAGONE shall notify CLIENT of any personal data breach not later than 48 hours after having become aware of it, by notifying CLIENT by email. Said notification shall be sent along with any necessary documentation to enable CLIENT, where necessary, to notify this breach to the competent supervisory authority.

3.7 Assistance lent by HEXAGONE to CLIENT regarding compliance with its obligations

3.7.1 HEXAGONE shall assist CLIENT in carrying out data protection impact assessments.  

3.7.2 HEXAGONE shall assist CLIENT with regard to prior consultation of the supervisory authority.  

3.8 Security measures

HEXAGONE shall ensure that it has implemented appropriate technical and organisational measures, to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures, and shall implement the following security measures:

  • the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and Services;
  • the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;  
  • a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing;
  • the pseudonymization and encryption of personal data, if required by CLIENT.

3.9 Fate of data

At the end of the Service bearing on the processing of such data, or at CLIENT’s request, the processor undertakes, at CLIENT’s choice, to:

  • destroy all personal data

3.10 Data Protection Officer

Should HEXAGONE have to designate a data protection officer pursuant to article 37 of the GDPR, it shall communicate to CLIENT its name and contact details.

3.11 Record of categories of processing activities

HEXAGONE shall maintain a written record of all categories of processing activities carried out on behalf of CLIENT including:

  • the name and contact details of CLIENT on behalf of which HEXAGONE is acting, any other processors and, where applicable, the data protection officer;  
  • the categories of processing carried out on behalf of CLIENT;  
  • where applicable, transfers of personal data to a third country or an international organization, including the identification of that third country or international organization and, in the case of transfers referred to in the second subparagraph of Article 49(1) of the GDPR, the documentation of suitable safeguards;  
  • where possible, a general description of the technical and organizational security measures, including inter alia:
    • the pseudonymization and encryption of personal data;  
    • the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;  
    • the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;  
    • a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.

3.12 Documentation and audit

3.12.1 Upon request, HEXAGONE shall provide CLIENT with the necessary documentation for demonstrating compliance with all of its obligations.

3.12.2 During the term of this Data Charter, upon fifteen (15) days’ prior notice to HEXAGONE, CLIENT (or its appointed representative) shall have the right, during normal business hours and at CLIENT’s own expense, to conduct an investigation and/or audit, for the exclusive purpose of ensuring HEXAGONE’s compliance with this section 3. HEXAGONE agrees to cooperate fully with such investigations and/or audits.

3.13 CLIENT’s obligations

CLIENT undertakes to:

  • supervise the processing, including by conducting audits and inspections with HEXAGONE;
  • document, in writing, any instruction bearing on the processing of data by HEXAGONE;
  • ensure, before and throughout the processing, compliance with the obligations set out in the GDPR on HEXAGONE’s part.

4. FATE OF CLIENT CONTENT

4.1 After termination of the Agreement, HEXAGONE shall have no obligation to maintain or provide any CLIENT Content and shall thereafter, unless legally prohibited, delete all CLIENT Content in its systems or otherwise in its possession or under its control.

4.2 Notwithstanding what precedes, should CLIENT end all Subscriptions but continue to use the Platforms on a Trial Authorization, all CLIENT Content created during said Trial Authorization shall remain available on the Platforms.

5. TERM AND TERMINATION

5.1 The Data Charter will commence on the Effective Date and will remain in force until the term of the Agreement.