Last updated on 09/26/2024
Data Processing Agreement
Effective from October 12, 2024.
This Data Processing Agreement (hereinafter “DPA”) is applicable between the company RINGO (trading under the name MODJO), a simplified joint stock company with a capital of 38,666.31 euros registered in the trade and companies register of Nanterre under number 879 606 283, and whose registered office is located at 59, avenue Sainte-Foy - 92200 Neuilly-sur-Seine, France (hereinafter “RINGO”) and each of its Clients as identified in the Order Form (hereinafter the “Client”).
Preamble
In the context of the performance of the Order Form(s) and the attached General Terms and Conditions of Sales Modjo (T&Cs) concluded between RINGO and the Client, the Client, in its capacity as Controller, entrusts RINGO, in its capacity as Processor, with the processing of Personal Data.
This Data Protection Agreement is attached to the Order Form and the General Terms and Conditions of Sales Modjo.
The parties intend to comply with all applicable regulations regarding the Processing of Personal Data, and in particular the French law n°78-17 of 6 January 1978 (known as “Loi Informatique et Libertés”) as amended and the EU General Regulation on the Protection of Personal Data n°2016-679 dated 27 April 2016 (“GDPR”).
The parties have agreed to this Contract in order to ensure compliance with Article 28(3) and (4) of GDPR. This Contract applies to the processing of personal data as specified in Article 1.
It is expressly agreed that the terms used in this Contract with a capital letter (e.g., Controller, Personal Data, Service, …) correspond to the definitions contained in GDPR and in the T&Cs. This Contract shall be read and interpreted in the light of the provisions of GDPR.
1. Description of Processings
The details of the processing operations, in particular the categories of personal data and the purposes of processing for which the personal data is processed on behalf of the Client, in its capacity as Controller, are:
- Categories of data subjects whose personal data is processed: the Client’s staff and employees using the services provided by RINGO, the Client’s contacts, prospects, and clients.
- Categories of personal data processed: data related to the identification of the data subjects (name, surname, contact details, and email), data related to meetings, phone call and video conference recordings, data related to the use of the Service such as comments, reviews, translations and intelligent summaries and scoring made on the services, data related to emails exchanged between the data subjects, data related to meeting reminder emails, and data related to networks.
- Object of the processing: the performance by RINGO of the Service, and their use by the Client, in accordance with the Order Form(s) and the attached T&Cs concluded between RINGO and the Client.
- Nature of the processing: the collection and analysis of data including Personal Data on behalf of the Client.
- Purposes of the processing: the performance by RINGO, on behalf of the Client, of the Service, mainly the collection, the recording, and the analysis of meetings, phone call, video conference recordings and mails, and the filling of the customer relationship management software as well as the assistance, back-up, security and maintenance services attached to the Service.
- Duration of the processing: Personal Data is processed by RINGO for the duration of the contractual relationship of the Client; logs are kept for a period of one (1) year. When the AI Assistant feature is activated by the Client, data is retained by OpenAI for a maximum of 30 days for the purpose of content moderation and abuse prevention.
2. Instructions
RINGO shall process personal data only on documented instructions from the Client and in accordance with the above provisions, unless required to do so by Union or Member State law to which RINGO is subject. In this case, RINGO shall inform the Client of that legal requirement before processing, unless the law prohibits this on important grounds of public interest. Subsequent instructions may also be given by the Client throughout the duration of the processing of personal data. These instructions shall always be documented.
If RINGO considers that any of the Client’s instructions constitute a breach of the applicable regulations on the protection of Personal Data, it will inform the Client immediately. RINGO will not be held liable in any way for the Client’s instructions and decisions and their possible consequences.
The provisions of this Contract, as well as the activation by the Client, its Administrators or Users of the translation and AI Assistant features constitute documented instructions from the Client to RINGO.
3. Purpose Limitation
RINGO shall process the Personal Data only for the purposes of the processing, as set out in Article 1, unless it receives further instructions from the Client.
4. Duration of the Processing of Personal Data
RINGO shall process the Personal Data only for the duration of the processing, as set out in Article 1, unless it receives further instructions from the Client.
5. Security of Processing
RINGO undertakes to put in place appropriate technical and organizational security measures to ensure the security of the Personal Data it processes against any destruction, loss, alteration, unauthorized disclosure of, or access to, or any other form of unauthorized processing. In assessing the appropriate level of security, RINGO takes due account of the state of the art, the costs of implementation, the nature, scope, context and purposes of processing, and the risks involved for the data subjects.
A description of these measures has been drawn up by RINGO in accordance with Article 32 of GDPR and is available on written request.
When the AI Assistant feature is activated by the Client, the Client agrees that the security measures implemented are those of the OpenAI security policy.
RINGO grants access to the personal data undergoing processing to members of its personnel only to the extent strictly necessary for implementing, managing, and monitoring the Service. RINGO ensures that persons authorized to process the personal data received are under an appropriate contractual obligation of confidentiality.
6. Documentation and Compliance
RINGO shall make available to the Client all information necessary to demonstrate compliance with the obligations that are set out in this Contract and stem directly from GDPR.
At the request of the Client, RINGO shall also permit and contribute to audits of the processing activities covered by this Contract, at reasonable intervals or if there are indications of non-compliance.
The reasonable intervals mean that an audit may be carried out at the rate of one (1) time per calendar year, and with sixty (60) days' written notice to RINGO.
This audit must be conducted in a manner that respects the security and confidentiality of RINGO's documentation and procedures. It will last no more than one (1) day and will be held during normal business hours at RINGO's location.
The Controller may decide to carry out the audit itself or to appoint an independent auditor, chosen by mutual agreement between the parties and subject to an obligation of confidentiality.
Notwithstanding any provision to the contrary, the Client shall be responsible for all costs and/or expenses incurred as a result of this visit.
The parties shall make the information set out in this clause, including the results of any audit, available to the competent supervisory authority(ies) upon request.
7. Use of Sub-processors
RINGO has the Client’s general authorization for the engagement of sub-processors enumerated in the agreed list (Annex 1).
RINGO undertakes to provide an up-to-date list of its sub-processors and their processing activities upon request by the Client.
RINGO shall inform the Client of any intended changes of that list through the addition or replacement of sub-processors at least fifteen (15) days prior to the addition or the replacement date of the concerned sub-processor.
The Client may object to RINGO’s use of a new sub-processor by notifying RINGO promptly in writing (e.g., via email) and before the addition or the replacement date of the concerned sub-processor. In the event the Client objects, RINGO will use reasonable efforts to make available to the Client a change in the Service or recommend a commercially reasonable change to Client’s configuration or use of the Service to avoid processing of Personal Data by the objected-to new sub-processor. If RINGO is unable to make available such change within a reasonable period of time, which shall not exceed thirty (30) days, the Client may terminate the applicable Order Form with respect only to those services which cannot be provided by RINGO without the use of the objected-to new sub-processor by providing written notice to RINGO, with return receipt requested.
The absence of Client’s objections will be deemed as the Client’s acceptance of the changes affecting the sub-processors list.
Where RINGO engages a sub-processor for carrying out specific processing activities on behalf of the Client, the sub-processor of RINGO is obliged to fulfill, in substance, the same data protection obligations as the ones imposed on RINGO in accordance with this Contract. It is the responsibility of RINGO to ensure that the sub-processor presents sufficient guarantees as to the implementation of appropriate technical and organizational measures so that the processing meets the requirements of GDPR.
RINGO remains fully responsible to the Client for the performance by its sub-processors of its obligations.
Some sub-processors only process Client data when the feature for which they are acting is activated by the Administrator or the Client's User.
Thus, the sub-processor OpenAI processes Client data only when the Administrator has activated the AI Assistant. When this feature is enabled, OpenAI will process the personal data to deliver its services under the agreed conditions. As a reminder, in accordance with the OpenAI policy, personal data is retained for a maximum period of 30 days for the purpose of content moderation and abuse prevention.
8. Data Subject Rights
RINGO shall assist the Client, to the extent possible, in responding to requests from data subjects to exercise their rights under applicable data protection laws. In particular, RINGO will assist the Client in ensuring compliance with its obligations in relation to the exercise of data subject rights, including but not limited to:
- The right to access;
- The right to rectification;
- The right to erasure (the “right to be forgotten”);
- The right to restrict processing;
- The right to data portability;
- The right to object to processing.
9. Data Breach Notification
RINGO shall notify the Client without undue delay upon becoming aware of a personal data breach, providing the Client with sufficient information to allow it to meet any obligations to report or inform data subjects of the personal data breach under the applicable data protection laws.
10. Return and Deletion of Personal Data
At the end of the provision of services relating to the processing, RINGO shall, at the choice of the Client, delete or return all personal data to the Client, and delete existing copies unless applicable law requires storage of the personal data.
11. Governing Law and Jurisdiction
This Contract is governed by the law of France. The parties agree that any dispute arising out of or in connection with this Contract shall be submitted to the exclusive jurisdiction of the courts of Paris.
Annex 1: List of Permitted Sub-processors