TERMS OF SERVICES
Last update: 2022-01-26
This Terms of Service (this "Agreement"), effective as of the Start Date, is entered into by Opendatasoft, a French simplified joint-stock company (société par actions simplifiée) with a capital of €399 509, registered with the Paris Trade and Companies Register under number 538 168 329, having its principal place of business at 50, Boulevard Haussmann - 75009 Paris, France ("Opendatasoft"), and its Customer.
1. DEFINITIONS
"Additional Services" shall mean the additional services, functionalities or options subscribed by Customer in addition to the Opendatasoft Services, such as the providing of additional trainings, the customization of the platform or the development of specific features or functionalities, as defined by mutual agreement between the Parties at the signing of the Agreement or during its performance;
"Affiliate" shall mean, with respect to a party, any entity, whether incorporated or not, that directly or indirectly controls, is controlled by, or is under common control with such party or its corporate parent, where "control" (or variants of it) shall mean the direct or indirect ownership or control of more than 50% of the voting interests of the subject entity;
"Agreement" shall mean this Terms of Services and its Annex 1 "Purchase Order(s)", Annex 2 "SLA", Annex 3 "Professional Services", Annex 4 "DPA" and Annex 5 "Opendatasoft Terms of Use", and any amendments relating to Additional Services;
"API" shall mean the proprietary application programming interfaces that allow interaction between the Customer Application and the Opendatasoft Services. This API is the exclusive and sole property of Opendatasoft;
"Authorized Third Party" shall mean any entity duly authorized by Customer to access, use and/or interoperate with the Services in accordance with this Agreement and Opendatasoft Terms of Use, and in particular any Customer's Affiliate or provider;
"Authorized User" shall mean (a) in the case of an individual accepting this Agreement on such individual's own behalf, such individual; or (b) an individual who is directly or indirectly authorized by Customer to use the Services. Users may include, for example, employees, consultants, contractors or agents of Customer, its Affiliates and/or of Authorized Third Party;
"Back Office" shall mean the administration interface made available to Customer by Opendatasoft and allowing Customer to customize the graphical interface of Customer Application, define its administration rights and security levels for the creation, modification and publication of Customer Data. Back Office is detailed at https://help.opendatasoft.com;
"Business Days" shall mean every day from 9:00 am to 6:00 pm, except Saturday, Sunday and public holidays in France.
"Confidential Information" shall mean (i) any protected information held by the disclosing party, or a third party to whom the disclosing party has a non-disclosure obligation, including any information, know-how and software, including but not limited to its source code and any translation, compilation, partial copy and derivative work; (ii) any information designated as confidential at the time of disclosure to the receiving party, or when orally transmitted, identified as confidential and recorded in written or other tangible form (including electronic) with a clearly stated confidentiality notice; and (iii) any information that must, in light of the circumstances of its disclosure, be treated in good faith as confidential;
"Customer" shall mean the company or entity which enters into the Agreement with Opendatasoft and as identified at the top of the Agreement;
"Customer Application" shall mean Customer's website as made available by Customer to End Users and based on the Opendatasoft Services;
"Customer Data" shall mean all electronic data or information submitted by or on behalf of Customer to, or collected from the Customer Application by, the Opendatasoft Services;
"Documentation" shall mean the online documentation for the Opendatasoft Services, accessible at: https://help.opendatasoft.com, as updated on a regular basis;
"End User" shall mean any end user of the Customer Application;
"External Use" shall mean an Authorized Third Party's use of Opendatasoft Services, which are designated for external use in the Documentation, provided such use is solely in connection with Customer's business relationship with the Authorized Third Party;
"Party" or "Parties" shall mean either Opendatasoft or Customer separately or Opendatasoft and Customer together;
"Services" or "Opendatasoft Services" shall mean the specific proprietary and generally available software-as-a-service product of Opendatasoft, including the Opendatasoft platform, the Documentation, and any specific features or options as specified in the Purchase Orders and, as the case may be, Additional Services;
"Terms of Use" shall mean Opendatasoft Terms of Use available at: https://legal.opendatasoft.com/en/terms-of-use.html ;
"Purchase Order" shall mean the ordering document for Customer's purchases of Services from Opendatasoft that are executed hereunder from time to time, including any schedules or addenda thereto. A Purchase Order will set forth Customer's product and service entitlements;
"Start Date" shall mean the date on which Opendatasoft shall make the Services available to Customer as set forth in an applicable Purchase Order;
"Subscription Term" shall mean the subscription period set forth in an applicable Purchase Order;
2. OPENDATASOFT SERVICES
2.1. Provision of Opendatasoft Services
2.1.1. Opendatasoft shall make the Services and, if applicable, Additional Services available to Customer pursuant to this Agreement and all Purchase Orders during a Subscription Term. This Agreement supersedes any commercial offer, quotation, conditions of sale or purchase, letter of intent or any other pre-contractual document between the Parties.
2.1.2. Opendatasoft shall make the Services, and if applicable, Additional Services available to any Authorized Third Party duly designated by Customer, under the conditions agreed with Customer and subject to this Agreement. Customer is and remains responsible for the proper performance of this Agreement by both Customer and the Authorized Third Party, and agrees to ensure that the Authorized Third Party fully complies with this Agreement and the Terms of Use.
2.1.3. Customer Affiliates may use subscriptions to the Services subject to the terms of this Agreement. This Agreement shall apply to such Customer Affiliates, and such Affiliates shall be deemed the "Customer" as contemplated herein. Customer Affiliates may also use the Services purchased by Customer without signing a Purchase Order if Customer makes certain employees of such Affiliate Users hereunder.
2.2. Opendatasoft responsibilities
2.2.1. Opendatasoft shall: (a) ensure that the Services perform in material compliance with this Agreement, and in particular its Annexes 2 and 3; (b) use commercially reasonable efforts to make the Services available 24 hours a day, seven days a week, except for: (i) planned downtime or maintenance as provided by Opendatasoft SLA; or (ii) any unavailability caused by circumstances which are beyond Opendatasoft's reasonable control, including, without limitation, internet service provider, Third-Party Providers or hosting facility failures or delays involving hardware, software or power systems not within Opendatasoft's possession or reasonable control, denial of service attacks, or in case of force majeure within the meaning of article 1218 of the French Civil Code and applicable case law; and (c) provide the Services in accordance with applicable laws and regulations.
2.2.2. Opendatasoft will maintain administrative, physical and technical safeguards designed to protect the confidentiality and integrity of Customer Data. Opendatasoft will only access, use, process, modify, delete or disclose Customer Data (a) to provide the Services in accordance with this Agreement, (b) to provide support services and prevent or address service or technical problems, (c) as compelled by law in accordance with the Confidentiality section below or as required under applicable law, (d) to display Customer Data to End Users.
2.3. Data hosting & publishing
2.3.1. Customer understands and agrees that Opendatasoft has the legal quality of host within the meaning of article 6 I 2) of the French Law of June 21, 2004 on confidence in the digital economy. In this capacity, Opendatasoft shall promptly remove any obviously illegal content as soon as it becomes aware of it, in accordance with the provisions of Opendatasoft Terms of Use available at: [https://legal.opendatasoft.com/fr/terms-of-use.html].
2.3.2. Customer Data are made available to End Users by Customer under its sole and exclusive liability. Customer shall ensure the security level of the Customer Data it publishes or makes available to End Users.
3. CUSTOMER OBLIGATIONS
3.1. Cooperation
Customer agrees and undertakes to cooperate in good faith with Opendatasoft on all matters related to the Services, and in particular to provide Opendatasoft, upon request, with all documents and information in its possession that are useful for the performance of the Services and, if applicable, Additional Services.
3.2. Use of the Services
3.2.1. Customer is responsible for all actions taken by Customer or its Users in Customer's account(s) and for Users' compliance with this Agreement.
3.2.2. Customer shall: (a) have sole responsibility for the accuracy and legality of all Customer Data; (b) ensure that any user IDs, passwords and other access credentials for the Services are kept strictly confidential and not shared with unauthorized persons; (c) promptly notify Opendatasoft of any breach of security or unauthorized use of its account; (d) use commercially reasonable attempts to comply with requests made by Opendatasoft to update various features or functionalities within the Services to optimize their performance; (e) use the Opendatasoft Services in compliance with this Agreement, the Documentation, applicable Purchase Order(s), Opendatasoft Terms of Use and all applicable laws and regulations; and (f) provide notice and obtain any legally required consent for the use and display of Customer Data to End Users.
3.2.3. Customer shall use the Services solely for its and its Affiliates' business purposes as contemplated by this Agreement and shall not: (a) license, sell, resell, lease, transfer, distribute, or otherwise commercially exploit or make the Services available to any third party, except Authorized Third Party if applicable; (b) send via or store within the Services unlawful, offensive or tortious contents under French law; (c) use the Services to imitate or impersonate another person; (d) interfere with or disrupt the integrity or performance of the Services or the data contained therein; or (e) attempt to gain unauthorized access to the Services or its related systems or networks.
3.2.4. Opendatasoft may, in its reasonable discretion, refuse to operate its Services where the content of the Customer Data or the delivery of such Customer Data to End Users is, in Opendatasoft's reasonable opinion, unlawful. Any use of the Services by Customer that, in Opendatasoft's reasonable judgment, imminently threatens the security, stability, integrity or availability of the Opendatasoft Services, or otherwise harms Opendatasoft, other customers or third parties, may result in immediate suspension of the Services; however Opendatasoft will use commercially reasonable efforts under the circumstances to notify Customer in advance of such suspension and provide Customer with an opportunity to correct its use of the Services prior to any such suspension. Opendatasoft will have no liability for any such suspension made in good faith. Unless this Agreement has been terminated, Opendatasoft will restore Customer's access to the Services once it verifies that Customer has resolved the condition requiring suspension.
4. FEES & PAYMENT
4.1. Fees and taxes
Customer shall pay all fees specified in all Purchase Orders hereunder. Except as otherwise specified herein or in a Purchase Order, (i) fees are based on the Opendatasoft Services subscription(s) purchased and not actual usage; (ii) payment obligations are non-cancelable; (iii) fees paid are non-refundable, except pursuant to Section 10.4 (Termination for Cause); and (iv) the subscription entitlement(s) purchased cannot be decreased during the relevant Subscription Term.
Unless otherwise stated, Opendatasoft's fees do not include any direct or indirect taxes, and in particular VAT. Customer is responsible for paying all taxes. If Opendatasoft has the legal obligation to pay or collect taxes for which Customer is responsible under this Section, the appropriate amount shall be invoiced to and paid by Customer, unless Customer provides Opendatasoft with a valid tax exemption certificate authorized by the appropriate tax authority.
4.2. Invoicing and payment
Except as otherwise provided, all fees are quoted and payable in euros. Fees for Services will be invoiced annually in accordance with the applicable Purchase Order(s). Customer is responsible for maintaining complete and accurate billing and contact information within the Services, including tax identification numbers.
4.3. Late payments
In case of late payment, Opendatasoft may impose late fees as contemplated in the invoice. If Customer's account is 30 days or more overdue after the payment limit mentioned in the Purchase Order, Opendatasoft may, in addition to any of its other rights or remedies, upon written notice, suspend Customer's access to the Services until such amounts are paid in full. If such failure to pay has not been cured within 60 days of the due date, then upon written notice, Opendatasoft may terminate this Agreement and any or all outstanding invoices in accordance with Section 10.4. When terms of payment are agreed between the Parties, such as payment in installments, the default of a single payment term makes the entire debt due and will lead to the immediate suspension of the Services.
5. PROPRIETARY RIGHTS
5.1. Reservation of rights
5.1.1. As between Opendatasoft and Customer, Customer exclusively owns and retains all rights, title and interest in and to all Customer Data.
5.1.2. Subject to the limited rights expressly granted hereunder, Opendatasoft reserves all rights, title and interest in and to the Services and, if applicable, Additional Services, and Customer retains all rights to the Customer Application, including all related intellectual property rights therein and to any improvements, enhancements or updates thereto.
5.2. Promotional use
Opendatasoft may use Customer's name and logo to identify Customer for the delivery of the Services and as a customer for promotional purposes.
5.3. Intellectual property rights
5.3.1. Customer acknowledges that the Services and, if applicable, Additional Services, and all their related components, are the exclusive property of Opendatasoft. The trademarks, logos, names, graphics, photographs, animations, videos, software, usage statistics, databases, platform, APIs, features, contents and texts created, published or recorded by Opendatasoft ("the IP rights") are the exclusive property of Opendatasoft and may not be reproduced, used or represented without its prior written authorization, in particular for promotional or commercial purposes, under penalty of legal action.
5.3.2. In consideration of the complete payment of the applicable fees, Opendatasoft grants Customer a personal, non-exclusive and non-transferable license to use the Services and, if applicable, Additional Services and the IP Rights in compliance with this Agreement, for the sole benefit of Customer, its Affiliates and/or any Authorized Third Party. Customer shall not assign, transfer, delegate or sublicense this license and the IP Rights to any third party, directly or indirectly, in any manner whatsoever without the prior written consent of Opendatasoft, except any Authorized Third Party.
5.3.3. Except as permitted by law, which cannot be excluded by mutual consent of the Parties, Customer is prohibited from any attempt to (i) copy, modify, reproduce, create any derivative work, alter, mirror, republish, upload, post, transmit or distribute all or any part of the IP Rights in any form, on any medium or by any means whatsoever; (ii) decompile, disassemble, reverse engineer or otherwise make comprehensible all or part of the IP Rights; (iii) access all or part of the Services and/or Additional Services in order to develop a competing application or service; (iv) access the Opendatasoft solution in source code or unlocked code with comments; and (v) use the Opendatasoft solutions, Services and/or Additional Services to provide services to third parties or license, sell, rent, lease, assign, distribute, display, disclose, commercially exploit or otherwise make available the Opendatasoft Services, Additional Services and/or IP Rights to any third party in breach of this Agreement.
5.3.4. Customer agrees to use reasonable efforts to prevent any unauthorized access to, or use of, the Opendatasoft platform, Services, Additional Services and IP Rights, and, in the event of any such unauthorized access or use, to promptly inform Opendatasoft.
5.3.5. If Customer provides Opendatasoft with any suggestions, comments, improvements, ideas or other feedback relating to the Services and/or Additional Services, Customer acknowledges and agrees that Opendatasoft may incorporate and use any such feedback without any obligation, payment, or restriction based on intellectual property rights or otherwise, excluding any Customer Confidential Information contained in the feedback.
5.4. Creations
5.4.1. As part of the Services or, if applicable, Additional Services, Opendatasoft may perform intellectual creation services consisting of the design of specific creations, APIs, contents or features ("Creations") for the benefit of Customer. Creations may, if necessary, be made from documents, information, images or any other content provided by Customer to Opendatasoft. In this case, Customer guarantees that said contents and their use do not infringe third-party's rights, nor constitute unfair competition.
5.4.2. Creations remain the property of Opendatasoft, and Customer only has the right to use Creations in accordance with the provisions of Section 5.3 hereof. In any event, it is agreed between the Parties that ownership of Creations may be transferred to Customer upon its acceptance of a specific quote and the payment of the corresponding invoice.
6. CONFIDENTIALITY
6.1. The receiving party shall use the same degree of care that it uses to protect the confidentiality of its own confidential information of like kind (but in no event less than reasonable care) and undertakes to (i) not use any Confidential Information of the disclosing party for any purpose outside the scope of this Agreement, and (ii) except as otherwise authorized by the disclosing party in writing, limit access to Confidential Information of the disclosing party to those of its and its Affiliates' employees, contractors and agents who need such access for purposes consistent with this Agreement and who are subject to written confidentiality obligations. Receiving party shall be liable for any breach of this Section 6 by its representatives. Other than as otherwise provided herein, neither party shall disclose the terms of this Agreement or any Purchase Order to any third party other than its representatives without the other party's prior written consent.
6.2. If the receiving party is compelled by law to disclose Confidential Information of the disclosing party, it shall provide the disclosing party with prior notice of such compelled disclosure (to the extent legally permitted) and reasonable assistance, at disclosing party's cost, if the disclosing party wishes to contest the disclosure.
6.3. If the receiving party discloses or uses (or threatens to disclose or use) or fails to limit access to any Confidential Information of the disclosing party in breach of the confidentiality obligations set forth herein, the disclosing party shall have the right, in addition to any other remedies available to it, to seek injunctive relief to enjoin such acts, it being specifically acknowledged by the Parties that any other available remedies are inadequate.
7. WARRANTIES & INSURANCE
7.1. Opendatasoft Warranties
Opendatasoft represents and warrants that (a) the Services will be materially performed in accordance with the Documentation and (b) their functionality and overall security will not materially be decreased during a Subscription Term. In the event of a breach of this Section 7.1, Customer's exclusive remedy shall be as provided in the Section 10.4.
7.2. Customer Warranties
7.2.1. Customer represents and warrants, both for itself, its Affiliates and any Authorized Third Party that, when using the Opendatasoft Services, Customer, its Affiliates or any Authorized Third Party will comply with all applicable laws and regulations and respect the rights of third parties and the provisions of this Agreement, including the Terms of Use. Specifically, Customer, its Affiliates and/or its eventual Authorized Third Party undertakes to (i) inform the End Users of the type of license and the source for Customer Data made available to End Users, (ii) publish on Customer Application terms of use and a privacy policy detailing the functionalities of its website as well as the data processing implemented under its responsibility; (iii) comply with French Law n°78-17 called "Informatique et Libertés" of January 6, 1978 as modified and the EU Regulation n°2016/679 of April 27, 2016 ("GDPR"), as well as with the recommendations of the CNIL and EDPB on personal data; (iv) not infringe third parties' rights, and in particular intellectual property rights, when creating, distributing or making available data to End Users; (v) not use the Services, in whole or in part, for illicit purposes. Customer assumes sole and entire liability for the content processed and/or made available on the Customer Application and/or by its Affiliates and/or any Authorized Third Party. Customer is duly informed that it is strictly forbidden to transmit and/or store and/or disseminate data of a pornographic, pedophilic, hateful and/or racist nature or inciting to hatred or discrimination. In any event, it is reminded that Customer uses the Services and, if applicable, gives access to its Affiliates or any Authorized Third Party under its sole and exclusive liability.
7.2.2. In case of use by Customer of public data, Customer agrees and undertakes, both for itself, its Affiliates and any Authorized Third Party, to comply with applicable laws and regulations on Open Data and the free re-use of public sector information for instance. Customer, its Affiliates and Authorized Third Party shall in particular ensure, within the framework of the license granted to End Users (allowing the free re-use of public information for commercial or non-commercial purposes), compliance with the following principles: (i) public information must not be altered or distorted; (ii) sources and date of their last update must be mentioned; and re-use comprising personal data must comply with French Law "Informatique et Libertés" of January 6, 1978 and the GDPR.
7.2.3. It is agreed between the Parties that any breach of Customer's warranties under Section 7.2 shall constitute a sufficiently serious breach that may result in non-performance or temporary suspension or termination of the Services and, as the case may be, Additional Services.
7.3. Insurance
Each Party declares that it holds a professional liability insurance policy with a reputable company covering the risks of its civil and commercial liability relating to the performance of this Agreement, and undertakes to provide evidence of said insurance policy upon the other Party's first written request.
8. MUTUAL INDEMNIFICATION
8.1. Indemnification by Opendatasoft
Opendatasoft shall defend, indemnify and hold Customer harmless from any final awarded damages, attorneys' fees and judgments or settlements ("Damages") arising from any claims, demands, suits or proceedings made or brought by a third party ("Claims") against Customer alleging (a) that Customer's use of the Services and/or Additional Services within the scope of this Agreement infringes the intellectual property rights of such third party; (b) a breach by Opendatasoft of its confidentiality obligations under Section 6 hereof; or (c) gross negligence or willful misconduct by Opendatasoft.
If Opendatasoft receives information about an infringement Claim related to the Services and/or Additional Services, Opendatasoft shall in its discretion and at no cost to Customer (i) modify the Services and/or Additional Services so that they no longer infringe, without breaching Opendatasoft's warranties under "Opendatasoft Warranties" above, (ii) obtain a license for their continued use by Customer in accordance with this Agreement, or if (i) and (ii) are not reasonably practicable, then (iii) terminate Customer's subscriptions for the Services and/or Additional Services upon 30 days' written notice and refund Customer any prepaid fees covering the remainder of the term of the terminated subscriptions. Opendatasoft shall have no obligation to indemnify or defend Customer to the extent any Claim arises from Customer's use of any Third-Party Provider's services, or Customer's use of the Services and/or Additional Services in breach of this Agreement.
8.2. Indemnification by Customer
Customer shall defend, indemnify and hold Opendatasoft harmless from any damages arising from any Claims against Opendatasoft alleging (a) violation of applicable law arising from Customer's use of the Services and/or Additional Services in breach of this Agreement; (b) that Customer Data infringes intellectual property rights of a third party; (c) a breach by Customer of its confidentiality obligations under Section 6 hereof; or (d) gross negligence or willful misconduct by Customer, and will indemnify Opendatasoft from any final awarded damages against Opendatasoft incurred in connection with a Claim.
8.3. Procedure
The Party seeking indemnification must: (a) promptly notify the indemnifying party in writing of the applicable Claim for which indemnification is sought; provided, that failure to notify shall not relieve a party of its indemnification obligations unless the indemnifying party has been materially prejudiced thereby; (b) give the indemnifying party sole control of the defense and settlement of the Claim (except that the indemnifying party may not settle a Claim unless it unconditionally releases the indemnified party of all liability); and (c) provide the indemnifying party with all non-monetary assistance, information and authority reasonably required for the defense and settlement of such Claim.
9. LIMITATION OF LIABILITY
9.1. Limitation of Liability
OPENDATASOFT'S LIABILITY WITH RESPECT TO ANY SINGLE INCIDENT ARISING OUT OF OR RELATED TO THIS AGREEMENT OR ITS PERFORMANCE WILL NOT EXCEED 20 (TWENTY) % OF THE TOTAL NET AMOUNT PAID BY CUSTOMER FOR ACCESSING THE SERVICES IN THE TWELVE MONTHS PRECEDING THE INCIDENT GIVING RISE TO LIABILITY.
9.2. Exclusion of Indirect Damages
IN NO EVENT SHALL EITHER PARTY HAVE ANY LIABILITY TO THE OTHER PARTY FOR ANY LOST PROFITS OR FOR ANY INDIRECT, SPECIAL, INCIDENTAL, PUNITIVE, CONSEQUENTIAL OR COVER DAMAGES OF ANY KIND OR NATURE HOWEVER CAUSED AND, WHETHER IN CONTRACT, TORT OR UNDER ANY OTHER THEORY OF LIABILITY, WHETHER OR NOT THE PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
10. TERM & TERMINATION
10.1. Term of the Agreement
This Agreement commences on the Start Date and continues until all Purchase Orders entered into hereunder have terminated or expired pursuant to the terms hereof and subject to Section 10.3 below.
10.2. Subscription Term
Subscriptions to the Services commence on the Start Date and continue for the Subscription Term specified in the applicable Purchase Order. Unless otherwise set forth in a Purchase Order, subscriptions shall only renew upon the mutual agreement of the Parties. Notwithstanding anything to the contrary, any renewal in which subscription volume for any Services has decreased from the prior term will result in re-pricing at renewal without regard to the prior term's per-unit pricing.
10.3. Continued Use
In the absence of automatic renewal or a signed renewal Purchase Order, upon expiration of the applicable Purchase Order, Opendatasoft will cease providing the Services to Customer. In the event that the Parties are negotiating renewal in good faith, Opendatasoft may, for a limited period of time, allow Customer to continue to use the Services hereunder beyond the expiration of such Purchase Order, and Customer agrees: (i) to pay for such use of the Services in an amount equal to the fees in effect immediately prior to such expiration (entitlements and fees prorated for such period), and (ii) that Opendatasoft will cease providing the Services at the end of such period if Customer has not signed a new Purchase Order.
10.4. Termination for cause
A party may terminate this Agreement for cause: (a) upon 7 days' written notice of a material breach to the other party if such breach remains uncured at the expiration of such period; or (b) immediately if the other party becomes the subject of a petition in bankruptcy or any other proceeding relating to insolvency, receivership, liquidation or assignment for the benefit of creditors. Upon any termination for cause by Customer, Opendatasoft shall refund Customer any prepaid fees covering the remainder of the Subscription Term after the date of termination. Termination for cause by Customer shall not relieve Customer of the obligation to pay any fees accrued or payable to Opendatasoft prior to the effective date of termination. Upon any termination for cause by Opendatasoft, Customer shall remain obligated to pay all fees owed for the remainder of the Subscription Term within 30 days as from the termination's written notice.
10.5. Customer Data Reversibility & Deletion
Following the termination or expiration of this Agreement, Opendatasoft shall delete or securely overwrite Customer Data, in accordance with this Agreement, applicable laws and the Documentation, and provide Customer with any supporting evidence in that respect at Customer's request. Within thirty (30) Business Days from the termination of this Agreement, Opendatasoft will provide Customer with the following, upon Customer's written request: metadata sheets of all datasets, in JSON format; raw data loaded on the platform (resources, attachments), in their original format; resulting datasets, in JSON format; editorial content, in HTML and CSS format; and list and groups of users and their associated roles, in CSV format. Opendatasoft will proceed at the same time to the definitive deletion of all Customer Data on its platform and servers.
10.6. Surviving Provisions
Section 1 and Sections 3 through 11 of this Agreement shall survive any termination or expiration of this Agreement.
11. DATA PROTECTION
Each Party warrants to the other that it will comply with all legal and regulatory obligations applicable to its processing of personal data as data controller.
By signing this Agreement, Customer accepts Opendatasoft's Privacy Policy as made available at: https://legal.opendatasoft.com/fr/privacy-policy.html
To the extent that Opendatasoft processes any Personal Data contained in Customer Data, on Customer's behalf, in the provision of the Services, the terms of the Annex 4 "DPA" shall apply and the Parties agree to comply with such terms.
12. GENERAL PROVISIONS
12.1. Relationship of the Parties
The Parties are independent contractors. This Agreement does not create a partnership, franchise, joint venture, agency, fiduciary, or employment relationship between the Parties.
12.2. Non-solicitation Clause
Each of the Parties agrees not to engage or cause to be engaged, directly or through intermediary personnel, any employee of the other party. This commitment is valid for the duration of this Agreement and for a minimum of 2 (two) years after its expiration or termination. In the event of non-compliance with this provision, it is agreed between the Parties that the penalty charged will be equivalent to 1 year's salary offered by the new employer.
12.3. Anti-Corruption
Neither party has received or been offered any illegal or improper bribe, kickback, payment, gift or thing of value from an employee or agent of the other party in connection with this Agreement.
12.4. Notices
All notices under this Agreement shall be sent in writing via mail or email. Notices of termination or of an indemnifiable claim ("Legal Notices") shall be identified as Legal Notices. Notices to Opendatasoft shall be addressed to: legal@opendatasoft.com. Legal Notices to Customer shall be addressed to: [Legal Contact ].
12.5. Waiver and Cumulative Remedies
No failure or delay by either Party in exercising any right under this Agreement shall constitute a waiver of that right. Other than as expressly stated herein, the remedies provided herein are in addition to, and not exclusive of, any other remedies of a party at law or in equity.
12.6. Severability
Any provision of this Agreement which is prohibited and unenforceable in any jurisdiction shall, as to such jurisdiction, be ineffective to the extent of such prohibition or unenforceability without invalidating the remaining provisions hereof or affecting the validity or enforceability of such provisions in any other jurisdiction.
12.7. Governing Law
This Agreement shall be governed exclusively by French Law.
12.8. Dispute & Jurisdiction
In the event of a dispute between the Parties regarding this Agreement and their respective obligations, they shall endeavor to find an amicable solution within 30 days as from a written notice sent by a party to the other by email or registered letter with acknowledgement of receipt. In the absence of an amicable solution, any dispute between the Parties will be subject to the jurisdiction of the Commercial Court (tribunal de commerce) of Paris.
12.9. Entire Agreement
This Agreement is the entire agreement between the Parties regarding Customer's use of the Services, and supersedes all prior and contemporaneous agreements, proposals or representations, written or oral, concerning its subject matter. No modification, amendment, or waiver of any provision of this Agreement shall be effective unless in writing and signed by the Parties. The Parties agree that any term or condition stated in a Customer's purchase order or in any other Customer's documentation (excluding Purchase Orders) is void. In the event of any conflict or inconsistency among the following documents, the order of precedence shall be: (1) the applicable Purchase Order and (2) this Agreement. The English language used in this Agreement shall be deemed to be language chosen by both Parties hereto to express their mutual intent, and no rule of strict construction against either Party shall apply to rights granted herein or to any term or condition of this Agreement.
ANNEX
Service Level Agreement
This Service Level Agreement describes and sets forth maintenance and support services provided by Opendatasoft to Customer in connection with the Services ("Support").
1. General
Opendatasoft makes available the Support as described below for Customer's use of the Services.
2. Definitions
Capitalized terms not defined herein shall have the meaning set forth in the Terms of Services:
"Anomaly" means any repetitive and reproducible default or failure in the access and/or use of all or part of the Opendatasoft Services;
"Hosting Infrastructure" means all the cloud and/or physical data center facility, system and network monitoring, Opendatasoft equipment, and other physical infrastructure used by Opendatasoft to provide the Services.
"Upgrades" means technical upgrades of the Services, if and when available, that Opendatasoft generally releases from time to time to Customer without additional fees. Upgrades may include new features or functionality to the Services.
3. Access and Availability
Opendatasoft Services are accessible 24 hours a day, 7 days a week, except in the event of force majeure or an event beyond the control of Opendatasoft and subject to any breakdowns and interventions necessary for the proper functioning of the Services.
Opendatasoft shall use its best efforts to ensure the availability of the Opendatasoft Services, as described herein. In this regard, Opendatasoft guarantees a monthly availability of 99.9% of end-user's data points of access to Opendatasoft's Services (dataset catalog, pages, and search APIs). Availability is defined as the capacity of Opendatasoft to serve the requests of the Users on an already integrated set of data. It therefore does not take into account the possible cases of exceeding the quotas or of poorly or partially integrated data.
The monthly availability is the ratio of the number of minutes the service has been available to the total number of minutes in the considered month. The service is considered unavailable when Opendatasoft's external monitoring probes fail for a full consecutive minute, as checked from several different locations on the internet.
However, Opendatasoft shall not be held responsible for any disruptions, interruptions and/or anomalies that are not of its own making and that affect transmissions via the Internet network and more generally via the communication network, regardless of the extent and duration thereof, as well as for any downtime resulting from emergency maintenance required in order to ensure the security of the platform or its data.
4. Upgrades and Maintenance
As part of Support, Opendatasoft will make available to Customer all Upgrades applicable to the Services purchased by Customer as and when such Upgrades are made generally available by Opendatasoft. Customer is reminded that it has no right to maintain previous versions.
Opendatasoft may need to carry out maintenance operations on all or part of its Services, for the improvement and installation of new features, for auditing the proper functioning of the Services, or in case of malfunction or threat of malfunction.
Maintenance and Upgrades may result in temporary unavailability or interruption of all or part of the Services.
Opendatasoft will inform Customer, by any means and at least 15 days in advance, of the occurrence of the evolutionary maintenance operations that are expected to have a significant impact on the availability of the Services (beyond our standard SLA).
In such cases, Opendatasoft shall not be liable to Customer for any compensation or damages whatsoever.
5. Technical Support
Support is provided at no additional cost to Customer during Business Days and hours by e-mail to: support@opendatasoft.com.
Support is provided in French or English.
Customer contacts accessing Support must be registered with Opendatasoft in order for Opendatasoft to verify authorized representatives for communications and notices.
When notifying, Customer shall describe the incident and its effects and provide Opendatasoft with any available information sufficient to enable Opendatasoft to identify and reproduce the Anomaly.
Customer shall also reasonably designate the level of severity of the Anomaly pursuant to the criteria below:
- "Blocking Anomaly": any operating anomaly that makes it impossible to use all or part of the Opendatasoft Services;
- "Semi-blocking Anomaly": any operating anomaly that prevents normal use of all or part of the Opendatasoft Services;
- "Non-blocking Anomaly": any operating anomaly that does not prevent normal use of the Opendatasoft Services.
Upon receipt of a Support request, and subject to the providing by Customer of the above required information, Opendatasoft will make its best efforts to respond within the following timeframes:
- Blocking Anomaly: 4 hours (Business Days) as from Customer's notification by e-mail;
- Semi-blocking Anomaly: 8 hours (Business Days) as from Customer's notification by e-mail;
- Non-blocking Anomaly: No later than 5 Business Days as from Customer's notification by e-mail.
Customer will update Opendatasoft as additional information becomes available, and in particular provide Opendatasoft with:
- information which clearly and specifically identifies the Anomaly experienced;
- information in order for Opendatasoft to reproduce the Anomaly;
- screenshots and error messages;
- network information: source IP address, public IP address, trace route and ping information;
- log files (client side);
- contact information.
If Customer fails to notify Opendatasoft or if its notification is insufficiently documented to allow Opendatasoft to identify or reproduce the Anomaly, Opendatasoft shall not be held responsible. The same applies in case of:
- failure to comply with the deadlines for correction following an Anomaly that has not been notified as described above or that has been notified in an insufficient manner (insufficiently documented);
- misuse of server resources;
- Anomalies with an external origin to Opendatasoft.
Further, Opendatasoft may request to share a computer display via a screen sharing technology to troubleshoot and resolve certain problems.
Any remote access by Opendatasoft to Customer's systems is always subject to Customer's consent, in Customer's sole discretion, and conducted in accordance with Customer's security policies and procedures.
Version updated October 2021
ANNEX 4
DATA PROTECTION AGREEMENT
The purpose of this Annex, which represents a Data Protection Agreement, is to define the conditions in which Opendatasoft manages Processing in its capacity as Processor for the Customer, who is the Controller.
It is in this regard that, in the context of their contractual relationship, the Parties undertake to comply with existing regulations with respect to the Processing of Personal Data and, in particular, EU regulation 2016/679 (the "GDPR") of April 27, 2016, and applicable since May 25, 2018; Law No. 78-17 relative to data processing, data files and individual liberties (the Law of January 6, 1978) and its subsequent amendments, the recommendations set forth by the European Data Protection Board and by the French National Commission for Information Technology and Civil Liberties (CNIL). As a sign of its commitment and of its high level of compliance, Opendatasoft obtained the GDPR Governance label (No. 2018-271), awarded by the CNIL on June 21, 2018.
It is in this context that the Parties have come together to conclude this present Agreement.
1. DEFINITIONS
For the needs of this document, and notwithstanding all other definitions set out in the Agreement, the following terms will have the meanings given below:
Agreement: This designates the present Data Protection Agreement, supplemented by the following Appendices:
In the event of a conflict in terms of Personal Data Processing between the Terms of Service and this Agreement, the provisions of the latter shall prevail over the former.
Authorized Data recipient: This designates an administrator, an employee or a Sub-Contractor of Opendatasoft who has a legitimate need to access Personal Data as part of fulfilling the Service Contract.
Authorized Purposes: This designates the reasons for which the Processing of Personal data is carried out by Opendatasoft in accordance with Appendix 1, "Details concerning the Processing of Data."
Controller: This designates the Customer in their status as a legal entity who alone determines the means and purposes of the Processing carried out by Opendatasoft within the scope of the Service Contract.
Data: This designates all types of information and/or data to which the Parties have access within the context of contractual relationships, regardless of their format or medium, whether Personal Data or not (e.g.: financial data, customer's data, strategic data, technical data, professional data, administrative data, commercial data, legal data, accounting data, etc.).
Data Protection Regulations: This designates the regulations in force concerning the Processing of Personal data and, in particular:
Datasets: This designates data generated by the Customer, published on the Opendatasoft Platform and made accessible to all or some of the different categories of users, depending on the offer subscribed by the Customer and the licenses offered by the latter to the users.
Data subject: This designates any natural person whose Personal Data is Processed.
Instructions: This designates the instructions written for Opendatasoft by the Controller. These instructions follow strict formal requirements and cannot be considered valid instructions unless they are formulated by the Customer in writing in the form of this Agreement, an email or an official letter written by a duly authorized person. The instructions will be accompanied with all necessary documentation required for their proper fulfillment.
Non-member country: This designates any State that is not a member of the European Union. This terminology also incorporates any international organization made up of non-EU member states.
Personal Data: This designates all information relating to an identified natural person or an identifiable natural person, either directly or indirectly by means of aggregated information, by reference to an identification number or by means of elements that are particular to him/her: name, address, telephone number, IP address, email address, vehicle registration number, professional registration number, user name/login, password, login data, etc.
Personal Data Breach: This designates a security breach that entails the accidental or unlawful access to, or destruction, loss, alteration or non-authorized disclosure of transmitted, stored or processed Personal Data.
Platform: This designates the platform published by Opendatasoft, as well as all of its graphic, audio, visual, software and textual components. The Platform is the exclusive property of Opendatasoft. It is made available to the Customer as part of the sub-contracted Processing activities.
Processing: This designates any operation or set of operations, whether carried out or not by means of automated processes, and applied to Personal data or sets of Personal data, such as collection, recording, organization, structuring, conservation, adaptation or modification, extraction, consultation, use, communication by transmission, dissemination or any other means of provision, reconciliation or linking, limitation, deletion or destruction.
Processor: This designates Opendatasoft in its status as a legal entity carrying out the Processing of Personal Data on behalf of, and following the Instructions of the Customer. Any Opendatasoft sub-contractor who carries out Processing on Personal Data by strictly following the Instructions provided by the Controller is called a "Sub-processor".
Regulatory authority: This designates any competent authority in terms of the protection of Personal Data.
Security Policy: This designates Opendatasoft's internal security policy, which is regularly updated. This Security policy consists of, specifically:
Sensitive Data: This designates the particular categories of Personal Data, the Processing of which is, in principle, forbidden by GDPR. This means Personal Data that reveals one's racial or ethnic background, political opinions, religious or philosophical beliefs or union membership, as well as the Processing of genetic data, biometric data with the aim of identifying an individual natural person, data concerning health or data concerning the sexual life or sexual orientation of a natural person.
Services: This designates the services provided by Opendatasoft within the scope of the Service Contract.
Service Contract: This designates the contract as defined in Article 2 of the General Terms of Service.
2. CONTRACT PERIOD AND HIERARCHY
2.1. This Agreement enters into force upon being signed and remains applicable throughout the duration of the Service Contract.
2.2. This Agreement supersedes any applicable clause concerning the Personal Data protection that may be found in the Service Contract, or any other document. In the event of any contradiction, the Parties expressly agree that the present Agreement shall prevail over the Service Contract.
3. NOMINATION AND ROLE OF OPENDATASOFT
The Customer, in its capacity as Controller, designates Opendatasoft as Processor for the processing of Personal Data in the Customer's name and on the Customer's behalf with the aim of fulfilling the Authorized Purposes specified in Appendix 1 of this Agreement as part of providing the Services.
In accordance with applicable regulations, Opendatasoft has appointed a data protection officer, who can be contacted by email at dpo@opendatasoft.com or by mail at the following address: OPENDATASOFT -- Service DPO, 50, boulevard Haussmann, 75009 Paris.
4. INSTRUCTIONS AND COMPLIANCE
4.1 Opendatasoft guarantees the Customer that it will:
- process only those Personal Data necessary to fulfill the Authorized Purposes, in accordance with the Instructions defined in Appendix 1, and agrees not to process Personal Data for other purposes;
- comply with the Data Protection Regulations, as well as the Instructions formulated by the Customer, and agrees to ensure that the Regulations and Instructions are respected by the Authorized recipients and Sub-processors;
- ensure that all systems, services and products used in the context of the Personal Data processing are in compliance with the Data Protection Regulations;
- cooperate with and conform to the instructions or decisions of any Regulatory Authority within a time period that would enable the Customer to meet the deadlines imposed by said Authorities; and
- not do, fail to do or allow anything to be done that would lead the Customer to violate the Data Protection Regulations.
4.2 Opendatasoft is not responsible for hosting Sensitive Data, nor is Opendatasoft an "Approved Host of Health Data" as referred to in Article L1111-8 of the French Public Health Code. Any Customer who processes Sensitive Data will be wholly liable for its actions, and Opendatasoft cannot be held liable for these actions.
5. COOPERATION AND ASSISTANCE
Opendatasoft agrees to:
- designate a special representative responsible for representing Opendatasoft with regard to the Customer. This special representative will have the experience, skills, and the authority and means necessary to carry out his/her job;
- actively support and participate in a logic of cooperation with the aim of ensuring compliance with the Regulations on the protection of Data and the best practices recommended by the Customer in the context of these regulations. To this end, Opendatasoft agrees, with the aim of fully cooperating with the Customer, to provide the Customer with all the means at its disposal, such as information on the Processing entrusted to it, and assistance in the event of a complaint, a request for advice or communication, or a real or presumed security breach affecting Personal Data. Moreover, Opendatasoft agrees not to make any public declaration or announcement to a third party, including a Regulatory Authority, without first having consulted the Customer concerning the content of such a public declaration or announcement, unless expressly stipulated otherwise by the laws of a Member State or Nonmember Country;
- make its personnel aware of the issues surrounding the protection of Personal Data;
- modify, transfer and/or delete the Personal Data held by Opendatasoft or in its name by a Sub-processor, in accordance with any written Instruction made by the Customer;
- notify the Customer of any technological progress and progress in working methods that would involve making changes to the Security Policy;
- inform the Customer immediately:
  - if the Instructions provided by the Customer relating to Processing are illegal, or if they appear to be contrary to the principles and recommendations of the Regulatory Authority;
  - in the event that a Personal Data Breach occurs, or in the event of a security breach affecting Opendatasoft's IT system or the IT system of one of its Sub-processors, and to do so immediately after being made aware of it, as stipulated by Article 6.2 of this Agreement;
  - if Opendatasoft or a Sub-processor receives a complaint, a notification or a message from a Regulatory Authority directly or indirectly concerning the Processing or the compliance of one or the other Party with the Data Protection Regulations; and
  - if Opendatasoft or a Sub-processor receives a complaint, a notification or a message from a Data Subject who is exercising his/her rights.
- help the Customer to comply with the obligations set forth in Articles 32-36 of the GDPR, by taking into account the nature of the Processing and the information made available to Opendatasoft. This assistance can include providing information and assistance in order to perform privacy impact assessment relating to the Processing operations conducted by Opendatasoft.
6. SECURITY
6.1. With respect to the Customer, Opendatasoft agrees to:
- ensure that all appropriate technical and organizational measures have been put in place against the destruction (whether accidental or unlawful), loss, modification, and unauthorized disclosure or access to the Personal Data held or processed by Opendatasoft, including all necessary measures to ensure compliance with the security requirements concerning Personal Data contained in the Data Protection Regulations;
- enable the tracking of actions performed on the Platform by means of a tool that concentrates and correlates tracking of access to APIs and to the Platform itself;
- implement the Security Policy;
- ensure that the Authorized Recipients and Sub-processors comply with the provisions of its Security Policy, and to furthermore integrate all of the reasonable requests made by the Controller relating to the security and Processing of Personal data; and
- carry out the differentiated outsourcing of Data provided by the Customer so as to ensure the integrity of the Data is protected and to ensure the continuity of the Services. Opendatasoft ensures that the Sub-processors providing hosting services have ISO-27001 certification.
6.2. In the event of a real or potential Personal Data Breach that affects Opendatasoft's Services or those of a Sub-processor, Opendatasoft agrees to:
- notify the Customer of any security breach that could lead to a Personal Data Breach, and to do so as soon as possible, within a maximum of one working day following awareness of said breach, by email;
- provide with the notification all useful documentation allowing the Customer, if necessary, to advise the Competent supervisory authority or Data Subjects of this violation. In this regard, Opendatasoft will clarify, to the extent that it is possible, the following points:
  - a description of the nature of the Personal Data Breach, including, if possible, the categories and approximate number of People affected by the breach and the categories and approximate number of Personal Data records concerned;
  - the name and contact information of the Data Protection Officer and/or another contact person from whom additional information may be obtained;
  - a description of the probable consequences of the Personal Data Breach; and
  - a description of the measures taken or being considered by Opendatasoft to remedy the Personal Data Breach, including, as appropriate, measures to reduce the potential negative consequences.
- communicate the information defined above in intervals and without undue delay in the event that it is not possible for Opendatasoft to supply all the precise information at the same time, or if further clarification can be provided to certain information already communicated.
6.3. Opendatasoft will carry out an annual review of its Security Policy and will regularly update it, to reflect:
- emerging changes in technological advances and best practices;
- any change or proposed change to the procedures, sites and systems of Opendatasoft, the Services and/or related processes;
- any new perceived or modified threat to the procedures, sites and systems of Opendatasoft; and
- any reasonable request made by the Customer to modify or upgrade practices.
7. ACCOUNTABILITY
With respect to the Customer, Opendatasoft agrees, in terms of accountability, to:
- keep the record of processing activities up-to-date as stipulated by Article 30 of the GDPR, and to keep a record of all Processing and Instructions relating to Processing carried out on behalf of the Customer;
- keep the record of security breaches up-to-date, which is logged by Opendatasoft as soon as there is a Personal Data Breach, whether or not this breach was the subject of a notification to the Regulatory Authority;
- maintain documentation relating to the training or awareness raising of Opendatasoft employees regarding Personal Data Protection;
- document, to the greatest extent possible, all of the procedures implemented by Opendatasoft in terms of Personal Data Protection by means of its Security Policy;
- regularly update its Security Policy, as stipulated in Article 6 of this document;
- provide the Customer, upon request, with a Security Assurance Plan.
8. RECIPIENT OF PERSONAL DATA
8.1 Opendatasoft guarantees the Customer that it will:
- limit access to Personal Data to only those Authorized Recipients and Sub-processors who require access to the Data. When one of its employees accesses Data, Opendatasoft ensures that this access is strictly limited to the employee's professional responsibilities;
- ensure that all of the Authorized Recipients are aware of the Data Protection Regulations, and are aware both of the duties of Opendatasoft and of their own personal duties and obligations in relation to these Regulations and to this Agreement;
- impose on the Authorized Recipients and Sub-processors legally binding confidentiality and security obligations equivalent to those contained in this Agreement; and
- ensure that the Authorized Recipients and Sub-processors comply with the Data Protection Regulations, and document this obligation in writing.
8.2. As part of providing the Services, Opendatasoft is expressly authorized by the Customer to designate one or several Sub-processors for the processing of Personal Data:
- provided that a sub-processing contract is concluded with the Sub-processor before the Sub-processor transfers or accesses Personal Data, and that said contract contains obligations relating to Processing that are the same as those set forth in this Agreement; and
- provided that Opendatasoft ensures that the Sub-processor fulfills the obligations concerning Personal Data Protection and confidentiality, as set forth in the Sub-processing contract.
8.3. All sub-processing carried out within the scope of the Services does not release Opendatasoft from its responsibilities and obligations toward the Customer in relation to this Agreement. Opendatasoft remains wholly liable for any acts and omissions committed by its Sub-processors.
9. DATA SUBJECTS
9.1 With respect to the Customer, Opendatasoft agrees, as part of a Data Subject's request to exercise his/her rights:
- to notify the Customer immediately and within a maximum of 5 Business Days of any request by a Data Subject who wishes to exercise his/her rights by virtue of the Data Protection Regulations, notably concerning requests for access, rectification and deletion of Data, as well as requests for the portability of Data and opposition to Processing;
- to fully cooperate with the Customer with the aim of responding, within a reasonable time period, considering the nature and number of requests, to the requests of Data Subjects who wish to exercise their rights by virtue of the Data Protection Regulations; and
- to not disclose Data, including Personal Data, to the Data Subject without having first consulted and obtained written consent from the Customer.
9.2 Any operation carried out by Opendatasoft as part of a Data Subject's request to exercise his/her rights may, as appropriate, result in additional invoicing, taking into account the technical investigations carried out.
10. TRANSFER TO NON-MEMBER COUNTRIES
10.1. Opendatasoft will not carry out any transfer of Personal Data to Non-member Countries without first obtaining written consent from the Customer, who may refuse consent or impose conditions on it that the Customer, in their absolute discretion, judges appropriate.
10.2. Opendatasoft shall conform to the Instructions provided by the Customer concerning the transfer of Data to Non-member Countries, except in the case where Opendatasoft is bound, in compliance with applicable laws, to transfer Personal Data to a Nonmember Country. In this specific case, Opendatasoft will inform the Customer in writing before such a transfer takes place, unless applicable law prohibits such notification.
10.3. By this Agreement, the Customer consents to the transfer of Personal Data to the entities and locations mentioned in Appendix 1, strictly for the purposes of providing the Services, and provided that:
- the Non-member Country is a country that, according to the European Commission, has proven that it has an adequate level of Personal Data Protection; or
- Opendatasoft fulfills one of the following conditions:
  - Opendatasoft enters into or obtains, from the entity identified in Appendix 1, a data transfer agreement that makes use of the Standard Contractual Clauses developed by the European Commission;
  - The transfers carried out with the entity mentioned in Appendix 1 are included in the derogations for specific situations set forth in Article 49 of the GDPR.
10.4. Opendatasoft ensures that no onward transfer of Personal Data towards another Non-member Country will take place unless the Customer has provided prior consent to this transfer, or that this onward transfer meets the requirements established in Article 10.3 of this document.
11. ADDITIONAL REQUIREMENTS
Throughout the contractual relationship, the Customer may identify additional requirements other than those identified in this Agreement in order to comply with its obligations in terms of the Data Protection Regulations.
When the Customer identifies additional requirements, the Parties shall collaborate in good faith to agree to modifications to this Agreement that will enable Processing to be carried out in conformity with said additional requirements. The costs associated with the implementation of these additional requirements will be borne by the Customer.
12. LIABILITY
12.1. Opendatasoft agrees to implement all necessary and reasonable measures to ensure the security of Processing, and will therefore be liable for damages related to a security failure attributable to Opendatasoft that leads to the unavailability, loss of traceability, doubts as to the integrity or a lack of confidentiality of Personal Data. It is nevertheless expressly agreed between the Parties that zero risk in terms of IT security does not exist.
12.2. Opendatasoft's liability under this Agreement whether in contract, tort, or under any other theory of liability is subject to the limitation of liability provisions of the Service Contract.
13. AUDIT AND INSPECTION
13.1. The Customer may order on-site audits in order to ensure that Opendatasoft maintains a high level of compliance. This audit will focus on the elements discussed in Article 7 of this document. This audit will be carried out at the sole expense of the Customer.
13.2. The Customer may call for audits with the aim of ensuring compliance with the Data Protection Regulations concerning Processing operations carried out for the purposes of providing the Services in the conditions defined hereafter:
- the audit is performed by an outside auditor selected together by both Parties for its expertise, independence, and impartiality;
- The selected auditor is bound to the Parties by a Confidentiality Agreement and/or professional secrecy.
- The Customer will notify Opendatasoft, in writing and with an advance notice of a minimum of thirty (30) working days, of its intention to perform a compliance audit;
- The audit performed must in no way impair or slow down the Services proposed by Opendatasoft, or adversely affect the organizational management of Opendatasoft. The audit operations must not involve actions which could damage the infrastructure hosting the SERVICE or interfere with other SERVICES provided by Opendatasoft to other customers. During the audit, the Customer agrees to comply with the general conditions of the Infrastructure as a Service (IaaS) provider hosting their domain. Opendatasoft will, upon request, communicate the relevant general terms;
- An identical copy of the audit report will be sent to both the Customer and Opendatasoft following the completion of the audit process, and the Parties may make remarks on it. If necessary, this report may be subject to a thorough review by a steering committee.
- The cost of the compliance audit will be borne exclusively by the Customer;
- The Customer will only be able to order a compliance audit one (1) time per year; and
- Opendatasoft will have three (3) months as from the presentation of the audit report to correct, at its expense, the deficiencies and/or nonconformities noted.
- The Customer must communicate all useful information concerning the penetration test, including:
  - The contact details of the auditor and the persons in charge of the audit.
  - IP addresses used for the penetration tests.
  - The tools used for the test.
- The Customer will only be able to perform penetration tests from their application and using their login details.
13.3. Opendatasoft agrees to allow selected auditors access to the sites, installations, documents and information required, with the aim of assessing its proper level of compliance, and to cooperate fully with the auditors to help them successfully carry out their assignment.
13.4. In the event of an inspection carried out by a competent Regulatory Authority with an interest in the Customer's Processing, Opendatasoft agrees to fully cooperate with the Regulatory Authority.
13.5. In the event of an inspection carried out by a competent Regulatory Authority with respect to the Customer, Opendatasoft agrees to fully assist the latter concerning the Processing carried out by means of the Platform.
13.6. All Data collected during Audits and Inspections are considered "Confidential Data".
14. MODIFICATIONS TO THE AGREEMENT
14.1. This Agreement cannot be modified except in writing and when signed by the duly authorized representatives of each Party.
14.2. In the event of a modification to the Data Protection Regulations, it is agreed that the Parties may revise the provisions of this Agreement, and negotiate in good faith to comply with the updated Data Protection Regulations.
******
Appendix 1: DATA PROCESSING DETAILS
A. Opendatasoft's governance
Data Protection Officer | François-Xavier Boulin, dpo@Opendatasoft.com |
Representative | David THOUMAS - CTO, david.thoumas@opendatasoft.com |
B. Details concerning the processing of data
Categories of data subjects | Users of Opendatasoft Services; Customer's contacts |
Categories of Data | Data relating to the users of Opendatasoft Services; Datasets published by the Customer on the Platform |
Categories of Processing carried out: please indicate all the processing activity performed by Opendatasoft | The following categories of Processing are carried out from the Platform: The following categories of Processing can be carried out according to the desires of the Customer: |
Duration: please indicate how long the processing activities will be carried out | The processing activities are carried out throughout the duration of the contractual relationship between Opendatasoft and the Customer. |
Retention periods: please indicate the period for which the Data categories will be saved, and the reason they are saved | The Datasets published on the Platform are retained throughout the duration of the contractual relationship between Opendatasoft and the Customer. These Datasets are then retained in intermediate archives for a period of 30 days so as to carry out, as applicable, reversibility operations. |
Transfer outside the EU: Opendatasoft is located outside the European Union - ODS LLC can be a data recipient if authorized by the customer | Personal Data are transferred outside the European Union to the United States. The Sub-processors make use of Standard Contractual Clauses. |
C. Authorized Sub-processors
Identity of the Sub-processor | Categories of processing carried out | Location of processing operations | Transfer outside the EU | Concerned Data | Comments |
---|---|---|---|---|---|
AWS | Hosting and user account | Europe | No | Customer data uploaded to services under AWS accounts selected by ODS if this host is selected (see financial appendix) | If selected. SOC 1/ISAE 3402, SOC 2, SOC 3; FISMA, DIACAP, and FedRAMP; PCI DSS Level 1; ISO 9001, ISO 27001, ISO 27017, ISO 27018 |
Outscale | Hosting | France | No | Customer data uploaded to services under Outscale accounts selected by ODS if this host is selected (see financial appendix) | If selected. Outscale has an information security management system in accordance with the requirements of ISO 27001:2013 and is committed to implementing the security measures provided for by ISO 27001 certification |
ElasticCloud | Analytics, system and application traces, logs, metrics, alerts, for Opendatasoft Infrastructure (SRE team) | Europe | No | Metadata concerning system and application traces, logs, metrics | SOC 2 - CSA STAR - ISO/IEC 27001 - ISO/IEC 27017 - ISO/IEC 27018 - FedRAMP - SOC 3 - ISAE 3000; DPA / SCC |
Datadog | Analytics, system and application traces, logs, metrics, alerts for Opendatasoft Infrastructure team (SRE) | Europe | No | Metadata concerning system and application traces, logs, metrics | ISO 27001; DPA / SCC |
Algolia | User and dataset search in backoffice | France | No | Names, usernames, e-mail address, metadata linked to datasets, backoffice research activity | ISO 27001 (BSI C5), ISO 27017, SOC 2 Type 2 - SOC 3; DPA |
Beamer | Product news notification in back office | USA | Yes | Date and time of the Beamer script loading; preferred language used to access Beamer; IP address in anonymous format; device type (unique device identifier); operating system and browser type; geographic location (approximate); URL and referral domain; anonymized aggregate statistic | Only for domain administrator; DPA / SCC |
Google reCAPTCHA | Captcha for public forms, account management. Used to protect against bots in forms of: account creation, sending message, reuse submission | USA | Yes | Metadata provided by the user's browser | DPA / MCC |
JawgMaps | Map Tiles | France / Europe | No | Automatically hashed IP address - retention time of 60 seconds (count of user sessions but not stored) | DPA |
Postmark | Outgoing email | USA | Yes | First name, last name, user name, content of emails sent automatically via the tool (preview of a dataset (dataset type, notification of re-use, metadata, contact messages); notifications of contributions to a dataset (feedback, proposal to add / modify records to a dataset by a user); the messages included in requests for access / registration to a domain, and the responses (messages entered in the relevant forms at the front and back office), and the contact form; the daily report for admins contains the id, names and description of all new datasets; the content of reuse (title, description, url) submitted by the reusers, and any rejection messages) | DPA - SCC. For data center: ISO 27017 for cloud security, ISO 27018 for cloud privacy, SOC 1, SOC 2, and SOC 3, PCI DSS Level 1, (...). SOC 2 Type 2. SSL encryption 2048-BIT RSA for data at rest. Application security: redundant servers for APIs, SMTP, Inbound and Web interface. Security protocols (SSL / TLS), API, SMTP endpoint |
FrontApp | Support | USA | Yes | Name - first name, email address, role (if provided), content of messages sent to support | DPA / SCC. Data protection measures both at rest and in transit (encryption of data at rest and in transit, pseudonymization). Measures aimed at permanently guaranteeing the confidentiality, integrity, availability and resilience of processing systems and services. FrontApp maintains strict confidentiality through encryption of customer data, identity management and access (logical and physical). Integrity is maintained by requiring that all code changes undergo a second review before being deployed to production. Access to data is restricted and logged to prevent unauthorized modification or corruption. Measures to ensure the ability to restore availability and access to personal data in a timely manner in the event of a physical or technical incident (daily backup, Business Continuity Plan, Business Recovery Plan, regular audit, intrusion test in particular). User identification and authorization measures (notably via multi-factor authentication). Measures to ensure the physical security of places where personal data is processed by using ISO 27001 and SOC 2 certified cloud providers. Measures to ensure event logging and alerts in case of abnormal events. Measures to ensure system hardening through automatically deployed configurations. Internal IT security governance and management measures. Certification measures (regular audit of SOC 2 certification, regular intrusion tests). Measures to ensure data minimization, quality, limited retention, portability and erasure of data. Measures to guarantee the principle of accountability through third-party audits |