Contractual Appendix - Data Processing Agreement (DPA)
Article 1: Definitions
- Personal data: Any information relating to an identified or identifiable natural person ('data subject'), as defined by the General Data Protection Regulation (GDPR).
- Data Controller: The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
- Data Processor: The natural or legal person, public authority, agency or other body which processes personal data on behalf of the Data Controller.
- Processing: Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means.
- Personal data breach: A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
- Data transfer: Any transfer of personal data outside the European Economic Area (EEA), including to a third country or an international organisation.
- Cloud Service: Any personal data processing, storage, or management service provided by the Processor via cloud infrastructures.
- Access necessary for the service: Any access to personal data strictly required for the performance of the defined contractual services, including provisioning, maintenance, technical support, system monitoring, and incident resolution, excluding any access for commercial analysis, profiling, or direct marketing purposes.
- HDS (Health Data Hosting): Specific status in France for health data hosts, requiring certification issued by an accredited body.
Article 2: Purpose
The purpose of this appendix is to define the terms and conditions for the processing of personal data under the main Contract, including the use of cloud services. It aims to ensure the parties' compliance with the obligations arising from the GDPR and from French personal data protection law, with the French HDS requirements where the Processor is certified as HDS, and with the requirements of the CISPE code of conduct.
Article 3: Obligations of the Data Controller
- Lawfulness of processing: The Data Controller undertakes to process personal data lawfully, fairly, and transparently in accordance with Articles 5 and 6 of the GDPR.
- Specified purposes: Personal data must be collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
- Data minimisation: The Data Controller must ensure that the collected data is adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed.
- Accuracy of data: It is the responsibility of the Data Controller to ensure that personal data is accurate and, where necessary, kept up to date.
- Security of data: The Data Controller must implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, in accordance with Article 32 of the GDPR. This includes the regular assessment of the security measures of the cloud services used.
Article 4: Obligations of the Data Processor
4.1 Processing according to instructions and limitation of access
The Processor commits to:
- Process personal data only on documented instructions from the Data Controller, including with regard to transfers of personal data to a third country or an international organisation, unless required to do so by a legal obligation.
- Strictly limit its access to personal data to only the access necessary for the service as defined in Article 1
- Formally refrain from any processing of personal data for the purposes of:
  - Data mining or data exploration
  - Profiling of end users or behavioral analysis
  - Direct marketing or targeted advertising
  - Any commercial use unrelated to the execution of contractual services.
4.2 Access management policy
The Processor maintains a detailed access management policy for customer data which includes:
- Procedures for granting and revoking access
- Identification of authorized persons and their access levels
- Physical and technical access controls to infrastructures
- Complete logging of accesses with retention for a minimum of 24 months
- Procedures for managing emergency access and supervision
4.3 General obligations
- Confidentiality: The Processor must ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
- HDS Certification: The Processor declares that it is certified as a Health Data Host and that it will maintain this certification throughout the duration of the Contract.
- Security of processing: The Processor commits to implementing the appropriate technical and organisational measures to ensure the security of the personal data it processes, including data processed via cloud services, in accordance with Article 32 of the GDPR.
- Sub-processing: The Processor must not engage another processor without prior specific or general written authorisation of the Data Controller. In the case of authorised sub-processing, the Processor must ensure that the sub-processor meets the same data protection obligations.
- Assistance to the Data Controller: The Processor must assist the Data Controller, as far as possible, in fulfilling its obligations regarding data security, notification of data breaches, conducting data protection impact assessments, and prior consultations with supervisory authorities.
- Data localization: The Processor must provide clear information on the locations of data storage and processing within the cloud infrastructures, and ensure that these locations comply with applicable data protection regulations.
Article 5: Description of processing
The Processor is authorized to process personal data on behalf of the Data Controller as necessary to provide the Services. The nature and category of operations performed on the personal data will be defined by the Data Controller according to the specific needs of each Service. The purposes of the processing are determined by the Data Controller and communicated to the Processor. The nature and category of personal data processed are specified by the Data Controller. The categories of data subjects are identified by the Data Controller. For the performance of the Services, the Data Controller makes the necessary information available to the Processor. The duration of the processing is determined by the Data Controller based on the requirements of the provided Services.
Article 6: Rights of data subjects
- Access and rectification: The Data Controller and the Processor must allow data subjects to exercise their rights of access and rectification of their personal data, in accordance with Articles 15 and 16 of the GDPR.
- Erasure and restriction of processing: Data subjects must be able to exercise their rights to the erasure of their data (right to be forgotten) or to the restriction of processing, in accordance with Articles 17 and 18 of the GDPR.
- Data portability: The Data Controller must ensure, where applicable, the portability of the personal data of data subjects, in accordance with Article 20 of the GDPR.
- Objection: Data subjects must be able to exercise their right to object to the processing of their personal data in accordance with Article 21 of the GDPR.
6.1 Modalities for exercising rights
As a Processor, Cloud Temple assists the Data Controller in fulfilling the rights of data subjects according to the following modalities:
Standard process:
- Requests are generally sent by the Data Controller via the usual communication channels: Account Manager and Service Delivery Manager.
- The Processor provides technical assistance within the limits of its role as a processor and the capabilities of its services.
Direct contact:
- For exceptional cases or specific questions, the Cloud Temple Data Protection Officer can be contacted directly at DPD@cloud-temple.com
- A validation workflow by the Cloud Temple DPO is maintained to ensure the consistency of responses.
- Traceability of requests and actions taken is ensured.
Receipt of requests: In the event that a data subject directly submits a request to exercise their rights (access, rectification, erasure, objection, restriction, or portability) to the Processor, the latter commits to transmitting it to the Client in writing within a maximum of 72 hours from its receipt. The Processor will not respond directly to the data subject without prior written instructions from the Data Controller.
Technical assistance and execution: The Processor commits to assisting the Client under the following conditions to enable the exercise of rights:
- Access and Portability: The Processor makes available to the Client the tools or procedures allowing the extraction of health data in a structured and commonly used format.
- Consultation of traces: In accordance with its security commitments, the Host allows the Client to consult the access logs to Personal Health Data (DSCP, données de santé à caractère personnel) in order to respond to requests for information on who has accessed the data.
- Rectification and Erasure: The Processor commits to executing, upon justified request of the Client, the technical operations for the definitive modification or deletion of data in production and backup environments, and to providing written confirmation thereof.
- Restriction: In case of a request for restriction of processing, the Processor will collaborate with the Client to implement technical measures to isolate or lock the concerned data.
- Documentation: The Processor will provide the Client with all the information necessary to demonstrate that the technical measures taken allow for the effective respect of the rights of individuals.
Article 7: Security and confidentiality measures
The Processor specifically commits to implementing sufficient measures to ensure the security and confidentiality of Personal Data, and in particular health data, entrusted and processed as part of the Services, namely:
- Implementing appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction, accidental loss, alteration, unauthorized disclosure or access, as well as against any other form of unlawful processing
- Not using personal data for its own account or for the account of third parties and not transferring them without the prior written authorization of the Data Controller or the end customer
- Ensuring that persons authorized to process personal data are subject to appropriate confidentiality obligations
- Not making copies or duplications of personal data without the prior written authorization of the Data Controller or the end customer (unless necessary for the performance of the Services provided by the service provider under the Contract)
- Informing the Data Controller of any accidental or unauthorized access to personal data, any breach of personal data regulations or any suspicion of such a breach, as soon as possible and, if possible, no later than 48 hours after becoming aware of it
- Depending on the choice of the Data Controller, deleting or returning the personal data at the end of the Contract, and destroying existing copies, unless there is a legal obligation to retain them
- Implementing an information systems security policy and logical and physical access authorization management, which it must maintain and develop throughout the duration of the Contract
- Encrypting the stored data.
The Processor implements a customer data access control system comprising:
- A strong authentication and identity management system
- A principle of least privilege policy with periodic review of authorizations
- Separation of customer environments and data isolation
- A comprehensive logging system with automatic alerts
- Periodic audits of access and security controls.
Article 8: Notification of data breaches
In the event of a breach of personal data or Personal Health Data, the Processor must notify the Data Controller without undue delay after becoming aware of it. This notification must include:
- The nature of the personal data breach
- The categories and approximate number of data subjects concerned
- The categories and approximate number of personal data records concerned
- The name and contact details of the contact point where more information can be obtained
- The likely consequences of the personal data breach
- The measures taken or proposed to be taken to address the breach and mitigate its possible adverse effects.
This notification must specify the potential impact on data hosted in the cloud and the measures taken to address it, enabling the Data Controller to notify this breach to the competent supervisory authority and, if applicable, to the data subjects in accordance with Articles 33 and 34 of the GDPR.
Article 9: Data transfers outside the European Union
9.1 Data localization according to services
Cloud Services:
- All personal data is exclusively processed and stored within the European Union
- All infrastructures and datacenters are located in the European Union
- The customer can select processing geographical zones from the available European locations
- No data processing or storage takes place outside the European Union.
Managed Services (Infogérance):
- Personal data is by default processed and stored within the European Union
- Technical support teams located outside the European Union may need to access the data as part of the service provision, solely with the prior written agreement of the Data Controller
- These accesses are strictly limited to operational needs and framed by the appropriate GDPR safeguards.
9.2 Conditions for non-EU transfers
Any transfer of personal data to a third country, or any access to personal data by teams located in a third country, may only be carried out with:
- The prior written authorization of the Data Controller for the service concerned
- Compliance with the conditions set out by the GDPR, notably in Articles 44 to 50
- The implementation of appropriate safeguards, such as standard contractual clauses approved by the European Commission or the existence of an adequacy decision
- The limitation of access to operational needs only.
Article 10: Duration and end of processing
10.1 End of contract
At the end of the main contract, the Processor commits, according to the instructions of the Data Controller, to delete all personal data or return them to the Data Controller, and to destroy existing copies unless a legal obligation requires otherwise.
10.2 Recovery process
The Processor provides a detailed guide enabling the Data Controller to recover their data in a standard and usable format, including:
- Available export formats
- Recovery procedures
- Provisioning timeframes
- Available technical assistance.
10.3 Data deletion timeframes
The Processor commits to the following timeframes:
- Logical deletion: within 48 hours following the request
- Definitive physical deletion: within 30 calendar days following the logical deletion
- Confirmation of deletion: certificate of destruction provided within 5 business days following the physical deletion.
This obligation also includes data stored on backup media in cloud infrastructures, unless a legal obligation requires their retention. In this case, the Processor informs the Data Controller with legal justification and retention period.
Article 11: Documentation and audits
The Processor will make available to the Data Controller all information necessary to demonstrate compliance with the obligations laid down in this appendix and will allow for and contribute to audits, including inspections, conducted by the Data Controller or another auditor mandated by the Data Controller, to verify compliance with this appendix and the GDPR.
The Processor makes available to the Data Controller:
- A dedicated page listing all compliance processes maintained up to date at: https://www.cloud-temple.com/demarches-conformite/
- Available compliance certificates (ISO 27001, SecNumCloud, HDS, ISAE, etc.)
- Recommendations for the secure use of Cloud Temple services, including:
  - Best practices for protecting access to the Cloud Console
  - Controlled management of access and permissions
  - Securing deployed resources via cloud services.
Article 12: Record of processing activities
12.1 Content of the record
The Processor maintains an electronic record of processing activities in accordance with Article 30(2) of the GDPR. This record contains the list of customers for whom Cloud Temple operates as a processor, with for each customer:
- The contact details of the customer company and the data protection officer (last name, first name, phone, email)
- The categories of processing carried out on behalf of this customer
- Transfers outside the European Union if applicable
- The technical and organizational security measures implemented.
12.2 Automated management
The record is automatically updated upon:
- The establishment of new customer contracts
- Modifications of existing services
- Evolutions of security measures.
12.3 Access to the record
Upon written request:
- The Data Controller can only access the information concerning them in the record
- The competent authorities (CNIL, ANSSI, etc.) can access the complete record as part of their control missions.
The Processor has a period of 15 business days to communicate the requested information from the receipt of the request. A validation process for legitimate requests is implemented to ensure the confidentiality of sensitive information.
Article 13: Sub-processors
The Processor may need to engage one or more external service provider(s) / supplier(s) for the provision of specific services covered by the Contract. For this purpose, the Processor may engage, under its responsibility, one or more second-tier Sub-processor(s) for the sole purpose of providing part of the services necessary for the managed system.
The Processor commits to entering into a binding legal act with any subsequent sub-processor it engages for the Processing of Data, to impose on them compliance with the requirements of the GDPR and the same obligations as those provided for in Article 20.2. In particular, the Processor must ensure that the subsequent sub-processor it has engaged provides sufficient guarantees for the implementation of necessary security measures, particularly in the context of health data.
In the event of failure of the subsequent sub-processor to comply with its data protection obligations, the Processor will remain fully liable to the Data Controller, without prejudice to the rights of the Data subjects set out in Articles 79 and 82 of the GDPR.
The list of authorized subsequent sub-processors is as follows:
| Sub-processor | Activity | Location | Authorization Date |
|---|---|---|---|
| Digital Realty | Datacenter hosting | France / EU | 15/01/2025 |
| Data4 | Datacenter hosting | France / EU | 15/01/2025 |
| Telehouse | Datacenter hosting | France / EU | 15/01/2025 |
| Iron Mountain | Tape outsourcing | France / EU | 15/01/2025 |
Iron Mountain is not HDS certified.
The sub-processors designated in the Contract apply in addition to those listed above.
During the execution of the Contract, the Data Controller may obtain the updated version of this list from the Processor at any time. The Processor shall notify the Data Controller in writing of any intended changes concerning the addition or replacement of other processors at least 30 calendar days before implementation. For any new critical sub-processor, a specific prior authorization from the Data Controller is required.
Article 14: Liability
The Data Controller and the Processor acknowledge that they may be held liable for damages caused by the processing of personal data that is not in compliance with the GDPR and applicable French laws. The Processor is liable for the damage caused by the processing if it has not complied with the obligations of the GDPR specifically directed to processors or where it has acted outside or contrary to lawful instructions of the Data Controller.
Article 15: Amendments
Any modification of this appendix must be the subject of a written amendment signed by both parties. The modifications must comply with the requirements of the GDPR and French laws relating to personal data protection.
Article 16: Applicable law and jurisdiction
This appendix is governed by French law. Any dispute relating to its interpretation or execution shall be under the exclusive jurisdiction of the French courts. In the event of a discrepancy between the language versions of this appendix, the French version shall prevail.