Política de privacidad

Personal Data Protection Policy

Preamble

Ofelia may act as a Processor for Data Processing operations carried out on behalf of the Client, who acts as the Data Controller within the meaning of Regulation (EU) 2016/679 (the "Regulation"), as set out in the "Personal Data" article of the General Terms and Conditions of Sale (GTCs).

Ofelia has taken note of the Regulation, and in particular of its Article 28 concerning the obligations imposed on any Processor acting on behalf of a Controller of personal data.

This document sets out Ofelia's commitments to the Client with regard to data protection in the context of the provision of the Services.

Definitions

The terms used herein have the meaning set out in the Regulation, including:

"Adequacy Decision" means a decision adopted by the European Commission establishing that a Third Country ensures an adequate level of protection of Personal Data by reason of its domestic legislation or the international commitments it has entered into.

"Data" or "Personal Data" means any information relating to an identified or identifiable natural person (hereinafter referred to as the "data subject"); an "identifiable natural person" is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location Data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

"EEA" means the European Economic Area.

"Third Country" means a country that is not a member of either the EU or the EEA.

"Controller" means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing; where the purposes and means of such Processing are determined by Union law or Member State law, the Controller may be designated, or the specific criteria applicable to its designation may be provided for, by Union law or Member State law.

"Processor" means the natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Controller.

"Sub-Processor" means the processor engaged by the Processor and which processes Personal Data on behalf of the Processor.

"Transfer outside the EU" or "Processing outside the EU" or "Transfer" means the transmission of Data from an EU or EEA member country to a Third Country, or the access to Data located within an EU or EEA member country from a Third Country (e.g., remote access to a database located in Europe).

"Processing of personal data" or "Processing" or "Process" means any operation or set of operations which is performed on Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

"EU" means the European Union.

"Data Breach" or "Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of Personal Data transmitted, stored or otherwise processed, or unauthorised access to such Data.

Description of Data Processing Operations

The Data Processing operations carried out by Ofelia as a Processor are performed for the purposes set out in Appendix A.

Implementation of Processing Operations

Ofelia undertakes to comply with the Client's written instructions regarding the use that may be made of the Data. The list of Processing operations that may be carried out by Ofelia on behalf of the Client is attached hereto as Appendix A – Record of Processing activities carried out as a Processor (Article 30 of the GDPR).

Ofelia shall immediately inform the Client if, in its opinion, any of the Client's instructions is likely to constitute an infringement of the Regulation.

In the event that the Client considers that a new data processing operation entrusted to Ofelia requires a data protection impact assessment within the meaning of Article 35 of the Regulation, Ofelia shall assist the Client in carrying out this impact assessment. This assistance may be subject to invoicing.

Information of Data Subjects

The Controller shall inform the data subjects of the personal data processing operations carried out in the context of the Services.

Security Measures

Ofelia undertakes to implement all organisational and technical measures to ensure the physical and logical security of the Data in accordance with the state of the art and the recommendations published by the Data Protection Authorities or the administrative authorities competent in matters of IT security.

The security and confidentiality measures taken by Ofelia must take into account the most recent technical possibilities and the cost of their implementation, the characteristics of the processing (nature, scope, purpose, etc.) as well as the risks presented for the rights of the data subjects.

The security measures shall guarantee the integrity, access traceability, confidentiality and availability of the Data at all times, and shall include in particular:

  • The identification and securing of premises (for example: locked access, restricted access requiring authorisation and authentication);
  • Logical security (for example: firewalls, authentication and archiving of access to Data, incident simulations);
  • Securing Personal Data exchange flows so that they cannot be exploited by an unauthorised third party;
  • Logging of activities on the IT system;
  • Protection of IT environments by up-to-date antivirus software (programs and virus signatures);
  • Implementation of control procedures to verify the level of security.

Ofelia shall ensure that only secure means of communication are used to process Personal Data.

Ofelia undertakes to limit access to the Data to authorised persons only, on a need-to-know basis.

Ofelia shall also ensure that persons authorised to process Personal Data for the purposes hereof, including its staff and the staff of any Sub-Processors, undertake to comply with an appropriate obligation of confidentiality.

Cooperation by Ofelia

Ofelia undertakes to cooperate with the Client by making available to it, upon written request, all information necessary to demonstrate compliance with its obligations, and by allowing the Client, for this purpose, to carry out any verification it deems useful, the practical arrangements of which shall be agreed upon.

Sub-Processing

The Client hereby authorises the sub-processing of all or part of the processing operations entrusted to Ofelia, and Ofelia undertakes to engage only Sub-Processors that comply with the provisions of the GDPR.

The list of Ofelia's current Sub-Processors is set out in Appendix B. An updated version may be communicated to the Client at any time upon simple request.

Ofelia guarantees that its Sub-Processors will comply with the commitments to which it is itself bound, in particular with regard to the commitments it may make in terms of security or within standard contractual clauses or any other appropriate safeguard.

Data Transfers

Ofelia does not voluntarily transfer Personal Data outside the territory of the EU or the EEA.

In the event that, for the purposes of providing the Services, Ofelia is required to Transfer Data outside the EU or the EEA, such Processing operations shall meet the requirements of the Regulation regarding the Transfer of Data outside the EU, namely:

  • The Processing is carried out in a Third Country benefiting from an Adequacy Decision;
  • The Processing is governed by standard contractual clauses published by the European Commission. In this case, Ofelia and the data-importing Sub-Processor shall incorporate said standard clauses into the GTCs and undertake to ratify them prior to the implementation of the Processing operation(s) concerned;
  • The Processing is governed by Binding Corporate Rules (BCRs).

Should the exception(s) used for the Transfer become invalid, Ofelia undertakes to modify the chosen mechanism and replace it with a mechanism capable of governing the intended Transfer.

Where Ofelia engages Sub-Processors, it shall ensure that they have implemented appropriate technical and organisational measures to guarantee a level of protection for the transferred Data at least equivalent to that provided herein in the event of a Data Transfer (standard contractual clauses, BCRs, etc.).

Data Protection Officer

Ofelia has appointed a Data Protection Officer: the company Virtual DPO – contact@virtual-dpo.fr.

The Client shall communicate to Ofelia, upon signature of the Commercial Proposal, the identity and contact details of its DPO.

Where the Client has not appointed a DPO, it shall communicate to Ofelia the name and detailed contact information of a relevant contact person from whom information on the Processing of Data may be obtained.

Notification in the Event of a Personal Data Breach

In the event of an incident likely to affect the security of Personal Data, in the event of a probable or established compromise of the integrity of Personal Data, or in the event of a probable or established Breach of the confidentiality rules applied to Personal Data, Ofelia shall inform the Client as soon as possible. This information is provided to enable the Client to comply with its notification obligations to the CNIL and to the data subjects, in accordance with the provisions of Article 33 of the GDPR.

Ofelia shall carry out investigations to provide the Client, as they progress, with any useful information on the nature and extent of the potential Data Breach and the corrective measures implemented.

Ofelia shall describe the security breach and, where possible, the categories and number of persons affected by the breach as well as the Data concerned.

Ofelia further undertakes to cooperate with the Client and to implement the means necessary to resolve the incident.

Notification of Requests for Disclosure by Third Parties

Ofelia undertakes to notify the Client of any request for transmission or consultation of the Data issued by a judicial or administrative authority as soon as possible before providing any response, unless the applicable law prohibits such notification on grounds of public interest.

Exercise of Rights by Data Subjects

Any natural person whose Data is collected by Ofelia on behalf of the Client has a right of access, restriction, rectification, erasure and, where applicable, objection to the processing or portability of the Personal Data concerning them, in accordance with the provisions of the applicable regulations.

The rights set out in the preceding paragraph shall be exercised directly with the Controller.

Consequently, Ofelia shall notify the Client as soon as possible of any request to exercise the aforementioned rights and shall comply with the Client's instructions, subject to their compliance with the applicable regulations and their prior communication to Ofelia.

Data Retention Period / Termination of the Subscription

Ofelia shall retain the processed Data for the duration of the Subscription, unless otherwise requested by the Client or unless a legal obligation imposes a different retention period.

In any event, Ofelia undertakes to delete all Data upon the Client's first request.

Ofelia shall provide the Client, upon request, with a certificate attesting to the destruction of the Data.

The Data may be subject to intermediate archiving for a maximum period corresponding to the statutory limitation period.

Appendix A – Record of Processing Operations Carried Out on Behalf of the Client

For all these processing operations:

Legal basis: defined by the Client, acting as Controller.

1. Identity management, User access and Account creation by Administrators
Purposes Enable the Client (Data Controller) to provision and synchronize its user and Administrator base, in order to assign connection authorizations and enable account creation.
Data subjects Client's Users
Data processed Data from the client's HR information system, used to define authorizations and create user accounts. (Possibly: Name, email, job title, department, team, country, office, fixed-term/permanent contract, remote location, employee ID, manager (reporting line), etc.)
User identifier, connection rights (Standard user, qualified user, etc.)
User's connection data to the Solution.
Identifiers, role, administration actions, logs (who did what, when)
Sensitive data No by principle, but Ofelia has no control over the content imported by the Client.
Retention period Duration of the contract + contractual reversibility period (unless a shorter period is specified by the client acting as Data Controller)
Transfers outside the EU Yes, Composio in the US
Sub-processors AWS
Composio (email and OAuth token only)

2. Ingestion and indexing of the knowledge base (RAG)
Purposes Ingest, vectorize and index the content of the client's knowledge base to enable its use by the AI agent
Data subjects All persons whose data is included in the client database imported by the Client via its user interface.
Data processed Any data included in the client database imported by the Client via its user interface.
Sensitive data No by principle, but Ofelia has no control over the content imported by the Client.
Recipients This data is not intended to be processed by a natural person. Access is possible only as part of the "support" processing activity.
Retention period Duration of the contract + contractual reversibility period (unless a shorter period is specified by the client acting as Data Controller)
Transfers outside the EU Yes, OpenAI and LangSmith in the US (SCCs)
Sub-processors AWS, OpenAI, LangSmith

3. Database Hosting
Purposes Host the data imported by the Client on the Solution
Data subjects Users and persons whose data appears in the Database imported by the Client.
Data processed All data included in the Database imported by the Client.
Sensitive data No by principle, but Ofelia has no control over the content imported by the Client.
Recipients This data is not intended to be processed by a natural person. Access is possible as part of the "Management of User support requests" processing activity.
Retention period Duration of the contract + contractual reversibility period (unless a shorter period is specified by the client acting as Data Controller)
Transfers outside the EU Service providers' servers located in Europe
Sub-processors AWS

4. Hosting of data related to prompts submitted by Users

Purposes Retain the Prompts and responses exchanged via the Solution to ensure conversational continuity, quality monitoring and traceability
Data subjects Client's users, persons mentioned in the Prompts and in the responses
Data processed User identifier, textual content of prompts, textual content of responses
Sensitive data No by principle, but Ofelia has no control over the content of the Prompts and responses
Recipients This data is not intended to be processed by a natural person. Access is possible as part of the "Management of User support requests" processing activity.
Retention period 12 months
Transfers outside the EU Yes, LangSmith in the US
Sub-processors LangSmith, AWS
5. Analysis of Prompts and formulation of responses
Purposes Interpret the user's prompt, query the database via the Solution, generate a response and deliver it in the user's corporate messaging tool.
Data subjects Client's Users, persons mentioned in the Prompts or in the client database imported by the Client via its user interface.
Data processed Textual content of prompts, any data included in the client database imported by the Client via its user interface.
Sensitive data No by principle, but Ofelia has no control over the content imported by the Client.
Recipients The User who issued the Prompt, if the response produced by the Solution includes personal data.
Retention period Prompts and generated responses retained for 30 days by OpenAI
Transfers outside the EU Yes, OpenAI in the US (SCCs)
Sub-processors AWS, OpenAI

6. Execution of actions in third-party tools
Purposes Execute, after validation by the User in their corporate messaging tool, actions in the third-party tools they are connected to (ticket creation, message sending, record update, event scheduling, etc.)
Data subjects Client's users, persons mentioned in the content of the action or affected by it (message recipients, ticket assignees, event participants, etc.)
Data processed User's data, executed actions (if they include personal data), data relating to the persons targeted by the action.
Sensitive data No by principle, but Ofelia has no control over the content imported by the Client or over the nature of the actions to be executed.
Recipients Any person with access to the result of the action, if it contains personal data.
Retention period 30 days
Transfers outside the EU Yes, Composio in the US (SCCs)
Sub-processors Composio

7. Configuration and execution of business processes
Purposes Enable the client's process owners to configure business processes; execute these processes (orchestration, validations, approvals, automated actions) at the Users' request
Data subjects Client's users, approvers, persons mentioned in the process variables or attachments (employees, client's customers, third parties)
Data processed Data relating to users and approvers. Any data that may be present for the purposes of configuring and executing the processes.
Sensitive data No by principle, but Ofelia has no control over the content imported by the Client or over the nature of the processes to be executed.
Recipients Persons with access to the results, documents, actions, etc. generated by the processes, if these contain personal data.
Retention period Duration of the contract + contractual reversibility period (unless a shorter period is specified by the client acting as Data Controller)
Transfers outside the EU Service providers' servers located in Europe
Sub-processors AWS
8. Handling of User support requests (Support)
Purposes Manage user support requests
Data subjects Client's users
Data processed Content of the support request submitted from the conversational agent, transmitted conversational context.
All data that the support team may access in order to resolve the support request.
Sensitive data No by principle, but Ofelia has no control over the content imported by the Client.
Recipients Support team
Retention period Duration of the contract to ensure support follow-up (unless a shorter period is requested by the client acting as Data Controller)
Transfers outside the EU Service providers' servers located in Europe
Sub-processors Zendesk

Appendix B – List of Authorised Sub-Processors
Subcontracted processing activity(ies) Sub-processor name Transfer outside the EU
Identity management, User access and Account creation by Administrators AWS
Composio
Yes: Composio
Ingestion and indexing of the knowledge base (RAG) AWS
OpenAI
LangChain (LangSmith)
Yes: OpenAI, LangChain (LangSmith)
Database hosting AWS N/A
Hosting of data related to prompts submitted by Users AWS
LangChain (LangSmith)
Composio
Yes: LangChain (LangSmith), Composio
Prompt analysis and response generation OpenAI Yes: OpenAI
Execution of actions in third-party tools Composio Yes: Composio
Configuration and execution of business processes AWS N/A
Management of User support requests (Support) Zendesk N/A