Personal Data Protection Policy
Preamble
Ofelia may act as a Processor for Data Processing operations carried out on behalf of the Client, who acts as the Data Controller within the meaning of Regulation (EU) 2016/679 (the "Regulation"), as set out in the "Personal Data" article of the General Terms and Conditions of Sale (GTCs).
Ofelia has taken note of the Regulation, and in particular of its Article 28 concerning the obligations imposed on any Processor acting on behalf of a Controller of personal data.
This document sets out Ofelia's commitments to the Client with regard to data protection in the context of the provision of the Services.
Definitions
The terms used herein have the meaning set out in the Regulation, including:
"Adequacy Decision" means a decision adopted by the European Commission establishing that a Third Country ensures an adequate level of protection of Personal Data by reason of its domestic legislation or the international commitments it has entered into.
"Data" or "Personal Data" means any information relating to an identified or identifiable natural person (hereinafter referred to as the "data subject"); an "identifiable natural person" is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location Data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
"EEA" means the European Economic Area.
"Third Country" means a country that is not a member of either the EU or the EEA.
"Controller" means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing; where the purposes and means of such Processing are determined by Union law or Member State law, the Controller may be designated, or the specific criteria applicable to its designation may be provided for, by Union law or Member State law.
"Processor" means the natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Controller.
"Sub-Processor" means the processor engaged by the Processor and which processes Personal Data on behalf of the Processor.
"Transfer outside the EU" or "Processing outside the EU" or "Transfer" means the transmission of Data from an EU or EEA member country to a Third Country, or the access to Data located within an EU or EEA member country from a Third Country (e.g., remote access to a database located in Europe).
"Processing of personal data" or "Processing" or "Process" means any operation or set of operations which is performed on Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
"EU" means the European Union.
"Data Breach" or "Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of Personal Data transmitted, stored or otherwise processed, or unauthorised access to such Data.
Description of Data Processing Operations
The Data Processing operations carried out by Ofelia as a Processor are performed for the purposes set out in Appendix A.
Implementation of Processing Operations
Ofelia undertakes to comply with the Client's written instructions regarding the use that may be made of the Data. The list of Processing operations that may be carried out by Ofelia on behalf of the Client is attached hereto as Appendix A – Record of Processing activities carried out as a Processor (Article 30 of the GDPR).
Ofelia shall immediately inform the Client if, in its opinion, any of the Client's instructions is likely to constitute an infringement of the Regulation.
In the event that the Client considers that a new data processing operation entrusted to Ofelia requires a data protection impact assessment within the meaning of Article 35 of the Regulation, Ofelia shall assist the Client in carrying out this impact assessment. This assistance may be subject to invoicing.
Information of Data Subjects
The Controller shall inform the data subjects of the personal data processing operations carried out in the context of the Services.
Security Measures
Ofelia undertakes to implement all organisational and technical measures to ensure the physical and logical security of the Data in accordance with the state of the art and the recommendations published by the Data Protection Authorities or the administrative authorities competent in matters of IT security.
The security and confidentiality measures taken by Ofelia must take into account the most recent technical possibilities and the cost of their implementation, the characteristics of the processing (nature, scope, purpose, etc.) as well as the risks presented for the rights of the data subjects.
The security measures shall guarantee the integrity, access traceability, confidentiality and availability of the Data at all times, and shall include in particular:
- The identification and securing of premises (for example: locked access, restricted access requiring authorisation and authentication);
- Logical security (for example: firewalls, authentication and archiving of access to Data, incident simulations);
- Securing Personal Data exchange flows so that they cannot be exploited by an unauthorised third party;
- Logging of activities on the IT system;
- Protection of IT environments by up-to-date antivirus software (programs and virus signatures);
- Implementation of control procedures to verify the level of security.
Ofelia shall ensure that only secure means of communication are used to process Personal Data.
Ofelia undertakes to limit access to the Data to authorised persons only, on a need-to-know basis.
Ofelia shall also ensure that persons authorised to process Personal Data for the purposes hereof, including its staff and the staff of any Sub-Processors, undertake to comply with an appropriate obligation of confidentiality.
Cooperation by Ofelia
Ofelia undertakes to cooperate with the Client by making available to it, upon written request, all information necessary to demonstrate compliance with its obligations, and by allowing the Client, for this purpose, to carry out any verification it deems useful, the practical arrangements of which shall be agreed upon.
Sub-Processing
The Client hereby authorises the sub-processing of all or part of the processing operations entrusted to Ofelia, and Ofelia undertakes to engage only Sub-Processors that comply with the provisions of the GDPR.
The list of Ofelia's current Sub-Processors is set out in Appendix B. An updated version may be communicated to the Client at any time upon simple request.
Ofelia guarantees that its Sub-Processors will comply with the commitments to which it is itself bound, in particular with regard to the commitments it may make in terms of security or within standard contractual clauses or any other appropriate safeguard.
Data Transfers
Ofelia does not voluntarily transfer Personal Data outside the territory of the EU or the EEA.
In the event that, for the purposes of providing the Services, Ofelia is required to Transfer Data outside the EU or the EEA, such Processing operations shall meet the requirements of the Regulation regarding the Transfer of Data outside the EU, namely:
- The Processing is carried out in a Third Country benefiting from an Adequacy Decision;
- The Processing is governed by standard contractual clauses published by the European Commission. In this case, Ofelia and the data-importing Sub-Processor shall incorporate said standard clauses into the GTCs and undertake to ratify them prior to the implementation of the Processing operation(s) concerned;
- The Processing is governed by Binding Corporate Rules (BCRs).
Should the exception(s) used for the Transfer become invalid, Ofelia undertakes to modify the chosen mechanism and replace it with a mechanism capable of governing the intended Transfer.
Where Ofelia engages Sub-Processors, it shall ensure that they have implemented appropriate technical and organisational measures to guarantee a level of protection for the transferred Data at least equivalent to that provided herein in the event of a Data Transfer (standard contractual clauses, BCRs, etc.).
Data Protection Officer
Ofelia has appointed a Data Protection Officer: the company Virtual DPO – contact@virtual-dpo.fr.
The Client shall communicate to Ofelia, upon signature of the Commercial Proposal, the identity and contact details of its DPO.
Where the Client has not appointed a DPO, it shall communicate to Ofelia the name and detailed contact information of a relevant contact person from whom information on the Processing of Data may be obtained.
Notification in the Event of a Personal Data Breach
In the event of an incident likely to affect the security of Personal Data, in the event of a probable or established compromise of the integrity of Personal Data, or in the event of a probable or established Breach of the confidentiality rules applied to Personal Data, Ofelia shall inform the Client as soon as possible. This information is provided to enable the Client to comply with its notification obligations to the CNIL and to the data subjects, in accordance with the provisions of Article 33 of the GDPR.
Ofelia shall carry out investigations to provide the Client, as they progress, with any useful information on the nature and extent of the potential Data Breach and the corrective measures implemented.
Ofelia shall describe the security breach and, where possible, the categories and number of persons affected by the breach as well as the Data concerned.
Ofelia further undertakes to cooperate with the Client and to implement the means necessary to resolve the incident.
Notification of Requests for Disclosure by Third Parties
Ofelia undertakes to notify the Client of any request for transmission or consultation of the Data issued by a judicial or administrative authority as soon as possible before providing any response, unless the applicable law prohibits such notification on grounds of public interest.
Exercise of Rights by Data Subjects
Any natural person whose Data is collected by Ofelia on behalf of the Client has a right of access, restriction, rectification, erasure and, where applicable, objection to the processing or portability of the Personal Data concerning them, in accordance with the provisions of the applicable regulations.
The rights set out in the preceding paragraph shall be exercised directly with the Controller.
Consequently, Ofelia shall notify the Client as soon as possible of any request to exercise the aforementioned rights and shall comply with the Client's instructions, subject to their compliance with the applicable regulations and their prior communication to Ofelia.
Data Retention Period / Termination of the Subscription
Ofelia shall retain the processed Data for the duration of the Subscription, unless otherwise requested by the Client or unless a legal obligation imposes a different retention period.
In any event, Ofelia undertakes to delete all Data upon the Client's first request.
Ofelia shall provide the Client, upon request, with a certificate attesting to the destruction of the Data.
The Data may be subject to intermediate archiving for a maximum period corresponding to the statutory limitation period.
Appendix A – Record of Processing Operations Carried Out on Behalf of the Client
For all these processing operations:
Legal basis: defined by the Client, acting as Controller.
1. Identity management, User access and Account creation by Administrators
2. Ingestion and indexing of the knowledge base (RAG)
3. Database Hosting
4. Hosting of data related to prompts submitted by Users
5. Analysis of Prompts and formulation of responses
6. Execution of actions in third-party tools