SaaS Contract - PlanningPME Web Access - GDPR
BETWEEN THE UNDERSIGNED:
Limited liability company with capital of EUR 40,000, with registered office at 1-3 Rue Marcel Carné 91080 Courcouronnes - France, recorded in the Evry Commercial Register
Hereinafter referred to as “the Provider”,
PARTY OF THE FIRST PART
PARTY OF THE SECOND PART
Individually referred to as “Party” and jointly as “Parties”,
The Customer wishes to use the services of a specialised Service Provider for the operation of a scheduling solution in SaaS (Software as a Service) mode. The Customer's objective in using this solution is the scheduling of resources.
The Provider is a supplier of Software as a Service, corporate applications leased online (known as a SaaS provider). In this capacity, it is the Application Service Provider as set out below in the contract.
The Customer acknowledges that it has run a free trial of the solution on the PlanningPME website, allowing it to judge whether the Application Services are suitable for its needs and to take all reasonable precautions for their use.
NOW, THEREFORE, THE FOLLOWING HAS HEREBY BEEN AGREED
ARTICLE 1. DEFINITIONS
The terms in initial capitals in this Contract, whether used in the singular or the plural, shall have the meaning given to them below.
Solutions means the operational functions listed in the description of the application services and made available to the Customer as part of the Application Services that form the object of the contract.
Data means the information, publications and, generally, the data in the Customer database, the use of which forms the object of this contract, which can only be consulted by Users.
API is a set of functions that facilitate access to the solution's services.
Log-in Details means both the user’s own username and their password, sent to them upon subscribing to the service.
Internet means all interconnected networks, which are located in all regions of the world.
Intranet means a company’s or an organization’s own computer network, which uses TCP/IP protocols and, more generally, the technologies of the Internet, and which may be connected to the Internet.
Software means any software supplied by the Provider to the Customer and, in particular, the associated Solutions.
Application Service means the service offered by the Provider in SaaS mode, allowing the Customer to use the Solutions.
User means an individual placed under the responsibility of the Customer (officer, employee, representative, etc.) and benefitting from access to the Application Services on their computer in accordance with the use licence acquired by the Customer.
Error is a fault in the design of a computer programme which causes it to malfunction; the level of seriousness can range from minor to critical.
Documentation explains how the solution functions and how it must be used.
Maintenance enables the expiry of equipment to be foreseen and IT infrastructure to be developed (software and hardware).
Premium version refers to the Service Provider's PlanningPME offer including additional services (notification, storage level, security guarantee, type of hosting) with distinct financial conditions.
Enterprise Version means the Service Provider's PlanningPME offer comprising additional services compared to the standard version (synchronization, notification, storage level, security guarantee, type of hosting) under separate financial conditions.
ARTICLE 2. OBJECT
The contract sets out the terms and conditions applicable to the Services ordered by the Customer.
The Provider grants to the Customer, who accepts:
- an access right to the Provider’s servers under the conditions set out below
- a right of end use of the Solutions
- a set of services defined hereinafter, including data hosting, application services maintenance and technical support
ARTICLE 3. CONTRACTUAL DOCUMENTS
The contract as well as the documents entitled “Annexes” constitute the entire agreement existing between the Parties, hereinafter referred to jointly as the Contract. This replaces and annuls any previous oral or written commitment with regard to the object of the Contract.
The Contract is formed of the following contractual documents, presented hierarchically based on their legal force, in descending order.
- this document
- the annexes to this document
In the event of a contradiction between one and/or several provisions appearing in any of these documents, the higher-ranking document shall take precedence.
The annexes to this document, which are an integral part of the Contract, are as follows:
- Annex A: Quality Charter
- Annex B: Financial Conditions
- Annex C: Personal Data
- Annex D: List of subsequent subcontractors
It is formally agreed between the Parties that if one of the Parties were to waive, or show tolerance with regard to, all or part of the commitments set out in the Contract, regardless of the frequency or duration, this shall not constitute an amendment to the Contract, nor may it establish a right of any kind.
ARTICLE 4. ENTRY INTO EFFECT, TERM AND RENEWAL
The Contract shall come into effect upon receipt of the signed purchase order.
Its contractual term is set at 12 months from its entry into force.
The Provider shall notify the Customer of the maturity of the Contract, and the renewal terms offered to it, in writing, 30 days before the end of this term.
If no response is received from the Customer within 30 days of the notification, the Contract shall be renewed under identical conditions, unless the Parties agree a new functional scope for the Application Services to meet the needs of the Customer.
ARTICLE 5. DESCRIPTION OF THE APPLICATION SERVICES
5.1. APPLICATION SOLUTIONS
The Provider makes the planning Solution PlanningPME Web Access available to the Customer on its server via the Internet.
The data processed by the solution is as follows: customer, project, sub-project, resource, skill, equipment, event, unavailability, group, user, history, which can be supplemented, modified or deleted by the user.
The Provider grants the Customer a non-exclusive right to use the solution.
A warranty against any programming defect is provided by the Provider from the date that the Application Services are accessed for a duration of 90 days. This warranty is no longer valid if a third party operates the programmes.
The Provider provides data hosting, maintenance and security for the Solutions.
For data hosting, the size is limited to 50 GB. Beyond this limit, an additional cost of 90 € excl tax / month / 50 GB will be charged. The Provider performs a back-up of the Data every day. These back-ups are saved for a week (see the Quality Charter in Annex A).
The services are provided pursuant to the Quality Charter in the Annexes.
The Provider provides an API limited to 2000 requests per hour and per API key; above this limit, volume-based pricing will be applied.
Premium Version: if the Customer opts for the Premium Service, it will benefit from the following additional advantages:
- Automatic notifications: information on actions performed on the platform, sent by e-mail or SMS. Activating this functionality requires the Customer to subscribe to an Amazon Simple Notification Service.
- Data storage: size is limited to 100 GB of storage.
- Security: unique authentication, also called “SSO” (Single Sign-On).
Enterprise Version: if the Customer opts for the Enterprise Version, it will benefit from the following additional advantages over the standard version:
- Synchronisation: the Customer may synchronise the events of a resource to an Outlook or Google Calendar
- Automatic notifications: information on actions carried out through the Platform, sent by e-mail and SMS. Triggering this functionality has the following prerequisite for the Customer: a subscription to a dedicated Amazon Web Services (AWS).
- Data hosting: size limited to 200 GB of storage
- Security: single authentication called “SSO” (Single Sign-On).
The Internet Access Provider is chosen by the Customer. The Provider provides no warranty with respect to this.
5.3. ACCESS TO THE SOLUTIONS
The Customer alone shall use this right of access. It may log in at any time, excluding during maintenance periods, namely:
- 24 hours a day
- 7 days a week
- including Sundays and public holidays
- with support from the Provider’s technical support teams
The Solution may be accessed:
- from the Customer’s computers
- from any of the Customer’s portable computers
- using the Log-in Details provided to the Customer
On accessing the Application Services, the Customer is identified by:
- a username assigned to each User by the Provider
- a password sent to the Customer by the Provider
The Customer will use the Log-in Details sent to it each time it connects to the Application Services.
The purpose of the Log-in Details is to restrict access to the Solutions under this Contract to the Customer’s Users, to protect the Solutions’ integrity and availability, as well as the integrity, availability and confidentiality of the Customer’s Data, as transmitted by the Users.
Confidentiality of log-in details:
The Log-in Details are personal and confidential. The Customer undertakes to make every effort to keep its Log-in Details secret and not to disclose them in any form whatsoever. The Customer is entirely responsible for the use of the Log-in Details and is responsible for the safekeeping and security of the access codes sent to it. It will make sure that no other person not authorized by the Provider has access to the Application Services and the Solutions. Generally, the Customer assumes responsibility for the security of individual workstations used to access the Solutions. If it is aware that another person has accessed them, the Customer shall inform the Provider immediately and confirm it by registered letter. If its log-in details are lost or stolen, the Customer shall use the process put in place by the Provider to recover its log-in details, by e-mail or telephone.
ARTICLE 6. APPLICATION QUALITY
The Customer has been advised of the inherent technical risks of the Internet and the interruptions to access that may result from them. The Provider shall therefore not be held liable for any unavailability or slowing of the Application Services. In addition, the Provider provides its services pursuant to the Quality Charter. The Provider is not able to guarantee the continuity of the Application Services, fulfilled remotely via the Internet, a fact which the Customer acknowledges.
The Provider undertakes to implement effective controls to give a reasonable assurance that the Customer may access and use the relevant applications at the times set out in this contract.
The Provider guarantees the implementation of the Application Services pursuant to the Quality Charter in the Annexes.
The Application Services may occasionally be suspended due to essential maintenance on the Provider’s servers. If the Application Services are interrupted due to maintenance, the Provider undertakes to comply with the process described below in the article “Maintenance”, so that the Customer can preferably be informed of the interruption and can take measures sufficiently in advance to avoid any disruption to its business.
The Provider may not be held liable for the possible impact of this outage on the Customer’s business.
ARTICLE 7. LICENCE
The Provider assigns the Customer a personal, non-exclusive, non-assignable and non-transferable right to use the Solutions, for the entire duration of the Contract and worldwide.
The Customer may only use the Application Services and Solutions in accordance with its requirements and their documentation. In particular, the licence for the Solutions is only assigned with the sole aim of allowing the Customer use of the Services, to the exclusion of all other purposes.
The right of use refers to the right to present and implement the Application Services in accordance with their purpose, in SaaS mode, through a connection to an electronic communications network. The Customer may not in any case make the Solutions available to a third party and is strictly prohibited from any other use, in particular but not limited to any adaptation, modification, translation, arrangement, dissemination or decompilation.
ARTICLE 8. MAINTENANCE
The Provider is responsible for corrective and ongoing maintenance of the Solutions.
Corrective maintenance: Telephone support for handling errors is available from Monday to Friday from 9:00 a.m. to 6:00 p.m. Error reports must be immediately confirmed by an e-mail to the Provider. The Provider shall proceed to diagnose the error and then implement corrective measures.
(a) In the event of a critical error, the report shall be acknowledged in under 24 business hours. The Provider shall strive to correct critical errors as soon as possible and will offer a workaround solution.
(b) In the event of a normal error, the report shall be acknowledged within 48 business hours. The Provider shall strive to correct the error and will offer a workaround solution that means the functionalities in question can continue to be used, within 60 working days.
(c) In the event of minor errors, the report shall be acknowledged as soon as possible, and the Provider will correct the minor error in a new version of the Service, issued as part of ongoing maintenance.
The Provider is not responsible for Maintenance in the following cases:
- refusal of the Customer to cooperate with the Provider in resolving errors and in particular to respond to questions and requests for information.
- use of the Application Services that is not compliant with their purpose or their documentation.
- unauthorized modification of the Solutions by the Customer or a third party.
- failure of the Customer to meet its obligations under the Contract.
- installation of any software packages, software or operating systems that are incompatible with the Application Services.
- failure of the electronic communication networks.
- voluntary act of degradation, abuse or sabotage.
- deterioration due to an event of force majeure or misuse of the Application Services.
Ongoing maintenance: The Customer benefits from updates and functional developments to the Application Services.
The Provider undertakes to transmit updated documentation for new updates to the Solutions.
Corrections to and developments of the Application Services are expressly subject to this Contract.
The Provider warrants that the upgrades or new versions of Software shall not lead to any loss in performance or functionality with regard to the Application Services.
The Provider shall perform regular anti-virus and anti-malware updates on the servers.
ARTICLE 9. TECHNICAL SUPPORT
The Provider shall respond to the Customer by telephone from Monday to Friday, 9:00 a.m. to 6:00 p.m., within a maximum of 1 hour, upon calling +33 161 612 080.
ARTICLE 10. TRAINING
On the Customer’s request, the Provider may provide training, under conditions to be defined by mutual agreement.
The Provider shall submit a proposal for training provision if its technical support and corrective maintenance reports reveal that there are recurrent problems with the Customer’s use, distinct from errors.
ARTICLE 11. DATA PROCESSING
11.1. PERSONAL DATA
The Parties undertake to comply with European Regulation 2016/679, dated 27 April 2016, concerning the protection of individuals as regards personal data processing and the free circulation of this data (known as the “GDPR”), and Law no. 78-17, dated 6 January 1978, regarding information technology, files and freedoms, as amended (known as the “Law on Information Technology and Freedoms”) (hereafter referred to as the “Regulation”).
The Service Provider provides services for professionals. As part of these services, it gathers and processes a small amount of personal information about individuals. The personal information gathered and processed from its customers is primarily the first names, last names and email addresses of its contacts who are its customers’ staff. In this context, the Service Provider can be considered to be responsible for its Customers’ personal data, within the meaning of the aforementioned regulations.
In certain cases, the Service Provider may be commissioned by the Customer to gather and process personal data of the users of the SaaS solution and the customers of its own customers. In this context, the Customer is responsible for the processing of this information, which is then entrusted to the Service Provider. The Service Provider is then acting as a sub-contractor and is not involved in defining the means and purposes of this data processing. The Service Provider’s obligations as a sub-contractor are laid out in Annex C.
11.2. USE OF DATA
The Customer has editorial responsibility for use of the Application Services.
The Customer is solely responsible for the quality, lawfulness and pertinence of the Data and content it transmits for the purposes of use of the Application Services. It also warrants that it owns the intellectual property rights permitting use of the Data and content. Consequently, the Provider accepts no liability if the Data and/or content is not compliant with laws and regulations, public policy provisions or even the Customer’s requirements.
The Customer shall indemnify the Provider, on first request, from and against all liabilities that may result from accusations from a third party relating to a breach of this indemnity.
More generally, the Customer is solely liable for content and messages disseminated and/or downloaded via the Application Services. The Customer remains the sole owner of the Data constituting the content of the Solutions.
If a request from an administrative or judicial authority is received by the Provider, it undertakes to inform the Customer of this immediately.
The Customer shall complete the declaratory formalities concerning the Processing with the competent data protection authorities. The Provider undertakes to provide any useful information to enable these formalities to be completed.
ARTICLE 12. TECHNICAL AUDIT
The Customer, after notifying the Provider in writing, with a minimum notice period of 4 weeks, may conduct, at its own cost, an audit of the operating conditions of the Solutions, and, more generally, of the compliance of the Provider with the technical and security specifications [Quality Charter in the annexes]. To this effect, the Customer shall designate an independent auditor who is not in competition with the Provider in the SaaS market and who must be approved by the Provider and sign a confidentiality agreement.
The audit must be conducted within the strict conditions described above and may not include the Provider’s financial, accounting or commercial data in its scope.
The Provider undertakes to cooperate in good faith with the expert and to facilitate the audit, providing him or her with all the information necessary and responding to all requests related to this audit. The audit shall be conducted during the Provider’s business hours. A copy of the audit report by the auditor shall be sent to each Party and examined conjointly by the Parties, who agree to meet for this purpose.
ARTICLE 13. FINANCIAL CONDITIONS
The financial conditions are set out in the Annexes.
The fees for the Services are indicated in euros and do not include taxes or charges.
The invoicing address is the Customer’s registered address.
Excluded from the fees and requiring separate invoices are the following:
- and more generally any provisions not included in the SaaS offer
13.2. PAYMENT METHODS
Regardless of the contractual duration, the Services are invoiced every 12 months.
Invoices are payable in advance, within 30 days of their receipt, by cheque or bank transfer.
13.3. DEFAULT IN PAYMENT
Without prejudice to any damages and interest, the Customer’s failure to pay an invoice when it is due entitles the Provider to:
- apply late-payment interest equal to three times the statutory interest rate, without prior notice and commencing from the first day of delay.
- claim additional banking and management costs (recovery, correspondence and telephone reminder costs, resubmission of debits declined by its bank).
- suspend the Services immediately.
13.4. PRICE REVIEW
Target Skills may revise the price for the month of January of each year, according to the following formula:
- P(t) = P(t-1) x [S(t) / S(t-1)], in which:
- P(t-1) is the base price or the price corresponding to the last revision;
- P(t) is the price after revision;
- S(t-1) is the latest known Syntec* index at the date of signature;
- S(t) is the Syntec index published at the date of signature of the contract where the index corresponds to the date of the last revision.
*The Syntec index is used to measure changes in the cost of labour, mainly of an intellectual nature, for services provided.
ARTICLE 14. OWNERSHIP
The Customer is and remains the owner of all the Data that it uses via the Application Services under the Contract.
The Provider is and remains the holder of ownership rights concerning all elements of the Application Services and the Solutions made available to the Customer and more generally the IT infrastructure (software or hardware) implemented or developed under the Contract.
The Contract does not confer any right of ownership to the Customer to the Solutions.
The temporary availability of the Solutions under the conditions set out in the Contract may not be viewed as an assignment of any intellectual property right to the benefit of the Customer, within the meaning of the French Intellectual Property Code.
The Customer is prohibited from reproducing any element of the Software or any documentation concerning it, by any method whatsoever, in any form whatsoever and on any media whatsoever.
The Customer may not assign the rights and obligations arising from the Contract, in whole or in part, whether this is by way of a temporary assignment, a sub-licensing agreement or any other contract transferring said rights and obligations.
ARTICLE 15. WARRANTY OF TITLE
The Provider declares and warrants:
- that the Solutions it has developed are original within the meaning of the French Intellectual Property Code,
- that it owns all the intellectual property rights required to be able to conclude the Contract.
The Provider declares and warrants that the Solutions are not liable to infringe the rights of third parties.
ARTICLE 16. LIABILITY – FORCE MAJEURE
Each of the Parties assumes liability for the consequences resulting from its negligence, errors and omissions as well as the negligence, errors and omissions of any of its subcontractors that cause direct harm to the other Party.
In addition, and in the event of negligence proven by the Customer, the Provider shall only be obliged to remedy the pecuniary consequences of direct and foreseeable harm due to performance of the Services. As a consequence, the Provider cannot, under any circumstances, assume liability for indirect or unforeseeable damages to, or losses of, the Customer or third parties, which specifically includes any loss of earnings, loss, inaccuracy or corruption of files or Data, commercial damage, loss of revenue or profits, loss of clientele, loss of opportunity, costs of obtaining a substitute product, service or technology, relating to or originating from the failure to perform or wrongful performance of the services.
In any case, the amount for which the Provider is liable is strictly limited to the reimbursement of the sums actually paid by the Customer as of the date on which the event incurring liability occurred, per user workstation, per day of interruption based on average consumption over the previous 12 months.
Furthermore, the Provider may not be held liable for the accidental destruction of the Data by the Customer or a third party accessing the Application Services using the Log-in Details provided to the Customer.
The Provider may not, in any case, be held liable for any damages in the event of losses caused by an interruption or a drop in service by the telecommunications operator, an electricity supplier or an event of force majeure.
Neither of the Parties may be held liable for any breach of its obligations under this Contract if such a breach results from: a governmental decision, including any withdrawal or suspension of any authorizations, a total or partial strike, whether internal or external to the company, a fire, a natural disaster, a state of war, a total or partial interruption or a stopping of the telecommunications or electrical networks, an act of computer piracy, or more generally any other event of force majeure having the characteristics defined in jurisprudence. The Party observing such an event must immediately inform the other Party of the impossibility of fulfilling its obligations.
The suspension of obligations or delay therein may not be used to invoke liability for non-performance of obligations, nor give rise to the payment of damages or late-payment interest.
ARTICLE 17. INSURANCE
The Provider has subscribed to the necessary insurance policies to cover the risks related to its business. It undertakes to provide the Customer with proof of this, if explicitly requested.
ARTICLE 18. TERMINATION
In the event of a breach of contractual obligations by one of the Parties, the other Party is entitled to terminate the Contract 30 days after a letter of notice sent by registered post with acknowledgement of receipt has gone unheeded. The breach or breaches observed shall be indicated in the letter of notice.
In the event of termination, the Customer shall cease using the access codes for the Solutions or the Application Services. The reversibility services shall be implemented pursuant to the article “Reversibility”.
The Provider undertakes not to store the Data beyond the storage period set by the Customer for the purposes for which it was collected and, in any case, not to store it after the termination of the Contract.
At the end of the Contract or in the event of its early termination, regardless of the reason for this, the Provider and its subcontractors shall immediately return a copy of all the Data to the Customer, in the same format that the Customer used to send the Data to the Provider, or failing this, in a structured and commonly used format.
This return shall be confirmed by a report, signed and dated by the Parties.
Once the return is completed, the Provider shall destroy the copies of the Data held on its systems within a reasonable period and must provide proof of this to the Customer within a reasonable period, following signature of the return report.
ARTICLE 19. REVERSIBILITY
In the event of termination of the contractual relationship, regardless of the reason for this, the Provider undertakes to return – or possibly destroy, at the Customer’s option – all the Data belonging to it, in a standard readable format that would not pose problems in an equivalent environment (SQL dump). This shall be carried out free of charge, upon the first request of the Customer communicated by registered letter with acknowledgement of receipt and within 7 days of receiving such a request.
The Customer shall actively work with the Provider in order to facilitate the Data retrieval.
The Provider shall ensure that the Customer may continue using the Data, without interruption, directly or with the assistance of another service provider.
Upon request, and subject to an additional invoice, the Provider may reload the Customer’s Data into the system that it has selected, although it is the Customer’s responsibility to make sure this is completely compatible.
Upon the Customer’s request, the Provider may provide additional technical support to the Customer and/or a third party designated by it, within the framework of reversibility.
This support shall be invoiced at the Provider’s rate in effect when the reversibility notification is issued.
ARTICLE 20. NON-SOLICITATION OF STAFF
Each of the Parties shall refrain from hiring, or giving work to, any of the other Party’s employees, whether directly or through an intermediary, without this Party’s prior express agreement. This provision is valid for the entire duration of the Contract and for 12 months following its termination.
If one of the Parties does not comply with this obligation, it undertakes to compensate the other Party, by immediately paying it, upon request, a fixed sum equal to 12 times the employee’s gross monthly remuneration at the point in time of his or her departure.
ARTICLE 21. CONFIDENTIALITY
Each of the parties is obliged (i) to keep all the information received from the other Party confidential and, in particular, (ii) not to disclose the other Party’s confidential information to any third parties, other than employees or agents that require knowledge of it; and (iii) to only use the other Party’s confidential information to exercise its rights and fulfil its obligations under the terms of the Contract.
Notwithstanding the foregoing, none of the Parties shall have any obligation with regard to information that (i) has entered or enters the public domain without this being due to the fault of the Party receiving it, (ii) is developed independently by the Party receiving it, (iii) is already known to the Party receiving it before the other Party disclosed it, (iv) is legitimately received from a third party not subject to an obligation of confidentiality, or (v) must be disclosed by law or following a court order (in which case it must be disclosed only to the extent required and after notifying the Party that initially provided it in writing).
The Parties’ obligations with regard to confidential information shall remain in effect for the entire duration of the Contract and, once it has ended, for as long as the information in question remains confidential for the Party that disclosed it and, in any case, for a period of 5 years after the end of the contract.
Each of the Parties must return all copies of documents and media containing confidential information of the other Party as soon as the Contract ends, regardless of the reason for this.
The Parties also undertake to ensure that their staff comply with these provisions, along with any agent or third party that may be engaged in any form whatsoever under the Contract.
ARTICLE 22. MISCELLANEOUS
The invalidity, lapse, unenforceability or lack of binding force of one or any of the Contract’s provisions shall not result in the remaining contractual provisions being invalid, lapsed or unenforceable, or lacking binding force, and they shall remain in effect. However, the Parties may, by mutual agreement, agree to replace the invalidated provision(s).
The Customer’s data constitutes the content of the Solutions.
The Contract is subject to French law, to the exclusion of all other legislation.
If the contract is written in, or translated into several languages, only the French version shall have binding force.
Disputes – clause conferring territorial jurisdiction:
To find a mutual solution to any dispute that may arise during the performance of the Contract, the Parties agree to meet with each other within 30 days of receiving a registered letter with acknowledgement of receipt from one of the two Parties.
IF, AT THE END OF A PERIOD OF FIFTEEN DAYS, THE PARTIES DO NOT REACH AGREEMENT ON A COMPROMISE OR SOLUTION, THE DISPUTE WILL THEN BE SUBJECT TO THE COMPETENT COURTS AT THE PROVIDER’S REGISTERED OFFICE.
ANNEX A - QUALITY CHARTER
The Provider undertakes to comply with the Quality Charter and, in particular, the following points, which act as a guarantee of the service’s quality:
The Provider undertakes to implement effective controls to give a reasonable assurance that the Customer can access and use the Solutions in question at the times set out in this Contract.
The Provider has introduced a redundant system that can run an uninterrupted service.
In the event of non-compliance with availability commitments during the course of a month, the following penalties will be applied:
- the total amount excluding tax of the penalties due for a month is capped at 100% of the monthly price due, excluding tax, for that month.
The Provider may supply an availability report as a means of verifying the parameters defined in this Charter.
SECURITY AND CONFIDENTIALITY
The Provider strives to secure access and use of the Solutions, taking into account the protocols, in accordance with standard practice in the field.
The Provider has put in place effective safeguards against unauthorized physical and electronic access to the Provider’s operating systems and applications, as well as to the Customer’s confidential information, in order to give a reasonable assurance that access to the systems and the Data of the Customer is restricted to authorized individuals, and that the Customer’s confidential information is protected against any use contrary to its purpose.
The Provider has put in place a double back-up of the Data with verification performed by its services, on a daily basis and in response to any specific request related to an event.
The Parties undertake to cooperate with the competent data protection authorities, in particular in the event of any requests for information that may be sent to them or in the event of an inspection. The media is stored in two separate locations for 7 consecutive days.
The Data is backed up through a database back-up procedure. The period for restoring back-ups is 1 day.
The Provider undertakes to implement effective controls in order to give a reasonable assurance that the applications made available to Customers process the data entrusted to it without risk of omission, alteration, deformation or any other form of error that could damage the integrity of the results from these applications and that data is processed in compliance with the applicable statutory regulations, and that the Data and processing are accessible in the event of inspections and external audits that may be conducted.
The integrity of the data processing extends to all system components and all processing phases (data input, transmission, processing, storage and data output). These controls consist of coherence and processing controls, detection and management of errors as well as the Users’ information on any related risk of non-conformity.
The Provider guarantees a response time of 5 seconds between its server and any User located in France. The response time refers to the monthly average of the average daily response time for opening a weekly schedule.
PREMIUM VERSION AND ENTERPRISE VERSION
If the Customer opts for the Premium version of the PlanningPME service or for the Enterprise Version of the PlanningPME service, then the latter will benefit from the following additional advantages:
- SSO: a single sign-on functionality implemented on the platform, allowing a user to access various computer applications by performing just one authentication.
- Storage Rescue: the Customer’s schedule and associated data are stored and replicated on various virtual and physical servers located in data centres. These data centres are located in distinct geographical locations.
ANNEX B - FINANCIAL CONDITIONS
|Number of resources|PlanningPME Standard - Monthly cost excluding tax|PlanningPME Premium - Monthly cost excluding tax|PlanningPME Enterprise - Monthly cost excluding tax|
|Management of 1 to 9 resources
|Management of 10 to 19 resources
|Management of 20 to 29 resources
|Management of 30 to 39 resources
|Management of 40 to 49 resources
|Management of 50 to 74 resources
|Management of 75 to 99 resources
|Management of 100 to 149 resources
|Management of 150 to 199 resources
|Management of 200 to 249 resources
|Management of 250 to 299 resources
|Management of 300 to 349 resources
|Management of 350 to 399 resources
|Management of 400 to 499 resources
|Management of 500 to 599 resources
|Management of 600 to 699 resources
|Management of 700 to 799 resources
|Management of 800 to 899 resources
|Management of 900 to 999 resources
|Management of more than 1000 resources
ANNEX C – PERSONAL DATA
Out of concern for privacy, the Service Provider has been careful to comply with the applicable regulations.
Article 1. Subject
The aim of this annex is to define the conditions in which the Service Provider, in its role as a sub-contractor, undertakes to process personal data (hereafter referred to as “Personal Data”) on behalf of its Customer, who acts as the party responsible for processing.
Article 2. Customer Undertaking
The Customer acts as data controller within the meaning of the Regulation. It alone is responsible for defining the means and purposes for processing carried out by the Service Provider in the performance of the contract. When the Customer decides to make use of the Service Provider’s services to carry out personal data processing on its behalf, the Customer will define the following points in a separate document:
- The nature of the processing to be carried out on Personal Data by the Service Provider;
- The exact purpose(s) of the Personal Data processing carried out by the Service Provider;
- The categories of people concerned by the Service Provider’s processing;
- The categories of Personal Data processed by the Service Provider;
- The means of access to Personal Data by the Service Provider.
Furthermore, the Customer undertakes:
- Ahead of time and during the processing, to ensure compliance with its obligations under the Regulation;
- In compliance with the Regulation, to inform the relevant people about the use made of their Personal Data;
- To provide written documentation pertaining to the performance of processing by the Service Provider;
- To communicate to the Service Provider only the Personal Data required for the correct performance of processing under the Contract. In order to do this, the Customer undertakes to put in place all measures required to restrict access by the Service Provider to Personal Data;
- To communicate in writing all requests for assistance to the Service Provider, it being stipulated that these requests need to be documented and substantiated.
Article 3. Service Provider’s general obligations regarding the processing of Personal Data
In the context of the processing of Personal Data performed on behalf of the Customer, the Service Provider undertakes to:
- Instructions: only process Personal Data upon receipt of written, documented instructions from the Customer and to immediately inform the Customer if an instruction seems to it to run counter to the Regulation;
- Confidentiality: ensure that its staff and potential sub-contractors who are authorised to access Personal Data are aware of the Customer’s instructions, and undertake only to process the aforementioned Data entrusted to them in strict compliance with these instructions;
- Training: ensure training of its staff and create awareness regarding the issues around the protection of Personal Data;
- Processing records: maintain records of processing performed on the Customer’s behalf in compliance with the Regulation;
- Period of Retention: only retain processed Personal Data in a form that makes it possible to identify individuals for the time required to perform the services covered by the Contract;
- Information: inform the Customer as soon as possible about requests directly made to it by the relevant people or by the competent authorities, and more widely, about any event which impacts the processing of Personal Data entrusted to it by the Customer;
- Assistance: provide the Customer with reasonable assistance in responding to requests for the exercising of rights by relevant persons and/or to requests for information by the monitoring authorities or as part of conducting privacy impact reports. This assistance will be provided so long as a written, detailed, substantiated request is provided by the Customer, and the Customer actively collaborates with the Service Provider.
Article 4. Specific undertakings regarding Personal Data security
The Service Provider specifically undertakes to:
- Depending on the nature of the processing and the Personal Data, and bearing in mind the risks involved, implement technical and organisational measures, the aim of which is to protect Personal Data against breaches of Personal Data within the meaning of the Regulation. The Service Provider makes a description of these measures available to the Client and shall provide them upon first request;
- Only allow access to Personal Data by those persons who are properly authorised due to their position and job title, this being strictly restricted to what is required in order for them to carry out their work. The Service Provider shall ensure that these persons are subject to the contractual or legal obligation to appropriate levels of confidentiality and security;
- Inform the Customer if there is a breach of Personal Data within the meaning of the Regulation. This notification must be made as soon as possible after the Service Provider has discovered the breach;
- Hold the Personal Data on servers located within the European Union and not change its location without the Customer’s prior written agreement;
- Refrain from transferring Personal Data to a country outside of the European Union or a country recognised as having adequate protection without the Customer’s prior written agreement.
The Customer must make sure that sufficient guarantees are provided to regulate transfers of Data, in particular through the implementation of binding corporate rules on subcontractors or by the signing of standard contractual clauses as adopted by the European Commission in its decision 2010/84/EU with the interested Parties, including the Provider and any subcontractors.
PlanningPME’s use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
Article 5. Specific undertakings concerning sub-contracting
The Service Provider has the Client's general authorisation for the use of subsequent subcontractors on the basis of a list agreed in Appendix D. The Service Provider shall specifically inform the Client in writing of any proposed changes to this list by the addition or replacement of subsequent subcontractors at least fifteen (15) days in advance, thereby giving the Client time to be able to object to such changes before the recruitment of the relevant subsequent subcontractor(s). The Service Provider shall provide the Client with the necessary information to enable the Client to exercise its right to object. This information must clearly define the processing activities which have been sub-contracted, the identity and contact details of the sub-contractor and the dates of the sub-contracting contract.
Where the Provider uses a subsequent subcontractor to carry out specific processing activities (on behalf of the Customer), it does so by means of a contract which imposes on the subsequent subcontractor, in substance, the same data protection obligations as those imposed on the Provider under these Clauses. The Service Provider shall ensure that the subsequent subcontractor complies with the obligations to which it is itself subject under these clauses and the Regulations. The Service Provider remains liable to the Client for the performance of the subsequent subcontractor's obligations in accordance with the contract concluded with the subsequent subcontractor.
Article 6. Disposal of Personal Data at the end of the contract
At the end of the contract, except if there is a legal obligation to retain it, the Service Provider undertakes to return or destroy the Personal Data processed on behalf of the Customer within a reasonable time period and in line with the Customer’s instructions. If Personal Data is destroyed, the Service Provider will certify in a report that this data and any copies have been destroyed. Depending on the type of portability/reversibility operations involved, the Service Provider reserves the right to issue supplementary invoices for these operations.
Article 7. Service Provider’s responsibility
The Parties agree that the Service Provider shall only be held responsible for any damage caused by processing which is covered by the Contract:
- If it has failed to comply with the obligations foreseen under the Regulation which are specifically imposed upon it as a sub-contractor, or,
- If it has acted beyond or contrary to the Customer’s legal instructions.
APPENDIX D - LIST OF SUBSEQUENT SUBCONTRACTORS
|Outsourced processing activity|Identity of subcontractor|
|2 rue Kellermann - 59100 Roubaix - France. +33(0)820 698 765