Data Processing Agreement - previous version
This is an archived page of our April 2024 DPA which is replaced from October 11, 2024
This Data Processing Agreement (hereinafter “DPA”) is applicable between the company RINGO (trading under the name MODJO), a simplified joint stock company with a capital of 38.666,31 euros registered in the trade and companies register of Nanterre under number 879 606 283, and whose registered office is located at 59, avenue Sainte-Foy - 92200 Neuilly-sur-Seine, France (hereinafter “RINGO”) and each of its Client as identified in the Order Form (hereinafter the “Client”).
Preamble:
In the context of the performance of the Order Form(s) and the attached General Terms and Conditions of Sales Modjo (T&Cs) concluded between RINGO and the Client, the Client, in its capacity as Controller, entrusts RINGO, in its capacity as Processor, with the processing of Personal Data.
This Data Protection Agreement is attached to the Order Form and the General Terms and Conditions of Sales Modjo.
The parties intend to comply with all applicable regulations regarding the Processing of Personal Data, and in particular the French law n°78-17 of 6 January 1978 (known as “Loi Informatique et Libertés”) as amended and the EU General Regulation on the Protection of Personal Data n°2016-679 dated 27 April 2016 (“GDPR”).
The parties have agreed to this Contract in order to ensure compliance with Article 28(3) and (4) of GDPR. This Contract applies to the processing of personal data as specified in Article 1.
It is expressly agreed that the terms used in this Contract with a capital letter (e.g., Controller, Personal Data, Service, …) correspond to the definitions contained in GDPR and in the T&Cs. This Contract shall be read and interpreted in the light of the provisions of GDPR.
1 - Description of processings
Los detalles de las operaciones de tratamiento, en particular las categorías de datos personales y los fines del tratamiento para los que se tratan los personales por cuenta del Cliente, en su calidad de Responsable del Tratamiento, son :
● Categories of data subjects whose personal data is processed : the Client’s staff and employees using the services provided by RINGO, the Client’s contacts, prospects and clients.
● Categories of personal data processed : data related to the identification of the data subjects (name, surname, contact details and email), data related to the phone call and video conference recordings, data related to the use of the Service such as comments, reviews, translations and intelligent summaries and scoring made on the services, data related to the emails exchanged between the data subjects, data related to meeting reminder e-mail and data related to the networks.
● Object of the processing: the performance by RINGO of the Service, and their use by the Client, in accordance with the Order Form(s) and the attached T&Cs concluded between RINGO and the Client.
● Nature of the processing : the collection and analysis of data including Personal Data on behalf of the Client.
● Purposes of the processing : the performance by RINGO, on behalf of the Client, of the Service , mainly the collection, the recording and the analysis of phone call, video conference recordings and mails, and the filling of the customer relationship management software as well as the assistance, back-up, security and maintenance services attached to the Service.
● Duration of the processing : Personal Data is processed by RINGO for the duration of the contractual relationship of the Client, logs are kept for a period of one (1) year. When the AI Assistant feature is activated by the Client, data is retained by Open AI for a maximum of 30 days for the purpose of content moderation and abuse prevention.
2- Instructions
RINGO shall process personal data only on documented instructions from the Client and in accordance with the above provisions, , unless required to do so by Union or Member State law to which RINGO is subject. In this case, RINGO shall inform the Client of that legal requirement before processing, unless the law prohibits this on important grounds of public interest. Subsequent instructions may also be given by the Client throughout the duration of the processing of personal data. These instructions shall always be documented.
If RINGO considers that any of the Client’s instructions constitute a breach of the applicable regulations on the protection of Personal Data, it will inform the Client immediately. RINGO will not be held liable in any way for the Client’s instructions and decisions and their possible consequences.
Las disposiciones del presente Contrato, así como la activación por parte del Cliente, sus Administradores o Usuarios de las funciones de traducción y AI Assistant constituyen instrucciones documentadas del Cliente a RINGO.
3 - Purpose limitation
RINGO tratará los Datos Personales únicamente para los fines del tratamiento, según lo establecido en el artículo 1, a menos que reciba otras instrucciones del Cliente.
4 - Duration of the processing of personal data
RINGO shall process the Personal Data only for the duration of the processing, as set out in Article 1, unless it receives further instructions from the Client.
5 - Security of processing
RINGO se compromete a establecer medidas de seguridad técnicas y organizativas adecuadas para garantizar la seguridad de los Datos Personales que trata frente a cualquier destrucción, pérdida, alteración, divulgación o acceso no autorizados o cualquier otra forma de tratamiento no autorizado. Al evaluar el nivel de seguridad adecuado, RINGO tiene debidamente en cuenta el estado de la técnica, los costes de aplicación, la naturaleza, el alcance, el contexto y los fines del tratamiento, así como los riesgos que entraña para los interesados.
A description of these measures has been drawn up by RINGO in accordance with Article 32 of GDPR and is available on written request.
When the AI Assistant feature is activated by the Client, the Client agrees that the security measures implemented are those of the OpenAI security policy.
RINGO concede acceso a los datos personales objeto de tratamiento a los miembros de su personal sólo en la medida estrictamente necesaria para la aplicación, gestión y control del Servicio. RINGO garantiza que las personas autorizadas a tratar los datos personales recibidos están sometidas a una obligación contractual adecuada de confidencialidad.
6 - Documentation and compliance
RINGO pondrá a disposición del Cliente toda la información necesaria para demostrar el cumplimiento de las obligaciones que se establecen en el presente Contrato y se derivan directamente del GDPR.
At the request of the Client, RINGO shall also permit and contribute to audits of the processing activities covered by this Contract, at reasonable intervals or if there are indications of non-compliance.
Los intervalos razonables significan que se podrá realizar una auditoría a razón de una (1) vez por año natural, y con un preaviso por escrito a RINGO de sesenta (60) días.
Esta auditoría deberá realizarse respetando la seguridad y confidencialidad de la documentación y los procedimientos de RINGO. No durará más de un (1) día y se realizará durante el horario laboral normal en la sede de RINGO.
El Responsable del Tratamiento podrá decidir llevar a cabo la auditoría por sí mismo o designar a un auditor independiente, elegido de mutuo acuerdo entre las partes y sujeto a una obligación de confidencialidad.
Notwithstanding any provision to the contrary, the Client shall be responsible for all costs and/or expenses incurred as a result of this visit.
The parties shall make the information set out in this clause, including the results of any audit, available to the competent supervisory authority(ies) upon request.
7 - Use of sub-processors
RINGO has the Client’s general authorisation for the engagement of sub-processors enumerated in the agreed list (Annex 1).
RINGO undertakes to provide an up-to-date list of its sub-processors and their processing activities upon request by the Client.
RINGO informará al Cliente de cualquier cambio previsto en dicha lista mediante la adición o sustitución de subprocesadores al menos ocho (8) días antes de la fecha de adición o sustitución del subprocesador en cuestión.
El Cliente puede oponerse a que RINGO utilice un nuevo subencargado del tratamiento notificando a RINGO sin demora por escrito (por ejemplo, por correo electrónico) y antes de la fecha de incorporación o sustitución del subencargado en cuestión. En caso de que el Cliente se oponga, RINGO hará todo lo razonablemente posible para poner a disposición del Cliente un cambio en el Servicio o recomendar un cambio comercialmente razonable en la configuración o el uso del Servicio por parte del Cliente para evitar el tratamiento de Datos Personales por parte del nuevo subencargado objetado Si RINGO no puede poner a disposición dicho cambio dentro de un plazo razonable, que no excederá de treinta (30) días, el Cliente podrá rescindir la Orden de Pedido aplicable sólo con respecto a aquellos servicios que no puedan ser prestados por RINGO sin el uso del nuevo subencargado objetado, mediante notificación por escrito a RINGO, con acuse de recibo.
La ausencia de objeciones por parte del Cliente se considerará como la aceptación por parte del Cliente de los cambios que afecten a la lista de subprocesadores.
Where RINGO engages a sub-processor for carrying out specific processing activities on behalf of the Client, the sub-processor of RINGO is obliged to fulfil, in substance, the same data protection obligations as the ones imposed on RINGO in accordance with this Contract It is the responsibility of RINGO to ensure that the sub-processor presents sufficient guarantees as to the implementation of appropriate technical and organisational measures so that the processing meets the requirements of GDPR.
RINGO sigue siendo plenamente responsable ante el Cliente del cumplimiento de sus obligaciones por parte de sus subprocesadores.
Algunos subprocesadores sólo procesan datos del Cliente cuando la función para la que actúan es activada por el Administrador o el Usuario del Cliente.
Así, el subprocesador OpenAI procesa los datos del Cliente sólo cuando el Administrador ha activado el Asistente AI . Cuando esta función está activada, OpenAI procesará los datos del Cliente para la provisión de resúmenes inteligentes, capítulos y puntuación.
Del mismo modo, el subprocesador Deepl sólo procesa los datos del Cliente cuando el Usuario activa la función de traducción para un registro específico. Cuando se activa esta función, Deepl procesará los datos del Cliente relacionados con este registro para proporcionar una traducción.
8- Assistance to the Client
The Client shall inform Data Subjects of the processing of their data and of their rights under the “Loi Informatique et Libertés” and GDPR (rights of access, information, opposition, etc.). In particular, the Client must inform its own employees and their correspondents of the recording of their telephone and video conversation and of the fact that they can at any time object to such recording. RINGO may not be held responsible for this obligation under any circumstances.
RINGO notificará sin demora al Cliente cualquier solicitud que haya recibido del interesado. El Cliente se compromete a responder a las solicitudes de los Interesados en el plazo de un (1) mes.
As a Processor, RINGO shall assist the Client in fulfilling its obligations to respond to data subjects’ requests to exercise their rights, taking into account the nature of the processing and the Client’s instructions.
RINGO shall also assist the Client in ensuring its compliance with its following obligations, taking into account the nature of the data processing and the information available to RINGO :
● the obligation to carry out an assessment of the impact of the envisaged processing operations on the protection of personal data (a ‘data protection impact assessment’) where a type of processing is likely to result in a high risk to the rights and freedoms of natural persons and, where applicable, the obligation to consult the competent supervisory authority prior to the processing
● the obligations set out in article 32 of GDPR.
9 - Inspections, control or audits by public authorities
In the event of an inspection, control or audit carried out by a public authority, including a Supervisory Authority, each Party undertakes to provide all necessary assistance to the other.
If the public authority considers that the processing carried out violates the applicable regulations on the protection of personal data, the parties undertake to communicate and immediately take the necessary measures to remedy the breach.
10 - Notification of personal data breach
In the event of a personal data breach, RINGO shall cooperate with and assist the Client for the Client to comply with its obligations under Articles 33 and 34 of GDPR, where applicable, taking into account the nature of processing and the information available to RINGO.
In the event of a data security breach not caused by the Client, RINGO undertakes to take immediate corrective measures to remedy the situation.
RINGO shall notify the Client of any breach without undue delay after becoming aware of such breach, by an email sent to the Client.
This notification shall contain all relevant information about the breach, in order to enable the Client, if necessary, to notify the Supervisory Authority concerned and/or the Data Subjects concerned by the breach, in accordance with its obligations as Controller.
The parties undertake to cooperate fully in order to put an end to the breach as soon as possible.
11 - Storage of Data inside the European Union and international transfers
Personal data processed by RINGO on behalf of the Client and RINGO’s websites and databases are hosted by Amazon Web Services on servers located in the European Economic Area (“EEA”).
Cualquier transferencia de datos a un tercer país o a una organización internacional por parte de RINGO se realizará únicamente sobre la base de este Contrato o con el fin de cumplir con un requisito específico en virtud de la legislación de la Unión o del Estado miembro al que esté sujeto el procesador y se llevará a cabo de conformidad con el Capítulo V del GDPR.
Prior to a transfer authorised by the Client, RINGO undertakes to put in place the necessary measures to ensure that the recipient located in the country outside the European Economic Area presents an adequate level of protection.
When the Client has activated the AI Assistant feature, the Client agrees to the processing of its data by OpenAI in accordance with its processing terms and to the transfer of its data to the United States in accordance with the standard contractual clauses adopted by the European Commission.
RINGO podrá transferir datos personales a los subencargados del tratamiento autorizados que se indican en el Anexo 1 "Lista de subencargados del tratamiento autorizados". Dichos subencargados pueden estar situados fuera de la Unión Europea. En tal caso, RINGO se asegura de que el subprocesador pueda garantizar el cumplimiento del Capítulo V del GDPR presentando un nivel adecuado de protección, como el uso de cláusulas contractuales estándar adoptadas por las Comisiones o BCR aprobadas.
The exhaustive list and information about our sub-processors is provided in Annex 1.
12 - Changes and updates
RINGO reserves the right to change this DPA at any time. The Client is informed of these changes by email (sent to the email address of the Modjo Administrator) or on the website www.modjo.ai or on Modjo commercial conversational analysis platform, as decided by RINGO on its sole discretion.
Except for the use of sub-processors, as stated in Article 7 of this DPA, changes to this DPA will apply to the Client, even if it has registered before the change, eight (8) days after the information has been given to them. In the event the updated DPA would be of material detriment to the Client and the change is not required by applicable laws, regulations, directive, guidance or decision of an european data protection authority or a court order, the Client informs RINGO of the Client’s objection and its reason within eight (8) days of the information. If the Parties cannot reach an agreement within thirty (30) days following the receipt of the Client’s objection, the Client may terminate the Service affected by the change without penalty by written notice to RINGO. Any use of the Service after the information of the Client will be deemed as the Client’s acceptance of the updated DPA.
13 - Fate of data after the termination of the contract
Tras la rescisión del Contrato, el Cliente dispondrá de un plazo de un (1) mes para solicitar por escrito la devolución, en formato de archivo bruto y bajo su responsabilidad, de sus grabaciones; a falta de dicha solicitud en este plazo, RINGO podrá proceder a la destrucción definitiva de todos los datos, incluidos los registros y copias de seguridad.
14 - Data Protection Officer
RINGO cuenta con un responsable de protección de datos con el que se puede contactar por correo electrónico en la dirección dpo@modjo.ai.
15 - Record of processing activities
RINGO undertakes to keep an up-to-date Record of processing activities carried out in its capacity as Processor, including the following information:
● the name and contact details of the Controller, any sub-processors and the Data Protection Referent;
● the categories of processing carried out on behalf of the Controller;
● any transfers of Personal Data to countries outside the European Union and evidence of the existence of appropriate safeguards;
● a general description of the technical and organisational security measures put in place.
16 - RINGO responsibilities
For the duration of the Contract concluded between RINGO and the Client:
● RINGO guarantees the confidentiality of the Personal Data processed in its capacity as a Processor and ensures that the members of its staff who are authorised to process the Personal Data respect this principle of confidentiality and have received the necessary training in this regard
● RINGO undertakes to take into account the principle of protection of Personal Data by design and by default, with regard to the tools, products, applications or services that it uses
●
17 - Client’s responsibilities
El Cliente se compromete a recoger y tratar los Datos Personales de conformidad con la normativa laboral y de protección de datos aplicable, en particular en lo relativo a los métodos, la base y los fines del tratamiento, la duración de la conservación de los Datos Personales, los derechos de los Titulares de los Datos y la información que se les facilita.
In particular, the Client undertakes to comply with all regulations and obligations applicable to the Processing of employees’ data and to the processing of special categories of Personal Data (such as health data, religious beliefs, sexual orientation, etc.) and to carry out, prior to their Processing, the necessary verifications, studies and impact analyses, to inform Data Subjects according to articles 12, 13 and 14 of GDPR and to obtain, where applicable, the consent of the Data Subjects with regard to the collection and processing of their personal data and, in particular, the recording of their voice.
The Client undertakes to provide RINGO with all the information required to carry out the intended Processing activities in compliance with all applicable regulations and to document any instructions concerning the Processing.
El Cliente se compromete a facilitar a RINGO los Datos Personales identificados en el artículo 1 del presente Contrato y a garantizar la licitud y exactitud de los mismos. El Cliente también se compromete a garantizar la efectividad de los derechos de los Titulares de los Datos.
El Cliente exime a RINGO de cualquier reclamación o acción al respecto.
The Client undertakes to supervise the Processing, including carrying out at its own expense the necessary audits and inspections of RINGO or to ensure at its own expense the conduct or defense of the interests of the parties in the context of any action, procedure or control.
Annex 1 : List of Permitted Sub-processors
