1. Provider’s commitments as a Data Processor


The Processing carried out by the Provider as a Processor is described in this exhibit. The Parties expressly agree that the Provider acts only in accordance with the Customer’s instructions and orders; it is therefore the Customer’s Data Processor under the Data Privacy Regulation for the supply of access to the Solution, it being agreed that for the Maintenance, the Provider acts as the Data Controller.

Therefore, in accordance with the Data Privacy Regulation, the Provider, when acting as a Data Processor, shall:

  1. Only process Personal Data under the Customer’s written instructions, such as the Agreement, and through the use of the Solution’s functionalities, and inform the Customer if an instruction does not comply with the Data Privacy Regulation, including regarding Data transfers to any third country or international organization, unless it must do so under EU Law or the law of the Member State to which the Data Processor is subject; in this case, the Data Processor informs the Customer of this legal obligation before the Processing, unless the applicable law prevents such information for reasons of general interest;
  2. Ensure that the persons authorized to process the Personal Data comply with confidentiality requirements or are subject to an adequate legal obligation of confidentiality;
  3. Implement all necessary measures to ensure Personal Data security and integrity;
  4. Inform the Customer and collect its potential objections in the event of a change of subprocessor accessing the Personal Data, it being specified that the Parties agree that the Customer accepts the subprocessors used on the date of signature of the Contract, as listed in this schedule;
  5. Reasonably assist the Customer, through adequate technical and organizational measures and as far as reasonably possible, to fulfil its obligation to respond to Data Subjects’ requests to exercise their rights (access, erasure, etc.) by transferring the request to the Customer, and to perform impact analyses and prior consultations;
  6. In the particular case of receipt of a Data Subject’s request to exercise their rights, notify the Customer and forward the request to it, and not answer the request unless the Customer expressly instructs the Provider to do so;
  7. Provide reasonable assistance to the Customer in ensuring compliance with its security obligation, taking into account the nature of the processing and the information at its disposal;
  8. Delete all Personal Data held in a digital format and return to the Customer those held in paper format at the end of the Service relating to the Processing, and destroy the existing copies, unless otherwise specified by EU Law or if Member State law requires the retention of the Personal Data;
  9. Make available to the Customer within a reasonable period of time all information necessary to demonstrate compliance with the obligations set out in this Exhibit and to enable and assist in one audit per year, including inspections, by the Customer or another auditor appointed by the Customer, it being understood that any penetration test shall be subject to prior written agreement on its terms and scope;
  10. Notify the Customer as soon as possible and if possible within 48 hours of becoming aware of any Personal Data Breach at the Provider or the host of the Personal Data and assist the Customer in providing information to the relevant national supervisory authority and to the Data Subjects following such a breach where appropriate;
  11. Cooperate reasonably with the CNIL if necessary; 
  12. Cease all Processing upon termination or expiry of the Agreement other than as necessary to provide the reversibility of Personal Data referred to in (8) above.

The Customer hereby authorizes the Provider to compile statistics from the processed Data for the purpose of improving the functionality of the Solution and the Services.

 

2. Description of the Processing

Purpose of the Processing: The purpose of the processing of Personal Data is the provision of the Services, and to subcontract the management of registrations and access to the Solution by Users.

Term of the Processing: The term is the duration of the Agreement, including the reversibility period. In any event, the Personal Data will be deleted upon termination of the Agreement at the end of the reversibility period.

Nature of the Processing carried out by the Service Provider: The Processing includes the following operations: collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, restriction, erasure.

Categories of Personal Data (Customer):

  • First name, last name, professional email address, and password
  • Technical data (IP address, etc.) 

Categories of Sensitive Data: Non-applicable.

Categories of Data Subjects: Users (the Customer’s employees)

Subprocessors: List of subprocessors accessible at the following link