Data Processing Agreement

This Data Processing Agreement (“Agreement“) forms part of the Contract for Services (“Principal Agreement“) between YOUR COMPANY + ADDRESS (the “Company”) and MOFFI SAS, 225 Rue des Templier, 59000, LILLE, FRANCE (the “Data Processor”)
(together as the “Parties”)

WHEREAS

(A) The Company acts as a Data Controller.

(B) The Company wishes to subcontract certain Services, which imply the processing of personal data, to the Data Processor.

(C) The Parties seek to implement a data processing agreement that complies with the requirements of the current legal framework in relation to data processing and with the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

(D) The Parties wish to lay down their rights and obligations.

IT IS AGREED AS FOLLOWS:

1. Definitions and Interpretation

1.1 Unless otherwise defined herein, capitalized terms and expressions used in this Agreement shall have the following meaning:

• “Agreement” means this Data Processing Agreement and all Schedules;
• “Company Personal Data” means any Personal Data Processed by a Contracted Processor on behalf of Company pursuant to or in connection with the Principal Agreement;
• “Contracted Processor” means a Subprocessor;
• “Data Protection Laws” means EU Data Protection Laws and, to the extent applicable, the data protection or privacy laws of any other country;
• “EEA” means the European Economic Area;
• “EU Data Protection Laws” means EU Directive 95/46/EC, as amended or replaced by the GDPR and any applicable laws implementing or supplementing the GDPR;
• “GDPR” means EU General Data Protection Regulation 2016/679;
• “Data Transfer” means:
  • a transfer of Company Personal Data from the Company to a Contracted Processor;
  • or an onward transfer of Company Personal Data from a Contracted Processor to a Subcontracted Processor, or between two establishments of a Contracted Processor, where such transfer would be prohibited by Data Protection Laws.
• “Services” means the application and services the Company provides.
• “Subprocessor” means any person appointed by or on behalf of Processor to process Personal Data on behalf of the Company in connection with the Agreement.

1.2 The terms used shall have the same meaning as defined in the GDPR.

2. Nature and purpose of the processing

Waldo is a desk and parking reservation tool for Microsoft Teams. It processes data to:

• Inform users who is working where.
• Reserve desks and/or parking spots for users.

3. Type of personal data and categories of data subjects

Waldo does not store personal data. User information (e.g. name) is pulled via Microsoft 365 APIs and processed in-memory only.

More information: Architecture and Data Article

4. Processing of Company Personal Data

• Processor shall comply with applicable Data Protection Laws.
• Processor shall only process data on documented instructions from the Company.

5. Processor Personnel

Processor shall ensure personnel accessing Company data are bound by confidentiality and only access what’s strictly necessary.

6. Security

Processor shall implement appropriate technical and organisational measures in accordance with Article 32(1) GDPR.

7. Subprocessing

Processor shall not appoint any Subprocessor without prior written authorization from the Company.

8. Data Subject Rights

• Assist the Company in fulfilling requests from Data Subjects.
• Notify the Company of any such request and act only under documented instructions.

9. Personal Data Breach

• Notify the Company without delay upon becoming aware of a breach.
• Support investigations and remediation efforts.

10. Data Protection Impact Assessment

Processor shall assist the Company with necessary data protection impact assessments as per Article 35 and 36 of the GDPR.

11. Deletion or return of Company Personal Data

Upon termination, Processor shall delete all Company Personal Data within 10 business days.

12. Audit rights

Processor shall provide access to relevant data for audit purposes to demonstrate compliance.

13. Data Transfer

No data shall be transferred outside the EU/EEA without prior written consent. If done, EU Standard Contractual Clauses shall apply.

14. General Terms

• Confidentiality: Both Parties shall treat the Agreement and related information as confidential.
• Notices: Communications must be made in writing to the contact details provided.

15. Governing Law and Jurisdiction

• This Agreement is governed by the laws of France.
• Jurisdiction lies with the court of TO DEFINE, subject to appeal in Lille.

IN WITNESS WHEREOF, this Agreement is entered into with effect from the date first set out below.

MOFFI SAS
Signature ______________________________
Name: Edouard COISNE
Title: CEO
Date Signed: __________________________

YOUR COMPANY NAME
Signature ______________________________
Name _________________________________
Title ___________________________________
Date Signed ___________________________