Personal data outsourcing agreement
This subcontracting agreement is applicable to any customer who has authorized Kavkom to process on its behalf the personal data processed within the business telephony and customer relationship management software solutions published by Kavkom (hereinafter the “Solution”) and used by the customer following its order and its acceptance of Kavkom’s general terms and conditions of sale.
In this context, Kavkom will be required to process personal data for which the customer is the data controller and will therefore act solely on the basis of the customer’s instructions, in accordance with Kavkom’s role as processor under the applicable regulations on the protection of personal data.
For the purposes of this Agreement, the terms “processing”, “controller”, “processor”, “data subjects”, and “personal data” shall have the meaning given by Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (hereinafter, the “GDPR”).
1. Description of outsourced processing operations
Kavkom is authorized, in its capacity as processor, to process the personal data necessary for the following purposes on behalf of the customer, in its capacity as data controller:
- Managing a contact database via the Solution
- Management of telephone call and email campaigns via the Solution
- Recording of telephone conversations to improve customer service via the Solution
- Management of opposition requests from data subjects via the Solution
Nature of processing: Collection, recording, consultation, communication and deletion
Types of personal data processed: Identification data, contact data, business data, billing data, telephone conversations
Categories of data subjects: Customers and prospects, employees, suppliers and other business partners
Duration of processing: Data is deleted 30 days after the end of the service contract. Data can be deleted and/or exported from the Solution at any time by the customer.
2. General obligations of Kavkom in its capacity as processor under the GDPR
In its capacity as subcontractor, Kavkom undertakes to implement all necessary measures enabling the customer to comply with the GDPR and applicable regulations on the protection of personal data. In this sense, Kavkom undertakes to:
- process personal data within the strict and necessary framework of the services provided under the contract concluded with the customer and, in general, to act only on the customer’s written and documented instructions;
- immediately inform the customer if one of his instructions constitutes a violation of the regulations applicable to the protection of personal data, and suspend the execution of said instruction until the customer confirms or modifies the instruction;
- ensure that persons authorized to access personal data are aware of the customer’s instructions and undertake to process them only in strict compliance with them;
- ensure that persons authorized to access personal data receive the necessary training in the protection of personal data;
- not to concede, rent, transfer or otherwise communicate to any person, all or part of the personal data, even free of charge, and, more generally, not to use the personal data for purposes other than those strictly provided for in the contract, in particular, for any use of commercial, marketing and/or other prospecting;
- where necessary, assist customers in carrying out impact analyses relating to the protection of personal data;
- where necessary, assist the customer in carrying out prior consultation with the supervisory authority.
3. Subsequent subcontracting – Location of processing
Kavkom is authorized under this contract to host the personal data entrusted to it by the customer within the hosting infrastructures of Amazon Web Services. These infrastructures are located in Europe, more specifically in Paris, France.
Kavkom may also use the services of certain third-party service providers, who may have access to personal data hosted on the Solution in the course of their business. The services provided by these service providers are necessary for the operation of the Solution and the services offered by Kavkom, such as the service provider enabling customers to send SMS messages to their contacts via the Solution.
All service providers used by Kavkom are located in the European Economic Area. However, some of Kavkom’s teams are located in Israel, a country that has been granted an adequacy decision by the European Commission, establishing that it provides an adequate level of protection for personal data.
During the course of the contract, Kavkom may call upon another subcontractor to carry out specific processing activities. In this case, Kavkom will inform the customer in advance and in writing of any changes envisaged concerning the addition or replacement of other subcontractors. The customer will have a maximum of one (1) month from the date of receipt of this information to present any objections. This subcontracting can only be carried out if the customer has not raised any objections within the agreed period.
Kavkom ensures that any subcontractor it uses presents the same sufficient guarantees regarding the implementation of appropriate technical and organizational measures so that the processing meets the requirements of the GDPR. Kavkom remains in any event fully liable to the customer for the performance by any other subcontractor of its obligations.
4. Right to information and exercise of data subject’s rights
The Customer warrants to Kavkom that it has complied with all the obligations necessary for the collection and processing of the personal data collected, incumbent on it in particular under the terms of the GDPR, and that it has informed the persons concerned of the use that is made of the said personal data via the Solution.
To the extent possible, Kavkom will assist the customer in fulfilling its obligation to comply with requests to exercise the rights of data subjects: right of access, rectification, erasure and objection, right to limitation of processing, right to data portability, right not to be subject to an automated individual decision (including profiling).
Where the persons concerned make requests to Kavkom to exercise their rights, Kavkom will also send these requests upon receipt by e-mail to the customer at the address indicated in the customer’s order.
5. Applicable technical and organizational safety measures
During the term of the contract, the parties shall take all appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction, accidental loss, deterioration, unauthorized distribution or access, in particular during the process of data transmission over a network, and against any unlawful processing.
Kavkom also implements the following specific measures to ensure the security of personal data entrusted to it by the customer:
– Verification of activity on the Solution thanks to a system of logs and analyses,
– Kavkom personnel with access to data are made aware of the risks associated with data handling and must be specifically authorized,
– Kavkom and its service providers (in particular Checkpoint) regularly perform tests on the Solution to verify its security (penetration tests, security scans, threat detection, etc.),
– Staff terminals are protected by automatic locking procedures, antivirus/firewalls and the ability to lock and disable terminals remotely,
– Regular review of codes and change procedures to verify compliance of any changes with safety procedures,
– AWS servers are located in highly secure infrastructures guaranteeing:
- the means to guarantee the ongoing confidentiality, integrity, availability and resilience of processing systems and services,
- the means to restore availability and access to personal data within an appropriate timeframe, and at most within twenty-four hours, in the event of a physical or technical incident,
- procedures for regularly testing, analyzing and evaluating the effectiveness of technical and organizational measures to ensure the security of processing.
6. Notification of personal data breaches
Kavkom will notify the customer of any personal data breach within 48 hours of becoming aware of it and by any appropriate means of contact, in particular by e-mail or telephone.
This notification is accompanied by any useful documentation to enable the customer, if necessary, to notify this violation to the competent supervisory authority.
7. Assistance and Audit
Kavkom shall make available to the customer the documentation necessary to demonstrate compliance with all of its obligations and to enable and contribute to audits, including inspections, by the customer or another auditor appointed by the customer.
It is however specified that these audits will be carried out at the customer’s expense and strictly limited to the audit of measures taken to protect personal data, within the limit of one audit per year notified in advance to Kavkom.
8. Fate of personal data
At the end of the contract, Kavkom undertakes to destroy any personal data still in its possession within thirty (30) days of the end of the service contract.
Data can also be exported from the Solution at any time by the Customer.
9. Customer’s obligations to Kavkom
The customer agrees to:
- Document in writing any additional instructions to the stipulations of this agreement;
- Ensure, beforehand and throughout the processing, compliance with the obligations set out in the GDPR;
- Inform the persons concerned by the subcontracted processing of the information required by the GDPR and collect their consent where relevant;
- Delete personal data that has reached its maximum retention period from the Solution;
- Supervise processing, including Kavkom audits and inspections.