Data Processing Agreement
This data processing agreement is applicable to any client who has authorized Kavkom to process on its behalf the personal data processed within the business telephony and customer relationship management software solutions published by Kavkom (hereinafter the “Solution”) used by the customer following its order and acceptance of Kavkom’s general sales conditions.
Kavkom shall process personal data for which the customer is the data controller and shall therefore act solely on the basis of the customer’s instructions, in accordance with Kavkom’s role as a processor under the applicable data protection regulations.
For the purposes of this Agreement, the terms “processing”, “controller”, “processor”, “data subjects”, and “personal data” shall have the meaning given by Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (hereinafter, “GDPR”).
Details of the processing operations
Kavkom is authorized as a processor to process personal data on behalf of the customer as a data controller for the following purposes:
- Management of a contact database via the Solution
- Management of phone calls and emailing campaigns via the Solution
- Recording of telephone conversations for the purpose of improving customer service via the Solution
- Management of rights requests from data subjects via the Solution
Nature of the processing: Collection, recording, access, communication and deletion
Types of personal data processed: Identification data, contact data, work-related data, billing data, telephone conversations
Categories of data subjects: Customers and prospects, employees, suppliers and other business partners.
Duration of processing: Data is deleted 30 days after the end of the services contract. Data can be deleted and/or exported at any time from the Solution by the customer.
General obligations of Kavkom as a processor under the GDPR
In its capacity as processor, Kavkom undertakes to implement all the necessary measures enabling the customer to comply with GDPR and the applicable regulations on the protection of personal data. To this extent, Kavkom undertakes to:
- process personal data within the strict and necessary framework of the services provided for under the contract concluded with the customer and, in general, to act only on the customer’s written and documented instructions;
- immediately inform the customer if any of its instructions constitutes a violation of the applicable regulations on the protection of personal data and suspend the execution of the said instruction until the customer confirms or modifies the instruction;
- ensure that the persons authorized to access personal data are aware of the client’s instructions and undertake to process them only in strict compliance with such instructions;
- ensure that persons authorized to access personal data receive the necessary training on the protection of personal data;
- not assign, rent, transfer or otherwise communicate to any person, all or part of the personal data, even free of charge, as well as, more generally, not to use the personal data for other purposes than those strictly provided for in the contract, in particular, for any use of commercial prospecting, marketing and/or other;
- if necessary, assist the client in carrying out impact analyses relating to the protection of personal data;
- if necessary, assist the client in carrying out prior consultation with the supervisory authority.
Subprocessing – Hosting location
Kavkom is authorized under this contract to host the personal data entrusted by the customer within the Amazon Web Services hosting infrastructure. These infrastructures are located in Europe, more specifically in Paris, France.
Kavkom may also use certain third-party service providers who may have access to the personal data hosted on the Solution as part of their activity. The services provided by these service providers are necessary for the operation of the Solution and for the services offered by Kavkom, such as the service provider enabling customers to send SMS messages to their contacts via the Solution.
All service providers used by Kavkom are located in the European Economic Area. However, some of KAVKOM’s teams are located in Israel, a country that has received an adequacy decision from the European Commission establishing that this country provides an adequate level of protection for personal data.
During the course of the contract, Kavkom may call upon the services of another processor to carry out specific processing activities. In this case, Kavkom shall inform the customer in advance and in writing of any intended changes regarding the addition or replacement of other subprocessors. The customer shall have a maximum of one (1) month from the date of receipt of such information to submit objections. This subprocessing can only be carried out if the customer has not raised any objections within the agreed period.
KAVKOM shall ensure that any subprocessor it uses has the same sufficient guarantees regarding the implementation of appropriate technical and organizational measures so that the processing meets the requirements of the GDPR. KAVKOM shall in any case remain fully responsible to the customer for the performance by any other subprocessor of its obligations.
Right to information and exercise of rights of data subjects
The Customer warrants to Kavkom that it has complied with all the obligations necessary for the collection and processing of the personal data collected, in compliance with the provisions of the GDPR, and that it has informed the persons concerned of the use made of said personal data via the Solution.
To the extent possible, Kavkom will assist the Customer in fulfilling its obligation to comply with requests to exercise the rights of data subjects: right of access, rectification, erasure and objection, right to limitation of processing, right to data portability, right not to be subject to an automated individual decision (including profiling).
Where data subjects make requests to Kavkom to exercise their rights, Kavkom will also send such requests upon receipt by e-mail to the customer at the address indicated in the customer’s order.
Applicable technical and organizational security measures
During the term of the contract, the parties shall take all appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction, accidental loss, deterioration, unauthorized dissemination or access, in particular during the process of transmitting data over a network, and against any unlawful processing.
Kavkom also takes the following specific measures to ensure the security of the personal data entrusted by the customer:
– Verification of the activity on the Solution with a system of logs and analysis,
– Kavkom personnel with access to the data are made aware of the risks associated with handling the data and must be specifically authorized,
– Kavkom and its service providers (including Checkpoint) regularly test the solution to verify its security (penetration tests, security scans, threat detection, etc.),
– Staff terminals are protected by automatic locking procedures, antivirus/firewalls and the ability to lock and disable terminals remotely,
– Regular review of codes and change procedures to ensure compliance with any changes to security procedures,
– AWS servers are located in highly secure infrastructures that ensure:
  - the means to ensure the continued confidentiality, integrity, availability and resilience of processing systems and services,
  - the means to restore the availability of personal data and access to them within an appropriate timeframe and at most within twenty-four hours in the event of a physical or technical incident,
  - procedures to regularly test, analyze and evaluate the effectiveness of technical and organizational measures to ensure the security of processing.
Notification of personal data breaches
KAVKOM shall notify the customer of any breach of personal data within 48 hours of becoming aware of it and by any appropriate means of contact, including e-mail or telephone.
This notification shall be accompanied by any useful documentation to enable the customer, if necessary, to notify the competent supervisory authority of this data breach.
Assistance and Audit
KAVKOM shall make available to the customer the documentation necessary to demonstrate compliance with all of its obligations and to permit and assist in audits, including inspections, by the customer or another auditor appointed by the customer.
However, it is specified that these audits will be carried out at the customer’s expense and strictly limited to the audit of the measures taken in the area of personal data protection, up to a limit of one audit per year notified in advance to KAVKOM.
Fate of personal data
At the end of the contract, Kavkom undertakes to destroy the personal data still in its possession within thirty (30) days from the date of termination of the service contract.
Data can also be exported at any time from the Solution by the Customer.
Obligations of the customer to Kavkom
The customer agrees to:
- Document in writing any additional instructions to the terms of this agreement;
- Ensure, beforehand and throughout the processing, that the obligations set out in the GDPR are respected;
- Inform the data subjects of the outsourced processing of the information required by the GDPR and collect their consent where relevant;
- Delete personal data that have reached their maximum retention period from the Solution;
- Supervise processing, including conducting audits and inspections at KAVKOM.