Data Processing Agreement

Last Update: September 28th, 2024

DATA PROCESSING TERMS OF SERVICES

The purpose of this DPA is to reflect the parties’ agreement with regard to the processing of Personal Data in accordance with the requirements of Data Protection Regulations.

In respect of the processing of Personal Data of the Customer by Hook0 under the Terms of Services, the parties acknowledge that the Customer is the Data Controller and Hook0 is the Data Processor and both agree to comply with all corresponding obligations as per the Data Protection Regulations.

The Customer gives instructions to Hook0 to process such Personal Data on its behalf as is necessary for the purposes of the Terms of Services as defined in Appendix 1 “Description of Personal Data processing”. Appendix 1 is filled out by the Customer and shall be updated if any change is made by the Customer.

  1. COMPLIANCE WITH DATA PROTECTION REGULATIONS

Each party shall comply with its obligations under the Data Protection Regulations.

All capitalized words in the DPA shall have the meaning ascribed to them in the GDPR, the Data Protection Regulations and in the Terms of Services.

  2. DATA PROCESSING OPERATIONS UNDER THE DPA

As a reminder, for every processing carried out under this DPA, the Customer shall:

  • Document the instructions related to Personal Data,
  • Provide the information related to the processing to fill the Appendix 1 by contacting Hook0 via the support email address: [email protected].

The Customer warrants to Hook0 that it is entitled to transfer the Personal Data to Hook0 and/or the Sub-processor(s) in full compliance with Data Protection Regulations, including, as needed, compliance with any prior required formalities and Data Subject rights, such as information and/or consent when such is required under Data Protection Regulations.

The Customer acknowledges that it is and shall remain solely responsible for determining the purposes and the means of Hook0’s processing of the Personal Data. The Data Controller remains solely responsible for the accuracy and adequacy of the aforementioned instructions. Any changes to the instructions given or to the security measures that are required by the Customer, including in order to comply with applicable data protection laws, shall be agreed by the parties and/or via an amendment to this DPA. Any costs incurred by Hook0 in complying with such changes shall be borne by the Customer.

The Customer undertakes that the Data Subjects have been informed or will be informed before the transfer of their Personal Data to Hook0 in the scope of the Services.

The Product is not intended to process Special Categories of Personal Data. Therefore, the Customer undertakes to prevent any processing of Special Categories of Personal Data through the Product and the Services. However, at the Customer’s request, processing of Special Categories of Personal Data may be performed by Hook0. In such case, the Processing shall be covered by a specific addendum to the DPA to be entered into between the Customer and Hook0.

In case the Customer expressly requests the assistance of Hook0 for the fulfilment of its obligations under the Data Protection Regulations, Hook0 shall communicate to the Customer the estimated costs of such assistance. Upon express acceptance of the estimated costs, Hook0 shall provide assistance pursuant to the instructions of the Customer and the terms of the present DPA.

  3. SCOPE & INSTRUCTIONS

Hook0 undertakes to:

  1. solely process the Customer’s Personal Data disclosed by the Customer, as well as those collected or produced during the Terms of Services, for the purpose(s) of fulfilling its obligations under the Terms of Services and in compliance with the Customer’s documented instructions, unless otherwise required by applicable Data Protection Regulations;
  2. ensure that any person acting under its authority who has access to the Customer’s Personal Data disclosed by the Customer, as well as those collected or produced during the Terms of Services, will process those data solely for the purpose of fulfilling Hook0’s obligations under these Terms of Services and on instructions from the Customer, unless required by applicable Data Protection Regulations;
  3. refrain from using Customer’s Personal Data for any misappropriated, fraudulent or personal use, including for commercial purposes;
  4. immediately inform the Customer if, in its opinion, a Customer’s instruction infringes applicable Data Protection Regulations.

  4. COMMUNICATION OF CUSTOMER’S PERSONAL DATA TO THIRD PARTIES

The Customer’s Personal Data processed under the DPA shall not be subject to any assignment, lease, concession, communication or disclosure to a third party, including sub-Processors of Hook0, except where otherwise required by the Terms of Services or by a legal or regulatory mandatory provision.

In such a case, Hook0 shall inform the Customer of that legal requirement before Processing, unless that legal or regulatory mandatory provision prohibits such information on important grounds of public interest.

  5. SUB-PROCESSING

With respect to the conditions referred to in paragraphs 2 and 4 of article 28 of GDPR for engaging another Data Processor (the “Sub-processor”), the Customer agrees that Hook0 may sub-process the Processing of the Customer’s Personal Data.

Notwithstanding the general consent given by the Customer, Hook0 shall inform the Customer of any intended changes concerning the addition or replacement of any Sub-processor within a reasonable time prior to implementation of such change. The list of the sub-Processors under the authority of Hook0 is available to the Customer at Hook0 / GDPR Sub-processors.

Where Hook0 engages a Sub-processor who shall process the Customer’s Personal Data, the same data protection obligations as set out in the DPA shall be imposed on the Sub-processor by Hook0.

The agreement with the Sub-processor must in particular provide for an obligation of the Sub-processor to provide sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the Processing will meet the requirements of Data Protection Regulations and of the DPA.

  6. TRANSFER OF CUSTOMER’S PERSONAL DATA OUTSIDE THE EUROPEAN ECONOMIC AREA (EEA)

Hook0 warrants to the Customer that the Customer’s Personal Data are located in France or in the European Union. Hook0 undertakes not to carry out any transfer of Customer’s Personal Data outside the EEA without the written consent of the Customer.

At the request of the Customer and upon instructions, Hook0 shall store or transfer Personal Data to other Hook0 entities and/or to Sub-processors located in countries outside the EEA (“Third Countries”). In that case and when Third Countries have not been subject to an adequacy decision of the European Commission, Hook0 undertakes that the transfer will be carried out in accordance with the Data Protection Regulations and will be subject to appropriate safeguards to guarantee a level of protection equivalent to the one guaranteed by the Data Protection Regulations, such as the signing of the Standard Contractual Clauses adopted by the European Commission and available at https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en.

The Customer hereby mandates Hook0 to sign on its behalf the Standard Contractual Clauses with Hook0 entities and sub-Processors located in Third Countries.

At the request of the Customer, Hook0 agrees to assist the Customer in performing transfer impact assessments to identify any gaps between the Data Protection Regulations and the laws of the Third Country, and in implementing the necessary supplementary measures to guarantee a level of protection equivalent to the one guaranteed by the Data Protection Regulations.

  7. SECURITY MEASURES AND CONFIDENTIALITY OF THE PROCESSING

Hook0 shall take, insofar as this is relevant to the provision of the Services or to compliance with its other obligations in the DPA, adequate measures to ensure a level of security of the Customer’s Personal Data appropriate to the risk, and shall take into account the principles of data protection by design and by default in the execution of the DPA.

Hook0 undertakes to:

  1. implement all appropriate technical and organisational measures in order to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access to Personal Data transmitted, stored or otherwise processed and, in particular, all the measures mentioned in Appendix 2;
  2. respect all the instructions communicated by the Customer in relation to security and confidentiality measures that can be reasonably implemented;
  3. make Customer’s Personal Data accessible and consultable only to duly authorised persons;
  4. ensure confidentiality of the Customer’s Personal Data processed under the DPA and that all the persons authorised to process the Customer’s Personal Data under the authority of Hook0 (including employees and sub-Processors) undertake to respect the confidentiality of the said data or are under an appropriate statutory obligation of confidentiality.

  8. PERSONAL DATA BREACH NOTIFICATION

Hook0 shall notify the Customer of any Personal Data Breach without undue delay and in writing after it becomes aware of a Personal Data Breach. When the information is available to Hook0, such notification shall:

  1. describe the nature of the Personal Data Breach including where possible, the categories and approximate number of the concerned Data Subjects and the categories and approximate number of Personal Data concerned;
  2. communicate the name and contact details of the Data Protection Officer or other contact point where more information can be obtained;
  3. describe the likely consequences of the Personal Data Breach;
  4. describe the measures taken or proposed to be taken to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.

Where, and in so far as, it is not possible to provide the information at the same time, the information may be provided in phases without undue further delay.

At the request of the Customer, Hook0 also undertakes to provide the Customer with reasonable assistance and co-operation to notify the Personal Data Breach to the competent Data Protection Authority and to communicate such Personal Data Breach to the Data Subjects, in compliance with applicable Data Protection Regulations.

  9. RIGHTS OF THE DATA SUBJECTS

Based on the nature of the Personal Data Processing activities, Hook0 undertakes to:

  1. promptly notify the Customer of any request or complaint received relating to data protection of Customer’s Personal Data;
  2. at the request of the Customer, provide the Customer with reasonable assistance and co-operation to allow the Customer to respond (i) to requests presented by Data Subjects for exercising their rights (right of access, rights to rectification, erasure, limitation, portability and objection), or (ii) to the requests of the competent data protection authorities or of the Customer’s Data Protection Officer; in particular, implement appropriate technical and organisational measures to allow the Customer to promptly respond in writing to any request for information from the Customer;
  3. duly provide the Data Subjects with the adequate information on the Personal Data Processing operations carried out concerning their Personal Data under the Terms of Services, where requested by and at the expense of the Customer.

  10. DATA PROTECTION IMPACT ASSESSMENT

At the request of the Customer, Hook0 undertakes to provide the Customer with reasonable assistance and co-operation to carry out an assessment of the impact of the Personal Data Processing operations carried out under the present DPA on the protection of Personal Data and to consult the competent data protection authorities, where necessary and at the expense of the Customer (based on a time and materials fee).

  11. RETENTION, RETURN OR DESTRUCTION OF THE PERSONAL DATA

The Customer remains solely responsible for implementing and managing Personal Data retention periods, and undertakes to use the Product accordingly.

Without prejudice to the applicable laws and regulations, Hook0 undertakes, at the end of the Terms of Services, to:

  1. return or destroy, at the Customer’s request, all Customer’s Personal Data in an automated or manual way, following processes and prescriptions previously agreed between the Parties;
  2. delete all existing copies of the Personal Data unless and to the extent that Hook0 is required to retain copies of the Personal Data in accordance with applicable laws;
  3. certify the destruction of the Personal Data in writing.

  12. DOCUMENTATION AND AUDIT

Upon prior written notice of thirty (30) business days sent by the Customer, Hook0 shall disclose to the Customer the information strictly necessary to demonstrate compliance with the obligations laid down in these Terms of Services.

At the request of the Customer and once a year, Hook0 undertakes to allow for and contribute to reasonable audits, including inspections, conducted by or on behalf of the Customer, for the purposes of assessing Hook0’s compliance with the Data Protection Regulations and the provisions of the DPA.

Hook0 also undertakes to allow for and contribute to audits conducted by competent Data Protection Authorities.

The Customer shall have no right to view or access any systems, data, records or other information relating or pertaining to Hook0’s other customers.

Any such audit by or on behalf of the Customer shall be conducted at its own costs. The Customer shall provide Hook0 with a copy of the audit report.

In the event that the Customer is subject to an investigation or a request for information by a competent data protection authority and concerning any of the processing operations carried out by Hook0 on behalf of the Customer, the Customer undertakes to inform Hook0 as soon as possible and to satisfy such investigation or request, to the best of its ability, at the expense of the Customer, and in accordance with the procedures adopted by the data protection authority.

The Customer undertakes to comply with any confidentiality provisions, policies and/or site rules Hook0 may notify to the Customer in relation to the audit.

APPENDIX 1 - PERSONAL DATA PROCESSING ACTIVITIES CARRIED OUT BY HOOK0 ON BEHALF OF THE CUSTOMER

Nature of the Processing operations: [to be completed by the Customer]

Purpose(s) of Processing: [to be completed by the Customer]

Name and contact details of the Customer’s Data Protection Officer (if applicable): [to be completed by the Customer]

Category/ies of Personal Data: [to be completed by the Customer]
At the Customer's request, processing of Special Categories of Personal Data may be performed by Hook0. In such case, the Processing shall be covered by a specific addendum to the DPA to be entered into between the Customer and Hook0.

Category/ies of Data Subjects: [to be completed by the Customer]

Location(s) of Processing operations: France or EEA
If the Customer requests the Personal Data to be located outside the EEA, such Processing shall be covered by a separate agreement between the Customer and Hook0.
Please see: Hook0 / GDPR Sub-processors

Identity of the sub-Processor(s): Please see: Hook0 / GDPR Sub-processors

Duration of Processing operations: For the duration of the Terms of Services.

APPENDIX 2 – APPROPRIATE TECHNICAL AND ORGANISATIONAL MEASURES IMPLEMENTED

The following technical and organisational measures are implemented by Hook0 in order to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access to Personal Data transmitted, stored or otherwise processed:

People, Awareness, and HR

  • All recruitments follow a screening process according to the principles of the Hook0 background check policy;
  • Each employee’s contract contains Non-Disclosure Agreement clauses;
  • Code of Ethics awareness training (including a test) is a yearly obligation for all employees and is to be performed through a dedicated e-learning module;
  • The Group IT Acceptable Use policy, or its local version, is shared with all employees;
  • Security policy statement signed by the Management is shared with all employees;
  • Hook0 staff are obliged, on a yearly basis, to follow the Hook0 Data Protection policy, Information Security and Safety training (including a test);
  • Regular awareness trainings on GDPR for all employees (in addition to Hook0 Data Protection policy, Information Security and Safety training);
  • Access to systems is provided on a ‘need-to-have’ basis, taking into account segregation of duties;
  • Regular internal security audits are conducted to verify the security practices.

Physical Security and Paper Records

Compliance with the Hook0 Physical and Environmental Security policy:

  • Access control and visitor management systems implemented for all visitors/guests;
  • Physical access reviews as per defined periodicity;
  • Clean desk, clear screen and follow-me printing processes are implemented;
  • Information, which includes paper documents, handled by the data importer is classified, labelled, protected and handled according to the Hook0 information classification policy;
  • Except with prior specific authorization, laptops and desktops are not taken off the site;
  • CCTV surveillance to protect restricted areas;
  • Fire alarm and fire-fighting systems implemented for employee safety;
  • Fire evacuation drills are conducted at specified frequencies.

Remote End User Devices are Protected

Remote users work with laptops and desktops on the Hook0 secured network. The following security measures are incorporated in addition:

  • Encryption of the hard disk on company-assigned laptops;
  • Two-factor authentication (PKI / alternative);
  • Centrally managed anti-virus protection;
  • Management and monitoring of software to control authorized software installation;
  • Vendor-supplied updates are installed;
  • All laptops and desktops used on Hook0 projects undergo a strong overwriting process before they are reassigned;
  • Login ID and password controls are implemented to access information;
  • Periodic access review is implemented;
  • E-mails are automatically scanned by anti-virus and anti-spam software.

Remote Access Security

Two-factor authentication is used in general for remote access to the critical Hook0 target systems. If the source of the remote connection is a Hook0-controlled system, device authentication based on a certificate on the device is implemented. If the source is not under Hook0 control, it must connect through a virtual desktop system.

Any other setup of connections needs to be approved upfront by the security department.

Generic security measures include, among others:

  • Data is only stored in the EU Data Centers or, in the case of laptops, encrypted on the local device;
  • Termination of access connection in Demilitarized Zone;
  • All connectivity up to the secured area (PCI zone) is encrypted;
  • Access to PCI zone only possible via strong authentication via Hook0 provided security client;
  • Multiple layers of firewalls & intrusion detection need to be passed;
  • Access managed according to Role Based Access Control principles.

Access control to Personal Data

Employees with access to private data can only access the data that are necessary for the purpose of the activities under their responsibility. Access authorisation is provided based on the ‘need to know’ and ‘need to access’ and is either role based or name based. Access logs are in place and the responsibility for access control is assigned.

The following measures are in place:

  • Obligation for employees to comply with the applicable Hook0 security policies and data protection policies;
  • Work instructions on handling private data;
  • User (password) codes for access to Private Data;
  • Differentiated access regulations (e.g. partial blocking);
  • Access Logging and control;
  • Controlled destruction of data media;
  • Procedures for checking compliance with procedures and work instructions are in place;
  • Formalised control frameworks and TPA to ensure that no single person can access, modify or use critical information assets without authorization or detection.

Security and confidentiality of personal data

Based on a risk assessment (and, if required, an additional DPIA), Hook0 will ensure a level of security appropriate to the risk, including, inter alia and as appropriate:

  • The anonymization, pseudonymisation (e.g. tokenization) and encryption of Personal Data;
  • The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
  • The ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident;
  • A process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing;
  • Ensure a logical separation between its own data, the data of its customers and suppliers;
  • Set up a process to keep processed data accurate, reliable and up-to-date;
  • Process registers according to GDPR requirements;
  • Use of access log systems for the purpose of being able to detect unauthorized access attempts;
  • Customer Data (including back-ups and archives) will only be stored for as long as it serves the purposes for which the data was collected unless there is a legal or contractual obligation to retain the data for a longer period of time.

Organization Control

The Data Processor shall maintain its internal organization in a manner that meets the requirements of the applicable legislation and the Data Controller’s requirements on data security. This shall be accomplished by:

  • Internal data processing policies and procedures, guidelines, work instructions, process descriptions and regulations for programming, testing, and release, insofar as they relate to the Personal Data transferred by the Controller;
  • Implementing a Data Protection control framework that is audited on compliance on a yearly basis;
  • Having an emergency plan with procedures and allocation of responsibilities in place (backup contingency plan).