DPA
Data Processing Agreement
Applicable when Shared Sight processes data on behalf of a client.
Last updated: Feb 11, 2026
1. Purpose
This agreement governs the processing of personal data by Shared Sight on behalf of the Client.
2. Roles of the parties
The Client acts as data controller. Shared Sight acts as data processor, within the meaning of Article 4 GDPR, only for processing necessary to perform the contracted services.
3. Description of processing
Nature and purpose: processing related to services entrusted by the Client (consulting, integration, support, maintenance, training).
Duration: for the term of the services, then according to the return/deletion rules set out in this agreement.
Categories of data: identification and contact data, technical service data, operational logs, and any data required to perform the services according to Client instructions.
Categories of data subjects: Client employees, authorized users, operational contacts and, where applicable, Client end-customers within the contractual scope.
4. Documented instructions
Shared Sight processes personal data only on documented instructions from the Client, including regarding transfers to a third country, unless otherwise required by law.
5. Confidentiality
Shared Sight ensures that persons authorized to process personal data are bound by confidentiality and have access only to data strictly necessary for their mission.
6. Security measures
Shared Sight implements technical and organizational measures appropriate to the risk, including, depending on context: access control, authorization management, logging, encryption in transit, and backup/restore capabilities.
7. Assistance to the Client
Shared Sight provides reasonable assistance to help the Client address data subject rights requests and meet GDPR obligations (security, breach notification, DPIA, prior consultation with the supervisory authority).
8. Breach notification
In the event of a personal data breach, Shared Sight notifies the Client as soon as possible and, where possible, within 72 hours after becoming aware of it, together with the information available.
9. Client obligations
The Client ensures the lawfulness of processing and valid legal bases. It provides clear, complete, and documented instructions.
10. Sub-processing
Shared Sight will not share data with any other provider without prior written consent from the Client.
A list of sub-processors used by Shared Sight is provided on request and kept up to date. Any significant change will be communicated in advance.
11. Transfers outside the EU
No transfer of personal data outside the European Union is made without Client instruction and without appropriate legal safeguards under GDPR.
12. End-of-contract data handling
At the end of the services, Shared Sight returns personal data in a usable format, then deletes it, unless legal retention applies or the Client instructs otherwise. Return occurs within a maximum of 30 calendar days after contract end, in a reasonably usable format (CSV, JSON, ZIP, or equivalent). Upon request, Shared Sight provides written confirmation of deletion.
13. Information and audit
Shared Sight provides information reasonably necessary to demonstrate processor compliance. The Client may request a proportionate audit, with reasonable notice, while preserving confidentiality and security for other clients.
14. GDPR contact
For any data protection matter: contact@shared-sight.com.
15. Language
This agreement is drafted in French. Any translation is provided for convenience only. In the event of a discrepancy, the French version shall prevail.
16. Governing law
French law applies. Jurisdiction: Commercial Court of Caen, France.