G

Data Processing Agreement

Annex to the General Terms of Service.

PREAMBLE

This Data Processing Agreement (hereinafter the "DPA") forms an integral part of the Contract concluded between REFLECT and the Customer and is entered into pursuant to article 28 of Regulation (EU) 2016/679 ("GDPR"). Acceptance of the REFLECT General Terms of Service (the "GTS") entails acceptance of this DPA by the Customer. Capitalized terms not defined in this DPA have the meaning given to them in the GTS.

ARTICLE 1 - DEFINITIONS

The terms "Personal Data", "Data Subject", "Controller", "Processor", "Processing", "Personal Data Breach" and "Supervisory Authority" have the meaning given to them by article 4 of the GDPR.For the purposes of this DPA:

"Data": the Personal Data processed by REFLECT on behalf of the Customer in connection with the provision of the Solution and the Services, as described in Annex 1;

"Anonymized Data": data resulting from an irreversible anonymization process which no longer allows, by reasonable means, the re-identification of a natural person; it does not constitute Personal Data within the meaning of the GDPR;

"Data Protection Regulations": the GDPR, French Act No. 78-17 of 6 January 1978 as amended, and any applicable regulation relating to the protection of Personal Data;

"AI Act": Regulation (EU) 2024/1689 of 13 June 2024 laying down harmonized rules on artificial intelligence;

"Sub-processor": any processor engaged by REFLECT, within the meaning of article 28(4) of the GDPR, to carry out specific processing activities on behalf of the Customer, bound by data protection obligations at least equivalent to those of this DPA;

"Sources": the Customer's third-party software and services to which the Solution connects, with the Customer's authorization, in order to collect data therefrom, within the meaning of the GTS;

"Transfer": any processing, physical transfer or remote access to Data from or to an entity established outside the European Economic Area ("EEA").

ARTICLE 2 - PURPOSE AND SCOPE

The purpose of this DPA is to govern, in accordance with article 28(3) and (4) of the GDPR, the Processing operations that REFLECT carries out as Processor, on behalf of the Customer acting as Controller, in connection with the provision of the Solution and the Services.

This DPA does not apply to the Processing that REFLECT carries out as Controller, for its own purposes, which is governed by its Privacy Policy, in particular:
- Processing related to the management of the customer and commercial relationship (account management, invoicing, support, prospecting, audience and usage statistics);
- Processing intended to ensure the operation, security, supervision and maintenance of the Solution and the Services, in particular logging;
- Processing intended to measure, improve and develop the Solution, the Services and their AI Features, carried out on the basis of Anonymized Data under the conditions of Article 8.

ARTICLE 3 - HIERARCHY

In the event of contradiction between this DPA and the other contractual documents in relation to the protection of Personal Data, this DPA prevails. This DPA supersedes and replaces any prior agreement having the same subject matter.

ARTICLE 4 - ROLES OF THE PARTIES

The Customer alone determines the purposes and means of the Processing carried out by means of the Solution. It acts as Controller of the Data of the Data Subjects (in particular its employees, staff, candidates and Users), or, where applicable, as a processor acting on behalf of its own customers, in which case it warrants compliance with the corresponding obligations.

For the Data processed by means of the Solution and the Services, REFLECT acts as Processor of the Customer and processes such Data only for the purposes of providing the Services and on the Customer's documented instructions.

ARTICLE 5 - DESCRIPTION OF THE PROCESSING

The categories of Data Subjects, the categories of Data, the nature and purposes of the Processing as well as its duration are described in Annex 1, in accordance with article 28(3) of the GDPR. The Customer warrants the accuracy and completeness of these elements with regard to the Processing it implements.

ARTICLE 6 - OBLIGATIONS OF REFLECT

6.1 Documented instructions

REFLECT processes the Data only on the Customer's documented instructions, including with regard to the location of hosting and to transfers, as set out in the Contract, this DPA and Annex 1, or as subsequently communicated in writing, unless required by Union or Member State law.

In such a case, REFLECT informs the Customer of that legal requirement before Processing, unless legally prohibited on important grounds of public interest. REFLECT informs the Customer if, in its opinion, an instruction constitutes a breach of the Data Protection Regulations.

6.2 Purposes and duration

REFLECT processes the Data only for the purposes described in Annex 1 and for the term of the Contract, unless otherwise instructed by the Customer or required by a legal retention obligation. The Controller remains solely responsible for the lawfulness of the retention periods it determines.

6.3 Confidentiality

REFLECT ensures that the persons authorized to process the Data undertake to respect its confidentiality, through commitments surviving the termination of their duties, or are subject to an appropriate statutory obligation. REFLECT is not responsible for the Customer's management of its Users' access rights.

6.4 Security

REFLECT implements the appropriate technical and organizational measures described in Annex 2 in order to ensure a level of security appropriate to the risk, in accordance with article 32 of the GDPR. The Data is hosted and processed within the European Union, with cloud providers certified ISO/IEC 27001 and SOC 2. REFLECT's own information security management system is ISO/IEC 27001 certified.

REFLECT may modify these measures, in particular according to the state of the art, risks and regulations, provided that it maintains an equivalent level of security.

6.5 Record of processing activities

REFLECT keeps and maintains up to date, in accordance with article 30(2) of the GDPR, a written record of the categories of processing activities carried out on behalf of the Customer, which it makes available to the Supervisory Authority.

6.6 Sub-processors

The Customer grants REFLECT general authorization to engage Sub-processors for the performance of the Services. The up-to-date and dated list appears in Annex 3 and is deemed accepted by the Customer. REFLECT informs the Customer in writing of any intended addition or replacement, subject to a notice of at least thirty (30) calendar days, in order to allow the Customer to object on legitimate and reasonable grounds relating to the protection of the Data. In the event of a persistent legitimate objection, REFLECT may, at its option:
- propose another Sub-processor;
- forgo the intended change;
- maintain the change, in which case the Customer may terminate the Service concerned subject to a thirty (30) day notice, without indemnity on either side, the sums due remaining payable.

REFLECT imposes on its Sub-processors, by contract, data protection obligations at least equivalent to those of this DPA and remains responsible, vis-à-vis the Customer, for the performance of their obligations.

6.7 Location and transfers outside the EEA

The actual processing of the Data is carried out within the European Union. Some Sub-processors are established outside the EEA; where they are liable to carry out actual processing outside the EEA, they receive no identifying data of the Customer's employees. Any Transfer outside the EEA is governed by a mechanism compliant with the Data Protection Regulations, in particular the European Commission's Standard Contractual Clauses, the Customer mandating REFLECT to conclude them on its behalf where necessary. The location, the country of actual processing and the transfer framework of each Sub-processor appear in Annex 3.

6.8 Assistance to the Customer

Taking into account the nature of the Processing and the information available to it, REFLECT assists the Customer, by appropriate technical and organizational measures and insofar as possible, to:
- respond to requests for the exercise of Data Subjects' rights (access, rectification, erasure, objection, restriction, portability, no automated decision-making); REFLECT forwards to the Customer any request received directly, without responding to it itself;
- provide, at the Customer's request, a copy of the Data in a format prescribed by the Customer, in particular for portability purposes;
- ensure compliance with security obligations (article 32 of the GDPR);
- notify Personal Data Breaches to the Supervisory Authority and to the Data Subjects (articles 33 and 34 of the GDPR);
- carry out data protection impact assessments (article 35) and, where applicable, prior consultations of the Supervisory Authority (article 36).

This assistance is provided to the extent reasonable; any service exceeding this scope may be subject to dedicated invoicing, on conditions agreed between the Parties.

6.9 Notification of Personal Data Breaches

REFLECT notifies the Customer of any Personal Data Breach concerning the Data in any event within forty-eight (48) hours after becoming aware of it.

The notification contains, within the limits of the available elements, the description of the event, its provisional qualification and the first precautionary measures taken. REFLECT cooperates with the Customer in order to enable it to comply with its obligations and communicates, insofar as possible:
- the description of the nature of the Breach, including, where possible, the categories and approximate number of Data Subjects and records concerned;
- the contact details of the data protection officer or other point of contact;
- the likely consequences of the Breach and the measures taken or proposed to remedy it and mitigate its effects.

Any public communication or official notification to the Supervisory Authority or to the Data Subjects is approved in advance by the Customer.

6.10 Documentation and audits

REFLECT makes available to the Customer the information necessary to demonstrate compliance with its obligations under article 28 of the GDPR. At the Customer's request, REFLECT allows for and contributes to audits, including inspections, once (1) per contract year, subject to reasonable notice of at least thirty (30) days.

The audit is conducted at the Customer's expense, preferably on a documentary basis, by the Customer or an independent third party subject to a confidentiality obligation and not a competitor of REFLECT, excluding any document of a financial or accounting nature and any element relating to REFLECT's other customers. The reasonable costs incurred by REFLECT in connection with the audit are borne by the Customer.

ARTICLE 7 - ARTIFICIAL INTELLIGENCE

In connection with the Services, REFLECT processes the Data by means of the optional artificial intelligence feature "Prism", on behalf of and on the instructions of the Customer, for the purposes of analysis, rendering and decision support. The characteristics of Prism, its hosting within the European Union and its classification under the AI Act appear in the AI Annex, which forms an integral part of the Contract.

Prism is activated only upon the explicit and voluntary action of a User; absent such an action, no Data is transmitted to the model. Customer Data is not used to train or improve third-party artificial intelligence models and is not retained by the model provider for abuse-monitoring purposes.

Prism constitutes a decision-support tool under human supervision. It implements no decision producing legal effects or similarly significantly affecting the Data Subjects, based solely on automated processing within the meaning of article 22 of the GDPR, the decision remaining that of the Customer.

ARTICLE 8 - ANONYMIZATION

The Customer expressly authorizes REFLECT to implement Data anonymization processes. Anonymized Data no longer constitutes Personal Data and is excluded from the scope of this DPA. REFLECT may, as Controller and without time limitation, freely retain and exploit Anonymized Data, as well as the aggregated statistics and usage data derived therefrom, for the purposes of operation, security, measurement, improvement and development of the Solution, the Services and their artificial intelligence models. REFLECT warrants the effective and robust nature of the anonymization, in accordance with the state of the art and the applicable guidelines.

ARTICLE 9 - OBLIGATIONS OF THE CUSTOMER

The Customer, as Controller, warrants compliance with the Data Protection Regulations. It warrants in particular the lawfulness, fairness and transparency of the Processing, the relevance of the Data transmitted to REFLECT, the information of the Data Subjects and the existence of an appropriate legal basis. It warrants that the Data and content processed on its behalf do not infringe the rights of third parties or the applicable regulations. The Customer documents in writing any Processing instruction addressed to REFLECT and indemnifies REFLECT against any third-party claim resulting from a breach by the Customer of its obligations under this DPA.

ARTICLE 10 - FATE OF THE DATA AT THE END OF THE CONTRACT

At the end of the Contract, REFLECT, according to the Customer's choice expressed in writing, returns the Data in a standard usable format and then erases it, or erases it and certifies such erasure, unless required by a legal retention obligation. Absent any instruction from the Customer within thirty (30) days following the end of the Contract, REFLECT retains the Data for a maximum period of three (3) months, then proceeds to erase it, subject to the applicable legal obligations and to the Anonymized Data, which remains excluded from this DPA.

ARTICLE 11 - DATA PROTECTION OFFICER AND CONTACT

REFLECT has appointed a Data Protection Officer (DPO), registered with the CNIL: Mr. Baptiste Jan (baptiste@getreflect.io), 3 rue Villebois-Mareuil, 75017 Paris. The DPO performs its duties in full independence in accordance with articles 37 to 39 of the GDPR. Any change of DPO is notified to the Customer within fifteen (15) calendar days. This address is reserved for questions relating to data protection and does not handle functional or contractual support requests.

ANNEXE 1

La présente annexe décrit, conformément à l'article 28 §3 du RGPD, les Traitements réalisés par REFLECT en qualité de Sous-traitant pour le compte du Client. Les Traitements sont réalisés au sein de l'Union européenne.

Annex 1 - Description of the processing

ItemDescription
Categories of Data Subjects
  • employees, former employees, staff, temporary workers and trainees of the Customer;
  • candidates and prospects onboarded by the Customer;
  • external contributors (consultants, service providers);
  • representatives, directors and corporate officers;
  • Users, HR Administrators and managers designated by the Customer.
Categories of Data
  • identification (title, surname, first name, postal and email address, telephone, date and place of birth);
  • login and technical data (credentials, logs, IP address, device identifiers);
  • professional life (position, role, department, establishment, status, seniority, type of contract, manager, socio-professional category);
  • contractual data (contracts, amendments, documents related to the employment relationship);
  • economic and financial data (remuneration, salaries, bonuses, benefits, variable payroll items);
  • working time (schedules, hours, attendance, absences, leave, sick leave, absenteeism);
  • recruitment (CVs, applications, career history, status in the process);
  • evaluation, training and professional performance;
  • emergency contacts;
  • diversity and professional equality data necessary for compliance reports (in particular the Egapro Index);
  • location data, where applicable and on the Customer's instruction;
  • data generated or enriched by the Prism AI feature;
  • and more generally, any Data entered by the Customer or collected from the Sources with the Customer's authorization.
Special categories of Data the Customer refrains, save on documented instruction and with an appropriate legal basis, from transmitting sensitive data within the meaning of article 9 of the GDPR; where applicable, the Processing thereof is the sole responsibility of the Customer.
Nature of the Processing
  • collection, recording, organization, structuring, storage;
  • adaptation, alteration, retrieval, consultation, use;
  • aggregation, matching and interconnection of data from the Sources;
  • analysis, statistical profiling and rendering, including by means of Prism;
  • communication by transmission and making available (Dashboards, exports, reports);
  • pseudonymization, anonymization, restriction, erasure and destruction.
Purposes
  • provision, operation and maintenance of the Solution and the Services;
  • secure connection to the Sources and aggregation of the Customer's HR data;
  • production of Dashboards, analyses and HR-management indicators;
  • workforce management and recruitment tracking;
  • control and improvement of HR data quality;
  • production of compliance reports (in particular BDESE, Egapro Index, CSRD);
  • analysis and rendering by means of the Prism artificial intelligence agent;
  • hosting, backup and storage of the Data;
  • support, assistance and notifications to Users;
  • transmission to the Customer's service providers and Sources where necessary for the performance of the Services.
Duration of the Processing the term of the Contract, increased by the retention periods provided for in Article 10 and by the applicable legal obligations.

Annex 2 - Technical and organizational measures

CategoryMeasures
Data security
  • encryption of communication channels via TLS (1.2 or higher) and encryption of Data at rest;
  • systematic code review prior to deployment;
  • Content-Security-Policy restricting content to authorized Users only;
  • database access restricted to the Solution's private network only.
Confidentiality
  • separation of tasks and areas of responsibility;
  • access to administration tools and interfaces limited to strictly authorized persons;
  • unique identifier for any person with legitimate access;
  • access to Data based on the need-to-know and least-privilege principles;
  • permanent deletion of Data when it leaves the production zone.
Availability and segregation
  • identification of the Data useful for each business process;
  • logical separation of Data and management of differentiated access rights by process;
  • multi-zone replication within the European Union and business continuity and disaster recovery plans.
Integrity measures to prevent injection attacks (SQL, scripts) when writing to the database.
Authentication and access management
  • authentication delegated to a third-party identity provider via SSO, excluding any local authentication mode;
  • multi-factor authentication (MFA) for administrator accounts accessing Customer Data;
  • account and rights management via a dedicated administration interface, based on least privilege.
Vulnerability and patch management
  • static code analysis and continuous dependency analysis at each release;
  • blocking of any production release presenting an unresolved high-criticality vulnerability;
  • differentiated remediation timeframes according to criticality;
  • independent penetration test carried out annually.
Logging, traceability and supervision
  • production and protection of application, system and access logs covering operations on the Data, with a minimum retention of twelve (12) months;
  • guarantees of integrity and confidentiality of the logs;
  • native supervision by the cloud hosts and dedicated detection and alerting tools, including for the AI component.
Incident response
  • internal notification to the security officer and qualification of the incident within short timeframes;
  • handling and resolution according to differentiated timeframes depending on criticality;
  • documented incident response plan kept available.
Development and hosting security
  • systematic code review prior to deployment;
  • hosting within the European Union with cloud providers certified ISO/IEC 27001 and SOC 2;
  • encryption of flows and network segregation of the database.
Personnel
  • confidentiality undertakings surviving the termination of duties and proportionate prior checks;
  • access governed by the need-to-know and least-privilege principles;
  • ongoing training in data protection and cybersecurity.