Data Processing Agreement

The present Data Processing Agreement (“DPA”) reflects the Parties’ agreement with respect to the terms governing the Processing of Personal Data under the Agreement.

1. Definitions

The term of this DPA shall follow the term of the Agreement. Terms not otherwise defined herein shall have the meaning as set forth in the Agreement. The DPA is part of the Agreement.

2. Purpose of the DPA

The purpose of this Agreement is to set out the relevant legislation and to describe the steps the Provider is taking to ensure its compliance with the Data Privacy Regulation.

Each of the Parties reciprocally undertakes to comply with the regulations in force regarding personal data (“Personal Data”). For the purpose of the DPA, notably, the terms “Personal Data,” “Processing,” “Data Subject,” “Data Controller,” “Data Processor,” and “Personal Data Subject” have the meaning given by the General Data Protection Regulation (EU) 2016/679 of 27 April 2016 (the “GDPR”) and the French Data Protection Act entitled “Loi Informatique et Libertés” No. 78-17 of 6 January 1978 as amended (the “LIL”) (altogether the “Data Privacy Regulation”).

3. User’s Instructions

The Processing carried out by the Provider as a Processor is described in Exhibit 1. The Parties expressly agree that Provider only acts in accordance with the User’s instructions and orders; it is therefore the User’s Data Processor under Data Privacy Regulation for the supply of access to the API, being agreed that for the maintenance Provider acts as the Data Controller.

The term of the DPA is the term of the Agreement.

4. User’s Obligations

User undertakes to fulfil all the obligations incumbent on any Data Controller. In this respect, it represents and warrants that it will assume at its own expense the following obligations in particular:

(i) To take all necessary steps, in particular:

a. Requesting an opinion and/or authorization from the relevant authorities including the Commission Nationale de l'Informatique et des Libertés (French Data Protection Authority) as well as any other steps (such as where applicable Data Protection Impact Assessment).

b. Duly inform the Persons Concerned by the Processing of their Personal Data of the characteristics of the said Processing.

c. To ensure the existence of the legal basis for the Processing, in particular by seeking the prior consent of the Persons Concerned when this is required by the Data Privacy Regulations, the practice of the supervisory authorities, or customary practice.

(ii) To hold the Provider harmless against any condemnation/financial consequences to which it may be exposed in the event of claims or actions of any kind relating to the User's failure to comply with its own obligations.

5. Provider's Obligations

Therefore, in accordance with Data Privacy Regulation, Provider when acting as a Data Processor shall:

(i) Only process Personal Data under the User’s written instruction such as the Agreement, this DPA, and its Exhibit 1 and inform the User if an instruction does not comply with the Data Privacy Regulation including regarding Data transfers to any third country or international organization unless it must do so under EU Law or the law of the State Member to which the Data Processor is subject; in this case, Data Processor informs the User about this legal obligation before the Processing unless if the applicable law prevents such information for general interest reasons.

(ii) Ensure the persons authorized to process the Personal Data shall comply with the confidentiality or be subject to an adequate legal obligation of confidentiality.

(iii)Implement all appropriate technical and organizational measures to ensure Personal Data security and integrity.

(iv) Inform the User and collect its potential legitimate objections in case of change of Subprocessor accessing the Personal Data**, it being specified that the Parties agree that the User accepts the Subprocessors used on the date of signature of the Agreement as available upon request. The Processor may at any time and without justification appoint a new Subprocessor provided that the Processor provides seven (7) days’ prior notice and the Controller does not legitimately object to such changes within that timeframe. The Processor shall be responsible for the acts or omissions of Subprocessors to the same extent it is responsible for its own actions or omissions under the DPA.

(v) The Provider uses Subprocessors who process Personal Data on its behalf and for its account. **User expressly authorizes the Provider to entrust all or part of the Services to one or more subcontractors of its choice and duly selected by it.** User acknowledges that the Provider uses Subprocessors, in particular, a host for the API and for the Personal Data. Some of these Subprocessors process Users' Data. A list of the Provider's Subprocessors at the date of signature of the Agreement is provided in Exhibit 2. Additional information, in particular concerning existing guarantees and the names of subcontractors, may be obtained on written request.

(vi) Reasonably assist the User through adequate technical and organizational measures as reasonable as possible to fulfil its obligation of answering the Data Subjects’ requests in order to exercise his/her rights (access, erasure, etc.)** by transferring the request to the User to perform Data Protection Impact Assessment and prior consultations.

(vii) In the particular case of receipt of a Data Subject’s request to exercise his/her rights, notify the User and forward it the request and do not answer the request unless the User expressly instructs the Provider to do so.

(viii) To provide reasonable assistance to the User in ensuring compliance with its security obligation taking into account the nature of the Processing and the information at its disposal.

(ix) Delete all Personal Data held in a digital format and return to the User send those in paper format at the end of the Services relating to the Processing and destroy the existing copies unless otherwise specified by EU Law or if the Member State law requires the retention of the Personal Data.

(x) Make available to the User within a reasonable period of time all information necessary to demonstrate compliance with the obligations set out in this DPA and to enable and assist in one audit per year including inspections by the User or another auditor appointed by the User**, it being understood that any penetration test shall be subject to prior written agreement on its terms and scope.

(xi) Notify the User as soon as possible and if possible within 72 hours of becoming aware of any Personal Data Breach at the Provider or the host of the Personal Data and assist the User in providing information to the CNIL and to the Data Subjects following such a breach where appropriate.

(xii) Cooperate reasonably with the CNIL if necessary.

(xiii) Cease all Processing upon termination or expiry of the Agreement other than as necessary to provide the reversibility of Personal Data referred to in (viii) above.**

User acknowledges that the above-mentioned obligations of the Provider enable it to fully meet its obligations as Data Controller regarding Data Privacy Regulation.

User hereby authorizes the Provider to sign in its name and on its behalf the standard contractual clauses with the Subcontractors processing the User's Personal Data located outside the European Union. This mandate to sign is governed by the provisions of Articles 1153 et seq. of the Civil Code in the context of perfect representation.

In the context of the DPA, the Controller undertakes to formulate its requests in sufficient time to enable the Processor to respond without disrupting its activity or having to work in a hurry unless there is a compelling reason beyond the Controller's control. The services referred to in this article will be provided by the Processor at no extra cost, without prejudice to any additional requests from the Controller which will be invoiced in accordance with the financial conditions set out in the Agreement or - if not specifically provided for therein - in accordance with an estimate approved in advance by the Controller and except in an emergency (in which case the services will be provided at the rate in force on the date of the request).

6. Optimization of the Performance of the Provider's Solutions

In accordance with the General Conditions, the Controller authorizes the Processor to use the Personal Data relating to the User’s Data listed in Exhibit 1 of the DPA for the purposes of testing, optimizing performance, and improving its solution(s) by using among other things, modeling and/or machine learning methods including in the context of continuous improvement.

This further processing carried out by the Sub-Processor is considered to be compatible with the initial purpose(s) of the collection as defined herein, it being specified that these optimizations and improvements may benefit the Provider's customers as part of its services.

In this context, the Provider will act as the person responsible for further processing and therefore undertakes to process the Personal Data in accordance with the regulations in force, in particular by complying with the principle of minimization and by implementing the organizational and technical measures set out in its internal policy on the use of Personal Data.

The legal basis for this further processing is the legitimate interest of the processor in improving its services.

To carry out the aforementioned processing activities, the Provider may call upon the services of Subprocessors.

The Personal Data will be kept for the time required for the above-mentioned operations, at the end of which it will be destroyed.

The Persons Concerned may exercise their rights by contacting the Provider.

It should be noted that it is the responsibility of the initial Controller to inform Data Subjects of the transfer of data to a new Data Controller for a new purpose specifying the possibility of objecting. In order to make the exercise of their information obligations more efficient, the Parties agree that the User will provide the Data Subjects with all the information on the further processing carried out by the Provider as described above.

7. User’s Personal Data

The Provider may process Personal Data (identification data and professional data i.e.: surname, first name, professional email address, professional telephone number, position held, etc.) of the User's operational, legal, or commercial employees, etc. (hereinafter the “Contacts").

The purpose of this processing is:

• The management of the commercial relationship with the Provider including invoicing and the communication that this relationship entails.
• The collection and verification of compliance information required by the laws in force.

Processing is based on:

• Provider's legitimate interest as regards the need to manage the commercial relationship.
• A legal obligation to verify the compliance of third parties.

The Personal Data is intended for the competent departments of the Provider.

The Personal Data is kept for the duration of the commercial relationship plus the statutory limitation period.

Depending on the legal basis for the processing, the User’s Contacts have a right of access, rectification, erasure, opposition (including the right not to be subject to a decision based exclusively on automated processing) as well as the right to limit the processing of their Personal Data. To exercise these rights, they may contact the Provider at the following email address contact@scrapingbee.com or by mail at the following address: VostokInc, 66 Avenue des Champs Élysées – 75008 Paris – France.

Further information on how the Provider processes Personal Data as a Data Controller can be found in its Privacy Policy.

The request must indicate the surname and first name, email, or postal address of the Contact concerned and be signed. In case of doubt, the Provider may request a copy of a valid proof of identity. If the person concerned considers that his/her rights have not been respected, he/she may lodge a complaint with the CNIL.

It is the User's responsibility to inform his Contacts accordingly.

Description of Personal Data Processing

Subject-matter and Nature of the Processing

The subject matter of Processing of Personal Data by Processor is the provision of the Services to the Controller that involves the Processing of Personal Data. Personal Data will be subject to those Processing activities as may be specified in the Agreement and a Purchase Order.

Purpose(s) and Duration of the Processing

Personal Data will be processed for purposes of providing the Services set out and otherwise agreed to in the Agreement and any applicable Purchase Order.

Personal Data will be processed for the duration of the Agreement.

Type of Personal Data

The Personal Data Processed concerns the following categories of Personal Data:

• Contact Information the extent of which is determined and controlled by the User in its sole discretion and other Personal Data such as navigational data (including website usage information), email data, system usage data, application integration data, and other electronic data submitted, stored, sent, or received by Subsidiary User via the Services.

Categories of Data Subjects

The Personal Data Processed concerns the following categories of Data Subjects:

• Controller’s Contacts and other end users including Controller’s employees, contractors, collaborators, customers, prospects, suppliers, and subcontractors.
• Data Subjects also include individuals attempting to communicate with or transfer Personal Data to the Controller’s end users.

Subcontractors – Subprocessors

Subprocessors (processing Personal Data)

Other Subcontractors (not processing Personal Data)