Data processing agreement

Updated March 6, 2025

This Data Processing Agreement (hereinafter, the "Agreement") defines the conditions under which IS Decisions S.A., a software vendor specializing in cybersecurity (hereinafter, the "Processor"), processes personal data on behalf of its clients (hereinafter, the "Controller").

This Agreement complies with Regulation (EU) 2016/679 of April 27, 2016 (General Data Protection Regulation – "GDPR") and applies to all processing activities carried out by IS Decisions S.A. as part of the services provided to its clients.

1. Purpose and scope

This Agreement governs the processing of personal data performed by IS Decisions S.A. on behalf of its clients in connection with the services provided, including cybersecurity, information system protection, and digital threat management.

It applies to any contract, order, or service involving the processing of personal data on behalf of the Controller.

2. Description of processing

2.1 Nature and purpose of processing

The Processor processes personal data in the context of the services provided to the Controller, including but not limited to:

  • Data hosting and security;

  • Threat analysis and incident prevention;

  • Access management and user authentication;

  • Any other purpose related to the agreed-upon services.

2.2 Categories of personal data processed

The categories of personal data that may be processed include, but are not limited to:

  • Identifiers (name, surname, email address, login credentials);

  • Technical data (IP addresses, connection logs, metadata);

  • Professional data (job title, company, professional contact details);

  • Any other data necessary for the performance of the services.

2.3 Categories of data subjects

The processing may concern:

  • The employees and collaborators of the Controller;

  • The Controller’s clients and service users;

  • Any third parties whose data is collected and processed as part of the services.

3. Controller's obligations

The Controller agrees to:

  • Determine the purposes and means of processing;

  • Provide clear and GDPR-compliant instructions to the Processor;

  • Ensure the lawfulness of the data processing and inform data subjects accordingly;

  • Ensure that only necessary data is transmitted to the Processor.

4. Processor's commitments

The Processor agrees to:4.1 Processing in Compliance with Instructions

  • Process personal data only based on documented instructions from the Controller unless legally required otherwise.

4.2 Security and confidentiality

  • Guarantee the confidentiality of the data processed;

  • Implement appropriate technical and organizational measures to protect the data from unauthorized access, loss, destruction, or alteration.

4.3 Assistance to the Controller

  • Assist the Controller in responding to data subject requests (access, rectification, deletion, portability, etc.);

  • Promptly notify the Controller of any data breach and provide all necessary assistance to manage the incident.

4.4 Subprocessing

  • Not subcontract any part of the processing without prior written authorization from the Controller;

  • Ensure that any sub-processor complies with the same data protection obligations.

5. Data transfers outside the EU

If personal data needs to be transferred outside the European Union, the Processor agrees to:

  • Inform the Controller and obtain prior approval;

  • Implement appropriate safeguards in accordance with Articles 44 to 49 of the GDPR (Standard Contractual Clauses, certifications, Binding Corporate Rules, etc.).

6. Data retention and deletion

Personal data processed by the Processor is retained for the duration necessary for the performance of services and in compliance with applicable legal obligations.
Upon termination of the contract or at the Controller’s request, the data will be:

  • Returned to the Controller; or

  • Securely deleted unless legal obligations require otherwise.

7. Audits and controls

The Controller may verify the Processor’s compliance with this Agreement, including through audits or requests for information, with reasonable prior notice.
The Processor agrees to cooperate fully and provide any necessary documentation to demonstrate compliance.

8. Liability

The Processor is liable for damages resulting from any violation of this Agreement or the GDPR, subject to the contractual liability limitations agreed with the Controller.

In case of non-compliance, the Controller may hold the Processor accountable in accordance with applicable legal provisions.

9. Modification and duration of the agreement

This Agreement remains in effect as long as the Processor processes personal data on behalf of the Controller.

IS Decisions S.A. reserves the right to modify this Agreement at any time to comply with legal and regulatory changes. Any substantial modifications will be communicated to clients.

10. Governing law and jurisdiction

This Agreement is governed by the laws of France.

In case of a dispute, the parties agree to seek an amicable resolution before taking any legal action. If no agreement is reached, any dispute shall be submitted to the competent courts of Bayonne, France.

11. Contact

For any questions related to data protection and processing activities, you can contact our Data Protection Officer (DPO) at dpo@isdecisions.com.

This Data Processing Agreement is made available to our clients to ensure full transparency regarding how we process personal data as part of our services.

"This translation is provided for informational purposes only. In the event of discrepancies, the original French version shall prevail."