DATA PROCESSING AGREEMENT (DPA)
You have entered into a contract with (RE)SET for the provision of services to you (the "Contract"). In the event that the "Personal Data Processing" Appendix indicates that (RE)SET processes personal data on your behalf, acting as a data processor, this Data Processing Agreement (DPA) applies in accordance with Article 28 of the GDPR.
***
The obligations set out in this DPA apply to processing for which (RE)SET acts as a Processor, as defined in the "Personal Data Processing" Appendix.
When (RE)SET acts as a Processor, the Client acts as the Data Controller.
The Parties undertake to comply with all the obligations set forth in this DPA in order to adhere to the provisions of Article 28 of the GDPR.
All terms and concepts related to Personal Data protection have the meaning given to them by the Personal Data Regulations.
1. Description of the Personal Data Processing for which (RE)SET acts as a Processor
The details of the Personal Data processing carried out by (RE)SET in its capacity as a Processor on behalf of the Client, including the subject matter, duration, nature, and purposes of the Personal Data processing, the categories of Personal Data, and the categories of data subjects, are specified in the "Personal Data Processing" Appendix.
2. Compliance with the Client's documented instructions
(RE)SET processes Personal Data only on the documented instructions of the Client, acting as the Data Controller, including regarding transfers of Personal Data outside the European Economic Area, unless required to do so under a provision of French law to which (RE)SET is subject. In such a case, (RE)SET shall inform the Client of that legal requirement before processing, unless the law prohibits such information on important grounds of public interest. Instructions may also be provided subsequently by the Client throughout the duration of the Personal Data processing, provided they are given in writing and are not contradictory to the initial instructions, unless the Parties agree in writing beforehand to the change in instructions.
(RE)SET shall immediately inform the Client if, in its opinion, an instruction provided by the Client constitutes a violation of the Personal Data Regulations.
3. Purpose Limitation
(RE)SET processes Personal Data only for the processing purposes as defined in the "Personal Data Processing" Appendix, unless otherwise instructed by the Client's additional documented instructions.
4. Duration of the processing
(RE)SET will process the Personal Data for the duration of the Contract.
5. Security of processing
(RE)SET implements the technical and organizational measures specified in the "Personal Data Processing" Appendix to ensure the security of the Personal Data. These measures include safeguards designed to protect Personal Data against any security breach that could lead to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data (a personal data breach). When assessing the appropriate level of security, the Parties shall duly consider the state of the art, the costs of implementation, and the nature, scope, context, and purposes of the processing, as well as the risks to the rights and freedoms of data subjects.
(RE)SET grants its personnel access to the Personal Data subject to processing only to the extent strictly necessary for the execution, management, and monitoring of this DPA.
(RE)SET ensures that persons authorized to process the Personal Data have committed to confidentiality or are under an appropriate statutory obligation of confidentiality.
6. Engagement of Subsequent Sub-processors
(RE)SET has the Client's general authorization for the engagement of Subsequent Sub-processors based on an agreed list included in the "Personal Data Processing" Appendix.
(RE)SET shall inform the Client in writing of any intended change concerning the addition or replacement of Subsequent Sub-processors at least fifteen (15) days in advance, thereby giving the Client sufficient time to object to such changes before the engagement of the concerned Subsequent Sub-processor(s). This notification will be sent to the contact address provided at the time of contracting.
(RE)SET provides the Client with the necessary information to enable it to exercise its right to object, namely the name of the Subsequent Sub-processor, its location, and the processing activities entrusted to it.
If the Client does not submit an objection within fifteen (15) days of receiving the aforementioned information, it will be deemed to have accepted the new Subsequent Sub-processor.
If the Client objects within the aforementioned period, the Parties agree to meet in order to find a solution that satisfies the interests of all Parties. If no solution satisfactory to all Parties is found, the Client is entitled to terminate the Contract by providing thirty (30) days' prior written notice. In this case, the Client must pay all amounts due for the Services performed by (RE)SET up to the effective date of the Contract's termination.
When (RE)SET engages a Subsequent Sub-processor to carry out processing activities on behalf of the Client, it does so under a contract that imposes on the Subsequent Sub-processor, in substance, the same data protection obligations as those imposed on (RE)SET under this DPA. (RE)SET ensures that the Subsequent Sub-processor complies with the obligations to which it is itself subject under the GDPR.
(RE)SET remains fully liable to the Client for the performance of the Subsequent Sub-processor's obligations in accordance with the contract concluded with the Subsequent Sub-processor.
7. International Transfers
The Client authorizes (RE)SET to transfer Personal Data outside the European Economic Area in the course of providing its Services, which constitutes a documented instruction within the meaning of Article 28 of the GDPR.
Where applicable, (RE)SET undertakes to ensure that transfers of Personal Data are carried out in compliance with Chapter V of the GDPR, and to conclude, when legally required, standard contractual clauses as defined in Article 46 of the GDPR.
8. Requests to Exercise Rights
The Client is fully responsible for informing data subjects about the Processing of their Personal Data and for responding to their requests to exercise their rights.
(RE)SET, taking into account the nature of the Processing, assists the Client, through appropriate technical and organizational measures and to the extent possible, in fulfilling its obligation to respond to requests from data subjects seeking to exercise their rights under Chapter III of the GDPR.
In the event that (RE)SET receives a request from a data subject regarding the Processing of their Personal Data or the exercise of a right, (RE)SET undertakes to inform the Client as soon as possible and not to respond directly to the request itself.
(RE)SET provides assistance to the Client, to the extent possible, in fulfilling its obligation to respond to data subjects' requests to exercise their rights, taking into account the nature of the Processing. In fulfilling its obligations under this DPA, (RE)SET complies with the Client's documented instructions.
The Client acknowledges and agrees that, should (RE)SET's assistance require significant resources on its part, the cost of such assistance may be billed to the Client. (RE)SET will inform the Client in advance to obtain prior approval. If the Client does not provide its approval, (RE)SET will then provide the Client with reasonable assistance.
9. Personal Data Breach
(RE)SET assists the Client in ensuring compliance with its obligations under Article 33 of the GDPR, taking into account the nature of the Processing and the information available to (RE)SET.
If (RE)SET becomes aware of a Personal Data Breach, it undertakes to inform the Client as soon as possible after becoming aware of it.
The information provided by (RE)SET will include, to the extent possible and subject to the information available to (RE)SET, the nature of the Personal Data Breach, the likely consequences of the Personal Data Breach, the approximate number of data subjects affected, and, where applicable, the measures taken or proposed by (RE)SET in response to the Personal Data Breach.
The Client acknowledges and agrees that, should (RE)SET's assistance require significant resources on its part, the cost of such assistance may be billed to the Client. (RE)SET will inform the Client in advance to obtain prior approval. If the Client does not provide its approval, (RE)SET will then provide the Client with reasonable assistance.
10. Obligation to Assist the Client
(RE)SET provides reasonable assistance to the Client in ensuring compliance with the following obligations, taking into account the nature of the processing and the information available to (RE)SET:
1) the obligation to carry out a data protection impact assessment when a type of Personal Data Processing is likely to result in a high risk to the rights and freedoms of data subjects;
2) the obligation to consult the competent supervisory authority/authorities prior to the Processing of Personal Data when a data protection impact assessment indicates that the Processing would result in a high risk if the Client did not take measures to mitigate the risk;
3) the obligation to ensure that Personal Data is accurate and up to date.
(RE)SET shall make available to the Client, upon request, all information necessary to demonstrate compliance with the obligations to which it is subject under Article 28 of the GDPR.
If the information provided is insufficient to demonstrate (RE)SET's compliance with its obligations and upon the Client's written request, (RE)SET also permits and contributes to audits of the personal data processing activities covered by this subcontracting agreement.
If the Client wishes to conduct an audit, it must notify (RE)SET by registered letter with proof of receipt sixty (60) business days prior to the audit. The Parties must agree on the audit arrangements in advance, it being specified that an audit may be conducted only once per year, on business days between 9:00 AM and 6:00 PM, for a maximum duration of two (2) days, and it must in no way disrupt the normal course of (RE)SET's operations.
If the Client uses an external auditor, the Client undertakes to ensure that said auditor is bound by confidentiality obligations regarding (RE)SET's activities. The Client undertakes not to use a provider that is a competitor of (RE)SET.
(RE)SET reserves the right not to disclose information protected by business secrecy, intellectual property rights, or existing confidentiality agreements.
The Client acknowledges and agrees that, should (RE)SET's assistance in conducting an audit require significant resources on its part, the cost of such assistance may be billed to the Client. (RE)SET will inform the Client in advance to obtain prior approval. If the Client does not provide its approval, (RE)SET will then provide the Client with reasonable assistance.
11. Deletion and Return of Personal Data
At the Client's choice, (RE)SET will delete or return all Personal Data to the Client within 6 months of the completion of the services provided to the Client, and will destroy existing copies, unless (RE)SET is required to retain the Personal Data to comply with a legal obligation.
12. Client Obligations
The Client undertakes to provide (RE)SET with all Personal Data necessary for the performance of the Services.
The Client undertakes to comply with all obligations incumbent upon it as a data controller under the Personal Data Regulations.
***