DPA

1. Purpose

This Addendum relating to the processing of personal information (“DPA”) governs the processing of Personal Information contained in the Client Data when Vorellis processes such information on behalf of the Client in connection with the Services.

This DPA forms an integral part of the Contract. Unless otherwise defined in this DPA, terms defined in the Contract shall have the same meaning in this DPA.

In the event of any conflict between this DPA and the Contract, this DPA shall prevail solely in respect of matters relating to the processing of Personal Information on behalf of the Client.

2. Roles of the Parties

The Client determines the purposes and the principal means of processing the Personal Information contained in the Client Data.

Vorellis processes such Personal Information on behalf of the Client to provide the Services, in accordance with the Contract, the applicable Purchase Order, this DPA and the Client’s documented instructions.

Depending on applicable laws, the Client may act, inter alia, as a data controller, personal information controller, responsible organisation or equivalent entity, and Vorellis may act, inter alia, as a supplier, service provider, sub-processor, processor or equivalent entity.

3. Client’s Instructions

The Client instructs Vorellis to process Personal Information only to the extent necessary to:

a) provide, operate, maintain, secure and support the Services;

b) create, configure, administer and manage the Account;

c) process support requests;

d) produce the Generated Results requested by the Client or its Authorised Users;

e) prevent, detect and rectify errors, misuse, incidents, vulnerabilities or non-compliant use;

f) comply with the Contract, this DPA and applicable laws.

Vorellis shall not process Personal Information for any other purpose, unless instructed in writing by the Client or where required by law applicable to Vorellis.

4. Description of the processing

The purpose, duration, nature, categories of Personal Information and categories of data subjects are described in Appendix 1 – Description of the Processing.

The Client remains responsible for ensuring that the Personal Information submitted to the Services is necessary, proportionate, accurate, authorised and compliant with applicable laws.

5. Vorellis’ obligations

Vorellis must:

a) process Personal Information in accordance with the Contract, this DPA and the Client’s documented instructions;

b) restrict access to Personal Information to those persons who need access to it to provide, secure, maintain, support or administer the Services;

c) impose appropriate confidentiality obligations on persons authorised to process Personal Information;

d) implement reasonable security measures in accordance with Appendix 2 – Security Measures;

e) not retain Personal Information after the end of the term, except to the extent permitted by the Contract, this DPA or applicable law;

f) notify the Client in accordance with Section 9 in the event of a Data Breach affecting Personal Information;

g) cooperate reasonably with the Client to respond to requests relating to Personal Information, to the extent provided for in this DPA.

6. Obligations of the Client

The Client shall:

a) have the necessary rights, powers, consents, authorisations or legal bases to submit Personal Information to the Services;

b) provide lawful, documented instructions that are compatible with the Services;

c) determine the laws applicable to its activities and to Personal Information;

d) respond to requests from data subjects and authorities, unless Vorellis has been specifically instructed otherwise;

e) keep the Client Data accurate and up to date;

f) limit the Personal Information submitted to the Services to what is necessary and proportionate;

g) use the Services in accordance with the Contract and this DPA.

7. Vorellis’s Sub-processors

The Client authorises Vorellis to use Sub-processors to provide, host, secure, maintain, support, invoice or administer the Services.

The main authorised Sub-processors are set out in Appendix 3 – Authorised Suppliers and Sub-processors or in any list of Sub-processors maintained by Vorellis and made available to the Client.

Vorellis must impose on its Sub-processors obligations regarding the protection of Personal Information that are reasonably equivalent to those set out in this DPA.

Vorellis remains liable to the Client for the performance of the obligations entrusted to its Sub-processors, within the limits set out in the Contract.

Vorellis may add or replace a Sub-processor, subject to the Client’s reasonable notice. The Client may object to the appointment of a new Sub-processor on reasonable grounds relating to the protection of Personal Information. If the Parties are unable to resolve the objection in good faith, the Client may cease using the relevant part of the Services or may not renew the Subscription.

8. Places of processing and transfers outside the jurisdiction

Personal Information may be processed, hosted, accessed or stored at the locations specified in Appendix 3, in the Purchase Order or in the applicable Documentation.

Where the Client uses the Services to process Personal Information subject to restrictions on cross-border transfers, the Client remains responsible for determining whether the transfer is authorised and for carrying out any analysis or assessment required by applicable law, unless a separate mandate is entrusted to Vorellis.

Vorellis must implement reasonable contractual, technical and organisational safeguards for transfers carried out by Vorellis or its Sub-processors in connection with the Services.

9. Data Breaches

Vorellis must notify the Client within a reasonable time after confirming a Data Breach affecting Personal Information processed on the Client’s behalf.

The notice must include reasonably available information, including:

a) the general nature of the breach;

b) the categories of Personal Information concerned, where known;

c) the measures taken or envisaged by Vorellis;

d) the information reasonably necessary to enable the Client to assess its own notification obligations.

The Client remains responsible for determining whether the incident must be notified to an authority, a data subject, a client, an insurer or another third party, unless a separate mandate has been entrusted to Vorellis.

10. Assistance to the Client

Taking into account the nature of the Services and the information available, Vorellis shall provide reasonable assistance to the Client to:

a) respond to requests for access, rectification, erasure, portability, objection or other requests from data subjects;

b) investigate a data breach;

c) document the processing carried out within the Services;

d) respond to a reasonable request from a competent authority;

e) export or delete certain Client Data in accordance with the available features.

Any personalised, complex, urgent, legal, advanced technical or documentary assistance, or any support beyond standard assistance, may be treated as a separate Professional Service.

11. Return and deletion

Upon termination of the Subscription, Vorellis will make the Client Data available or delete it in accordance with the Contract and the available features.

Unless otherwise required by law or permitted by the Contract, Vorellis shall delete or render inaccessible Personal Information after the end of the Subscription, subject to backups, logs, technical archives, security obligations, tax obligations, accounting obligations, legal obligations or reasonable contractual evidence requirements.

Any residual copies retained in routine backups remain protected in accordance with this DPA until they are deleted, in accordance with Vorellis’ standard retention cycles.

12. Audits and Compliance Information

Vorellis may make available to the Client reasonable information regarding its security measures, its Sub-processors and its processing practices, including through this DPA, Appendix 2, Appendix 3, the Documentation, certifications or reasonable responses to security questionnaires.

Any active technical audit of Vorellis’ systems remains subject to the restrictions set out in the Contract, in particular in Clause 6.6.

Any request for a customised audit or verification must be reasonable, limited to what is necessary, subject to confidentiality obligations and treated as a separate Professional Service.

13. Vorellis’ own processing and payment services

This DPA does not apply to Personal Information that Vorellis processes for its own purposes, including for billing, payments, customer relationship management, general security, permitted marketing communications, website management or compliance with Vorellis’ legal obligations.

Such processing is governed by Vorellis’ or Agent AlexArc’s applicable privacy policy.

Certain payment service providers may process payment information in accordance with their own terms and conditions, legal obligations, roles and applicable policies. The Client must ensure that data subjects are provided with appropriate information when payment or billing data is processed in the context of the business relationship with Vorellis.

14. Term

This DPA shall remain in force for as long as Vorellis processes Personal Information on behalf of the Client in connection with the Services.

Obligations which, by their nature, are intended to survive the termination of this DPA shall continue to apply, including obligations relating to confidentiality, security, erasure, residual data, contractual evidence and the limitations of liability set out in the Contract.

Any material change that adversely affects the Client’s rights or obligations in relation to the processing of Personal Information shall be subject to reasonable notice, except in cases of emergency, legal requirement, security, compliance or a necessary change imposed by a Sub-processor or an essential supplier.

Vorellis may amend this DPA in accordance with the amendment provisions set out in the Contract.

APPENDIX 1 – DESCRIPTION OF THE PROCESSING

1. Purpose of the processing

Provision, operation, security, maintenance, support and administration of the Agent AlexArc Services.

2. Duration of processing

For the duration of the Subscription, and thereafter for any period necessary for deletion, restoration, backup, security, compliance, contractual evidence or applicable legal obligations.

3. Nature and purposes of the processing

Processing may include collection, entry, hosting, storage, consultation, organisation, classification, analysis, generation, display, transmission, export, logging, security, backup, deletion and support.

The purposes are the provision of the Services, Account management, support, security, the production of Generated Results, the administration of Modules and compliance with the Contract. As of the effective date of this DPA, no external AI Functionality is connected to Agent AlexArc, unless subsequently activated in accordance with the Contract and this DPA.

4. Categories of data subjects

Depending on the Client Data, data subjects may include:

a) the Client’s employees, officers, directors and representatives;

b) the Client’s customers, prospects, end users or beneficiaries;

c) suppliers, service providers, partners or representatives of third parties;

d) individuals affected by a request for access, an incident, a record, an assessment, a processing operation or a document managed in Agent AlexArc;

e) any other person whose details are provided by the Client to the Services.

5. Categories of Personal Information

Depending on the Client Data, the categories may include:

a) identification details and business contact information;

b) account, role, access and logging information;

c) information relating to processing activities, suppliers, incidents, requests, evidence, records or assessments;

d) the contents of documents uploaded by the Client;

e) responses, comments, tasks, decisions, statuses or approvals entered in Agent AlexArc;

f) other Personal Information submitted by the Client.

The Client must not submit sensitive or high-risk Personal Information unless it is necessary, proportionate, authorised and in accordance with the Contract.

APPENDIX 2 – SECURITY MEASURES

Vorellis implements reasonable measures, taking into account the nature of the Services, in particular:

a) system access controls;

b) authentication and management of Credentials;

c) restriction of internal access according to access requirements;

d) encryption of data in transit where technically feasible;

e) reasonable backups or business continuity mechanisms;

f) appropriate logging or technical monitoring;

g) measures to protect against unauthorised access;

h) reasonable management of vulnerabilities and updates;

i) confidentiality obligations for authorised staff;

j) use of reputable cloud or technical service providers;

k) reasonable incident response procedures;

l) measures for deletion, archiving or deactivation in accordance with the applicable cycles.

Vorellis relies on OVHcloud for hosting and certain security measures relating to the back-end infrastructure. Vorellis remains responsible for application configuration, application access, security settings for Agent AlexArc, and organisational security measures under its direct control.

Vorellis may use security tools, services or providers to protect the Services, technical environments, code, access, logs, vulnerabilities, configurations, workstations, communications and infrastructure used to provide Agent AlexArc.

These tools may include, but are not limited to, monitoring, logging, anomaly detection, vulnerability analysis, malware protection, patch management, access protection, code security analysis, incident response and abuse prevention.

For security reasons, Vorellis does not necessarily publish a detailed list of its tools or suppliers in this DPA. Where such tools or suppliers process Personal Information on behalf of the Client to a significant extent, Vorellis binds them contractually to this DPA and may provide additional information to the Client where reasonably required, subject to appropriate confidentiality obligations.

Security measures may evolve, provided that Vorellis does not materially reduce the overall level of protection during a current Subscription Period, unless such a change is necessary for technical, legal, security or operational reasons.

APPENDIX 3 – AUTHORISED SUPPLIERS AND SUB-PROCESSORS

1. Principle

Vorellis may use suppliers and Sub-processors to provide, host, secure, maintain, support, bill for or administer the Services.

This Appendix 3 identifies the main authorised suppliers and Sub-processors that may process Client Data or Personal Information in connection with the Services.

2. List of key authorised suppliers and Sub-processors

Each entry below gives the supplier or Sub-processor, its role, the main place of processing and the type of data concerned.

OVHcloud
Role: application hosting, backend infrastructure, infrastructure services and backend infrastructure security.
Main place of processing: Quebec / Canada, depending on the services configured by Vorellis.
Type of data concerned: Client Data hosted in Agent AlexArc, technical data, application logs and data necessary for the secure operation of the Services.

Twilio / SendGrid (email and SMS provider)
Role: sending transactional emails, SMS messages relating to multi-factor authentication, verification codes, security alerts, system notifications and communications relating to the Services.
Main place of processing: depending on the Twilio and SendGrid infrastructure and the settings applicable to the service.
Type of data concerned: recipients’ business contact details, delivery metadata, and content of transactional emails or notifications sent via the Services.

Stripe
Role: payment, billing, transaction processing and management of certain payment data.
Main place of processing: depending on Stripe’s infrastructure and the settings applicable to the service.
Type of data concerned: billing data, payment data, business contact details, transaction information and metadata necessary for processing payments.

3. Security, monitoring and protection tools

The security, monitoring and protection tools used by Vorellis are described in general terms in Appendix 2. For security reasons, Vorellis does not necessarily publish a detailed list of its tools or suppliers, subject to the obligations set out in this DPA.

4. Support and CRM

Customer support and CRM functions related to Agent AlexArc are managed internally within the Agent AlexArc administration module.

No external customer support or CRM providers are used, unless otherwise notified to the Client in accordance with this DPA.

5. AI Features

As of the effective date of this DPA, no external artificial intelligence features are connected to Agent AlexArc.

No external provider of AI models, AI APIs or AI infrastructure is authorised as a Sub-processor, unless subsequently added in accordance with this DPA and the Contract.

6. Update to Appendix 3

Vorellis may update this Appendix 3 in accordance with this DPA.

The Client may be notified of a significant addition or replacement of a Sub-processor by email, in-app notification, dedicated contract page, or any other reasonable means.

APPENDIX 4 – GDPR / EEA ADDENDUM

1. Purpose and scope

This Appendix 4 – GDPR / EEA Addendum (“GDPR Addendum”) supplements this DPA where the General Data Protection Regulation, namely Regulation (EU) 2016/679 (“GDPR”), applies to the processing of Personal Data carried out by Vorellis on behalf of the Client in connection with the Services.

This GDPR Addendum applies only to the extent that the Client Data includes Personal Data subject to the GDPR and where Vorellis acts as a processor for the Client within the meaning of the GDPR.

This GDPR Addendum does not apply to personal information that Vorellis processes for its own purposes, which is governed by Vorellis’s applicable privacy policy.

2. Definitions specific to the GDPR

For this GDPR Addendum:

a) “Personal Data” means personal data within the meaning of the GDPR;

b) “Data Controller” means the Client that determines the purposes and means of the processing of Personal Data;

c) “Processor” means Vorellis when it processes Personal Data on behalf of the Client;

d) “Data subject” means an identifiable natural person whose Personal Data is processed;

e) “Personal Data Breach” means a breach of security leading, accidentally or unlawfully, to the destruction, loss, alteration, unauthorised disclosure of, or unauthorised access to, Personal Data;

f) the terms “processing”, “sub-processor”, “supervisory authority”, “Member State” and other terms specific to the GDPR shall have the meanings assigned to them by the GDPR.

3. Roles of the Parties

For the processing operations covered by this GDPR Addendum, the Client generally acts as the Data Controller, and Vorellis acts as the Processor.

The Client remains responsible for determining the purposes, main means, legal bases, notifications, consents (where applicable), retention periods, responses to Data Subjects, and communications with supervisory authorities.

Vorellis processes Personal Data solely on behalf of the Client, in accordance with the Contract, the DPA, this GDPR Addendum, the applicable Purchase Order and the Client’s documented instructions.

4. Documented Instructions

The Client instructs Vorellis to process Personal Data only to the extent necessary for the provision, operation, security, maintenance, support and administration of the Services.

Vorellis shall not process Personal Data for any other purpose, unless instructed in writing by the Client or where required by law applicable to Vorellis.

Where Vorellis considers that an instruction from the Client breaches the GDPR or any other applicable data protection provision, Vorellis shall inform the Client thereof, unless prohibited by applicable law.

5. Vorellis’ obligations as a Processor

Where Vorellis acts as a Processor within the meaning of the GDPR, it must:

a) process Personal Data only based on documented instructions from the Client;

b) ensure that persons authorised to process Personal Data are subject to an appropriate duty of confidentiality;

c) implement reasonable technical and organisational measures, taking into account the nature of the Services and in accordance with the DPA;

d) comply with the rules applicable to sub-processors;

e) provide reasonable assistance to the Client, taking into account the nature of the processing and the information available, in responding to requests from Data Subjects;

f) reasonably assist the Client in relation to security, personal data breaches, data protection impact assessments and prior consultations, to the extent applicable;

g) delete or return the Personal Data in accordance with the DPA upon termination of the Services;

h) make available to the Client the information reasonably necessary to demonstrate compliance with the obligations applicable to the Processor, subject to the confidentiality, security and proportionality limitations set out in the DPA and the Contract.

6. Obligations of the Client as Data Controller

The Client must:

a) have a valid legal basis for the processing of Personal Data within the Services;

b) provide the required privacy notices to Data Subjects;

c) obtain the necessary consents, where consent is the applicable legal basis;

d) ensure that the Personal Data submitted to the Services is adequate, relevant, limited, accurate and necessary;

e) determine whether a data protection impact assessment is required;

f) respond to requests from Data Subjects;

g) comply with notification obligations to supervisory authorities and data subjects;

h) document its processing activities in accordance with the GDPR;

i) not use the Services in a manner that would breach the GDPR.

7. Sub-processors

The Client authorises Vorellis to use sub-processors to provide, host, secure, maintain, support, invoice or administer the Services, in accordance with the DPA.

Vorellis must impose on its sub-processors obligations regarding the protection of Personal Data that are reasonably equivalent to those set out in the DPA and this GDPR Addendum.

Vorellis may add or replace a sub-processor in accordance with the DPA. Where required by the GDPR, Vorellis shall provide the Client with reasonable notice to enable the Client to object on reasonable grounds relating to the protection of Personal Data.

If the Parties are unable to resolve the objection in good faith, the Client may cease using the relevant part of the Services or may not renew the Subscription, unless another remedy is expressly provided for in the Contract or required by applicable law.

8. Assistance regarding the rights of Data Subjects

Taking into account the nature of the Services and the information available, Vorellis shall reasonably assist the Client in responding to requests from Data Subjects to exercise their rights, in particular requests for access, rectification, erasure, restriction, portability or objection.

The Client remains responsible for responding to Data Subjects, unless a separate mandate is expressly entrusted to Vorellis.

Where Vorellis receives a request directly from a Data Subject concerning Personal Data processed on behalf of the Client, Vorellis may invite that person to contact the Client or forward the request to the Client, where appropriate.

9. Personal Data Breach

Vorellis shall notify the Client within a reasonable time after confirming a Personal Data Breach affecting Personal Data processed on behalf of the Client.

The notice shall include any information reasonably available, including the general nature of the breach, the categories of Personal Data concerned, where known, the measures taken or envisaged by Vorellis, and any information reasonably necessary to enable the Client to assess its obligations.

The Client remains responsible for determining whether notification to a supervisory authority or a Data Subject is required.

10. Security

Vorellis implements reasonable technical and organisational measures to protect the Personal Data processed on behalf of the Client, in accordance with the DPA and its Appendix 2 – Security Measures.

The Client acknowledges that security also depends on its own practices, including the management of its Authorised Users, Credentials, devices, networks, configurations, exports, internal access, policies and Client Data.

11. Audits and Compliance Information

Vorellis shall provide the Client with reasonable information regarding its security measures, sub-processors and processing practices, in accordance with the DPA.

Any active technical verification, penetration test, scan, inspection or technical audit of Vorellis’ systems remains subject to the restrictions set out in the Contract, including prior written authorisation from Vorellis.

Any request for a bespoke audit must be reasonable, proportionate, limited to what is necessary, subject to appropriate confidentiality obligations and treated as a separate Professional Service.

12. International Transfers

Personal Data may be processed, hosted, accessed or stored in the locations specified in the DPA, the Purchase Order or the applicable Documentation.

Where Personal Data subject to the GDPR is transferred from the European Economic Area to a third country, the Parties must, where applicable, rely on a transfer mechanism recognised by the GDPR.

To the extent applicable, such mechanisms may include:

a) an applicable adequacy decision;

b) the standard contractual clauses adopted by the European Commission;

c) any other transfer mechanism recognised by the GDPR.

Where standard contractual clauses are required for a relevant transfer, the Parties agree to cooperate reasonably to implement them or to rely on those already concluded with the relevant suppliers, depending on the Parties’ roles and the data flow concerned.

13. Representative in the European Union

Where the GDPR requires Vorellis to appoint a representative in the European Union pursuant to Article 27, Vorellis shall take the reasonable steps necessary to comply with this requirement.

This clause shall not be interpreted as an automatic acknowledgement that Vorellis is required to appoint a representative within the European Union in all cases. The assessment depends, in particular, on the actual scope of activities, the services offered, the data subjects, whether the processing is occasional, the risks, and the applicable requirements.

14. Priority

In the event of any conflict between this GDPR Addendum and the DPA, this GDPR Addendum shall prevail solely in respect of the processing of Personal Data subject to the GDPR.

In the event of any conflict between this GDPR Addendum and the Contract, the order of priority set out in the Contract shall apply, subject to the mandatory requirements of the GDPR applicable to the processing in question.

15. No Extension of Services

This GDPR Addendum does not create any professional service, DPO mandate, legal adviser mandate, European representative mandate, GDPR compliance mandate, audit, certification, legal opinion or regulatory validation.

Any personalised, legal, documentary, advanced technical or urgent assistance, or any support beyond standard assistance, may be treated as a separate Professional Service, unless otherwise provided for in a Purchase Order, Statement of Work or separate contract.