IP-LABEL Finland OY (the “Company”) is a company with capital of 2 500 €, located at Bulevardi 7, 00120 Helsinki, Finland, and registered under the number 2122612-1, whose core business is the provision of services which enable its clients to manage and optimize their digital experience (“IP-LABEL Services”).
IP-LABEL Services measure the quality of the experience of the users (hereinafter the “Users”) of all digital services, such as web, business, and mobile applications as well as telephony, video, voice, etc. Some IP-LABEL Services (centered on user experience) serve to improve the availability, response times, and performance of its clients’ critical applications. The Client has signed an agreement with the Company (the “Agreement”) to benefit from one or more IP-LABEL Services.
It follows from the above that the Company (i) collects personal data and processes it on its own behalf and (ii) collects personal data in the name of and on behalf of the Client, IP-LABEL acting as a processor, in other words, as an external party processing personal data in accordance with the instructions and under the authority of the controller, which is the Client. Personal data means “any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person” (“Personal Data”).
The Personal Data which is collected shall remain the exclusive property of the Users from which it is collected. Such Personal Data is entrusted by mandate to the Company and to the Client solely for the purposes of the Services which the Client has subscribed to, by express consent and on the basis of detailed information about the purposes of the Services in question, with full transparency.
The Company shall submit to an independent European supervisory authority (hereinafter the “Supervisory Authority”) all declarations for Personal Data processing which it performs on its own behalf. No specific declaration shall be made by the Company with regard to its collection and processing activities on behalf of the Client, insofar as the Client is legally responsible for the processing of Personal Data collected on its behalf, processing over which the Company is not entitled to exercise actual control.
Nevertheless, in compliance with the stipulations of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (the “European Regulation”), the Company and the Client shall undertake to conform to the stipulations of the present Charter for the entire duration of the Agreement in the context of the collection, management, and use of the Personal Data of the Users.
The protection of Personal Data and the respect for the privacy of Users is of utmost importance to the Company. The Company consequently undertakes to implement, throughout the entire process of collection, hosting, processing, and circulation, all necessary technical and organisational means to ensure such protection and respect, and to work only with parties which implement equivalent means and which themselves adhere to the present Charter, in accordance with the commitments hereinunder:
The Company undertakes to:
1. process the Personal Data of Users solely for the purpose(s) which are the object of the Agreement;
2. process the Personal Data of Users in accordance with the instructions documented by the controller representative designated by the Client in the Annex to the Agreement. Should the Company deem that an instruction constitutes a violation of the European Regulation or of any other provision of European Union or Member State law on data protection, it shall immediately inform the Client’s controller representative. Furthermore, should the Company be required to transfer data to third countries or international organisations, it shall, under European Union law or the Member State law which is applicable to the Company, notify the Client’s controller representative of this legal requirement prior to processing, unless the law in question prohibits such notification;
3. guarantee the confidentiality of the Personal Data of Users which is processed during the performance of the Agreement and Services;
4. ensure that the personnel of the Company which is authorized to process the Personal Data of Users pursuant to the Agreement (a) undertake to uphold confidentiality or be under an appropriate legal obligation of confidentiality, and (b) have the necessary training in protecting Personal Data;
5. take into account the principles of the protection of the Personal Data of Users when designing and developing its products and/or Services;
6. inform the Client’s controller representative in writing prior to any planned addition or replacement of any processors subcontracted by the Company. This notification must clearly indicate the subcontracted processing activities, the identity and contact details of the subcontracted processor, and the dates of the processing subcontract. The Client shall have a minimum of thirty (30) days from the date it receives notification to raise any objections. In the event the Client raises an objection, it must – within the thirty (30) days and prior to the effective date of the addition or replacement of a subcontracted processor – send the Company a registered letter with return receipt, to declare the termination of the Service(s) to which the addition or replacement of the subcontracted processor applies. This termination shall take effect at the end of the thirty (30) days referred to above. The Client bears responsibility for any consequences of advancing the termination date specified in the Agreement. In the absence of a termination Notice addressed by the Client to the Company within the thirty (30) days referred to above, it shall be deemed that Client has irrevocably agreed to the addition or replacement of the subcontracted processor(s). All subcontracted processors are bound to uphold the provisions of this Charter. It is the Company’s responsibility to ensure that its subcontracted processors provide the same adequate guarantees concerning the implementation of appropriate technical and organisational measures such that the processing meets the requirements of the European Regulation. The Company remains fully liable toward the Client for the performance of its obligations by the subcontracted processor(s).
7. implement security measures to guarantee the privacy and integrity of Personal Data, to prevent unauthorized third parties from modifying, damaging, or simply accessing it. The Company shall use means proportionate to the value or criticality of the Personal Data in question, including but not limited to, depending on the need:
(i) pseudonymization and encryption of Personal Data;
(ii) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
(iii) ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident;
(iv) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
8. notify by e-mail the Client’s controller representative after becoming aware of any breach of Personal Data of Users, with confirmation by registered mail with return receipt. Such notification shall include any information which may be useful to the Client, when necessary, for notifying the breach to the competent Supervisory Authority.
9. assist the Client, insofar as possible and applying any fees stipulated under the Agreement, in the fulfillment of the Client’s obligation to respond to requests from Users to exercise their rights: the right of access, rectification or erasure of Personal Data or restriction of processing, the right to data portability, the right to refuse automated decision-making (including profiling). Should a User send the Company a request to exercise his or her rights, the Company shall forward these requests by email as soon as it receives them to the controller representative designated by the Client.
10. delete all Personal Data of Users upon termination of the Services relating to the processing.
11. assist the Client, in the context of the subscribed Services and applying any fees stipulated under the Agreement, in ensuring the protection of Personal Data of Users. The Company shall assist the Client with any prior consultation of the Supervisory Authority.
12. make available to the Client all information necessary to demonstrate compliance with all of its obligations and allow for and contribute to audits, including inspections, conducted by an auditor which the Client shall mandate (a “Mandated Auditor”). The Client shall therefore be entitled, at its own cost, to be assisted by any Mandated Auditor it shall designate, on the condition that the Mandated Auditor has received a certification granted by the Supervisory Authority, exercises no activity in direct or indirect competition with that of the Company, and is associated with no company whose business is directly or indirectly to that of the Company, and which shall have provided prior written agreement to be subjected to the obligation of confidentiality as laid down in the Agreement, and has submitted a declaration of absence of conflict of interests. The Company shall be entitled to recuse the designated Mandated Auditor on justified grounds, without prejudice to the right of the Client to designate another Mandated Auditor in accordance with the conditions above. The Client shall be limited to one audit per year of the Agreement, after sending the Company a notice fifteen (15) days beforehand. The audit shall conform to the provisions and methodology laid down by CNIL Deliberation no. 2011-316 of 6 October 2011, which pertains to the adoption of a standard for issuing privacy seals for audit procedures to protect data subjects with respect to the processing of Personal Data.
13. maintain a written record of all categories of processing activities undertaken on behalf of the Client, including:
(a) the name and contact details of the controller representative on behalf of which the Company is acting, any subcontractors, and, where applicable, the data protection officer;
(b) the categories of processing carried out on behalf of the controller;
(c) where applicable, transfers of Personal Data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1) of the European Regulation on data protection, the documentation of suitable safeguards;
(d) where possible, a general description of the technical and organisational security measures, including but not limited to, depending on the need:
(i) pseudonymization and encryption of Personal Data;
(ii) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
(iii) ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident;
(iv) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
For its part, the Client affirms:
1. that no collection or processing of Personal Data shall be entrusted to the Company without a declaration from the Client or authorization obtained by the Client from a Supervisory Authority;
2. that the purpose of the processing of Personal Data entrusted to the Company is determined, explicit, and lawful. The ‘opt-in’ consent which the Client obtains from the User is informed, on the basis of a service whose purpose and bounds are explained unambiguously, without any possibility of misappropriation.
The Client shall undertake additionally to:
1. refrain from reselling or exploiting Personal Data outside of the strict bounds consented to by the Users, who retain the right to change their consent at any time and on any digital medium provided to them, in accordance with the applicable legislation;
2. ensure any User’s right to access, rectify, and delete any or all of his or her Personal Data. Therefore any User may, free of charge and upon request, be granted access to all of the information about him/her, and correct it, complete it, or oppose processing of it;
3. designate a controller representative for the purposes of the Agreement and inform the Company of his or her last name, first name, and contact details by registered mail with return receipt, otherwise the Client’s legal representative shall be considered the controller representative. The Client may at any time during the performance of the Agreement replace a previously designated controller representative by sending written notification to the Company.
This Charter shall be effective from the date of the signing of the Agreement for the duration of the Agreement.
The present Charter is governed by French law. Any dispute arising out of the interpretation, performance, or validity of the Charter shall be subject to the jurisdiction of the Tribunal de Commerce de Paris, including in the event of emergency proceedings and notwithstanding multiple respondents or third-party appeals.
Failure on the part of either party to exercise its rights upon a breach by the other party of any one of the obligations under the Charter shall not be construed as a waiver of the obligation in question or as an amendment to the Charter and shall not prevent the non-defaulting party from exercising its rights subsequently.
Should one or more of the provisions of the Charter be deemed, rendered or declared invalid as the result of a law, regulation or decision handed down by a competent court, the parties shall confer to agree on one or more provisions to replace the invalid provision(s), so as to preserve, insofar as possible, the intent of the original provision(s). All other stipulations of the Charter shall remain in force to their full extent.