Terms and Conditions.

Terms and Conditions

Article 1. Recitals

The Service Provider offers an IT solution intended for dentists enabling smile design to be produced.

After reading this Agreement, the Client acknowledges having received all necessary information to subscribe to the Services at the time of accepting this Agreement.

Article 2. Definitions

The terms defined below shall have the following meanings between the Parties:

- « Client » : Natural person or legal entity contracting with the Service Provider

- « Agreement » : contractual whole formed by these General Terms of Sale;

- « Personal Information » ou « personal data » : means any information relating to an identified or identifiable natural person « data subject »). An « identifiable natural person » is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

- « Parties » : the Client and the Service Provider;

- « Service Provider » : Deepsmile Technology, a company in société par actions simplifiée, listed with the Trade and Companies Register (RCS) of Aix en Provence under No. 848407987, whose registered offices are located in Aix en Provence, at 37 Boulevard Aristide Briand – email address: contact@udini.com – intracommunity VAT No. FR 39 848407987;

- « Services » : all services by the Service Provider, as described in the appendix, « Description of the Services » ;

- "Solution": IT solution allowing access and use of the Services, presented in the form of a mobile application, available for iOS and Android, which may be used by the Customer;

- « Processing » : means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

- « User » : natural person having permission to access the Services that are the subject of this Agreement.

Article 3. Purpose

The purpose of this Agreement is to define the terms and conditions under which the Service Provider:

- Grants the Client, who agrees, a right to access the Solution and to use the Services;

- Provides the Client the ancillary services to enable such access and use.

Article 4. Contractual Documents

The contractual documents are, in descending order of priority:

- Any amendments to the Agreement;

- The Agreement;

- The appendices to the Agreement;

In the event of a contradiction between documents of a different type or different rank, it is expressly agreed between the parties that the provisions contained in the higher ranking document shall take precedence for obligations subject to a conflict of interpretation. In the event of a contradiction between the terms of documents of the same order, the most recent documents shall take precedence over the others.

Notwithstanding the contract interpretation rules defined in the French Civil Code, the ranking criteria shall be applied according to the following principles:

- Obligation by obligation;

- Or, otherwise, paragraph by paragraph;

- Or, otherwise, clause by clause;

Article 5. Requirements

5.1 Legal capacity

The Client hereby acknowledges that it has full legal capacity, competence, and the resources necessary to subscribe to the Services.

Article 6. Subscribing to the Services

The use of the Services requires the creation of a customer account and taking out a subscription directly on the website, at the address, udini.ai.

The Client shall fill out the different fields on the online subscription form, with it being specified that mandatory fields are marked with an asterisk. In particular, the Client shall create their login ID and password, which must be compliant with the recommendations of the French Data Protection Authority (CNIL) regarding the creation of passwords in order to ensure security, otherwise, it will be rejected.

He chooses a subscription plan, knowing that the monthly and annual subscription contract are automatically renewable:

- Free trial formula, where the user has one month offered to test the service;

- Monthly formula, the user is committed for one month;

- Annual formula, the user is committed for one year;

The Client has read the Agreement and checked the box, « I have read and expressly agree to these General Terms of Sale, » formalizing their acceptance. If the Client does not the subscription process is interrupted.

The Customer chooses a method of payment, except when he chooses the Free Trial option offered by the Service Provider. He is then directed to a secure page on which he fills in his banking information.

The Client is then asked to verify all of the information entered. In the event an error, they can change the information directly in the fields of the subscription form. The Client then validates their subscription on the subscription form selected.

The Customer receives a subscription confirmation email at the address completed in the online subscription form with a download link of the mobile application on the Apple store or the Google play store.

The Client hereby agrees to make sure that the Client’s information is accurate and thorough and to update it regularly. The Client may edit their information any time by going to the « My Account » section.

Article 7. Effective Date – Duration

This Agreement will take effect starting from the date on which the subscription is taken out by the Client.

The Agreement shall have an initial duration of one (1) month (monthly subscription) or one (1) year (annual subscription) and may be renewed tacitly in monthly or annual periods, depending on the subscription plan, unless waived by either of the Parties in accordance with the article entitled « Cancellation » in this Agreement.

Article 8. Enforceability – Changes to the Agreement

Any subscription by the Client shall constitute an irrevocable acceptance of the Agreement, which henceforth become enforceable upon the Client. The acceptance of the Agreement cannot be called into question except within the limits provided for herein.

The current General Terms of Sale in effect are accessible at any time by the Client at the address, udini.ai. The Client has the option to save and print this Agreement using the standard features of their web browser.

The Agreement is subject to change or adjustment at any time by the Service Provider with each new monthly or annual subscription period, depending on the subscription plan.

In the event of a change to the Agreement, the new General Terms of Sale shall be notified to the Client and take effect one (1) month after the notification of the new provisions.

Article 9. Provision of the Services

9.1 Scope

The specifications for the Services are contained in the appendix, « Description of the Services ».

9.2 Compliance

The Client agrees to test the Services that are the subject of this Agreement before any professional use thereof. The use of the Services implies the definitive acceptance of said Services.

9.3 Suspension of the Services

However, the Service Provider reserves the right to restrict the access to the Services, totally or partially, in order to conduct maintenance, in the context of scheduled outages, its computer configuration, and infrastructure used to provide the Services.

9.4 Changes to the Services

The Service Provider reserves the right to make any technical decision aimed at improving the Services, subject to ensuring their continuity and backward compatibility.

Article 10. The Client’s Obligations

10.1 Obligations regarding the use of the Services

The Client agrees to:

- Use the Services loyally, in compliance with this Agreement, and current legislation and regulations in effect;

- Work with the Service Provider, and in particular to report to the Service Provider any breakdown of the Services that they observe and any manifestly unlawful content;

The Client also agrees to comply with all obligations contained in the appendix, « Description of the Services. »

10.2 Improving the Solution and Services

The Client agrees to contribute to improving the Solution and Services, by reporting any malfunctions and, as applicable, suggesting any improvements. With that in mind, the Client is invited to contact the Service Provider or pass that commitment along to the User(s):

- By email: contact@udini.com.

10.3 Respect for patients’ rights

The Client, as the data controller for the patients’ Personal Data, is exclusively responsible for:

- Information related to the processing of Personal Data;

- Collecting the consent from each patient, as a basis for the lawfulness of the data processing.

The Client and each User are also obligated to comply with all applicable patients’ rights derived from the data protection regulations.

As applicable, the Service Provider may advise the Client regarding resources to be implemented and/or provide informational notice templates appropriate for one or more data processing operations.

However, providing information, gathering consent, and respecting patients’ rights shall be carried out by the Client by any means the Client deems appropriate to their organization.

Article 11. Property

The Services are the property of the Service Provider.

All the elements composing the Solution, including the interfaces made available to the Customer and / or Users in the context of the execution hereof, the information provided by the Service Provider to the Client are and remain the exclusive property of the Service Provider.

Consequently, the Client is prohibited from any schemes or acts that may directly or indirectly infringe upon the intellectual property rights over the Services, as well as, generally speaking, the associated trademarks.

The Service Provider grants the Client, who accepts it, a non-exclusive and non-transferable right to access and use the Services, for the full duration of this Agreement.

Access and use not expressly authorized by the Service Provider under this Agreement is unlawful, in accordance with the Provisions of Article L.122-6 of the French Intellectual Property Code.

Thus, the Client is prohibited from:

- Any performance, diffusion, or distribution of the Services, whether in exchange for consideration or free of charge, and in particular any networking not established by this Agreement.

- Any form of use of the Services, in any manner whatsoever, for the purposes of designing, creating, distributing, or marketing similar or equivalent substitution services;

- Adapting, modifying, transforming, arranging the Services, for any reason whatsoever, including to correct errors;

- Any direct or indirect transcription, any translation into other languages of the Solution and the Services;

- Any use for processing not authorized by the Service Provider;

- Any modification or deviation of the production code, notably including passwords or logins.

Article 12. Maintenance of the Service

12.1 Support

The Client and/or Users may report any difficulties and questions regarding the functioning of the Services. To do so, the Service Provider has made resources available, such as email, ticketing tools, the terms and conditions of which are supplied in the appendix to this Agreement entitled, « Description of the Services. »

The responses shall be provided by the Service Provider using the method by which it was contacted.

12.2 Corrective Maintenance

The corrective maintenance service consists of correcting any reproducible anomaly that appears in the use of remote access to the Services, according to the terms and conditions contained in the « Description of the Services » appendix.

It is the Client’s responsibility to refer to the Service Provider’s instructions before each support request, in order to be able to accurately, thoroughly describe the problems encountered.

Any anomaly shall be identified by the Client and reported to the Service Provider using the appropriate support resource, with sufficient precision so that the latter may take action. An incomplete or unfounded notification will release the Service Provider from its obligations.

While awaiting a permanent solution, the Service Provider may recommend a temporary workaround solution.

12.3 Scalable Maintenance

Updates to the Solution and Services may be released by the Service Provider, as they become available.

Such updates, that are decided unilaterally by the Service Provider, shall be made available to the Client by remote access from its server at no additional cost.

The Client is informed that certain updates may require additional services to be performed.

12.4 Exclusions

Maintenance will not be provided in the following cases:

- Version used is no longer a currently supported version;

- The Client refuses to accept an update offered by the Service Provider;

- Use of the Services not in compliance with the Agreement;

- Unauthorized intervention by the Client or a third party;

- Anomaly generated by the Client’s or User’s hardware or software or their access equipment;

In such cases, the Client may not claim any compensation.

Article 13. Hosting

Hosting of the Services is provided by a third-party host, referred to in the appendix entitled « Protection of Personal Information » in the « sub-processing » clause.

Article 14. Protection of Personal Information

As part of their contractual relations, the Parties hereby agree to comply with the applicable regulations governing personal data protection, including Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, also known as the « GDPR, » and any subsequent regulations.

The Client in this context acts as the data controller and the Service Provider acts as the processor within the meaning of the General Data Protection Regulation.

In this capacity, the Service Provider hereby agrees to process the Personal Data entrusted to it under the Agreement in compliance with the Client’s written instructions as contained in the « Data Protection » appendix.

Article 15. Compensation for the Services

15.1 Price

In exchange for the performance of the Services, the Client agrees to pay the price corresponding to their subscription. The prices are those listed on the udini.aiwebsite as of the day of the Client’s order.

The prices are specified excluding taxes and are charged including taxes, particularly the VAT in effect as of the billing date.

15.2 Changes to the Prices

The Service Provider is free to change the prices for its Services. Price changes shall be applicable to all subscriptions, particularly those in progress. In that case, the Client shall be informed of the price change by any means one (1) month before the new rates take effect.

If the Client rejects the price increase applied to the Services, they may cancel their subscription at any time.

15.3 Payment Deadlines and Terms

Invoices are prepared on a monthly or annual basis, and shall be paid in euros including taxes by bank card online or by automatic monthly withdrawal as of the billing date for the month or year in advance.

When payment is made by automatic withdrawal, the Client shall immediately inform the Service Provider if any change in direct debit information.

In the event of a payment incident, the related banking fees shall be payable by the Client.

In the event of non-payment by the Customer of all or part of an invoice issued in the deadline, the Service Provider may automatically suspend the service or proceed to termination of the contract.

Article 16. Warranties

16.1 Reciprocal undisturbed use warranty

16.1.1 The Service Provider’s warranty

The Service Provider hereby warrants to the Client that it has the necessary rights to grant the right to use the Services.

The Service provider shall be responsible for all damages that the Client may be ordered to pay by a final court ruling based exclusively on the demonstration of infringement.

This commitment is subject to the following express conditions:

- That the Client was notified as soon as possible, in writing, of the infringement suit or declaration preceding an infringement suit;

- That the Service Provider has been able to defend its own interests and those of the Client and, to do so, the Client has loyally collaborated in said defense by providing all elements, information, and assistance necessary to the success of such a defense.

The preceding provisions establish the limits of the Service Provider’s responsibility regarding infringement, patent, and copyrights due to the use of the Services.

16.1.2 The Client’s Warranty

The Client hereby warrants to the Service Provider that it has all of the necessary usage rights attached to its data.

The Client agrees to hold the Service Provider against all legal action, complaints, claims, objections by any person invoking any sort of right to the data communicated by the Client to which the performance of this Agreement is alleged to have caused harm.

In such a case, the compensation or fees of any nature paid by the Service Provider to defend itself, including attorneys’ fees, as well as all damages it may be ordered to pay, shall be paid by the Client.

16.2 Availability Warranty

Starting from the production launch, the Service Provider hereby warrants to the Client that it will be able to remotely access the service levels defined in the appendix entitled, « Description of the Services ».

Article 17. Responsibility

17.1 The Service Provider’s Responsibility

By mutual agreement, the Parties hereby expressly agree that the Service Provider may not be held liable by the Client except in the event of proven misconduct and that, in the context of this Agreement, the Service Provider shall be subject to a best-efforts obligation.

The Service Provider may not be held liable due to disruptions or damages inherent to the Internet or having the characteristics of a force majeure event.

By mutual agreement, the Parties hereby agree that the Service Provider shall not be held liable except for direct damages, and that indirect harm shall be excluded from compensation.

Indirect damages include lost data, time, financing, income, patients, legal action, or image harm, expected results and third-party legal action.

The Service Provider’s responsibility for the Service shall be, by mutual agreement, limited to the amount of the monies actually paid by the Client for the Services for the year in which the damage occurs.

This clause shall remain applicable in the event of the invalidity, cancellation, termination, or elimination of these contractual relations.

17.2 The Client’s Responsibility

The Client agrees to use the Services under its exclusive responsibility. The Client is solely responsible for the use of the Services in compliance with the provisions of this Agreement by each User.

Furthermore, the Client is solely responsible for:

- The suitability of the Services for their own needs, particularly based on the indications supplied by the Service Provider or on its website;

- The compatibility of the hardware and software environment used by each User with the Services.

The Client also warrants the Service Provider against any legal action by a User or a third party, based on the use of the Services.

Article 18. Force majeure

Initially, force majeure events shall suspend the performance of the Agreement.

If the force majeure events last longer than two months, this Agreement shall be terminated automatically, unless the parties agree otherwise.

The following are expressly considered force majeure events or acts of god, those usually accepted by French case law and courts, as well as the following events:

- War, riots, fires, internal or external strikes, lockouts, occupancy of the Service Provider’s facilities, storms, earthquakes, floods, water damage, statutory or government restrictions, statutory or regulatory changes to forms of sale, any sort of accidents, epidemics, pandemics, diseases affecting over 10% of the Service Provider’s staff within a period of two consecutive months, the lack of energy supplies, partial or total shutdown of the Internet network and, more generally speaking, of the private or public telecommunications networks, blocked roads and inability to obtain supplies or any other event outside the express control of the parties preventing the normal performance of this Agreement.

Article 19. Insurance

The Service Provider hereby warrants that it has taken out an insurance policy with a reputably solvent insurance company based in France for all financial consequences of its civil, professional, criminal and/or contractual liability due to physical, material, and immaterial harm caused to the Client and to any third party in the performance of this Agreement.

Article 20. Subcontracting

This Agreement may be the subject of subcontracting by the Service Provider according to the terms and conditions contained in the « Data Protection » appendix.

Article 21. Confidentiality

In the context of this Agreement, considered confidential are the Service Provider’s Services, their features, computer applications, data templates, graphic interfaces, as well as the ideas, principles, know-how, methods behind the Services, algorithms, data organization, browsing, and any other element included in the Services, referred to hereinafter as the « Confidential Information. »

The Client hereby agrees that the Confidential Information:

- Must be protected and kept strictly confidential;

- Must be protected and kept strictly confidential;

- Must not be disclosed, or be likely to be directly or indirectly disclosed to any third party;

- Must not be disclosed internally except to the members of the Client’s staff that need to know the contents thereof;

- Must not be used except within the purpose specified in the recitals of this commitment and exclusively in the context of performing this Agreement, and particularly must never be used for the purpose of creating a competing or similar service;

- Must not be copied or reproduced, or duplicated, totally or partially.

Furthermore, the Client hereby agrees:

- Not to infringe, in any way, on intellectual property rights;

- To retain any copyright wording and other property right mentions contained on the various elements and documents provided, whether originals or copies.

For its part, the Service Provider agrees to respect the confidentiality of the Client’s data under the terms and conditions provided for in this Agreement.

Article 22. Termination

22.1 Termination for Breach

In the event of failure by one of the Parties to comply with any obligation hereof, and in particularly those indicated in Article 7 of the Contract, the other Party may pronounce automatically the termination or termination of the Contract without prejudice to any damage and interests to which it could claim under the present.

22.2 Subscription Termination

In the event of a monthly or annual subscription, the subscription contract can be terminated at any time by the customer before the date of the next renewal. The service provider can cancel the subscription at any time by simple email.

Any payment for the current month shall remain payable.

Article 23. Consequences of the end of the Agreement

In the event of the cessation of contractual relations, for any reason whatsoever, the Service Provider shall destroy, as soon as possible after the cessation of contractual relations, any data supplied by the Client to the Service Provider.

In this context, access to the Services will no longer be permitted and the Client hereby agrees to no longer use or attempt to use the Services.

Article 24. General Provisions

24.1 Commercial references

Each of the Parties may mention the name of the other party as a commercial reference in accordance with standard business practices.

24.2 Evidence

The computerized registries retained in the Service Provider’s computer systems, under reasonable security conditions, shall be considered proof of the communication and sending of registration forms, as well as the various transmissions of information by the Client to the Service Provider enabling the Service Provider to conduct the processing desired by the Client.

In the event of a conflict between the Service Provider’s computerized registries and any of the Client’s documents on written media or electronic files, it is hereby expressly agreed between the Parties that the Service Provider’s computerized registries shall take precedence over the Client’s documents and alone shall be admissible as evidence.

24.3 Tolerance

The Parties mutually agree that the fact that one of the Parties tolerates a situation shall not have the effect of granting the other Party any rights.

Moreover, such tolerance shall not be interpreted as waiving the rights in question.

24.4 Sincerity

The Parties hereby declare that these commitments are sincere.

In this respect, the Parties warrant that they do not have any elements that, to their knowledge, if they had been communicated, would have changed the other Party’s consent.

24.5 Independence of the Parties

The Parties acknowledge that they are each acting on their own behalf as parties independent from one another and expressly declare that they are and shall remain, for the duration of this Agreement, independent partners and professionals.

This Agreement does not constitute any partnership, or franchise, or mandate given by either of the Parties to the other Party and may not in any case be interpreted as a sales agent agreement or any representation agreement, without the express consent of the Parties.

Neither of the Parties shall make a commitment in the name of and on behalf of the other Party, without the express consent of the Parties.

Furthermore, each of the Parties remains solely responsible for its actions, allegations, commitments, services, products, and staff.

24.6 Titles

In the event of difficulties in interpretation resulting from a contradiction between any of the titles contained at the top of the clauses and any of the clauses, the titles shall be declared non-existent.

24.7 Invalidity

If one or more provisions of this Agreement are found to be invalid or are declared as such in accordance with a law, regulation, or following a res judicata decision handed down by a competent court, the other provisions shall retain their full force and scope.

24.8 Full agreement

This Agreement cancels and replaces all quasi-contracts, implicit and explicit commitments, and promises on the same subject as this Agreement.

However, the purpose of this clause is not to prevent the use of said documents but to evaluate in legal terms the quality of the consents granted in the formation of this Agreement.

24.9 Transfer of the Agreement

This Agreement may not be the subject of a total or partial transfer, in exchange for consideration or free of charge, by either of the Parties, without the prior written consent of the other Party.

24.10 Addresses for Service

For the performance of this Agreement and unless there are special provisions to the contrary, the Parties hereby agree to send all correspondence to their respective registered offices.

Any change in address shall be reported to the other Party by registered letter with acknowledgment of receipt.

24.11 Governing Law

This Agreement is governed by French law.

The same applies to substantive rules and formal rules, with the places of performance of the substantive or ancillary obligations notwithstanding.

24.12 Indivisibility

This Agreement forms an indivisible whole, so that one of the legal operations may not take place without the obligations under the Agreement being carried out simultaneously.

24.13 Prescription

All legal actions between the parties shall be considered lapsed, excluding public policy provisions, if they have not been introduced within a period of two years starting from the first claim notified by registered letter with acknowledgment of receipt.

24.14 Forum Selection Clause

In the event of a dispute regarding all of the contractual or extra-contractual relations, express jurisdiction is hereby granted to the District Court of Aix en Provence, multiple defendants or being called in as a third party notwithstanding, even for urgent proceedings or protective urgent or on-demand proceedings.

Article 25. List of Appendices

The appendices to this Agreement are as follows:

- Appendix 1: Description of the Services

- Appendix 2: Data Protection

Appendix 1 Description of the services

1. Features

Smile design solution presented on the udini.ai website

2. Support

Support is provided by the Service Provider through email responses No intervention at the Client’s site is provided for in the context of this Agreement.

APPENDIX 2 DATA PROTECTION

1. Recitals

As part of the performance of the Agreement by the Service Provider, the Service Provider may access the personal data of patients or Users, in the context of the performance of the Services which constitutes personal data Processing within the meaning of the current data protection regulations.

The Service Provider acknowledges the strictly confidential nature of all personal data to which it thus has access. Consequently, the Service Provider acknowledges that all of the data processed in the performance of the Agreement:

- Is subject to compliance with the regulations applicable in France and in the European Union on the subject of personal data protection (hereinafter, the « data protection regulations »), notably including:

- The French Data Protection Act;

- The General Data Protection Regulation;

- As applicable, texts adopted in the European Union and local laws that may apply to the personal data processed under the Agreement;

- The texts and decisions issued by data protection authorities, particularly the French Data Protection Authority (hereinafter, « CNIL »);

- As applicable, the texts, recommendations established or taken up as such by the European Data Protection board or any organization or authority in the personal data protection sector;

- As applicable, the industry reference systems applicable to personal health data Processing.

- Falling under privacy and professional secrecy

2. Purpose

This appendix is an integral part of the Agreement and its purpose is to specify the conditions under which the Service Provider is committed to perform on behalf of the Client the personal data Processing operations under the Agreement.

3. Description of the Processing to be subcontracted

The Service Provider is authorized, throughout the full duration of the Agreement, to process on behalf of the Client the personal data required to provide the following services: export, analysis, installation, configuration, monitoring, maintenance, support, hosting, deletion.

The operations conducted on the personal data are as follows:

- User account creation;

- Managing data streams;

- Loading and downloading data;

- Data transformation;

- Data hosting;

- Data deletion.

The purposes of the Processing are as follows: making it possible to transform the images uploaded by the User according to the standard defined in the appendix entitled, « Description of the Services ».

The personal data processed are as follows:

- Photos of the patients’ face and teeth;

- Data regarding the identity, authentication and actions of the Users.

The categories of data subjects are as follows:

- Patients;

- les Utilisateurs.

The persons authorized to process personal data under the Agreement are as follows:

- The Service Provider’s staff (technicians, engineers);

- The Service Provider’s subcontractors as mentioned in the « Subcontracting » clause of this appendix;

- (.).

4. The Service Provider’s Obligations to the Client

The Service Provider shall make its best efforts to ensure to the Client that its legal and regulatory obligations will be respected, particularly the data protection regulations, in addition to compliance with its obligations under this Agreement.

Thus, the Service Provider shall make its best efforts in order to:

- Process the Personal Data only for the purposes of the subcontracting referred to above;

- Process the Personal Data in accordance with the Client’s documented instructions regarding transfers of personal data to a third party country or international organization. If the Service Provider feels that an instruction constitutes a violation of the data protection regulations, it shall immediately inform the Client of that Furthermore, if the Service Provider is obligated to conduct a personal transfer to a third party or to an international organization under a mandatory legal provision in the European Union or the law of the Member State to which it is subject, it must inform the Client of that legal obligation before Processing personal data, unless the law concerned prohibits such a disclosure for significant reasons of public interest;

- Ensuring the confidentiality of the Personal Data processed. Thus, the Service Provider shall take all measures for preventing any unauthorized, malicious, or fraudulent use of the Personal Data

- Refrain from:

- Processing and/or consulting the Personal Data for purposes other than the performance of the services that it provides to the Client under the Agreement, (even if access to such data is technically possible);

- Disclosing, in any form whatsoever, all or part of the personal data processed;

- Making copies or storing, regardless of the form or purpose, all or part of the personal information or data contained on the media or documents which have been entrusted to it or which it has collected in the performance of the Agreement, outside of the cases covered by this appendix.

- Make sure that the persons authorized to process the personal data under the Agreement:

- Agree to respect the confidentiality thereof or are subject to an appropriate legal non-disclosure obligation;

- Receive the necessary information on data protection.

- Take into account, with regard to its tools, products, applications, or services, data protection principles starting from the design and default data protection in Article 25 GDPR.

The Parties agree to define the concept of instruction as being received when the Service Provider is acting in the context of the performance of this Agreement.

5. Processors

The Client hereby authorizes the Service Provider to subcontract out all or part of the services to a processor, within the meaning of the data protection regulations, particularly to a country not located in the European Union under the reservations listed in the article entitled, « Cross-Border Streams of Personal Data » in this appendix.

In all cases, the Service Provider shall make its best efforts to:

- Inform and sign with its sub-processor a written agreement requiring the processor to comply with the same data protection obligations as those established in this appendix and in this Agreement;

- Pass on to its processor all necessary obligations in order to ensure compliance with the confidentiality, security, and integrity of the data, and so that said data may not be transferred or leased to a third party, free of charge or otherwise, nor used for purposes other than those specified in this appendix;

- Inform the Client of any planned change regarding the addition or replacement of other sub-processors.

When sub-processors do not meet their personal data protection obligations, the Service Provider shall remain fully responsible with regard to the Client for the performance by sub-processors of their obligations.

6. The Rights of Data Subjects

It is the Client’s responsibility to provide the information (in accordance with the requirements of the data protection regulations, and in particular Articles 13 and 14 GDPR) to the data subjects of the Processing operations when their Personal Data is collected and to gather their consent for the processing of their data.

To the extent possible, the Service Provider shall help the Client to provide the aforementioned information and to fulfill its obligation to follow up on requests to exercise the rights of Data Subjects, and particularly the following rights: right of access, correction, deletion, and objection, right to limit Processing, right of data portability, right not to be the subject of an automated individual decision.

7. Notification of Personal Data Breaches

The Service Provider shall notify the Client as soon as possible after finding out about any personal data breach, or any security breach resulting, accidentally or unlawfully, in the destruction, loss, alteration, or unauthorized disclosure of the personal data transmitted, processed, or stored in a manner not compliant with the Client’s instructions and with the data protection regulations, or unauthorized access of such Personal Data, and by any means.

The Service Provider shall communicate, at the same time or subsequently (but promptly, in any case), all useful documentation in order to enable the Client, if necessary, to notify and/or communicate that breach to the competent data protection authority (hereinafter, « CNIL »).

The Client also agrees to notify the Service Provider, as soon as it finds out, of any personal data breach by any means.

8. Support from the Service Provider in the context of compliance by the Client with its obligations

The Service Provider shall help the Client, to the extent possible, in complying with its obligations under the data protection regulations, including:

- Its obligations to notify CNIL or inform the data subject of a personal data breach;

- Its prior consultation obligation toward CNIL, referred to in Article 36 GDPR.

Furthermore, when the Client decides or is forced to conduct an impact assessment regarding data protection for one or more of the Processing it conducts, the Service Provider shall make its best efforts to support the Client in conducting such assessments. Such services will be the subject of a separate invoice issued by the Service Provider.

In the event of a CNIL audit, the Parties agree to cooperate with one another and with CNIL. More particularly, in the event of an audit conducted at the Service Provider’s site regarding the Processing implemented in the name of and on behalf of the Client, the Service Provider shall immediately inform the Client of that and make no commitments on its behalf.

In the event of a CNIL audit at the Client’s site, dealing in particular with the services provided by the Service Provider, the latter shall cooperate with the Client and provide it with all information it might need or which may prove necessary.

9. Security measures

9.1. General security measures applicable to all Processing

In accordance with the data protection regulations, the Service Provider shall make its best efforts to take all useful precautions, particularly with regard to the nature of the personal data and the risks presented by Processing, in order to protect the security and confidentiality of the personal data transmitted, processed, or stored, and to prevent its deformation, alteration, damage, destruction, accidentally or unlawfully, loss, disclosure, and/or any access to such data by third parties not authorized in advance, accidentally or unlawfully.

The Service Provider shall make its best efforts to implement all appropriate technical and organizational measures to protect the personal data, taking into account the current state of knowledge, the costs of implementation, and the nature, scope, context, and purposes of the Processing, as well as the risks, whose degree of probability and severity vary, for the rights and freedoms of natural persons, in order to ensure a level of security adapted to the risk.

In this capacity, the Service Provider shall make its best efforts to conduct the Processing outsourced by the Client under this Agreement and, depending on the needs, to implement the following measures based on current standards, as applicable drawing inspiration from the rules derived from the general health IT systems security policy published by ASIP Santé:

- Pseudonymization and encryption of Personal Data;

- Informing and raising awareness of its staff, particularly by having each person acting on behalf of the Service Provider sign:

- An individual non-disclosure agreement attached to their employment contract;

- An individual commitment limiting their actions to the sole purposes of the assignment entrusted to them;

- Access to data using an authentication method compliant with CNIL recommendations;

- Specifying permission profiles, elimination of obsolete access rights and limiting access to administration tools and interfaces solely to authorized persons;

- Use of automatic tracking systems (logs);

- Specifying a security policy adapted to the risks of Processing and including security objectives as well as the physical, logical, and organizational security measures making it possible to achieve those objectives;

- Using resources for ensuring the ongoing confidentiality, integrity, availability, and resilience of the solution and Processing services;

- Using resources making it possible to reestablish the availability of Personal Data and access thereto within appropriate time limits in the event of a physical or technical incident;

- Implementation of a procedure aimed at regularly testing, analyzing, and evaluating the effectiveness of the technical and organizational measures to ensure the security of Processing;

10. Fate of Personal Data

With regard to data concerning patients:

- the only identifying data stored are those useful for the customer, in the aim to enable it to find them in its history;

- Non-identifying data are retained in a form that does not make it possible to re-identify patients, in order to enable development of the tool.

With regard to data concerning the User(s):

- Data regarding the User accounts and the Client’s account are deleted at the end of the subscription;

- Data related to connections to and use of the Services are stored over a rolling period not to exceed six months.

Within the aforementioned time limits, the Service Provider shall destroy the Personal Data, except in the event of a mandatory provision to the contrary resulting from EU law or the law of a European Union Member State applicable to the Processing that is the subject of this Agreement.

11. Data Protection Officer

The Service Provider shall provide the Client with the name and contact information of its Data Protection Officer, if one has been appointed, in accordance with Article 37 GDPR.

12. Register of Processing activities categories

The Service Provider shall keep a register of all categories of processing activities performed on behalf of the Client, in accordance with the provisions of Article 30 GDPR.

13. Cross-border streams of Personal Data

To date, no data transfer to a third-party country not belonging to the European Union, or to an international organization has been conducted.

In the event of such a transfer, the Service Provider shall obtain the Client’s prior written consent. If such consent is given, the Service Provider shall make its best efforts to cooperate with the Client in order to ensure:

- Compliance with procedures making it possible to comply with the data protection regulations;

- If necessary, entering into one or more contracts for establishing cross-border streams of personal data. To the extent possible, the Service Provider agrees in particular, if necessary, to sign such contracts with the Client and/or to obtain the conclusion of such contracts by its sub-processors. To do so, it is hereby agreed between the parties that the standard contractual clauses published by the European Commission will be used to establish cross-border streams of personal data.

14. Documentation

The Service Provider shall provides the Client with all necessary documentation in order to demonstrate compliance with all of its obligations and to enable audits to be conducted, including inspections, by the Client or another auditor appointed by it, and to contribute to such audits.

15. The Client’s Obligations to the Service Provider

The Client shall make its best efforts to ensure to the Service Provider that its legal and regulatory obligations will be respected, particularly the data protection regulations, in addition to compliance with its obligations under this Agreement.

The Client agrees to:

- Enable the Service Provider to access the Personal Data concerned by the Agreement;

- Document in writing any instruction regarding the Processing of Personal Data by the Service Provider, in the context of this Agreement;

- Oversee, before and during processing, compliance by the Service Provider with the obligations provided for by the data protection regulations;

- Supervise the processing, including conducting audits and inspections at the Service Provider’s site.