GENERAL TERMS AND CONDITIONS OF SALE AND USE

The present general terms and conditions of sale and use, also referred to as the “Contract”, are agreed to between the undersigned:

The FORMETRIS company, a limited liability company with a capital of 62.871 Euros, headquartered at 109 rue Montmartre 75002 Paris, registered with the Paris Trade and Companies Register under number 480 191 485,

The Client, having explicitly accepted the business proposal of FORMETRIS, hereafter referred to as the “Client,”

Collectively referred to as “the Parties”

FORMETRIS is a company specialised in the evaluation of training courses, seminars and events and in post-training self-coaching. Its services are provided through on-line software in SaaS mode, specially created by FORMETRIS (hereafter referred to as the “Software”).

The Client’s acceptance of a business proposal issued by FORMETRIS and/or an estimate signed by the Client or its representative acting on its behalf implies the unconditional acceptance by the Client of the following general terms and conditions of use and sale.

The general terms and conditions of sale and use are equally valid in case of a free test of FORMETRIS solutions.

ARTICLE 1 – DEFINITION

The Client designates the company or organization having bought the on-line training, seminar evaluation or self-coaching Service of FORMETRIS.

The User designates, within the Client’s organization, the administrator of the FORMETRIS tools or the sponsor of a self-coaching Service.

The Trainee designates the Client’s collaborator who is benefiting from a training course or event that is the subject of an evaluation and/or follow-up by FORMETRIS.

ARTICLE 2 – DEFINITION OF FORMETRIS’ SERVICE

FORMETRIS’s Service takes several cumulative forms:

2.1. EVALUATION OF TRAINING COURSES

Availability to the Users of a dedicated account on FORMETRIS’s on-line platform offering access to a number of functions allowing one to send training evaluations to Trainees, generate evaluation reports and analyze results.

The list of evaluation functions available to the Users is specified in the business proposal accepted by the Client. The principal functions that may be activated include: a quiz before or after training, initial evaluation, follow-up evaluation, evaluation by the Trainee’s manager, collecting feedback from the trainer, access to a library of standard questionnaires in 16 languages, access to 10 on-line analysis tools, access to a support team.

2.2. EVALUATION OF SEMINARS AND EVENTS

Availability to the Client’s Users of a dedicated account on FORMETRIS’s on-line platform offering access to a number of functions allowing one to send on-line questionnaires to Trainees and generate inquiry reports.

2.3. CONTENT OF THE SERVICE – FIL: post-training self-coaching tool

Availability to Trainees of a personal on-line post-training follow-up space and an iPhone/Android mobile application allowing them to do activities of different natures (thought, elaboration of action plans, feedback exercises, etc.) with the goal of favoring the implementation of their training course.

FORMETRIS makes Trainees’ usage statistics for this platform available to Users.

2.4. OPERATIONAL ASSISTANCE FOR THE SOFTWARE

FORMETRIS will make available to its Users, for the duration of the service, operational assistance by email and telephone during the following hours: Monday to Friday from 9 a.m. to 6 p.m. (CET), except bank holidays in France. This assistance provides responses to technical questions to Users within two (2) working days.

In addition to the user guides and video tutorials made available to them, Users also have at their disposal a step-by-step steering webinar at the price of 250 euros before tax per webinar of 2 hours maximum.

ARTICLE 3 – MEANS OF USING THE SERVICE

3.1. ACCESS TO THE SOFTWARE

3.1.1. Means of access to the User space

Evaluation of training courses and Seminars (2.1 and 2.2): The User can access the Software and his personal space via the site www.FORMETRIS.com, by means of an identification name and a personal password, communicated by FORMETRIS to the User by email.

Access to the Software requires no installation or supplementary material on the User’s computer.

FIL (2.3): each Trainee accesses his personal space on-line via a personal secured link that is provided by FORMETRIS by email.

Access to the FIL iPhone/android mobile application is done from a mobile telephone connected to the internet by the Trainee using the personal identification codes provided by FORMETRIS.

Access to FORMETRIS’s Services requires internet access. Such access is not included in FORMETRIS’s Service and the Client is personally responsible for internet access with the service provider of its choosing. FORMETRIS cannot be held responsible for any malfunction of the internet or any antivirus protection system installed by the Client.

Users and Trainees undertake to immediately notify FORMETRIS of any theft or breach of confidentiality pertaining to their IDs and passwords.

The Software programs of FORMETRIS are compatible with the following browsers:

– Google Chrome™: last stable versions

– Mozilla® Firefox®: last stable versions

– Microsoft® Internet Explorer®: versions 9, 10 and 11

– Apple® Safari® for macOS: last stable versions beginning with 9.x

– Microsoft® Edge®: last stable versions

For optimal use, Users and Trainees are recommended to use the latest version of their browser supported by FORMETRIS.

Cookies and JavaScript must be activated to use the service.

3.2. REMINDERS

Evaluation of training courses and Seminars (2.1 and 2.2)

The Training / Seminar or Event to be Evaluated must be registered on the Software by the User at least two (2) working days before the end date of the Training / Seminar or Event to be Evaluated. Otherwise, each day of delay may result in a one-day delay in the performance of the Service.

Email reminders are performed to obtain an optimal response rate. These Reminders will be limited to three (3) email Reminders per Trainee.

Any additional reminders are subject to additional charges.

FIL (2.3)

The information necessary for the on-line self-coaching Service must be provided by the User at least three (3) working days before the end of the Training Course that is the subject of a self-coaching follow-up. If not, each day of delay can result in a delay of one day in the performance of the Service.

Trainees are invited to use the FIL self-coaching tool by email by making an appointment at their convenience on FORMETRIS’s internet site. Each meeting thus scheduled is followed by a specific invitation communicated to the Trainee by FORMETRIS by email and in his electronic agenda if applicable.

FORMETRIS sends to the Trainees a reminder by email one hour before each FIL meeting. If the Trainee does not honor the FIL meeting, FORMETRIS will send as many as three (3) reminders by email after each missed meeting over a period of 1 month.

The mobile FIL application allows the User to configure the frequency of the application’s notifications: once per day at the most, up to 7 times per week, or never.

(2.1, 2.2, 2.3) While FORMETRIS commits itself to reminding Trainees, FORMETRIS has only an obligation of means and is not obliged to achieve a minimum response rate from the Trainees. FORMETRIS is not obliged to remind Trainees should their email addresses prove to be incorrect.

ARTICLE 4 – RESPONSIBILITIES OF THE PARTIES

FORMETRIS has an obligation to provide its best endeavour.

FORMETRIS will make competent personnel available to perform the Service within the agreed timeframes.

ARTICLE 5 – INTELLECTUAL PROPERTY

5.1. OWNERSHIP OF THE SOFTWARE AND THE SITE

5.1.1. FORMETRIS is and remains the sole owner of the Software, Website, methods, process, questionnaires, analysis tools, techniques, development and knowledge used during performance of the Service, as part of the Contract (hereinafter referred to together as the “FORMETRIS System”), which the Client expressly acknowledges.

In this capacity, FORMETRIS is vested with all rights, including copyrights, on the FORMETRIS System, in accordance with the Code of Intellectual Property.

The Client is prohibited from any reproduction and/or representation of the FORMETRIS System, whether in whole or in part, of any kind.

The Contract does not transfer any ownership or rights of any kind to the Client for the FORMETRIS System; the Client only has the right to temporary and partial use of the FORMETRIS System within the framework of this Contract.

5.1.2. All trademarks, photographs, texts, comments, illustrations, animated and still images, video sequences, sounds, and all computer applications that could be used to operate the Site and the Software, and more generally all elements used or reproduced on the Site and the Software, are protected by the relevant intellectual property laws in force.

They are the sole and exclusive property of FORMETRIS or its partners. All reproduction, representation, use or modification, in any form whatsoever, of all or in part of these elements, including computer applications, without the express written permission of the Provider, is strictly prohibited. The fact that FORMETRIS may not initiate proceedings upon becoming aware of any non-authorized use does not constitute acceptance of this use and does not waive its right to prosecute.

FORMETRIS is a semi-figurative French trademark belonging to the Provider, filed with the INPI under number 3892289 and registered on May 18, 2012.

FORMETRIS Intelligent Learning is a French trademark owned by FORMETRIS, registered at INPI under number 4308659 and registered on October 19, 2016.

5.2. OWNERSHIP AND USE OF DOCUMENTS ISSUED BY FORMETRIS

Regarding the content of reports, documents, memos, summary tables and other documents provided or made available to the Client as part of the Service (hereinafter referred to as the “Documents”):

The Parties may use the Documents according to the following conditions:

5.2.1 FORMETRIS agrees to never make public any Documents mentioning the Client’s name and to use them only in an anonymous manner, to perform said inter-client benchmarking analyses.

5.2.2 The Client is free to use the Documents as it sees fit, without restriction, whether it is for personal needs or those of third parties, including its subsidiaries, and to do so freely or for a fee.

The Client may freely communicate the Documents to third parties, and reproduce said reports without limitation. It may also present them publicly or publish the reports in specialized media.

5.3. OWNERSHIP AND USE OF INFORMATION COLLECTED BY FORMETRIS

Regarding information collected by FORMETRIS in the context of its Services for Users and Trainees (hereinafter referred to as “Information”):

The Parties may use the Information under the following conditions:

5.3.1. FORMETRIS may only use the information gathered from the Client’s Users and Trainees (other than personal and nominative information) anonymously and in the context of inter-client benchmark analyses, ranking of the best training courses, general studies concerning training, and this on all types of media (whether material or immaterial) and by all means, across the world and during the entirety of the rights protecting the said information.

5.3.2. Individual Information transmitted by the Trainees (action plan, responses to activities, etc.) in the context of the self-coaching Service (2.3) is not accessible to the Client’s Users, who have no right to ownership of this Information. FORMETRIS maintains the right to use this Information anonymously and can submit analyses to the Client under the condition that these remain anonymous and confidential.

ARTICLE 6 – REFERENCES

The Client authorizes FORMETRIS to include it as one of its business references and to make use of the Client’s name and logo for this purpose on its website, as well as on all media and communication and marketing documents.

ARTICLE 7 – CONFIDENTIALITY

As part of the service, FORMETRIS may have access to the Client’s confidential information. FORMETRIS undertakes to not use this confidential information, whether directly or indirectly (beyond the purposes indicated below). FORMETRIS also undertakes to not disclose this confidential information to a third party (beyond what is agreed within this Contract) and to take all measures necessary to ensure the safekeeping of this confidential information.

FORMETRIS undertakes to enforce this duty upon its employees, parent company, subsidiaries and any prospective sub-contractors.

Furthermore, FORMETRIS will not use the email addresses provided by the Client for the FORMETRIS evaluation process, except to perform the Service. In particular, the Provider will not use the Trainees’ contact information for marketing purposes.

ARTICLE 8 – LIABILITY

FORMETRIS’s liability will be limited to direct material damage caused to the Client resulting from fault attributable to the Provider in performance of the Contract. FORMETRIS is not required to repair damage(s) as a consequence of negligence by the Client or third parties in connection with the execution of the Contract. Under no circumstances shall FORMETRIS be liable to indemnify immaterial or indirect damage such as: operating losses, profit, opportunity, business losses or shortfalls.

FORMETRIS’s liability is, in any case, limited to a capped amount at the price of the Service charged on the day when the damage occurred.

ARTICLE 9 – PRICE

9.1. PURCHASE OF PREPAID PACKAGES

9.1.1. In the event of the purchase of a prepaid package corresponding to the Services of evaluation or self-coaching (2.1, 2.2, 2.3), the Client commits to pay the total amount at the beginning of the validity period. The validity duration of the package must be explicitly indicated by FORMETRIS to the Client in its business proposal, as well as the purchase price and the foreseen number of evaluation and/or self-coaching services.

9.1.2. In the event of non-payment at the beginning of the period, FORMETRIS reserves the right to not begin its Service.

9.1.3. Should the Client need additional services before the end of the validity of the package, a new package will be proposed by FORMETRIS to the Client.

9.1.4. In the event that the Client does not use the entirety of the evaluation or self-coaching services initially foreseen in the package during the limit of the validity period, FORMETRIS is not required to reimburse the Client for them.

9.2. PURCHASE PRICE OF THE SERVICE

The price of the Service will be communicated by FORMETRIS to the Client and must be explicitly agreed to by the Client (signed estimate or order, written acceptance…), and it is here specified that FORMETRIS’s activities are subject to the VAT, which will be paid by the Client in addition to the stipulated pre-tax price. The prices are susceptible to change and must in this case be the subject of a new explicit agreement by the Client.

9.3 PAYMENT METHODS

FORMETRIS’s invoices are payable within thirty (30) days following receipt of the invoice.

Payment is to be done by bank transfer to FORMETRIS’s bank account. The RIB (bank account details) is annexed hereto.

In case of late payment, any balance due will be automatically subject to interest at a rate equal to three (3) times the statutory interest rate.

In case of non-payment of the due sum, FORMETRIS reserves the right to suspend the Service.

All correspondence concerning invoices and payment is to be addressed to: FORMETRIS – 109 rue Montmartre 75002 PARIS (France) or: comptabilite@FORMETRIS.com

ARTICLE 10 – COMMENCEMENT DATE AND DURATION

The Contract is concluded for a precise period of time specified in FORMETRIS’s business proposal. Beyond that, it will be prolonged, unless previously agreed, for successive periods of one (1) year by tacit agreement, unless one of the Parties has ended it by registered letter with acknowledgement of receipt at least three (3) months before the end of the contract.

In the case of prepaid rates (9.1), the commencement date is that of the activation of the first evaluation Service (2.1 or 2.2) or post-training self-coaching (2.3) by the User.

The evaluation process of training courses and/or seminars (2.1 or 2.2) in the process of being evaluated (i.e. training course registered on the FORMETRIS site and having taken place) at the stop date will be carried out. Only these evaluations will be invoiced.

The FIL self-coaching process (2.3) will end according to the wishes of the Trainees. Any self-coaching Service begun during the valid period of the payment gives right to the entirety of the FIL self-coaching course.

The Trainee may access his FIL space and the entirety of his information for one (1) year after the end of the payment’s validity.

ARTICLE 11 – TERMINATION FOR A PARTY’S BREACH OF RESPONSIBILITIES

In case of non-compliance by either Party of its responsibilities under the Contract, it may be terminated at the injured party’s discretion.

It is expressly understood that this termination will be effective ipso jure thirty (30) days after the sending of a formal demand to perform that remains, in whole or in part, ineffective. The formal demand may be delivered by registered letter with acknowledgement of receipt or by any extrajudicial act.

In any case, the injured Party may apply to the court to grant damages and interest, without prejudice to the application of late penalties provided for in this Contract.

ARTICLE 12 – PERSONAL INFORMATION

Personal information collected by the Software and/or the Site is used exclusively by the Provider to perform the Service. It is recorded in the Provider’s client file, and the file developed from personal information is declared to the CNIL.

In accordance with the provisions of law n° 78-17 of January 6, 1978 (amended), relating to data, files and freedoms, the Client, Trainees and Trainers have a right of access, to inquire, modify and remove information that involves them; a right exercisable at any time with the Provider or by post mail at the following address: FORMETRIS. 109, rue Montmartre. 75002 Paris, France.

For security reasons and to prevent fraudulent activity, this request must be accompanied with proof of identity (for example, a copy of an identification card). After processing the request, this proof will be immediately destroyed.

Personal information collected may eventually be communicated to third parties related to the Provider by contract for execution of sub-contracted tasks required for the performance of the Service and without requiring the Client to provide its authorization. In this event, this information will be used by the third party in accordance with the terms of this Agreement.

In case of infringement of the legal or regulatory provisions, personal information collected under the Contract may be the subject of a specific and reasoned request from the legal authorities.

When specific personal information is required to access specific functions of the Software, FORMETRIS will indicate mandatory information required at the time of data entry.

ARTICLE 13 – SUB-CONTRACTING

FORMETRIS may sub-contract, at its option, all or part of the Contract. FORMETRIS will remain responsible for proper performance of the Service to the Client within the terms of the Contract.

ARTICLE 14 – TRANSFER OF CONTRACT

The Contract having been created “intuitu personae”, the Parties will refrain from transferring the Contract, for any reason and in any form whatsoever, for a fee or freely, as well as any of their rights and responsibilities to a third party.

However, these restrictions may not be contrary to the legal requirements of public order, nor with the prior written consent of the Parties.

Nevertheless, the Client and the Provider are authorized to transfer the Contract as part of a sale of their business or of their respective companies, provided that they have notified the other Party at least thirty (30) days prior to the said assignment by registered letter with acknowledgment of receipt.

ARTICLE 15 – CHANGE

The General Terms and Conditions of Sale and Use may be modified by FORMETRIS, which engages itself in this case to make them available to the Client.

No exception to these general terms and conditions of sale and use is permitted without the explicit prior agreement of FORMETRIS.

ARTICLE 16 – FORCE MAJEURE

Each Party’s responsibility cannot be sought if the performance of the Contract is delayed or prevented due to force majeure or equivalent, or due to a fortuitous event, because of another Party or a third party, or external causes such as social conflicts, pandemics, epidemics, intervention of civil and military authorities, declared or undeclared war or hostility, terrorism, riots, natural catastrophes, fires, water damage, malfunction or interruption of the telecommunications network or of the electrical network.

In all cases, the impeded Party will do everything in its power to limit the duration and mitigate the impact of the fortuitous event, the force majeure or the external cause.

In case the event extends beyond a period of three (3) months, the Contract may be terminated by registered letter with acknowledgement of receipt, unless otherwise agreed between the Parties.

ARTICLE 17 – LIMITED EFFECT OF WAIVER

It is officially agreed that any acceptance or waiver of one of the Parties, in the application of all or part of the commitments agreed within the Contract, whatever may have been the frequency and duration, will not be considered as modification of this Contract, nor generate any right whatsoever.

ARTICLE 18 – CONTRACTUAL DOCUMENTS

This contract and its annexes, which form an integral part of it (hereinafter referred to together as the “Contract”), is an expression of the full and complete agreement of the Parties. These provisions cancel and replace any provisions contained in any document relating to the purpose of this Contract that could have been established prior to the effective date of this Contract.

ARTICLE 19 – PARTIAL INVALIDITY

The invalidity or unenforceability of any provision of the General Terms and Conditions of Sale and Use shall not nullify any of the other provisions, which will retain their full force and effect. However, the Parties may, by mutual agreement, agree to replace the invalid provision(s). Any specific agreement concluded between FORMETRIS and the Client will prevail over the General Terms and Conditions of Sale and Use.

ARTICLE 20 – APPLICABLE LAW – CONTRACT LANGUAGE

By express agreement between the Parties, this Contract is subject to French law, to the exclusion of any other legislation.

It was originally written in French. In the event it is translated into one or many languages, the French text shall prevail in case of dispute.

Any dispute relating to the outcome, interpretation, execution or termination of the Contract will be subject to the exclusive jurisdiction of the Tribunal de commerce de Paris (Commercial Court of Paris), including summary proceedings, notwithstanding appeal as collateral or multiple defendants.

GDPR Annex

I. SUBJECT

These clauses define the conditions under which FORMETRIS (“the Data processor”) undertakes to carry out on behalf of the Client the personal data processing operations defined hereinafter.

In the context of their contractual relationship, the parties undertake to respect current regulations applicable to personal data and, in particular, EU Regulation 2016/679 of the European Parliament and the Council of 27 April 2016 applicable from 25 May 2018 (hereinafter, “the European regulation on data protection”).

II. Description of processing for the contracted services

The Data processor is authorized to process on behalf of the Client personal data that is necessary according to the elements described below:

– to provide the following service(s): learning evaluation
– nature of operations performed on the data: data collection relating to training and statistical analysis
– purpose of processing: training courses evaluation, seminars & events evaluation
– personal data processed: name, first name, email address, personal signature
– categories of data subjects: Client’s employees (participants to training sessions and their managers, trainers, HR specialists)
– necessary information provided by the Client to the Data processor: name, first name, email address, information about training sessions (date, location, participants, type of training, etc.)

– to provide the following service(s): FIL: post-training self-coaching tool
– nature of operations performed on the data: data collection relating to training and statistical analysis
– purpose of processing: post-training support
– personal data processed: name, first name, email address
– categories of data subjects: Client’s employees (participants to training sessions and their managers, trainers, HR specialists)
– necessary information provided by the Client to the Data processor: name, first name, email address, information about training sessions (date, location, participants, type of training, etc.)

III. Duration

These clauses have the same duration as the contract they complete.

IV. Obligations of the Data processor toward the Client

The Data processor undertakes to:

1. process data only for the purpose(s) of the service

2. process data in conformity with the Client’s documented instructions as stated in the appendix of this contract.

If the Data processor considers that an instruction is a breach of the European regulation on data protection or any other provision of Union or Member State law relative to the protection of data, he shall immediately inform the Client. Furthermore, if the Data processor is required to transfer data to a third country or an international organization, pursuant to Union law or law of the Member State to which it is subject, he must inform the processing controller of this legal obligation before processing, except if the concerned law forbids such information on the grounds of public interest.

3. guarantee the confidentiality of personal data processed in the context of this contract

4. ensure that persons authorized to process personal data pursuant to this contract:
– undertake to respect confidentiality or are subject to an appropriate legal confidentiality clause
– receive the necessary training in the protection of personal data

5. take into account, for its tools, products, applications or services, data protection principles from the design stage and by default

6. service
The Data processor can call upon another service provider (hereinafter, “the Sub-processor”) for all or some of the specific processing activities.

The Sub-processor is required to respect the obligations of this contract on behalf of and according to the Client’s instructions. It is the responsibility of the Data processor to ensure that the Sub-processor offers the same guarantees of implementing appropriate technical and organizational measures so that processing meets the requirements of the European regulation on data protection.

The current sub-processors of the Data processor to perform the data processing as described in section II are:
Alterway Hosting

7. The right of data subjects to be informed
It is the responsibility of the Client to provide information to data subjects concerned by the processing operations at the time of data collection.

8. Exercise of the data subject’s rights
To the extent possible, the Data processor must assist the Client in meeting his obligation to respond to requests by data subjects to exercise their rights: right of access, rectification, erasure and objection, right to the limitation of processing, right to data portability, right to not be the subject of an automated individual decision (including profiling).

The Data processor must respond, in the name and on the behalf of the Client and within the time period set out in the European regulation on data protection, to requests by data subjects exercising their rights regarding the data collected for the expected benefit in this contract.

9. Notification of personal data breaches
The Data processor notifies the Client of any breach of personal data within a maximum of 72 hours after having become aware of this breach and by the following means: email to the Client’s project manager. This notification is accompanied by any and all useful documentation in order to allow the Client, if necessary, to notify the competent supervisory authority.

Upon agreement from the Client, the Data processor notifies the competent supervisory authority (the CNIL), in the name of and on behalf of the Client, of personal data breaches at the earliest opportunity and, if possible, 72 hours at the latest after having become aware of it, unless the breach in question is susceptible of engendering a risk to the rights and freedoms of natural persons.

The notification contains at least:

– a description of the nature of the personal data breach including, if possible, the categories and approximate number of data subjects concerned by the breach and the categories and approximate number of concerned recordings of personal data;
– the name and contact information of the data protection officer or another contact person from whom supplementary information can be obtained;
– a description of the probable consequences of the personal data breach;
– a description of measures taken or that the processing controller proposes to take to remedy the personal data breach, including, if applicable, measures to attenuate possible negative consequences.

If, and to the extent that it is not possible to provide all this information at the same time, information can be communicated over time with due diligence.

Upon agreement from the Client, the Data processor notifies, in the name and on behalf of the Client, the data subject of the personal data breach at the earliest opportunity when this breach is susceptible of engendering an increased hazard to the rights and freedoms of a natural person.

The notification to the Client describes, in clear and simple terms, the nature of the personal data breach and contains at least:

– a description of the nature of the personal data breach including, if possible, the categories and approximate number of data subjects concerned by the breach and the categories and approximate number of concerned recordings of personal data;
– the name and contact information of the data protection officer or another contact person from whom supplementary information can be obtained;
– a description of the probable consequences of the personal data breach;
– a description of measures taken or that the processing controller proposes to take to remedy the personal data breach, including, if applicable, measures to attenuate possible negative consequences.

10. Assistance of the Data processor to the Client in respecting its obligations
The Data processor assists the Client in conducting impact analyses relative to data protection.

The Data processor assists the Client with the production of the prior consultation with the supervisory authority.

11. Security measures
The Data processor undertakes to implement the following security measures:

From a technical point of view:
– Password hashing
– Client connections -> server secured by HTTPS
– Server connections -> server secured by SSH and/or SFTP
– Data stored in several datacentres to avoid losses in case of malfunction of a centre
– Data saved in different locations (EU zone) to be recovered in the context of a BCP/DRP
– Pseudonymisation of personal data in testing and development environments
– Anonymisation of personal data 3 years after response to a survey (or see exceptions in specific conditions)

From an organisational point of view:
– Reporting of any theft / loss of proprietary information
– Use of proprietary information in a strictly professional framework
– Administrators retain permanent access to equipment and system monitoring
– Physical classification of sensitive zones: public zones without access to data, private zones with limited access, and sensitive zones with restricted access
– Password creation policy in accordance with the standards of the SANS Institute
– Notification and resolution plan in case of a security breach for employees and affected persons
– Security breach and vulnerability management plan by a designated team
– Password protection and automatic locking of devices with access to data
– Verification of data security (physical and electronic) at the end of the working day and during holidays
– Password confidentiality assurance
– Securing of sensitive data sent by email
– BCP/DRP tested and reviewed at least once a year
– Security audits at least once a year (update of good security practices, penetration tests…)

11.1 Data transfer
In the context of projects, the Client may be led to transfer its employees’ personal data to the Data processor. For these needs, the Data processor shall provide a secure means to transfer (sftp, secure email address, encryption…) to the Client, while guaranteeing that these data shall transit solely by servers based in Europe.

If despite this the Client chooses another means to transfer not provided by the Data processor (such as, for example, email from a non-secure address), the preceding clause is no longer applicable and the Data processor cannot guarantee that the data shall remain in Europe (since they will transit through the servers of an international company).

12. Fate of data
At the end of services related to the processing of these data, the Data processor undertakes to:

– destroy all personal data by anonymising them
– return all personal data to the Client upon request and within 3 months

13. Data protection officer
The Data processor has designated a data protection officer, who can be contacted directly at:

dpo@FORMETRIS.com

14. Record of categories of processing activities
The Data processor declares to have a written record of all categories of processing activities carried out on behalf of the Client, including:

the name and contact information of the Client on whose behalf he is acting, possible Sub-processors, and, if applicable, the data protection officer;

the categories of processing carried out on behalf of the processing controller;

if applicable, personal data transfers toward a third country or an international organisation, including the identification of this third country or international organisation and, in the case of transfers addressed in article 49, paragraph 1, subparagraph 2 of the European regulation on data protection, documents attesting to the existence of appropriate guarantees;

15. Documentation
The Data processor shall make available to the Client the necessary documentation to demonstrate compliance with all his obligations and allow audits, including inspections, by the processing controller or any other mandated auditor, and participate in these audits.

V. Obligations of the Client toward the Data processor

The Client undertakes to:

– provide the Data processor with the data described in clause II of this document
– document in writing all instructions concerning the processing of data by the Data processor
– ensure, before and during the entire duration of processing, the respect of the obligations of the European regulation on data protection by the Data processor
– supervise processing, including audits and inspections of the Data processor

Paris, August 30 2019