Data Processing Agreement

This Data Processing Agreement ("DPA") forms part of the agreement between the entity that has agreed to the Uply Terms of Service ("Controller", "you", "your") and ECOMMERCE RTM ("Processor", "we", "us", "our"), governing the processing of personal data by the Processor on behalf of the Controller in connection with the Uply service. This DPA is entered into in accordance with Article 28 of the General Data Protection Regulation (EU) 2016/679 ("GDPR").

1. Definitions

For the purposes of this DPA, the following definitions apply:

"Controller" means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. In the context of this DPA, the Controller is the entity that has installed Uply in its Slack workspace.

"Processor" means ECOMMERCE RTM, which processes personal data on behalf of the Controller in connection with the provision of the Uply service.

"Sub-processor" means any third party engaged by the Processor to assist in the processing of personal data on behalf of the Controller.

"Personal Data" means any information relating to an identified or identifiable natural person, as defined in Article 4(1) of the GDPR.

"Processing" means any operation or set of operations performed on personal data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction.

"Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.

"Data Subject" means the identified or identifiable natural person to whom the personal data relates.

2. Scope & Purpose of Processing

The Processor processes personal data solely for the purpose of providing the Uply service to the Controller, as described in the Terms of Service and Privacy Policy. The categories of personal data processed include: Slack workspace information (workspace name and workspace ID), user profile information (display names and Slack user IDs), user responses to daily questions delivered through Uply, and aggregated scores and rankings derived from user participation. The categories of data subjects include employees, contractors, and other individuals within the Controller's Slack workspace who interact with the Uply application. The processing activities include: collection and storage of the above data, delivery of daily questions via Slack, calculation of individual scores and streaks, generation of leaderboard rankings, and analytics related to usage patterns and content effectiveness.

3. Obligations of the Processor

The Processor shall:

  • process personal data only on documented instructions from the Controller, unless required to do so by European Union or Member State law to which the Processor is subject, in which case the Processor shall inform the Controller of that legal requirement before processing unless prohibited by law;
  • ensure that persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
  • implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as described in Section 6 of this DPA;
  • respect the conditions for engaging sub-processors as set out in Section 5 of this DPA;
  • taking into account the nature of the processing, assist the Controller by appropriate technical and organizational measures for the fulfillment of the Controller's obligation to respond to requests for exercising data subject rights;
  • assist the Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR, taking into account the nature of processing and the information available to the Processor;
  • at the choice of the Controller, delete or return all personal data to the Controller after the end of the provision of services, and delete existing copies unless storage is required by applicable law; and
  • make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR.

4. Instructions from the Controller

The Processor shall process personal data only in accordance with the Controller's documented instructions. The Controller's initial instructions are defined by the scope of this DPA, the Terms of Service, and the Privacy Policy. Additional or modified instructions may be provided by the Controller in writing (including by email) and must be reasonable and consistent with the nature of the Service. If the Processor believes that an instruction from the Controller infringes the GDPR or other applicable data protection provisions, the Processor shall immediately inform the Controller. The Processor shall not be liable for any non-compliance resulting from following the Controller's lawful instructions.

5. Sub-processors

The Controller provides general authorization for the Processor to engage sub-processors to assist in the provision of the Service. The Processor shall inform the Controller of any intended changes concerning the addition or replacement of sub-processors, giving the Controller the opportunity to object to such changes within thirty (30) days. If the Controller objects on reasonable grounds, the parties shall discuss the objection in good faith. If no resolution can be reached, the Controller may terminate the agreement. The Processor shall ensure that each sub-processor is bound by data protection obligations no less protective than those set out in this DPA. The Processor remains fully liable for the acts and omissions of its sub-processors.

As of the date of this DPA, the Processor uses the following sub-processors:

  • Slack Technologies (Salesforce) — Delivery of questions and collection of responses via the Slack API. Data processed: Slack workspace information, user IDs, display names, message interactions. Location: data processed in accordance with Slack's data processing terms.
  • EU hosting provider — Infrastructure hosting and data storage. All data is stored within the European Union. Data processed: all personal data described in Section 2. Location: European Union.

6. Data Security Measures

The Processor implements and maintains the following technical and organizational security measures to protect personal data:

  • encryption of data at rest using AES-256 or equivalent standard;
  • encryption of data in transit using TLS 1.2 or higher;
  • strict access controls based on the principle of least privilege, ensuring that only authorized personnel with a legitimate need can access personal data;
  • role-based access control (RBAC) for internal systems;
  • regular security reviews and assessments of infrastructure and application security;
  • secure software development practices;
  • logging and monitoring of access to systems containing personal data; and
  • incident response procedures designed to detect, report, and investigate data breaches promptly.

The Processor shall regularly review and update these measures to ensure they remain appropriate to the risks posed by the processing.

7. Data Breach Notification

In the event of a Data Breach affecting personal data processed on behalf of the Controller, the Processor shall notify the Controller without undue delay and in any event within seventy-two (72) hours of becoming aware of the breach. The notification shall include:

  • a description of the nature of the breach, including where possible the categories and approximate number of data subjects and personal data records concerned;
  • the name and contact details of the Processor's point of contact for further information;
  • a description of the likely consequences of the breach; and
  • a description of the measures taken or proposed to be taken to address the breach, including measures to mitigate its possible adverse effects.

The Processor shall cooperate with the Controller and take all reasonable steps to assist in the investigation, mitigation, and remediation of any Data Breach.

8. Data Subject Rights

The Processor shall assist the Controller in fulfilling its obligations to respond to requests from data subjects exercising their rights under the GDPR, including the right of access, right to rectification, right to erasure, right to restriction of processing, right to data portability, and right to object. If the Processor receives a request directly from a data subject, the Processor shall promptly forward the request to the Controller and shall not respond to the request directly unless authorized to do so by the Controller. The Processor shall provide reasonable technical and organizational assistance to enable the Controller to respond to data subject requests within the timeframes required by the GDPR.

9. Data Transfers

The Processor stores and processes all personal data exclusively within the European Union. The Processor shall not transfer personal data to any country or territory outside the European Economic Area (EEA) without the prior written consent of the Controller. In the event that a transfer outside the EEA becomes necessary (for example, due to a change in sub-processors), the Processor shall ensure that appropriate safeguards are in place in accordance with Chapter V of the GDPR, such as Standard Contractual Clauses approved by the European Commission, and shall notify the Controller in advance.

10. Audit Rights

The Processor shall make available to the Controller all information reasonably necessary to demonstrate compliance with the obligations set out in this DPA and Article 28 of the GDPR. The Controller (or an independent third-party auditor mandated by the Controller) shall have the right to conduct audits and inspections of the Processor's processing activities and facilities, subject to the following conditions:

  • the Controller shall provide at least thirty (30) days' prior written notice of any intended audit;
  • audits shall be conducted during normal business hours and shall not unreasonably disrupt the Processor's operations;
  • the Controller shall bear the costs of the audit unless the audit reveals a material breach of this DPA by the Processor;
  • any third-party auditor must be bound by appropriate confidentiality obligations; and
  • audits shall not be conducted more than once per year unless required by a supervisory authority or following a Data Breach.

11. Duration & Termination

This DPA shall remain in effect for as long as the Processor processes personal data on behalf of the Controller in connection with the Uply service. Upon termination of the Service agreement (whether by uninstallation of the Uply application, expiration, or otherwise), the Processor shall, at the Controller's choice, delete or return all personal data within thirty (30) days of termination. The Processor shall provide written confirmation of deletion upon request. Notwithstanding the foregoing, the Processor may retain personal data to the extent required by applicable law, provided that such retained data continues to be protected in accordance with this DPA. The obligations of the Processor under this DPA shall survive termination to the extent necessary to protect any personal data that is retained.

12. Liability

Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the Terms of Service, except where such limitations are prohibited by the GDPR or other applicable data protection law. Nothing in this DPA shall limit either party's liability for breaches of its obligations under the GDPR to the extent that such limitations are not permitted by applicable law.

13. Governing Law

This DPA shall be governed by and construed in accordance with the laws of France, without regard to its conflict of law provisions. Any disputes arising out of or in connection with this DPA shall be subject to the exclusive jurisdiction of the courts of Lille, France.

14. Contact

For any questions or requests related to this Data Processing Agreement or the processing of personal data, please contact us:

ECOMMERCE RTM
1 PL LEROUX DE FAUQUEMONT, 59000 LILLE, France
Siret: 87904454300012
Email: privacy@uply.work
Website: uply.work

Last updated: March 2026