Version: 2.0 – Last updated: May 19, 2026.
These legal notices are written in French. Any translation, particularly into English, is provided for informational purposes only. In case of any discrepancy, ambiguity, or difficulty in interpretation between the French version and a translated version, the French version alone shall prevail.

Data Processing Agreement

Purpose and Scope of the Agreement

This Data Processing Agreement (" Agreement " or DPA) defines the conditions under which Ask Technologies SAS (hereinafter “ Ask Technologies ” or the Data Processor), in its capacity as a publisher of generative AI chatbot solutions, processes personal data on behalf of its client (hereinafter the Client or Data Controller) within the scope of services provided by Ask Technologies. This Agreement is an integral part of the service contract between Ask Technologies and the Client and aims to ensure compliance with Regulation (EU) 2016/679, known as the General Data Protection Regulation (GDPR). It complies with the requirements of Article 28(3) of the GDPR, specifying in particular the subject matter, duration, nature, and purpose of the processing carried out, the types of personal data concerned, the categories of data subjects, as well as the obligations and rights of each party.

By default, Ask Technologies' services do not require any collection of personal data: no personal data is recorded or used without the knowledge of end-users when the Ask Technologies chatbot is used without specific Client configuration. The chatbot can therefore be deployed without personal data by default. However, depending on the use and settings configured by the Client, personal data may potentially be processed via the Ask Technologies platform. This DPA applies exclusively to the processing of personal data carried out by Ask Technologies as the Client's data processor. Data processing for which Ask Technologies determines the purposes and means (for example, Client registration data for the administration platform) does not fall under this Agreement and is covered by Ask Technologies' privacy policy, where applicable.

Ask Technologies SAS is a simplified joint-stock company under French law, registered with the Paris Trade and Companies Register under number 879 858 876, with a share capital of €1759.28, and its registered office at 4 PLACE ALBERT EINSTEIN 56000 VANNES FRANCE. Ask Technologies primarily operates in France and plans to expand its activities within the European Union, in compliance with applicable data protection legislation. The Client refers to the entity (company, administration, or other organization) that has subscribed to Ask Technologies' services and acts as the data controller for the data it decides to process via these services.

The Client and Ask Technologies are hereinafter collectively referred to as “ The Parties ».

Definitions

For the purposes of this Agreement, the following terms shall have the meanings set forth below, whether used in the singular or plural:

-Personal Data (or Personal Data): any information relating to an identified or identifiable natural person, as defined in Article 4(1) of the GDPR.

-Processing (or Process/Processed): any operation or set of operations performed on Personal Data (collection, storage, consultation, use, transmission, erasure, etc.), whether or not by automated means, as defined in Article 4(2) of the GDPR.

-Controller : the natural or legal person, public authority, agency or other body which, alone or jointly, determines the purposes and means of the Processing. For the purposes of this Agreement, the Client is the Controller of the Personal Data it decides to process via Ask Technologies' services.

-Processor : the natural or legal person who Processes Personal Data on behalf of the Controller. In this instance, Ask Technologies acts as the Processor for the services covered by this DPA.

-Further Sub-processor (or Subsequent Sub-processor or Sub-processor, equivalent to the English term 'sub-processor'): any third-party entity engaged by the Processor (Ask Technologies) to perform specific Processing activities on behalf of the Controller. The authorized subsequent Sub-processors under this Agreement are listed in section Authorized Sub-processors below.

-Services : the SaaS platform, generative AI chatbots, and generally the software solutions provided by Ask Technologies to the Client, as described in the main agreement between the Parties (general terms of service, commercial contract, or any equivalent document).

-Applicable Data Protection Legislation : the GDPR, as well as any applicable national law or regulation (such as the amended French Data Protection Act No. 78-17) and any other applicable legal text governing the protection of Personal Data relevant to the Processing activities subject to this Agreement.

Term of the Agreement

This DPA shall enter into force on the effective date of the main agreement between Ask Technologies and the Client or on the date of the Client's acceptance of the DPA (if later). It shall remain in effect for the entire duration of the contractual relationship during which Ask Technologies processes Personal Data on behalf of the Client. In practice, the Agreement covers any period during which Ask Technologies holds or processes Client Personal Data, including potentially after the termination of the main agreement, until the complete return or deletion of the data in accordance with the Client's instructions and the provisions of this DPA.

The obligations set forth in this Agreement (particularly regarding confidentiality and security) shall survive its expiration or termination for as long as Ask Technologies retains Client Personal Data in accordance with the 'Data Disposition' section below, or as long as required by law.

Description of Processing Activities

This DPA applies only to Personal Data Processing operations performed by Ask Technologies within the scope of the Services provided to the Client. The characteristics of these Processing operations are as follows:

-Purpose of Processing – Objective : Provision, by Ask Technologies, of a generative artificial intelligence chatbot platform and associated services, enabling the Client to configure and deploy conversational agents (chatbots) that answer end-user questions. The Processing operations have the sole purpose of ensuring the proper execution of the Services requested by the Client (e.g., responding to user queries via the chatbot, accessing a knowledge base configured by the Client, providing technical support, etc.), in accordance with the Client's instructions and the terms of the main contract. No other use of Personal Data by Ask Technologies is carried out without the Client's instruction or authorization.

-Nature of Processing Operations : Ask Technologies performs data storage, organization, algorithmic analysis (response generation by the AI engine), transmission, and deletion operations, as required by the Service. By default, user interactions with the chatbot are not retained by Ask Technologies. Thus, Ask Technologies does not permanently store the content of conversations, unless the Client explicitly activates a logging or recording feature. In the latter case, retention is carried out according to the terms determined by the Client (e.g., configurable retention period via the administration interface or specific instructions).

-Types of Personal Data Processed : By design, the Service can be used without processing identifying Personal Data. However, depending on the use, the processed Data may include any type of data that the Client chooses to integrate into the chatbot or the underlying knowledge base. This may include identification data (e.g., end-user's first name, last name, pseudonym), contact details (email address, phone number), professional data (position, department), data provided via questions asked to the chatbot (which could contain personal information inserted by the end-user), or any other category of data that the Client decides to use via the Service. By default, none of this data is required to use the Service, and any inclusion of Personal Data is solely at the Client's initiative. The Client is advised to avoid submitting special categories of data (sensitive data as defined in Article 9 of the GDPR, such as health data, biometric data, etc.) to the Service, unless necessary and with appropriate additional protective measures.

-Categories of Data Subjects : The natural persons whose data may be processed within the scope of the Service are determined by the Client. These may primarily include (i) end-users of the chatbot deployed by the Client (e.g., customers, citizens, or employees asking questions to the chatbot and likely to provide their information in their queries), (ii) employees, collaborators, or agents of the Client whose data would be included in the knowledge base or in the content used by the chatbot to formulate responses, and (iii) more generally, of any natural person whose data would be integrated by the Client into the content used via the Service. As Ask Technologies has no direct contact with the data subjects (chatbot end-users or other third parties whose data is processed), it is the Client's responsibility to provide the required legal information to these individuals and to obtain, where applicable, the adequate legal bases (e.g., consent) for the Processing carried out via the Service.

-Processing Duration – Retention : Ask Technologies processes the Client's Personal Data only for the duration necessary for the provision of the Services and in accordance with the Client's instructions and this DPA. Unless otherwise instructed, Personal Data occasionally processed via the chatbot (e.g., content of a question asked) is not persistently stored (no permanent storage by Ask Technologies, excluding anonymized technical logs), unless the Client activates retention options (such as conversation recording or data archiving). In any event, data will not be retained by Ask Technologies beyond the term of the service contract, subject to applicable legal retention obligations. The terms for returning or deleting data upon termination of the Services are specified in section Data Disposition of this Agreement.

Ask Technologies' Obligations as a Data Processor

In accordance with the GDPR, Ask Technologies undertakes to comply with the following obligations when processing Personal Data on behalf of the Client:

-Processing on Documented Instruction : Ask Technologies processes the Client's Personal Data only upon documented instruction from the Client, including with regard to data transfers to a third country. The Client's use of the Services, in accordance with the main contract and Ask Technologies' documentation, constitutes the Client's instruction to Ask Technologies to process the data for the intended purposes. Ask Technologies shall refrain from any use, access, or processing of the Client's Personal Data for other purposes (including for its own, commercial, or marketing purposes) without the Client's prior authorization. If Ask Technologies considers that a Client instruction infringes the GDPR or other applicable data protection provisions, it shall inform the Client without delay (unless legally prohibited).

-Personnel Confidentiality : Ask Technologies guarantees that individuals authorized to process the Client's Personal Data (personnel, collaborators, and subsequent sub-processors) commit to the strictest confidentiality. All individuals with access to data are subject to an appropriate legal or contractual confidentiality obligation. Ask Technologies ensures that access to Personal Data is limited to only those employees and agents who need it to perform the Service, and that these accesses are regularly reviewed.

-Data Security : Ask Technologies implements appropriate technical and organizational measures to protect Personal Data against destruction, loss, alteration, unauthorized disclosure, or unauthorized access, in a manner adapted to the risk. In particular, Ask Technologies applies industry best security practices: encryption of data in transit (secure communications via SSL/TLS) and, where applicable, encryption of data at rest on servers or databases. Data access is strictly controlled and logged, so that only duly authorized Ask Technologies personnel (or the Client, in the case of dedicated environments) can access the necessary information, in compliance with confidentiality commitments. Ask Technologies has also implemented perimeter protection and proactive monitoring systems to prevent intrusions and malicious software (firewalls, intrusion detection/prevention systems, etc.), and regularly updates its systems to quickly correct any known vulnerabilities. Generally, Ask Technologies ensures that the infrastructure used for the Service is secure and compliant with the state of the art in data protection (including by using certified and reliable data centers, see section Authorized Sub-processors).

-Privacy by Design : Ask Technologies adheres to the principles of Privacy by Design and by Default. The Services are designed to minimize the collection of Personal Data (no nominative data is required by default to use the chatbot). Ask Technologies integrates data protection from the design phase and throughout the product and service lifecycle.

-Subsequent Sub-processing : Ask Technologies will only engage subsequent Sub-Processors (secondary sub-processors) for Processing operations with the Client's authorization. The Client hereby grants Ask Technologies general authorization to use the Sub-Processors listed in section Authorized Sub-Processors below, it being understood that Ask Technologies ensures that each of these sub-processors complies with obligations equivalent to its own regarding data protection (via a sub-processing agreement compliant with Article 28 of the GDPR). Ask Technologies will inform the Client of any planned changes concerning the addition or replacement of sub-processors within a reasonable timeframe, so that the Client has the opportunity to raise objections for legitimate reasons. In the absence of an objection within the specified period, the new sub-processor will be deemed accepted.

-Assistance with Client Obligations : Ask Technologies assists the Client in fulfilling its own obligations under the Applicable Regulations. In particular, Ask Technologies helps the Client, through appropriate technical and organizational measures, to respond to requests from data subjects exercising their rights (access, rectification, erasure, objection, etc.) received by the Client, to the extent that the Client cannot respond to them itself via the functionalities provided. Similarly, Ask Technologies will provide the Client with the necessary assistance to carry out, where applicable, Data Protection Impact Assessments (DPIAs) related to the Processing performed as part of the Service, and to conduct any prior consultations with the competent supervisory authority, insofar as this information is in Ask Technologies' possession. This assistance is provided upon the Client's written request and may include providing documentation on security measures, the technical organization of processing operations, and more generally any information useful to the Client to demonstrate the processing's compliance with legal obligations.

-Data Breach Notification : Ask Technologies will notify the Client of any security breach affecting the Personal Data processed (personal data breach within the meaning of Article 4(12) of the GDPR) as soon as it becomes aware of it. This notification will be made as soon as possible (and if possible within 48 hours of incident detection), accompanied by all useful documentation to enable the Client, if necessary, to notify this breach to the data protection authority and/or the data subjects, in accordance with Articles 33 and 34 of the GDPR. Ask Technologies will provide the Client with available information on the nature of the breach, the categories and volume of potentially affected data, the probable consequences, as well as corrective measures already taken or envisaged to remedy the breach and mitigate its effects. Ask Technologies undertakes to promptly investigate any breach and take appropriate measures to restore the integrity, security, and confidentiality of the data. It will collaborate in good faith with the Client to facilitate compliance with legal obligations resulting from the breach.

- Data Handling upon Contract Termination : Upon expiration or early termination of the service contract, Ask Technologies will, at the Client's choice and instruction, delete entirely

all Personal Data processed on behalf of the Client, or will return all such data to the Client in a structured and commonly used format, and then delete all existing copies from its systems (unless legally obliged otherwise). Unless specific contrary instructions are communicated by the Client before the end of the contract, Ask Technologies will, by default, securely delete any residual data still in its possession within a reasonable period following the end of the contract. Ask Technologies may retain a copy of the data if required by Union or Member State law (e.g., for evidentiary purposes or compliance with accounting obligations); in such a case, Ask Technologies guarantees that this data will remain subject to appropriate protection measures and will no longer be actively processed except to satisfy the relevant legal requirements.- Documentation and Right to Audit

: Ask Technologies shall make available to the Client all reasonable information necessary to demonstrate compliance with the obligations set forth in this DPA and to enable the conduct of compliance audits. In practice, Ask Technologies may provide the Client, upon request, with its security and confidentiality documentation, including internal policies, certifications, or third-party audits where applicable, attesting to the level of protection implemented. The Client is entitled to conduct or have conducted, at most once per year (unless otherwise required by law or in the event of a proven incident), an audit of Ask Technologies' activities related to the Processing carried out on its behalf. This audit must be carried out by the Client or an independent third party mandated by them, with at least 15 business days' prior notice, and must not significantly disrupt Ask Technologies' operations. The scope of the audit will be limited to the facilities, systems, and documents relevant to the Client's data. Ask Technologies will cooperate in good faith with the audit by providing access to the requested information, subject to appropriate confidentiality measures. Audit costs shall be borne by the Client, unless the audit reveals a serious breach by Ask Technologies of the obligations of this Agreement.

Client's Obligations as Data Controller

The Client, as Data Controller, undertakes to comply with the following obligations when using Ask Technologies' Services:- Compliance and Legal Basis

: The Client guarantees that the Processing of Personal Data entrusted to Ask Technologies is carried out in compliance with the Applicable Regulations. It is notably the Client's responsibility to determine and document a valid legal basis for each piece of Personal Data processed via the Service (e.g., data subject's consent, legitimate interest, legal obligation, or contract performance) and to ensure that the purposes pursued are authorized by law. The Client declares and guarantees that they are duly authorized to process and have processed the Personal Data concerned and that they have completed all potentially required formalities (including, where necessary, obtaining the consent of data subjects for the use of their data within the scope of the Service).- : It is the Client's responsibility to provide data subjects with the information required by Articles 13 and 14 of the GDPR concerning the Processing of their data via Ask Technologies' services. The Client shall ensure that end-users are clearly informed of the chatbot's presence and that their interactions may be processed electronically, as well as, where applicable, of any collection of personal data concerning them. For example, if the Client enables logging of chatbot conversations that include personal information, they must notify users in advance and, if necessary, obtain their consent. [SEG 7] Information for Data Subjects

-Data Quality and Proportionalitys: The Client is responsible for the data they integrate into the Service. They undertake to provide Ask Technologies only with Personal Data that is accurate, up-to-date, and strictly necessary for the purposes of using the Service. The Client is prohibited from misusing Ask Technologies' Service to massively collect or process data unrelated to the chatbot's purposes, and undertakes not to store illicit or sensitive data disproportionately via Ask Technologies' platform without appropriate measures.
Service Configuration: Insofar as the Service offers configuration options impacting data protection (e.g., setting a conversation retention period, etc.), the Client is responsible for the configuration choices made via the administration interface. It is the Client's responsibility to configure the Service in accordance with data minimization principles and to limit the retention of personal data to what is strictly necessary. Ask Technologies provides tools and settings enabling the Client to maintain control over the data (content deletion, knowledge export, etc.), which the Client must use to comply with their regulatory obligations.

-Client-Side Security : The Client undertakes to use Ask Technologies' Service in a secure technical environment. In particular, it must preserve the confidentiality of access credentials to the Ask Technologies platform and ensure that access to its instance is secure. The Client shall promptly notify Ask Technologies in case of suspected unauthorized access or compromise of its credentials, to enable Ask Technologies to take appropriate measures. Furthermore, if the Client collects data directly from users to inject into the Service (for example, via forms connected to the chatbot), it is responsible for ensuring the security of this collection and for transmitting the data to Ask Technologies via encrypted and secure communication channels.

-Cooperation : The Client shall cooperate in good faith with Ask Technologies to facilitate compliance with this DPA. Specifically, the Client shall provide Ask Technologies with information on the processing it intends to carry out via the Service if this is necessary for Ask Technologies to fulfill its own obligations (e.g., in the event of an impact assessment, the Client shall share the relevant sections with Ask Technologies). Similarly, in the event of a request or inquiry from a data protection authority concerning the Service, the Client shall involve Ask Technologies as appropriate to obtain the technical elements pertaining to the latter.

-Compliant Use : The Client ensures that its use of Ask Technologies' Services will remain compliant with the terms and purposes stipulated in the contract. The Client undertakes not to request Ask Technologies to process Personal Data in a manner that would violate the Applicable Regulations. If the Client provides a Processing instruction to Ask Technologies, it must be lawful and necessary for the performance of the Services. In case of doubt regarding the legality of an instruction or a particular use of the Service, the Client undertakes to consult Ask Technologies and, if necessary, the competent data protection authority before proceeding.

Authorized Sub-processors (List of Subsequent Sub-processors)

Ask Technologies uses carefully selected sub-processors to assist in the provision of its Services. These sub-processors act solely on Ask Technologies' instructions and provide sufficient guarantees regarding the implementation of data protection measures compliant with the GDPR. The Client expressly authorizes Ask Technologies to engage the following Sub-processors for the Processing carried out on its behalf:

-OVHcloud (OVH SAS, France) – Primary cloud host. OVHcloud provides the hosting infrastructure on which Ask Technologies' applications and data are deployed. The servers are located in France. Ask Technologies notably hosts its software suite on OVH's secure infrastructure, with a focus on sovereignty and security.

-Dassault Systèmes (Outscale) (France) – Alternative cloud host. Ask Technologies can also rely on 3DS Outscale (Dassault Systèmes' cloud subsidiary) for hosting certain dedicated instances or environments, particularly for clients requiring a level of sovereign cloud certified (Outscale notably holds the SecNumCloud qualification issued by ANSSI). Outscale's data centers used by Ask Technologies are located in France. This subcontractor is subject to the same security and compliance requirements as OVH.

-Sarbacane Software (France) – Transactional email sending solution. Ask Technologies uses the Sarbacane platform (also known as Mailify) for sending emails related to the Services, particularly emails issued by the application app.polaria.ai (for example: confirmation emails, user notifications, password resets, etc.). In this context, the email addresses of the Client's end-users or administrators, as well as the content of necessary messages (email text, links), are transmitted to Sarbacane's servers for dispatch. Sarbacane Software SAS is a French company, and the email data processed is hosted on servers located in France. This sub-processor commits to complying with GDPR regulations (Sarbacane has an internal DPO and an active GDPR-compliant data protection policy). No data is transmitted by Sarbacane to third parties, except for the technical necessity of routing via messaging operators.

Ask Technologies commits not to add or replace any sub-processor without prior notification to the Client. In the event of a change in sub-processor, Ask Technologies will notify the Client by any agreed means of contact (e.g., email or publication on the corporate website) at least 15 days before the effective change. The Client has the right to raise a reasoned objection if, in their opinion, the proposed new sub-processor presents a substantial risk to the protection of their data. In the event of a legitimate and unresolved objection, the Client may terminate the service concerned in accordance with the terms of the main contract. In all cases, Ask Technologies remains fully responsible to the Client for the proper performance by its sub-processors of their data protection obligations. Each sub-processor is bound to Ask Technologies by a sub-processing agreement compliant with Article 28 of the GDPR, including security, confidentiality, and instruction compliance obligations equivalent to those in this DPA.

Data Location and International Transfers

Ask Technologies prioritizes an infrastructure entirely localized in France for the processing and storage of the Client's Personal Data. By default, data is hosted in France, notably via OVHcloud or Dassault Systèmes Outscale. Thus, Personal Data entrusted to Ask Technologies remains on French territory.

Ask Technologies confirms that, as of the signing date of this DPA, no mass or systematic transfer of the Client's Personal Data to non-EU countries is carried out beyond the specific uses mentioned. If the Client desires a different data location, they may request it from Ask Technologies, which will endeavor to propose a suitable solution (potentially via an optional offering). Ask Technologies commits to informing the Client if, during the execution of the contract, it intends to transfer the Client's Personal Data outside the EU under conditions not provided for in this Agreement.

Data Subject Rights and Processor Assistance

Given the nature of the Processing activities, Ask Technologies will assist the Client in fulfilling its obligation to respond to requests for exercising the data subject rights (right of access, rectification, erasure, objection, restriction, data portability, etc.).

-If a data subject directly addresses Ask Technologies with a request concerning their Personal Data processed via the Services (which would be rare, as Ask Technologies is not in direct contact with the Client's end-users), Ask Technologies will forward this request to the Client without undue delay without responding to it directly (unless otherwise instructed by the Client or if Ask Technologies has a direct legal obligation to do so). It is the Client's responsibility, as the Data Controller, to provide the appropriate follow-up to the request. Ask Technologies will assist the Client, upon request, by providing the necessary information and tools to respond to the request (for example, by extracting relevant data or applying an erasure measure).

-Through the Service's administration interface or upon request to Ask Technologies support, the Client can access, rectify, or delete Personal Data under its control. Ask Technologies will implement the actions requested by the Client regarding the data (e.g., deletion of a set of content containing personal data, restoration of a specific record, etc.) without undue delay and in accordance with the documented instructions received.

-If the complexity of a data subject rights request requires specific technical assistance from Ask Technologies (e.g., data extraction from a backup, specific log search), Ask Technologies will endeavor to provide such assistance. Depending on the workload incurred, Ask Technologies and the Client may agree on financial terms to cover the reasonable cost of this exceptional assistance, in accordance with Article 12(5) of the GDPR (which allows for reasonable fees to be charged for manifestly unfounded or excessive requests, or for additional requests).

Furthermore, Ask Technologies will assist the Client in ensuring compliance with other obligations stipulated in Articles 32 to 36 of the GDPR (security of processing, breach notification, impact assessments, and prior consultation). The provisions relating to security and data breaches are set out in this Agreement. Regarding Data Protection Impact Assessments (DPIA), Ask Technologies will provide the Client, upon request, with all information related to the Services necessary for conducting the DPIA (including technical description of the processing operations, security measures applied, sub-processors involved, etc.). Should the supervisory authority require a prior consultation prior to using the Service, Ask Technologies will assist the Client by providing the information required by said authority.

In summary, Ask Technologies commits to actively cooperate with the Client to enable the latter to fulfill its obligations towards data subjects and data protection authorities. All this assistance is provided within the limits of the information available to Ask Technologies and to the extent that the Client does not have the means to meet the obligations in question themselves.

Data Breach Notification

In the event of a personal data breach (accidental or unlawful) concerning Personal Data processed on behalf of the Client, Ask Technologies will notify the Client of such breach without undue delay, and no later than within 48 hours after becoming aware of it. This notification will include, where possible, the following information:

-the nature of the breach (e.g., unauthorized access, loss, disclosure, alteration, or destruction of data) and, if available, the categories and approximate number of data subjects and data records affected;
-the probable consequences of the breach for the data subjects (potential privacy impacts, risks incurred);
-the technical and organizational measures already implemented by Ask Technologies prior to the breach (e.g., encryption) likely to limit its impact, as well as the immediate corrective measures taken or proposed to remedy the breach (e.g., isolation of the affected system, data restoration, security patches);
-the name and contact details of the Ask Technologies contact person from whom further information can be obtained.

Ask Technologies will provide the Client with regular updates regarding the ongoing investigation and actions taken, as additional information about the incident becomes available. It is then the Client's responsibility, as the Data Controller, to assess whether the breach needs to be notified to the competent supervisory authority and/or the data subjects, in accordance with Articles 33 and 34 of the GDPR. Ask Technologies will assist the Client in this process if necessary, by providing additional information or required incident reports.

Ask Technologies will internally document any data breach, recording the facts relating to the breach, its effects, and the measures taken, in accordance with Article 33(5) of the GDPR. Upon request, Ask Technologies will make this documentation available to the Client and the supervisory authority to enable verification of compliance with legal obligations.

Fate of Data Upon Contract Termination

Upon termination of the provision of Services involving the Processing of Personal Data (particularly in the event of termination or expiration of the contract between Ask Technologies and the Client, or in the event of cessation of a Service functionality), the fate of the Client's Personal Data will be as follows:

-Data Return : Upon the Client's express request, made no later than the contract end date, Ask Technologies will return to the Client all Personal Data processed on their behalf. This return may take the form of one or more files extractable via the administration interface or provided by Ask Technologies (e.g., export of knowledge bases, any saved conversation logs, etc.), in a structured, commonly used, and machine-readable format. Ask Technologies will also provide, upon request, the documents or media necessary for understanding the returned data (e.g., data dictionary if applicable).

-Data Deletion : Once the data has been returned (or if the Client has not requested its return by the contract's expiration), Ask Technologies will proceed with the complete and definitive deletion of the Client's Personal Data still in its possession. Deletion includes the erasure of data from active databases, as well as the purging of backup copies and logs, within reasonable operational timeframes. Ask Technologies undertakes that the Client's data will no longer be used for any purpose whatsoever from the end of the contract, and that it will be securely eliminated from all its production and backup systems (unless legally required otherwise). If, for technical reasons, the immediate deletion of certain backup data is not possible, Ask Technologies guarantees that this residual data will be protected by appropriate security measures and will be destroyed according to the maximum pre-established retention cycles.

-Proof of Destruction : Upon the Client's request, Ask Technologies may provide written confirmation that the Personal Data has been deleted in accordance with the terms of this Agreement. This confirmation may take the form of a certificate of destruction or an official email from Ask Technologies' technical manager or data protection officer, once all erasure operations have been completed.

-Legal Exception : If applicable European Union or Member State legislation imposes an obligation on Ask Technologies to retain certain Personal Data beyond the end of the contract (e.g., legal archiving, retention of billing data, evidence in case of litigation), Ask Technologies will inform the Client of this obligation. In such a case, Ask Technologies undertakes to process this retained data only to comply with applicable law and for no other purpose, and to delete it upon the expiration of the legal retention period.

The Client is invited to retrieve any data they wish to retain before the end of the contract, as Ask Technologies is not obligated to store Client data beyond the stipulated contractual period (subject to the provisions above). In any event, after deletion or return, Ask Technologies will no longer have any obligation to retain Client data and disclaims all responsibility for any permanent loss of data following the termination of the contract, provided that these actions were carried out in accordance with the Client's instructions and the terms of this DPA.

Client Documentation and Audit Rights

Ask Technologies undertakes to maintain internal documentation regarding the Processing carried out on behalf of the Client, in accordance with Article 30(2) of the GDPR (processor's record of processing activities). Upon request, Ask Technologies may provide the Client with the relevant elements of this record concerning the categories of activities performed for them, provided that no sensitive or confidential information relating to other clients is disclosed.

Furthermore, Ask Technologies will provide the Client with all necessary information to demonstrate compliance with the obligations set forth in this DPA and to allow for and contribute to audits, including inspections, by the Client or another authorized auditor. The terms for exercising the audit rights by the Client are described above (section "Documentation and Audit Rights" of Ask Technologies' obligations).

Ask Technologies considers that independent third-party audit reports it may obtain constitute valid proof of its compliance with the requirements of this Agreement. The Client shall in good faith agree to take such reports/certificates into account to reduce the frequency or scope of its own audits, in a spirit of collaboration.

In the event of an audit initiated by a supervisory authority (e.g., CNIL) concerning Ask Technologies' activities in connection with this DPA, Ask Technologies will inform the Client if it directly concerns the Client's data (unless legally prohibited). Ask Technologies will provide the necessary access and cooperation to the authority under the conditions required by law.

Contact Points and Data Protection Officer

Each Party designates a point of contact for data protection-related questions under this Agreement. On Ask Technologies' side, any request or question concerning this DPA or the processed data can be addressed to its Data Protection Officer (DPO) at the following email address: dpo (at) polaria (dot) ai​. This contact can be used, in particular, to: report a data breach, ask questions about security measures, request assistance regarding data subject rights, or any other personal data-related query.

Ask Technologies undertakes to respond promptly to Client requests via its DPO or its data protection team. Additionally, the Client may also contact their usual commercial or technical contact at Ask Technologies, who will forward the request to the relevant internal personnel.

The Client shall, for its part, provide Ask Technologies with the contact details of its own data protection representative (e.g., the Client's DPO or Data Protection Officer, if one has been appointed). This contact will be used by Ask Technologies to send any data-related information (breach notification, information on a new sub-processor, etc.). It is the Client's responsibility to keep this contact information up to date and to notify Ask Technologies of any changes.

Applicable Law and Jurisdiction

This Agreement is governed by French law, including with respect to its validity, interpretation, execution, or termination, and without prejudice to the direct application of the GDPR and any mandatory laws locally applicable to the Client. In the event of a dispute relating to the interpretation or execution of this Agreement, the Parties shall endeavor to resolve the dispute amicably in a spirit of cooperation and good faith. Failing an amicable agreement, and subject to more protective mandatory legal provisions, the competent courts within the jurisdiction of Ask Technologies' registered office (namely the courts of Paris, France) shall have exclusive jurisdiction over any dispute arising from this DPA, including, where applicable, summary proceedings or applications.

This jurisdiction clause applies provided that the competent court under the main contract binding the Parties is located in a Member State of the European Union. If the main contract provides for another jurisdiction or applicable law, exceptions may be made to the above provisions, provided that this does not lead to a reduction in the data protection guarantees provided by this DPA and by the GDPR. In any event, the GDPR remains applicable to Processing falling within its territorial scope, and any clause of this Agreement shall be interpreted in light of this regulation.

Executed in Paris, in two digital copies, on the date of the last electronic acceptance. The Parties declare that they have read, understood, and accepted the content of this Data Processing Agreement, which comes into force upon its acceptance by the Client via the agreed procedure (electronic signature, online validation, or tacit acceptance of the general terms and conditions including this DPA).

Curious to learn more? Book a free 30-minute demo with our team today!

Schedule a demo
Notre produit IA
100% souverain