Version: 2.0 — Update date: February 11, 2025.

Data Processing Agreement

Purpose and Scope of the Agreement

This Data Processing Agreement (” Accord ” or DPA) defines the conditions under which Polaria Technologies SAS (hereinafter” Polaria Technologies ” or the Subcontractor), in its capacity as a publisher of generative AI chatbot solutions, processes personal data on behalf of its client (hereinafter the Customer or Data Controller) as part of the services provided by Polaria Technologies. This Agreement is an integral part of the service contract between Polaria Technologies and the Customer and aims to ensure compliance with Regulation (EU) 2016/679, known as the General Data Protection Regulation (RGPD). It complies with the requirements of article 28 (3) of the GDPR, in particular by specifying the object, duration, nature and purpose of the processing carried out, the types of personal data concerned, the categories of persons concerned, as well as the obligations and rights of each party.

By default, Polaria Technologies' services do not require any collection of personal data: no personal data is recorded or exploited without the knowledge of end users when the Polaria Technologies chatbot is used without specific configuration by the Customer. The chatbot can thus be deployed without personal data by default. However, depending on the use and settings made by the Customer, personal data may be processed via the Polaria Technologies platform. This DPA applies exclusively to the processing of personal data carried out by Polaria Technologies as a subcontractor of the Customer. Data processing for which Polaria Technologies determines the purposes and means (for example, the Customer's registration data for the administration platform) is not subject to this Agreement and is covered by Polaria Technologies' privacy policy where applicable.

Polaria Technologies SAS is a simplified joint stock company under French law, registered with the Paris Trade and Companies Register under number 849 997 945, with a share capital of €1,000, whose head office is located at 15 rue des Halles, 75001 Paris, France. Polaria Technologies operates mainly in France and plans to expand its activities within the European Union, in compliance with applicable data protection laws. The Customer refers to the entity (company, administration or other organization) that has subscribed to the services of Polaria Technologies and acts as the data controller that it decides to process via these services.

The Customer and Polaria Technologies are hereinafter collectively referred to as “” The Parties ”.

Definitions

For the purposes of this Agreement, the following terms have the meanings set out below, whether used in the singular or plural:

-Personal data (or Personal data): any information relating to an identified or identifiable natural person, as defined in article 4 (1) of the GDPR.

-Treatment (or Treat/Treaty): any operation or set of operations applied to Personal Data (collection, storage, consultation, use, transmission, deletion, etc.), whether or not they are carried out by automated means, within the meaning of article 4 (2) of the RGPD.

-Data Controller : the natural or legal person, public authority, service or any other body that, alone or jointly, determines the purposes and means of the Processing. Under this Agreement, the Customer is the Data Controller of the Personal Data that it decides to process via the services of Polaria Technologies.

-Subcontractor : the natural or legal person who Processes Personal Data on behalf of the Data Controller. In this case, Polaria Technologies acts as a Subcontractor for the services covered by this DPA.

-Subcontractor (or Subcontractor or Secondary subcontractor, equivalent of the term sub-processor in English): any third party entity engaged by the Subcontractor (Polaria Technologies) to carry out specific Processing activities on behalf of the Data Controller. Subsequent Sub-Processors authorized under this Agreement are listed in section Authorized subcontractors below.

-Services : the SaaS platform, generative AI chatbots and in general the software solutions provided by Polaria Technologies to the Customer, as described in the main contract between the Parties (general terms of service, commercial contract or any equivalent document).

-Applicable Data Protection Regulations : the RGPD, as well as any applicable national law or regulation (such as the French Data Protection Act No. 78-17 amended) and any other text in force governing the protection of Personal Data applicable to the Treatments subject to this Agreement.

Duration of the Agreement

This DPA comes into force on the effective date of the main contract between Polaria Technologies and the Customer or on the date of acceptance of the DPA by the Customer (whichever is later). It remains in force throughout the duration of the contractual relationship where Polaria Technologies processes Personal Data on behalf of the Customer. In practice, the Agreement covers any period during which Polaria Technologies disposes of or processes Customer Personal Data, including possibly after the end of the main contract, until the complete return or deletion of the data in accordance with Customer's instructions and the provisions of this DPA.

The obligations under this Agreement (in particular with respect to confidentiality and security) survive the expiration or termination of this Agreement for as long as Polaria Technologies maintains Customer Personal Data in accordance with the “Data Management” section below, or as required by law.

Description of the Treatments concerned

This DPA only applies to Personal Data Processing operations carried out by Polaria Technologies as part of the Services provided to the Customer. The characteristics of these Treatments are as follows:

-Purpose of the Treatment — Purpose : Supply, by Polaria Technologies, of a generative artificial intelligence chatbot platform and associated services, allowing the Customer to configure and deploy conversational agents (chatbots) answering questions from end users. The sole purpose of the Treatments is the proper execution of the Services requested by the Customer (e.g. responding to user requests via the chatbot, accessing a knowledge base configured by the Customer, providing technical support, etc.), in accordance with the Customer's instructions, etc.), in accordance with the Customer's instructions and the conditions of the main contract. No other use of Personal Data by Polaria Technologies is made without instructions or authorization from the Customer.

-Nature of Processing Operations : Polaria Technologies carries out storage, organization, algorithmic analysis (generation of responses by the AI engine), transmission and deletion of data, according to the needs of the Service. By default, user interactions with the chatbot are not retained by Polaria Technologies. Thus, Polaria Technologies does not permanently store the content of conversations, unless the Customer explicitly activates a logging or recording feature. In the latter case, conservation is carried out according to the methods determined by the Customer (for example, retention period configurable via the administration interface or specific instructions).

-Types of Personal Data Processed : By design, the Service can be used without processing Personally Identifying Data. However, depending on the use, the Data processed may include any type of data that the Customer chooses to integrate into the chatbot or the underlying knowledge base. This may include identification data (e.g. name, first name, nickname of an end user), contact details (email address, telephone number), professional data (position, department), data provided via questions asked to the chatbot (which could contain personal information inserted by the end user), or any other category of data that the Customer decides to use via the Service. By default, none of this data is required to use the Service., and any inclusion of Personal Data is the sole initiative of the Customer. The Customer is advised to avoid submitting particular categories of data (sensitive data within the meaning of article 9 of the GDPR, such as health data, biometric data, etc.) in the Service, unless necessary and appropriate additional protective measures.

-Categories of Persons Concerned : The natural persons whose data may be processed as part of the Service are determined by the Customer. It can be mainly (i) end users of the chatbot deployed by the Customer (for example customers, administrators or employees asking questions to the chatbot and likely to provide their information in their requests), (ii) employees, collaborators or agents of the Customer whose data would appear in the knowledge base or in the content used by the chatbot to formulate answers, and (iii) more generally, of any natural person whose data would be integrated by the Customer into the content operated via the Service. Since Polaria Technologies does not have direct contact with the persons concerned (chatbot end users or other third parties whose data is processed), it is the Customer's responsibility to provide the legal information required to these persons and to collect, where appropriate, the appropriate legal bases (e.g. consent) for the Treatments carried out via the Service.

-Duration of Treatment — Storage : Polaria Technologies processes Customer Personal Data only for as long as necessary to provide the Services and in accordance with Customer's instructions and this DPA. Unless otherwise specified, Personal Data processed from time to time via the chatbot (e.g. content of a question asked) is not retained in a persistent manner (no permanent storage by Polaria Technologies, excluding anonymized technical logs), unless the Customer activates retention options (such as recording conversations or archiving data). In any event, the data will not be retained by Polaria Technologies beyond the duration of the service contract, subject to applicable legal retention obligations. The procedures for returning or deleting data at the end of the Services are specified in section Data fate of this Agreement.

Polaria Technologies' Obligations as a Subcontractor

In accordance with the RGPD, Polaria Technologies undertakes to comply with the following obligations when it processes Personal Data on behalf of the Customer:

-Treatment on documented instructions : Polaria Technologies only processes Customer Personal Data upon documented instructions from the Customer, including with respect to data transfers to a third country. The use of the Services by the Customer, in accordance with the main contract and the documentation of Polaria Technologies, constitutes an instruction by the Customer to Polaria Technologies to process the data for the purposes intended. Polaria Technologies will refrain from any use, access or processing of Customer Personal Data for other purposes (including for its own, commercial or marketing purposes) without the prior authorization of the Customer. If Polaria Technologies considers that an instruction from the Customer violates the GDPR or other applicable data protection provisions, it shall inform the Customer without delay (unless prohibited by law).

-Staff confidentiality : Polaria Technologies guarantees that the persons authorized to process the Customer's Personal Data (staff, collaborators and subsequent subcontractors) are committed to the strictest confidentiality. All persons who have access to the data are subject to an appropriate legal or contractual obligation of confidentiality. Polaria Technologies ensures that access to Personal Data is limited to only those employees and agents who need it to perform the Service, and that such access is regularly reviewed.

-Data Security : Polaria Technologies implements appropriate technical and organizational measures in order to protect Personal Data against destruction, loss, alteration, unauthorized disclosure or unauthorized access, in a manner adapted to the risk. In particular, Polaria Technologies applies industry best security practices: encryption of data in transit (secure communications via SSL/TLS) and, when applicable, encryption of data at rest on servers or databases. Access to data is strictly controlled and logged, so that only duly authorized personnel from Polaria Technologies (or the Customer, in the case of dedicated environments) can access the necessary information, in compliance with confidentiality commitments. Polaria Technologies has also implemented perimeter protection and proactive surveillance systems to prevent intrusions and malicious software (firewalls, intrusion detection/prevention systems, etc.), and regularly updates its systems in order to quickly correct any known vulnerabilities. In general, Polaria Technologies ensures that the infrastructure used for the Service is Secured and in accordance with the state of the art in terms of data protection (including by using certified and reliable data centers, see Authorized Subcontractors section).

-Respect for privacy by design : Polaria Technologies adheres to the principles of Privacy by Design and by Default. The Services are designed to minimize the collection of Personal Data (no personally identifiable data is required by default to use the chatbot). Polaria Technologies integrates data protection from the design phase and throughout the life cycle of products and services.

-Subsequent subcontracting : Polaria Technologies only uses subsequent Subcontractors (secondary subcontractors) to carry out Processing operations with the Customer's authorization. The Customer hereby grants general authorization to Polaria Technologies to use the Subcontractors listed in section Authorized subcontractors below, provided that Polaria Technologies ensures that each of these subcontractors complies with obligations equivalent to its own in terms of data protection (via a subcontracting contract in accordance with article 28 of the RGPD). Polaria Technologies will inform the Customer of any planned changes concerning the addition or replacement of subcontractors, within a reasonable period of time, so that the Customer has the opportunity to raise objections for legitimate reasons. In the absence of an objection within the specified period, the new subcontractor will be deemed to have been accepted.

-Assistance in complying with the Customer's obligations : Polaria Technologies provides assistance to the Customer to enable it to comply with its own obligations under the Applicable Regulations. In particular, Polaria Technologies helps the Customer, through appropriate technical and organizational measures, to satisfy requests to exercise the rights of the persons concerned (access, rectification, deletion, opposition, etc.) received by the Customer, insofar as the Customer cannot respond to them himself via the functionalities made available. Likewise, Polaria Technologies will provide the Customer with the necessary assistance to carry out, if necessary, data protection impact analyses (DPIA) relating to the Treatments carried out as part of the Service, and to carry out any prior consultations with the competent supervisory authority, insofar as this information is in the possession of Polaria Technologies. This assistance is provided at the Customer's written request and may include the provision of documentation on security measures, the technical organization of processing, and more generally any information useful to the Customer to demonstrate the compliance of the processing with legal obligations.

-Data Breach Notification : Polaria Technologies notifies the Customer of any security breach affecting the Personal Data processed (personal data breach within the meaning of article 4 (12) of the RGPD) as soon as it is aware of it. This notification will be made as soon as possible (and if possible within 48 hours following the detection of the incident), accompanied by any useful documentation to allow the Customer, if necessary, to notify this violation to the data protection authority and/or to the persons concerned, in accordance with articles 33 and 34 of the GDPR. Polaria Technologies will provide the Customer with available information on the nature of the breach, the categories and volume of data potentially concerned, the probable consequences, as well as the corrective measures already taken or envisaged to remedy the violation and mitigate its effects. Polaria Technologies is committed to promptly investigating any breach and taking appropriate measures to restore data integrity, security, and confidentiality. It will collaborate in good faith with the Customer to facilitate compliance with legal obligations resulting from the violation.

-Data fate at the end of the contract : At the expiration of the service contract or in the event of its early termination, Polaria Technologies, at the Customer's choice and on the instructions of the latter, will delete integrally all Personal Data processed on behalf of the Customer, or will return to the Customer all of this data in a structured and commonly used format, and then delete all existing copies in its systems (unless otherwise required by law). Unless otherwise specified by the Customer communicated before the end of the contract, Polaria Technologies will, by default, proceed with the secure deletion of residual data still in its possession at the end of a reasonable period of time following the end of the contract. Polaria Technologies may keep a copy of the data if required to do so by Union or Member State law (for example, for evidentiary purposes or to comply with accounting obligations); in this case, Polaria Technologies guarantees that this data will remain subject to appropriate protection measures and will no longer be actively processed except to meet the legal requirements in question.

-Documentation and audit rights : Polaria Technologies provides the Customer with all reasonable information necessary to demonstrate compliance with the obligations provided for in this DPA and to allow compliance audits to be carried out. In practice, Polaria Technologies may provide the Customer, upon request, with its security and confidentiality documentation, including internal policies, certifications or third-party audits as appropriate, attesting to the level of protection put in place. The Customer is entitled to carry out or have carried out, once a year at most (unless otherwise specified by law or in the event of a proven incident), an audit of Polaria Technologies' activities related to the Treatments carried out on its behalf. This audit must be carried out by the Customer or an independent third party authorized by him, with a notice of at least 15 working days, and must not significantly disrupt the operations of Polaria Technologies. The scope of the audit will be limited to installations, systems and documents relevant to the Customer's data. Polaria Technologies will cooperate in good faith with the audit by providing access to the information requested, subject to appropriate confidentiality measures. The audit fees are borne by the Customer, unless the audit reveals a serious breach by Polaria Technologies of the obligations of this Agreement.

Obligations of the Customer as Data Controller

The Customer, in its capacity as Data Controller, undertakes to comply with the following obligations in the context of the use of Polaria Technologies Services:

-Compliance and legal basis : The Customer guarantees that the Personal Data Processing that it entrusts to Polaria Technologies is carried out in accordance with the Applicable Regulations. In particular, it is the Customer's responsibility to determine and document a valid legal basis for each Personal Data processed via the Service (for example, consent of the person concerned, legitimate interest, legal obligation or execution of a contract) and to ensure that the purposes pursued are authorized by law. The Customer declares and guarantees that he is duly authorized to process and have the Personal Data concerned processed and that he has completed all the formalities that may be required (including, when necessary, obtaining the consent of the persons concerned for the use of their data as part of the Service).

-Information for the persons concerned : It is the Customer's responsibility to provide the persons concerned with the information required by articles 13 and 14 of the RGPD concerning the Processing of their data via the services of Polaria Technologies. The Customer will ensure that end users are clearly informed of the presence of the chatbot and of the fact that their interactions can be processed by computer, as well as, where appropriate, of any collection of personal data concerning them. For example, if the Customer activates the logging of chatbot conversations including personal information, it must notify users in advance and, if necessary, obtain their consent.

-Data quality and proportionalitys: The Customer is responsible for the data that he integrates into the Service. He undertakes to provide Polaria Technologies with only accurate, up-to-date and strictly necessary Personal Data for the purposes of using the Service. The Customer undertakes not to misuse the Polaria Technologies Service to massively collect or process data unrelated to the purposes of the chatbot, and undertakes not to store unlawful or sensitive data disproportionately via the Polaria Technologies platform without appropriate measures.
Service configuration: Insofar as the Service offers configuration options that impact data protection (for example, defining a conversation retention period, etc.), the Customer is responsible for the configuration choices made via the administration interface. It is the Customer's responsibility to configure the Service in a manner consistent with the principles of data minimization and to limit the retention of personal data to what is strictly necessary. Polaria Technologies provides tools and settings that allow the Customer to maintain control over the data (deletion of content, export of knowledge, etc.), which the Customer must use to comply with its regulatory obligations.

-Client-side security : The Customer undertakes to use the Polaria Technologies Service in a safe technical environment. In particular, he must maintain the confidentiality of access identifiers to the Polaria Technologies platform and ensure that access to his instance is secure. The Customer will notify Polaria Technologies without delay in the event of suspicion of unauthorized access or compromise of its identifiers, in order to allow Polaria Technologies to take appropriate measures. In addition, if the Customer himself collects data from users in order to inject them into the Service (for example via forms connected to the chatbot), it is his responsibility to ensure the security of this collection and to transmit the data to Polaria Technologies by encrypted and secure means of communication.

-Cooperation : The Customer will cooperate in good faith with Polaria Technologies to facilitate compliance with this DPA. In particular, the Customer will provide Polaria Technologies with information on the treatments it intends to carry out via the Service if this is necessary for Polaria Technologies to fulfill its own obligations (e.g. in the event of carrying out an impact analysis, the Customer will share the relevant sections with Polaria Technologies). Likewise, in the event of a request or investigation by a data protection authority concerning the Service, the Customer will involve Polaria Technologies as appropriate to obtain the technical elements relevant to the latter.

-Proper use : The Customer ensures that its use of the Polaria Technologies Services will remain in accordance with the terms and purposes provided for in the contract. The Customer undertakes not to ask Polaria Technologies to process Personal Data in a manner that would violate the Applicable Regulations. If the Customer gives a Processing instruction to Polaria Technologies, it must be lawful and necessary for the performance of the Services. In case of doubt about the legality of an instruction or a particular use of the Service, the Customer undertakes to consult Polaria Technologies and, if necessary, the competent data protection authority before continuing.

Authorized Subcontractors (List of Subsequent Subcontractors)

Polaria Technologies uses carefully selected subcontractors to assist it in the provision of its Services. These subcontractors act only according to the instructions of Polaria Technologies and provide sufficient guarantees as to the implementation of data protection measures in accordance with the GDPR. The Customer expressly authorizes Polaria Technologies to use the following Subcontractors as part of the Treatments carried out on its behalf:

-OVHcloud (OVH SAS, France) — Main cloud hosting provider. OVHcloud provides the hosting infrastructure on which Polaria Technologies' applications and data are deployed. The servers are located in France. In particular, Polaria Technologies hosts its software suite on OVH's secure infrastructure, with a view to sovereignty and security.

-Dassault Systèmes (Outscale) (France) — Alternative cloud host. Polaria Technologies can also rely on 3DS Outscale (a cloud subsidiary of Dassault Systèmes) to host certain instances or dedicated environments, in particular for customers requiring a level of Sovereign cloud certified (Outscale having in particular the SecNumCloud qualification issued by ANSSI). The Outscale data centers used by Polaria Technologies are located in France. This subcontractor is subject to the same security and compliance requirements as OVH.

-Sarbacane Software (France) — Solution for sending transactional emails. Polaria Technologies uses the Sarbacane platform (also known as Mailify) to send emails related to the Services, in particular emails sent by the application app.polaria.ai (for example: confirmation emails, user notifications, password resets, etc.) In this context, the email addresses of the Customer's end users or administrators, as well as the content of the necessary messages (email text, links) are transmitted to Sarbacane's servers for dispatch. Sarbacane Software SAS is a French company, and the email data processed is hosted on servers located in France. This subcontractor is committed to complying with the RGPD regulations (Sarbacane has an internal DPO and an active data protection policy in accordance with the RGPD). No data is transmitted by Sarbacane to third parties, except for the technical necessity of routing via messaging operators.

Polaria Technologies undertakes not to add or replace subcontractors without first informing the Customer. In the event of a subsequent change of subcontractor, Polaria Technologies will notify the Customer by any agreed means of contact (for example, email or publication on the corporate website) at least 15 days before the actual change. The Customer has the right to raise a reasoned objection if the proposed new subcontractor presents, in his opinion, a substantial risk for the protection of his data. In the event of a legitimate and unresolved objection, the Customer may cancel the service in question in accordance with the terms of the main contract. In all cases, Polaria Technologies remains fully responsible to the Customer for the proper execution by its subcontractors of their data protection obligations. Each subsequent subcontractor is bound to Polaria Technologies by a subcontract in accordance with article 28 of the GDPR, including security, confidentiality and compliance obligations equivalent to those of this DPA.

Data Localization and International Transfers

Polaria Technologies favors an infrastructure entirely located in France for the processing and storage of Customer Personal Data. By default, the data is hosted in France, in particular via OVHcloud or Dassault Systèmes Outscale. Thus, the Personal Data provided to Polaria Technologies remains on French territory.

Polaria Technologies confirms that as of the date of signature of this DPA, no massive or systematic transfer of Customer Personal Data to countries outside the EU is carried out outside of the specific uses mentioned. If the Customer wants a different location of the data, he can request it from Polaria Technologies, which will endeavor to offer an adapted solution (potentially via an optional offer). Polaria Technologies undertakes to inform the Customer if, during the execution of the contract, it should consider transferring Customer Personal Data outside the EU under conditions not provided for in this Agreement.

Rights of Data Subjects and Subcontractor Assistance

Given the nature of the Treatments, Polaria Technologies will help the Customer to fulfill its obligation to respond to requests to exercise rights of the persons concerned (right of access, rectification, deletion, deletion, opposition, limitation, portability, etc.).

-If a data subject sends a request directly to Polaria Technologies concerning their Personal Data processed via the Services (which would be rare, Polaria Technologies is not in direct contact with the Customer's end users), Polaria Technologies will forward this request to the Customer as soon as possible without responding to it itself (unless otherwise instructed by the Customer or under a direct legal obligation to Polaria Technologies). It is up to the Customer, as Data Controller, to provide the appropriate response to the request. Polaria Technologies will assist the Customer, upon request, by providing the information and tools necessary to respond to the request (for example, by extracting relevant data or by applying an erasure measure).

-Via the Service administration interface or upon request to the support of Polaria Technologies, the Customer can access, rectify or delete the Personal Data under its control. Polaria Technologies will implement the actions requested by the Customer concerning the data (e.g. deleting a set of contents containing personal data, returning a specific record, etc.) as soon as possible and in accordance with the documented instructions received.

-If the complexity of a request to exercise rights requires specific technical assistance from Polaria Technologies (e.g. extraction of data from a backup, specific search in logs), Polaria Technologies will endeavor to provide this assistance. Depending on the workload induced, Polaria Technologies and the Customer may agree on financial terms to cover the reasonable cost of this exceptional assistance, in accordance with article 12 (5) of the GDPR (which allows reasonable fees to be charged in the event of clearly unfounded or excessive requests, or in the event of additional requests).

In addition, Polaria Technologies will help the Customer to ensure compliance with the other obligations provided for in articles 32 to 36 of the RGPD (security of treatments, notification of violations, impact assessments and prior consultation). Security and data breach provisions are included in this Agreement. With regard to privacy impact assessments (DPIA), Polaria Technologies will provide the Customer upon request with all information relating to the Services necessary to carry out the DPIA (in particular technical description of the treatments carried out, security measures applied, subcontractors involved, etc.). If the supervisory authority were to require a prior consultation prior to using the Service, Polaria Technologies will assist the Customer by providing the information required by said authority.

In summary, Polaria Technologies is committed to actively cooperating with the Customer to enable the Customer to comply with its obligations towards the persons concerned and the data protection authorities. All this assistance is provided within the limits of the information available to Polaria Technologies and to the extent that the Customer does not himself have the means to meet the obligations in question.

Data Breach Notification

In case of personal data breach (accidental or unlawful) concerning Personal Data processed on behalf of the Customer, Polaria Technologies will notify the Customer of such violation without unnecessary delay, and at the latest within 48 hours after having read it. Where possible, this notification will include the following information:

-the nature of the breach (for example, unauthorized access, loss, disclosure, alteration, or destruction of data) and, if available, the categories and approximate number of data subjects and data records affected;
-the probable consequences of the violation on the persons concerned (potential impacts on privacy, risks incurred);
-the technical and organizational measures already implemented by Polaria Technologies before the breach (e.g. encryption) that may limit the impact of the breach, as well as the immediate corrective measures taken or proposed to remedy the violation (e.g.: isolation of the affected system, isolation of the affected system, data restoration, security patches);
-the name and contact details of the contact person at Polaria Technologies from whom additional information can be obtained.

Polaria Technologies will provide the Customer with regular updates regarding the ongoing investigation and actions taken as additional information on the incident becomes available. It is then up to the Customer, as Data Controller, to assess whether the violation should be notified to the competent supervisory authority and/or to the persons concerned, in accordance with articles 33 and 34 of the GDPR. Polaria Technologies will assist the Customer in this process if necessary, by providing additional information or incident reports as required.

Polaria Technologies will internally document any data breach, recording the facts relating to the breach, its effects, and the actions taken, in accordance with Article 33 (5) of the GDPR. On request, Polaria Technologies will make this documentation available to the Customer and the supervisory authority, in order to be able to verify compliance with legal obligations.

Data fate at the end of the Contract

At the end of the provision of Services involving the Processing of Personal Data (in particular in the event of termination or expiration of the contract between Polaria Technologies and the Customer, or in the event of cessation of a functionality of the Service), the fate of the Customer's Personal Data will be as follows:

-Restitution of data : At the express request of the Customer, formulated no later than the end date of the contract, Polaria Technologies will return to the Customer all the Personal Data processed on its behalf. This retrieval may take the form of one or more files that can be extracted via the administration interface or provided by Polaria Technologies (for example, export of knowledge bases, possible saved conversation logs, etc.), in a structured, commonly used and machine-readable format. Polaria Technologies will also provide, upon request, the documents or supports necessary to understand the returned data (e.g. data dictionary if applicable).

-Deleting data : Once the return has been made (or if the Customer has not requested a refund by the end of the contract), Polaria Technologies will proceed with the complete and permanent removal Personal Data of the Customer still in his possession. Deleting includes deleting data from active databases, as well as purging backup copies and logs, within a reasonable operational timeframe. Polaria Technologies undertakes that the Customer's data will no longer be used for any purpose whatsoever from the end of the contract, and that they will be securely eliminated from all its production and backup systems (unless otherwise required by law). If, for technical reasons, the immediate deletion of certain backup data is not possible, Polaria Technologies guarantees that such residual data will be protected by appropriate security measures and that it will be destroyed according to pre-established maximum retention cycles.

-Proof of destruction : At the Customer's request, Polaria Technologies may provide a written certificate confirming that the deletion of Personal Data has been completed in accordance with the terms of this Agreement. This certificate may take the form of a certificate of destruction or an official email from the technical manager or data protection officer of Polaria Technologies, once all the deletion operations have been carried out.

-Legal exception : If the legislation of the European Union or the applicable Member State imposes on Polaria Technologies an obligation to keep certain Personal Data beyond the end of the contract (for example, legal archiving, storage of billing data, evidence in case of litigation), Polaria Technologies informs the Customer of this obligation. In this case, Polaria Technologies undertakes to process these retained data only to comply with applicable law and for no other purpose, and to delete them as soon as the legal retention period expires.

The Customer is invited to recover, before the end of the contract, the data he wishes to keep, since Polaria Technologies is not obliged to store the Customer's data beyond the planned contractual period (subject to the provisions above). In any event, after deletion or return, Polaria Technologies no longer has any obligation to keep the Customer's data and declines all responsibility in the event of a permanent loss of data following the end of the contract, as long as these actions have been carried out in accordance with the Customer's instructions and under this DPA.

Customer Documentation and Audit Rights

Polaria Technologies undertakes to maintain internal documentation relating to the Treatments carried out on behalf of the Customer, in accordance with article 30 (2) of the RGPD (register of subcontractor activities). Upon request, Polaria Technologies may provide the Customer with the relevant elements of this register concerning the categories of activities carried out for it, provided that it does not disclose sensitive or confidential information relating to other customers.

In addition, Polaria Technologies provides the Customer with all the information necessary to demonstrate compliance with the obligations provided for in this DPA and to enable the conduct of audits, including inspections, by the Customer or another authorized auditor, and to contribute to these audits. The modalities of exercising the right to audit by the Customer are described above (“Documentation and Audit Rights” section of Polaria Technologies' obligations).

Polaria Technologies considers that any independent third party audit reports that it may obtain constitute valid evidence of its compliance with the requirements of this Agreement. The Customer will agree in good faith to take into account such reports/certificates to reduce the frequency or extent of its own audits, in a spirit of collaboration.

In the event of an audit initiated by a supervisory authority (e.g. CNIL) concerning Polaria Technologies' activities in connection with this DPA, Polaria Technologies will inform the Customer if this directly concerns the Customer's data (unless prohibited by law). Polaria Technologies will provide the necessary access and cooperation to the authority under the conditions required by law.

Contact Points and Data Protection Officer

Each Party shall specify a contact point for data protection issues under this Agreement. On the side of Polaria Technologies, any request or question concerning this DPA or the data processed can be sent to its Data Protection Officer (DPO) to the following email address: dpo (at) polaria (dot) ai. This contact can be used for example to: report a data breach, ask questions about security measures, request assistance relating to individual rights, or any other request related to personal data.

Polaria Technologies is committed to responding promptly to Customer requests via its DPO or its data protection team. In addition, the Customer may also contact their usual commercial or technical contact person at Polaria Technologies, who will forward the request to the competent persons internally.

For its part, the Customer must provide Polaria Technologies with the contact details of its own contact person for data protection issues (for example, the Customer's Data Protection Officer or Data Protection Officer, if he has appointed one). This contact will be used for Polaria Technologies to send any information relating to the data (notification of a violation, information on a new subcontractor, etc.). It is the Customer's responsibility to keep this contact information up to date and to notify Polaria Technologies in the event of changes.

Applicable Law and Jurisdiction

This Agreement is governed by the French law, including with regard to its validity, interpretation, execution or termination, and this without prejudice to the direct application of the RGPD and mandatory laws applicable locally to the Customer where applicable. In the event of a dispute relating to the interpretation or execution of this Agreement, the Parties will endeavour to resolve the dispute amicably in a spirit of cooperation and good faith. In the absence of an amicable agreement, and subject to more protective mandatory legal provisions, the competent courts under the jurisdiction of the seat of Polaria Technologies (namely the courts of Paris, Francia) will have sole jurisdiction to hear any dispute arising under this DPA, including, where appropriate, summary proceedings or applications.

This jurisdiction clause applies provided that the competent court under the main contract binding the Parties is located in a member state of the European Union. If the main contract provides for another jurisdiction or applicable law, an exception to the above provisions may be made, provided that this does not lead to a reduction in the data protection guarantees provided for by this DPA and by the GDPR. In any event, the RGPD remains applicable to Treatments falling within its territorial scope of application, and any clause of this Agreement will be interpreted in the light of this regulation.

Done in Paris, in two digital copies, on the date of the last electronic acceptance. The Parties declare that they have read, understood and accepted the content of this Data Processing Agreement, which comes into force as soon as it is accepted by the Customer via the provided process (electronic signature, online validation, or tacit acceptance of the general conditions including this DPA).

Curious to learn more? Book a free 30-minute demo with our team today!

Schedule a demo
Our AI product
100% sovereign
Made in Webflow