Article 1. Recitals
The Service Provider offers an electronic solution aimed at orthodontists making it possible to transform images according to a standard format used in order to send them to dentists and orthodontists.
After reading this Agreement, the Client acknowledges having received all necessary information to subscribe to the Services at the time of accepting this Agreement.
Article 2. Definitions
The terms defined below shall have the following meanings between the Parties:
- « Client » : Natural person or legal entity contracting with the Service Provider
- « Agreement » : contractual whole formed by these General Terms of Sale;
- « Personal Information » ou « personal data » : means any information relating to an identified or identifiable natural person « data subject »). An « identifiable natural person » is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
- « Parties » : the Client and the Service Provider;
- « Service Provider » : Deepsmile Technology, a company in société par actions simplifiée, listed with the Trade and Companies Register (RCS) of Aix en Provence under No. 848 407 987, whose registered offices are located in Aix en Provence, at 37 Boulevard Aristide Briand – email address: firstname.lastname@example.org – intracommunity VAT No. FR 39 848407987;
- « Services » : all services by the Service Provider, as described in the appendix, « Description of the Services » ;
- « Solution » : electronic solution enabling access to and use of the Services, presented in the form of a webapp or an API linked to certain business applications, listed on the website, www.oralpix.com, and which may be used by the Client;
- « Processing » : means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
- « User » : natural person having permission to access the Services that are the subject of this Agreement. When the Solo plan is subscribed, the User is the Client;
Article 3. Purpose
The purpose of this Agreement is to define the terms and conditions under which the Service Provider:
- Grants the Client, who agrees, a right to access the Solution and to use the Services;
- Provides the Client the ancillary services to enable such access and use.
Article 4. Contractual Documents
The contractual documents are, in descending order of priority:
- Any amendments to the Agreement;
- The Agreement;
- The appendices to the Agreement;
In the event of a contradiction between documents of a different type or different rank, it is expressly agreed between the parties that the provisions contained in the higher ranking document shall take precedence for obligations subject to a conflict of interpretation. In the event of a contradiction between the terms of documents of the same order, the most recent documents shall take precedence over the others.
Notwithstanding the contract interpretation rules defined in the French Civil Code, the ranking criteria shall be applied according to the following principles:
- Obligation by obligation;
- Or, otherwise, paragraph by paragraph;
- Or, otherwise, clause by clause;
Article 5. Requirements
5.1 Legal capacity
The Client hereby acknowledges that it has full legal capacity, competence, and the resources necessary to subscribe to the Services.
5.2 Hardware compatibility
The Services may be accessed using a computer (fixed or mobile, Mac or PC).
The Client is urged to verify the compatibility of the hardware and computer configuration of the User(s) with the Solution. The Client must make sure that they have the following minimum configurations:
In addition to a computer, the User must have a minimum of the following browser versions:
- Internet Explorer :
- IE 11 under Windows 8 +
- IE 11 under Windows 7 with the Flash plug-in installed
- Edge 14+
- Firefox 51+
- Chrome 49+
- Safari 10+
- Opera 44+
The Client is solely responsible for the use and security of the terminals and IT systems used, and shall be solely responsible for electronic communications costs (Internet access in particular).
Article 6. Subscribing to the Services
The use of the Services requires the creation of a customer account and taking out a subscription directly on the website, at the address, www.oralpix.com.
The Client shall fill out the different fields on the online subscription form, with it being specified that mandatory fields are marked with an asterisk. In particular, the Client shall create their login ID and password, which must be compliant with the recommendations of the French Data Protection Authority (CNIL) regarding the creation of passwords in order to ensure security, otherwise, it will be rejected.
They shall select a subscription plan, keeping in mind that the subscription agreement may be renewed tacitly:
- Solo plan, by annual or monthly subscription, for one User;
- Office plan, by annual or monthly subscription, for two or more Users;
The Client has read the Agreement and checked the box, « I have read and expressly agree to these General Terms of Sale, » formalizing their acceptance. If the Client does not agree, the subscription process is interrupted.
The Client selects a payment method, except when they have received a free trial period offered by the Service Provider. They are then directed to a secure page where they enter their banking information.
The Client is then asked to verify all of the information entered. In the event an error, they can change the information directly in the fields of the subscription form. The Client then validates their subscription on the subscription form selected.
The Client receives a subscription confirmation email at the address entered on the online subscription form with a link to the webapp used to access the Services, as well as the details of the procedure for using the Services with the business applications listed on the website, www.oralpix.com.
The Client hereby agrees to make sure that the Client’s information is accurate and thorough and to update it regularly. The Client may edit their information any time by going to the « My Account » section.
Article 7. Effective Date – Duration
This Agreement will take effect starting from the date on which the subscription is taken out by the Client.
The Agreement shall have an initial duration of one (1) month (monthly subscription) or one (1) year (annual subscription) and may be renewed tacitly in monthly or annual periods, depending on the subscription plan, unless waived by either of the Parties in accordance with the article entitled « Cancellation » in this Agreement.
Article 8. Enforceability – Changes to the Agreement
Any subscription by the Client shall constitute an irrevocable acceptance of the Agreement, which henceforth become enforceable upon the Client. The acceptance of the Agreement cannot be called into question except within the limits provided for herein.
The current General Terms of Sale in effect are accessible at any time by the Client at the address, www.oralpix.com. The Client has the option to save and print this Agreement using the standard features of their web browser.
The Agreement is subject to change or adjustment at any time by the Service Provider with each new monthly or annual subscription period, depending on the subscription plan.
In the event of a change to the Agreement, the new General Terms of Sale shall be notified to the Client and take effect one (1) month after the notification of the new provisions.
Article 9. Provision of the Services
The specifications for the Services are contained in the appendix, « Description of the Services ».
The Client agrees to test the Services that are the subject of this Agreement before any professional use thereof. The use of the Services implies the definitive acceptance of said Services.
9.3 Support with getting started and training
The Service Provider shall provide the training and support with getting started services described in the appendix, « Description of the Services, » particularly configuring the features of the Services.
9.4 Access to and use of the Services
The Services are accessible via:
- A webapp available at the following address: www.oralpix.com
- Compatible business applications listed on the website, www.oralpix.com, which the Client has subscribed to outside the context of this Agreement.
The connection of the User(s) to the Solution is carried out using authentication by means of with a login ID and password via an individual user account.
When the Solo plan has been chosen, the Services are accessed through an account created when subscribing to the Services.
When the Office plan has been chosen, a User account must be created for each additional User.
9.5 Suspension of the Services
However, the Service Provider reserves the right to restrict the access to the Services, totally or partially, in order to conduct maintenance, in the context of scheduled outages, its computer configuration, and infrastructure used to provide the Services.
9.6 Changes to the Services
The Service Provider reserves the right to make any technical decision aimed at improving the Services, subject to ensuring their continuity and backward compatibility.
Article 10. The Client's Obligations
10.1 Obligations regarding the use of the Services
The Client agrees to:
- Use the Services loyally, in compliance with this Agreement, and current legislation and regulations in effect;
- Work with the Service Provider, and in particular to report to the Service Provider any breakdown of the Services that they observe and any manifestly unlawful content;
The Client also agrees to comply with all obligations contained in the appendix, « Description of the Services. »
When the Office plan is selected, the Client is responsible for the permissions of each User in accordance with their permission procedure and/or policy.
In this context, the Service Provider agrees to:
- Enable the creation of an individual user account for each additional User, with sharing a single account not being permitted
- Delete the account of an authorized User in the event of departures and changes in assignment within the Client’s operating structure.
In any event, the Client also agrees to limit the number of Users to one when the Solo plan is subscribed to, or to three, when the Office plan has been subscribed to, and to prevent any sharing of a single user account by multiple Users.
In this capacity, the Service Provider reserves the right to conduct any verification it deems useful to observe compliance or non-compliance by the Client with these obligations, particularly through audits making it possible to detect any abnormal or unauthorized use of the Services. In this context, the Client agrees to supply the Service Provider with all necessary information to provide proof of compliance with the obligations provided for in this Agreement.
As applicable, the Client vouches for compliance by each User with the aforementioned commitments.
10.2 Improving the Solution and Services
The Client agrees to contribute to improving the Solution and Services, by reporting any malfunctions and, as applicable, suggesting any improvements. With that in mind, the Client is invited to contact the Service Provider or pass that commitment along to the User(s):
- By email: email@example.com.
10.3 Respect for patients’ rights
The Client, as the data controller for the patients’ Personal Data, is exclusively responsible for:
- Information related to the processing of Personal Data;
- Collecting the consent from each patient, as a basis for the lawfulness of the data processing.
The Client and each User are also obligated to comply with all applicable patients’ rights derived from the data protection regulations.
As applicable, the Service Provider may advise the Client regarding resources to be implemented and/or provide informational notice templates appropriate for one or more data processing operations.
However, providing information, gathering consent, and respecting patients’ rights shall be carried out by the Client by any means the Client deems appropriate to their organization.
Furthermore, the Client agrees to download into the Solution only images that do not contain directly identifying data on the patient (last name, first name, etc.).
Article 11. Property
The Services are the property of the Service Provider or of the owners of the rights thereto, in accordance with the provisions of the French Intellectual Property Code.
All intellectual property elements comprising the Solution, including interfaces made available to the Client and/or Users in the context of the performance of this Agreement, the information supplied by the Service Provider to the Client are and shall remain the exclusive property of the Service Provider or its partners.
Consequently, the Client is prohibited from any schemes or acts that may directly or indirectly infringe upon the intellectual property rights over the Services, as well as, generally speaking, the associated trademarks.
The Service Provider grants the Client, who accepts it, a non-exclusive and non-transferable right to access and use the Services, for the full duration of this Agreement, for:
- Solo plan: the Client as the User.
- Office plan: the User(s) identified and authorized by the Client.
Access and use not expressly authorized by the Service Provider under this Agreement is unlawful, in accordance with the Provisions of Article L.122-6 of the French Intellectual Property Code.
Thus, the Client is prohibited from:
- Any performance, diffusion, or distribution of the Services, whether in exchange for consideration or free of charge, and in particular any networking not established by this Agreement.
- Any form of use of the Services, in any manner whatsoever, for the purposes of designing, creating, distributing, or marketing similar or equivalent substitution services;
- Adapting, modifying, transforming, arranging the Services, for any reason whatsoever, including to correct errors;
- Any direct or indirect transcription, any translation into other languages of the Solution and the Services;
- Any use for processing not authorized by the Service Provider;
- Any modification or deviation of the production code, notably including passwords or logins.
Article 12. Maintenance of the Service
The Client and/or Users may report any difficulties and questions regarding the functioning of the Services. To do so, the Service Provider has made resources available, such as email, ticketing tools, the terms and conditions of which are supplied in the appendix to this Agreement entitled, « Description of the Services. »
The responses shall be provided by the Service Provider using the method by which it was contacted.
12.2 Corrective Maintenance
The corrective maintenance service consists of correcting any reproducible anomaly that appears in the use of remote access to the Services, according to the terms and conditions contained in the « Description of the Services » appendix.
It is the Client's responsibility to refer to the Service Provider's instructions before each support request, in order to be able to accurately, thoroughly describe the problems encountered.
Any anomaly shall be identified by the Client and reported to the Service Provider using the appropriate support resource, with sufficient precision so that the latter may take action. An incomplete or unfounded notification will release the Service Provider from its obligations.
While awaiting a permanent solution, the Service Provider may recommend a temporary workaround solution.
12.3 Scalable Maintenance
Updates to the Solution and Services may be released by the Service Provider, as they become available.
Such updates, that are decided unilaterally by the Service Provider, shall be made available to the Client by remote access from its server at no additional cost.
The Client is informed that certain updates may require additional services to be performed.
Maintenance will not be provided in the following cases:
- Version used is no longer a currently supported version;
- The Client refuses to accept an update offered by the Service Provider;
- Use of the Services not in compliance with the Agreement;
- Unauthorized intervention by the Client or a third party;
- Anomaly generated by the Client’s or User’s hardware or software or their access equipment;
In such cases, the Client may not claim any compensation.
Article 13. Hosting
Hosting of the Services is provided by a third-party host, referred to in the appendix entitled « Protection of Personal Information » in the « sub-processing » clause.
Article 14. Protection of Personal Information
As part of their contractual relations, the Parties hereby agree to comply with the applicable regulations governing personal data protection, including Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, also known as the « GDPR, » and any subsequent regulations.
The Client in this context acts as the data controller and the Service Provider acts as the processor within the meaning of the General Data Protection Regulation.
In this capacity, the Service Provider hereby agrees to process the Personal Data entrusted to it under the Agreement in compliance with the Client’s written instructions as contained in the « Data Protection » appendix.
Article 15. Compensation for the Services
In exchange for the performance of the Services, the Client agrees to pay the price corresponding to their subscription. The prices are those listed on the www.oralpix.com website as of the day of the Client’s order.
The prices are specified excluding taxes and are charged including taxes, particularly the VAT in effect as of the billing date.
15.2 Changes to the Prices
The Service Provider is free to change the prices for its Services. Price changes shall be applicable to all subscriptions, particularly those in progress. In that case, the Client shall be informed of the price change by any means one (1) month before the new rates take effect.
If the Client rejects the price increase applied to the Services, they may cancel their subscription at any time by registered letter with acknowledgment of receipt sent to the Service Provider.
15.3 Payment Deadlines and Terms
Invoices are prepared on a monthly or annual basis, and shall be paid in euros including taxes by bank card online or by automatic monthly withdrawal as of the billing date for the month or year in advance.
When payment is made by automatic withdrawal, the Client shall immediately inform the Service Provider if any change in direct debit information.
In the event of a payment incident, the related banking fees shall be payable by the Client.
In the event of a missed payment by the Client for all or part of an invoice sent within the period specified above, the Service Provider may automatically apply the following penalties to the Client for late interest, without prejudice to its right to claim compensation for the harm related to late payment.
If payment is not made and, in accordance with Article L. 441-10 of the French Code of Commerce, late interest shall be applied, calculated based on the interest rate of the European Central Bank applied to its most recent refinancing operation, plus 10 percentage points.
Pursuant to Article D 441-5 of the French Code of Commerce: « The amount of the flat-rate penalty for collections costs [...] is set at 40 euros. »
Article 16. Warranties
16.1 Reciprocal undisturbed use warranty
16.1.1 The Service Provider's warranty
The Service Provider hereby warrants to the Client that it has the necessary rights to grant the right to use the Services.
The Service provider shall be responsible for all damages that the Client may be ordered to pay by a final court ruling based exclusively on the demonstration of infringement.
This commitment is subject to the following express conditions:
- That the Client was notified as soon as possible, in writing, of the infringement suit or declaration preceding an infringement suit;
- That the Service Provider has been able to defend its own interests and those of the Client and, to do so, the Client has loyally collaborated in said defense by providing all elements, information, and assistance necessary to the success of such a defense.
The preceding provisions establish the limits of the Service Provider's responsibility regarding infringement, patent, and copyrights due to the use of the Services.
16.1.2 The Client's Warranty
The Client hereby warrants to the Service Provider that it has all of the necessary usage rights attached to its data.
The Client agrees to hold the Service Provider against all legal action, complaints, claims, objections by any person invoking any sort of right to the data communicated by the Client to which the performance of this Agreement is alleged to have caused harm.
In such a case, the compensation or fees of any nature paid by the Service Provider to defend itself, including attorneys’ fees, as well as all damages it may be ordered to pay, shall be paid by the Client.
16.2 Availability Warranty
Starting from the production launch, the Service Provider hereby warrants to the Client that it will be able to remotely access the service levels defined in the appendix entitled, « Description of the Services ».
Article 17. Responsibility
17.1 The Service Provider's Responsibility
By mutual agreement, the Parties hereby expressly agree that the Service Provider may not be held liable by the Client except in the event of proven misconduct and that, in the context of this Agreement, the Service Provider shall be subject to a best-efforts obligation.
The Service Provider may not be held liable due to disruptions or damages inherent to the Internet or having the characteristics of a force majeure event.
By mutual agreement, the Parties hereby agree that the Service Provider shall not be held liable except for direct damages, and that indirect harm shall be excluded from compensation.
Indirect damages include lost data, time, financing, income, patients, legal action, or image harm, expected results and third-party legal action.
The Service Provider’s responsibility for the Service shall be, by mutual agreement, limited to the amount of the monies actually paid by the Client for the Services for the year in which the damage occurs.
This clause shall remain applicable in the event of the invalidity, cancellation, termination, or elimination of these contractual relations.
17.2 The Client's Responsibility
The Client agrees to use the Services under its exclusive responsibility. The Client is solely responsible for the use of the Services in compliance with the provisions of this Agreement by each User.
Furthermore, the Client is solely responsible for:
- The suitability of the Services for their own needs, particularly based on the indications supplied by the Service Provider or on its website;
- The compatibility of the hardware and software environment used by each User with the Services.
The Client also warrants the Service Provider against any legal action by a User or a third party, based on the use of the Services.
Article 18. Force majeure
Initially, force majeure events shall suspend the performance of the Agreement.
If the force majeure events last longer than two months, this Agreement shall be terminated automatically, unless the parties agree otherwise.
The following are expressly considered force majeure events or acts of god, those usually accepted by French case law and courts, as well as the following events:
- War, riots, fires, internal or external strikes, lockouts, occupancy of the Service Provider's facilities, storms, earthquakes, floods, water damage, statutory or government restrictions, statutory or regulatory changes to forms of sale, any sort of accidents, epidemics, pandemics, diseases affecting over 10% of the Service Provider's staff within a period of two consecutive months, the lack of energy supplies, partial or total shutdown of the Internet network and, more generally speaking, of the private or public telecommunications networks, blocked roads and inability to obtain supplies or any other event outside the express control of the parties preventing the normal performance of this Agreement.
Article 19. Insurance
The Service Provider hereby warrants that it has taken out an insurance policy with a reputably solvent insurance company based in France for all financial consequences of its civil, professional, criminal and/or contractual liability due to physical, material, and immaterial harm caused to the Client and to any third party in the performance of this Agreement.
Article 20. Subcontracting
This Agreement may be the subject of subcontracting by the Service Provider according to the terms and conditions contained in the « Data Protection » appendix.
Article 21. Confidentiality
In the context of this Agreement, considered confidential are the Service Provider's Services, their features, computer applications, data templates, graphic interfaces, as well as the ideas, principles, know-how, methods behind the Services, algorithms, data organization, browsing, and any other element included in the Services, referred to hereinafter as the « Confidential Information. »
The Client hereby agrees that the Confidential Information:
- Must be protected and kept strictly confidential;
- Must be protected and kept strictly confidential;
- Must not be disclosed, or be likely to be directly or indirectly disclosed to any third party;
- Must not be disclosed internally except to the members of the Client’s staff that need to know the contents thereof;
- Must not be used except within the purpose specified in the recitals of this commitment and exclusively in the context of performing this Agreement, and particularly must never be used for the purpose of creating a competing or similar service;
- Must not be copied or reproduced, or duplicated, totally or partially.
Furthermore, the Client hereby agrees:
- Not to infringe, in any way, on intellectual property rights;
- To retain any copyright wording and other property right mentions contained on the various elements and documents provided, whether originals or copies.
For its part, the Service Provider agrees to respect the confidentiality of the Client's data under the terms and conditions provided for in this Agreement.
Article 22. Termination
22.1 Termination for Breach
In the event of a breach by either of the Parties of any obligation in this Agreement, and in particular those indicated in Article 7 of the Agreement, and in the event of non-compliance with the number of authorized users or non-payment of the price by the Client, which is not corrected within a period of 8 days starting from the sending of a registered letter with acknowledgment of receipt reporting the breach in question, the other Party may automatically terminate or cancel the Agreement without prejudice to any damages that it may claim under this Agreement.
22.2 Subscription Termination
In the event of a monthly subscription, the subscription agreement may be terminated at any time by either of the Parties sending a registered letter with acknowledgment of receipt to the other Party, with ten (10) days advance notice before the monthly due date. In the event of an annual subscription, the advance notice period shall be one (1) month before the annual due date.
Any payment for the current month shall remain payable.
Article 23. Consequences of the end of the Agreement
In the event of the cessation of contractual relations, for any reason whatsoever, the Service Provider shall destroy, as soon as possible after the cessation of contractual relations, any data supplied by the Client to the Service Provider.
In this context, access to the Services will no longer be permitted and the Client hereby agrees to no longer use or attempt to use the Services.
Article 24. General Provisions
24.1 Commercial references
Each of the Parties may mention the name of the other party as a commercial reference in accordance with standard business practices.
The computerized registries retained in the Service Provider's computer systems, under reasonable security conditions, shall be considered proof of the communication and sending of registration forms, as well as the various transmissions of information by the Client to the Service Provider enabling the Service Provider to conduct the processing desired by the Client.
In the event of a conflict between the Service Provider's computerized registries and any of the Client’s documents on written media or electronic files, it is hereby expressly agreed between the Parties that the Service Provider's computerized registries shall take precedence over the Client’s documents and alone shall be admissible as evidence.
The Parties mutually agree that the fact that one of the Parties tolerates a situation shall not have the effect of granting the other Party any rights.
Moreover, such tolerance shall not be interpreted as waiving the rights in question.
The Parties hereby declare that these commitments are sincere.
In this respect, the Parties warrant that they do not have any elements that, to their knowledge, if they had been communicated, would have changed the other Party’s consent.
24.5 Independence of the Parties
The Parties acknowledge that they are each acting on their own behalf as parties independent from one another and expressly declare that they are and shall remain, for the duration of this Agreement, independent partners and professionals.
This Agreement does not constitute any partnership, or franchise, or mandate given by either of the Parties to the other Party and may not in any case be interpreted as a sales agent agreement or any representation agreement, without the express consent of the Parties.
Neither of the Parties shall make a commitment in the name of and on behalf of the other Party, without the express consent of the Parties.
Furthermore, each of the Parties remains solely responsible for its actions, allegations, commitments, services, products, and staff.
In the event of difficulties in interpretation resulting from a contradiction between any of the titles contained at the top of the clauses and any of the clauses, the titles shall be declared non-existent.
If one or more provisions of this Agreement are found to be invalid or are declared as such in accordance with a law, regulation, or following a res judicata decision handed down by a competent court, the other provisions shall retain their full force and scope.
24.8 Full agreement
This Agreement cancels and replaces all quasi-contracts, implicit and explicit commitments, and promises on the same subject as this Agreement.
However, the purpose of this clause is not to prevent the use of said documents but to evaluate in legal terms the quality of the consents granted in the formation of this Agreement.
24.9 Transfer of the Agreement
This Agreement may not be the subject of a total or partial transfer, in exchange for consideration or free of charge, by either of the Parties, without the prior written consent of the other Party.
24.10 Addresses for Service
For the performance of this Agreement and unless there are special provisions to the contrary, the Parties hereby agree to send all correspondence to their respective registered offices.
Any change in address shall be reported to the other Party by registered letter with acknowledgment of receipt.
24.11 Governing Law
This Agreement is governed by French law.
The same applies to substantive rules and formal rules, with the places of performance of the substantive or ancillary obligations notwithstanding.
This Agreement forms an indivisible whole, so that one of the legal operations may not take place without the obligations under the Agreement being carried out simultaneously.
All legal actions between the parties shall be considered lapsed, excluding public policy provisions, if they have not been introduced within a period of two years starting from the first claim notified by registered letter with acknowledgment of receipt.
24.14 Forum Selection Clause
In the event of a dispute regarding all of the contractual or extra-contractual relations, express jurisdiction is hereby granted to the District Court of Aix en Provence, multiple defendants or being called in as a third party notwithstanding, even for urgent proceedings or protective urgent or on-demand proceedings.
Article 25. List of Appendices
The appendices to this Agreement are as follows:
- Appendix 1: Description of the Services
- Appendix 2: Data Protection
Appendix 1 Description of the services
Photo editing solution presented on the www.oralpix.com website
Support is provided by the Service Provider through email responses No intervention at the Client’s site is provided for in the context of this Agreement.
APPENDIX 2 DATA PROTECTION
As part of the performance of the Agreement by the Service Provider, the Service Provider may access the personal data of patients or Users, in the context of the performance of the Services which constitutes personal data Processing within the meaning of the current data protection regulations.
The Service Provider acknowledges the strictly confidential nature of all personal data to which it thus has access. Consequently, the Service Provider acknowledges that all of the data processed in the performance of the Agreement:
- Is subject to compliance with the regulations applicable in France and in the European Union on the subject of personal data protection (hereinafter, the « data protection regulations »), notably including:
- The French Data Protection Act;
- The General Data Protection Regulation;
- As applicable, texts adopted in the European Union and local laws that may apply to the personal data processed under the Agreement;
- The texts and decisions issued by data protection authorities, particularly the French Data Protection Authority (hereinafter, « CNIL »);
- As applicable, the texts, recommendations established or taken up as such by the European Data Protection board or any organization or authority in the personal data protection sector;
- As applicable, the industry reference systems applicable to personal health data Processing.
- Falling under privacy and professional secrecy
This appendix is an integral part of the Agreement and its purpose is to specify the conditions under which the Service Provider is committed to perform on behalf of the Client the personal data Processing operations under the Agreement.
3. Description of the Processing to be subcontracted
The Service Provider is authorized, throughout the full duration of the Agreement, to process on behalf of the Client the personal data required to provide the following services: export, analysis, installation, configuration, monitoring, maintenance, support, hosting, deletion.
The operations conducted on the personal data are as follows:
- User account creation;
- Managing data streams;
- Loading and downloading data;
- Data transformation;
- Data hosting;
- Data deletion.
The purposes of the Processing are as follows: making it possible to transform the images uploaded by the User according to the standard defined in the appendix entitled, « Description of the Services ».
The personal data processed are as follows:
- Photos of the patients’ face and teeth, without directly identifying the patients;
- Data regarding the identity, authentication and actions of the Users.
The categories of data subjects are as follows:
- les Utilisateurs.
The persons authorized to process personal data under the Agreement are as follows:
- The Service Provider's staff (technicians, engineers);
- The Service Provider's subcontractors as mentioned in the « Subcontracting » clause of this appendix;
4. The Service Provider's Obligations to the Client
The Service Provider shall make its best efforts to ensure to the Client that its legal and regulatory obligations will be respected, particularly the data protection regulations, in addition to compliance with its obligations under this Agreement.
Thus, the Service Provider shall make its best efforts in order to:
- Process the Personal Data only for the purposes of the subcontracting referred to above;
- Process the Personal Data in accordance with the Client’s documented instructions regarding transfers of personal data to a third party country or international organization. If the Service Provider feels that an instruction constitutes a violation of the data protection regulations, it shall immediately inform the Client of that Furthermore, if the Service Provider is obligated to conduct a personal transfer to a third party or to an international organization under a mandatory legal provision in the European Union or the law of the Member State to which it is subject, it must inform the Client of that legal obligation before Processing personal data, unless the law concerned prohibits such a disclosure for significant reasons of public interest;
- Ensuring the confidentiality of the Personal Data processed. Thus, the Service Provider shall take all measures for preventing any unauthorized, malicious, or fraudulent use of the Personal Data
- Refrain from:
- Processing and/or consulting the Personal Data for purposes other than the performance of the services that it provides to the Client under the Agreement, (even if access to such data is technically possible);
- Disclosing, in any form whatsoever, all or part of the personal data processed;
- Making copies or storing, regardless of the form or purpose, all or part of the personal information or data contained on the media or documents which have been entrusted to it or which it has collected in the performance of the Agreement, outside of the cases covered by this appendix.
- Make sure that the persons authorized to process the personal data under the Agreement:
- Agree to respect the confidentiality thereof or are subject to an appropriate legal non-disclosure obligation;
- Receive the necessary information on data protection.
- Take into account, with regard to its tools, products, applications, or services, data protection principles starting from the design and default data protection in Article 25 GDPR.
The Parties agree to define the concept of instruction as being received when the Service Provider is acting in the context of the performance of this Agreement.
The Client hereby authorizes the Service Provider to subcontract out all or part of the services to a processor, within the meaning of the data protection regulations, particularly to a country not located in the European Union under the reservations listed in the article entitled, « Cross-Border Streams of Personal Data » in this appendix.
In all cases, the Service Provider shall make its best efforts to:
- Inform and sign with its sub-processor a written agreement requiring the processor to comply with the same data protection obligations as those established in this appendix and in this Agreement;
- Pass on to its processor all necessary obligations in order to ensure compliance with the confidentiality, security, and integrity of the data, and so that said data may not be transferred or leased to a third party, free of charge or otherwise, nor used for purposes other than those specified in this appendix;
- Inform the Client of any planned change regarding the addition or replacement of other sub-processors.
When sub-processors do not meet their personal data protection obligations, the Service Provider shall remain fully responsible with regard to the Client for the performance by sub-processors of their obligations.
The Service Provider employs the company, AMAZON WEB SERVICES EMEA SARL, whose registered offices are located at 38 AVE JOHN F KENNEDY L 1855 99137 LUXEMBOURG for hosting activities.
6. The Rights of Data Subjects
It is the Client’s responsibility to provide the information (in accordance with the requirements of the data protection regulations, and in particular Articles 13 and 14 GDPR) to the data subjects of the Processing operations when their Personal Data is collected and to gather their consent for the processing of their data.
To the extent possible, the Service Provider shall help the Client to provide the aforementioned information and to fulfill its obligation to follow up on requests to exercise the rights of Data Subjects, and particularly the following rights: right of access, correction, deletion, and objection, right to limit Processing, right of data portability, right not to be the subject of an automated individual decision.
7. Notification of Personal Data Breaches
The Service Provider shall notify the Client as soon as possible after finding out about any personal data breach, or any security breach resulting, accidentally or unlawfully, in the destruction, loss, alteration, or unauthorized disclosure of the personal data transmitted, processed, or stored in a manner not compliant with the Client’s instructions and with the data protection regulations, or unauthorized access of such Personal Data, and by any means.
The Service Provider shall communicate, at the same time or subsequently (but promptly, in any case), all useful documentation in order to enable the Client, if necessary, to notify and/or communicate that breach to the competent data protection authority (hereinafter, « CNIL »).
The Client also agrees to notify the Service Provider, as soon as it finds out, of any personal data breach by any means.
8. Support from the Service Provider in the context of compliance by the Client with its obligations
The Service Provider shall help the Client, to the extent possible, in complying with its obligations under the data protection regulations, including:
- Its obligations to notify CNIL or inform the data subject of a personal data breach;
- Its prior consultation obligation toward CNIL, referred to in Article 36 GDPR.
Furthermore, when the Client decides or is forced to conduct an impact assessment regarding data protection for one or more of the Processing it conducts, the Service Provider shall make its best efforts to support the Client in conducting such assessments. Such services will be the subject of a separate invoice issued by the Service Provider.
In the event of a CNIL audit, the Parties agree to cooperate with one another and with CNIL. More particularly, in the event of an audit conducted at the Service Provider's site regarding the Processing implemented in the name of and on behalf of the Client, the Service Provider shall immediately inform the Client of that and make no commitments on its behalf.
In the event of a CNIL audit at the Client’s site, dealing in particular with the services provided by the Service Provider, the latter shall cooperate with the Client and provide it with all information it might need or which may prove necessary.
9. Security measures
9.1. General security measures applicable to all Processing
In accordance with the data protection regulations, the Service Provider shall make its best efforts to take all useful precautions, particularly with regard to the nature of the personal data and the risks presented by Processing, in order to protect the security and confidentiality of the personal data transmitted, processed, or stored, and to prevent its deformation, alteration, damage, destruction, accidentally or unlawfully, loss, disclosure, and/or any access to such data by third parties not authorized in advance, accidentally or unlawfully.
The Service Provider shall make its best efforts to implement all appropriate technical and organizational measures to protect the personal data, taking into account the current state of knowledge, the costs of implementation, and the nature, scope, context, and purposes of the Processing, as well as the risks, whose degree of probability and severity vary, for the rights and freedoms of natural persons, in order to ensure a level of security adapted to the risk.
In this capacity, the Service Provider shall make its best efforts to conduct the Processing outsourced by the Client under this Agreement and, depending on the needs, to implement the following measures based on current standards, as applicable drawing inspiration from the rules derived from the general health IT systems security policy published by ASIP Santé:
- Pseudonymization and encryption of Personal Data;
- Informing and raising awareness of its staff, particularly by having each person acting on behalf of the Service Provider sign:
- An individual non-disclosure agreement attached to their employment contract;
- An individual commitment limiting their actions to the sole purposes of the assignment entrusted to them;
- Access to data using an authentication method compliant with CNIL recommendations;
- Specifying permission profiles, elimination of obsolete access rights and limiting access to administration tools and interfaces solely to authorized persons;
- Use of automatic tracking systems (logs);
- Specifying a security policy adapted to the risks of Processing and including security objectives as well as the physical, logical, and organizational security measures making it possible to achieve those objectives;
- Using resources for ensuring the ongoing confidentiality, integrity, availability, and resilience of the solution and Processing services;
- Using resources making it possible to reestablish the availability of Personal Data and access thereto within appropriate time limits in the event of a physical or technical incident;
- Implementation of a procedure aimed at regularly testing, analyzing, and evaluating the effectiveness of the technical and organizational measures to ensure the security of Processing;
10. Fate of Personal Data
With regard to data concerning patients:
- Directly identifying data are deleted at the end of transformation of the image, once the image is uploaded/downloaded or, as applicable, when the User logs out from the webapp;
- Non-identifying data are retained in a form that does not make it possible to re-identify patients, in order to enable development of the tool.
With regard to data concerning the User(s):
- Data regarding the User accounts and the Client’s account are deleted at the end of the subscription;
- Data related to connections to and use of the Services are stored over a rolling period not to exceed six months.
Within the aforementioned time limits, the Service Provider shall destroy the Personal Data, except in the event of a mandatory provision to the contrary resulting from EU law or the law of a European Union Member State applicable to the Processing that is the subject of this Agreement.
11. Data Protection Officer
The Service Provider shall provide the Client with the name and contact information of its Data Protection Officer, if one has been appointed, in accordance with Article 37 GDPR.
12. Register of Processing activities categories
The Service Provider shall keep a register of all categories of processing activities performed on behalf of the Client, in accordance with the provisions of Article 30 GDPR.
13. Cross-border streams of Personal Data
To date, no data transfer to a third-party country not belonging to the European Union, or to an international organization has been conducted.
In the event of such a transfer, the Service Provider shall obtain the Client's prior written consent. If such consent is given, the Service Provider shall make its best efforts to cooperate with the Client in order to ensure:
- Compliance with procedures making it possible to comply with the data protection regulations;
- If necessary, entering into one or more contracts for establishing cross-border streams of personal data. To the extent possible, the Service Provider agrees in particular, if necessary, to sign such contracts with the Client and/or to obtain the conclusion of such contracts by its sub-processors. To do so, it is hereby agreed between the parties that the standard contractual clauses published by the European Commission will be used to establish cross-border streams of personal data.
The Service Provider shall provides the Client with all necessary documentation in order to demonstrate compliance with all of its obligations and to enable audits to be conducted, including inspections, by the Client or another auditor appointed by it, and to contribute to such audits.
15. The Client's Obligations to the Service Provider
The Client shall make its best efforts to ensure to the Service Provider that its legal and regulatory obligations will be respected, particularly the data protection regulations, in addition to compliance with its obligations under this Agreement.
The Client agrees to:
- Enable the Service Provider to access the Personal Data concerned by the Agreement;
- Document in writing any instruction regarding the Processing of Personal Data by the Service Provider, in the context of this Agreement;
- Oversee, before and during processing, compliance by the Service Provider with the obligations provided for by the data protection regulations;
- Supervise the processing, including conducting audits and inspections at the Service Provider's site.