Preamble and contractual articulation
This Data Processing Agreement ("DPA") is concluded between the hosting provider having claimed its listing on the RackList platform, acting as controller, and RackList, acting as processor. It supplements and forms an integral part of the general terms of use and the general terms of sale accepted at the time the listing is claimed.
In the event of any contradiction between this DPA and any other contractual document relating to the processing of personal data, the provisions of the DPA prevail. The provisions of the DPA may only be modified or derogated from by means of a written amendment signed by both parties.
This DPA is accepted by the controller through an explicit opt-in checkbox at the time the listing is claimed, with time-stamping and storage of the accepted version in the database. A PDF copy is made available upon written request.
Definitions
Terms used in this DPA have the meaning given to them by Article 4 of the GDPR. The following definitions are recalled on a non-exhaustive basis:
- "Personal data" means any information relating to an identified or identifiable natural person (art. 4.1).
- "Processing" means any operation or set of operations performed on personal data (art. 4.2).
- "Controller" means the entity which, alone or jointly with others, determines the purposes and means of the processing (art. 4.7).
- "Processor" means the entity that processes personal data on behalf of the controller (art. 4.8).
- "Sub-processor" means any processor engaged by the initial processor to carry out specific processing activities on behalf of the controller.
- "Data subject" means the identified or identifiable natural person to whom the personal data relates.
- "Personal data breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data (art. 4.12).
- "EEA" means the European Economic Area.
- "Documented instructions" means instructions given by the controller to the processor in writing or by any equivalent means allowing them to be traced (email, ticket, account settings, contract).
- "TOMs" means technical and organisational measures intended to ensure the security of the processing (art. 32).
Purpose and qualification of the parties
The purpose of this DPA is to define the conditions under which RackList, as processor, processes personal data on behalf of the hosting provider, as controller, strictly within the scope of the platform's B2B features.
Flows within scope (RackList = processor)
Flows out of scope (RackList = controller)
For flows outside this DPA, processing is governed by the privacy policy published on the platform.
Description of processing (see Annex 1)
In accordance with the chapeau of Article 28.3 of the GDPR, the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and the categories of data subjects are described in Annex 1 to this DPA.
Annex 1 constitutes a full contractual provision. Any substantial modification is the subject of an amendment or a new version of the DPA brought to the attention of the controller.
Annex 1 - Description of processing
Documented instructions (art. 28.3.a)
RackList processes personal data solely on documented instructions from the controller, including with regard to transfers of personal data to a third country or an international organisation.
The controller's initial instructions result from this DPA, the general terms and the configuration of the hosting provider's account on the platform (scope of the listing, authorised sub-users, configured webhooks).
Any additional instruction is transmitted in writing, to contact@racklist.eu or through an authenticated support channel that keeps a time-stamped record of the request.
If a legal obligation of the European Union or a Member State requires RackList to carry out processing not covered by the instructions, RackList informs the controller of that legal requirement before processing, unless the law prohibits such information on important grounds of public interest.
RackList immediately informs the controller if, in its opinion, an instruction infringes the GDPR or other data-protection provisions of Union or Member State law.
Staff confidentiality (art. 28.3.b)
RackList ensures that any natural person acting under its authority who has access to personal data processes them only on documented instructions from the controller.
Authorised persons are bound by a contractual confidentiality obligation, as well as by applicable legal obligations.
RackList trains its staff on GDPR requirements, security policies, incident-handling procedures and secret-management best practices. Records of this training are kept and may be communicated to the controller upon request.
Accesses are revoked without delay in the event of departure or role change of an authorised person, following a documented and logged procedure.
Security and technical and organisational measures (art. 28.3.c, 32 - see Annex 2)
RackList implements and maintains the appropriate technical and organisational measures detailed in Annex 2, in order to ensure a level of security appropriate to the risk, in accordance with Article 32 of the GDPR.
These measures are reviewed regularly and updated to take into account the state of the art, the cost of implementation, and the nature, scope, context and purposes of the processing.
Any substantial modification of the measures is brought to the attention of the controller within a reasonable time allowing its impact to be assessed.
Annex 2 - Technical and organisational measures (art. 32)
Sub-processors (art. 28.3.d - see Annex 3)
RackList may engage sub-processors to carry out specific processing activities on behalf of the controller, under a general authorisation. The list of initially authorised sub-processors is set out in Annex 3.
Any intended change concerning the addition or replacement of a sub-processor is notified to the controller at least thirty (30) days before its implementation, by email to the contact address recorded in the hosting provider's account, and through publication of the updated Annex 3 on this page.
The controller has a right to object, on reasoned grounds, during this notice period. In the event of a serious and reasoned objection, the parties seek an alternative solution in good faith. Failing agreement, the controller may terminate without cost the part of the contract affected by the change.
RackList imposes contractually on each sub-processor the same data-protection obligations as those set out in this DPA, in particular those providing sufficient guarantees as to the implementation of appropriate technical and organisational measures ("mirror clause").
RackList remains fully liable to the controller for the performance by the sub-processor of the obligations incumbent upon it.
Assistance with data subject rights (art. 28.3.e)
RackList assists the controller, through appropriate technical and organisational measures, to fulfil its obligation to respond to requests from data subjects to exercise their rights (Articles 12 to 23 of the GDPR).
Assistance requests are sent to contact@racklist.eu. They are traced and acknowledged.
Standard assistance time-frame: seventy-two (72) working hours from receipt of the complete request.
Expedited assistance time-frame in case of substantiated urgency (risk to rights and freedoms, request subject to an imperative deadline imposed on the controller by an authority): twenty-four (24) hours.
A reasonable volume of requests, proportionate to the main contract, is included in the subscription. Above a threshold agreed and notified in advance, a processing cost may be applied, without prejudice to the data subjects' rights.
Assistance on security, breach, DPIA (art. 28.3.f)
RackList assists the controller in ensuring compliance with the obligations laid down in Articles 32 to 36 of the GDPR, taking into account the nature of the processing and the information available to it.
- Under Article 32, RackList provides the controller, upon request, with an up-to-date description of the technical and organisational measures implemented (Annex 2).
- Under Articles 33 and 34, the breach-notification procedure is detailed in section 11 of this DPA.
- Under Article 35 (DPIA), RackList provides the controller with the information relating to processing carried out on its behalf that is necessary to perform a data-protection impact assessment.
- Under Article 36 (prior consultation of the authority), RackList cooperates with the controller by communicating any information useful for consulting the supervisory authority.
Personal data breach notification (art. 33.2)
RackList notifies the controller of any personal data breach of which it becomes aware without undue delay and, in any event, within a maximum of forty-eight (48) hours of becoming aware of the breach.
The notification is sent to the DPO or privacy contact address recorded in the hosting provider's account, with a copy to the dedicated channel contact@racklist.eu, together with the opening of a tracked incident.
Minimum content of the notification
Where such information cannot be provided at the same time, it is transmitted in phases, as soon as possible, without further undue delay. RackList cooperates with the controller to enable it, where applicable, to notify the breach to the competent supervisory authority within the seventy-two (72) hours provided for in Article 33.1, and to communicate the breach to the data subjects pursuant to Article 34.
Termination and fate of data (art. 28.3.g)
Upon termination of the main contract, for any reason whatsoever, RackList proceeds, at the controller's written choice expressed within thirty (30) days following termination, with:
- RackList makes available to the controller a structured and machine-readable export of the data processed on its behalf, in JSON or an equivalent documented format.
- RackList deletes all data processed on behalf of the controller, including in backups, within a documented contractual period not exceeding the backup rotation cycle applicable to the platform.
Failing an option expressed within the allotted time, deletion applies by default.
Upon written request, a certificate of deletion or return, dated and signed, is delivered to the controller.
By way of exception, RackList may retain certain data where Union or Member State law requires it (accounting obligations, civil or criminal statutes of limitation). In such cases, the duration and legal basis of the retention are communicated to the controller, and the data concerned remain subject to the security and confidentiality obligations of this DPA.
The thirty (30) day period available to the controller to express its choice constitutes a reflection period, not a retention duration: it does not extend the processing purpose beyond termination.
Audits and inspections (art. 28.3.h)
RackList makes available to the controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and to allow audits, including inspections, conducted by the controller or a third-party auditor mandated by it.
- As a matter of principle, audits are conducted on a documentary basis, through the provision of reports, certifications, penetration-test results, internal policies and sub-processor attestations.
- On-site inspections may be organised, subject to written notice of thirty (30) days, during business hours, under conditions compatible with the continuity of the service and the confidentiality owed to RackList's other clients.
- The controller may mandate an independent third-party auditor, provided that the auditor is not a direct competitor of RackList and signs a confidentiality undertaking equivalent to that applicable to the controller.
- Save in the event of a substantiated security incident or a request from the supervisory authority, audits are limited to one (1) per twelve (12) month period.
- Audit costs are borne by the controller, save in the event of a documented substantial non-conformity, in which case they are borne by RackList, without prejudice to any other rights and remedies.
International transfers (Chapter V of the GDPR)
RackList does not carry out any transfer of personal data outside the European Economic Area, except strictly within the legal bases provided for in Chapter V of the GDPR.
Legal bases relied upon
In accordance with the Schrems II judgment of the Court of Justice of the European Union (C-311/18, 16 July 2020) and EDPB Recommendations 01/2020, RackList performs and maintains a Transfer Impact Assessment per destination, and implements the necessary supplementary measures (encryption, pseudonymisation).
The up-to-date list of sub-processors and associated processing country is provided in Annex 3.
Liability and indemnification (art. 82)
Each party bears liability for the damage caused by processing that infringes the GDPR, under the conditions of Article 82. The processor is liable for the damage only where it has not complied with obligations of the GDPR specifically directed to processors or where it has acted outside or contrary to the controller's lawful instructions.
RackList's contractual liability under this DPA, for all causes combined, is capped at the total amount, exclusive of tax, actually paid by the controller to RackList under the main contract during the twelve (12) months preceding the triggering event, subject to a floor corresponding to the applicable minimum GDPR-based sanctions.
This cap does not apply in cases of gross negligence, wilful misconduct, deliberate breach of this DPA, or where a mandatory rule prohibits such limitation, in particular under Article 82 of the GDPR or the applicable articles of the French Civil Code.
RackList declares that it holds professional civil-liability insurance covering the risks associated with the processing of personal data. A certificate of insurance can be communicated upon written request.
Term and termination
This DPA enters into force on the date of its acceptance by the controller, when the listing is claimed, and remains applicable throughout the duration of the main contract.
By way of exception, provisions relating to confidentiality, to any ongoing breach notification, to assistance with data subject rights, to the fate of data (section 12) and to audits survive the termination of the main contract, for the time strictly necessary for their performance.
RackList may amend this DPA to take into account a regulatory change, a decision or guideline of a supervisory authority, or a substantial modification of the service's architecture. The new version is notified to the controller at least thirty (30) days before its entry into force. The controller has a right to object, on reasoned grounds, during this period. Failing objection, the new version becomes enforceable against it.
Governing law and jurisdiction
This DPA is governed by French law. The mandatory provisions of the GDPR and of Union law apply in all circumstances and cannot be set aside by the provisions of this contract.
Any dispute relating to the formation, performance, interpretation or termination of this DPA that could not be resolved amicably within a reasonable time is submitted to the exclusive jurisdiction of the courts within the jurisdiction of the Lyon Court of Appeal, subject to the mandatory rules of territorial jurisdiction applicable in consumer-protection matters and to the rules of Union law.
This DPA is drafted in French, which alone is authoritative between the parties. An English courtesy translation may be provided for information purposes only and is not enforceable.
Annex 1 - Description of processing
This annex describes, in accordance with the chapeau of Article 28.3 of the GDPR, the characteristics of the processing operations carried out by RackList on behalf of the controller.
No special category of data within the meaning of Article 9 of the GDPR is processed within the scope of this DPA.
As defined in this DPA, in the main contract and by the GDPR, in particular the obligation to provide lawful documented instructions, to maintain its own record of processing activities (art. 30.1), to inform data subjects (art. 13-14) and to cooperate with the supervisory authority (art. 31).
Annex 2 - Technical and organisational measures (art. 32)
This annex describes the technical and organisational measures implemented by RackList to ensure a level of security appropriate to the risk. It is structured on the basis of Annex II to Implementing Decision (EU) 2021/914 and the CNIL and ISO/IEC 27001 reference frameworks.
Annex 3 - Authorised sub-processors
This annex lists, as at the last update of this DPA, the sub-processors engaged by RackList for the performance of processing carried out on behalf of the controller. Any modification of this list is governed by section 8 of the DPA.
| Sub-processor | Service and nature of data | Processing location | Transfer outside the EEA | Guarantees relied upon |
|---|---|---|---|---|
| Hetzner Online GmbH | IaaS hosting (application servers, database, backups) | Germany (EEA) | No | ISO/IEC 27001 certification, public DPA available on the provider's website. |
| Royale Hosting SARL | Internet access and IP transit provider (ISP, AS215665) | France (EEA) | No | French entity, subject to the GDPR and to the French Data Protection Act. |
| Cloudflare, Inc. | Content delivery network (CDN), web application firewall, DDoS protection, processing of technical metadata (IP addresses, HTTP headers) | United States, Ireland (worldwide points of presence) | Yes | EU-US Data Privacy Framework certification (Implementing Decision (EU) 2023/1795); as a subsidiary safeguard, standard contractual clauses (Decision (EU) 2021/914, module 3). |
| Stripe Payments Europe Ltd. | Processing of the hosting provider's subscription payments (customer metadata) | Ireland (EEA), United States | Yes | EU-US Data Privacy Framework + standard contractual clauses module 2; public Stripe DPA. |
| Transactional email provider | Delivery of transactional emails (confirmations, notifications, invitations) | European Union (to be specified upon production rollout) | No (subject to the final choice of provider) | Dedicated processing agreement, provider DPA, GDPR compliance contractually guaranteed. |
Any substantial update of this list, in particular the addition of a sub-processor outside the EEA, is notified in accordance with section 8.