Privacy Policy

1 “PROTECTION AND SECURITY OF CLIENT DATA”
1.1 “this schedule shall prevail over any other provision in the Contract”
1.1.1 This schedule shall prevail over any other provision in the Contract and replace any previous contractual provision between the parties relating to the protection of the CLIENT’s personal data processed by the SaaS Service.
1.2 “ONE2TEAM certificate of compliance with standard ISO 27018”
1.2.1 ONE2TEAM has embarked on having its SaaS Service brought into compliance with standard ISO 27018 by an accredited auditor to offer the CLIENT the guarantee of strict compliance with personal data legislation and the obligation on secure treatment of the CLIENT’s data in particular. The main commitments made by ONE2TEAM on compliance with standard ISO 27018 will be noted at points in the provisions of this schedule.
1.3 “ONE2TEAM certification to standard ISO 27001”
1.3.1 ONE2TEAM has embarked on having its SaaS Service brought into compliance with standard ISO 27001 by an accredited auditor to offer the CLIENT the guarantee of working with a trusted provider. The main commitments made by ONE2TEAM on certification to standard ISO 27001 will be noted at points in the provisions of this schedule.
1.4 “definitions”
1.4.1 “database” means the electronic database produced by the CLIENT (as defined in Directive 96/9/EC of 11 March 1996 and French Act no. 98-536 of 1 July 1998) of the data it contains. The right of use granted by the CLIENT to ONE2TEAM over the data held in the CLIENT’s database is described in this Schedule.
1.4.2 “data” means any data held by the CLIENT in an electronic format, regardless of whether said data constitute personal data or data protected by an intellectual or industrial property right. These data constitute the content of the database produced by the CLIENT and made available to ONE2TEAM to provide the SaaS Service.
1.4.3 “Personal data legislation” means any legislation applicable in France on the protection of the personal data of natural persons, in particular the French Data Protection Act no. 78-17 of 6 January 1978 (as amended by French Act no. 2018-493 of 20 June 2018), Directive 2002/58/EC of 12 July 2002 on privacy and electronic communications as amended by Directive 2009/136/EC of 25 November 2009 and Regulation EU no. 2016/679 of 27 April 2016 “GDPR” on the protection of personal data. The terms “controller”, “processor”, “processing”, “data subject”, “data breach” and “personal data” used in the Contract shall have the meanings defined in Article 4 GDPR.
1.4.4 “Security Measures” means all the technical and organisational measures applied by ONE2TEAM (i) to ensure “the ongoing confidentiality, integrity, availability and resilience of processing systems and services” (art.32.1 GDPR) of the data held in the CLIENT database processed by the SaaS Service, (ii) to allow its Information System to “restore the availability” of data and the CLIENT’s “access” to their data “within an appropriate time frame in the case of a physical or technical incident” and (iii) to prevent or limit the impact of any incident that might compromise “the availability, authenticity, integrity or confidentiality of stored or transmitted or processed data” (“NIS” Directive no. 2016/1148/EU of 6 July 2016 and the French “SRSI” Act no. 2018-133 of 26 February 2018) by ONE2TEAM in relation to the SaaS Service.
1.4.5 “Information System” means for both the CLIENT and for ONE2TEAM (i) “any device or group of interconnected or related devices,” via an electronic communications network, “one or more of which, pursuant to a program, perform automatic processing of digital data” and (ii) “digital data stored, processed, retrieved or transmitted” by this device via an electronic communications network “for the purposes of their operation, use, protection and maintenance” (“NIS” Directive no. 2016/1148/EU of 6 July 2016 and the French “SRSI” Act no. 2018-133 of 26 February 2018) (iii) which are the property or under the control of a party and (iv) more generally, any hardware and/or software, internal or external to one party’s business, necessary for the smooth running of its Information System (air conditioning, power supply, etc.) and used by said party to provide or benefit from the SaaS Service.
1.5 “the CLIENT is the producer of the content of its database”
1.5.1 The CLIENT has invested in hardware and committed human and financial resources (Art. L.342-1 of the French Intellectual Property Code – CPI) to carry out its commercial activities, giving it the quality of producer of the content of its database. Accordingly, the CLIENT has the right to prohibit any extraction and/or reuse of the content of its database or any substantial part thereof, measured in qualitative or quantitative terms (Art. L.342-2 CPI).
1.6 “granting of a right of extraction to ONE2TEAM”
1.6.1 In order to allow ONE2TEAM to provide the SaaS Service, the CLIENT grants ONE2TEAM a non-exclusive right, free of charge, to extraction of all the content of the database, solely for the purpose of delivering the services comprising the SaaS Service and only during the period of legitimate actual use of the SaaS Service by the CLIENT or (i) to monitor the security of its Information System (Software + Hosting Platform) or (ii) to improve the technical operation of the Software and/or SaaS Service. The temporary right of extraction granted by the CLIENT to ONE2TEAM does not give ONE2TEAM the right to create a database from the content of the CLIENT’s database, of which ONE2TEAM would be the producer. It is expressly agreed between the parties that the results of processing the content of the database using the SaaS Service will constitute a part of the content of the CLIENT’s database only.
1.7 “the CLIENT is solely responsible for the processing of personal data held in the database”
1.7.1 The CLIENT guarantees to ONE2TEAM that the CLIENT only shall determine (i) the purposes and (ii) the means of processing (Art. 4.7 GDPR) that it carries out on the personal data held in the database. Accordingly, the CLIENT declares that by paying the fee for the use of the SaaS Service, it is free to determine, at its own discretion the (pecuniary and/or physical) resources that it decides to implement to process any or all of the content of its database.
1.7.2 Accordingly, ONE2TEAM reminds the CLIENT that the SaaS Service is a standard service designed for businesses of varying sizes, operating in different areas of activity. It is therefore the CLIENT’s responsibility, on the signature of the Contract:
(i) to check that the SaaS Service reflects the definition of its requirements, notably in respect of the purpose of processing the data and in particular, the personal data held in its database, and to ensure that the SaaS Service is on an appropriate scale for the fulfilment of its professional objectives, which ONE2TEAM is not in a position to know;
(ii) to check that the purpose of the processing provided as standard by ONE2TEAM through its SaaS Service is compatible with the purpose of processing by the CLIENT of the personal data held in its database, of which the CLIENT, as the controller, has previously informed the data subjects.
1.7.3 ONE2TEAM expressly acknowledges and accepts (i) that it does not have the right to define the use of personal data held in the CLIENT’s database and (ii) undertakes only to process the personal data held in the CLIENT’s database in its capacity as a processor (Art. 4.8 GDPR) for the CLIENT, exclusively on behalf of the CLIENT and only under the conditions set out in the Contract. Unless otherwise agreed in writing by the CLIENT, ONE2TEAM undertakes not to extract and/or reuse the content of the CLIENT’s database, except in the limited conditions agreed in the Contract.
1.8 “CLIENT guarantees concerning personal data”
1.8.1 Prior to any use of the Software or the SaaS Service by the CLIENT, and throughout the period of legitimate actual use of the SaaS Service by the CLIENT, the CLIENT warrants to ONE2TEAM that in its capacity as a controller (Art. 4.7 GDPR) of the personal data held in its database:
(i) the CLIENT has collected and processed the personal data lawfully, fairly and transparently, for determined, explicit and legitimate purposes defined solely by the CLIENT, and which ONE2TEAM is not in a position to know;
(ii) the CLIENT can prove that it provided information in advance (Art. 12 GDPR) to those persons whose personal data it processes of all its obligations in relation to them (notably, determining the “legal basis” for processing, its precise purposes and the retention period of the data processed);
(iii) the CLIENT has informed the data subjects that their rights (Art. 15 to 22 GDPR) must be exercised directly with the CLIENT and not through ONE2TEAM. ONE2TEAM undertakes to comply with any reasonable, lawful instruction from the CLIENT in writing in this respect;
(iv) the CLIENT has made all the potential prior declarations incumbent on it to its Supervisory Authority (Art. 51 GDPR) associated with the processing of personal data from its database, notably by ONE2TEAM in its capacity as a processor for the CLIENT (Art. 4.8 GDPR) in respect of the SaaS Service.
1.9 “characteristic elements of the processing entrusted to ONE2TEAM by the CLIENT”
1.9.1 ONE2TEAM is authorised to process personal data on behalf of the CLIENT for the purpose of providing the SaaS Service described in the Contract.
1.9.2 The personal data are the contact data for the users of the SaaS Service authorised by the CLIENT to use the SaaS Service.
1.10 “CLIENT guarantees and explicit essential characteristics”
1.10.1 The guarantees given to ONE2TEAM by the CLIENT in respect of Article “CLIENT guarantees concerning personal data” are all explicit essential qualities of the service (Art. 1133 [new] French Civil Code) incumbent on the CLIENT; accordingly, ONE2TEAM cannot be held criminally liable in this respect on any basis whatsoever. Otherwise, the CLIENT undertakes to hold ONE2TEAM harmless without any restriction or reservation, from any financial or other consequences for which ONE2TEAM may be held liable in this respect.
1.11 “ONE2TEAM guarantees”
1.11.1 ONE2TEAM expressly acknowledges and accepts that:
(i) the CLIENT only shall determine the purposes and means of processing personal data arising notably, from the use of the SaaS Service;
(ii) the use by the CLIENT of the SaaS Service does not entitle ONE2TEAM (a) to define other means or other purposes of processing the personal data held in the CLIENT database, nor (b) to process the personal data for its own needs or other purposes than those defined by the CLIENT in respect of the Contract, without the CLIENT’s prior agreement in writing.
1.12 “ONE2TEAM is the processor of the CLIENT’s personal data”
1.12.1 ONE2TEAM shall act in its capacity as processor of the CLIENT’s personal data (Art. 28 GDPR). Accordingly, ONE2TEAM undertakes (i) not to process the personal data held in the CLIENT’s database other than in accordance with the conditions of the Contract and (ii) not to carry out any other processing of the personal data in the CLIENT’s database that is not provided for in the Contract, except on the CLIENT’s written, documented and lawful prior instruction. This commitment by ONE2TEAM is one of the points of the ONE2TEAM SaaS Service checked for compliance with the standard ISO 27018.
1.12.2 ONE2TEAM hereby reminds the CLIENT that any instruction from the CLIENT to ONE2TEAM that could result in a failure to comply with the GDPR or French personal data protection law (Art. 28.3 para. 2 GDPR) shall oblige ONE2TEAM to inform the CLIENT immediately. ONE2TEAM reserves the right to refuse instructions from the CLIENT that it considers unlawful (Art. 82.2 GDPR). In this case, a written, documented refusal by ONE2TEAM would not allow the CLIENT to terminate the Contract, unless the CLIENT is willing to be held liable in respect of ONE2TEAM for termination of the Contract “without legitimate grounds”.
1.13 “transfer of personal data outside the EU”
1.13.1 The data subjects’ personal data are stored and processed by ONE2TEAM on servers located exclusively in the territory of countries (i) in the European Union or European Free Trade Association (Iceland, Norway and Liechtenstein) or (ii) for which an adequacy decision has been adopted by the European Union (principally Argentina, Canada, Israel, New Zealand, Switzerland, Uruguay and Japan since 23 January 2019 and “Privacy Shield”), which allows ONE2TEAM to export personal data without “specific authorisation” (Art. 45.1 GDPR) from the data subjects. This commitment by ONE2TEAM is one of the points of the ONE2TEAM SaaS Service checked for compliance with the standard ISO 27018.
1.13.2 Any transfer of personal data to another country will be subject to a prior written agreement from the CLIENT, except for (i) a transfer under the CLIENT’s B.C.R. (Binding Corporate Rules) in accordance with personal data legislation or (ii) a written data transfer contract in strict compliance with the Decision of the European Commission no. 2010/87/EU of 5 February 2010 on “standard contractual clauses for the transfer of personal data to processors established in third countries” and only after the processor has sent the CLIENT a signed copy of the data transfer contract, provided the CLIENT informs those whose data it is asking ONE2TEAM to process.
1.14 “record of processing activities”
1.14.1 ONE2TEAM undertakes to maintain an up-to-date record of processing activities in accordance with Article 30.1 GDPR.
1.15 “ONE2TEAM subcontracting commitment”
1.15.1 The obligations incumbent on ONE2TEAM, particularly in relation to Hosting Platform services, may be performed by a service provider acting as a subcontractor to ONE2TEAM. In general terms, ONE2TEAM undertakes not to subcontract its own services to a sub-subcontractor that does not comply with GDPR (Art. 28 GDPR) and to prioritise service providers (i) who offer appropriate safeguards (Art. 46 GDPR) or (ii) have adhered to a code of conduct (Art. 40 GDPR) or (iii) are certified (Art. 42 GDPR). If ONE2TEAM’s subcontractor does not fulfil its obligations in respect of protecting the personal data held in the CLIENT’s database, ONE2TEAM will remain fully liable in respect of the CLIENT. This commitment by ONE2TEAM is one of the points of the ONE2TEAM SaaS Service checked for compliance with the standard ISO 27018.
1.15.2 As well as defining specifically (i) the subject-matter and duration of the processing envisaged, (ii) the nature and purpose of the processing envisaged and (iii) the type of personal data and categories of data subjects (Art. 28.3 para.1 GDPR), each subcontracting agreement entered into by ONE2TEAM with a third-party subcontractor must, as a minimum, include a commitment from the subcontractor:
(a) only to process the CLIENT’s personal data following a documented instruction from ONE2TEAM and/or the CLIENT, including with regard to transfers of personal data to a non-EU country (unless it is obliged to do so pursuant to personal data legislation);
(b) to ensure that the individuals it authorises to process the CLIENT’s personal data undertake to maintain confidentiality or are subject to a legal confidentiality obligation;
(c) to take all the requisite Security Measures (Art. 32 GDPR) to protect the CLIENT’s personal data from a data breach;
(d) not to sub-subcontract in turn, any or all of the services to be provided for ONE2TEAM and the CLIENT to another service provider, unless the subcontractor’s subcontractor undertakes to comply with all the commitments set out in this article;
(e) to assist the CLIENT, using appropriate technical and organisational measures, as far as possible, to fulfil its obligation to respond to requests from data subjects who contact it in order to exercise their rights;
(f) to help the CLIENT to comply with its obligations in respect of (i) security (Art. 32 GDPR), (ii) notification to the CNIL of any data breaches (Art. 33 GDPR), (iii) communications in respect of any data subjects affected by a data breach (Art. 34 GDPR), particularly with regard to any unauthorised copying of their personal data, (iv) carrying out a prior impact assessment (Art. 35 GDPR) and (v) the requirement to check with the CNIL when carrying out an impact assessment, given the nature of the processing and information available to ONE2TEAM;
(g) as stated in the article “reversibility and return of data to the CLIENT” of the SaaS Service Contract, to delete all the CLIENT’s personal data after they have been returned to it at the end of the SaaS Service and to destroy existing copies under its control (including the Hosting Platform). This commitment by ONE2TEAM is one of the points of the ONE2TEAM SaaS Service checked for compliance with the standard ISO 27018.
(h) to make available to the CLIENT all the information required to demonstrate compliance with the obligations set out in this article and to allow audits, including inspections, to be carried out by the CLIENT (or an auditor appointed by it) and contribute to said audits.
1.16 “subcontracting and change of Hosting Platform”
1.16.1 In accordance with French Act no. 75-1334 of 31 December 1975, in signing this Contract, the CLIENT expressly approves the “Hosting Platform” identified below as a subcontractor of ONE2TEAM solely for hosting services and storage of the Software and CLIENT’s data, including personal data, processed using the SaaS Service:
EQUINIX France SAS – registered office 114 rue Ambroise Croizat 93200 Saint-Denis – identification no. 429 840 853 RCS Bobigny – ONE2TEAM payment terms for EQUINIX invoices: thirty (30) days date of invoice.
1.16.2 Insofar as numerous clients use its standard SaaS Service from its Hosting Platform, it is not possible for ONE2TEAM to seek the CLIENT’s prior approval for a change of Hosting Platform. The CLIENT hereby acknowledges and accepts that ONE2TEAM may freely change the Hosting Platform, subject to informing the CLIENT in advance and to strict compliance with the four (4) following cumulative conditions:
(i) the new Hosting Platform offers performance in terms of security and service level that is at least equal to the performance of the Hosting Platform identified in the Contract;
(ii) the switch of hosting and storage of the Software and/or CLIENT’s data to the new Hosting Platform shall be carried out by ONE2TEAM without any interruption to the SaaS Service provided to the CLIENT;
(iii) the new Hosting Platform fulfils all the commitments made by ONE2TEAM in respect of personal data legislation and those set out in the Contract;
(iv) ONE2TEAM does not change the fee payable for the use of the SaaS Service.
1.17 List of other ONE2TEAM subcontractors processing the CLIENT’s data
1.17.1 In accordance with French Act no. 75-1334 of 31 December 1975, in signing this Contract, the CLIENT expressly approves the companies identified below as subcontractors of ONE2TEAM:
(i) Datadog [identification no. 813 140 357 RCS Paris]: supervision and support for the SaaS Service;
(ii) Auth0 [SIRET no. 843 526 815 000 17 – registered office 3rd Floor Union House 182-194 Union Street London, SE1 0LH, UK] only if the CLIENT has signed up for the “Single-Sign-On” (SSO) functionality of the SaaS Service;
(iii) Prosymmetry LLC [registered office 25800 Science Park Dr., Beachwood, Ohio 44122 USA] only if the CLIENT has signed up for the “Resource management” functionality of the SaaS Service.
1.17.2 In all other cases, ONE2TEAM undertakes to ask for the CLIENT’s prior agreement in writing for all subcontracting of any or all of the services included in the SaaS Service, where these services relate to the personal data held in the CLIENT database. This commitment by ONE2TEAM is one of the points of the ONE2TEAM SaaS Service checked for compliance with the standard ISO 27018.
1.18 “changes to personal data legislation”
1.18.1 Should there be a change to the personal data legislation, the mandatory provisions of which would have a significant impact on the obligations incumbent on either of the parties, (for example, the requirement for prior consent in the case of using the processing and/or storage capacities of a device belonging to a user of the SaaS Service, collecting information issued or transmitted by a device belonging to a user of the SaaS Service, etc.), the parties will work together to plan the implementation of the new regulations in good faith, or to terminate the Contract by the effective date of the new regulations at the latest.

2 “DATA SECURITY”
2.1 “ONE2TEAM is responsible for Security Measures”
2.1.1 Each party shall bear full responsibility for the Security Measures to be implemented in its networks and Information Systems. ONE2TEAM has ISO 27001:2013 certification, which demonstrates the implementation of an effective “Information Security Management System” for its SaaS Service.
2.1.2 In its capacity as the operator of the SaaS Service (Art.14 LCEN no. 2004-575 of 21 June 2004) and processor (Art.28 GDPR) of the CLIENT’s data, ONE2TEAM has automatic responsibility in respect of the CLIENT for the implementation and monitoring of the Security Measures applicable to the CLIENT’s data, whether they are personal data or not. ONE2TEAM acknowledges that for the CLIENT, the implementation of the Security Measures is an essential and explicit element of the service (art.1133 [new] Civil Code) incumbent on ONE2TEAM.
2.1.3 ONE2TEAM hereby reminds the CLIENT that the SaaS Service is accessible via the web browser used by the CLIENT’s Employees and as a result, does not require the installation of any software specific to ONE2TEAM in the CLIENT’s Information System.
2.1.4 Any significant change to the Security Measures by ONE2TEAM or the Hosting Platform must be documented and sent to the CLIENT for information. Said changes must not, under any circumstances, reduce the level of security applied by ONE2TEAM to the CLIENT’s data during its period of legitimate actual use of the SaaS Service. This commitment by ONE2TEAM is one of the points of the ONE2TEAM SaaS Service checked for compliance with the standard ISO 27018.
2.2 “confidentiality and integrity of CLIENT data”
2.2.1 ONE2TEAM’s commitment to ongoing confidentiality and integrity is provided by strict logical separation of each area of the Software installed on the Hosting Platform: only ONE2TEAM and the CLIENT’s administrator have access to the data held in the CLIENT’s database.
2.2.2 The commitment to ongoing availability and resilience is provided primarily by the Hosting Platform acting on behalf of ONE2TEAM and for the Software, by ONE2TEAM’s maintenance services.
2.3 “commitment to contractual transparency”
2.3.1 ONE2TEAM shall make available to the CLIENT any or all of the subcontracting agreement entered into by ONE2TEAM and the Hosting Platform relating (i) to service levels and/or (ii) the description of the Security Measures implemented by the Hosting Platform and/or (iii) the commitments made by the Hosting Platform in respect of GDPR as a processor for ONE2TEAM.
2.3.2 As a minimum, ONE2TEAM undertakes to send the CLIENT on request, or a Supervisory Authority such as the CNIL in France, any or all of the contractual documents entered into with the Hosting Platform in relation to the following provisions:
(i) guaranteed and controlled network access (bandwidth, response time, intrusion detection, vulnerability testing and audit, etc.);
(ii) ongoing monitoring of network and software service levels with detection of hardware, software and network availability anomalies;
(iii) commitment to a quantified response time after a network or hardware anomaly has been identified;
(iv) commitment to a quantified lead time for network and hardware restoration;
(v) monitoring and installation policy for updates, notably security updates, implemented by software developers;
(vi) quantifiable and regular back-up of CLIENT data with automatic alerts and immediate follow-up if an anomaly occurs.
2.4 “data availability and access”
2.4.1 As a result of the Hosting Platform selected by ONE2TEAM, ONE2TEAM has the hardware, software and infrastructure for access to an electronic communications network using the TCP/IP protocol with “the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident” (Art. 32.1 GDPR), in accordance with current technical and commercial conditions. In this respect, the Hosting Provider provides redundant “mirror site”-type and/or back-up services with a commitment to a quantified lead time for restoring access to the network and the CLIENT’s data.
2.5 “monitoring and evaluation of Security Measures”
2.5.1 As a result of the Hosting Platform selected by ONE2TEAM and third-party professional providers of information systems security services, ONE2TEAM has and implements software tools and “a process for regularly testing, assessing and evaluating the effectiveness” of the Security Measures applied to the CLIENT’s data (Art. 32.1 GDPR). The commitment to ensuring that ONE2TEAM’s SaaS Service is compliant with standard ISO 27018 is intended to fulfil this requirement under GDPR, without prejudice to the CLIENT’s right to carry out a security audit of the SaaS Service itself or on its behalf (by a third party who is not a direct competitor of ONE2TEAM), including potential penetration tests in strict accordance with Articles 323-1 to 323-8 of the French Criminal Code.
2.5.2 ONE2TEAM will provide the CLIENT with the relevant extracts from the auditor’s report on its compliance check with standard ISO 27018 at least once a year.
2.6 “physical security of the Hosting Platform infrastructure”
(i) geographical location providing access to the Hosting Platform guarded and monitored 24/7;
(ii) access to the site secured and restricted to the Hosting Platform’s systems administrator and ONE2TEAM;
(iii) electrical safety – air conditioning – hygrometry of the Hosting Platform’s servers;
(iv) fire protection.
2.7 “encryption”
2.7.1 ONE2TEAM undertakes to encrypt inactive back-ups of the CLIENT’s database (“cold” encryption).
2.7.2 In order to limit the risk of damage or unauthorised disclosure of the CLIENT’s personal data when they are transmitted via electronic communications networks, ONE2TEAM implements an encryption technique for transferring data from its Information System to the CLIENT’s system (HTTPS protocol via a server certificate).
2.8 “notification of data breaches”
2.8.1 A “personal data breach” as defined in Article 4.12 GDPR is any breach of the CLIENT’s personal data processed on the Hosting Platform via the SaaS Service when said breach involves accidental or unlawful access or unauthorised disclosure, damage, loss or destruction of the CLIENT’s personal data.
2.8.2 ONE2TEAM undertakes to inform the CLIENT of any breach of personal data processed by the SaaS Service, regardless of the scale of the breach, as soon as it becomes aware of it. This commitment by ONE2TEAM is one of the points of the ONE2TEAM SaaS Service checked for compliance with the standard ISO 27018. The CLIENT shall have sole discretion over whether to inform (i) the Supervisory Authority responsible for it (Art. 33 GDPR) and (ii) the data subjects (Art. 34 GDPR) when it receives a report of a breach from ONE2TEAM.
2.8.3 ONE2TEAM will provide all of the following elements relating to the breach identified (Art. 33.3 GDPR) to the CLIENT in writing, within seventy-two (72) hours of its discovery of the data breach:
(i) the nature of the personal data breach including, if possible, the categories and approximate number of data subjects and the categories and approximate number of personal data records concerned;
(ii) the name and contact details of the DPO or another point of contact (MD / Legal Director / Information Systems Director / Information Systems Security Manager, etc.) who can provide additional information on the breach identified;
(iii) the probable consequences of the breach in respect of the data subjects’ right to personal data protection;
(iv) the measures taken or which ONE2TEAM proposes to take to remedy the breach identified, including, if necessary, measures to mitigate any negative consequences.
2.8.4 If, and insofar as it is not possible for ONE2TEAM to provide the CLIENT with all this information at the same time, ONE2TEAM undertakes to communicate said information to the CLIENT “in phases without undue further delay” (Art. 33.4 GDPR).
2.9 “commitment to resolve and document”
2.9.1 Should a breach of the CLIENT’s personal data occur, ONE2TEAM undertakes (i) to take the appropriate Security Measures in relation to the Software and/or the SaaS Service as soon as possible, to stop the breach identified, notably in order to make the personal data incomprehensible to anyone who is not authorised to have access to them and (ii) to provide evidence thereof to the CLIENT in writing without delay.
2.9.2 ONE2TEAM undertakes to document in writing any breach of the CLIENT’s personal data that occurs on the Hosting Platform, indicating (i) the facts of the breach identified, (ii) its effects and (iii) the technical measures actually taken by ONE2TEAM to resolve it. This documentation will be made available to the CLIENT and/or any Supervisory Authority.
2.9.3 Should a breach of the CLIENT’s personal data occur, ONE2TEAM undertakes to ensure that there is a formal, written and documented record of the discussions between the CLIENT and ONE2TEAM relating to the “actions undertaken”, “corrections made” and “recommendations that could be formulated” in terms of personal data security (CNIL deliberation no. SAN-2018-002 of 7 May 2018).
2.9.4 ONE2TEAM HEREBY REMINDS THE CLIENT (i) THAT THE SAAS SERVICE IS PROVIDED BY ONE2TEAM “FROM THE HOSTING PLATFORM” AND (ii) THAT THE INTERNET, WHICH ALLOWS ONE2TEAM TO PROVIDE THE SAAS SERVICE FROM THE HOSTING PLATFORM, IS AN OPEN AND NON-SECURE NETWORK, CREATED BY INTERNATIONAL INTERCONNECTIONS BETWEEN INDEPENDENT COMPUTER NETWORKS USING THE TECHNICAL PROTOCOL TCP/IP, WITH NO OBLIGATION ON PROVIDING A SERVICE OR THE QUALITY OF SERVICE PROVIDED BETWEEN NETWORK OPERATORS. AS A CONSEQUENCE, ONE2TEAM CANNOT BE HELD LIABLE IN ANY WAY FOR A BREACH OF THE CLIENT’S PERSONAL DATA THAT OCCURS OUTSIDE THE HOSTING PLATFORM.

3 “SPECIFIC POINTS”
3.1 “Preamble”
3.1.1 Prior to any production use of the software service in SaaS mode (the “SaaS Service” offered by ONE2TEAM), ONE2TEAM undertakes (i) to comply strictly with personal data legislation and (ii) implement all the Security Measures detailed in this article.
3.2 “strict logical separation of each area of the Software”
3.2.1 ONE2TEAM’s commitment to the confidentiality and integrity of the CLIENT’s data is ensured by the strict separation of each area of the ONE2TEAM software (the “Software”): only the CLIENT, ONE2TEAM and – in the event of an emergency only, and only if necessary – the Hosting Platform as a subcontractor to ONE2TEAM, can access the CLIENT’s data. This commitment by ONE2TEAM is one of the points of the ONE2TEAM SaaS Service checked for compliance with the standard ISO 27001.
3.2.2 The ongoing availability and resilience of the SaaS Service is ensured by the regular back-up procedures used for the Software and the CLIENT’s data, notably by the ONE2TEAM Hosting Platform. This commitment by ONE2TEAM is one of the points of the ONE2TEAM SaaS Service checked for compliance with the standard ISO 27001.
3.3 “transparency commitment”
3.3.1 ONE2TEAM undertakes to make available to the CLIENT any or all of the subcontracting agreement entered into by ONE2TEAM and any Hosting Platform (or any other subcontractor providing any or all of the SaaS Service provided to the CLIENT by ONE2TEAM) relating to (i) service levels and/or (ii) the description of the Security Measures implemented by ONE2TEAM and each of its subcontractors and/or (iii) the commitments made by ONE2TEAM and its subcontractors in respect of the personal data.
3.3.2 As a minimum, ONE2TEAM undertakes to send, on request, to the CLIENT or to a Supervisory Authority such as the CNIL in France, any or all of the contractual documents entered into with a subcontractor (including the Hosting Platform) in relation to the following technical provisions:
(i) guaranteed and controlled network access (bandwidth, response time, intrusion detection, vulnerability testing and audit, etc.);
(ii) ongoing monitoring of network and software service levels with detection of hardware, software and network availability anomalies;
(iii) commitment to a quantified response time after a network or hardware anomaly has been identified;
(iv) commitment to a quantified lead time for network and hardware restoration;
(v) monitoring and installation policy for updates, notably security updates, implemented by software developers;
(vi) quantifiable and regular back-up of CLIENT data with automatic alerts and immediate follow-up if an anomaly occurs.
3.4 “data availability and access”
3.4.1 ONE2TEAM undertakes to have the hardware, software and infrastructure for access to an electronic communications network using the TCP/IP protocol with “the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident” (Art. 32.1 GDPR), in accordance with the best possible technical and commercial conditions currently in use. In this respect, ONE2TEAM undertakes to ensure that both it and its subcontractors provide redundant “mirror site”-type and/or back-up services with a commitment to a quantified lead time for restoring access to the network and the CLIENT’s data.
3.5 “authorisation and authentication management”
3.5.1 ONE2TEAM undertakes to ensure the confidentiality of the CLIENT’s data and processing carried out in relation to the SaaS Service and ensure that its Employees and those of its subcontractors are subject to a contractual obligation of confidentiality or professional secrecy in accordance with Article 226-13 of the French Criminal Code. ONE2TEAM undertakes to provide evidence thereof at the CLIENT’s request.
3.5.2 ONE2TEAM undertakes to implement a “documented authorisation and authentication management and control policy” (CNIL deliberation no. SAN-2018-002 of 7 May 2018) for its employees and those of its subcontractors who are authorised to access the SaaS Service and/or process the CLIENT’s data:
(i) using an individual, customisable login and password as indicated in the article “password management” and/or
(ii) using a session cookie (CNIL deliberation no. SAN-2018-003 of 21 June 2018) and/or a “filtering of IP addresses, even if this would require a long development” (CNIL deliberation no. SAN-2018-011 of 19 December 2018) and/or the “creation of a VPN” (CNIL deliberation no. SAN 2018-008 of 24 July 2018).
3.5.3 This commitment by ONE2TEAM is one of the points of the ONE2TEAM SaaS Service checked for compliance with the standard ISO 27001.
3.5.4 ONE2TEAM undertakes to implement an “authorisation withdrawal process” in the event of the departure of its employees (or those of its service providers) who were previously authorised (CNIL deliberation no. SAN-2018-011 of 19 December 2018). This commitment by ONE2TEAM is one of the points of the ONE2TEAM SaaS Service checked for compliance with the standard ISO 27001.
3.5.5 For any new functionality or any major new version of its Software or SaaS Service, ONE2TEAM undertakes to implement “privacy by design” “secure access measures” in relation to its Information System (CNIL deliberation no. SAN 2018-008 of 24 July 2018).
3.5.6 ONE2TEAM undertakes to ensure “specific monitoring” of its authentication and authorisation management software modules and carry out regular “checks, notably in relation to security audits” (CNIL deliberation no. SAN 2018-003 of 21 June 2018). This commitment by ONE2TEAM is one of the points of the ONE2TEAM SaaS Service checked for compliance with the standard ISO 27001.
3.6 “password management”
3.6.1 ONE2TEAM undertakes to implement “a binding policy on the passwords used by accounts that access [the CLIENT’s] database or the administration platforms, in accordance with one of the following methods” in respect of its employees and those of its subcontractors (CNIL deliberation no. MED-2018-043 of 8 October 2018):
(i) “passwords shall consist of a minimum of 12 characters, containing at least one uppercase letter, one lowercase letter, one digit and one special character”;
(ii) “passwords shall consist of at least eight characters, containing three of the four categories of characters (uppercase letters, lowercase letters, digits and special characters) and be combined with an additional security measure, for example, a time-out on access to the account after several failed attempts (temporary suspension of access, which increases in length the more attempts are made), implementing protective measures to prevent automated submissions and repeated sign-in attempts (e.g. captcha) and/or blocking the account after several failed authentication attempts (maximum 10)”.
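The two CNIL methods quoted above, expressed as checks. This is an added example, not One2Team’s code: the character-class rules and the “maximum 10” hard block come from the quoted text, while the back-off schedule (no delay for the first two failures, then 5 seconds doubling on each further failure) and the function names are assumptions chosen for illustration. Method (ii) is only compliant when the complexity check is combined with a measure like the throttle below; `meets_method_2` alone is not enough.

```python
from dataclasses import dataclass
from typing import Dict, Optional


def _classes_present(password: str) -> int:
    """Count the character classes (upper, lower, digit, special) present.
    Anything that is not a letter or digit counts as a special character."""
    has_upper = any(c.isupper() for c in password)
    has_lower = any(c.islower() for c in password)
    has_digit = any(c.isdigit() for c in password)
    has_special = any(not c.isalnum() for c in password)
    return sum((has_upper, has_lower, has_digit, has_special))


def meets_method_1(password: str) -> bool:
    """Method (i): at least 12 characters and all four character classes."""
    return len(password) >= 12 and _classes_present(password) == 4


def meets_method_2(password: str) -> bool:
    """Method (ii), complexity part only: at least 8 characters and three of
    the four classes. Compliant only when paired with an additional measure
    such as the LoginThrottle below."""
    return len(password) >= 8 and _classes_present(password) >= 3


def policy_method(password: str) -> Optional[int]:
    """Return 1 or 2 for the CNIL method the password satisfies, None if neither."""
    if meets_method_1(password):
        return 1
    if meets_method_2(password):
        return 2
    return None


# MAX_FAILURES is the "maximum 10" from the quoted text. The back-off schedule
# (start after the 3rd failure at 5 s, doubling each time) is an assumption
# for illustration, not a One2Team setting.
MAX_FAILURES = 10
BACKOFF_FROM = 3
FIRST_DELAY_SECONDS = 5


@dataclass
class AccountState:
    failures: int = 0
    locked_until: float = 0.0  # monotonic timestamp, seconds
    blocked: bool = False


class LoginThrottle:
    """Per-account failed-login tracking: a temporary suspension that grows
    with each failure, then a hard block after MAX_FAILURES consecutive
    failures. Time is passed in explicitly so behaviour is deterministic."""

    def __init__(self) -> None:
        self._accounts: Dict[str, AccountState] = {}

    def _state(self, account: str) -> AccountState:
        return self._accounts.setdefault(account, AccountState())

    def may_attempt(self, account: str, now: float) -> bool:
        st = self._state(account)
        return not st.blocked and now >= st.locked_until

    def record_failure(self, account: str, now: float) -> Optional[int]:
        """Register a failed attempt. Returns the suspension applied in
        seconds (0 while no suspension applies yet), or None once the
        account is hard-blocked and needs an out-of-band unlock."""
        st = self._state(account)
        st.failures += 1
        if st.failures >= MAX_FAILURES:
            st.blocked = True
            return None
        if st.failures >= BACKOFF_FROM:
            delay = FIRST_DELAY_SECONDS * 2 ** (st.failures - BACKOFF_FROM)
            st.locked_until = now + delay
            return delay
        return 0

    def record_success(self, account: str) -> None:
        """A successful login resets the counter. Callers must check
        may_attempt() first, so a blocked account never reaches this."""
        self._accounts.pop(account, None)
```

The throttle keys on the account, not the source IP, because the attack the text addresses is repeated guessing against one account; an IP-based limiter is a separate control and does not stop a distributed attacker. The counter is in memory here; in a real deployment it would live in a shared store so that every application node enforces the same state.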
3.6.2 ONE2TEAM undertakes to (i) avoid “the presence of unencrypted access credentials to the server […] in the source code stored on a platform” external to ONE2TEAM which could constitute a “central working tool in the development of the activities” of ONE2TEAM and (ii) that “credentials are not stored in a file that is not protected” (CNIL deliberation no. SAN-2018-011 of 19 December 2018).
3.7 “online publication of documents”
3.7.1 Should the SaaS Service enable the CLIENT (or the CLIENT’s contractual partners) to access digital documents via a specific URL (online “uploading” of documents via a website), ONE2TEAM undertakes to implement a “function changing the name of the files saved”, a “system to prevent the predictability of URLs” and to protect the “directories containing the documents” to avoid identifying “the access path to the files saved”, so that “the data are not accessible via a simple modification of the URL” (CNIL deliberation no. SAN 2018-003 of 21 June 2018).
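The three measures in 3.7.1 (rename saved files, make URLs unpredictable, protect the directory so the path cannot be derived) as one small upload store. This is an added example, not One2Team’s code; the `DocumentStore` class, its method names and the 32-byte token length are assumptions. The point it shows is that the only thing that ever appears in a URL or is used to build a filesystem path is a random token generated server-side, so there is nothing a user can edit to reach another document.

```python
import os
import re
import secrets
import tempfile
from typing import Dict, List, Optional, Tuple

# secrets.token_urlsafe(32) yields 43 URL-safe base64 characters.
_TOKEN_RE = re.compile(r"[A-Za-z0-9_-]{43}")


class DocumentStore:
    """Hypothetical upload store. Files are saved under an unpredictable
    token instead of the client-supplied name, and that token is the only
    value that ever appears in a URL or is joined onto a path."""

    def __init__(self, root: Optional[str] = None) -> None:
        # mkdtemp creates the directory with mode 0700. The web server in
        # front of it must not serve directory listings for this tree.
        self.root = root or tempfile.mkdtemp(prefix="docs-")
        self._index: Dict[str, str] = {}  # token -> original name, for display only

    def save(self, original_name: str, content: bytes) -> str:
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        # Rename on disk: the stored name is the token, so the client's
        # filename (which may contain "../" or a drive letter) never reaches
        # the filesystem.
        with open(os.path.join(self.root, token), "wb") as fh:
            fh.write(content)
        # Keep only the final component of the original name, for display.
        self._index[token] = os.path.basename(original_name.replace("\\", "/"))
        return token

    def url_for(self, token: str) -> str:
        return f"/documents/{token}"

    def fetch(self, token: str) -> Optional[Tuple[str, bytes]]:
        """Resolve a token from a URL. Unknown, malformed, traversal-like or
        sequential-guess values all get the same answer: None."""
        if not _TOKEN_RE.fullmatch(token) or token not in self._index:
            return None
        with open(os.path.join(self.root, token), "rb") as fh:
            return self._index[token], fh.read()

    def stored_names(self) -> List[str]:
        """Names exactly as they appear on disk, to verify nothing leaks."""
        return sorted(os.listdir(self.root))
```

Checking the token against a strict regular expression before the index lookup means a path like `../../etc/passwd` or a guessed numeric id is rejected before any filesystem call, and the index lookup (not the filesystem) decides whether a document exists. A production version would add an authorisation check tying the token to the CLIENT or partner allowed to see it; the text above only requires that the URL itself be unguessable.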
3.8 “commitments prior to and after start of production”
3.8.1 Each Party shall be fully liable for the Security Measures to be applied to its own Information System.
3.8.2 “Prior to the start of production” (CNIL deliberation no. SAN-2018-002 of 7 May 2018) of a new functionality, major upgrade or major new version of its Software, ONE2TEAM undertakes to implement “elementary security measures in accordance with current industry standards” (CNIL deliberation no. SAN-2018-002 of 7 May 2018), notably the implementation of a “full testing protocol” (CNIL deliberation no. SAN-2018-003 of 21 June 2018) to verify “the absence of any vulnerability” (CNIL deliberation no. SAN-2017-010 of 18 July 2017). ONE2TEAM undertakes to document these measures and protocols in writing and make the documentation available to the CLIENT and any Supervisory Authority. This commitment by ONE2TEAM is one of the points of the ONE2TEAM SaaS Service checked for compliance with the standard ISO 27001.
3.8.3 “After the deployment” (CNIL deliberation no. SAN-2017-012 of 16 November 2017) in production of a new functionality, upgrade or new version of its Software and/or its SaaS Service, ONE2TEAM undertakes to carry out “regular checks of the security measures” implemented (CNIL deliberation no. SAN 2018-003 of 21 June 2018), and to carry out “intrusion tests” and “audits of the code… according to the specific situation” (CNIL deliberation no. SAN-2018-012 of 26 December 2018) of the CLIENT’s database used for the provision of the SaaS Service. ONE2TEAM undertakes to document these checks in writing and make the documentation available to the CLIENT and any Supervisory Authority. This commitment by ONE2TEAM is one of the points of the ONE2TEAM SaaS Service checked for compliance with the standard ISO 27001.
3.8.4 ONE2TEAM undertakes to pay particular attention to the technical Security Measures to be implemented in relation to any “delicate operation requiring particular attention” on its Information System (Software, SaaS Service and/or Hosting Platform) such as, for example “a change of server… used to communicate with a payment service provider” (CNIL deliberation no. SAN-2017-010 of 18 July 2017). This commitment by ONE2TEAM is one of the points of the ONE2TEAM SaaS Service checked for compliance with the standard ISO 27001.
3.9 “specific commitments by the CLIENT”
3.9.1 In addition to the commitments made by ONE2TEAM in relation to security, the CLIENT undertakes to carry out “elementary security tests” of the SaaS Service (CNIL deliberation no. SAN-2018-001 of 8 January 2018), for example, by conducting or arranging for a third party to conduct penetration and vulnerability tests on the SaaS Service at its own expense and under its responsibility, in strict accordance with Articles 323-1 to 323-8 of the French Criminal Code.

4 “PROCESSING OF THE CLIENT’S EMPLOYEES’ DATA BY ONE2TEAM”
4.1.1 ONE2TEAM is responsible for processing the personal contact details of the CLIENT’s employees, directors, agents or representatives (the “Employees”), which ONE2TEAM collects directly (Art. 13 GDPR) from the Employees in relation to the performance of the SaaS Service for the following purposes only:
(i) processing necessary for the performance, checking, invoicing and recovery of the SaaS Service between ONE2TEAM and the CLIENT and ONE2TEAM’s management of authorisations for the CLIENT’s Employees authorised by the CLIENT to use the SaaS Service (Art. 6.1 (b) GDPR);
(ii) processing necessary for the legitimate security interests of ONE2TEAM’s Information System (Art. 6.1 (f) GDPR);
(iii) processing necessary for ONE2TEAM’s legitimate direct marketing interests (Art. 6.1 (f) GDPR) for its other products and services, with a free, immediate HTTP unsubscribe link (right to be forgotten, Art. 17 GDPR) included in every electronic communication sent to the Employees by ONE2TEAM. ONE2TEAM does not carry out any profiling on the personal data of the CLIENT’s Employees.
4.1.2 ONE2TEAM retains the personal data of Employees for the period necessary for the performance of the SaaS Service and beyond that, for the period necessary for any legal proceedings that may be instigated between the parties in relation to the performance of the SaaS Service. At the end of the statutory period of limitation for legal action in France, the personal data of Employees required for the performance of the SaaS Service will be erased (right to be forgotten Art. 17 GDPR) from ONE2TEAM’s digital databases.
4.1.3 All Employees have a right of access (Art. 15 GDPR) and rectification (Art. 16 GDPR) in respect of their personal data processed by ONE2TEAM for the performance of the SaaS Service, which they may exercise via email at the address below. ONE2TEAM undertakes to respond to all Employee emails within thirty (30) days of receipt of their request by ONE2TEAM. Should they fail to receive a response from ONE2TEAM within this time frame, the Employee will be entitled to refer the failure to respond to the French data protection authority, the CNIL (Commission Nationale de l’Informatique et des Libertés). It is the CLIENT’s responsibility to inform each of its Employees of the rights available through ONE2TEAM in respect of GDPR, notably by emailing gdpr@one2team.com.
4.1.4 Any subcontracting by ONE2TEAM of the technical management of the database containing the data of the CLIENT’s Employees will be subject to a written contract between ONE2TEAM and its subcontractor; ONE2TEAM undertakes that the professional subcontractor will comply strictly with the provisions of the Contract and guarantee the security and confidentiality of the personal data entrusted to it by ONE2TEAM.
4.1.5 Any other type of processing of the personal data of the CLIENT’s Employees (for example, forwarding with or without financial consideration to third parties for direct or indirect marketing purposes, including profiling) will only be implemented by ONE2TEAM if it has obtained each Employee’s individual informed consent in advance (Art. 6.1 (a) GDPR). Each electronic communication sent by ONE2TEAM will include a clear and concise reminder of the existence of rights under GDPR (Art. 15 to 22 GDPR) available to each of the CLIENT’s Employees through ONE2TEAM, in particular the right to object to direct marketing and profiling (Art. 21 GDPR).
4.1.6 ONE2TEAM undertakes to inform the CNIL, as soon as it becomes aware of it, of any breach of the Employees’ personal data involving accidental or unlawful access or unauthorised disclosure, damage, loss or destruction of any or all of said data. The Security Measures applicable to the Employees’ personal data are shown in this Schedule.

5 “DATA SECURITY – SECURITY INCIDENT – OES AND DSP”
5.1.1 Should (i) ONE2TEAM and/or the CLIENT be designated by decree as an Operator of Essential Services (OES) or (ii) should ONE2TEAM or the CLIENT be a Digital Services Provider (DSP) (online marketplace, online search engine or cloud computing service with over fifty (50) employees or annual turnover in excess of €10 million) (“NIS” Directive no. 2016/1148/EU of 6 July 2016 and French “SRSI” Act no. 2018-133 of 26 February 2018):
(i) the party concerned undertakes to inform the other party immediately;
(ii) the party concerned undertakes, at its own expense, to implement all the appropriate Security Measures (a) using hardware or software systems or IT services whose security has been certified and (b) which guarantee a level of security appropriate to the existing risk, given the knowledge available, notably in order to prevent any incident that might compromise the security of the Information System (including personal data) used by the party concerned in order to ensure continuity or limit the impact of the incident concerned.
(iii) the party concerned undertakes to report any incident affecting its Information System to the ANSSI as soon as it becomes aware of it, to the extent required by “NIS” Directive no. 2016/1148/EU of 6 July 2016 and French “SRSI” Act no. 2018-133 of 26 February 2018.
(iv) in the event of a report from the ANSSI or a qualified service provider indicating the necessity of implementing additional Security Measures, ONE2TEAM and/or the CLIENT undertake to implement said additional Security Measures as soon as possible and to inform the other party thereof.
