Data Protection Agreement

PERSONAL DATA PROTECTION AGREEMENT

This Agreement defines the conditions under which FASTERIZE carries out, on behalf of its customers – “Data Controller”, Personal Data processing operations within the framework of the execution of the Contract and the application of the legal and regulatory provisions applicable regarding the protection of Personal Data resulting from EU Regulation 2016/679, EU Regulation 2018/1725 and Law No. 78-17 of 6 January 1978 relating to data processing, files and freedoms and Commission decisions (hereinafter referred to as “Regulations”).

When terms begin with a capital letter in this Agreement, they have the meaning given to them in the General Conditions or in the said Regulations.

The provisions of this Agreement must be read and interpreted in light of the provisions of the Regulations and the nature of the processing described below.


The provisions of this Agreement have been drafted on the basis of the standard contractual clauses between controllers and processors resulting from Commission Implementing Decision (EU) 2021/915 of 4 June 2021 taken under Article 28 of the GDPR.


In the event of a contradiction between the provisions of this Agreement and those of the other contractual documents governing the relations between the Parties, those of this Agreement shall prevail.

1. QUALIFICATION OF THE PARTIES

The Parties acknowledge that, within the meaning of the Regulations:

  • FASTERIZE has the quality of data processor,
  • The CUSTOMER (or CLIENT) has the quality of data controller.

2. CAUTION

The CUSTOMER’s attention is drawn to the fact that:

  • the processing carried out by FASTERIZE as part of the provision of the Service does not involve the storage of the Personal Data contained in the pages of the CLIENT’s websites,
  • the processing carried out by FASTERIZE only concerns the transit of traffic from these websites via the FASTERIZE Platform for the sole purpose of traffic optimization and performance measurement of traffic optimization,
  • the processing carried out by FASTERIZE on behalf of the CLIENT only concerns Personal Data that is not directly identifiable, with the exception of the processing of the data of the Client’s employees, for the purposes of performing the Contract.
  • FASTERIZE undertakes not to use them other than as part of the provision of its Service,
  • FASTERIZE undertakes not to access the content and Personal Data generated or integrated into the pages of the CLIENT’s websites passing through its Platform.

It is in this context that the provisions of this Agreement are to be read and interpreted.

3. DESCRIPTION OF PROCESSINGS

FASTERIZE operates as a CDN:

  1. The browser sends an HTTPS request to the Fasterize platform. FASTERIZE intercepts requests from Internet users to the site (like a proxy).
  2. FASTERIZE fetches requested pages and resources from origin servers and parses HTML, JavaScript, CSS and images. In this context, FASTERIZE receives a request containing the IP address and the “user-agent”, transmits this request to the CLIENT’s servers and receives a response from the CLIENT’s servers containing the requested web page.
  3. FASTERIZE applies optimization rules. Each of these rules is selected and tested beforehand by our technical experts in order to guarantee the quality of our services.
  4. FASTERIZE generates the optimized content on the fly before sending it back to the browser. This is cached if the response from the origin server allows it.


FASTERIZE processes Personal Data only for the nature and purpose of the processing operations, as well as for the types of Personal Data and categories of data subjects, listed below.

| Processing | Purpose | Categories of personal data | Categories of data subjects | Data retention period |
|---|---|---|---|---|
| Web traffic optimization | Optimization of web page content | IP address, user-agent, content of web pages | Website users | Data transit time on the platform (~100ms) |
| Content Delivery Network Management | Optimization of the distribution of web page content | IP address, user-agent, content of web pages | Website users | Data transit time on the platform (~100ms) |
| Log management | Optimization service quality and performance metrics | IP address, user-agent, url address of web pages visited | Website users | Between 4 and 7 days in indexed form; 30 days in raw form |
| Fasterize Platform User Management | Using the Fasterize Platform | Last name, first name, email address, IP address | Fasterize Platform Users | Duration of subscription to the Service |
| Alert management | Notify users of an incident or scheduled maintenance operation | e-mail address | Fasterize Platform Users | Duration of subscription to the Service |

4. PURPOSE LIMITATION

FASTERIZE processes Personal Data only for the specific purposes defined above, unless the CLIENT gives further instructions.

5. DURATION OF PROCESSING AND STORAGE OF PERSONAL DATA

Processing is carried out by FASTERIZE for the duration of the CLIENT’s Subscription.

Personal Data related to the transit of website traffic via the FASTERIZE Platform is not retained beyond the period mentioned above.

Personal Data related to incident management is kept for a maximum period of 30 days as indicated in the table above.

From the end of the retention periods defined above for each category of Personal Data, or from the termination or expiration of the Contract, FASTERIZE will delete, in a secure manner, all Personal Data processed on behalf of the CLIENT, as well as any copies of this Personal Data, except in the case where the retention of this Personal Data is necessary for the purposes of compliance with the Regulations.

FASTERIZE must certify in writing to the CLIENT that the Personal Data has been securely deleted.

6. SECURITY

FASTERIZE implements at least the technical and organizational measures specified in its Security Assurance Plan, available on request.

These measures include the protection of Personal Data against any breach of security resulting, accidentally or unlawfully, in the destruction, loss, alteration, unauthorized disclosure of Personal Data or unauthorized access to such Personal Data (see Personal Data Breach).

FASTERIZE grants its staff members access to the Personal Data subject to processing only to the extent strictly necessary for the execution, management and monitoring of the provision of the Service.

FASTERIZE ensures that persons authorized to process Personal Data undertake to respect confidentiality or are subject to an obligation of confidentiality.

FASTERIZE undertakes to:

  • guarantee and maintain, for the entire duration of the Contract or until the destruction of the Personal Data, the application of all necessary or appropriate technical and organizational measures, taking into account the nature of the Personal Data, in order to:
    • protect the integrity, availability, resilience, confidentiality and security of all Personal Data,
    • protect Personal Data from any unlawful or accidental destruction, damage, loss, alteration or unauthorized access or disclosure,
  • use pseudonymization and encryption of Personal Data.

 

7. PROCESSINGS LOCATION

The processing of Personal Data is carried out in the European Union.

In the event that FASTERIZE plans to transfer all or part of the Personal Data outside the European Union for the purposes of providing a service, it will inform the CLIENT beforehand to present the conditions for such a transfer and will obtain his prior written consent.

In the event that such authorization is given, it will be subject to the conclusion, as soon as possible, of additional agreement(s) relating to the Processing of the data and any other appropriate measure in order to govern any cross-border transfer in compliance with the Regulations.

Such additional Data Processing agreement(s) may include, but are not limited to, the European Commission’s Standard Contractual Clauses for the transfer of Personal Data from a Data Controller to a Data Processor or other valid transfer mechanism in accordance with the Regulations and other data protection provisions.

 

8. GENERAL OBLIGATIONS OF FASTERIZE

As a data processor within the meaning of the Regulations, FASTERIZE:

  1. only processes Personal Data on documented instructions from the CLIENT,
  2. immediately informs the CUSTOMER in the event that, in the reasonable opinion of FASTERIZE, any instruction or directive of the CUSTOMER would violate Data Protection Laws;
  3. processes Personal Data in accordance with the duration, purpose, type and categories of Data Subjects specified, as described in Article 3 “Description of Processing”;
  4. agrees not to Process the Personal Data or permit its Processing or access to it, in whole or in part, in any way other than as required by the Agreement and only to the extent reasonably necessary for the performance of this Agreement;
  5. ensures that persons authorized to process Personal Data undertake to respect confidentiality or are subject to an obligation of confidentiality,
  6. takes all the necessary measures to guarantee a level of security adapted to the risk of breach of the protection of Personal Data, including at least the security measures referred to in its Security Insurance Plan,
  7. undertakes not to copy, export or extract any Personal Data in any way whatsoever, and to ensure full compliance with this obligation by its representatives and potential subsequent sub-contractors, as defined under this Agreement;
  8. does not recruit or change another subcontractor without informing the CLIENT, thus giving him the opportunity to object to these changes, under the conditions defined in Article 10,
  9. helps the CUSTOMER, by appropriate technical and organizational measures, as far as possible, to fulfill his obligation to respond to requests made by data subjects in order to exercise their rights,
  10. helps the CLIENT to guarantee compliance with the obligations relating to the security of Personal Data, taking into account the nature of the processing and the information at its disposal,
  11. agrees to implement the principles of privacy protection by design and data protection by default for the tools and applications it uses under the Agreement.

 

9. AUDIT 

FASTERIZE provides the CLIENT with all the information necessary to demonstrate compliance with its obligations under this Agreement and to allow audits to be carried out, including inspections, by the CLIENT or another auditor appointed by it, and contributes to these audits.

The CLIENT may decide to carry out the audit itself or to appoint an independent auditor.

Audits may also include inspections at FASTERIZE premises and are, where appropriate, conducted on reasonable notice.

 

10. CONDITIONS FOR USE OF SUBCONTRACTORS

When recruiting another sub-processor to carry out specific processing activities on behalf of the CLIENT, FASTERIZE undertakes to impose on the sub-processor concerned the same or similar obligations as those set out in this Agreement.

FASTERIZE is not authorized to subcontract to a subcontractor the processing operations it carries out on behalf of the CLIENT under these clauses without prior specific written information to the CLIENT.

When signing the Quotation, the CLIENT was informed of and approved the intervention of the subcontractors referred to in the appendix to this Agreement.

FASTERIZE will inform the CLIENT in writing of any change of subcontractors at least 30 days in advance, thus giving the CLIENT sufficient time to be able to issue reservations and discuss them with FASTERIZE.

In the event of reservations, the CLIENT must provide the objective arguments justifying its refusal and FASTERIZE must ask its subcontractor to take into account the reservations made by the CLIENT or propose another subcontractor.

Each subcontractor provides sufficient guarantees as to the implementation of appropriate technical and organizational measures defined in the appendix to this Agreement.

FASTERIZE remains fully responsible, with regard to the CLIENT, for the performance of the obligations of its subcontractors.

 

11. DUTY TO ASSIST

FASTERIZE assists the CLIENT in fulfilling its obligation to respond to requests from data subjects to exercise their rights, taking into account the nature of the processing.

FASTERIZE also helps the CUSTOMER, taking into account the nature of the processing and the information available to FASTERIZE, to ensure compliance with the following obligations:

  • the obligation to carry out an assessment of the impact of the planned processing operations on the protection of Personal Data (“data protection impact assessment”) when a type of processing is likely to present a high risk for the rights and freedoms of natural persons;
  • the obligation to consult the competent supervisory authority prior to processing where a data protection impact assessment indicates that the processing would present a high risk if the CLIENT did not take measures to mitigate the risk;
  • the obligation to ensure that the Personal Data is accurate and up to date, informing the CLIENT without delay if FASTERIZE learns that the Personal Data it processes is inaccurate or has become obsolete;
  • the applicable obligations in terms of Personal Data security.

The provisions of this Agreement define the appropriate measures by which FASTERIZE is obliged to provide assistance to the CLIENT in application of this article, as well as the scope and extent of the assistance required.

 

12. NOTIFICATION OF PERSONAL DATA BREACHES

In the event of a violation of Personal Data, FASTERIZE cooperates with the CLIENT and assists him in order to comply with his obligations.

In the event of a Personal Data breach in connection with Data processed by FASTERIZE on behalf of the CLIENT, FASTERIZE assists the CLIENT:

  • for the purpose of notifying the Personal Data breach to the competent supervisory authority, as soon as possible after the CLIENT becomes aware of it, where applicable (unless the Personal Data breach is unlikely to cause a risk to the rights and freedoms of natural persons),
  • for the purpose of obtaining the following information to be included in the CLIENT’s notification, which must include, at least:
    • the nature of the Personal Data, including, where possible, the categories and approximate number of individuals affected by the breach and the categories and approximate number of Personal Data records affected;
    • the likely consequences of the Personal Data breach;
    • the measures taken or the measures that the CUSTOMER proposes to take to remedy the breach of Personal Data, including, where applicable, the measures to mitigate any negative consequences.

Where and to the extent that it is not possible to provide all information at the same time, the initial notification shall contain the information available at that time and, as it becomes available, additional information shall be communicated thereafter as soon as possible.

  • For the purpose of satisfying the CLIENT’s obligation to communicate the Personal Data breach to the person concerned as soon as possible, when the Personal Data breach is likely to create a high risk for the rights and freedoms of natural persons.

In the event of a violation of Personal Data in connection with data processed by FASTERIZE, the latter shall inform the CLIENT as soon as possible after having become aware of it.

This notification contains at least:

  • a description of the nature of the breach found (including, if possible, the categories and the approximate number of persons affected by the breach and of Personal Data records affected);
  • details of a point of contact from which further information may be obtained regarding the Personal Data breach;
  • its likely consequences and the action taken or the action proposed to be taken to remedy the breach, including to mitigate any adverse consequences.

Where and to the extent that it is not possible to provide all information at the same time, the initial notification shall contain the information available at that time and, as it becomes available, additional information shall be communicated thereafter as soon as possible.

 

13. SECURITY LEVEL ASSESSMENT PROCEDURE

FASTERIZE has implemented a procedure for assessing the level of security applied to the protection of Personal Data processed within the framework of its Service.

The purpose of this procedure is to verify, once a year, whether the measures referred to in its Quality Assurance Plan are still relevant and appropriate with regard to the Regulations.

 

14. CONSEQUENCES OF BREACH OF THE AGREEMENT

Without prejudice to the provisions of the Regulations, in the event of FASTERIZE failing to fulfill its obligations under this Agreement, the CUSTOMER may instruct it to suspend the processing until the latter complies or until the Subscription is terminated.

FASTERIZE shall, where appropriate, promptly inform the CLIENT if it is unable to comply with this Agreement, for any reason whatsoever.

The CUSTOMER is entitled to terminate the Subscription, following a suspension, if:

  • compliance with this Agreement is not restored within a reasonable period of time and, in any event, within one month of the suspension,
  • FASTERIZE is in serious or persistent violation of this Agreement or of its obligations under the Regulations,
  • FASTERIZE does not comply with a binding decision of a competent court or competent supervisory authority regarding its obligations under this Agreement or the Regulations.

At the end of the Subscription, FASTERIZE will delete all the Personal Data processed on behalf of the CLIENT and will certify to the latter that it has carried out this deletion.

FASTERIZE will continue to ensure compliance with these clauses until the termination of the Service and the deletion of the Personal Data.

 

15. DPO

FASTERIZE has appointed a personal data protection officer who can be contacted by email: dpo@fasterize.com  
