OUTSCALE INC. PERSONAL DATA PROTECTION POLICY

 

Table of contents

Preamble

ARTICLE 1.  Definitions

ARTICLE 2.  Scope

ARTICLE 3.  Main Principles

ARTICLE 4.  Processing of Sensitive Data

ARTICLE 5.  Duration of Retention

ARTICLE 6.  Personal Data Breach

ARTICLE 7.  Third Party Processing

ARTICLE 8.  Transfer of Data to Third-Party Countries

ARTICLE 9.  Data Subject Rights

ARTICLE 10.  Complaint Management Procedure

ARTICLE 11.  Privacy by Default

ARTICLE 12.  Impact Assessment

ARTICLE 13.  Data Processing Record

ARTICLE 14.  Cooperation with the Supervisory Authorities

ARTICLE 15.  Training Program

ARTICLE 16.  Audit

 

Preamble

OUTSCALE INC. is a Delaware corporation with its principal place of business at 185 Alewife Brook Parkway, Suite 210, Cambridge, MA 02138.

The purpose of this Policy is to present the technical and organizational measures implemented by OUTSCALE INC. to provide a high level of protection of Personal Data, to document its compliance with the relevant data privacy regulations, and to inform Data Subjects on the manner in which OUTSCALE INC. processes Personal Data and the means available to them to control this processing.

 

ARTICLE 1.  Definitions

The following terms used in this Policy, when capitalized, have contractual value and are to be interpreted as follows: 

Client: any entity having subscribed, directly or indirectly through a third-party reseller, to the Services pursuant to a Customer Agreement with OUTSCALE INC.

Controller: refers to the party which determines the purposes and means of the processing of Personal Data under applicable law.

Customer Agreement: a contractual commitment, such as pursuant to a contract or general terms and conditions accepted by the Client for OUTSCALE INC. to provide the Services.

Data Subject: an identified or identifiable natural person to whom the Personal Data undergoing processing is related.

Personal Data: any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly. 

Policy: the present document applicable to any Data Subject concerned by the Processing (including Client, user, employees, subcontractors, partners, suppliers, prospects, etc.) regarding the rules of access and use of the Services provided by OUTSCALE INC.

Privacy Impact Statement:  a process to help identify and minimize the data protection risks of a project.

Processing: any operation or set of operations which is performed on Personal Data or on sets of Personal Data under applicable law. 

Processor:  any natural or legal person, public authority, agency or other body subject to applicable law which Processes Personal Data on behalf of a Controller.

Sensitive Data: means Personal Data which are, by their nature, particularly sensitive or merit specific protection under applicable law.

Services: the services provided by OUTSCALE INC. under the conditions referred to in the Customer Agreement. 

Subprocessor: a Processor engaged to provide services for another Processor to carry out the Processing of Personal Data.

Supervisory Authorities: a governmental entity responsible for enforcing applicable law.

Third Party: a natural or legal person, public authority, agency or body other than a Data Subject, Controller, Processor, under the direct authority of the Controller or a Processor, authorized to Process Personal Data.

 

ARTICLE 2.  Scope

This Data Protection Policy applies from May 3, 2021.

The Policy applies when OUTSCALE INC. is processing Personal Data on behalf of its Clients and when OUTSCALE INC. is the Controller. OUTSCALE INC. acts as Processor when it processes Client Data as part of Services.

This Policy applies to all OUTSCALE INC. infrastructure located in the United States of America territory and OUTSCALE S.A.S. located in France.

 

ARTICLE 3.  Main Principles

1.  When OUTSCALE INC. acts as Controller:

a. Purpose limitation

Prior to collecting and processing any Personal Data as a Controller, OUTSCALE INC. must ensure that collection is based on a specific, explicit and legitimate purpose:

OUTSCALE INC. may collect and process Personal Data as a Controller during the performance of a Customer Agreement with a Client.

b.  Minimization of Data

OUTSCALE INC. only collects Personal Data necessary to the performance of the Customer Agreement.

c.  Further compatible Processing

OUTSCALE INC. may carry out further processing of the Personal Data collected, provided that such processing is compatible with applicable law.

d.  Data accuracy/quality

OUTSCALE INC. will ensure that any Personal Data it collects is accurate and up to date.

An individual may exercise his or her right to correct or to update their Personal Data by contacting OUTSCALE INC.’s Data Protection Officer at  [email protected].

e.  Limitation of Data Retention

OUTSCALE INC. shall not keep Personal Data longer than necessary or agreed upon for the Purposes of the processing.

f.  Security measures / Integrity and confidentiality

OUTSCALE INC. implements security measures in order to secure its IT environment against unauthorized or illicit processing and against accidental loss, destruction or damage (depending on the context: encryption, traceability measures, access controls, backup, etc.). Such security measures also prevent access to the Cloud Computer Infrastructure on which the Personal Data is stored.

2.  When OUTSCALE INC. acts as Processor:

OUTSCALE INC. processes Personal Data in accordance with the instructions of its Clients.

OUTSCALE INC. processes the Personal Data on behalf of its Client, for the Purpose described by the Client exclusively, in accordance with the Customer Agreement that binds it to its Client, for a duration that cannot exceed the one prescribed by the Client. The Customer Agreement and the actions of the Client using the tools made available by OUTSCALE INC. are considered instructions.

The Clients have agreed in the Customer Agreement to comply with the relevant legislation(s) in effect.

3.  When OUTSCALE INC. acts as Subprocessor: 

When OUTSCALE INC. acts as Subprocessor, the provisions of this Policy applicable to OUTSCALE INC. acting as Processor shall be interpreted as applying to its role as a Subprocessor.

 

ARTICLE 4.  Processing of Sensitive Data

OUTSCALE INC. processes Sensitive Personal Data in limited cases.

1.  When OUTSCALE INC. acts as Controller:

OUTSCALE INC. does not collect Sensitive Data as a Controller.

2.  When OUTSCALE INC. acts as Processor:

In the event OUTSCALE INC. is required by its Client to process Sensitive Data, the Client and OUTSCALE INC. shall agree upon specific security provisions suitable for the nature of the Processed Data.

 

ARTICLE 5.  Duration of Retention

1.  When OUTSCALE INC. acts as Controller:

OUTSCALE INC. will retain the Personal Data that it has collected in its capacity of Controller up to 7 (seven) years.

2.  When OUTSCALE INC. acts as Processor:

The Personal Data collected as part of the Services are retained for the entire duration of the contractual relationship between OUTSCALE INC. and the Client. Upon termination of the Customer Agreement, the Personal Data shall be handled as set forth in the Customer Agreement.

3.  Data Sharing

It is specified that Personal Data shared by the Client to Third Parties cannot be deleted by OUTSCALE INC. It is the Client’s responsibility not to share confidential information, Sensitive Data, Personal Data or Data belonging to third parties.

4.  Further Processing

In accordance with applicable legislation, OUTSCALE INC. shall not carry out further processing that is not compatible with the initial Purpose of the Processing.

 

ARTICLE 6.  Personal Data Breach

 1.  When OUTSCALE INC. acts as Controller:

In the event OUTSCALE INC. identifies an unauthorized or unlawful access, use or disclosure, whether potential or actual, of the Personal Data for which it is responsible, OUTSCALE INC. shall determine if the breach must be reported to the appropriate authorities in accordance with its data breach management procedure.

2.  When OUTSCALE INC. acts as Processor:

In the event OUTSCALE INC. considers there has been an unauthorized or unlawful access, use or disclosure, whether potential or actual, of the Personal Data for which it is responsible, OUTSCALE INC. shall inform the Client as provided in the Customer Agreement.

 

ARTICLE 7.  Third Party Processing

OUTSCALE INC. can resort to Third Parties for its own needs or as part of the Services provided to its Clients.

1.  When OUTSCALE INC. acts as Controller:

When OUTSCALE INC. uses Third Parties for Processing, it ensures the Third Party:

–          Implements procedures to guarantee the instructions provided by OUTSCALE INC. are followed, by the Third Party itself and by its subcontractors.

–          Informs OUTSCALE INC. of any request for communication of OUTSCALE INC.’s Personal Data that the Third Party receives from another Third Party.

–          Ensures their staff and subcontractors comply with the applicable legislation and sign a specific confidentiality agreement.

–          Implements a procedure to inform OUTSCALE INC. of the requests and complaints of the data subjects it may receive as part of the Processing of OUTSCALE INC.’s Personal Data.

–          Allows OUTSCALE INC. to carry out audits.

–          Undertakes to regularly audit its subcontractors.

–          Cooperates with OUTSCALE INC. to assess and document the compliance of the Personal Data Processing.

 

2.  When OUTSCALE INC. acts as Processor:

The Client is informed that:

–          The data centers are provided and managed by a Third Party.

–          The fiber provision is provided and managed by a Third Party.

–          The bandwidth provision is provided and managed by a Third Party.

The Client authorizes OUTSCALE INC. to engage these Third Parties as part of its Services.

In the event where OUTSCALE INC. engages a Third Party to carry out the Processing of Personal Data, OUTSCALE INC. shall obtain the same guarantees from the said Third Parties as if they were a Controller.

OUTSCALE INC. shall inform the Client of any change regarding the addition or replacement of Third Parties carrying out Processing of Personal Data.

 

ARTICLE 8.  Transfer of Data to Third-Party Countries

The transfer of Personal Data from OUTSCALE INC. to a Third Party located outside the United States shall be managed by agreement between the Client and OUTSCALE INC. and set out in the Customer Agreement.

 

ARTICLE 9.  Data Subject Rights

1.  When OUTSCALE INC. acts as Controller:

A Data Subject shall have the right to enforce this Data Protection Policy.

2.  When OUTSCALE INC. acts as Processor:

Regarding the Processing of the Personal Data of a Data Subject, the Data Subject may exercise their rights through the Client.

3.  Rights of opposition, access, rectification, portability and erasure:

A Data Subject shall have the following rights:

–          Accessing the Personal Data related to them and that are Processed by OUTSCALE INC.

–          Asking for the rectification, or limitation of inaccurate and incomplete Personal Data related to them and Personal Data for which the Purpose of the Processing is no longer legal or appropriate.

–          Objecting to the Processing of their Personal Data at any time, except if said Processing is required or permitted by law and provided the Data Subject proves they have a legitimate reason induced by the specific nature of the situation.

–          Receiving their Personal Data as required by applicable law.

4.  Request for information/remarks and complaints

If a Data Subject has remarks or questions regarding his or her rights, they can contact OUTSCALE INC. by e-mail: [email protected]

 

ARTICLE 10.  Complaint Management Procedure

A Data Subject shall submit their complaints according to the following complaint management procedure. OUTSCALE INC. shall undertake to manage these complaints within a reasonable period of time and at the latest within one month of receipt of the complaint. This procedure will also apply at the Data Subjects’ request to exercise their rights of access, update and deletion regarding their Personal Data.

With regard to the Data Subjects’ complaints relating to OUTSCALE INC.’s Clients, if a Data Subject files a complaint directly to OUTSCALE INC., it shall inform the Client about this request, notify the Client of all the relevant information received from the Data Subject, and notify the Client that the processing of this complaint is incumbent upon the Client.

If the Data Subject complaint relates to OUTSCALE INC.’s role as a Controller, the Data Protection Officer will receive the complaint and forward it to the relevant OUTSCALE INC. department in order to resolve the said complaint.

A Data Subject may exercise his or her rights on the processing of their Personal Data by OUTSCALE INC., by contacting the Data Protection Officer (DPO) by email:  [email protected] or by sending a signed letter with a copy of proof of identity at the following address:

OUTSCALE INC.

For the attention of the Data Protection Officer

185 Alewife Brook Parkway, Suite 210, Cambridge, MA 02138

 

ARTICLE 11.  Privacy by Default

OUTSCALE INC. adopts restrictions for data protection at the start of any new project, in order to protect a Data Subject’s privacy from the moment a new product or service is designed.

The principles and obligations of this Policy will be included in a project from its inception.

To respect privacy by design and by default, OUTSCALE INC. shall:

–          Integrate restrictions for data protection from the design stage.

–          Anticipate restrictions for data protection and integrate these Data in the design stage of any project.

–          Ensure that restrictions for privacy are taken into account at the start of all projects.

–          Ensure that the commitment of a project concerning data protection is clearly defined and identified in order to facilitate the conformity assessment and ensure full transparency regarding the data subjects.

–          Ensure that restrictions for privacy are being complied with throughout the product or system life cycle, or the duration of retention of the Personal Data.

 

ARTICLE 12.  Impact Assessment

1.  When OUTSCALE INC. acts as Controller:

In certain cases, OUTSCALE INC. may conduct a Privacy Impact Assessment in order to:

–          Identify the processing that involves a potential risk for the protection of the Personal Data.

–          Assess the level of conformity of the processing that is conducted.

–          Decide on corrective actions to apply in order to ensure that the Personal Data are processed in conformity with applicable regulations.

2.  When OUTSCALE INC. acts as Processor:

OUTSCALE INC. may be asked by its Clients to cooperate and provide them with relevant information in order to conduct a Privacy Impact Assessment.

OUTSCALE INC. shall provide a Client with all relevant information it possesses if requested in order for such Client to conduct a Privacy Impact Assessment, provided that it is responsible for the successful execution of the said Privacy Impact Assessment.

 

ARTICLE 13.   Data Processing Record

As Controller and as Processor, OUTSCALE INC. commits to maintaining a record of its data processing activities.

OUTSCALE INC. has the responsibility to ensure that any new Processing is registered in the record with the information relevant to the context of the processing.

 

ARTICLE 14.   Cooperation with the Supervisory Authorities

OUTSCALE INC. commits to maintaining good relations with the Supervisory Authorities. To that end, OUTSCALE INC. will cooperate and allow the Supervisory Authorities to audit it as required by law. OUTSCALE INC. will also agree to follow, to the extent applicable, advice from these Supervisory Authorities.

OUTSCALE INC. will choose the Supervisory Authorities best for each existing Processing.

The Data Protection Officer will be informed in a timely manner if a Supervisory Authority conducts an audit on one of OUTSCALE INC.’s facilities.

By email: [email protected]

Or by sending a signed letter with a copy of proof of identity at the following address:

OUTSCALE INC.

For the attention of the Data Protection Officer

185 Alewife Brook Parkway, Suite 210, Cambridge, MA 02138

 

ARTICLE 15.   Training Program

OUTSCALE INC. commits to implementing a training program on the protection of Personal Data. The goal of this program is to ensure that OUTSCALE INC. employees are aware of the principles and procedures defined in this Data Protection Policy.

This training program aims at providing OUTSCALE INC. employees:

–          Common and shared knowledge on the principles applicable during the Processing of Personal Data.

–          A clear understanding of existing procedures and when and how they apply.

The training program is followed by all OUTSCALE INC. employees.

The training is delivered online or on-site.

 

ARTICLE 16.    Audit

1.  When OUTSCALE INC. acts as Controller:

OUTSCALE INC. commits to implementing organizational and technical measures for monitoring the commitments in this Data Protection Policy.

2.  When OUTSCALE INC. acts as Processor:

OUTSCALE INC. provides the Controller with the necessary documentation to demonstrate compliance with all of its obligations and to enable audits, including inspections, conducted by the Controller or another auditor mandated for these audits, and to contribute to these audits.

The Controller may subsequently, at its own expense, conduct an audit on the protection measures of the Personal Data implemented by OUTSCALE INC.

The Controller will have to inform OUTSCALE INC., in writing, of its intention to conduct an audit and of the choice of auditor, with fifteen (15) days’ notice.

This audit may be conducted by an internal organization of the Controller or by an external, independent audit firm. The latter’s activities must not be competitive to OUTSCALE INC.’s or linked to one of OUTSCALE INC.’s competitors.

In the situation where OUTSCALE INC. provides unbiased justifications to question the independence and impartiality of the selected auditor, OUTSCALE INC. may refuse to allow this third party to conduct the audit.

 

Last updated May 3, 2021