DATA PROCESSING AGREEMENT
Standard DPA · Version 1.0 · EvaluationsHub by Vockam SAS
| PARTIES TO THIS AGREEMENT | |
|---|---|
| Controller | [Customer Entity Name], incorporated in [Jurisdiction], registered office at [Address] (“the Controller”) |
| Processor | Vockam SAS, a French Société par Actions Simplifiée (SAS), registration no. 899272736 R.C.S. Meaux, 1 Boulevard du huit mai 1945, 77260 La Ferté-sous-Jouarre, France, operating EvaluationsHub (“the Processor”) |
| Effective Date | [DATE] |
| Governing Law | French law and EU GDPR |
| Jurisdiction | Courts of Paris, France |
This Data Processing Agreement (“DPA”) is the standard data processing agreement issued by Vockam SAS (operating EvaluationsHub) to its customers. It forms part of the Master Service Agreement or Terms of Service (“Principal Agreement”) between the parties above, and sets out the terms on which the Processor will process Personal Data on behalf of the Controller in connection with the EvaluationsHub service. By signing below, the Controller accepts the terms of this DPA.
- 1. Definitions
In this DPA, the following terms have the meanings given below:
| Term | Meaning |
|---|---|
| Data Protection Laws | All applicable legislation relating to data protection and privacy, including the EU General Data Protection Regulation 2016/679 (“GDPR”), the French Data Protection Act (Loi Informatique et Libertés), and any applicable national implementing legislation, as amended or replaced from time to time. |
| Personal Data | Has the meaning given in Article 4(1) GDPR: any information relating to an identified or identifiable natural person. |
| Processing | Has the meaning given in Article 4(2) GDPR: any operation performed on Personal Data. |
| Data Subject | The identified or identifiable natural person to whom Personal Data relates. |
| Personal Data Breach | Has the meaning given in Article 4(12) GDPR: a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data. |
| Sub-processor | Any third party engaged by the Processor to process Personal Data on behalf of the Controller. |
| Standard Contractual Clauses (SCCs) | The EU Commission implementing decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of Personal Data to third countries, as updated from time to time. |
| EEA | The European Economic Area. |
| TOMs | Technical and organisational measures as described in Annex 2. |
- 2. Scope and Duration
2.1 Subject Matter. The Processor provides a Supplier Relationship Management (SRM) and customer experience evaluation platform (“EvaluationsHub”). The Processor will process Personal Data solely to the extent necessary to deliver these services under the Principal Agreement.
2.2 Duration. This DPA remains in effect for as long as the Processor processes Personal Data under the Principal Agreement. It terminates automatically upon the termination or expiry of the Principal Agreement, subject to the survival of obligations under Clause 10 (Deletion or Return of Data).
- 3. Processing on Instructions Only
3.1 Documented Instructions. The Processor shall process Personal Data only on documented instructions from the Controller, as set out in this DPA or the Principal Agreement, unless required to do so by Union or Member State law. In such a case, the Processor shall inform the Controller of that legal requirement before processing, unless prohibited by law on grounds of public interest.
3.2 Notification of Conflicts. If the Processor believes that any instruction from the Controller would infringe Data Protection Laws, it shall immediately notify the Controller and may suspend the relevant processing until the issue is resolved.
3.3 Confidentiality of Personnel. The Processor shall ensure that all persons authorised to process Personal Data have committed to contractual or statutory obligations of confidentiality.
- 4. Security
4.1 Appropriate Measures. The Processor shall implement and maintain the technical and organisational measures set out in Annex 2 (TOMs). These measures shall ensure a level of security appropriate to the risk, taking into account the nature, scope, context, and purposes of the processing, as well as the risk to the rights and freedoms of Data Subjects.
4.2 Updates to TOMs. The Processor may update or modify the TOMs from time to time, provided that any such update does not materially reduce the overall level of security provided. The Processor shall notify the Controller of any material reduction in security measures at least 30 days in advance.
4.3 Staff Training. The Processor shall ensure that all staff with access to Personal Data receive adequate and regular training on data protection obligations and security practices.
- 5. Sub-processing
5.1 General Authorisation. The Controller grants the Processor general written authorisation to engage the Sub-processors listed in Annex 3, subject to the conditions in this Clause 5.
5.2 Sub-processor Obligations. Before engaging any Sub-processor, the Processor shall impose data protection obligations on that Sub-processor that are equivalent to those in this DPA, in particular providing sufficient guarantees to implement appropriate TOMs. The Processor remains fully liable to the Controller for the acts and omissions of its Sub-processors.
5.3 Changes to Sub-processors. The Processor shall give the Controller at least 30 days’ prior written notice of any intended changes to the list of Sub-processors (additions or replacements). The Controller may object to such changes on reasonable grounds within 15 days of receiving notice. If the Controller objects and the Processor cannot accommodate the objection, the Controller may terminate the relevant services without penalty on written notice.
5.4 Non-EEA Sub-processors. Where a Sub-processor is located outside the EEA in a country not recognised by the European Commission as providing an adequate level of data protection, the Processor shall ensure that an appropriate transfer mechanism is in place (e.g. SCCs) before any Personal Data is transferred to that Sub-processor. Confirmed transfer mechanisms for current non-EEA Sub-processors are detailed in Annex 3.
- 6. International Data Transfers
6.1 Primary Storage. Personal Data is primarily stored and processed within the EEA, using AWS infrastructure in the EU (Ireland and Frankfurt regions).
6.2 Transfers Outside the EEA. Where Personal Data is transferred to a country outside the EEA that is not subject to an adequacy decision, the Processor shall ensure that one of the following safeguards is in place prior to the transfer: (a) the EU Standard Contractual Clauses (2021/914) have been executed with the relevant Sub-processor; or (b) another lawful transfer mechanism recognised under Article 46 GDPR applies. Details of applicable safeguards for each Sub-processor are set out in Annex 3.
6.3 Notification. The Processor shall promptly notify the Controller if any safeguard referred to in Clause 6.2 ceases to be valid or is materially changed.
- 7. Assistance with Data Subject Rights
7.1 Requests from Data Subjects. Taking into account the nature of the processing, the Processor shall assist the Controller by implementing appropriate technical and organisational measures in fulfilling its obligation to respond to requests from Data Subjects exercising their rights under Chapter III GDPR (including rights of access, rectification, erasure, restriction, portability, and objection).
7.2 Forwarding of Requests. If the Processor receives a request directly from a Data Subject, it shall forward it to the Controller within 5 business days and shall not respond to the request itself without the Controller’s prior written authorisation, unless required to do so by law.
7.3 Further Assistance. The Processor shall also assist the Controller in ensuring compliance with its obligations regarding: (a) security of processing (Article 32 GDPR); (b) notification of Personal Data Breaches to supervisory authorities and Data Subjects (Articles 33–34 GDPR); and (c) Data Protection Impact Assessments and prior consultation (Articles 35–36 GDPR).
- 8. Personal Data Breach Notification
8.1 Notification to Controller. The Processor shall notify the Controller without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data Breach affecting Personal Data processed under this DPA.
8.2 Content of Notification. Such notification shall include, to the extent then known: (a) a description of the nature of the breach, including categories and approximate number of Data Subjects and Personal Data records concerned; (b) the name and contact details of the Processor’s data protection contact (team@evaluationshub.com); (c) a description of the likely consequences of the breach; and (d) a description of the measures taken or proposed to address the breach, including mitigation measures.
8.3 Further Information. Where not all information is available at the time of initial notification, the Processor shall provide further information in phases as it becomes available, without undue delay.
8.4 Record-Keeping. The Processor shall document all Personal Data Breaches, including the facts, effects, and remedial actions taken, and make such records available to the Controller on request.
- 9. Data Retention
9.1 Retention Periods. The Processor shall not retain Personal Data for longer than necessary for the purposes set out in Annex 1. Unless otherwise agreed in writing, the following maximum retention periods apply:
| Data Category | Retention Period |
|---|---|
| Active user account data | Duration of the Principal Agreement |
| Performance evaluations and assessments | 3 years from creation, unless deletion is requested earlier |
| Login credentials (access logs) | 12 months from creation |
| Backup copies | 90 days from the termination of the Principal Agreement |
| Audit logs | 3 years from creation (legal obligation) |
- 10. Deletion or Return of Data
10.1 Upon Termination. Upon termination or expiry of the Principal Agreement, the Processor shall, at the Controller’s choice and within 30 days of receiving a written request: (a) securely return all Personal Data to the Controller in a commonly used machine-readable format; or (b) securely delete and destroy all Personal Data (and all copies thereof), unless Union or Member State law requires continued storage.
10.2 Confirmation. The Processor shall provide the Controller with written confirmation of deletion or return within 30 days of completing the action.
10.3 Residual Copies. The Processor shall use commercially reasonable efforts to ensure that Sub-processors also delete or return Personal Data in accordance with this Clause 10.
- 11. Audit Rights
11.1 Information. The Processor shall make available to the Controller all information reasonably necessary to demonstrate compliance with the obligations in this DPA and Article 28 GDPR.
11.2 Audits. The Processor shall allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller, subject to: (a) the Controller giving at least 30 days’ prior written notice; (b) audits being conducted no more than once per calendar year (except following a suspected Personal Data Breach); (c) the audit being conducted during normal business hours and in a manner that minimises disruption; and (d) costs of the audit being borne by the Controller unless the audit reveals material non-compliance, in which case costs shall be borne by the Processor.
11.3 Certifications. At the Controller’s request, the Processor shall provide copies of relevant third-party certifications (e.g. ISO 27001, once obtained) or security assessment summaries in lieu of or in addition to an on-site audit, where applicable. The Processor is currently pursuing ISO 27001 certification.
- 12. Data Protection Impact Assessments
12.1 The Processor shall reasonably assist the Controller in carrying out any Data Protection Impact Assessment (DPIA) required under Article 35 GDPR, by: (a) providing relevant information about the processing operations, risks, and TOMs in place; (b) participating in consultation meetings on reasonable notice; and (c) promptly responding to written queries relating to the processing activities described in Annex 1.
- 13. Liability
13.1 Liability Cap. To the maximum extent permitted by applicable law, the total aggregate liability of the Processor to the Controller under or in connection with this DPA (whether in contract, tort, negligence, or otherwise) shall not exceed the total fees paid or payable by the Controller to the Processor during the 12-month period immediately preceding the event giving rise to the claim (the “Liability Cap”). Where the Principal Agreement covers a period of less than 12 months at the time of the claim, the Liability Cap shall be the total fees paid or payable under the Principal Agreement to date.
13.2 Exclusions from Cap. The Liability Cap shall not apply to: (a) either Party’s liability for death or personal injury caused by its negligence; (b) either Party’s liability for fraud or fraudulent misrepresentation; or (c) any liability that cannot be excluded or limited by applicable law.
13.3 Mutual Liability. Where both Parties are responsible for damage caused by a breach of GDPR, each Party shall be liable for its part of the damage in accordance with Article 82 GDPR. The Liability Cap in Clause 13.1 applies to the Processor’s share of any such liability.
13.4 Mitigation. Each Party shall take reasonable steps to mitigate any loss or damage it suffers as a result of the other Party’s breach of this DPA.
- 14. Governing Law and Jurisdiction
14.1 This DPA is governed by and construed in accordance with French law and applicable EU law, including the GDPR.
14.2 Any dispute arising from or in connection with this DPA shall be subject to the exclusive jurisdiction of the courts of Paris, France, unless otherwise required by applicable law.
- Signatures
By signing below, the Parties agree to the terms of this Data Processing Agreement.
| For and on behalf of the Controller (Customer) | For and on behalf of Vockam SAS (Processor) |
|---|---|
| Full name: _______________________________ | Full name: Bert Paesbrugghe |
| Title: ____________________________________ | Title: Founder & CEO, Vockam SAS |
| Company: _________________________________ | Company: Vockam SAS |
| Signature: | Signature: |
ANNEX 1 — Description of Processing Activities
| Processing Element | Description |
|---|---|
| Categories of Data Subjects | • Customer employees and authorised platform users • Representatives of the Customer’s suppliers and vendors |
| Types of Personal Data | • Names and job titles • Professional email addresses • Business contact details (phone, address) • Supplier and customer names • Performance evaluation data • Platform login credentials (stored as one-way hashed values only; plaintext credentials are never retained) • User behaviour and usage logs |
| Nature of Processing | Collection, storage, retrieval, use, disclosure (to authorised users), and deletion of Personal Data. |
| Purpose of Processing | To facilitate supplier and customer evaluations, risk assessments, and management of the SRM platform under the EvaluationsHub service. |
| Legal Basis (Controller’s basis) | The Controller is responsible for identifying and documenting its own legal basis for processing under Article 6 GDPR (e.g. Article 6(1)(b) — performance of a contract; or Article 6(1)(f) — legitimate interests). EvaluationsHub processes Personal Data solely on the Controller’s instructions and does not determine the legal basis. |
ANNEX 2 — Technical and Organisational Measures (TOMs)
| Measure | Implementation |
|---|---|
| Encryption at Rest | AES-256 encryption for all Personal Data stored in AWS S3 and RDS databases. |
| Encryption in Transit | TLS 1.2 or higher for all data transmissions. TLS 1.0 and 1.1 are disabled. |
| Access Control | Strict Role-Based Access Control (RBAC). Access to Personal Data is granted on a need-to-know basis only. |
| Authentication | Two-factor authentication (2FA) is mandatory for all staff and administrative accounts with access to Personal Data. |
| Credential Handling | User passwords are stored exclusively as one-way salted hashes (bcrypt or equivalent). Plaintext passwords are never stored or logged. |
| Data Residency | All Personal Data is stored in AWS EU regions (Ireland / Frankfurt). No Personal Data is replicated outside the EEA unless a valid transfer mechanism is in place (see Annex 3). |
| Backups and Resilience | Automated daily backups stored in AWS Availability Zones within the EU. RPO: 24 hours. RTO: 8 hours. |
| Audit Logs | Immutable logs are maintained for all data access, modification, and deletion events. Logs are retained for 3 years. |
| Vulnerability Management | Regular security testing conducted in line with the Processor’s security programme. The Processor is actively pursuing ISO 27001 certification. Critical vulnerabilities are remediated on a risk-prioritised basis. |
| Incident Response | A documented incident response plan is maintained and tested annually. Processor commits to notifying the Controller within 72 hours of a confirmed Personal Data Breach (see Clause 8). |
| Supplier Management | Sub-processors are subject to data protection due diligence and contractual data protection obligations before engagement. |
ANNEX 3 — Approved Sub-processors
The following Sub-processors are authorised as at the Effective Date. The Processor will give 30 days’ prior notice of any changes in accordance with Clause 5.3.
| Sub-processor | Purpose | Country | Transfer Mechanism | Data Categories |
|---|---|---|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure and hosting | EEA (Ireland / Frankfurt) | Adequacy — EEA based; AWS DPA in place | All personal data |
| Stripe | Payment processing (where applicable) | USA | SCCs (Module 2: Controller-to-Processor) executed | Billing contact name, email, payment metadata only |
| Zoho Corporation | CRM, email campaigns, support chat | USA / India | SCCs (Module 2) executed; Zoho EU data residency option enabled. Note: the scope of data processed by any AI features within Zoho is governed by Zoho’s own DPA and privacy documentation, available at zoho.com/privacy.html | Names, emails, business contact details |
| Pitangent Technologies | Software development and maintenance | India | SCCs (Module 2: Controller-to-Processor) executed; access limited to anonymised/test data only; no production personal data access without Controller consent | Anonymised/pseudonymised data only in normal course |
| Mixpanel | Platform usage analytics | USA | SCCs (Module 2) executed; EU data residency enabled | Pseudonymised user behaviour and usage logs only |
* EvaluationsHub (Vockam SAS) warrants that SCCs and/or equivalent transfer mechanisms are in place with all non-EEA Sub-processors listed above. Copies of the relevant SCCs are available to the Controller upon written request to team@evaluationshub.com.
