Data Processing Agreement Localista
CONTENTS
Preamble
1- Definition
2- Client's Obligations
2.1. Client's Role
2.2. Data Processing
2.3. Instructions
2.4. Records
2.5. Information for Data Subjects
2.6. Rights of Data Subjects
2.7. Security
2.8. Change of Status
2.9. Data Breaches
2.10. Liability
3- Obligations of LOCALISTA
3.1. Role of LOCALISTA
3.2. Acting on the instructions of the Client
3.3. Obligation of confidentiality
3.4. Obligation of security
3.5. Notification of Data Breach
3.6. Subsequent subcontracting
3.7. Transfers outside the European Union
3.8. Rights of the Data Subjects
3.9. Obligation to cooperate - Audit
4- Return of Data
5- Miscellaneous provisions
APPENDIX A- Description of Data Processing
APPENDIX B- Technical and organizational security measures
PREAMBLE
The Company LOCALISTA, a Simplified Joint Stock Company registered in the PARIS Trade and Companies Register under number 930 152 004, whose registered office is located at 3, rue du Dragon - 75006 PARIS (hereinafter “LOCALISTA”) and the Client (hereinafter referred to individually as “Party” and collectively as “Parties”) have entered into a contract (hereinafter the “Contract”) under the terms of which LOCALISTA may be required to process personal data on behalf of the Client.
In this respect, LOCALISTA acts as a subcontractor, and the Client as a data controller within the meaning of Article 4 of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of individuals and the free movement of such data (hereinafter “GDPR”).
In the context of the execution of this Contract, the Parties undertake to comply with the GDPR and Law No. 78-17 of January 6, 1978 relating to data processing, files and freedoms (hereinafter “Data Protection Act”), as well as more generally any applicable regulations relating to the protection of personal data.
Thus, and in accordance with Article 28 of the GDPR, the Parties wish to enter into this Data Processing Agreement (hereinafter the “Agreement” or the “DPA”) in order to define their respective obligations relating to the processing of personal data collected and processed by the Client, transmitted and executed by LOCALISTA under the Contract entered into between the Parties.
Unless otherwise stated, the provisions of the Contract form an integral part of this DPA. In the event of a conflict between one or more provisions of this DPA and the provisions of the Contract, the provisions of this DPA shall prevail insofar as they relate to Personal Data.
1 – Definitions
Capitalized words or phrases shall have the following meanings:
“Contract” means the contract concluded between LOCALISTA and the Client under which this Agreement is entered into.
“Personal Data” or “PD” means any information relating to an identified natural person or a person who can be identified (hereinafter “Data Subject”), directly or indirectly, in particular by reference to an identification number, location data, online identifiers (e.g. username and password) or to one or more factors specific to the physical, physiological, mental, economic, cultural or social identity of that natural person, in accordance with Article 4 of the GDPR.
“Regulations” means all applicable laws and regulations in the European Union regarding PD, including the French Data Protection Act No. 78-17 of January 6, 1978, as amended, and the GDPR once it comes into effect.
“Service” means the service provided, and more generally all the services performed by LOCALISTA for the Client as referred to in the Contract.
“Data Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing. Within the framework of the Contract and this DPA, the Data Controller is the Client.
“Processor” means the natural or legal person, public authority, agency or other body that processes PD on behalf of the Controller, in accordance with his instructions. Within the framework of the Contract and this DPA, the Processor is LOCALISTA.
“Processing” means any operation or set of operations which is performed upon Personal Data or sets of Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or interconnection, limitation, erasure or destruction.
The terms and expressions “Data Breach”, “Process”, “Member State”, “Supervisory Authority”, “Standard Contractual Clauses”, have the same meaning as that given to them in the Regulations, and related expressions should be interpreted in the same way.
Capitalized terms not defined in this DPA have the meaning given to them in the Contract.
2 - Obligations of the Client
2.1. Role of the Client. In accordance with the Regulations, the Client is solely responsible for the Processing of Personal Data processed by LOCALISTA, on behalf of the Client, in the context of the performance of the Contract and/or according to its instructions. As such, the Client undertakes to comply with the Regulations applicable to the protection of Personal Data and to carry out all the procedures and formalities incumbent upon it in its capacity as Data Controller.
2.2. Data Processing. In the context of the Services provided by LOCALISTA, the Client undertakes to process Personal Data in a fair and lawful manner, in accordance with the principles relating to Processing as defined in Articles 5 and 6 of the GDPR. The Client shall not process or share with LOCALISTA, within the framework of the Contract, any data defined as “sensitive” within the meaning of Articles 9 and 10 of the GDPR and the French Data Protection Act (Loi Informatique et Liberté).
2.3. Instructions. The Client shall detail the purpose, nature and finality of the Processing subcontracted to LOCALISTA, the type of Personal Data, the categories of Data Subjects for each Processing operation, and more generally any instructions relating to such Processing in Appendix A of this Agreement, prior to signing the Contract. The Client acknowledges that LOCALISTA is limited to following the Client's documented instructions, subject to informing the Client in the event of instructions given that do not comply with the Regulations. Any request from the Client that exceeds or modifies the processing instructions in Appendix A shall be subject to a separate agreement and a quote when necessary. Any instruction that is not documented in writing or that does not comply with the Regulations shall not be taken into account by LOCALISTA.
2.4. Records. The Client undertakes to keep a record of all Processing operations that it carries out as a Data Controller, which record must contain the mandatory information required by the Regulations and be updated in the event of developments or modifications to one or more Processing operations concerned by this DPA.
2.5. Information for Data Subjects. The Client shall provide the necessary information to the Data Subjects prior to the collection of their Personal Data and its transfer to LOCALISTA. In particular, it shall inform the Data Subjects (i) of their rights and obligations, (ii) of the possibility for LOCALISTA to process their Data on behalf of the Client and in accordance with its instructions, (iii) of the existence of Processing under the conditions prescribed in Article 12 of the GDPR. In particular, the Client declares and guarantees that it has complied with the Regulations when collecting Data as part of the Service and that any disclosure of Data to LOCALISTA concerns personal Data collected lawfully, based on a legal basis as described in Articles 6 to 10 of the GDPR. Where applicable, the Client undertakes in particular to comply with the conditions for obtaining the consent of children as provided for in Article 8 of the GDPR.
2.6. Rights of Data Subjects. The Client guarantees that the Data Subjects may exercise their rights in accordance with the applicable Regulations, and shall respond to all requests relating to these rights in accordance with Articles 12 to 18 of the GDPR. The Client undertakes, in the event that a Data Subject submits a request to exercise his or her rights, to inform LOCALISTA without delay if this request concerns the Client, so that LOCALISTA is able to respond within the regulatory time limit.
2.7. Security. The Client, in its capacity as Data Controller, shall take all necessary measures with regard to the nature of the Data and the risks resulting from their Processing, in order to preserve the security of the Personal Data and, in particular, to prevent any alteration, damage or access by unauthorized third parties to said data. The Client shall also take reasonable measures to keep Personal Data up to date to ensure that it is not inaccurate or incomplete with regard to the purpose for which it was collected.
2.8. Change of status. The Client shall promptly alert LOCALISTA of any development in the Services that results in or may result in a potential change in LOCALISTA's status as a Processor within the meaning of the Regulations.
2.9. Data Breaches. The Client shall inform LOCALISTA without delay in the event of an incident, Data Breach, or in the event of an inspection by the CNIL or any other supervisory authority, administrative or judicial authority, directly or indirectly related to one or more of the Processing operations covered by this Agreement. In the event of a Breach relating to the Processing(s) provided for in the Contract, the Client shall implement the appropriate corrective measures and carry out all notification initiatives required by Articles 33 and 34 of the GDPR with the assistance of LOCALISTA under the conditions specified in Article 3.5.
2.10. Liability. The Client is solely responsible for the use it makes of the Data, whether personal or otherwise, and for the use it makes of the Services and the Data it incorporates or processes through the Services. If the Client uses the Services covered by the Contract to process other Data or categories of Data, or for other Processing than that described in Appendix A of this Agreement, the Client does so at its own risk and LOCALISTA cannot be held liable in the event of a breach of the Regulations. Furthermore, LOCALISTA cannot be held liable in the event that the Personal Data collected as part of its Services is used unfairly or unlawfully by the Client or by a third party to which the Client has transferred said Data. More generally, the Client shall be liable for any damage caused in the event of a breach of its obligations under the applicable Regulations.
3 - Obligations of LOCALISTA
3.1. Role of LOCALISTA. LOCALISTA carries out the Processing listed in Appendix A on behalf of the Client, in its capacity as Subcontractor. In accordance with Article 28 of the GDPR, and in its capacity as Subcontractor, LOCALISTA makes the following commitments:
3.2. Acting on the Client's instructions. LOCALISTA undertakes to process Personal Data only on the Client's documented instructions, in particular in accordance with the Contract, for the sole purposes that are the subject of the subcontracting, which are necessary for the provision of the Services and as listed in Appendix A of this DPA. LOCALISTA consequently refrains from any Processing of Personal Data on its own behalf or for any other purpose. In the event of a request for instructions from the Client outside the Contract, the latter shall present this request to LOCALISTA, which shall respond as soon as possible, accepting this request in writing subject to feasibility and setting out the terms and conditions, in particular the financial terms and conditions.
In the event that LOCALISTA is required to process Personal Data under a mandatory provision of Community law or the law of the Member State to which it is subject, it shall inform the Client prior to Processing.
3.3. Obligation of confidentiality. LOCALISTA undertakes to guarantee the confidentiality of the Personal Data processed under this DPA, and to implement the appropriate means to preserve the confidentiality of the Personal Data. LOCALISTA shall ensure that persons authorized to process the Data hereunder undertake to respect confidentiality or are subject to an appropriate legal obligation of confidentiality, and shall only process the Data within the framework of the Contract, and/or on the written instruction of the Data Controller.
3.4. Security obligation. In accordance with Article 32 of the GDPR, LOCALISTA implements all appropriate technical and organizational measures to preserve the confidentiality and security of the Data processed on behalf of the Client, with regard to the economy of the Contract, the state of the art, and the information made available to it. These precautions are taken to protect the Data against any risk of destruction, loss, alteration, unauthorized disclosure, or even accidental or illegal access to such Data.
LOCALISTA undertakes in particular to implement the following security measures:
Data encryption;
Authorization management;
LOCALISTA has held the CASA Security Certificate issued by TAC Security since January 17, 2025;
Secure password management via 1Password;
Secure database connections via AWS PrivateLink;
Infrastructure hosted in the secure data centers of Amazon AWS and Microsoft Azure.
The detailed list of security measures [OPTION 1] may be forwarded to the Client upon written request [OPTION 2] is reproduced in Appendix B of this DPA.
The Client acknowledges that it is best placed to determine the appropriate technical and organizational security measures for the Processing. The Client hereby confirms that it has ensured that the technical and organizational security measures provided by LOCALISTA are appropriate and offer an adequate level of protection, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the Processing as well as the risks, the degree of probability and severity of which vary for the rights and freedoms of the Data Subjects. In the event that additional measures are necessary, the Parties agree to meet and discuss in good faith the conditions of these additional measures, which will be the subject of a separate agreement if necessary.
Upon reasonable request and at the Client's expense, LOCALISTA will assist the Client in complying with the obligations set forth in Articles 32 to 36 of the GDPR, taking into account the nature of the processing and the information available to LOCALISTA.
3.5. Data Breach Notification. LOCALISTA undertakes to notify the Client of any Personal Data Breach as soon as possible after becoming aware of such an event. LOCALISTA therefore undertakes to cooperate with the Client and to take all reasonable measures requested by the Client to help it understand this event and mitigate and remedy each of the Data Breaches. In the event of a Breach, LOCALISTA shall refrain from communicating about the situation to any third party, including the Data Subjects and the media, without the prior written consent of the Client. LOCALISTA undertakes not to make any notification to the CNIL (French Data Protection Authority) without the prior written consent of the Client.
3.6. Subsequent subcontracting. In general, the Client authorizes LOCALISTA to call on other subcontractors (hereinafter “Subsequent Subcontractor”), solely for the purposes of the proper performance of the Contract and/or the Client's instructions, provided that these Subsequent Subcontractors are subject to equivalent data protection obligations as those imposed on LOCALISTA and that they are established within the European Union or, if they are located outside the European Union, that they are established in a country considered by the European Commission to have an adequate level of protection or offer appropriate safeguards within the meaning of the GDPR.
The list of Sub-processors that LOCALISTA is likely to use can be found in Appendix A of this DPA. This list will be kept up to date.
In the event of a change to or addition of a new Subsequent Processor established outside the European Union, LOCALISTA will inform the Client in advance, who has a period of eight (8) days from the date of receipt of this information to express any potential reservations or raise any objections, the absence of an objection within this period constituting acceptance by the Client. In the event of a reasoned refusal by the Customer of the new Subsequent Subcontractor, LOCALISTA will cease to use the Subsequent Subcontractor for the Processing of the Customer's Data and will take corrective measures to remedy the shortcomings listed by the Customer in the terms of his objection. In any event, the Client shall bear all consequences and damages resulting from any delay or inability to use, temporarily or permanently, all or part of the Services subscribed to under the Contract as a result of the refusal to use one or more Sub-processor(s).
3.7. Transfers outside the European Union. Personal Data processed by LOCALISTA on behalf of and on the instructions of the Client is stored and hosted within the European Union. In the event of transfer of Data outside the European Union or the European Economic Area, LOCALISTA undertakes to take all measures prescribed by the Regulations to ensure that this transfer provides appropriate safeguards, in particular under the conditions detailed in 3.6 above. In particular, Personal Data may be transferred to third countries that offer an adequate level of Data protection under an adequacy decision taken by the European Commission, without any other protective measures being necessary. In the event that the Data Processing involves transfers, either direct or by onward transfer to third countries that have not been the subject of an adequacy decision as mentioned above, and that this transfer is not governed by other means approved by the Regulations, LOCALISTA will supervise this transfer by signing, with these third parties, the European Commission's standard contractual clauses (SCCs) between Subcontractors.
3.8. Rights of the Persons Concerned. The Client guarantees to have obtained the express and prior consent of the Persons Concerned for the collection and processing of their Personal Data within the LOCALISTA solution and Services. It guarantees that it has informed the persons concerned by the collection and Processing of their Personal Data of their rights and the procedures for making their Data available, accessing, rectifying, deleting, tracing and any transmission of their Data. As far as possible, LOCALISTA will assist the Client to enable it to fulfill its obligation to respond to requests to exercise the rights of the Persons Concerned. When the Data Subjects make requests to LOCALISTA to exercise their rights, LOCALISTA will forward these requests to the Client as soon as possible and will accompany this communication with all the information at its disposal in relation to these requests. LOCALISTA may only respond directly to a Data Subject's request on the documented instruction of the Data Controller.
3.9. Obligation to cooperate - Audit. LOCALISTA undertakes to make available to the Client all the information necessary to demonstrate compliance with the obligations set out in this DPA, to reasonably assist the Client in conducting its Data Protection Impact Assessments (DPIA) and to allow audits to be carried out. The Parties agree that these audits will be carried out at the Client's expense by an independent auditor who must be approved by LOCALISTA, who will sign a confidentiality agreement. Prior to the audit operations, the Client will indicate the specific purpose of the audit and the types of information to which the auditor will have access, which must only concern the obligations provided for in this DPA, to the exclusion of any other area. LOCALISTA undertakes to collaborate in good faith with the independent auditor for the performance of the audit operations. The audit operations may not disrupt the activity of LOCALISTA, the proper functioning of its infrastructures, or the execution of the Contract. At the end of the audit operations, a full copy of the audit report drawn up by the auditor will be given to LOCALISTA at the same time as to the Client, failing which such a report will not be enforceable against him. LOCALISTA will have the opportunity to respond to this audit report. The Client shall have the option of an audit once (1) a year, and within the limit of two (2) man-days made available by LOCALISTA.
4 – Return of Data
At the Client's choice and upon written request made no later than one (1) month after the end of the Contract, LOCALISTA shall:
Either return all the Personal Data processed, in a standard, readable and usable format;
Or delete it and certify to the Customer in writing that the deletion has been carried out subject to and within the limits of the legal and regulatory conservation obligations imposed on LOCALISTA.
If the Customer fails to make such a request within the aforementioned period, the Personal Data processed on behalf of the Data Controller will be deleted, including the backups, subject to the aforementioned legal or regulatory retention obligation imposed on LOCALISTA.
Article 5 - Miscellaneous provisions
5.1. Amendments. This DPA is subject to change. The Client may, subject to forty-five (45) working days' notice, request in writing amendments made necessary as a result of a change affecting the Regulations or any decision of a competent Authority such as the CNIL, in order to allow the Processing to be brought into compliance with such a change. In this case, LOCALISTA will make the necessary and reasonable efforts to respond to this request for modification and the Client may not refuse or delay without reasonable grounds an agreement on the modification proposed by LOCALISTA in order to ensure the compliance of the DPA with these developments or changes, protecting LOCALISTA against risks of non-compliance which would expose it to all types of sanctions. In the absence of an objection, or in the absence of an objection based on reasonable grounds expressed within thirty (30) working days of the proposed amendment made by LOCALISTA, the latter will automatically apply to this DPA.
With the exception of the aforementioned requests for modifications, and the change of a Subsequent Subcontractor as provided for in Article 3.5 of this DPA, LOCALISTA reserves the right to modify the provisions of this Agreement by informing the Client in writing or by making a new version of this DPA available to the Client on its Site or on the Platform. These modifications will automatically apply thirty (30) days after the Client has been informed.
5.2. Severability. If any of the provisions of this Agreement is declared null and void or deemed unwritten following a decision by a court or a national or Community administrative authority, the Parties undertake, in good faith, to adapt the conditions of execution, it being understood that such nullity shall not affect the other provisions of this Agreement.
5.3. Liability. The liability of each Party arising from a breach of the obligations of this Agreement shall be subject to the provisions of the Contract dealing with the consequences of a breach. Subject to this, LOCALISTA shall not be held liable for damages resulting from a breach by the Client of its obligations under this DPA and in its capacity as Data Controller, or if it has given non-compliant or unlawful instructions to the Client, without the Client's knowledge.
5.4. Sanctions. The Parties acknowledge that in the event that a Party violates a provision of the applicable Regulations, it is liable to be subject to sanctions such as an administrative fine imposed by the competent authority.
5.5 Applicable law. This DPA is governed by and interpreted in accordance with French law. Any difficulty relating to its conclusion, interpretation or execution will be submitted to the French courts referred to in the Contract.
APPENDIX A - DESCRIPTION OF DATA PROCESSING
List of categories of Personal Data concerned by the Processing
Personal and professional identification and contact details: Title, surname, first name, email address, telephone number, date of birth. Data relating to professional life: Position held, status, company, professional training. Data transmitted by the Client through the Services and any information entered by the Client in the free text fields.
Purposes of Processing:
Optimization of the Client's event marketing strategy: the purpose of Data Processing is to improve and optimize the management of events and participants, ensuring the centralization and monitoring of the status of guests in order to maximize their commercial impact for the Client.
Automation of processes: the Data collected through the Services is integrated into the Client's CRM or imported from the Client's CRM. The Processing also aims to automate repetitive and operational processes related to event management in order to increase operational efficiency, and enables personalized follow-ups, adapted to the status of each prospect in order to avoid delays and generic communications.
Data Analysis: the Data collected through the Services is intended to be analyzed in order to understand the behavior of customers and prospects, to compile statistics on event participation and to help improve the Client's event strategy.
Analysis of the performance of the sales teams: the Data makes it possible to evaluate the effectiveness of the Client's teams during events.
Provide the Services to the Customer, execute the Contract, the DPA or any other agreement signed between the Parties.
Provide assistance to the Customer in the use of the Services provided by LOCALISTA.
Comply with the applicable Regulations, prevent, mitigate and investigate the causes of any incidents related to the Data, or any other fraud or illegal or prohibited activity.
Nature of the Processing operations
Collection, recording, importation, organization, structuring, conservation/storage, access/consultation, reconciliation or interconnection, adaptation.
List of categories of Data Subjects
LOCALISTA customers. Customer employees. Users of the Solution at the Customer's premises authorized by the Customer. Prospects, customers and partners of the Customer. Participants in an event, workshop, trade show or any other event concerned by the use of LOCALISTA Services. Any other person whose Data the Customer collects through the Service or transmitted on the Service and the Platform.
Data Retention Periods
LOCALISTA will process the Data in accordance with the DPA and the Contract for the duration of the Contract.
Contact details of the Client's Contact Person and/or Data Protection Officer (DPO):
Last name:
First name:
Position:
Email address:
Business telephone number:
List of LOCALISTA Sub-Processors
| Name of the Subsequent Processor | Location | Nature of the subcontracted service | Link to the Privacy Policy |
| --- | --- | --- | --- |
| Anthropic Ireland Limited | Ireland (EEA) | Artificial Intelligence Functionality | https://www.anthropic.com/legal/privac |
| AppSignal B.V. | Amsterdam (EU) | Performance monitoring, analysis and error resolution | https://www.appsignal.com/privacy-policy |
| Neon Inc. | Wilmington (USA). Compliance with the EU-US Data Privacy Framework. | Provider for our database | https://neon.tech/privacy-polic |
| Prisma Data Inc. | San Francisco (USA). Compliance with the EU-US Data Privacy Framework. | Simplification of interaction with the database | https://www.prisma.io/privacy |
| API Hero Ltd. | Altrincham (United Kingdom) | Task management | https://trigger.dev/legal/privac |
| Unified API Inc. | Ontario (Canada). Compliance with the EU-US Data Privacy Framework. Transfers governed by the European Commission's Standard Contractual Clauses. | Application Programming Interface (API) for integration with Salesforce and Hubspot | https://unified.to/privac |
| Google Ireland Limited (Google Cloud and Google API) | Dublin, Ireland (EEA) | Image scanning and voice conversion | https://policies.google.com/privacy |
| Fly.io Inc | Chicago (USA) | Cloud infrastructure | https://fly.io/legal/privacy-policy/ |
| Stripe | Dublin, Ireland (EEA) | Secure payment provider | https://stripe.com/fr/privac |
| ZenLeads Inc. d/b/a Apollo.io | Covina, California (USA) | Business intelligence and sales engagement platform, providing B2B contact data and sales automation tools | https://www.apollo.io/privacy-polic |
| ContactOut Inc. | San Francisco, California (USA) | Supplier of emails and telephone numbers for recruiters and other companies | https://contactout.com/privac |
| Coresignal, UAB | New Jersey (USA) | Supplier of data on employees, companies and job offers, enabling companies to build data-based products and extract actionable insights | https://coresignal.com/privacy-polic |
| People Data Labs Inc. | San Francisco, California (USA) | Provider of data on individuals and companies, offering APIs to access detailed profiles for in-depth analysis and custom integrations | https://privacy.peopledatalabs.com/policies?name=privacy-policy |
| Anymailfinder Ltd. | London (United Kingdom) | Supplier of emails for business outreach and lead generation | https://anymailfinder.com/legal/privacy-policy |
| Rocketsearch Inc. | New York (USA) | Provider of contact and business intelligence data for sales and marketing teams | https://rocketreach.co/privacy |