
Data Processing Agreement

The Data Processing Agreement ("Agreement") is entered into as of the Date of Execution of the Contract by and between MANTRA, a French company, registered with the Nanterre RCS under number 892 440 959, with a share capital of €27,111.11 whose Head Office is located at 65, rue de la Croix, 92000 Nanterre – France ("MANTRA" or the “Processor”) and the client (“Controller” or “Client”).

MANTRA and the Client are referred to individually as a “Party” and collectively as the “Parties” to this Agreement.

Preamble:

Mantra is the publisher of an all-in-one phishing simulation and cybersecurity awareness platform allowing its clients to train their employees.

This Agreement sets out MANTRA's commitments to the Client with respect to the protection of personal data of the employees processed for the performance of the Services.

For the purpose of the Contract, the Parties agree to act in compliance with EU regulation n°2016/679 of 27 April 2016 (the “GDPR”).

This Agreement shall apply in addition to and without prejudice to the applicable General Terms and Specific Terms and Conditions that the Parties may have entered into.

MANTRA shall develop its Platform in accordance with the principle of privacy by design and privacy by default.


  1. Definitions

Capitalized terms have the meaning indicated in their definitions, whether singular or plural.

Agreement: means this Agreement.

Contract: means the contract between MANTRA and the Client relating to the provision of the Services.

Personal Data: has the meaning given in the GDPR.

Employees: means the employees of the Client.

Processing activities: means the processing activities, under the meaning given in the GDPR, that are implemented for the purpose of granting access to the Platform to the Client.

Platform: means the phishing simulation and cybersecurity awareness platform.

Services: means the services accessible through the Platform.

Unless otherwise specified, capitalized terms in the Agreement have the meaning given to them by the GDPR.

  2. Description of the Data Processing

When using the Platform, the Personal Data of the Client’s Employees may be processed. For that purpose, MANTRA acts as Data Processor and the Client acts as Data Controller.

In accordance with article 28.3 GDPR, the processing activities carried out by MANTRA on behalf of the Client while using the Platform are described hereafter.

| Processing activity | Data collected | Lawful basis | Retention period | Data subject |
|---|---|---|---|---|
| Sending simulated phishing emails | Position within the client; employees list (last name, first name, department, location, time zone, software used, language) | Contract | Duration of the contract or for 3 consecutive years | Clients and prospective clients’ employees |
| Monitoring employees’ results in the simulation | Last name, first name, position, email address, number of clicks in-mail, opening time and date, report time and date, sensitive action rate (documents opened, downloads, credentials entered) | Contract | Duration of the contract or for 3 consecutive years | Clients’ employees |
| Identifying suspicious emails | Sender’s email address, email subject, email body, employee report (time and date) | Contract | Duration of the contract or for 3 consecutive years | Clients’ employees |
| Employees training (chatbot) | Client’s corporate information; list of employees | Contract | Duration of the contract or for 3 consecutive years | Clients’ employees |
| Monitoring of employees’ training (chatbot) | List of employees (first name, last name, department), courses taken, progression | Contract | Duration of the contract or for 3 consecutive years | Clients’ employees |
| Analysis of the employees’ e-mails | Metadata/message headers: sender’s and recipient’s information, email address domain name, IP address, time and date of the exchange, country, workstation, nature of the e-mail services used, outbox location, computer system location | Contract | Duration of the contract or for 3 consecutive years | Any person whose data is processed through emails |
| Add a trusted sender (email analysis) | Sender’s and recipient’s email address | Contract | Duration of the contract or for 3 consecutive years | Any person whose data is processed through emails |
| Analysis of how the passwords are used | User’s ID (last name, first name, e-mail address); time and date of password input on a suspicious website; the suspicious website | Contract | Duration of the contract or for 3 consecutive years | Client’s employees |
| Analysis of the downloaded files | File type | Contract | Duration of the contract or for 3 consecutive years | Client’s employees |
| Analysis of the browser extensions | Name of the browser extension | Contract | Duration of the contract or for 3 consecutive years | Client’s employees |

  3. Obligations of the Client

The Client undertakes to comply with the applicable regulation (in particular in relation to personal data) with regard to its Employees.

The Client undertakes to ensure the confidentiality of the login information used to access the Services and to implement all organizational and technical measures required to ensure the physical and logical security of the use of the services on its equipment, software and all items under its responsibility.

In any event, the Client undertakes to provide MANTRA with instructions that comply with the applicable regulations and legal provisions. 

  4. MANTRA’s obligations

4.1 MANTRA acts as Data Processor for the processing activities described in article 2 « Description of the Data Processing ».

MANTRA processes Data solely for the purposes set out in article 2.

4.2 As such, MANTRA only processes Personal Data on documented instructions of the Client, for the purposes set out in the present Agreement. The present Agreement, the Contract and the written instructions of the Client when using the Platform and Services constitute the Client’s documented instructions.

MANTRA will use its best efforts to inform the Client, where possible and to the extent of its knowledge, if any of the Client’s instructions is likely to constitute a breach of the applicable regulation.

4.3 In the event that MANTRA is required by European or National law to transfer Personal Data to a third-party country or to an international organization, MANTRA will inform the Client, unless such information is prohibited by a legal provision or an order from a competent authority.

In the event that MANTRA is required to make a Transfer outside the EU or EEA, such Processing activity shall meet the requirements of the GDPR for Cross-border processing, namely:

a) The Processing is carried out in a Third Country with an applicable Adequacy Decision;

b) The Processing is governed by standard contractual clauses published by the European Commission. In this case, MANTRA and the Third-Party Data Importer will incorporate the standard contractual clauses in their contract, which they undertake to ratify prior to the implementation of the Processing; 

c) The Processing is governed by Binding Corporate Rules (BCR).

If the mechanism(s) used for the Transfer become obsolete, the Parties undertake to modify the chosen mechanism and replace it with an appropriate mechanism.

The standard contractual clauses used by Mantra, including its requirements in terms of technical and organizational measures implemented by the data importer are attached in an Appendix available upon request.

4.4 MANTRA ensures the confidentiality of the Personal Data processed under the Contract.

4.5 MANTRA warrants that the personnel authorized to process the Personal Data of the Client for the purposes of the Contract undertake to observe an appropriate level of confidentiality and commits to the principles of its Data Protection Policy.

4.6 MANTRA is authorized to use other sub-processors for specific processing activities (the “Sub-processor”). On the Client’s request, MANTRA will communicate the details of the sub-contracted processing activities, the Sub-processors’ identities and contact information, and the dates of the contracts. The Client shall have a 15-day period from receipt of the information to raise objections. In the event of a disagreement in relation to the identity of a Sub-processor, the Parties will endeavor to find an alternative Sub-processor.

MANTRA shall enter into a contract with each Sub-processor, listing their rights and obligations per the GDPR and the Processing. This contract shall contain all the obligations listed herein to which the Sub-processor will be committed.

MANTRA is responsible for ensuring that the Sub-processor provides the same sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the Processing meets the requirements of the General Data Protection Regulation and this Agreement. Where the Sub-processor fails to fulfil its data protection obligations, MANTRA shall no longer work with this Sub-processor on Processing implemented on behalf of the Client.

The Client has already authorized MANTRA to sub-process all Processing to the Sub-processors listed in an Appendix available upon request. MANTRA shall duly notify the Client in the event of a change in this list of authorized Sub-processors.

In any event, MANTRA remains fully liable to the Client for the Sub-processor’s performance of its obligations.

4.7 The Client is responsible for providing the information listed in articles 13 and 14 of the GDPR to its Employees whose data are processed by MANTRA. Where applicable, this information may be provided when connecting to the Platform.

4.8 MANTRA undertakes to cooperate with the Client to answer any request of an Employee whose Data are processed in connection with the Services.

MANTRA shall assist the Client in fulfilling its obligation to respond to requests for exercising the rights of data subjects: 

  1. right to access;
  2. right to rectification or erasure; 
  3. right to object;
  4. right to restriction of processing; and
  5. right to data portability.

MANTRA shall forward to the Client without delay any such request from an Employee.

4.9 The Client reserves the right to conduct, at its own expenses, a data protection impact assessment on one of the Processing activities. In that event, MANTRA shall assist the Client, to the extent of its capacity.

4.10 MANTRA shall notify the Client of any personal data breach not later than 48 hours after its identification. Said notification shall be sent along with any documentation necessary to enable the Client, where required, to notify the breach to the competent supervisory authority.

MANTRA shall notify the Client of any request for transmission of or access to Personal Data from a judicial or administrative authority as soon as possible before responding, unless prohibited by law or regulation.

4.11 MANTRA undertakes to implement all organizational and technical measures to ensure the physical and logical security of the Data. The logical and technical measures currently implemented are listed in an Appendix available on request and shall apply to all Processing.

4.12 Upon termination of the Contract, MANTRA shall delete, or return within thirty (30) days upon the Client’s request, the Personal Data of Employees processed for the performance of the Contract that are still hosted on its servers.

Upon Client’s request, MANTRA shall provide a record of the destruction of the Data.

4.13 MANTRA maintains a written record of all categories of processing activities performed on behalf of the Client. MANTRA shall make available to the Client the documentation necessary to demonstrate compliance with all of its obligations.

The Client may carry out, at its own expense, any verification that it deems useful to establish that MANTRA is complying with its obligations hereunder, in particular by means of audits or inspections. These verifications may be carried out by the Client itself or by a third party once a year, under the conditions that: (a) MANTRA is notified of the audit date no less than fifteen (15) days before the expected date and (b) the third party selected to conduct the audit is not one of MANTRA’s competitors.

MANTRA will provide the Client or the third party with the information required to provide proof of compliance with the obligations set out in this Contract, and undertakes to contribute to the verifications.

Where the audit has required the immobilization of one or more resources on the part of MANTRA for a period exceeding forty (48) hours, MANTRA reserves the right to invoice the Client for the cost of the immobilized resources.

If the audit concludes that MANTRA has failed to comply with the regulations, MANTRA undertakes to bring its technical, organizational and/or methodological resources into line with the regulations within two (2) months.

  5. Term and termination

This Data Processing Agreement is agreed upon for the duration of the contractual relationships between the Parties as referred to in the service agreement executed between the Parties or in the General Terms submitted to the Client.

In the event of a breach by one of the Parties, which is not remedied within thirty (30) days following formal notice sent to this effect by registered letter with acknowledgement of receipt, the other Party may terminate this Agreement, without legal formalities and without prejudice to any claim for damages.

  6. D.P.O. contact information

The DPO may be contacted:

  7. Miscellaneous

Should one article herein be null and void, it shall not affect the validity of the other sections of this Agreement. In the event of such a qualification, the Parties shall negotiate in good faith to modify this Agreement so as to give effect to the original intent of the Parties as closely as possible in an acceptable manner.

Any agreement derogating from or complementary to this Agreement shall be in writing.

Headings of the articles in this Agreement are for convenience only and do not in any way affect the meaning of the provisions to which they refer.

No act of tolerance by any of the Parties, even if repeated, shall constitute a waiver by them of any of the provisions of this Agreement.

The Parties agree that this Agreement shall be governed by French law and Data Protection Laws, excluding the body of laws known as conflict of laws, as construed by the courts in that jurisdiction.

In the event of a dispute, if no amicable settlement can be reached within thirty (30) days of a notification sent by a Party to the other Party by registered letter with acknowledgement of receipt, any dispute as to the interpretation, performance or termination of this Agreement shall be subject to the exclusive jurisdiction referred to in the service agreement agreed upon by the Parties or in the General Terms submitted to the Client.