Data Processing Agreement

1. Definitions

• Personal Data means any information relating to an identified or identifiable natural person that is processed by WhiteBook on your behalf under the Services.
• Processing means any operation performed on Personal Data (e.g. collection, storage, transmission, deletion).
• Controller means the entity that determines the purposes and means of processing (you, when using the Services for your own ends).
• Processor means the entity that processes Personal Data on behalf of the Controller (WhiteBook).
• Sub-processor means any third party engaged by WhiteBook to process Personal Data on your behalf.

2. Roles and Scope

You act as Controller of the Personal Data you make available to the Services. WhiteBook acts as Processor and will process Personal Data only on your documented instructions, unless required to do otherwise by applicable law. WhiteBook will inform you of any such legal requirement before processing, unless the law prohibits such information.

3. Processing Details

WhiteBook will process Personal Data only as necessary to provide the Services and as described in our Privacy Policy and your agreement with us. The nature and purpose of processing, the types of Personal Data, and the categories of data subjects are determined by your use of the Services (e.g. account and profile data, content you create or upload, usage data). Processing will be carried out for the duration of your use of the Services and in accordance with your instructions and applicable law.

4. Security

WhiteBook will implement appropriate technical and organizational measures to protect Personal Data against unauthorized access, alteration, disclosure, or destruction, and to ensure a level of security appropriate to the risk. Such measures will take into account the state of the art, implementation costs, and the nature of the data. WhiteBook will not reduce the overall security of the processing during the term of the DPA without prior notice to you.

5. Sub-processors

You authorize WhiteBook to engage Sub-processors to assist in providing the Services. WhiteBook will ensure that each Sub-processor is bound by contractual obligations that are substantially equivalent to those in this DPA. WhiteBook remains liable to you for the performance of Sub-processors. We will inform you of any intended changes concerning the addition or replacement of Sub-processors, giving you the opportunity to object on reasonable grounds relating to data protection.

6. International Transfers

Personal Data may be processed in the European Economic Area (EEA). WhiteBook is based in Paris, France. If we transfer Personal Data outside the EEA, we will ensure that appropriate safeguards are in place (e.g. adequacy decision, Standard Contractual Clauses, or other mechanisms approved under applicable law) so that the transfer complies with applicable data protection law.

7. Assistance and Data Subject Rights

WhiteBook will assist you in meeting your obligations under applicable data protection law, including in relation to security, data protection impact assessments, and consultations with supervisory authorities. WhiteBook will also assist you in responding to requests from data subjects to exercise their rights (e.g. access, rectification, erasure, restriction, portability, objection). If we receive a request directly from a data subject, we will forward it to you without responding to the data subject, unless we are legally required to respond.

8. Personal Data Breaches

WhiteBook will notify you without undue delay after becoming aware of a personal data breach affecting your Personal Data. The notification will include, to the extent then known, the nature of the breach, the categories and approximate number of data subjects and records concerned, likely consequences, and measures taken or proposed to address the breach. WhiteBook will cooperate with you and take reasonable steps to assist in the investigation, mitigation, and remediation of the breach.

9. Deletion and Return of Personal Data

Upon termination of the Services or at your request, WhiteBook will delete or return all Personal Data to you in a structured, commonly used format, and will delete existing copies unless applicable law requires retention. You may request deletion or return by contacting us at legal@whitebook.app.

10. Audits

WhiteBook will make available to you the information necessary to demonstrate compliance with this DPA. You may conduct audits (including inspections) to verify that WhiteBook is processing Personal Data in accordance with this DPA and applicable law. Audits will be carried out at your expense, at reasonable times, and subject to reasonable advance notice and confidentiality obligations. WhiteBook may satisfy audit obligations by providing relevant certifications, reports, or summaries where they give sufficient assurance of compliance.

11. Term and Governing Law

This DPA remains in effect for as long as WhiteBook processes Personal Data on your behalf. The laws of France will govern this DPA. Any disputes will be subject to the exclusive jurisdiction of the courts of Paris, France.

12. Contact

For questions about this DPA or our processing of Personal Data, contact us at legal@whitebook.app. WhiteBook is based in Paris, France.