ADDENDUM SUR LA PROTECTION DES DONNÉES

Customer and G-P are Parties to a Master Agreement or into an agreement with similar nature and purpose (hereinafter “Master Agreement”). This DPA supplements the terms and conditions in the Master Agreement and is incorporated therein. In the event of a conflict between this DPA, and any other agreement between the Parties on the issues set forth herein, this DPA shall prevail. If Customer already has an executed data protection addendum in effect with G-P, then that agreement shall prevail over this DPA, and this DPA shall have no force or effect, unless otherwise agreed in writing by Customer and G-P.

1. DEFINITIONS

Les termes non définis dans le présent document ont la signification qui leur est donnée dans l'accord-cadre. Dans le présent DPA, les termes suivants ont la signification suivante :

1.1 “ Authorized User ” means an individual permitted by Customer who may include either or a Customer’s employee and/or contractor, to access and use the GPP on behalf of the Customer, pursuant the execution of the Master Agreement.

1.2 “ Customer Data ” means any Personal Data related to any Authorized User or identifiable natural person that is transferred, processed, or stored by G-P on behalf of Customer in connection with the Services for the use of the GPP by the Customer.

1.3 “ Data Protection Laws ” means any data protection and privacy laws to which a party to this Agreement is subject and which are applicable to the Services provided, including where applicable, but not limited to, GDPR, UK GDPR, Swiss Data Protection Laws, US Privacy Laws (including state and federal laws), and Brazil LGPD.

1.4 “ portage salarial (EOR) ” means Employer of Record.

1.5 “ Règlement général sur la protection des données ” means the General Data Protection Regulation (EU) 2016/679.

1.6 “ GPP ” means G-P’s proprietary software , including without limitation, the software, the mobile version, any software contained therein, and any data made available through the use of either G-P’s proprietary software or the third party services, including their updates, upgrades, platform as a service and, documentation.

1.7 “ EEA ” means the European Economic Area.

1.8 “ LGPD "La loi brésilienne n° 13.709, la loi générale sur la protection des données à caractère personnel, telle qu'elle peut être modifiée, annulée ou remplacée.

1.9 “ Politique de confidentialité ” means G-P´s privacy policy, as updated from time to time, available at https://www.globalization-partners.com/privacy-policy/

1.10 “ Professionals´ Data ” means Professionals´ Personal Data processed by G-P in the course of the provision of EOR services to Customer.

1.11 " Restricted Transfer" means any transfer of Personal Data to a country outside the EEA, the United Kingdom, Switzerland or Brazil that is not subject to an adequacy decision under the applicable Data protection Laws, and therefore requires appropriate safeguards under applicable data protection laws.

1.12 “ Services” mean the services to be provided by G-P to the Customer under the Master Agreement which may include the provision of EOR services and the access and use of GPP.

1.13 " Standard Contractual Clauses" ou "SCCs" mean (i) where the GDPR applies, the standard contractual clauses annexed to the European Commission's Implementing Decision (EU) 2021/914 of 4 June 2021 standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, available at https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32021D0914&from=EN ("EU SCCs"); (ii) where the UK GDPR applies, the applicable standard data protection clauses adopted pursuant to Article 46(2)(c), or (d) where the UK GDPR means the International Data Transfer Addendum (“UK Addendum”) to the EU Standard Contractual Clauses issued by the Information Commissioner's Office under s.119A(1) of the Data Protection Act 2018, as such UK Addendum may be revised under Section 18 therein ("UK SCCs"); (iii) where the Swiss Data Protection Laws apply, the applicable standard data protection clauses issued, approved or recognized by the Swiss Federal Data Protection Authority and Information Commissioner´s Office (the "Swiss SCCs); where the Brazilian LGPD applies, the applicable sstandard contractual clauses, attached to Resolution CD/ANPD No. 19/2024 promulgated by the Brazilian National Data Protection Authority (“ANPD”), as they may be amended from time to time (“Brazil SCCs”).

1.14 “ Swiss Data Protection Laws ” or “FADP” means (i) Swiss Federal Data Protection Act (“ FDPA ”); (ii) The Ordinance on the Federal Act on Data Protection (“ FODP “); and (iii) any national data protection laws made under, pursuant to, replacing or succeeding and any legislation replacing or updating any of the foregoing.

1.15 “ UK Addendum ” means the United Kingdom international data transfer addendum to the EU Standard Contractual Clauses issued by the UK Information Commissioner.

1.16 “ UK Data Protection Laws” mean the GDPR as saved into United Kingdom law by virtue of section 3 of the United Kingdom's European Union (Withdrawal) Act 2019 ("UK GDPR") and the Data Protection Act 2018 (together, "UK Data Protection Laws").

1.17 “ US Privacy Laws ” means applicable United States (US) state laws, orders, regulations and regulatory guidance relating to the Processing of Personal Data including without limitation: (a) the CCPA; (b) Virginia’s Consumer Data Protection Act; (c) the Colorado Privacy Act; (d) Connecticut’s Act Concerning Data Privacy and Online Monitoring; (e) the Utah Consumer Privacy Act; and (f) all similar state laws.

1.18 " Controller" "Data Subject", "Personal Data", “Personal Information” “Data Breach”, "Processor", "Process/Processing", “Restricted Transfer”, “Service Provider” et/ou tout autre terme ou concept similaire ont la signification définie dans les lois sur la protection des données.

2. INDEPENDENT CONTROLLER - CONTROLLER RELATIONSHIP

2.1 Rôles des parties. When G-P provides the Customer with EOR services, G-P assumes the role of the legal employer for any individuals selected by the Customer (“Professional(s)”) to be hired. With regard to such Professionals‘ Personal Data, G-P is an independent Controller during the course of the employment relationship. Regarding Professional´s Personal Data collected and used by the Customer for its own purposes, Customer is also an independent Controller with independent privacy obligations. When delivering the EOR services, the exchange of Professionals’ Personal Data between G-P and the Customer is under an independent Controller-to-Controller relationship and the provisions of this section 2 (“Independent Controller-Controller Relationship”), shall apply. In no event will the Parties Process Personal Data under this DPA as joint Controllers.

2.2 Responsabilités et remerciements . The Parties in their capacity as Controllers shall:

2.2.1 Comply with the applicable Data Protection Laws in relation to the Processing of Professionals´ Personal Data.

2.2.2 Process and share the Professionals´ Personal Data fairly and lawfully for the purpose of (as the case may be) performing or receiving the EOR Services for its own legitimate interests.

2.2.3 Ensure a lawful Processing ground applies to any sharing of Professional´s Personal Data between the Parties.

2.2.4 Assist each other in complying with their respective obligations under Data Protection Laws, including, but not limited to, assisting each other if a Data Breach occurs, responding to Data Subjects and/or regulators’ requests.

3. CONTROLLER – PROCESSOR RELATIONSHIP

3.1 Roles of the Parties . G-P also offers various software as a service products via GPPthrough which G-P enables Customer to manage the relationship with those Professionals. When G-P provides Customer with access to GPP, G-P is the Processor for the account related Personal Data uploaded to the GPP by the Customer´s appointed Authorized Users of GPP and the Customer is the Controller of such data and, the provisions of this section 3 (“Controller-Processor Relationship”), shall apply.

3.2 Instructions. G-P will process Customer Data in accordance with Customer’s documented instructions. Customer agrees that this DPA, the Master Agreement, and Annex I attached hereunder, comprise Customer’s complete instructions to G-P regarding the Processing of Customer Data. Any additional or alternate instructions must be agreed between the Parties in writing, including the costs (if any) associated with complying with such instructions. Customer will ensure that its instructions comply with applicable Data Protection Laws. Customer acknowledges that G-P is not responsible for determining which laws are applicable to Customer’s business. Customer will ensure that G-P’s Processing of Customer Data, when done in accordance with Customer’s instructions, will not cause G-P to violate any applicable law, including applicable Data Protection Laws. However, if G-P is of the opinion that a Customer instruction infringes applicable Data Protection Laws, G-P shall notify Customer as soon as reasonably practicable and shall not be required to comply with such infringing instruction.

3.3 Détails du traitement . Les détails de l'objet du traitement, sa durée, sa nature et sa finalité, ainsi que le type de données du client et les personnes concernées sont précisés à l'annexe I ci-jointe.

3.4 Conformité. Customer and G-P agree to comply with their respective obligations under Data Protection Laws applicable to the Customer Data that is Processed as specified in Annex I. Customer has sole responsibility for complying with Data Protection Laws regarding the lawfulness of the Processing of Customer Data prior to disclosing, transferring, or otherwise making available, any Customer Data to G-P. For the avoidance of doubt, in all cases, Customer shall obtain, where required, any consents from the Data Subjects for G-P to Process Customer Data as directed by Customer.

3.5 Sous-processeurs . Customer authorizes G-P to appoint and use Processors (“Subprocessors”) to Process the Customer Data in connection with the Services. Subprocessors may include third parties or any member of the G-P group of companies. G-P may continue to use those Subprocessors already engaged by G-P as of the date of this DPA, and a list of such Subprocessors is available in Annex III attached hereunder. Where a Subprocessor fails to fulfil its data protection obligations as specified above, G-P shall be liable to the Customer for the performance of the Subprocessor’s obligations. G-P shall notify Customer of any changes to its list of Subprocessors through GPP. If, within 10 (ten) days of the receipt of that notice, Customer legitimately objects to the addition or removal of a Subprocessor on data protection grounds and G-P cannot reasonably accommodate Customer’s objection, the Parties will discuss Customer’s concerns in good faith with a view to resolving the matter.

3.6 Mesures de sécurité techniques et organisationnelles . Taking into account industry standards, the costs of implementation, the nature, scope, context and purposes of the Processing, and any other relevant circumstances relating to the Processing of the Customer Data, G-P shall implement appropriate technical and organizational security measures to ensure security, confidentiality, integrity, availability and resilience of processing systems and services involved in the Processing of the Customer Data are commensurate with the risk in respect of such Customer Data, as detailed in Annex II attached hereto. G-P will periodically (i) test and monitor the effectiveness of its safeguards, controls, systems and procedures and (ii) identify reasonably foreseeable internal and external risks to the security, confidentiality and integrity of the Customer Data, and ensure these risks are addressed.

3.7 Confidentialité . G-P s'assure que les personnes autorisées à accéder aux données du client (i) se sont engagées à respecter la confidentialité ou sont soumises à une obligation légale appropriée de confidentialité et (ii) n'accèdent aux données du client que sur instructions documentées de G-P, à moins que la loi applicable ne l'exige.

3.8 Violation de données personnelles. G-P will notify the Customer without undue delay after becoming aware of a Data Breach in relation to the Processing of Customer Data and will use reasonable efforts to assist the Customer in mitigating, where possible, the adverse effects of any Data Breach .

3.9 Suppression des données personnelles. En cas de cessation de la licence des services (quelle qu'en soit la raison), G-P renverra ou supprimera, dès que possible, les données du client stockées dans le GPP, à moins que la législation applicable n'exige que les données du client soient conservées pendant une période plus longue. Dans ce cas, les dispositions du présent DPA continueront à s'appliquer à ces données du client.

3.10 Demandes des personnes concernées . G-P shall promptly inform Customer of any Data Subjects’ requests regarding Customer Data. Customer is responsible for responding to such requests. G-P will reasonably assist Customer to respond to such Data Subject requests to the extent that Customer is unable to access the relevant Customer Data in its use of the GPP.

3.11 Demandes de tiers . Si G-P reçoit des demandes de tiers ou une ordonnance d'une cour, d'un tribunal, d'un régulateur ou d'une agence gouvernementale compétente à laquelle G-P est soumise concernant le traitement des données du client en vertu de l'accord, G-P redirigera rapidement la demande vers le client. G-P ne répondra pas à ces demandes sans l'autorisation préalable du client, à moins d'y être légalement contraint. Sauf interdiction légale, G-P informera le client à l'avance de toute divulgation des données du client et coopérera raisonnablement avec le client pour limiter la portée de cette divulgation à ce qui est légalement requis.

3.12 Évaluation de l'impact de la protection des données et consultation préalable . Dans la mesure où les lois sur la protection des données l'exigent, G-P fournira une assistance raisonnable au client pour réaliser une évaluation de l'impact sur la protection des données en relation avec le traitement des données du client effectué par G-P et/ou toute consultation préalable requise avec les autorités de contrôle. G-P se réserve le droit de facturer au client des frais raisonnables pour la fourniture de cette assistance.

3.13 Audit. Customer may audit G-P compliance with this DPA and Data Protection Laws by requesting a certificate issued for security verification reflecting the outcome of an audit conducted by a third party auditor (e.g., ISO27001 certification, SOC2 certificate), within twelve (12) months as of the date of Customer’s request. Alternatively, in the event the documentation provided subject to this Section 3.13 is not sufficient for the purpose of demonstrating compliance, the Customer may conduct its own audit in addition to the provided third party certifications or reports, provided that such audit shall be conducted: i) no more than once per each 12 (twelve) months period; ii) during normal business hours and without disrupting G-P’s day-to-day business; iii) with thirty (30) days prior written notice; iv) at the Customer’s sole expense; v) based upon mutually agreed parameters and scope, limited to the specific scope of services, systems in use and/or Processing activities contemplated hereunder; vi) based upon mutually agreed in advance date, subject to reasonable postponement by Customer upon G-P’s reasonable request; and vii) in accordance with all confidentiality obligations and restrictions. Notwithstanding the forgoing, no audit right is granted after termination of the Master Agreement, except for legal obligations that will have to be demonstrated by the Customer. Any third-party representative selected to perform an audit on behalf of Customer must not have an ownership interest in or affiliation with an EOR services company, agency, a related organization or consultant. Nothing in this DPA will require G-P to either disclose to Customer or its third-party auditor, or to allow Customer or its third-party auditor to access: (i) any data of any other G-P’s customer; (ii) G-P’ internal accounting or financial information; (iii) any trade secret of G-P or its affiliates; (iv) any information that, in G-P’ reasonable opinion, could compromise the security of any G-P’s systems or cause any breach of its obligations under applicable law or its security or privacy obligations to any third party; or (v) any information that Customer or its third-party auditor seeks to access for any reason other than the good faith fulfillment of Customer’s obligations under the Data Protection Laws.

3.14 Lois américaines sur la protection de la vie privée. Under this section 3, the Parties agree that G-P is a “Service Provider” or “Processor” as such terms are defined under applicable US Privacy Laws. Accordingly, to the extent US Privacy Laws apply to the Processing of Customer Data by G-P, G-P shall not (a) retain, use, or disclose any Customer Data outside the direct business relationship between G-P and Customer, or for any purpose other than for the purpose set out in Annex I attached hereto, and G-P shall only Process Customer Data only as long as it provides services to the Customer; (b) sell any Customer Data; (c) share any Customer Data; or (d) combine the Customer Data that G-P receives from, or on behalf of, Customer with “personal data” (as such term or equivalent is defined under applicable Data Protection Laws) that it receives from, or on behalf of, another person, or collects from its own interaction with a consumer, provided that G-P may combine Customer Data if it is within the scope of providing the services to Customer. Where applicable, each Party shall notify the other party if it makes a determination that it can no longer meet its obligations under US Privacy Laws.

4. INTERNATIONAL DATA TRANSFERS

4.1 Une protection appropriée . G-P is authorized, in the normal course of business, to make worldwide transfers of Customer Data to its affiliates and/or Subprocessors. When making such transfers to a territory that has not been recognized by the relevant data protection authorities as providing an adequate level of protection for Personal Data according to Data Protection Laws, G-P shall ensure appropriate protection is in place to safeguard the Customer Data transferred under or in connection with the Master Agreement.

4.2 Data Privacy Framework. Professionals and Customer Data are stored in GPP which is hosted in U.S. G-P is certified under the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and, as applicable, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF). G-P´s certification can be confirmed publicly on the DPF website https://www.dataprivacyframework.gov/list . The EU-U.S. Data Privacy Framework was considered adequate by the European Commission, being a lawful data transfer mechanism pursuant to Article 45 of the GDPR, the UK GDPR, and the FADP, respectively. If the DPF Framework(s) are invalidated, suspended, or otherwise no longer recognized as providing adequate protection for international data transfers, the Processor agrees to enter into and comply with the SCCs issued or approved by the European Commission, the UK Information Commissioner’s Office (ICO), or the Swiss Federal Data Protection and Information Commissioner (FDPIC), as applicable. The Parties shall cooperate in good faith to implement any supplementary measures required to ensure an essentially equivalent level of protection for the transferred data.

4.3 Clauses contractuelles types. The Parties agree that when the transfer of personal data from Customer (as "data exporter") to G-P (as "data importer") is a Restricted Transfer and applicable Data Protection Laws require that appropriate safeguards are put in place, such transfer shall be subject to the appropriate Standard Contractual Clauses, which shall be deemed incorporated into and form part of this DPA, as follows:

a. In relation to transfers of Personal Data that is protected by the GDPR, the EU SCCs shall apply, completed as follows:

i. Modules One and Two shall apply;

ii. in Clause 7, the optional docking clause will apply;

iii. in Clause 9 of Module Two, Option 2 will apply, and the time period for prior notice of Sub-processor changes shall be as set out in section 3.5 of this DPA;

iv. in Clause 11, the optional language will not apply;

v. in Clause 12, any claims brought under the EU SCCs shall be subject to the terms and conditions set forth in the Master Agreement;

vi. in Clause 17, Option 1 will apply, and the EU SCCs will be governed by Irish law;

vii. in Clause 18(b), disputes shall be resolved before the courts of Ireland;

viii. Annex I of the EU SCCs shall be deemed completed with the information set out in Annex 1 to this DPA; and

ix. Annex II of the EU SCCs shall be deemed completed with the information set out in Annex 2 to this DPA;

x. Annex III of Module Two of the EU SCCs shall be deemed completed with the information set out in Annex 3 to this DPA.

b. In relation to transfers of personal data protected by the UK Data protection Laws or the Swiss Data Protection Laws , the EU SCCs as implemented under sub-paragraphs (a) above will apply with the following modifications:

i. references to "Regulation (EU) 2016/679" shall be interpreted as references to UK Data Protection Laws or the Swiss Data Protection Laws (as applicable);

ii. references to specific Articles of "Regulation (EU) 2016/679" shall be replaced with the equivalent article or section of the UK Data Protection Laws or the Swiss Data Protection Laws (as applicable);

iii. references to "EU", "Union", "Member State" and "Member State law" shall be replaced with references to "UK" or "Switzerland", or "UK law" or "Swiss law" (as applicable);

iv. the term "member state" shall not be interpreted in such a way as to exclude data subjects in the UK or Switzerland from the possibility of suing for their rights in their place of habitual residence (i.e., the UK or Switzerland);

v. Clause 13(a) and Part C of Annex I are not used and the "competent supervisory authority" is the UK Information Commissioner or Swiss Federal Data Protection Information Commissioner (as applicable);

vi. references to the "competent supervisory authority" and "competent courts" shall be replaced with references to the "Information Commissioner" and the "courts of England and Wales" or the "Swiss Federal Data Protection Information Commissioner" and "applicable courts of Switzerland" (as applicable);

vii. in Clause 17, the Standard Contractual Clauses shall be governed by the laws of England and Wales or Switzerland (as applicable); and

viii. with respect to transfers to which UK Data Protection Laws apply, Clause 18 shall be amended to state "Any dispute arising from these Clauses shall be resolved by the courts of England and Wales. A data subject may bring legal proceeding against the data exporter and/or data importer before the courts of any country in the UK. The Parties agree to submit themselves to the jurisdiction of such courts", and with respect to transfers to which the Swiss Data Protection Laws apply, Clause 18(b) shall state that disputes shall be resolved before the applicable courts of Switzerland.

ix. In relation to data that is protected by the UK GDPR, the EU SCCs will apply as follows: (i) apply as completed in accordance with the paragraphs (i) to (viii) above; and (ii) be deemed amended as specified by Part 2 of the UK Addendum, which shall be deemed incorporated into and form an integral part of this DPA. In addition, tables 1 to 3 in Part 1 of the UK Addendum shall be completed respectively with the information set out in Annex I and Annex II of this DPA and table 4 in Part 1 of the UK Addendum shall be deemed completed by selecting "neither party".

c. In relation to transfers of personal data protected by the Brazil LGPD, either directly or via onward transfer, to a country outside of Brazil that is not subject to an adequacy decision issued by the ANPD, the Brazil SCCs will be deemed entered into, and incorporated into this DPA by this reference, and completed as follows:

i. Clause 2 of the Brazil SCCs is satisfied by the information set forth in Annex I, which describes the data transfer;

ii. In Clause 3 of the Brazil SCCs, Option B shall apply, with onward transfers permitted in accordance with Section 3.5 (“Subprocessors”) of this DPA. The subject matter, nature, and duration of processing are set forth at Annex I of this DPA;

iii. Clause 4 of the Brazil SCCs is satisfied by the information set forth in Annex I of this DPA. Where G-P is a Controller, it will be the “Designated Party”, as defined in the Brazil SCCs, and for the purposes of Clause 14 (Transparency), Clause 15 (Data Subject Rights), and Clause 16 (Incident Reporting) of the Brazil SCCs. Customer remains responsible for compliance with Clause 14 (Transparency), Clause 15 (Data Subject Rights), and Clause 16 Incident Reporting) of the Brazil SCCs for any personal data of which it may otherwise be Controller;

iv. In Clause 9 of the Brazil SCCs, the optional docking clause will not apply; and

v. Section III (Security Measures) of the Brazil SCCs will be deemed completed with the information set forth in Annex II of this DPA.

4.4 Unforeseen Data Transfers . If, in the course of providing the Services, either Party identifies that a transfer of Personal Data occurs or is likely to occur that is not already addressed by the mechanisms set forth in Sections 4.1 through 4.3 of this DPA, the Parties shall promptly notify each other and shall cooperate in good faith to implement, without undue delay, such additional transfer mechanisms or supplementary measures as may be required under applicable Data Protection Laws to ensure the lawfulness of such transfer. Neither Party shall be required to proceed with any such unforeseen transfer until the appropriate mechanism has been agreed and put in place.

Annexe I

Description du traitement des données

INDEPENDENT CONTROLLER - CONTROLLER RELATIONSHIP DETAILS (This section regards to the details of Personal Data that is being shared between the Parties in their capacities as Controllers)
Les partis	Exportateur de données : entité du client qui exécute le contrat-cadre Data Importer: Globalization Partners LLC.
Coordonnées des parties	Coordonnées telles que définies dans l'accord-cadre.
Activités liées aux données transférées	Activities related to the EOR Services.
Roles	Data Exporter: Controller. Data Importer: Controller.
Activités de traitement	The Personal Data processed / transferred may be subject to the following Processing activities: any operation with regard to Personal Data irrespective of the means applied and procedures, in particular the collecting, organizing, storage, holding, use, retrieval, consultation, archiving, transmission, blocking, erasing, or destruction of data, the operation and maintenance of systems, compliance, legal and audit functions.
Durée du traitement	The term of the Master Agreement and on a continuous basis.
Nature et finalité du traitement	Customer may transfer Customer Data to G-P, the extent of which is determined and controlled by the Customer in its sole discretion. The Purpose of the Processing is to provide the EOR Services in accordance with the Master Agreement.
Categories of Data Subjects	Professionals.
Types of Personal Data	Contact details (which may include name, address, email address, telephone, fax, emergency contact details, and associated local time zone information). Employment details (which may include education, CV, job title, grade, demographic, location data, nationality and export compliance status, salary, bonus). Data subjects' email content. Details of services provided to or for the benefit of data subjects.
Catégories particulières de données (le cas échéant)	N/A
Rétention	Les données à caractère personnel seront conservées au moins aussi longtemps que toute période de conservation minimale imposée par la loi, en conformité avec les lois de prescription applicables et dans le respect des bonnes pratiques commerciales.
Autorité de surveillance compétente	The competent supervisory authority shall be determined in accordance with applicable Data Protection Laws and shall include: the Irish Data Protection Commission (for EU GDPR); the Swiss Federal Data Protection and Information Commissioner / FDPIC (for Swiss FADP); the UK Information Commissioner's Office / ICO (for UK GDPR); and the Autoridade Nacional de Proteção de Dados / ANPD (for Brazil LGPD).
Transferts aux sous-traitants	Pour les transferts aux sous-traitants, l'objet, la nature et la durée du traitement sont les mêmes que ceux définis ci-dessus.
Coordonnées de G-P Privacy	privacy@G-P.com A l'attention du Bureau mondial de la protection de la vie privée.

CONTROLLER - PROCESSOR RELATIONSHIP DETAILS (This section regards to the details of Personal Data that is being processed by G-P on behalf of the Customer)
Les partis	Exportateur de données : entité du client qui exécute le contrat-cadre Data Importer: Globalization Partners LLC.
Coordonnées des parties	Coordonnées telles que définies dans l'accord-cadre.
Activités liées aux données transférées	Activités liées aux services de portage salarial (EOR) et à l'utilisation des GPP fournis au client en tant que service.
Roles	Data Exporter: Controller Data Importer: Processor
Activités de traitement	Les données à caractère personnel traitées/transférées peuvent faire l'objet des activités de traitement suivantes : toute opération concernant les données à caractère personnel, quels que soient les moyens utilisés et les procédures, en particulier la collecte, l'organisation, le stockage, la conservation, l'utilisation, l'extraction, la consultation, l'archivage, la transmission, le blocage, l'effacement ou la destruction des données, l'exploitation et la maintenance des systèmes, les fonctions de conformité, juridiques et d'audit.
Durée du traitement	The term of the Master Agreement and on a continuous basis.
Nature et finalité du traitement	Customer may transfer Customer Data to G-P, the extent of which is determined and controlled by the Customer in its sole discretion. The Purpose of the processing is to provide GPP as a Service to the Customer in accordance with the Master Agreement.
Categories of Data Subjects	Authorized Users of the GPP who may include Customer’s employees and/or contractors.
Types of Personal Data	Coordonnées (telles que le numéro de téléphone et l'adresse électronique). Données relatives aux employés et aux contractants (telles que l'intitulé du poste et le nom de l'entreprise). Données d'utilisation (telles que les données relatives à l'appareil de l'utilisateur autorisé et à la manière dont cet appareil interagit avec les marchés publics mondiaux). Données de localisation (telles que la localisation dérivée de l'adresse IP). Données de contenu (telles que le contenu des fichiers du Client concernant les Professionnels et les communications y afférentes). les informations d'identification (telles que les mots de passe, les indices de mots de passe et les informations de sécurité similaires utilisées pour l'authentification et l'accès au compte des marchés publics mondiaux). Any Personal Data supplied by Authorized Users.
Catégories particulières de données (le cas échéant)	N/A
Rétention	Les données à caractère personnel seront conservées au moins aussi longtemps que toute période de conservation minimale imposée par la loi, en conformité avec les lois de prescription applicables et dans le respect des bonnes pratiques commerciales.
Autorité de surveillance compétente	The competent supervisory authority shall be determined in accordance with applicable Data Protection Laws and shall include: the Irish Data Protection Commission (for EU GDPR); the Swiss Federal Data Protection and Information Commissioner / FDPIC (for Swiss FADP); the UK Information Commissioner's Office / ICO (for UK GDPR); and the Autoridade Nacional de Proteção de Dados / ANPD (for Brazil LGPD).
Transferts aux sous-traitants	Pour les transferts aux sous-traitants, l'objet, la nature et la durée du traitement sont les mêmes que ceux définis ci-dessus.
Coordonnées de G-P Privacy	privacy@G-P.com A l'attention du Bureau mondial de la protection de la vie privée.

Annexe II

Mesures techniques et organisationnelles

G-P has been certified and attested to confirm compliance with SOC 2 and ISO 27001 standards, by independent auditors. Such certifications demonstrate our commitment to securing Customer Data. G-P’s security program is designed to:

Protect the confidentiality, integrity, and availability of Customer Data in G-P’s possession or to which G-P has access;

Protéger la confidentialité, l'intégrité et la disponibilité des données des clients contre toute menace ou tout risque anticipé ;

Protéger contre l'accès, l'utilisation, la divulgation, l'altération ou la destruction non autorisés ou illégaux des données relatives aux clients ;

Protéger contre la perte ou la destruction accidentelle des données du client ou contre les dommages qui leur sont causés ; et

Sauvegarder les informations conformément à toute réglementation dont G-P pourrait faire l'objet.

Ce qui suit décrit les fonctions, processus, contrôles, systèmes, procédures et mesures que G-P a pris pour garantir la sécurité du traitement des données des clients :

1) TECHNICAL MEASURES TO ENSURE DATA PRIVACY AND PROTECTION

Privacy by Design and Default:

G-P takes the requirements of Article 25 GDPR into account in the conception and development phase of product development. Processes and functionalities are set up in such a way that the data protection principles such as legality, transparency, purpose limitation, data minimization, etc. as well as the security of processing are considered at an early stage.

b) Encryption of Personal Data:

Ensuring that personal data are only stored in the system in a way that does not allow third parties to identify the data subject.

Database and storage encryption:

On all databases used by G-P an encryption "at rest" according to the state of the art is used so that the data from the database can only be read after proper authentication on the respective database system.

Encryption of mobile data media:

The use of mobile data carriers for storing customer data is not permitted.

Encryption of data carriers on laptops:

Appropriate state-of-the-art hard disk encryption is installed on all employees' laptops.

Encrypted exchange of information and files:

In principle, the exchange of information and files is directly encrypted via a special application. If personal data or confidential information must be transferred to servers which cannot be sent via TLS-encrypted HTTPS uploads, these will be transferred using Secure File Transfer Protocol (SFTP), encrypted envelope service or another encrypted mechanism according to the state of the Art.

E-Mail Encryption:

In principle, all e-mails sent by employees of G-P are encrypted with TLS. Exceptions may be if the receiving mail server does not support TLS. The Customer shall ensure that the corresponding mail servers used within the scope of the order support TLS encryption

c) Admission Control

Admission controls are intended and put in place in order to prevent the use and processing of data which is protected by data protection laws by unauthorized persons.

Use of authentication methods

Access to personal data is always via encrypted protocols: SSH, SSL/ TLS, HTTPS or comparable protocols. Authentication procedure for IT system: Multifactor authentication log-in to IT system.

Automatic blocking in case of inactivity

Laptops used by G-P employees locked with password or PIN protection when not in use by the user. In addition, an automatic screen lock with password protection is set up after 15 minutes of inactivity.

Use of anti-virus software

Laptops used by G-P employees are equipped with state-of-the-art anti-virus software that is kept up to date on all operational or business IT systems. As a matter of principle, no computers may be operated without resident virus protection unless other equivalent state-of-the-art security measures have been taken or there is no risk. Default security settings must not be deactivated or circumvented.

"Clean Desk Policy"

Employees of G-P are instructed not print out or locally store personal data of data subjects, not to leave work materials in a location where they may be viewed by third parties, and to store all work materials properly. Documents which G-P is required by law to hold in hard copy are stored in locked cabinets.

d) Access Controls Within the Platform

Access controls ensure that persons authorized to use a processing system have access only to the personal data covered by their access authorization.

Rôles et autorisations

Roles and Authorization Platform – Customer Access Customer users can view and edit customer account information.

Roles and Authorization Platform – Professional Access Professional users can view and edit their own professional information.

Professionals can also gain Customer access role upon requirement + approval

Roles and Authorization Platform – Internal Access

Internal access users have varied roles. They have varied access to create, view, edit, and approve the following:

Informations sur les clients

Informations sur la facturation

Informations sur les partenaires

Informations sur les dossiers du personnel professionnel

L'accès au système d'administration est généralement limité aux employés formés dans les domaines de l'assistance à la clientèle et du développement de produits.

e) Firewall as a Service

G-P uses use an external firewall as a service that allows it to grant or block access to websites to make sure systems can’t access malicious content and to restrict access to inappropriate content.

f) Record of Log-In to the Platform

G-P maintains a record of all login activity.

g) Separability

Ensuring that personal data collected for different purposes can be processed separately and are separated from other data and systems in such a way that unplanned use of these data for other purposes is excluded.

Separation of development, test and operating environments

Data from the operating environment may only be transferred to test or development environments if it has been made completely anonymous before transfer. The transfer of the anonymized data must be encrypted or via a trustworthy network.

Software to be transferred to the operating environment must first be tested in an identical test environment ("staging"). Programs for error analysis or the creation/compilation of software may only be used in the operating environment if this cannot be avoided. This is especially the case if error situations depend on data that would be falsified due to the requirements for anonymization when transferring to test environments.

Separation in networks

G-P separates its networks according to tasks. The following networks are used permanently: operating environment ("Production"), test environment ("Staging", “Sandbox”), development environment (“Dev”) office IT staff. In addition to these networks, further separate networks are created as required, e.g., for restore tests and penetration tests. Depending on the technical possibilities, the networks are separated either physically or by means of virtual networks.

h) Availability control

G-P takes the following steps to ensure that personal data is protected against accidental destruction or loss.

Data protection procedures/ backups

To ensure adequate availability G-P implements daily snapshots of its database with replication to a different region. Measures are also taken to ensure employees with job-based need to review data are granted access only to replica datasets.

Géo-redondance en ce qui concerne l'infrastructure des serveurs pour les données de production et les sauvegardes

IT incident management ("Incident Response Management")

There is a concept and documented procedures for handling incidents and safety- relevant events. This includes the planning and preparation of the response to incidents, procedures for monitoring, detecting and analyzing security- relevant events and the definition of corresponding responsibilities and reporting channels in the event of a violation of the protection of personal data within the framework of the legal requirements.

2) ORGANIZATIONAL MEASURES TO ENSURE DATA PRIVACY AND PROTECTION

G-P a mis en place les mesures organisationnelles suivantes afin de s'assurer que l'organisation fonctionne de manière à répondre aux exigences en matière de confidentialité et de protection des données.

a) Organizational Instructions

G-P has developed and is developing a data governance program including policies, procedures, and guidelines for employees to follow. Documentation includes how to identify and manage data privacy issues, best practices for ensuring privacy compliance, and policies for addressing privacy incidents.

b) Commitment to confidentiality and data protection

G-P has developed and is developing a data governance program including policies, procedures, and guidelines for employees to follow. All employees and contractors are bound in writing to confidentiality and data protection as well as other relevant laws. All employees receive privacy & security training. Internal audits on data protection and information security are conducted regularly. Audits are carried out on the basis of common test criteria/schemes. The employees and contractors of G-P are instructed to process personal data for lawful reasons only, pursuant to applicable contracts with the customer and professional, with due consideration to any express consent given or withheld by the data subject, and in keeping with any lawful duty of the organization.

c) Data protection training

All employees receive privacy & security training which remains available for review at any time in G-P training platform.

d) Physical Access Controls

G-P has the following physical controls in place to deny unauthorized persons access to IT systems equipment used for processing.

Electronic door protection

The entrance doors to the premises of G-P offices are always locked and electronically secured. The doors are opened via a personal electronic transponder.

Controlled distribution of keys

A central, documented allocation of keys to the employees of G-P takes place. These electronic transponders/keys could be deactivated centrally by each office manager or the People Resources department.

Supervision and accompaniment of external persons

External service providers and other third parties may only be granted access to the premises via prior authorization or when accompanied by an employee of G-P. G-P applies its written Visitor’s Policy when visitors are invited to the premises.

Securing of premises with increased need for protection

Premises or cabinets with increased protection requirements, such as legal offices and certain Operations locations, are equipped with locking cabinets and drawers. Cabinets and drawers where legal documents, contracts, and confidential documentation are held are to be locked at all times except when they are in use.

Closed doors and windows

Employees are organizationally instructed to keep windows and doors closed or locked outside office hours.

e) Recoverability

G-P ensures that systems in use can be restored in the event of physical or technical failure.

Regular tests of the data recovery ("Restore-Tests")

Regular full restore tests are carried out to ensure recoverability in the event of an emergency/disaster.

Emergency plan ("Disaster Recovery Concept")

There is a concept for the treatment of emergencies/disasters and a corresponding emergency plan. G-P ensures the recovery of all systems on the basis of the data backups / backups, usually within 48 hours.

Review and evaluation measures

Presentation of the procedures for regular review, assessment and evaluation of the effectiveness of the technical and organizational measures.

f) Privacy Team

The organization has a Global Data Privacy Office tasked with planning, implementing, evaluating and adapt measures in the field of data protection.

g) Risk Management

There is a process for analyzing, evaluating, and allocating risks and for deriving measures on the basis of these risks.

3) INDEPENDENT REVIEW OF INFORMATION SECURITY

Performance of audits

Internal audits on data protection and information security are conducted regularly. Audits are carried out on the basis of common test criteria/schemes.

b) Review of compliance with security policies and standards

Compliance with the applicable security guidelines, standards and other security requirements for the processing of personal data is checked regularly. Where possible, these checks are carried out on a random and unexpected basis.

c) Verification of compliance with technical specifications

Regular automated and manual vulnerability scans are performed by the IT department or other qualified personnel to verify the security of the applications and infrastructure, as well as the regular development of the product. Detailed penetration tests are carried out by an external service provider to specifically examine the applications and infrastructure for vulnerabilities.

d) Processing on instruction

The employees of G-P are instructed to process personal data for lawful reasons only, pursuant to applicable contracts with the customer and professional, with due consideration to any express consent given or withheld by the data subject, and in keeping with any lawful duty of the organization.

e) Careful supplier selection

G-P adheres to its Supplier Prequalification Process when selecting vendors and suppliers who may encounter protected data. This process includes feedback from the Finance and Legal/Privacy Departments and incorporates risk assessment, security prequalification and documentation certification steps. Suppliers who will process protected data will be required to demonstrate their adherence to applicable data privacy laws, including Article 28 GDPR for covered data

Annexe III

Liste des sous-processeurs

Sous-processeur	Localisation et coordonnées	Description du traitement
Acumatica	3933 Lake Washington Blvd NE #350, Kirkland, WA 98033, USA	Services financiers
Amazon Web Service	P.O. Boîte 81226 Seattle, WA 98108-1226, USA	Hébergement - Fournisseur de services en nuage
Microsoft	Microsoft Corporation One Microsoft Way Redmond, Washington 98052 USA Téléphone : (+1) 425-882-8080.	Soutien aux processus opérationnels pour la gestion des communications (courrier électronique) et des services
Atlassian	350 Étage de la rue Bush 13 San Francisco, CA 94104, États-Unis +1 415 701 1110	Soutien aux processus opérationnels pour la gestion des services
DocuSign	DocuSign International (EMEA) Ltd, Attention : Privacy Team, 5 Hanover Quay, Ground Floor, Dublin 2, République d'Irlande	Gestion des documents
Salesforce.com	Salesforce Tower, 415 Mission Street, 3rd Floor, San Francisco, CA 94105, USA 1-800-387-3285	Soutien aux processus d'affaires pour la gestion des relations avec les clients (CRM)
Zendesk	989 Rue du Marché San Francisco, CA 94103, États-Unis zendesk.com 888-670-4887	Demandes de renseignements auprès du service d'assistance à la clientèle
Service Now	2225 Lawson Lane Santa Clara, CA , 95054 ÉTATS-UNIS	Business Process Support for IT service and operations management, the employee and customer experiences through ( automated cloud-based workflow)
Databricks	160 Spear Street, 15th Floor San Francisco, CA 94105 1-866-330-0121 ÉTATS-UNIS	Infrastructure d'entrepôt de données en nuage.
Datadog	620 8^th Ave 45 ^th Floor New York, NY 10018 ÉTATS-UNIS	Outil de surveillance et de débogage des services
Wise	Avenue Louise 54, salle52, 1050 Bruxelles Belgique	Traitement des paiements en ligne
Google	1600 Amphithéâtre Pkwy, Mountain View, CA 94043	Support des processus métier pour les communications (email) et le stockage interne de documents

Langage de confidentialité de la MSA​​

ADDENDUM SUR LA PROTECTION DES DONNÉES​​

1. DEFINITIONS​​

2. INDEPENDENT CONTROLLER - CONTROLLER RELATIONSHIP​​

3. CONTROLLER – PROCESSOR RELATIONSHIP​​

4. INTERNATIONAL DATA TRANSFERS​​

Annexe I​​

Annexe II​​

1) TECHNICAL MEASURES TO ENSURE DATA PRIVACY AND PROTECTION​​

b) Encryption of Personal Data:​​

c) Admission Control​​

d) Access Controls Within the Platform​​

e) Firewall as a Service​​

f) Record of Log-In to the Platform​​

g) Separability​​

h) Availability control​​

2) ORGANIZATIONAL MEASURES TO ENSURE DATA PRIVACY AND PROTECTION​​

a) Organizational Instructions​​

b) Commitment to confidentiality and data protection​​

c) Data protection training​​

d) Physical Access Controls​​

e) Recoverability​​

f) Privacy Team​​

g) Risk Management​​

3) INDEPENDENT REVIEW OF INFORMATION SECURITY​​

b) Review of compliance with security policies and standards​​

c) Verification of compliance with technical specifications​​

d) Processing on instruction​​

e) Careful supplier selection​​

Annexe III​​

Langage de confidentialité de la MSA