DATA PROCESSING AGREEMENT

This Data Processing Agreement (hereinafter, DPA) is part of the General Terms of Use of Sendinblue services (hereinafter, Agreement). All terms in uppercase not defined in this DPA shall have the same meaning as established in the Agreement.

This DPA aims to define the conditions under which Sendinblue undertakes to carry out, on behalf of the User, the data processing operations defined below.

In the context of this DPA, the User acts as Data Controller and Sendinblue as Data Processor within the meaning of the EU Data Protection Law.

1 – DEFINITIONS

User Data means any Personal Data that Sendinblue processes on behalf of the User as Data Processor in the course of providing the services.

Data Controller means the User (Werku Tools SA).

Data Processor means Sendinblue.

EU Data Protection Law means Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data (General Data Protection Regulation) (GDPR).

EEA means the European Economic Area.

Personal Information means any information related to an identified or identifiable natural person.

Processing has the meaning ascribed to it in the GDPR and process, processes, and processed shall be interpreted accordingly.

Subprocessor means any Data Processor engaged by Sendinblue to assist in fulfilling its obligations with respect to the provision of services under the Agreement or this DPA. Subprocessors may include third parties or Sendinblue group members.

2 – DATA PROCESSING DETAILS

2.1 Sendinblue will process User Data only for the purposes described in the DPA and only in accordance with the User’s documented legal instructions. The Parties agree that this DPA and the Agreement set forth the complete and final instructions of the User to Sendinblue regarding the processing of User Data.

2.2 Duration: Between Sendinblue and the User, the duration of data processing under this DPA is until the termination of the Agreement in accordance with its terms.

2.3 Purpose: The purpose of data processing under this DPA is the sending of marketing and/or transactional emails and/or SMS.

2.4 The data processing operations carried out by Sendinblue on behalf of the User are defined below:

• Storage of contact lists uploaded by the User
• Sending of email or SMS messages, whether automated or not (including order tracking, order confirmation, newsletters)
• Retention and analysis of email delivery capacity data (retargeting screen)
• Collection of subscription cancellations and User information
• Collection of consents (in case the User uses the Sendinblue form to retrieve contact data from their own site)
• Analysis of email recipient behavior (tracking of open rates, click rates, and bounce rates on an individual level)

2.5 Categories of data subjects: Any individual: (i) whose email address is included in the User’s distribution list; (ii) whose information is stored or collected through the services, or (iii) to whom the User sends emails or engages or communicates through the services and, more specifically, customers and prospects.

2.6 Types of User Data: Any type of data determined and controlled by the User at their sole discretion, in the context of their use and configuration of the services, such as contact data (such as email and phone number); computer information (IP addresses, cookie data).

3 – USER OBLIGATIONS

3.1 If the User is established in the European Union, or if their Distribution List contains Personal Data of EU citizens, the User agrees to comply with their obligations as Data Controller under the EU Data Protection Law, and in particular:

• That the Personal Data contained in the files transmitted have been collected and processed in accordance with applicable regulations
• That the User has informed the data subjects in accordance with applicable regulations
• If applicable, that data subjects have consented to the collection and processing
• That data subjects may exercise their rights in accordance with applicable rules
• That the User undertakes to have the information rectified, completed, clarified, updated, or deleted if it is inaccurate, incomplete, ambiguous, or outdated, or if the data subject wishes to prohibit its collection, use, communication, or storage

3.2 It is specified that the User is solely responsible for managing the retention periods of the Personal Data they upload to the Sendinblue platform, and it is their responsibility to delete the data when their retention period expires. Sendinblue is responsible solely for deleting this data at the end of its contractual relationship with the User.

3.3 The User undertakes not to include in the distribution lists uploaded to the platform any Personal Data known as “sensitive” within the meaning of Article 9 of the GDPR.

4 – SENDINBLUE OBLIGATIONS

4.1 Compliance with User instructions and regulations. Sendinblue undertakes to:

Process Personal Data only for the purpose set forth in this DPA

Process Personal Data in accordance with the Controller’s instructions. If Sendinblue believes that an instruction constitutes a violation of the EU Data Protection Law, it will immediately inform the Use

Ensure the confidentiality of Personal Data processed under this Agreement

Ensure that persons authorized to process Personal Data under this DPA:

Commit to respecting confidentiality or are subject to an appropriate legal obligation of confidentiality

Receive necessary training in the protection of Personal Data; appoint a Data Protection Officer: Jules Jeanroy, dpo@sendinblue.com

Maintain a record with a list of the processing operations carried out on behalf of the Data Controller, including all information listed in Article 30(2) of the GDPR

4.2 Security: Sendinblue undertakes to take all necessary precautions, with regard to the nature of the Personal Data and the risks posed by the processing, to preserve the security of Personal Data and, in particular, to prevent it from being distorted, damaged, or accessed by unauthorized third parties. Sendinblue undertakes in this context to implement appropriate technical and organizational security and confidentiality measures.

4.3 Data breach: Upon becoming aware of any Personal Data breach, Sendinblue will notify the User within 72 hours of becoming aware of it, by notification through the User’s client account or by email to the address, in particular to allow the User to fulfill the obligation under Article 33 of the GDPR.

4.4 Destruction: At any time during the execution of the Agreement, the User can access or delete the Personal Data processed by Sendinblue directly from their client account by clicking on the “export” button in their client account. At the end of the contractual relationship, Sendinblue undertakes, at the User’s request, to destroy all Personal Data, or return it to the User or another data processor designated by them if technically feasible and within a maximum period of 3 months. The return must be accompanied by the destruction of existing copies in Sendinblue’s information systems, unless some applicable law requires their retention. Sendinblue undertakes to provide the User, upon request, with proof of such destruction.

5 – ASSISTANCE AND AUDIT

5.1 Assistance: To the extent that the User cannot independently access relevant User Data within the services, Sendinblue shall (at the User’s expense) provide reasonable cooperation to assist the User in responding to any requests from individuals