Your privacy is important to us, so in this Privacy Policy, we explain how Konverso uses personal data when you use or interact with one of our applications.
Within the context of the provision of the Services, Konverso may gain access, in its capacity as subcontractor, to personal data within the meaning of the French Data Protection Act (Law 78-17 of 6 January 1978) and the European General Data Protection Regulation (Regulation 2016/679 of 27 April 2016, hereinafter the “GDPR”). Accordingly, Konverso may be led to process such data on behalf of the Client, who is the Data Controller or first-line subcontractor, for the sole purposes of providing the Software and Associated Services and for the duration stipulated in the Agreement.
Konverso may collect, either as Controller or Processor, the following categories of Personal Data when users use or otherwise interact with the application:
Name;
Email address;
User language;
IP addresses and other information collected passively, such as browser type, operation system, date/time stamp;
Conversation information such as user inputs and actions taken, information related to logins, and clicks to external links;
Uploaded files.
Konverso covenants to process the personal data solely for the purposes required by the Client, i.e. the provision of the Services stipulated in the Agreement, including, in particular, hosting and Software Support.
Konverso processes personal data for purposes such as:
Account configuration;
Fulfilling requests users make related to the application;
Creating tickets in 3rd party ITSM services;
Providing reports based on information collected from the use of the application.
Konverso keeps all required data processing registers, the content of which is defined by Article 30(2) of the GDPR, and will make them available on request.
In accordance with Articles 38 and 39 of the GDPR, Konverso’s Data Protection Officer or department responsible for data protection matters can be contacted at the following address: dpo@konverso.ai.
The Client covenants to:
Provide Konverso with all information needed for Konverso to comply with its obligations under the GDPR;
Specify all instructions regarding Konverso’s processing of the data in writing;
Ensure beforehand, and monitor throughout the duration of the processing, Konverso’s compliance with the GDPR;
Reply, within fifteen (15) days, to any request from Konverso concerning the processing of personal data in relation to the provision of the Service;
Comply with its obligations as data controller or first-line subcontractor, in accordance with the provisions of the GDPR.
Konverso warrants that it will take every necessary measure to ensure the security, integrity, availability, resilience, and confidentiality of the personal data sent to it or to which it gains access during the performance of the Agreement or/and each purchase Order. Accordingly, Konverso covenants to take all measures required under Article 32 of the GDPR, and in particular all appropriate technical and organizational measures – given the current state of knowledge, the cost of implementation, and the nature, scope, context, and purpose of the processing – required for Konverso and its personnel to comply with their duty of security, integrity, and confidentiality. Specifically, Konverso covenants to:
Only process or view the personal data and files in accordance with the Client’s instructions, including with regard to transfers of personal data to another country or international organization, unless Konverso has a duty to do so under French or European Union law; in this case, Konverso will inform the Client of this duty before processing, unless the law prohibits it from informing the Client for substantial public policy reasons;
Not process or view said personal data or the files containing them for any purpose other than that of providing the Service to the Client in accordance with the Agreement;
Not insert other data into the existing personal data processing operations;
Take all measures needed to prevent misuse, malicious use, or fraudulent use of said personal data and files;
Take every necessary precaution to ensure the security of said personal data, to ensure that they are not altered, damaged, or accessed by third parties without authorization, and to prevent all access from taking place without prior authorization from the Client;
Take all appropriate steps (i) to ensure the uninterrupted confidentiality, integrity, availability, and resilience of the processing systems and services used; (ii) to re-establish the availability of the personal data and access to it within an appropriate time frame in the event of a physical or technical incident; and (iii) to regularly test, analyze, and evaluate the effectiveness of these steps;
Not view and process personal data other than those falling within the scope of the Agreement or/and applicable Purchase Order, even if access to this data is technically possible;
Ensure that the individuals authorized to process personal data are bound by a written non-disclosure agreement requiring them to keep the personal data confidential, or that they are subject to an appropriate legal duty of confidentiality, and that they receive the required training on personal data protection;
Not disclose, in any way, shape, or form, all or part of said personal data;
Not copy or store, regardless of the form or purpose, all or part of said personal data contained in the media or documents provided to or collected by Konverso during the performance of the Agreement or/and applicable Purchase Order (other than technical operations strictly required for the performance).
At the end of the Agreement or/and the applicable Purchase Order, Konverso covenants to return all files in its possession and all personal data processed on behalf of the Client in accordance with the conditions stipulated in the Agreement or/and the applicable Purchase Order. Konverso further covenants to destroy all physical or digital files in which the personal data is stored (and any copies thereof), after ensuring that the Client is in possession of this information unless Konverso is required to continue to store this data under French or European Union law.
In addition, Konverso covenants to inform and to enter into a written agreement with each of its subcontractors (“Subprocessors”) requiring them to comply with the provisions of the GDPR. However, in the event of a Subprocessor’s failure to comply with its personal data protection obligations, Konverso will remain fully liable to the Client.
The Client hereby grants Konverso general consent to hire Subprocessors to process personal data. Upon the Client’s request, Konverso will make available a system allowing the Client to be informed of changes to the list of Subprocessors.
To ensure the security and confidentiality of the personal data, Konverso covenants (i) to keep the personal data strictly confidential; (ii) to implement appropriate technical and organizational data protection measures within its company, including within its hosting infrastructure; and (iii) to create, maintain, and provide, upon request, a description of the measures put in place to protect personal data (with it being noted that the Client is solely responsible for the security, access conditions, and protection of personal data on its own IT system).
In light of the current state of knowledge, the cost of implementation, and the nature, scope, context, and purpose of the processing, as well as the varying probability and severity of the risks to the rights and freedoms of natural persons, the Parties will implement appropriate technical and organizational measures to ensure a suitable level of security with regard to the level of risk, including, where appropriate:
Measures ensuring the constant confidentiality, integrity, availability, and resilience of the processing systems and services;
Methods rendering it possible to re-establish the availability of personal data and access to it within an appropriate time frame in the event of a physical or technical incident;
A procedure for regularly testing, analyzing, and evaluating the effectiveness of the technical and organizational methods for ensuring the security of the data processing.
In evaluating the appropriate level of security, particular attention must be paid to the risks involved in the data processing, including, in particular, risks related to the destruction, loss, alteration, or unauthorized disclosure of the personal data sent, stored, or processed in any way, as well as to any accidental or unlawful access to this data. The Parties will take the necessary steps to ensure that all individuals working under their authority with access to personal data process this data solely in accordance with their instructions unless they are required to process them by the laws of the European Union or a European Union Member State.
Konverso also covenants to cooperate with the Client in order to:
Inform the Client without undue delay of any requests received from data subjects, and cooperate with the Client, within reason, to allow it to comply with its obligations under the GDPR pertaining to such requests. The Client will bear all reasonable costs of Konverso’s assistance in complying with such obligations;
Ensure the Client’s compliance with its own obligations in terms of the security and confidentiality of personal data;
Ensure compliance with the obligation to report data breaches to oversight authorities and to the data subject. Konverso will inform the Client without undue delay whenever it learns of a personal data breach, and will, within reason, respond to the Client’s requests for additional information in order to allow it to comply with its obligations under Articles 33 and 34 of the GDPR;
Inform the Client without undue delay if it feels that the Client’s instructions constitute a breach of the GDPR or other data protection legislation of the European Union or a European Union Member State;
Perform personal data protection impact assessments if the Client consults the CNIL beforehand.
The Client reserves the right to carry out, at its own expense, any verifications it sees fit to ensure that Konverso is in compliance with its obligations under the Agreement or the applicable Purchase Order, particularly by performing audits or inspections. These verifications, which may not exceed one inspection or audit per year, may be carried out by the Client or a third party, duly authorized for these purposes, who is not a competitor of Konverso. Within this context, Konverso will provide the Client or said third party the information needed to prove its compliance with the terms of the Agreement. Konverso covenants to contribute to these verifications. Audits must assess the Client’s compliance with the Agreement or applicable Purchase Order and applicable data protection law, and, in particular, they must render it possible to establish whether adequate technical and organizational measures for guaranteeing data security and confidentiality have been implemented, that these measures cannot be bypassed without detection, and that, if this occurs or if any other personal data breach occurs, a procedure for notification and action by Konverso must immediately be put in place. Generally, each Party warrants to the other Party that it will comply with its legal and regulatory obligations in personal data protection.
Konverso will ensure that whenever it sends personal data from the European Union to a subcontractor in another country or territory outside of France and/or the European Union that has not received a binding “adequacy decision” (accreditation) from the European Commission or the national data protection authority, the transmission of the data will be subject to an appropriate transfer procedure in order to ensure an adequate level of protection within the meaning of the GDPR.
In any case, the Service provided by Konverso constitutes an element that contributes to compliance but is not sufficient to ensure the Client’s full compliance with data protection requirements. Accordingly, Konverso’s liability in the area of compliance with data protection law is strictly limited to the scope of the Service that it operates. The Client is solely liable for possessing at least the following: an IT system that is correctly suited to the processing of personal data, a risk and impact assessment (where appropriate), a cybersecurity policy for its IT system, a charter governing the use of its IT resources, an IT security and data protection training and awareness-raising program for its Users. Under no circumstances will Konverso incur any liability whatsoever for the Client’s failure to implement the necessary technical and organizational measures to ensure the protection of personal data, nor, generally, for the Client’s determination of the categories of data collected and/or uploaded to the Services, or for the purposes for which data is collected by the Client or on the Client’s behalf.