Data Processing Agreement

1. Introduction

This Data Processing Agreement ("DPA") forms part of the Terms of Service between LADONNEE Consulting SARL à capital variable ("Processor," "we," "our," or "us") and the organization using Kultigo services ("Controller," "you," or "your").

This DPA governs the processing of personal data in accordance with the General Data Protection Regulation (GDPR) and other applicable data protection laws.

2. Definitions

• "Controller" means the organization that determines the purposes and means of processing personal data
• "Processor" means LADONNEE Consulting SARL à capital variable, which processes personal data on behalf of the Controller
• "Personal Data" means any information relating to an identified or identifiable natural person
• "Processing" means any operation performed on personal data, including collection, storage, analysis, and transmission
• "Data Subject" means the individual whose personal data is being processed
• "GDPR" means the General Data Protection Regulation (EU) 2016/679

3. Scope and Purpose of Processing

3.1 Categories of Personal Data

We process the following categories of personal data on your behalf:

• Employee identification information (name, email, employee ID)
• Organizational information (department, role, team membership)
• Assessment responses and cultural data
• Usage analytics and platform interaction data
• Communication preferences and settings

3.2 Categories of Data Subjects

• Your employees and team members
• Organizational administrators and managers
• Assessment participants and respondents
• Platform users and stakeholders

3.3 Purpose of Processing

Personal data is processed for the following purposes:

• Conducting cultural assessments and surveys
• Generating organizational reports and analytics
• Providing platform functionality and user management
• Supporting organizational development initiatives
• Ensuring platform security and performance

4. Processor Obligations

4.1 Processing Instructions

We will process personal data only on documented instructions from you, including with regard to transfers of personal data to third countries or international organizations.

4.2 Confidentiality

We ensure that persons authorized to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

4.3 Security Measures

We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

• Encryption of personal data in transit and at rest
• Regular security assessments and penetration testing
• Access controls and authentication mechanisms
• Incident response and breach notification procedures
• Regular staff training on data protection

4.4 Sub-processors

We may engage sub-processors to assist in providing our services. We ensure that any sub-processor is bound by the same data protection obligations as set out in this DPA.

5. Controller Obligations

5.1 Lawful Basis

You are responsible for ensuring that you have a lawful basis for processing personal data and that data subjects have been properly informed about the processing.

5.2 Data Subject Rights

You are responsible for handling data subject requests and ensuring compliance with data subject rights under applicable data protection laws.

5.3 Data Quality

You are responsible for ensuring that personal data provided to us is accurate, complete, and up-to-date.

6. Data Subject Rights

We will assist you in fulfilling data subject rights requests, including:

• Right of access to personal data
• Right to rectification of inaccurate data
• Right to erasure of personal data
• Right to restrict processing
• Right to data portability
• Right to object to processing

We will provide reasonable assistance to help you respond to such requests within the timeframes required by applicable law.

7. Data Breach Notification

In the event of a personal data breach, we will:

• Notify you without undue delay after becoming aware of the breach
• Provide you with all relevant information about the breach
• Assist you in meeting your breach notification obligations
• Take reasonable steps to mitigate the effects of the breach

8. Data Retention and Deletion

8.1 Retention Period

We will retain personal data only for as long as necessary to fulfill the purposes outlined in this DPA or as required by applicable law.

8.2 Deletion

Upon termination of our services or upon your request, we will delete or return all personal data to you, unless we are required to retain it by applicable law.

8.3 Certification

We will provide you with certification of deletion upon request.

9. International Data Transfers

If we transfer personal data to countries outside the European Economic Area, we will ensure that appropriate safeguards are in place, such as:

• Standard contractual clauses approved by the European Commission
• Adequacy decisions by the European Commission
• Binding corporate rules
• Certification schemes and codes of conduct

10. Audits and Compliance

10.1 Audit Rights

You have the right to audit our compliance with this DPA. We will provide reasonable cooperation and access to relevant information.

10.2 Certifications

We maintain relevant certifications and can provide evidence of our compliance with data protection standards.

10.3 Regulatory Cooperation

We will cooperate with supervisory authorities and assist you in any regulatory investigations or proceedings.

11. Liability and Indemnification

Each party will be liable for any damages caused by their breach of this DPA. We will indemnify you against any claims, damages, or costs arising from our breach of this DPA, subject to the limitations set forth in our Terms of Service.

12. Term and Termination

This DPA will remain in effect for as long as we process personal data on your behalf. Upon termination, the provisions relating to data deletion, confidentiality, and liability will survive.

13. Governing Law

This DPA is governed by the laws of Paris (France) and is subject to the jurisdiction of the courts of Paris (France).

14. Contact Information

For questions about this Data Processing Agreement, please contact us: