Appendix Personal data protection

1. Purpose

Pursuant to Article 14 of the Kosmos General Terms and Conditions of Sale, the purpose of this appendix is to stipulate Kosmos' commitments, including the technical and organizational measures deployed by Kosmos, in order to ensure the protection of the Customer's personal data and the compliance of the processing covered by the Contract with the applicable regulations (Regulation no. 2016-679 of April 27, 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, repealing Directive 95/46/EC ("GDPR"), and Law n°78-17 of January 6, 1978 as amended (hereinafter together "Regulations")). In no event shall Kosmos be liable for any refusal by Kosmos to carry out Processing that does not comply with the Regulations. This Appendix is agreed in accordance with Article 28 of the GDPR.

2. Definitions

Unless otherwise indicated, the definitions contained in the GDPR, in particular the terms "Controller", "Processor", "Purposes", "Recipients", "Data Subject", "Member State", "Personal Data", "Personal Data Breach", "Processing", and "Supervisory Authority", apply. "Personal Data" in this context means any Personal Data, as defined in the GDPR, processed by Kosmos on behalf of the Customer pursuant to or in connection with the Contract. Such Personal Data includes, as specified in Sub-Appendix 1, Personal Data collected, processed or hosted by Kosmos as the Customer's Subcontractor in connection with the performance of the Services that are the subject of the Contract. In addition, Kosmos may collect and process the Personal Data of the Customer's employees in its capacity as Processor in connection with the formation and monitoring of the Contract.

3. Qualification of parties

This Appendix covers all Services provided by Kosmos, whether (i) SaaS Services, (ii) recurring IT Services (Support, TMA) or one-time Services and more generally any intervention by Kosmos on the Customer's Personal Data.

Where Personal Data is processed or hosted on Kosmos servers or information systems, the technical and organizational measures described in sub-annex 2 shall apply. If Personal Data is processed or hosted on the customer's information system or on that of any third party under the customer's responsibility, it is the sole responsibility of the customer toKosmos' responsibility is limited to the protection of Personal Data handled by its employees in connection with the Services.

For the purposes of this Appendix, Kosmos is the Subcontractor of the Customer, who is the Data Controller. Sub-Appendix 1 sets out details of (i) the Purposes of the Processing entrusted to Kosmos, (ii) the categories of Personal Data processed by Kosmos, (iii) the categories of Persons concerned by the Processing and (iv) the deletion periods (retention period) of Personal Data by Kosmos. It is the Customer's responsibility to determine the third-party recipients to whom Personal Data is sent, if any, and to provide Kosmos with the contact details of such recipients.

Kosmos is not responsible for the protection of Personal Data by such recipients, which the Customer acknowledges.
In the event of modification of a Processing, the Parties will agree on any modifications to Sub-Annex 1 necessary to meet the requirements of the Regulations.
Except in the case of a separate legal basis applicable to Kosmos as Data Controller, Kosmos will only process the Personal Data defined in Sub-Annex 1 in application of the Purposes defined in Sub-Annex 1, within the framework of the Services performed by Kosmos as defined in the Contract and the Processing corresponding to these Services only.

4. How Kosmos processes personal data

Kosmos undertakes to process Personal Data under the Agreement only (i) in accordance with the Customer's documented instructions, (ii) in compliance with and within the limits of the Purposes stipulated, (iii) in compliance with the technical and organizational measures described in this Appendix, and (iv) for the retention period(s) stipulated.
Kosmos implements appropriate technical and organizational measures in order to (i) prevent the unauthorized or unlawful processing of Personal Data, (ii) prevent the accidental loss, destruction or deterioration of Personal Data, (iii) ensure the awareness and training of its employees in the protection of personal data in the context of their job titles, and (iv) ensure that only those of its employees and any subcontractors who have a need to know in the context of the Services have access to Personal Data. The technical and organizational security measures implemented are described in Sub-annex 2 (hereinafter the "Measures").

Acknowledging that the Measures are subject to technical progress and development, the Parties agree that Kosmos is entitled to make improvements to the Measures, provided that such Measures do not fall below the safety level set forth in Sub-Annex 2 and that they comply with the state of the art. Kosmos will provide the Customer with a description of any significant changes to the Measures.

Insofar as the Agreement relates to the supply by Kosmos of a Software Solution, Kosmos shall take into account the principles of security, confidentiality, minimization and protection of personal data from the outset of its design or as part of its technical development.

In the case of Services performed by Kosmos on the Customer's information system, the Customer is solely responsible for the technical and organizational measures and security surrounding the Personal Data stored on its information system. Kosmos and the Customer agree on an access management policy for Kosmos employees in consideration of regulatory requirements.

5. Management of data subject rights

The Parties acknowledge and agree that it is the legal responsibility of the Customer, as the Data Controller, to deal with requests from Data Subjects relating to their rights over their Personal Data as defined by the Regulations (right to information, rights of access, rectification, deletion, opposition, limitation, portability or revocation of any consent), concerning the Processing of Personal Data carried out, and that Kosmos itself is not obliged to respond directly to such requests, unless otherwise required by documented instructions from the Customer.

If the Customer has direct access to the Personal Data of the Data Subjects (in particular in the case of the provision of a Solution), the Customer shall itself handle the Data Subjects' requests, in accordance with procedures that it determines under its responsibility. The Customer may request Kosmos' assistance in identifying Personal Data and processing requests, in writing.

If a Data Subject's request is received directly by Kosmos in connection with the Services, Kosmos will promptly forward the request to the Customer for a decision and reply. In all cases, the Customer is solely responsible for the appropriateness of the response to be given to the Person concerned, for establishing his/her identity, for requesting additional information, for identifying any exceptions to the request, or for refusing to comply with the request for legitimate reason(s) that the Customer himself/herself determines and communicates to the Person concerned.

In the event of a dispute with a Data Subject or in the event of any other action taken by a Data Subject in relation to the Processing of Personal Data entrusted to Kosmos, the Customer will inform Kosmos as soon as possible, and Kosmos will cooperate and provide the Customer with any useful information in this context.

6. Management of personal data breaches

Kosmos undertakes to implement a system for detecting any Personal Data Breaches occurring on its information system in connection with the Services. In the event of a Personal Data Breach within its scope of operation, Kosmos undertakes to (i) alert the Data Controller as soon as possible, (ii) implement any palliative solution to limit or eliminate the Personal Data Breach, and (iii) investigate the reasons for the Breach.

Where necessary and to the extent possible, the notification sent by Kosmos to the Customer will include the information requested by Article 33 of the GDPR: (i) the nature of the Personal Data Breach, (ii) the categories of Personal Data and the Processing(s) involved, (iii) the number and categories of Data Subjects, (iv) the origin and foreseeable consequences of the Breach for the Data Subjects and (v) the measures implemented to put an end to the Personal Data Breach and attempt to limit or eliminate its consequences. Failing this, Kosmos will indicate when further information will be provided, in particular in the event of a technical investigation carried out by Kosmos or its subsequent Subcontractor. In this context, Kosmos is not authorized to notify a Personal Data Breach directly to the Supervisory Authority, Data Subjects or other third parties, unless Kosmos is required to do so by applicable law. Apart from these cases, it is the sole responsibility of the Customer, as the Data Controller, to decide and make any necessary notifications, by any means of its choice, to the Supervisory Authority, and to the Data Subjects in the event of a risk to their rights and freedoms as determined by the Data Controller.

7. Assistance to the data controller

Kosmos will alert the Customer in writing if it becomes aware of any obvious non-conformity between the needs expressed by the Data Controller under the Contract and the requirements of the Regulations. However, Kosmos cannot be held responsible for (i) non-conformities in Processing caused by the Data Controller, or (ii) failure to detect a non-conformity that is not serious and obvious.

Kosmos assists the Data Controller (i) by answering the Data Controller's oral or written questions relating to the Processing, (ii) in the event of a request or investigation by a supervisory authority, and (iii) in the event of a prior impact analysis being carried out on the scope of the Processing in question. To this end, Kosmos provides the Customer with documentation relating to compliance with its commitments under this Appendix.

Where necessary, Kosmos reminds the Customer that, where the processing of personal data includes "particular" data within the meaning of the Regulations, "vulnerable" persons such as minors, or the processing of personal data on a large scale, or behavioural profiling, a prior impact analysis may be necessary, and Kosmos undertakes, where appropriate, to assist in the said analysis with regard to the scope of the Processing entrusted to it under the Contract, and the resources implemented by it for this purpose.

8. Audit

Once (1) a year, upon reasonable written notice, the Controller shall have the right to conduct an audit of Kosmos' implementation of the Measures stipulated in this Appendix, covering only the perimeter of Personal Data and Processing related to the Agreement, excluding (i) any part of Kosmos' information system not covered by the Contract, (ii) any personal data of Kosmos' other customers, (iii) any element constituting a business or industrial secret of Kosmos, and (iv) in compliance with Kosmos' intellectual property, security procedures, availability of employees and normal production.

Kosmos shall confirm the auditor's identity in advance, and may disqualify the auditor if he or she belongs to a company competing with Kosmos. The cost of the audit shall be borne by the Customer. If the audit identifies any non-conformity with Kosmos' commitments, Kosmos will remedy the situation as soon as possible and send written confirmation to the Customer. In any event, the audit report is sent in writing to Kosmos, which may make any observations.

9. Use of subcontractors

Kosmos may use a third-party service provider to carry out all or part of the Services (hereinafter the "Third-Party Service Provider"), provided that the Third-Party Service Provider (i) is subject to the Customer's express prior approval, and (ii) provides Kosmos with a contractual undertaking to ensure the protection of Personal Data in the course of its work substantially in accordance with the requirements of this Appendix.

On the date of signature of the Contract, the Customer is informed and expressly approves the use of the following Subcontractor(s) stipulated in Sub-annex 1, for the execution of the Processing in question. Any subsequent recourse to another subsequent Subcontractor will imply compliance with the following procedure.

Kosmos shall give prior written notice to the Customer of the proposed appointment of a new Subcontractor, specifying the name, address and contact details of the subsequent Subcontractor, as well as the aspects of the Processing for which the said subsequent Subcontractor will be responsible, and in particular whether it involves a cross-border flow of Personal Data. If, within a period of eight (8) calendar days from receipt of such notification, the Customer expresses legitimate and reasoned objections in writing to the appointment of the subsequent Subcontractor in question, Kosmos will discuss with the Customer the objections raised by the Customer and, if it is not possible to agree on such measures, Kosmos will not appoint the proposed subsequent Subcontractor. Failing this, the proposed Subcontractor will be accepted by the Customer.

In the event of any breach by the Subcontractor of its contractual obligations, Kosmos shall remain liable to the Customer in accordance with the terms of the Contract.

10. Management of cross-border flows of personal data

By default, Kosmos undertakes to process Personal Data only within the European Economic Area ("EEA"). However, in the event that the Services (including any subsequent use of a Subcontractor) involve a transfer of Personal Data outside the EEA, Kosmos will (i) keep the Customer informed and (ii) ensure in advance that the said transfer is carried out under safeguards that comply with the requirements of the Regulations (such as standard contractual clauses issued by the European Commission or the Supervisory Authority, binding corporate rules, the Supervisory Authority's adequacy decision, etc.). Kosmos will make these available to the Customer on request.

On the date of signature of the Contract, the Customer is informed of and expressly approves the transfers stipulated in Sub-annex 1, for the execution of the Processing in question.

11. Personal data of employees of the parties

In the context of the conclusion and operational and accounting management of the Contract, each of the Parties may also have access to the Personal Data of certain categories of persons (Contract signatory for the Customer, operational contacts, legal contacts, accounting contacts, etc.). Each Party undertakes, as Data Controller, to protect and use the Personal Data of these contacts of the other Party only for the purposes of managing the Contract, and to apply appropriate technical and organizational measures to them throughout the duration of the Contract. The Personal Data of these contacts will be deleted by each Party at the end of the Contract, subject to prolonged retention in the event of a legal obligation to archive or preserve evidence.

12. Communication with the supervisory authority

To the extent permitted by applicable law, Kosmos will inform the Customer as soon as possible of any investigation, formal notice or other proceedings that may relate to the Processing by Kosmos of the Customer's Personal Data by a Supervisory Authority or any other public authority. Where applicable, the Parties shall assist each other to ensure consistent communication with the Authority concerning any investigation by the latter. In the event of litigation, injunction or fine imposed or contemplated by the Supervisory Authority or other competent authority concerning the Processing of Personal Data against either or both of the Parties, the Parties shall inform each other without delay in order to defend themselves effectively against such actions or to settle them out of court in a timely manner.

13. Fate of personal data at the end of the contract

Kosmos shall retain the Customer's Personal Data (i) for the period(s) defined by the Customer in Sub-annex 1, and (ii) if necessary, for the duration of the Contract plus the legal periods of proof and prescription.
Without prejudice to the foregoing, and to the extent required for the performance of the Services, Kosmos will delete Personal Data (i) when the term or terms of the Agreement have expired, (ii) at the express request of the Customer, or at the documented request of a Data Subject and confirmed in writing by the Customer, and in any event (iii) at the end of the Contract (subject to any additional periods of time required for proof or prescription), after the Personal Data in question has been returned to the Customer.

Subject to the foregoing, in the event of (i) termination of the Agreement, or (ii) at any time upon Customer's written request, Kosmos shall delete and obtain the deletion by its subsequent Subcontractor(s) of all copies of Customer's Personal Data, or upon specific written request, of certain of such Data.

14. Scope of liability

As the Data Controller, it is the Customer's responsibility to inform the Persons concerned by its Processing (whether carried out directly by its Users via the Solution or corresponding to the Services entrusted to Kosmos) about (i) the Personal Data collected, (ii) the Processing implemented, (iii) the Purposes pursued, (iv) the legal bases underpinning the Processing, (v) any third-party Recipients of the Personal Data, as well as (vi) all other information due to individuals under Articles 13 or 14 of the GDPR, including a reminder of the rights they have over their Personal Data and the contact details to which they can assert them. The Data Controller determines the methods of dissemination and the effectiveness of this information under its sole responsibility. Where appropriate, he/she will communicate the information messages to Kosmos for publication on any Solution provided.

In any event, it is the Customer's responsibility, as the Data Controller, to ensure that the Personal Data Processing it entrusts to Kosmos, and more generally the processing on its own information system, with its own employees and other subcontractors, complies with the Regulations, and to deploy the appropriate technical and organizational measures within its organization. Kosmos accepts no responsibility for the compliance of the Data Controller beyond the scope of the Services covered by the Agreement.

In this respect, it is the Customer's responsibility as Data Controller (i) to collect Personal Data under its own responsibility, ensuring that it is strictly necessary and proportionate to the Purposes pursued, (ii) to ensure that they have been collected in accordance with a proven legal basis (and, where applicable, that they have been subject to the necessary consents, of which the Customer retains proof), (iii) to ensure that the Data Subjects are fully informed in advance, (iv) to document all instructions to Kosmos relating to Personal Data, (v) to ensure that Kosmos complies with its regulatory obligations throughout the term of the Agreement, and (vi) to supervise the execution of the Processing carried out on its behalf.

Kosmos may only be held liable for damage directly related to a breach by Kosmos of its obligations as a Subcontractor, or if it has acted outside or contrary to the Customer's instructions in accordance with the Regulations.

In the event of a fine, conviction or loss suffered by Kosmos (i) as a result of a failure by the Data Controller to comply with its obligations under the Regulations, or (ii) as a result of an instruction issued to Kosmos, in particular if the instruction leads to non-compliance of the Processing entrusted to Kosmos with the Regulations, the Data Controller undertakes to compensate Kosmos for any fine, conviction or prejudice suffered.

15. Data processing register and appointment of DPO

Each Party undertakes to list the Processing that is the subject of the Services in a register of Processing. Kosmos will indicate in its register the Processing that it carries out in the name and on behalf of the Customer in accordance with the requirements of Article 30, 2° of the GDPR. The Customer is responsible for its own register of Processing in accordance with the requirements of Article 30, 1° of the GDPR.

The designation of the Parties' DPOs is set out in Sub-Appendix 1.