Privacy Policy and Protection of Data

Confidentiality Agreement

At OliveSoft, we attach paramount importance to protecting your personal data and complying with current regulations, in particular the General Data Protection Regulation (GDPR). As part of our IT services, we are required to access our customers’ systems and data, thus becoming a data processor. It is within this framework that the present privacy policy falls.

This privacy policy also defines and informs you of the manner in which OliveSoft uses and protects the information that you may transmit to us when you use this site, which is accessible from the following URL:

Please note that this privacy policy may be modified or supplemented at any time by OliveSoft, in particular in order to comply with any legislative, regulatory, jurisprudential or technological developments. In such a case, the date of the update will be clearly identified at the top of this policy. These modifications are binding on the User as soon as they are put online. It is therefore advisable for the User to consult the present privacy and cookie use policy on a regular basis in order to take note of any changes.

Article 1. Definitions

  • “OliveSoft“, “we“, “our“, “us“ refer to the company OliveSoft, registered under the Siren number 843 934 860, a Joint Stock Company (JSC). Its headquarters are located at 42, rue de Maubeuge, 75009 Paris.
  • Data Controller: refers to the entity that determines the purposes and means of the Processing of personal data;
  • Processor: refers to the entity that processes personal data on behalf of the Data Controller and according to its instructions;
  • Data Protection Regulation: refers to all European and national regulations related to privacy and personal data, including Regulation EU No. 2016/679 of April 27, 2016 (GDPR) and the French Law No. 78-17 of January 6, 1978 as amended and any other law provided for in the service contract signed by the Client;
  • Data Protection Authority: refers to the supervisory authority concerned with the processing of personal data. If a processing activity affects individuals located in several member states of the European Union, the supervisory authority of the main establishment of the Data Controller will be considered as the lead authority, in accordance with the GDPR;
  • Personal Data: refers to any information relating to an identifiable or identified natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person;
  • Processing (or Process): refers to any operation or set of operations performed on Personal Data, such as collection, recording, organization, storage, adaptation, extraction, consultation, use, communication, dissemination, making available, matching, erasure, or destruction;
  • OliveSoft Client(s): refers to the clients of the company OliveSoft who have entered into a service contract with said company.
  • Service Contract: refers to the legal agreement concluded between OliveSoft as the service provider and its client, where OliveSoft undertakes to provide specific services in exchange for remuneration. This contract also formalizes the terms under which OliveSoft, as a service provider, may access the client’s personal data in order to execute the agreed services.

Article 2. Security Measures

OliveSoft may act either as a Data Controller or as a Processor, depending on the circumstances. As a Data Controller, OliveSoft determines the purposes and means of processing personal data and is responsible for the compliance of these processes with legal and regulatory obligations. As a Processor, OliveSoft processes personal data on behalf of a client under a service contract, respecting the instructions of the Data Controller and contractual and legal obligations regarding data protection, including security and confidentiality.

OliveSoft implements and maintains appropriate technical and organizational security measures to protect the confidentiality of the Personal Data it processes or accesses, in accordance with the prescriptions of the Data Protection Regulation.

These measures take into account the potential risks to the individuals concerned due to the processing activities. They comply with industry standards and best practices in security, and take into account the recommendations of Data Protection Authorities.

OliveSoft strives to:

  • Ensure that it has physical security measures against acts of malice or cyberattacks.
  • Access to client systems by OliveSoft personnel is protected by strong authorization and authentication measures. Security updates for operating systems are installed regularly. Technical measures are in place against malware.
  • Implement and maintain security and confidentiality measures that take into account the principles of Personal Data protection and are adapted to the risks posed by their processing on the rights and freedoms of the individuals concerned, in accordance with the requirements of the applicable Regulation. These measures aim to protect Personal Data against destruction, loss, alteration, unauthorized disclosure to third parties, and to ensure the recovery of the availability and access to Personal Data in a timely manner in the event of an incident.

In case of failure, OliveSoft will do its best to restore the service as soon as possible, within the limits of its commitments.

Article 3. Identification of Processing Activities

For the purpose of providing Services and more generally to perform any other tasks assigned by the Client under the Service Agreement, OliveSoft may process the Personal Data that the Client integrates into its IT systems.

  • Data Subject: Any individual whose personal data is collected or processed by the Client OliveSoft
  • Purpose of Processing: The purposes are determined by the Client OliveSoft
  • Legal Basis: Execution of the Contract between the Client and the Data Subject
  • Categories of Data Processed: All categories, depending on the processing activities carried out by the Client as the Data Controller
  • Retention Period: Duration of the Contract with the Client or any other retention period requested by the Client
Article 4. OliveSoft’s Commitments

As a Subcontractor, OliveSoft undertakes to respect the following obligations and to ensure that its staff respects these same obligations, in accordance with article 28 of the GDPR:

  • Process the Personal Data collected by the Client for the strict purposes of providing the Services defined in the Contract.
  • Ensure the confidentiality of Personal Data and ensure that its personnel authorized to process them are subject to an obligation of confidentiality;
  • Take into account, regarding its tools, products, applications or services, the principles of protection of Personal Data from design (privacy by design) and by default (privacy by default);
  • Not use Personal Data for purposes other than those provided for in the Contract and not keep them beyond the term of the Contract or any other period specified by the Client;
  • Return the Personal Data under the conditions set out below;
  • Not license, rent, transfer Personal Data, in whole or in part, to a third party, without the prior written consent of the Customer;
  • Reasonably assist the Client in carrying out privacy impact analyzes if necessary;
  • Respond as quickly as possible to any request from the Client relating to the Personal Data processed in order to enable it to take into account, within the allotted time, any requests from the Data Subjects (right of access, rectification, erasure, opposition, etc.);
  • Warn and assist the Customer in ensuring compliance with obligations relating to the security of Personal Data, in particular within the framework of security violation notification procedures, under the conditions provided for below;
  • Implement technical and organizational measures allowing the Client to fully respect the rights of the Data Subjects, in particular the right of access, rectification or erasure of Personal Data, or the limitation of the processing thereof, the right to object to decisions based on profiling, as well as the right to data portability, where applicable;
  • Define and formalize a policy governing the restitution of personal data as well as their destruction, and make it available to the Client upon request.

Customer is advised that if OliveSoft is required to disclose Personal Data to a law enforcement agency, OliveSoft will use its best efforts to provide Customer with reasonable notice and opportunity to seek any protective order or other remedy. appropriate, unless OliveSoft is prohibited from doing so by law or by the relevant Data Protection Authority.

Article 5. Location of Personal Data

The Personal Data is not stored within OliveSoft infrastructure but is stored in the client’s data centers and IT systems in accordance with applicable legal provisions.

OliveSoft nevertheless has access to this data in the context of performing the service contract. This access is necessary to allow OliveSoft to provide the agreed services and meet the needs of its clients. Thus, OliveSoft access to clients’ personal data falls within the legal framework of the service contract and is limited to the needs of performing the agreed services.

Article 6. Personal Data Breach

If OliveSoft becomes aware of a Personal Data breach, it will inform the Client as soon as possible after becoming aware of it and will provide all necessary information so that the Client can assess the breach.

In accordance with Article 33 of the GDPR, unless the breach is unlikely to result in a risk to the rights and freedoms of Data Subjects, the Client, as the Data Controller, will be responsible for notifying the Supervisory Authority and, if the breach is likely to result in a high risk to their rights and freedoms, the affected individuals, in each concerned Member State. This notification must be made without undue delay and no later than 72 hours after the Client has become aware of a Personal Data breach.

This notification from the Client to the Supervisory Authority must:

  • Describe the nature of the Personal Data breach and include, if possible, the categories and approximate number of affected Data Subjects and the categories and approximate number of Personal Data records concerned;
  • Provide the name and contact details of the data protection officer or other contacts from whom further information can be obtained;
  • Describe the likely consequences of the Personal Data breach;
  • Describe the measures taken or proposed to address the Personal Data breach, including measures to mitigate its possible adverse effects.
Article 7. Record of Processing Activities

OliveSoft maintains a record of processing activities carried out on behalf of the Client, identifying for itself and each of its subsequent processors the processing activities performed on behalf of the Client, the location from which the service is provided, and any transfers of Personal Data outside the European Economic Area (EEA). The record will also document, where applicable, the implementation of appropriate safeguards to ensure an adequate level of protection, and any other information required by the Data Protection Regulation. The record will be accessible at any time to the Client and the Data Protection Authority.

Article 8. Security and Confidentiality of Processing

The general security requirements are set out in ARTICLE 2 above. Regarding the security of Personal Data processed for the purpose of providing the Services, OliveSoft implements additional measures resulting from the Data Protection Regulation. In particular, OliveSoft commits to implementing the following measures:

  • Ensure adequate protection of Personal Data to guarantee their confidentiality and prevent Personal Data breaches and/or minimize impacts in case of a breach;
  • Ensure that any person acting under OliveSoft’s authority who may have access to Personal Data bases for the purpose of their activity performs no other processing of such data, except in cases expressly authorized by the Client;
  • Delete Personal Data at the end of the retention or access period defined by the Client;
Article 9. Subsequent Processors

The Client expressly authorizes OliveSoft to subcontract the execution of tasks involving processing, in whole or in part, of Personal Data in the context of the Services to its subsidiary.

OliveSoft commits to informing the Client of any planned changes regarding the designation or replacement of a subsequent processor and to give the Client the opportunity to object to this change in writing within 8 calendar days.

The Client may only object to the new subsequent processor for the following reasons: (i) the new processor is a direct competitor of the Client; (ii) the new processor is involved in an ongoing dispute with the Client; (iii) the Client believes that the new processor does not comply with the Data Protection Regulation; (iv) the replacement of the processor would reduce existing security measures.

In any case, OliveSoft guarantees that any subsequent processor it appoints provides sufficient guarantees to implement appropriate technical and organizational measures to meet the requirements of the Data Protection Regulation. Processing by a subsequent processor is governed by a contract between OliveSoft and the subsequent processor that sets out the same rights and obligations as those defined herein, including the obligation to ensure the security of processing, the protection of Personal Data, and the right to audit.

OliveSoft will regularly verify, including through audits, the compliance of its subsequent processors with the aforementioned obligations. Additionally, for transfers of Personal Data outside the European Economic Area (EEA), OliveSoft will ensure that these contracts include the standard contractual clauses approved by the European Commission to ensure an adequate level of protection for the transferred Personal Data.

OliveSoft maintains an up-to-date list of subsequent processors specifying (i) their name and contact details, as well as (ii) the nature of the tasks assigned, (iii) the location of processing, and (iv) the dates of the last audits. In any case, OliveSoft remains fully responsible to the Client for the performance of its subsequent processors’ obligations.

Article 10. Documentation

OliveSoft will provide the Customer, subject to confidentiality obligations, with all the information necessary to demonstrate its compliance with the obligations of the Data Protection Regulations.

Article 11. Termination of Contract

At the end of the Service Contract, OliveSoft undertakes to return or delete the Personal Data

Article 12. Client Commitments

As the Data Controller, the Client must ensure that Users and Data Subjects have been informed about the processing of their Personal Data and have given their consent where required. The Client guarantees OliveSoft compliance with Data Protection Regulations (including providing complete, intelligible, and easily accessible information to Data Subjects; establishing a proper legal basis for processing; and adhering to all required procedures and formalities, such as conducting a data protection impact assessment if applicable, etc.). If the Client acts as a Data Processor on behalf of a third-party Data Controller, the Client guarantees OliveSoft that:

  • all necessary authorizations have been obtained to enter into the Service Agreement;
  • the contract concluded with the Data Controller complies with the applicable regulations;
  • the instructions given to OliveSoft comply with the Data Controller’s instructions;
Article 13. Client Guarantees

The Client guarantees that it has obtained and will maintain all necessary consents and/or declarations/authorizations required to lawfully process the Personal Data of Users and Data Subjects. The Client will indemnify and hold OliveSoft harmless from any claim or action by a User or Data Subject regarding the protection of their Personal Data.

Article 14. Liability

It is reiterated that OliveSoft is subject to a duty of care in providing Services to the Client. OliveSoft’s liability to the Client can only be engaged in the event of direct damage suffered by the Client due to a proven contractual breach by OliveSoft committed during or in connection with the performance of its obligations.

Notwithstanding the foregoing, the Client expressly acknowledges and agrees that OliveSoft liability cannot be engaged regarding the processing of Personal Data conducted by the Client. The Client, as the Data Controller, is solely responsible to third parties for compliance with Data Protection Regulations and guarantees OliveSoft against any action, claim, or recourse from third parties (Data Subjects, Supervisory Authorities, or other third parties) in this regard. In accordance with Article 82 of the GDPR, it is reiterated that OliveSoft’s liability, as a Data Processor for the Client, is strictly limited to the contractual obligations assumed within the framework of the service agreement.

If both Parties are jointly declared responsible for damage caused to a Data Subject due to the processing of their Data, OliveSoft will only be liable for damages proportional to its contractual responsibility towards the Client.

Article 15. Identification of Processing Activities

OliveSoft processes the following Personal Data as Data Controller:

OliveSoft collects, stores, processes, uses, and communicates personal data about you when you use the “contact us” section of the website:

OliveSoft collects and processes the following categories of data: Identification and contact data: for example, your identity, email address, phone number.

OliveSoft collects data about you to respond to your requests, questions, and complaints online. For this purpose based on our legitimate interest, we ensure to consider any potential impact that this collection may have on you and the users of the Site in general. If we believe that your interest or your fundamental rights and freedoms outweigh our legitimate interest, then we will not use your personal data on this basis and may ask for your specific consent.

The data is kept for a period not exceeding the duration necessary for the purposes for which they were collected and described above. They will then be permanently deleted from our systems or anonymized so that you are no longer identified or identifiable.

Article 16. Identification of Recipients of Processed Personal Data

In addition to the aforementioned Subprocessors, OliveSoft may be required to communicate the Personal Data it processes to the following categories of recipients:

  • OliveSoft personnel: for the exercise of their functions, for purposes strictly necessary for the provision of the Services in accordance with the Contract;
  • Accounting firm: for the management of OliveSoft’s accounting;
  • External auditors: for the certification of annual accounts;
  • Administrative and/or judicial authorities: in case of company audit and/or dispute involving the Client. In the latter case, OliveSoft will do its best to give the Client reasonable notice and allow the Client to seek any protective order or other appropriate relief, unless OliveSoft is prohibited from doing so by law or by the competent authority concerned.
Article 17. OliveSoft’s Commitments

OliveSoft undertakes to process the Personal Data of the Client and Users in strict compliance with data protection regulations. To this end, OliveSoft implements and maintains security measures for the Platform and more generally, its computer system, in accordance with the aforementioned Regulations, as further specified in ARTICLE 2 above.

Personal Data are strictly confidential and intended exclusively for OliveSoft,, which prohibits the exploitation of Personal Data for purposes other than those mentioned above. Only the recipients mentioned in ARTICLE 16 above may have access to the Personal Data, for the sole purpose of exercising their missions.

OliveSoft undertakes to keep the Personal Data processed for the duration mentioned above.

Article 18. Transfers of Data outside the European Economic Area

The Client or the User expressly acknowledges that certain Subprocessors, mentioned in ARTICLE 16, are affiliated companies of foreign groups located outside the European Economic Area. Therefore, Personal Data may be transferred outside the EEA for technical reasons (e.g., platform management, remote maintenance, etc.) or due to a legal or regulatory request. OliveSoft will notify the Client promptly if such a request is made and will only transmit the Personal Data to the authorities with the express agreement of the Client. If such notification is not permitted (preservation of confidentiality or a judicial investigation), OliveSoft will notify the Client or the User as soon as it is legally authorized to do so.

Outside of these cases, OliveSoft undertakes to take all legal measures recognized as appropriate by data protection regulations to control the transfer in question and ensure that it complies with the requirements of the aforementioned Regulations.

Article 19. Rights of Data Subjects

The Client and each User have the following rights over their Personal Data:

  • Right of Access: obtain confirmation of the processing of their Personal Data as well as certain information about the processing;
  • Right to Rectification: obtain the rectification of their Personal Data when they are inaccurate or incomplete;
  • Right to Erasure: under the conditions set out in Article 17 of the GDPR, obtain the erasure of their Personal Data when they are no longer necessary in relation to the purposes for which they were collected or when the Client or the User objects to the processing of their Personal Data;
  • Right to Restriction of Processing: obtain the restriction of processing of their Personal Data when the Client or the User contests the accuracy of the data, when the retention period for the Personal Data has expired but the Client or the User still needs to retain these Personal Data for the establishment, exercise, or defense of a legal claim, or if the Client or the User has objected to the processing;
  • Right to Data Portability: obtain the communication of the Personal Data that the Client or the User has provided to OliveSoft in a readable format, or request OliveSoft to transmit the Personal Data that the Client or the User has provided to another data controller;
  • Right to Object: under the conditions of Article 21 of the GDPR, object at any time, for reasons related to their particular situation, to the processing of their Personal Data, including when this objection concerns commercial prospecting, including profiling;
  • Withdrawal of Consent: withdraw their consent to the future processing of their Personal Data by OliveSoft, when the processing is based on consent;
  • Right to Lodge a Complaint: lodge a complaint with the French Data Protection Authority (CNIL) if they consider that the processing carried out by OliveSoft constitutes a violation of their Personal Data. The CNIL services can be contacted via an online form available here: CNIL Form.
Article 20. Exercise of Data Subjects’ Rights

You can exercise these rights or ask any questions regarding the management of your personal data by contacting our Data Protection Officer: