This Data Processing Agreement (hereinafter “DPA”) is entered into between MyScript SAS, a French company located at 3 rue de la Rainière, 44339, Nantes, France (hereinafter “MyScript” or the “Processor”) and You (hereinafter “You”, “Your” or the “Controller”), and both together jointly referred to as the “Parties”.
This DPA forms an integral part of MyScript’s Legal Notice and Terms of Use and is legally binding for anyone who creates a MyScript account. If You do not create a MyScript account this DPA is not applicable.
This DPA complies with the requirements of the current legal framework in relation to data processing and with the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
1.1 Unless otherwise defined herein, capitalized terms and expressions used in this DPA shall have the following meaning:
“Data Protection Laws” means laws and regulations of the European Union, the EEA and their Member States, Switzerland and the United Kingdom, applicable to the Processing of Personal Data, including the GDPR;
“Data Transfer” means:
- a transfer of User Personal Data from You to the Processor; or
- an onward transfer of User Personal Data from the Processor to a Sub-processor, or between two establishments of the Processor, in each case, where such transfer would be prohibited by Data Protection Laws (or by the terms of data transfer agreements put in place to address the data transfer restrictions of Data Protection Laws);
“DPA” means this Data Processing Agreement including all Schedules;
“EEA” means the European Economic Area;
“GDPR” means EU General Data Protection Regulation 2016/679;
“End-User” means the physical person(s) granted access by You to use MyScript Cloud recognition through the developer portal;
“Services”means the services MyScript provides either (i) through Nebo cloud storage and sharing platform or (ii) managing and replying to Nebo support request or (iii) through the MyScript developer portal for text recognition. These Services are only accessible once You have created a MyScript account;
“Sub-processor” means any natural or legal person appointed by or on behalf of Processor to process User Personal Data on Your behalf in connection with the provision of the Services or this DPA;
“User Personal Data” means any Personal Data contained in any files, notes or documents that is uploaded to/sent to the Processor through the Services, such as any of Your notebooks that You upload to Nebo cloud. (This may include Your own personal data but also any personal data of any other natural person that you share with the Processor through the Service.)
1.2 The terms “Controller”, “Data Subject”, “Member State”, “Personal Data”, “Personal Data Breach”, “Processing” and “Processor” shall have the same meaning as in the GDPR, and their related terms shall be construed accordingly.
2.1 For the purposes of this DPA, and according to the definitions in the GDPR, MyScript acts as the Processor and You act as the Controller.
2.2 Processor shall:
- comply with all applicable Data Protection Laws in the Processing of User Personal Data; and
- not process User Personal Data other than under Your documented instructions.
2.3 You hereby instruct Processor to process User Personal Data in order to provide the Services.
Processor shall take reasonable steps to ensure the reliability of any employee, agent or contractor of the Processor who may have access to User Personal Data, ensuring in each case that access is strictly limited to those individuals who need to access the relevant User Personal Data for the provision of the Services or to carry out their role within Processor’s organization, and to comply with applicable laws in the context of that individual’s duties to the Processor, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.
4.1 Processor’s Security Responsibilities
4.1.1 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Processor shall, in relation to the User Personal Data, implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR.
4.1.2 In assessing the appropriate level of security, Processor shall take into account, in particular, the risks that are presented by Processing, in particular from a Personal Data Breach.
4.1.3 Processor’s security measures are further detailed in Schedule 2 of this DPA.
4.2 Your Security Responsibilities
4.2.1. You agree that, without prejudice to Processor’s obligations under Section 4.1 (Security Measures) and Section 7 (Personal Data Breach):
4.2.1.1 You are solely responsible for Your use of the Service, including (i) making sure you have obtained all necessary permissions from any natural persons whose Personal Data is processed through the Service, and (ii) keeping all Your login credentials and passwords safely and changing them regularly.
4.2.1.2. Processor has no obligation to protect User Personal Data that You elect to store or transfer outside of Processor’s (or Sub-processors’) systems.
4.2.2. You are solely responsible for reviewing the security measures and evaluating for yourself whether the Service, the security measures, the additional security information and Processor’s commitments under this Section 4 (Data Security) will meet Your needs, including with respect to any security obligations of Your jurisdiction’s applicable data protection laws.
5.1 Processor shall not transfer User Personal Data to any third parties and shall not appoint (or disclose any User Personal Data to) any Sub-processor unless required or authorized by You.
5.2 You hereby authorize the Sub-processors listed in Schedule 1 of this DPA to receive and process User Personal Data as necessary for the provision of the Services. Processor shall inform You of any change to Schedule 1 before the Processing of any User Personal Data by any new Sub-processor and You may cease using the Services.
5.3 Processor shall be liable for the acts and omissions of its Sub-processors to the same extent Processor would be liable if performing the services of each Sub-processor directly under the terms of this DPA and the Legal Notice and Terms of Use.
6.1 Taking into account the nature of the Processing, Processor shall assist You by implementing appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Your obligations, as reasonably understood by Processor, to respond to requests to exercise Data Subject rights under the Data Protection Laws, namely right of access, right to rectification, restriction of Processing, erasure, data portability, objection to the Processing, or its right not to be subject to an automated individual decision making (hereinafter “Data Subject Request”).
6.2 Processor shall:
- promptly notify You if it receives a request from a Data Subject under any Data Protection Law in respect of User Personal Data; and
- ensure that it does not respond to that request except on Your documented instructions or as required by applicable laws to which the Processor is subject, in which case Processor shall to the extent permitted by applicable laws inform You of that legal requirement before the Processor responds to the request.
6.3 Taking into account the nature of the Processing, Processor will assist You by appropriate technical and organizational measures, insofar as it is possible, for the fulfillment of Your obligation to respond to a Data Subject Request under European Data Protection Laws. In addition, to the extent You, in Your use of the Service, do not have the ability to address a Data Subject Request, Processor shall, upon Your written request, provide You with reasonable cooperation and assistance to facilitate Your response to such Data Subject Request, to the extent Processor is legally permitted to do so and the response to such Data Subject Request is required under European Data Protection Laws. To the extent legally permitted, You shall be responsible for any costs arising from Processor’s provision of such assistance.
7.1 Processor shall notify You and the Competent Supervisory Authority without undue delay upon Processor becoming aware of a Personal Data Breach affecting User Personal Data, providing You with sufficient information to allow You to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Data Protection Laws.
7.2 Processor shall co-operate with You and take reasonable commercial steps as are directed by You to assist in the investigation, mitigation and remediation of each such Personal Data Breach.
7.3 Notification(s) of any Personal Data Breach will be delivered to You by direct communication. You are solely responsible for ensuring that any contact information, including notification email address, provided to Processor is current and valid.
7.4 Processor will not assess the contents of User Personal Data in order to identify information subject to any specific legal requirements. You are solely responsible for complying with incident notification laws applicable and fulfilling any third-party notification obligations related to any Personal Data Breach.
7.5 Processor’s notification of, or response to, a Personal data Breach under this Section 7.1 (Personal Data Breach) will not be construed as an acknowledgement by Processor of any fault or liability with respect to the Personal Data Breach.
Processor shall provide You with reasonable assistance with any data protection impact assessments, and prior consultations with the supervising authorities or other competent data privacy authorities, which You reasonably consider to be required by article 35 or 36 of the GDPR or equivalent provisions of any other Data Protection Law, in each case solely in relation to Processing of User Personal Data by Processor, and taking into account the nature of the Processing and information available to the Processor.
9.1 Upon Your express request or upon deletion of Your account by Yourself, Processor shall delete User Personal Data that has been Processed or is being Processed by Processor. Deletion is definitive and Processor shall keep no copies of such User Personal Data.
9.2 Upon cessation of the Services, Processor shall promptly, and in any event within 12 months of the date of cessation of any Services involving the Processing of User Personal Data, delete and procure the deletion of all copies (if any) of those User Personal Data that have been transferred to Processor (or any Sub-processors) during the provision of the Service.
10.1 Processor shall regularly perform audits and shall ensure that all Sub-processors do the same, in order to ensure compliance with this DPA and their obligations under applicable Data Protection Laws.
10.2 Subject to this Section 10, Processor shall make available to You on request, and provided a sufficient confidentiality agreement is in place, all information necessary to demonstrate compliance with this DPA, in relation to the Processing of the User Personal Data by the Processor and/or Sub-processors.
10.3 You may request to conduct any audit, including any inspection, You have the right to request or mandate on Your own behalf, and on behalf of Your controllers when You are acting as a processor, under applicable Data Protection Law, by instructing Processor to carry out the audit described in Section 10.1.
10.4 If You wish to change this instruction regarding the audit, then You have the right to request a change to this instruction by sending Processor a written notice to legal@myscript.com. If Processor declines to follow any request and/or instruction requested by You regarding audits, including inspections, You are entitled to terminate the Services immediately.
11.1 The Processor may not transfer, or authorize the transfer of, User Personal Data to countries outside the EU and/or the EEA without Your prior written consent. If Personal Data processed under this DPA is transferred from a country within the European Economic Area to a country outside the European Economic Area, the Parties shall ensure that the User Personal Data is adequately protected. To achieve this, the Parties shall, unless agreed otherwise, rely on EU approved standard contractual clauses for the transfer of Personal Data.
11.2 A list of Sub-processors who receive User Personal data, as well as countries in which they are based, is provided in Schedule 1 to this DPA. For the purposes of Section 11.1 above, You consent to the transfer of User Personal Data to the Sub-processors listed in Schedule 1.
12.1 Duration. This DPA takes effect upon Your acceptation of the Legal Notice and Terms of Use and shall remain in effect for as long as the Processor provides You the Services.
12.2 Notices. All notices and communications given under this DPA must be in writing and sent through email to the address used to create a MyScript account in the case of MyScript contacting You, and must be sent to legal@myscript.com in case You wish to notify MyScript.
12.3 Law and jurisdiction. This DPA is governed by the laws of France. Any dispute arising out of or in connection with this DPA, which the Parties will not be able to resolve amicably, will be submitted to the exclusive jurisdiction of the competent French courts or authorities.
12.4 Severance. Should any provision of this DPA be invalid or unenforceable, then the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the Parties' intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.
12.5 The Competent Supervisory Authority to contact in case of a claim, complaint or request is the Commission Nationale des Informations et des Libertés (CNIL) and can be contacted through https://www.cnil.fr/fr/plaintes/.
1.1 Nebo Cloud services
| Sub-processor | Purpose | Data center location |
|---|---|---|
| AWS | Cloud infrastructure provider | EU |
| Freshworks | Receiving and managing support requests which may include the transfer of files (notebooks) | EU |
| Claranet | Infrastructure runner | EU |
1.2 Nebo generative artificial intelligence features
| Sub-processor | Purpose | Data center location |
|---|---|---|
| OpenAI | Service provider | Worldwide (SCC) |
| AWS | API hosting | EU |
1.3 MyScript Cloud recognition through the developer portal
| Sub-processor | Purpose | Data center location |
|---|---|---|
| AWS | Cloud infrastructure provider | Oregon, USA (SCC) |
| Claranet | Infrastructure runner | EU |
Processor will implement and maintain the following technical and organizational security measures when processing User Personal Data on Your behalf:
Physical Access Controls
Processor shall take reasonable measures to prevent physical access, such as secured buildings and secured server rooms, to prevent unauthorized persons from gaining access to User Personal Data, or ensure Sub-processors that are operating data centers on its behalf are adhering to such controls.
System Access Controls
Processor shall take reasonable measures to prevent User Personal Data from being used without authorization. These controls shall vary based on the nature of the Processing undertaken and may include, among other controls, authentication via passwords, combined with multi-factor authentication where applicable, documented authorization processes, firewalls, documented change management processes and/or, logging of access on several levels and automatic security updates.
System Access Controls
Processor shall take reasonable measures to prevent User Personal Data from being used without authorization. These controls shall vary based on the nature of the Processing undertaken and may include, among other controls, authentication via passwords, combined with multi-factor authentication where applicable, documented authorization processes, firewalls, documented change management processes and/or, logging of access on several levels and automatic security updates.
Data Access Controls
Processor shall take reasonable measures to provide that User Personal Data is accessible and manageable only by properly authorized staff, direct database query access is restricted and application access rights are established and enforced to ensure that persons entitled to use a data processing system only have access to the User Personal Data for which they have privilege of access, and that User Personal Data cannot be read, copied, modified or removed without authorization in the course of Processing.
Transmission Controls
Processor shall take reasonable measures to ensure that it is possible to check and establish to which entities the transfer of User Personal Data by means of data transmission facilities are envisaged so User Personal Data cannot be read, copied, modified or removed without authorization during electronic transmission or transport. These measures include using certified secure server connections and limit cross origin resource sharing on all APIs.
Input Controls
Processor shall take reasonable measures to provide that it is possible to check and establish whether metadata has been entered into data processing systems, modified or removed. Processor shall make use of industry best practices, hereunder cryptographical protocols for authentication and secure audit logging.
Data Back-up
Back-ups of the databases in the Service are taken on a regular basis, are secured, and encrypted at rest to ensure that User Personal Data is protected against accidental destruction or loss. Snapshot are taken every 12 hours (AWS). Encrypted backup takes place every three days on our servers.
Name: MyScript SAS
Address: 3 rue de la Rainière 44339, Nantes, France
Contact person’s name, position and contact details: Emilie Fowell, DPO, legal@myscript.com
Activities relevant to the data transferred: Performance of the Services
Role (controller/processor): Processor
3.1 Nebo Cloud Services
1. Categories of data subjects whose personal data is transferred:
You may submit User Personal Data to the Services, the extent of which is determined and controlled exclusively by You.
2. Categories of personal data transferred:
- Unstructured User Personal Data contained in notebooks sent by You to the Processor through the Service for sharing with MyScript or for storing on Nebo cloud.
3. Special categories of data:
MyScript does not collect any special categories of data (such as racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic or biometric data, health and sex life). However, the content of the unstructured User Personal Data, as described above, is unknown to MyScript.
4. Frequency of the transfer
Unstructured User Personal Data is transferred to our Sub-processor(s) listed in Schedule 1 and on a continuous basis depending on the frequency of Your use of the Service.
5. Nature of the Processing
The nature of the Processing is the performance of the Services.
6. Purpose(s) of the data transfer and further Processing
MyScript will Process User Personal Data as necessary to perform the Services requested by You.
7. The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
Unstructured User Personal Data is transferred to Processor’s servers for as long as You decide to store or share User Personal Data through Nebo Cloud. If You delete Your MyScript account then all User Personal Data is automatically deleted from all storage points.
8. For transfers to (Sub-) processors, also specify subject matter, nature and duration of the Processing
The Sub-processor will Process User Personal Data as necessary to perform the Services. The Sub-processor will Process User Personal Data for as long as You have a MyScript account, unless otherwise agreed in writing or if You have requested a prior deletion of User Personal Data. Identities of the Sub-processors used for the provision of the Services and their country of location are listed in Schedule 1 of this DPA.
3.2 Nebo generative artificial intelligence features
1. Categories of data subjects whose personal data is transferred:
You may submit User Personal Data to the Services, the extent of which is determined and controlled exclusively by You.
2. Categories of personal data transferred:
- Unstructured User Personal Data contained in notebooks sent by You to the Processor through the Service in order to generate content and import it in Your notebooks.
3. Special categories of data:
MyScript does not collect any special categories of data (such as racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic or biometric data, health and sex life). However, the content of the unstructured User Personal Data, as described above, is unknown to MyScript.
4. Frequency of the transfer
Unstructured User Personal Data is transferred to our Sub-processor(s) listed in Schedule 1 and on a continuous basis depending on the frequency of Your use of the Service.
5. Nature of the Processing
The nature of the Processing is the performance of the Services.
6. Purpose(s) of the data transfer and further Processing
MyScript will Process User Personal Data as necessary to perform the Services requested by You.
7. The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
Unstructured User Personal Data is temporarily transferred to Sub-processor’s servers when You include it in a request to generate content through the articifial intelligent features.
8. For transfers to (Sub-) processors, also specify subject matter, nature and duration of the Processing
Identities of the Sub-processors used for the provision of the Services and their country of location are listed in Schedule 1 of this DPA. The Sub-processors will Process User Personal Data as necessary to perform the Services. The User Personal Data is kept by the Sub-processor OpenAI for 30 days in order to monitor for illegal and/or abusive content and then it is deleted. The User Personal Data only transits by the Sub-processor AWS servers and is instantaneously deleted.
3.3 MyScript Cloud recognition through the developer portal
1. Categories of data subjects whose personal data is transferred:
You may submit User Personal Data to the Services, the extent of which is determined and controlled exclusively by You.
2. Categories of personal data transferred:
- Unstructured User Personal Data contained in documents sent by You to the Processor through the Service for transformation from handwritten notes into typed text.
- End-User IP address.
3. Special categories of data:
MyScript does not collect any special categories of data (such as racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic or biometric data, health and sex life). However, the content of the unstructured User Personal Data, as described above, is unknown to MyScript.
4. Frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis)
All categories of data listed above are transferred to our Sub-processor(s) listed in Schedule 1 and on a continuous basis depending on the use of the Service.
5. Nature of the Processing
The nature of the Processing is the performance of the Services.
6. Purpose(s) of the data transfer and further Processing
MyScript will Process Personal Data as necessary to perform the Services.
7. The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
Unstructured User Personal Data is transferred to Processor’s servers the time for the Processing to take place, is then returned to the End-User and is not stored by the Processor. IP addresses are kept in log records for 12 months. Unstructured User Personal Data is not stored by the Processor unless specifically & expressly requested by You in writing.
8. For transfers to (Sub-) processors, also specify subject matter, nature and duration of the Processing
The Sub-processor will Process User Personal Data as necessary to perform the Services. The Sub-processor will Process Personal Data for as long as You use the Services, unless otherwise agreed in writing. Identities of the Sub-processors used for the provision of the Services and their country of location are listed in Schedule 1 of this DPA.
Competent Supervisory Authority
The Competent Supervisory Authority to contact in case of a claim, complaint or request is the Commission Nationale des Informations et des Libertés (CNIL) and can be contacted through https://www.cnil.fr/fr/plaintes/.