These TEHTRIS MTD General Terms and Conditions form an Agreement between the Customer and TEHTRIS for the subscription to the TEHTRIS MTD Solution and the associated services (hereinafter referred to as the “TEHTRIS Service”).
The commencement of the TEHTRIS Service constitutes full and unreserved acceptance of the Agreement and the waiver by the Customer of any general terms and conditions of purchase, and constitutes a firm and definitive order by the Customer, who may not cancel it.
By downloading, installing, copying or otherwise using the TEHTRIS Service, the Customer acknowledges that he has read, understood and is deemed to have accepted the provisions of the Agreement. If the Customer does not agree to them, the Customer is not authorized to install and/or use all or part of the TEHTRIS Service for any purpose.
Article 1. Definitions
Capitalized terms in the Contract, when used in the singular and/or plural, shall have the following meaning:
“Alert” means feedback from the software analysis of Events indicating that a certain threshold set by TEHTRIS or a certain technical abnormality, has been reported within the TEHTRIS Service.
“Appliance” or “Virtual Machine” or “VM” means a virtual server configured to perform specialized tasks based on the TEHTRIS Solution with which the Appliance is associated. There may be multiple Appliances for a single TEHTRIS Solution. Appliances are located in the TEHTRIS datacenter.
“Customer” or “User” means any natural or legal person who has subscribed to the TEHTRIS Service by entering into this Agreement and is a professional within the meaning of French law.
“Contract” means this document, its Appendices and any amendments. It defines the rights and obligations of the Parties.
“Documentation” means all documents, in whatever form or medium, readable by man and/or machine, that enable the operation of an application or computer component that is part of the TEHTRIS Solutions or, more generally, an element that makes up the TEHTRIS Service to be understood.
“Data” means the Customer’s technical security data, the use of which is the subject of the Agreement.
“Intellectual Property Right(s)” means all (a) rights related to copyright and related rights, including, but not limited to, economic and moral rights, (b) trademark rights, company names and related rights, (c) trade secrets, (d) patent, design and database rights, (e) other Intellectual and Industrial Property Rights of every kind and nature, and (f) registrations, initial applications, renewals or extensions thereof (including all rights to make or apply for any of the foregoing).
“Equipment” means an operational element associated with a given TEHTRIS Solution, deployed and/or configured on the corresponding Appliance (example: a BAT agent, etc.).
“Event” means a security event generated by the Customer’s information system components and collected by the TEHTRIS Solutions that may qualify as a Security Incident depending on its criticality.
“Credentials” means the User’s own identifier (“login”), password, and digital certificate for logging into a TEHTRIS digital environment.
“Intranet” refers to the Customer’s own computer network, using the “TCP/IP” protocols.
“Log” means an event log containing sequential records, usually time-stamped, from a computer system or application process.
“Partner” means an entity other than TEHTRIS with whom the User has purchased a subscription for the TEHTRIS Service. It may be a reseller and/or distributor of TEHTRIS products.
“Security Incident” means an Event that may compromise the integrity, availability, confidentiality, or accountability of all or part of the Customer’s infrastructure.
“Software” means any software provided by TEHTRIS to the Customer, including certain elements present and/or used in the TEHTRIS Service.
“Technical Requirements” means a set of conditions to be met by the Customer in using the TEHTRIS Service.
“TEHTRIS” means TEHTRI-Security, SAS, with a capital of 139 816 €, whose registered office is located at 13-15 rue Taitbout, 75009, PARIS, France, registered with the Paris RCS under the SIRET number 521 474 445.
“TEHTRIS Service(s)” or “Service(s)” means all TEHTRIS Solutions, TEHTRIS Operational Services as subscribed to by Customer and provided remotely by TEHTRIS. The term “TEHTRIS Services” is extended to the Documentation relating to such Services.
“TEHTRIS Solution” means operational cybersecurity functionality provided as SaaS, commissioned from one or more Appliance(s), consisting of multiple Equipment.
“TEHTRIS Operational Service(s)” means an optional service.
“Third Party Provider” means a provider other than TEHTRIS and providing the Customer with digital services.
Article 2. Contractual documents
The Contract is made up of the following contractual documents presented in hierarchical order of decreasing legal value:
- This Contract and its appendices:
  - Schedule 1 – Services Agreement
  - Appendix 2 – Quality Charter
  - Appendix 3 – Processing of personal data
- Order and/or quotation signed by the Parties.
In the event of a conflict between one or more contractual provisions contained in one of these documents, the provision of the higher ranking document shall prevail. In the event of a conflict between the terms of documents of the same rank, the most recent shall prevail.
Article 3. Duration and effect
The Agreement shall come into force and apply in the manner and for the duration agreed between TEHTRIS and the User or between the Partner and the User.
Unless otherwise agreed to by the Parties, User shall not use the TEHTRIS Solutions as a service provider or similar activity for the benefit of third parties.
Article 4. Try and Buy
Only in the cases expressly agreed between the Parties, the User may benefit from the possibility of testing the Services (hereinafter “Try and Buy”) for a maximum period of one (1) month, unless otherwise agreed in writing. The purpose of this phase is to allow the User to verify and validate the suitability of the Services for its needs. The Try and Buy phase begins on the date the Agreement takes effect.
During this Try and Buy phase, subject to having been agreed between the Parties, the service level agreements (SLA) will not apply.
At the end of the Try and Buy phase, the application of the Agreement will continue automatically.
If the User wishes to terminate the Try and Buy phase, the User shall notify TEHTRIS of its choice not to continue the Agreement, which shall automatically terminate five (5) business days from the date of receipt of the notification by TEHTRIS. In the event that the User decides to terminate the Agreement following the Try and Buy phase, the User shall remain liable to pay for the Services until the date of termination of the Agreement.
Article 5. Intellectual Property
5.1 SaaS license
TEHTRIS grants the User a personal, non-exclusive, non-assignable and non-transferable right to access and to use the TEHTRIS Service for the entire term of the Agreement and worldwide. The license is granted for the sole and exclusive purpose of enabling the User to use the TEHTRIS Service for its internal purposes and in accordance with its documentation, to the exclusion of any other purpose. The right of use shall mean the right to represent and implement the TEHTRIS Service in accordance with its intended purpose, in SaaS mode via a connection to an electronic communications network.
Unless otherwise agreed between the Parties, the User may not make the TEHTRIS Service available to any third party not acting on its behalf. The User is strictly prohibited from making any other use, in particular, but not limited to, any adaptation, modification, translation, arrangement, distribution or decompilation.
TEHTRIS is and shall remain the owner of all Proprietary Rights relating to the TEHTRIS Service made available to the User, its know-how and methods used in the performance of the Agreement, as well as the entire IT infrastructure (software and even hardware where applicable) provided by TEHTRIS and implemented or developed under the Agreement. The Software and associated documentation, all copies, improvements, modifications and derivative works thereof, and all associated Intellectual Property Rights, are and shall remain TEHTRIS’ sole and exclusive property.
The Agreement does not grant the User any ownership right in the TEHTRIS Service. The TEHTRIS Service’s temporary provision for the Agreement duration shall not be construed as the transfer of any Intellectual Property Right to the User within the meaning of the French Intellectual Property Code.
TEHTRIS expressly declares that it does not provide User or any other person with any access or right, under any condition, to the source codes of all or part of any component of the TEHTRIS Service.
User shall not reproduce any part of the Software, or any documentation relating thereto, by any means or in any form and on any medium. Subject to applicable public policy provisions, the User is not permitted to decompile the Software, codes and algorithms used in the TEHTRIS Service.
The User and any third party who may have access to the TEHTRIS Service undertake not to develop competing solutions offering all or part of the elements offered in the TEHTRIS Service, throughout the performance of the Agreement and for a period of ten (10) years from the Agreement end and throughout the world.
The User is and remains the owner of all Data that it sends to the TEHTRIS Service.
TEHTRIS reserves the right on an ongoing basis to use and exploit malware and any malicious or suspicious elements for research and development, analysis, reporting and statistical purposes, and for continuous improvement of the TEHTRIS Service’s performance.
Article 6. Maintenance
TEHTRIS provides technical (1), corrective (2) and evolutionary (3) maintenance of the TEHTRIS Service in France.
TEHTRIS shall not be liable for maintenance in any of the following cases: (i) use of all or part of the TEHTRIS Service, not in accordance with its intended purpose or documentation; (ii) unauthorized modification or misuse of the TEHTRIS Service, by the Customer or a third party under the Customer’s responsibility; (iii) failure by the Customer to meet its obligations under the Agreement; (iv) refusal by the Customer to carry out updates requested by TEHTRIS; (v) implementation of software packages, software or operating systems that are not compatible with the TEHTRIS Solutions; (vi) use of elements that are incompatible with the Technical Requirements; (vii) failure of electronic communication networks; (viii) deliberate acts of damage, malice or sabotage; (ix) force majeure.
TEHTRIS reserves the right to tune and delete the oldest Alerts and/or Logs that are reported or stored when the proper functioning of a TEHTRIS XDR Platform and/or a Cloud Appliance could be in question (including, but not limited to, an almost full disk, a problem with backups, or a problem with CPU and RAM).
6.1 Technical maintenance
TEHTRIS updates the various components of the TEHTRIS Service (Appliance, servers, databases, application of security patches, etc.). All or part of the TEHTRIS Service may occasionally be temporarily suspended due to interventions required for its proper operation. TEHTRIS shall not be liable for any impact of such unavailability on the User’s activities. Technical maintenance is scheduled by mutual agreement with the User, except in case of an emergency maintenance (such as a security patch).
6.2 Corrective maintenance in case of anomaly
TEHTRIS commits to perform the corrective maintenance of the TEHTRIS Services under the conditions described in Appendix 1. The notion of a defect refers to any malfunction or non-conformity of the TEHTRIS Solutions with their specifications and purpose, reproducible by the User, which prevents the normal operation of all or part of the TEHTRIS Solutions. The several anomaly levels are defined in Appendix 1.
TEHTRIS shall qualify the level of defect and may, at its sole discretion, diagnose a defect and make error and/or bug corrections or updates.
6.3 Upgradeable maintenance
By default, minor upgrades, i.e., a change from an X.y. to an X.z. version, as well as minor functional upgrades (all of which are hereinafter referred to as “Minor Upgrades”) of the TEHTRIS Service are included and subject to the terms of the Agreement.
Interventions relating to Minor Updates may make all or part of the TEHTRIS Service temporarily unavailable. TEHTRIS shall not be liable for any impact of such unavailability on the User’s activities. Evolutionary maintenance is scheduled by mutual agreement with the User. TEHTRIS reserves the right to delete features in order to adapt to global developments in information technology. The frequency of evolutionary maintenance is about three (3) per year on average.
The upgrade to a major version, i.e. a change from version X to Y involving a substantial change in the operation of all or part of the TEHTRIS Service, may be submitted to the User through a new quote when special conditions are needed. User may refuse to upgrade to a higher major version for a period of three (3) months from the new major version’s public availability. At the most, at the end of this three (3) month period, the Parties agree to meet in order to define the transition to the new version. As it is not advisable to maintain the old versions in operational condition, the User is advised to apply the proposed changes in order to continue to benefit from the advanced security features.
Article 7. Financial conditions
The financial terms are agreed between the User and TEHTRIS or between the User and a third-party reseller (including TEHTRIS’ partner).
In the event that the financial terms applicable between TEHTRIS and the User are not specified in a specific document, the provisions below of this article “Financial conditions” shall apply.
Services are payable according to the following timeframes:
- Services are by default invoiced annually in arrears. The invoice is calculated on the basis of the Services mentioned in the quote. Any change will result in TEHTRIS adjusting the corresponding invoice.
- Other non-recurring services (training, integration, consulting, etc.) are invoiced monthly in arrears.
- Invoices shall be payable within thirty (30) days from the date of issue, by direct debit or bank transfer. By default, the billing address is that of the registered office of the recipient of this quotation. Unless otherwise agreed between the Parties, it is expressly agreed that the amount of the sums invoiced may be revised annually by TEHTRIS.
The prices agreed between TEHTRIS and the recipient of this quotation are exclusive of taxes and charges. Prices are indexed to the SYNTEC index. They shall be revised on the anniversary date of the commencement of the Services in accordance with the revaluation of the SYNTEC index, in accordance with the following formula: P = Po (S/So) where:
- P represents the price after revision,
- Po is the price defined in the quotation,
- S is the most recent SYNTEC index published on the revision date,
- So is the SYNTEC index known at the date of signature of this Agreement.
Without prejudice to any damages, failure or delay in payment, including partial payment of an invoice, shall automatically result, on the day following the due date, in: (i) the application of late payment interest equal to three (3) times the legal interest rate, without prior notice and as of the first day of delay; (ii) additional bank and management fees (follow-up of collection, reminder letters and telephone charges, representation of direct debit rejections) in accordance with Article L.441-10 of the French Commercial Code and (iii) the suspension of the Services after a period of thirty (30) days of notification by registered letter with acknowledgement of receipt that has remained unsuccessful and consequently leading to the automatic termination of the Contract for breach of an essential obligation.
As an exception to the provisions of the “Contractual Documents” article, paragraphs 2 to 4 of this “Financial Conditions” article do not take precedence over the information contained in the quotation.
Article 8. Quality of service
TEHTRIS shall use its best efforts to warrant the TEHTRIS Service against programming defects for the duration of the Agreement. This warranty shall lapse if any person acting on behalf of the User or any third party modifies or attempts to modify the TEHTRIS Service or any part thereof.
TEHTRIS shall not be liable for any unavailability or slowdown of the TEHTRIS Service and in particular the TEHTRIS Solutions, due to the technical hazards inherent in the Internet as well as the service provider and data host provider, and the access interruptions that may result. Subject to the Service Level Agreements (“SLAs”) set forth in Appendix 1, TEHTRIS is unable to guarantee the continuity of the TEHTRIS Service.
It is the User’s responsibility to comply with the volume thresholds indicated through the choice of options on network speeds, hard disk sizes and other technical criteria provided for in the Agreement, and to notify TEHTRIS of any increase in its processing capacity requirements.
TEHTRIS makes no other express or implied warranties with respect to the TEHTRIS Service, including, without limitation, any implied warranty of merchantability or fitness for a particular purpose. The Parties acknowledge that software may contain errors and that not all errors are economically correctable or necessary to correct. TEHTRIS therefore does not warrant that all failures or errors in the TEHTRIS Service will be corrected.
Article 9. Penalties
TEHTRIS undertakes to comply with the performance deadlines and service levels stipulated in the Agreement. Where expressly provided for in the Agreement, TEHTRIS shall be liable to penalties that may be provided for in the Special Service Agreement.
The purpose of any such penalties is to penalise non-compliance with its obligations that is attributable exclusively to TEHTRIS. Under no circumstances shall the Customer be entitled to avail itself of this section and claim penalties in the event of failure resulting in whole or in part from: (i) events or factors beyond the control of TEHTRIS such as, but not limited to, force majeure, acts of a third party, problems with the connection to the Internet network, malfunction of the Internet network, malfunction or misuse of hardware or software under the Customer’s control, computer attack; (ii) a failure by the Customer to comply with the obligations incumbent on it under the Agreement (in particular failure to cooperate); (iii) misuse or inappropriate use of the TEHTRIS Service by the Customer; (iv) maintenance in accordance with the Maintenance section; (v) loss of Data and/or interruption and/or reduction in service by the telecommunications operator, the Data hosting operator or the electricity supplier; (vii) failure of the electronic communication networks or Internet transport networks or the associated IT platforms (hardware and software), in particular its access provider(s) and Data hosts. The application of any of the cases of exclusion defined above shall be established by TEHTRIS by any means, and in particular on the basis of the elements of TEHTRIS’ information system (such as connection data), which, by express agreement between the Parties, shall be admissible. For any service made available free of charge or offered by TEHTRIS to the Customer, the associated SLA is not guaranteed and no credit may be granted to the Customer in the event of non-compliance with it.
The penalties are directly deducted from the Customer’s next invoice upon request by the latter, made by e-mail, at the latest, the month following the month during which the unavailability was noted by the Customer. Failing this, the Customer will no longer be entitled to claim said compensation.
It is expressly agreed that the penalties shall constitute a lump-sum compensation for the Customer for all losses resulting from TEHTRIS’s failure to comply with the SLAs in question; the Customer hereby waives any other claim, complaint and/or action.
Article 10. Liability
Each of the Parties shall be liable for the consequences resulting from its own faults, errors or omissions, as well as those of its subcontractors, if any, and causing direct and foreseeable damage to the other Party.
This section “Liability” shall be effective even if the Agreement is terminated.
10.1 TEHTRIS’ responsibility
TEHTRIS shall provide the TEHTRIS Service to the User on the dates and terms agreed between the User and the Partner.
With respect to the capacity and performance of the TEHTRIS Solutions and TEHTRIS Operational Services, TEHTRIS is subject only to an obligation of means, meaning that TEHTRIS cannot guarantee the prevention and detection in full and in real time and/or in delayed time, of any attack or computer threat, of any Security Incident, of any failure affecting all or part of the monitored information system.
As an IT professional and as part of its duty to advise, TEHTRIS will provide the User with any recommendation necessary to optimize its choices and ensure the most appropriate coverage of its needs.
Should TEHTRIS provide consulting services to the User, TEHTRIS shall not be liable for any decision made by the User insofar as the services concerned consist solely of providing observations and advice. As the User has a choice of a multitude of solutions, the decision whether or not to implement the observations and advice rests solely with the User.
10.2 User’s own responsibility
The User undertakes to cooperate with TEHTRIS and to provide or ensure access to any information or material that TEHTRIS may reasonably require in order to fulfill its obligations under this Agreement. In particular, the User shall notify TEHTRIS of any specific legal and regulatory requirement to which it is subject, including those relating to computer security and its industry, so that such requirements can be taken into account by TEHTRIS, which shall use its best efforts to meet them.
The User shall be deemed to have or to have obtained from any third party all ownership and access rights to the information systems within the scope of the TEHTRIS Service. The User shall be solely liable for any damage that may result from such absence.
The User is solely responsible for: the technical choices and security measures concerning the physical hosting of its equipment (hardware) and computer solutions (software) on which the TEHTRIS Solutions will be installed; its infrastructures where the TEHTRIS Service will be used; the soundness of the networks connecting the TEHTRIS Solutions, as well as the networks on which the Data is transmitted between the TEHTRIS Service and the external infrastructures.
The User is solely responsible for the selection and modification of security configurations of the TEHTRIS Solutions and the consequences thereof. TEHTRIS shall comply with the User’s instructions and shall not be liable for any damages in this regard.
The User is solely responsible for the content of the Data transmitted to the TEHTRIS Service in any capacity whatsoever.
The User undertakes to use the TEHTRIS Service, including network and system resources, in a professional manner that respects TEHTRIS’ rights. If malicious or illegal actions are observed towards TEHTRIS’s infrastructure or on any element or sub-element of the TEHTRIS Service or unlawful investigations to study its internal workings are carried out by the User or any person acting on its behalf, TEHTRIS reserves the right to suspend access to the TEHTRIS Service entirely and terminate the Agreement for breach of the essential obligation of professional use of the TEHTRIS Service.
The User is responsible for the use, custody and confidentiality of the Credentials. The User shall bear the sole responsibility for the consequences that may result from the loss, disclosure, or fraudulent or unlawful use of the Credentials. If User becomes aware of any unauthorized access, User shall notify TEHTRIS immediately by e-mail.
10.3 Limitation of liability
In performing its obligations, neither Party shall exclude or limit its liability for: (i) death or personal injury resulting from negligence; (ii) fraud or fraudulent misrepresentation; or (iii) any other head of liability which cannot be excluded by law.
Neither Party shall be liable for any indirect or consequential loss or damage of the other Party, including, without limitation, any lost profits, inaccuracy or corruption of files or Data, commercial loss, loss of sales or profits, loss of goodwill, loss of opportunity, cost of procurement of substitute product or service or technology, regardless of the basis of liability: contract, tort, product liability or any other basis.
Under no circumstances shall TEHTRIS be liable on the following grounds: (i) use by the User or a third party of all or part of the TEHTRIS Service not in accordance with its intended purpose or documentation; (ii) unauthorized modification or misuse of the TEHTRIS Service by the User or a third party; (iii) failure by the User to comply with its obligations under the Agreement; (iv) refusal by the User to carry out the necessary updates requested by TEHTRIS; (v) implementation of software packages, software, operating systems or other elements not compatible with the technical requirements; (vi) loss of Data and/or interruption and/or decrease in service of the telecommunications operator, Data hosting operator, electricity supplier; (vii) failure of electronic communication networks or Internet transport networks or associated computer platforms (hardware and/or software), in particular of its access provider(s) and Data hosts; (ix) loss, disclosure or illicit or fraudulent use of the Credentials by the User or third parties; (x) force majeure.
Regardless of the nature, basis and terms of any action brought against TEHTRIS, in the event of proven fault on the part of TEHTRIS, the compensation due to the User for any loss suffered, for which the User shall provide full proof and evidence of the causal link, shall not exceed an amount equal to or equivalent to one hundred (100) percent of the sums received by TEHTRIS under this Agreement in respect of the last twelve (12) months prior to the occurrence of the loss.
The User waives the right to hold TEHTRIS liable by way of a warranty claim for any damage suffered by third parties who have used, directly or indirectly, TEHTRIS Services.
10.5 Third Party Provider
User may engage a Third-Party Service Provider to access, use and/or operate TEHTRIS Service. Such activity shall be performed on behalf of User and for the sole purpose of providing services to User. User is responsible for Third Party Service Provider’s compliance with the terms of the Agreement. Any breach of the Agreement by the Third-Party Service Provider shall be deemed to be the User’s. Each Third-Party Service Provider requiring access to the TEHTRIS Service shall be notified to TEHTRIS in writing with fifteen (15) days’ notice and approved in writing by TEHTRIS. TEHTRIS may deny access to a Third-Party Service Provider, including any entity that is a competitor of or affiliated with a business that is a TEHTRIS competitor or any entity not trained for the TEHTRIS Service use. Any failure on the part of the User, with respect to these types of access, shall be deemed a breach of an essential obligation of the Agreement.
TEHTRIS disclaims any responsibility for the activities provided by the Third Party Provider (including in the event of the Third Party Provider’s failure) and, except as otherwise provided, makes no commitment as to the compatibility between TEHTRIS Solutions and any solution developed by a Third Party Provider.
Article 11. Beta Test / Early User
The primary purpose of beta testing or early user operations is to test the relevant TEHTRIS Services. Such operations are subject to this Agreement and to TEHTRIS’ sole discretion as to their duration, purpose, organization and scope.
If User agrees to participate in a beta test or early user operation, User acknowledges that: the Services involved may contain errors, bugs and/or other defects; TEHTRIS makes no commitment to performance, warranty, data backup and/or maintenance with respect to such Services; and TEHTRIS shall have no liability with respect to beta test operations. It is recommended that User perform beta testing operations in a dedicated digital environment.
During the term of this Agreement, User agrees to use its best efforts to provide TEHTRIS with feedback regarding the Services subject to beta testing or early user, including error or bug reports. User hereby assigns to TEHTRIS all rights to such feedback. No compensation shall be claimed by User for such feedback.
User shall cease use and destroy all copies of all Services subject to the beta test or early user on the earliest of the following three dates: (i) upon the first request of TEHTRIS; (ii) fifteen (15) days after TEHTRIS releases the Services replacing the beta test or early user Services, or (iii) upon the scheduled expiration date of the beta test or early user operation.
User shall not make available to a third party, distribute or resell the beta-tested or early user Services, or use such Services as a basis for developing a competitive solution (or contract with a third party to do so).
Article 12. Force majeure
Neither Party shall be liable to the other Party for the non-performance or delay in performance of any obligation under this Agreement due to the act of the other Party or a third party or to the occurrence of an event of force majeure, as defined in Article 1218 of the French Civil Code and in case law.
The Party establishing the case of force majeure shall without delay inform the other Party of its inability to perform its obligation. In all cases, the prevented Party shall do everything in its power to limit the effects and duration of the force majeure.
In the event that the event is prolonged beyond a period of thirty (30) consecutive days, this Agreement may be terminated by either Party by registered letter with acknowledgment of receipt. Moreover, in this case, the User shall pay for all the Services performed until the day of the termination.
Article 13. Warranty of eviction
TEHTRIS represents and warrants: (i) that it holds all the Intellectual Property Rights required to enter into the Agreement; (ii) that the TEHTRIS Service, as well as the elements necessary for their operation provided in performance of the Agreement, do not infringe the rights of third parties and do not constitute an infringement of any pre-existing work or even infringement of any other software or other intellectual creation belonging to a third party; (iii) that the TEHTRIS Solutions developed are original within the meaning of the French Intellectual Property Code and do not constitute, in whole or in part, either infringement or unfair competition; and (iv) that nothing shall prevent the User from freely exploiting the elements resulting from the services for the Agreement’s duration.
In the event of legal action brought by a third party against the User and relating to an alleged infringement of the Intellectual Property guaranteed by TEHTRIS, TEHTRIS undertakes to assist the User in its defense and in compliance with the following conditions:
- The User has notified TEHTRIS of such action by registered letter with acknowledgment of receipt as soon as the User became aware of such action,
- That the alleged breach does not relate to changes made directly by the User without TEHTRIS’ prior authorization or to any other breach of this Agreement by the User.
Accordingly, if all or part of the TEHTRIS Solutions are recognized by a final court decision as constituting an infringement of Intellectual Property Rights attributable to TEHTRIS, TEHTRIS undertakes to reimburse the User for the costs of defense.
TEHTRIS undertakes to obtain the User’s right to continue to use the Solutions or, failing that, to terminate this Agreement by registered letter with acknowledgement of receipt, effective upon receipt.
The User undertakes to notify TEHTRIS immediately of any infringement of the Solutions of which it is aware, in which case TEHTRIS shall be free to take such measures as it deems appropriate.
Article 14. Confidentiality
In particular, the following shall be considered confidential Information: any quotation or business proposal from TEHTRIS and any request from the User; by default, any information concerning the TEHTRIS Solutions and the TEHTRIS Service generally that is not in the public domain; any information designated in writing as confidential by one of the Parties; any information relating to deliverables, services, organizations or activities of the other Party or a third party and, more generally, any information of a financial, technical or commercial nature.
Notwithstanding the foregoing, neither Party shall have any obligation with respect to confidential Information that: has fallen or will fall into the public domain through no fault of the receiving Party; is independently developed by the receiving Party; is legitimately known to the receiving Party prior to disclosure by the other Party; would legitimately be received from a third party not subject to an obligation of confidentiality; would be required to be disclosed by law or by order of a judicial or administrative authority lawfully entitled to require such disclosure, provided, however, that the Party required to disclose the information has given prior notice to the other Party.
Each of the Parties undertakes: to keep strictly confidential any confidential Information that has come to its knowledge in the course of the performance of the Agreement; not to disclose the confidential Information of the other Party to any third party or service provider, other than employees or agents with a need to know; to use the confidential Information of the other Party only for the purpose of exercising its rights and fulfilling its obligations under the Agreement; to inform the other Party as soon as possible in the event of a breach of the confidentiality obligation arising from this Agreement and to assist the other Party in determining the causes of and persons responsible for such breach; to return all copies of documents and media containing the other Party’s confidential Information, immediately upon termination of the Agreement, regardless of the cause, or undertake to destroy them, with the exception of the Agreement and the associated quotations; to ensure compliance with these obligations by its personnel and by any employee or third party who may be involved in any capacity whatsoever in the context of the Agreement.
The obligations of the Parties with respect to the confidential Information shall remain in effect for the duration of the Agreement and for so long after its termination as the information concerned remains confidential to the disclosing Party and, in any event, for a period of five (5) years after the term or termination of the Agreement.
User and its Third-Party service providers, if any, shall not, during the performance of the Agreement and for a period of two (2) years after the termination of the Agreement, publish or distribute to third parties any test results or usage results of the TEHTRIS Solutions, benchmarking or competitive analyses involving the TEHTRIS Service, except after obtaining TEHTRIS’ written consent.
TEHTRIS reserves the right to use results or reports obtained through the TEHTRIS Service for its own internal or external publications and use, subject to compliance with this Agreement.
Article 15. Processing of personal data
The Parties agree to comply with the current legislation and regulations applicable to the processing of personal data, in particular Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (GDPR).
Each Party is solely responsible for the processing that it carries out on its own behalf with the personal data transmitted by the other Party. The personal data transmitted for this Agreement’s performance shall not be used for any purpose other than its performance or monitoring or the monitoring of disputes, except in the cases provided for in the Agreement.
Each Party shall inform the data subjects of the personal data processing implemented and the means available to them to exercise their rights, as provided in Articles 15 to 23 of the GDPR. For any additional information, the User may contact the Data Protection Officer (DPO) of TEHTRIS at: privacy(@)tehtris.com
The processing and commitments with respect to the TEHTRIS Service are detailed in Appendix 3 – Personal Data processing.
Article 16. Audit
Throughout the term of the Agreement, TEHTRIS may, upon fifteen (15) days’ notice, conduct, or cause to be conducted by a third party, audits of the User’s use of the TEHTRIS Services. The purpose of such audits is to ensure that the User is complying with the terms and conditions of the User’s rights of use and rights acquired. The User shall endeavor to cooperate in good faith with TEHTRIS and/or its representative and to provide TEHTRIS with all information, access and documents required as soon as possible.
Article 17. Termination
If the User fails to perform all or part of any of its contractual obligations, TEHTRIS may terminate the Agreement by operation of law within one (1) month of the User’s formal notice of default, served by registered letter with acknowledgement of receipt, which has remained without effect.
The Agreement may be terminated by TEHTRIS in the event that the User has breached one or more of the Agreement’s essential obligations, in particular the stipulations relating to confidentiality, Intellectual Property and malicious use of the TEHTRIS Service, upon receipt of a registered letter with acknowledgement of receipt and without prior notice. In the event of a breach attributable to the User, the annual subscription shall be invoiced and the User shall not be entitled to reimbursement by TEHTRIS of any associated sum.
In the event of termination for any reason whatsoever, the User shall cease to use all Credentials. Each Party shall be released from any and all obligations owed to the other in connection with the performance of the Agreement, with the exception of those relating to confidentiality, liability and Intellectual Property. In addition, the User shall be obliged, where applicable, to immediately pay the invoices corresponding to the compliant Services already performed.
In addition, in the event of the User’s receivership or liquidation, this Agreement may be terminated by TEHTRIS as of right, unless the administrator decides otherwise, as provided for in Article L. 622-13 of the French Commercial Code.
Article 18. Values and Ethics
In application of the principles enshrined in French Law No. 2016-1691 of December 9, 2016 on transparency, the fight against corruption and the modernization of economic life, and in national and international Conventions, TEHTRIS pursues a demanding ethical policy and strictly condemns fraud, corruption and influence peddling.
TEHTRIS will only enter into contracts with like-minded partners. TEHTRIS also prohibits all anti-competitive practices and is committed to social and environmental responsibility.
Consequently, the User undertakes to actively combat all forms of fraud, whether social or economic, and all forms of corruption and influence peddling, whether in the context of relations with a public and/or private agent, at international, national or local level, whether these practices are engaged directly or indirectly.
In this respect, the User certifies that it has not, either directly or indirectly, made or offered and undertakes not to make or offer, promise, give, authorize or accept any payment, gift, promise or any other advantage, for the use or benefit of any other person, where such payment, gift, promise or advantage is or would be intended to influence an act or decision of such person; to induce such person to perform or refrain from performing an act in violation of legal obligations; to obtain an improper advantage; to perform or refrain from performing an act in violation of laws applicable to the activities governed by the Agreement.
The User undertakes to impose on its personnel and any subcontractors the obligations set forth in this Article and to obtain the same undertaking from its subcontractors and co-contractors.
In the event of a breach of the foregoing undertakings by the User, TEHTRIS reserves the right to terminate this Agreement without notice for breach by the User.
The Agreement may be terminated immediately and by operation of law, by registered letter with return receipt requested, without further formality in the event of a violation by the User, or any of its shareholders, of any Sanctions Regulations (hereinafter “Sanctions Regulations”) or if the User or any of its shareholders is directly subject to any Sanctions Regulations. Termination shall take effect on the day following the date of receipt of such notice by the User, unless another effective date of termination is specified by TEHTRIS to the User in such notice and without the need for TEHTRIS to put the User on notice. Sanctions Regulations shall mean: (i) all French legal and regulatory provisions relating to the fight against corruption and influence peddling, (ii) foreign regulations relating to the fight against corruption with extraterritorial scope, in particular the US Foreign Corrupt Practices Act and the UK Bribery Act insofar as they are applicable, and (iii) international restrictive measures adopted against natural or legal persons.
Article 19. Logo – User reference
The User grants TEHTRIS a personal, non-exclusive and non-transferable right to use the User’s logo, company name and website link, including reproduction (digital or hard copy), copying, mentioning as a customer reference (e.g. in response to calls for tenders, technical specifications of a prospect), communication to the public (online broadcasting or at a conference/forum). The logo, the name, the internet link and all related rights remain the exclusive property of the User. This right of use is granted geographically for the whole world and for the duration of the related copyrights, within the limit of the duration of this Agreement.
Article 20. Various
20.1 Partial invalidity
If one or more clauses of the Agreement are declared invalid pursuant to a law, a regulation or following a final decision of a competent court, the other provisions shall retain all their force and scope, unless the invalid clause(s) is (are) substantial and its (their) disappearance would jeopardize the contractual balance. In any event, the Parties shall make their best efforts to substitute a valid clause, in accordance with the spirit of the original text.
The fact that one of the Parties does not at a given time avail itself of any of the present stipulations and/or tolerates a breach by the other Party of any of the obligations referred to in the Agreement may not be interpreted as a waiver of the right to avail itself of any of the said stipulations at a later date.
20.3 Applicable law and language of the contract
Disputes arising from the interpretation and/or application of the Agreement are subject to French law. This applies to both substantive and formal rules. In case of dispute, the laws of the countries where the virtual servers are located do not apply and the Agreement remains subject to French law.
If the Agreement is written in more than one language or translated, the French version shall prevail.
For the performance of the present Agreement, the Parties respectively elect domicile at their registered offices indicated on the first page. Any change in the registered office or address of one of the Parties shall not be binding on the other Party until eight (8) calendar days after it has been duly notified.
20.4 Dispute Resolution and Jurisdiction
Unless otherwise stipulated in the Agreement, the Parties agree to consider electronic messages and more generally electronic documents exchanged between them in electronic form within the meaning of Article 1366 of the French Civil Code, as original writings. Each Party shall refrain from modifying the content of the electronic messages it has received or sent.
Each Party shall inform the other Party of any breach of contractual obligations committed by the latter, as soon as such breach has been discovered.
In the event of any difficulty in the interpretation and/or performance of this Agreement or any of its amendments, the Parties undertake, in the first instance, to cooperate diligently and in good faith with a view to finding an amicable solution to their dispute. To this end, as soon as a Party identifies a dispute with the other Party, it shall request the convening of an ad hoc meeting of the officials of each Party, in order to discuss the settlement of the matter in dispute. This meeting shall be convened by registered mail with return receipt. This meeting shall be held within a maximum of fifteen (15) days from the date of sending the request. IN THE ABSENCE OF SUCH AN AMICABLE SETTLEMENT, ANY POSSIBLE DISPUTE WHICH HAS NOT BEEN SETTLED WITHIN THIRTY (30) DAYS FROM THE DATE OF SENDING THE REQUEST FOR AN AD HOC MEETING, WILL BE BROUGHT BY THE MOST DILIGENT PARTY BEFORE THE COMMERCIAL COURT OF BORDEAUX TO WHICH THE PARTIES ATTRIBUTE EXCLUSIVE COMPETENCE, NOTWITHSTANDING PLURALITY OF DEFENDANTS OR CALL FOR GUARANTEES.
20.5 Entire contract
The Agreement constitutes the entire current agreement between the Parties within the scope of its purpose. It cancels and replaces any written or oral commitment or agreement that may have been entered into between the Parties for the same purpose.
This Agreement may only be amended or modified by a written amendment signed by the Parties. Until the amendment is executed, TEHTRIS shall continue to perform the Services in accordance with the terms originally agreed upon.
It is expressly stipulated that clauses contrary to the Agreement and contained in the User’s general terms and conditions of purchase or in any other such document are inapplicable within the scope of this Agreement.
Appendix 1. Service Agreement – TEHTRIS MTD
If the User requires additional commitments, special conditions will be agreed between the Parties.
Article 1. TEHTRIS Service
1.1 Data Hosting and Alerts
Data and Alerts are hosted via subscriptions with a data host located in the European Union. TEHTRIS chooses the data host and deals with it independently.
As part of a best effort obligation, TEHTRIS shall back up the contents of the Cloud Appliances under the following conditions:
- Recurrence of the backup: daily,
- Backup content: complete operating systems, data and alerts collected the day before the backup:
  - Data: TEHTRIS retains Data in the Cloud Appliances up to the storage capacity of the Appliances and for a maximum of three (3) months,
  - Alerts: TEHTRIS retains Alerts up to the storage capacity of the Appliances and for a maximum of three (3) months;
- Retention of the backup: fourteen (14) days.
TEHTRIS reserves the right to automatically delete the oldest Data and/or Alerts in order to avoid disk clutter and ensure the availability of the Appliance.
1.2 Integration phase
TEHTRIS MTD is a managed solution in SaaS mode.
The TEHTRIS MTD application is compatible with the following versions: Google Android (from Android 6.0, for phones, tablets, televisions…) and Apple (on iPhone: from iOS 11, iOS 12, iOS 13, iOS 14; on iPad: iOS 11, iOS 12, iPadOS 13, iPadOS 14). The deployment can be done automatically through the User’s MDM. TEHTRIS recommends using the most recent versions for best results. As operating system versions evolve, new functionalities are taken into account as far as possible, according to the functionalities added to or withdrawn from the OS.
1.3 Run phase
User may begin deploying the Equipment and taking advantage of the TEHTRIS Solutions’ functionalities and TEHTRIS Operational Services subscribed to. TEHTRIS reserves the right to provide the User with any Documentation required for the TEHTRIS Service’s proper performance.
1.4 User registration phase
- a Google account for the Android version or an Apple account for the iOS version in order to download the application on the online application purchase platform and benefit from updates,
- The business email address of the user of the mobile device to be audited.
In the event of termination of the Agreement for any of the reasons set forth in this Agreement, TEHTRIS will terminate the entire TEHTRIS Service. This phase will result in the destruction of the Data in accordance with the Article – Reversibility.
1.5 TEHTRIS Operational Services
The User may benefit from operational services such as support, cyber monitoring, under the conditions defined in the associated quote. All operational services are performed by TEHTRIS under an obligation of means, in best efforts mode.
Article 2. Reversibility
This section applies at the end of a subscription to one or more TEHTRIS Solutions not renewed by the User and/or in the event of termination of the Agreement for any reason whatsoever except in the event of termination for fault by the User.
Before the date of termination or expiration of subscriptions in case of non-renewal, as well as before proceeding with deletion operations, it is the User’s sole responsibility to carry out any operation (such as backup, transfer to a third party solution, etc.) necessary for the conservation of his Data.
TEHTRIS reminds the User that it is the User’s responsibility to keep any Data that may be used for evidential purposes (traces of attacks, etc.).
TEHTRIS undertakes, with the exception of the cases mentioned in the section “Property”, to destroy at its expense all Data sent by the User. TEHTRIS undertakes to carry out the destruction within ten (10) days following the date of termination of contractual relations between the Parties. Upon completion of such destruction, TEHTRIS may, at the request of the User, provide a record of destruction.
Appendix 2. Quality Charter
TEHTRIS undertakes to comply with the Quality Charter, which guarantees the quality of its services for all elements of the TEHTRIS Service that are not provided free of charge.
TEHTRIS undertakes to implement internal controls to ensure that the Customer can access and use the TEHTRIS Service in accordance with the terms of the Agreement. In particular, TEHTRIS has set up redundant systems to ensure that the service is provided with minimum risk of interruption. TEHTRIS ensures response times based on the elements indicated in the Agreement, with respect to the Appliances at the Customer’s premises, the Users and the TEHTRIS datacenter located in France. In the event of an outage, TEHTRIS shall provide an availability report to verify the parameters defined in this Charter.
In particular, TEHTRIS uses the following technologies: dual power supplies, dual inverters, dual network connections at least Gigabit, dual switches, dual HSRP routing and dual physical links to the Internet.
From the point of view of the development and testing of TEHTRIS Solutions prior to their use in production, TEHTRIS undertakes to implement effective controls to provide reasonable assurance that the applications made available to Customers process the Data entrusted to it without any risk of omission, alteration, distortion or any other form of anomaly likely to affect the integrity of the results produced by these applications.
3. TEHTRIS staff
TEHTRIS only employs personnel who have a contractual relationship with TEHTRIS. TEHTRIS staff are subject to confidentiality obligations and to the signature of the TEHTRIS ethics and IT charters. No member of the TEHTRIS staff is registered in the bulletin n°3 of the criminal record.
4. Security and privacy at TEHTRIS
TEHTRIS is committed to securing access to and use of the TEHTRIS Service, taking into account the threats, in accordance with the practices in this area and the state of the art. TEHTRIS regularly conducts intrusion tests against its own facilities and tools in search of security flaws. These tests are regularly re-run after each modification requiring the revalidation of the entire security cycle.
TEHTRIS has implemented effective controls to protect against unauthorized physical and electronic access to TEHTRIS’ operating systems and applications, as well as Users’ confidential information, to provide reasonable assurance that access to Client systems and data is limited to authorized individuals and that confidential information is protected from improper use.
TEHTRIS has set up a daily data backup in the TEHTRIS datacenter. The backups are kept for 14 consecutive days. The data backed up are the following: complete operating systems, and all associated data, used for the User in the TEHTRIS datacenter. The time required to restore the backups will depend on the performance of the host and the size of the data to be restored and may be several days in the most complex cases. All data backups are protected by cryptographic means. On optional request, the media can be stored in two separate locations, which will be the subject of an additional quote. TEHTRIS provides, as part of an obligation of means, a business recovery plan. Any request for additional commitment will be subject to additional billing and contractual conditions.
User Data is protected by cryptographic means in the TEHTRIS Appliances hosted at the User’s premises, and in the TEHTRIS datacenter that centralizes the results of TEHTRIS Solutions for the User. The encryption keys are protected and are not present in the operating systems that will use them. They are securely distributed at the time of startup of the operating systems hosting the TEHTRIS Solutions. If these keys are not retrievable, for security reasons or network concerns, the Data on the hard disk is not accessible by the operating systems. When operating systems are running, the Data remains permanently encrypted in all areas using non-volatile memory.
a. Physical security at TEHTRIS
The TEHTRIS main building is equipped with physical security with biometric fingerprint authentication for authorized personnel.
The telecom room used for the link with the operator has reinforced physical security limiting the possibility of entering it (armoured door, etc.). In particular, it is electronically monitored with a real-time alert system available 24 hours a day, 365 days a year in case of physical intrusion.
TEHTRIS’ premises do not contain any unencrypted persistent data related to the TEHTRIS Service or the Customer. Any theft of physical disks would result in the inability to read the associated data. Customer data used by the TEHTRIS Service is not stored on TEHTRIS’ premises. It is stored in the datacenters of the host of the TEHTRIS datacenter. A physical intrusion into TEHTRIS’ premises cannot result in theft with the possibility of reading or using the Customer’s data present in the TEHTRIS datacenter.
TEHTRIS premises are protected 24/7/365 by a reinforced physical surveillance system (sensors, detections, video surveillance, etc.).
Access to TEHTRIS premises is limited to TEHTRIS staff. Trainees or employees outside the CDI work in physically separate rooms and on physically separate networks. Meetings with external personnel are held in rooms annexed to TEHTRIS. External companies (maintenance and cleaning) may not work on TEHTRIS premises unless they are physically supervised directly and locally by TEHTRIS.
TEHTRIS does not print sensitive documents for security reasons. Working documents that are nevertheless printed are destroyed when they are no longer used, with a shredder (confetti with cross-cutting guaranteeing a level of security adapted to confidential documents), before being managed as waste. TEHTRIS’ main building has been certified to ISO 14001.
b. Logical security
All hard drives of TEHTRIS Appliances at the Customer’s premises or in the TEHTRIS datacenter (which are used in servers) are encrypted via FDE (Full Disk Encryption) with keys that are stored off-site in a restricted, protected and encrypted area.
All hard drives on TEHTRIS workstations (which are used to remotely administer the TEHTRIS Service) are encrypted via FDE. Workstations with elevated privileges are physically protected and inaccessible outside of business hours.
All system authentications are performed by using a crypto-processor in a French branded smart card, with a PIN code typed on an external French branded reader, and/or by an ANSSI certified external key.
All operating systems used in TEHTRIS Appliances at the Customer site or in the TEHTRIS datacenter are protected by secure Linux kernels, modified and compiled by TEHTRIS, with the use of advanced security technologies, including for example: RBAC integration in the kernel with role assignment and security policies for all processes; technologies against overflow attacks; special protections against data leakage into memory.
Applications hosted in TEHTRIS Appliances at the Customer’s premises or in the TEHTRIS datacenter, built by TEHTRIS in order to provide the TEHTRIS Service, may use technologies such as obfuscation, encryption and anti-reverse engineering, in order to limit and slow down attempts to recover functionality.
All communications related to the TEHTRIS Service are encrypted between TEHTRIS workstations and the TEHTRIS datacenter. All communications between TEHTRIS Appliances are encrypted including in the TEHTRIS datacenter. All communications between TEHTRIS employees regarding the Agreement are encrypted (email, instant messaging).
TEHTRIS’ internal network access security contains scalable modules to combat physical and logical intrusion threats, for example: authentication on the network with 802.1X; technologies against network attacks, such as DHCP attacks, ARP spoofing attacks, IP spoofing attacks, etc.; partitioning of activities with network zoning to separate Users and respect watertightness notions; presence of two separate firewalls between the Internet network and the Internet operator’s network; TEHTRIS’ employees can access the network through the Internet. TEHTRIS employees have no incoming access to the TEHTRIS internal network from a distance, as the latter behaves like a diode with respect to the Internet.
Access to the TEHTRIS datacenter infrastructure is protected by: (i) identity restrictions: strong authentication dedicated to each employee based on physical tokens with French-branded crypto-processors and physical protection; (ii) time restrictions: with limitations on hours and days based on roles; (iii) geographic restrictions: with limitation to known areas defined as work source; (iv) network restrictions: with firewalls that are designed, installed, controlled and maintained solely by TEHTRIS from end to end; (v) DDOS restrictions: with the use of anti-DDOS technologies at the entrance to the TEHTRIS datacenter; (vi) application restrictions: with the use of certificates to access application areas such as the TEHTRIS Console.
All TEHTRIS data in local or cloud areas is on encrypted media.
5. TEHTRIS datacenter hosting
The access provider and provider of Cloud hosting used by TEHTRIS is the company “OVH”. The guarantees offered by OVH for the TEHTRIS datacenter are applied to the Contract. The certifications obtained by OVH, relating to computer security and the safety of operation of the security standards for the hosting of the TEHTRIS datacenter are as follows:
- PCI-DSS level 1; ISO/IEC 27001:2005; SOC 1 type II (SSAE x 2 type II.
a. Physical security of the datacenters hosting the TEHTRIS datacenter
Access to the compound is strictly monitored with fences and barbed wire. A video surveillance and motion detection system also operates continuously. Activity in the data centers and outside the buildings is monitored and recorded on secure servers, while surveillance teams work on a 24/7 basis.
In order to control and monitor access to the compound, strict security procedures are in place. Each staff member is equipped with a personal RFID badge to which access rights are assigned. These are regularly reviewed, depending on the duties of each individual. To gain access to the premises, each employee must first submit his or her badge for verification and then pass through a secure airlock.
Inside, the datacenters are even more highly protected, as only authorized personnel can enter them. The hosting company is the sole operator of its facilities. Each room in each datacenter is equipped with a fire detection and extinguishing system and fire doors. The host respects the APSAD R4 rule for the installation of portable and mobile fire extinguishers, and has the N4 certificate of compliance for all its datacenters.
b. Logical security of the datacenters hosting the TEHTRIS datacenter
The host deploys its fiber optic network throughout the world. The equipment is chosen for its performance, then installed and maintained by the hosting company’s engineering teams. The host has also chosen to build its network in a totally redundant manner: several security loops have been set up to eliminate any risk of unavailability. This multiplicity of links allows the data to take the shortest route and therefore to display minimum latency times.
This proprietary network delivers a high quality of service with a bandwidth of 3Tbps in Europe, around 8000Gbps in North America, and a connection to 33 peering points on 3 continents.
A human presence is ensured 24/7/365 in the data centers by the host’s teams, in order to ensure permanent maintenance. In the event of a technical incident, their reaction is immediate so that the servers are restored as soon as possible.
The servers used by TEHTRIS are also equipped with a dual power supply and a dual network card: the infrastructure is thus redundant from end to end. The data centers are powered by two independent electrical supplies and are also equipped with inverters with generators that can be used for 48 hours in the event of a power failure. The hosting provider integrates protection against all types of DDoS attacks and has set up three anti-DDoS infrastructures of 160 Gbps each in the data centers used by TEHTRIS, to be able to mitigate up to 480 Gbps, 24/7.
A double authentication process secures the connection to the administration tools of the hosting company, with OTP (One Time Password) options in addition to the traditional login – password combination. This OTP is a one-time password generated randomly. Each time a connection is attempted, it is sent by SMS or generated in separate physical tokens, and it is necessary for the finalization of authentications.
Appendix 3. Processing of personal data
In this appendix:
- the terms personal data and controller have the same definition as in Article 4 of the GDPR;
- TEHTRIS is a subcontractor within the meaning of the said Article 4;
- The data controller is the User of the TEHTRIS Service.
1. TEHTRIS’ Obligations to the data controller
In this regard, TEHTRIS undertakes to:
- Cooperate with and assist the data controller in fulfilling its obligations,
- Process the data controller’s personal data only for the purposes for which they are processed as described above, process them only in accordance with the data controller’s written instructions and refrain from any personal or commercial use,
- If TEHTRIS considers that an instruction constitutes a violation of the applicable regulations on the protection of personal data, it shall immediately inform the controller. TEHTRIS reserves the right not to carry out any unlawful instruction of the controller, without any liability on its part,
- Ensure the confidentiality of the personal data processed under the Agreement,
- Ensure that persons authorized to handle personal data are subject to a duty of confidentiality,
- Consider the principles of personal data protection by design and by default,
- Comply with an internal security program in accordance with the ISO/IEC 27001 Standard or its equivalent as agreed between the Parties including the controls of ISO/IEC 27002,
- Assist the data controller in carrying out impact analyses relating to the protection of personal data and, where appropriate, in carrying out the prior consultation with the supervisory authority,
- Refrain from using or allowing or facilitating the use by third parties, on the part of a subcontractor or a person acting under the authority or on behalf of TEHTRIS, for purposes other than the performance of the services, as well as from any use or processing or any other operation or exploitation without the prior authorization of the controller.
2. Data controller obligations to TEHTRIS
The data controller undertakes to TEHTRIS to:
- Provide TEHTRIS with the personal data referred to in this Section,
- Document in writing any instructions regarding the processing of personal data performed by TEHTRIS,
- Ensure that the applicable obligations regarding the protection of personal data are respected throughout the processing,
- Provide TEHTRIS with the contact details of its representative and, if applicable, of its Data Protection Officer.
3. Subcontractor of personal data processing
TEHTRIS undertakes to inform the data controller in advance of any subcontracting operation involving the processing of personal data.
TEHTRIS undertakes to inform the data controller of the location of personal data processing sites.
TEHTRIS undertakes to impose on its subcontractor all necessary obligations, at least equivalent to those provided for in this Appendix and the provisions relating to security, to ensure that the confidentiality, security and integrity of the personal data are respected, and that the said data cannot be transferred or leased to a third party, whether free of charge or not, or used for purposes other than those defined in the Agreement, and shall ensure that the said service provider(s) or subcontractor(s) comply with their obligations.
4. Communication of personal data to third parties
The personal data shall not be disclosed to any third party, including TEHTRIS’ subcontractor, except as provided in the Agreement or as required by law or regulation. TEHTRIS shall put in place procedures to ensure that any third parties it authorizes to access the personal data respect and maintain the confidentiality and security of the personal data.
5. Application of the European regulation regarding data transfers outside the European Union
TEHTRIS undertakes to use exclusively means of processing personal data located in the territory of a member country of the European Economic Area (“EEA”) and/or in a country recognized as adequate by the European Commission. TEHTRIS undertakes not to disclose or transfer personal data, even for transit purposes or by means of remote access, to any third party or subcontractor operating in a country outside the EEA. TEHTRIS shall ensure that no personal data of the controller is transferred outside the EEA by its own subcontractor and by persons acting under the authority or on behalf of TEHTRIS. To the extent strictly necessary for the performance of the Agreement and subject to the consent of the data controller, TEHTRIS may use processing facilities located in a country that does not provide an adequate level of protection within the meaning of the GDPR, in the following case: TEHTRIS has previously entered into a data transfer agreement with the data controller in accordance with the terms and conditions set out in the European Commission’s standard contractual clauses for the transfer of personal data to processors established in third countries.
6. Rights of data subjects
It is the responsibility of the data controller to provide information to data subjects of the processing operations at the time of collection of the personal data. To the extent possible, TEHTRIS shall assist the data controller in fulfilling its obligation to respond to requests to exercise the rights of data subjects with respect to the processing of Personal data performed by TEHTRIS on behalf of the data controller. However, as the processing performed by TEHTRIS is based on the legitimate interest pursued by the controller, the exercise of certain rights of data subjects is limited by the GDPR.
If a data subject should contact TEHTRIS directly to exercise his or her right of access, rectification, deletion and/or objection, TEHTRIS shall forward the request directly to the data controller.
7. Notification of personal data breaches
TEHTRIS shall notify the data controller of any breach of the personal data as soon as possible by means of a signed email. As an exception to the above, if TEHTRIS is unable to provide all the information available to it at the same time, the information may be provided in a staggered manner without undue delay.
This notification shall be accompanied by any useful documentation to enable the data controller, if necessary, to notify the breach to the competent supervisory authority within seventy-two (72) hours at the latest after becoming aware of it, unless the breach in question is not likely to give rise to a risk to the rights and freedoms of the data subjects. In general, it is the responsibility of the data controller to communicate directly to the data subjects the violation of the personal Data, when it is likely to generate a high risk for the rights and freedoms of the data subjects.
TEHTRIS undertakes to carry out any useful investigation into breaches of the aforementioned protection rules and/or any threats in order to remedy such breaches and/or threats and prevent their recurrence in the future.
The relevant documentation will be provided to the data controller by means of a written report by TEHTRIS consisting of:
- The nature of the failures to comply with the rules for the protection of personal data as defined in the Contract,
- A description of the corrective actions taken or proposed to be taken by TEHTRIS to remedy the deficiencies identified, or where appropriate, measures to mitigate any adverse consequences,
- The name and contact details of the Data Protection Officer or other point of contact from whom further information can be obtained.
TEHTRIS is aware that any failure to comply with the rules for the protection of personal data may impose obligations on the data controller, in particular with regard to notification of data subjects and the authorities.
8. Use of personal data
The controller shall be responsible for the use of the TEHTRIS Service in accordance with the provisions of the Agreement. The data controller shall indemnify TEHTRIS on first demand against any loss resulting from a third party challenging it for a breach of this warranty.
The data controller shall be solely responsible for the quality, lawfulness and relevance of the personal data and their content, which it transmits for use of the TEHTRIS Service. He also warrants that he holds the Intellectual Property Rights entitling him to use the Data and content. Accordingly, TEHTRIS shall not be liable for any failure of the Data and/or content to comply with laws and regulations, public policy or the needs of the controller.
More generally, the controller is solely responsible for the content and messages broadcast and/or downloaded via the Service. The controller remains the sole owner of the Data constituting the content of the Solutions. Malicious or suspicious items uploaded to the Solutions shall become the sole Property of TEHTRIS under the conditions set forth in Article – Property.
9. Security of personal data
Each of the Parties undertakes to implement the appropriate technical means to ensure the security of the personal data.
TEHTRIS undertakes to implement technical and organizational measures to prevent any access to or fraudulent use of the personal data and to prevent any loss, alteration or destruction of the personal data, in particular all of the undertakings set out in the TEHTRIS Quality Charter, attached to this Agreement.
10. Description of the processing operations carried out on behalf of the data controller
|DPO contact details|
|TEHTRIS : Florine Belle – firstname.lastname@example.org , TEHTRIS – Service DPO – 5 allée des lumières, Cité de la photonique, 33600, PESSAC, France|
|Personal data might be collected from the security logs and recorded to organize the processing for incident monitoring. The purposes are to ensure the management and performance of the incident and event security monitoring system as well as the management of authentication accounts to the TEHTRIS XDR Platform and the continuous improvement of TEHTRIS Services (necessary to ensure the security of the IT infrastructure and the information of the controller).|
|Nature of the treatments|
|Collection; Storage; Analysis; Deletion.|
|Category of persons concerned|
|Any person with access to the data controller’s IS on which the TEHTRIS Service is deployed (employees, service providers, customers, visitors, etc.). The end users of the application|
|TEHTRIS Solutions do not allow opening or accessing client files of type .doc, .pdf, .xls. Only the technical security data is transmitted. No “sensitive” data by default.|
|Personal data (applicable according to the services subscribed to)|
|MTD||Device data: device manufacturer and model, unique device identifier (UID), and MDM if applicable; enrollment date; last login date; device name entered by the user; number of CPUs, amount of RAM, device version, amount of total and available memory (the space on the phone’s “disk”). Device configuration data, such as whether the device allows root access or whether its hardware restrictions have been removed (jailbreak). Firmware/operating system data, including the name of the manufacturer and model of the device, certain technical parameters of the device (including display size and firmware version), type and version of the device’s operating system. Application data: including the metadata of all applications installed on your mobile device (including, but not limited to, application names and versions). Alerts reported by the application and their criticality level. The number of malware-type applications present on the devices. In some cases, we may also collect a copy of the application without the user data. Analytics data: used to analyze product performance on your device. Identification data: such as business email address for registration purposes, if applicable, or for analysis of a possible compromise, i.e. if the address is not part of a database of leaked identifiers. Geolocation Data: Geolocation only when activated by the End User and/or Employer where applicable; last known locations of the Device. Network Data: Metadata about the networks to which the Device connects (including, but not limited to, the SSID of the network or the unique MAC/BSSID of the network equipment) and the IP address; Name of the Wi-Fi network to which the Device is connected to identify whether the Wi-Fi network is at risk. Web content data: URLs and domain names associated with malicious content or content that requires further analysis. TEHTRIS MTD only collects metadata about the applications installed on the device and/or the application itself. TEHTRIS MTD does not collect the user data entered in these applications and therefore does not read or examine emails, SMS, photos or videos.|
|MTD||Maximum 3 months. However, if the Employer has authorized the collection of geolocation data, such data will only be retained for a maximum of two (2) months.|
|OVH Cloud – 2 rue Kellermann – 59100 Roubaix – France||European Union. The certifications obtained by OVH relating to computer security and safety of operation for hosting the TEHTRIS datacenter are: PCI-DSS level 1; ISO/IEC 27001:2005; SOC 1 type II (SSAE 16 and ISAE 3402); SOC 2 type II.|
|List of subcontractors|
|OVHCloud, for hosting the TEHTRIS Service and storing the data. OVHCloud does not have access to the data of the controller.|
|Transfer outside the EEA|
|See the TEHTRIS Quality Charter attached to the Contract.|
 Android is a trademark of Google Inc.
 Apple, the Apple logo and iPhone are trademarks of Apple Inc. registered in the United States and other countries. App Store is a service mark of Apple Inc.