GDPR_Standard Contractual Clauses (SCC)

(MODULE 2 - Controller to Processor Transfer) - In accordance with Commission Implementing Decision (EU) 2021/914

These Standard Contractual Clauses (“SCCs”) are entered into by and between Scaleflex SAS, established in the European Economic Area (“EEA”), and Scaleflex Inc., located in the United States, for the purpose of governing the cross-border transfer of personal data between the two entities. Pursuant to Articles 44 et seq. of Regulation (EU) 2016/679 (the “GDPR”), such transfer requires appropriate safeguards, as the United States is not subject to an adequacy decision by the European Commission. By executing these Clauses, the Parties commit to ensuring a level of data protection that is essentially equivalent to that guaranteed within the European Union.

List of Parties:

Data Exporter:

• Name: Scaleflex SAS

• Address: 53 Chemin du Beauregard, 38330 Saint-Nazaire-Les-Eymes, France

• Contact Person: Jean-François Lecas, Chief Experience Officer & DPO

• DPO Contact: [email protected]

• Relevant Activities: Data Controller

Data Importer:

• Name: Scaleflex Inc.

• Address: 3500 South Dupont Highway, Dover DE 19901

• Contact Person: Jean-François Lecas, Managing Director North America

• DPO Contact: [email protected]

• Relevant Activities: Data Processor

Clause 1 - Purpose and Scope

These Standard Contractual Clauses aim to ensure the compliance of personal data transfers from the EEA to a third country (the United States), in accordance with Article 46 of the GDPR.

Clause 2 - Description of the Transfer

Purpose of the Transfer: Personal data is transferred to Scaleflex Inc. for the exclusive purpose of enabling:

• Corrective and evolutive maintenance of services provided by Scaleflex SAS, including the diagnosis of anomalies affecting media file processing that contain personal data.

• Advanced technical support (L1/L2/L3), particularly the analysis of assistance requests requiring secure access to the concerned data to reproduce or resolve incidents reported by clients.

• Continuous infrastructure monitoring (NOC - Network Operations Centre), for performance, availability, security, and integrity management of services.

• Research and Development (R&D) on Scaleflex products and services, for strictly internal purposes of technological improvement (e.g., optimisation of media processing algorithms), without using data for other purposes or external communication.

Duration of Processing: For the term of the contract between Scaleflex SAS and its clients + 30 days.

Location of Processing: United States (Scaleflex Inc.).

Clause 3 - General Obligations

Scaleflex Inc. undertakes to:

• Process personal data only on documented instructions from Scaleflex SAS.

• Implement appropriate technical and organisational measures.

• Alert Scaleflex SAS in the event of a security incident or unauthorised access request.

• Not transfer data to another sub-processor without the prior written consent of Scaleflex SAS and without the signature of a sub-SCC.

Clause 4 - Additional Safeguards

In accordance with the Schrems II judgment, the parties agree on the following safeguards:

• Data is encrypted at rest and in transit, and Scaleflex Inc. does not have access to the encryption keys.

• In the event of an access request by U.S. authorities, Scaleflex Inc. shall:

  • Immediately inform Scaleflex SAS, unless legally prohibited.

  • Legally oppose any request that is manifestly excessive or non-compliant.

Clause 5 - Governing Law and Jurisdiction

These clauses are governed by French law. In the event of a dispute, the competent jurisdiction shall be that of Paris.