# GDPR\_Standard Contractual Clauses (SCC)

(MODULE 2 - Controller to Processor Transfer) - In accordance with Commission Implementing Decision (EU) 2021/914

These Standard Contractual Clauses (“SCCs”) are entered into by and between Scaleflex SAS, established in the European Economic Area (“EEA”), and Scaleflex Inc., located in the United States, for the purpose of governing the cross-border transfer of personal data between the two entities. Pursuant to Articles 44 et seq. of Regulation (EU) 2016/679 (the “GDPR”), such transfer requires appropriate safeguards, as the United States is not subject to an adequacy decision by the European Commission. By executing these Clauses, the Parties commit to ensuring a level of data protection that is essentially equivalent to that guaranteed within the European Union.

**List of Parties:**

**Data Exporter:**

* Name: Scaleflex SAS
* Address: 53 Chemin du Beauregard, 38330 Saint-Nazaire-Les-Eymes, France
* Contact Person: Jean-François Lecas, Chief Experience Officer & DPO
* DPO Contact: <privacy@scaleflex.com>
* Relevant Activities: Data Controller

**Data Importer:**

* Name: Scaleflex Inc.
* Address: 3500 South Dupont Highway, Dover DE 19901
* Contact Person: Jean-François Lecas, Managing Director North America
* DPO Contact: <privacy@scaleflex.com>
* Relevant Activities: Data Processor

**Clause 1 - Purpose and Scope**

These Standard Contractual Clauses aim to ensure the compliance of personal data transfers from the EEA to a third country (the United States), in accordance with Article 46 of the GDPR.

**Clause 2 - Description of the Transfer**

| **Categories of Data Transferred**                                    | **Categories of Data Subjects**      |
| --------------------------------------------------------------------- | ------------------------------------ |
| Technical identifiers (IP addresses, logs, metadata)                  | End customers of the data controller |
| Authentication data (professional email)                              | Employees of clients                 |
| Multimedia content associated with users (images, videos, file names) | Technical administrators             |

**Purpose of the Transfer:** Personal data is transferred to Scaleflex Inc. for the exclusive purpose of enabling:

* Corrective and evolutive maintenance of services provided by Scaleflex SAS, including the diagnosis of anomalies affecting media file processing that contain personal data.
* Advanced technical support (L1/L2/L3), particularly the analysis of assistance requests requiring secure access to the concerned data to reproduce or resolve incidents reported by clients.
* Continuous infrastructure monitoring (NOC - Network Operations Centre), for performance, availability, security, and integrity management of services.
* Research and Development (R\&D) on Scaleflex products and services, for strictly internal purposes of technological improvement (e.g., optimisation of media processing algorithms), without using data for other purposes or external communication.

**Duration of Processing:** For the term of the contract between Scaleflex SAS and its clients + 30 days.

**Location of Processing:** United States (Scaleflex Inc.).

**Clause 3 - General Obligations**

Scaleflex Inc. undertakes to:

* Process personal data only on documented instructions from Scaleflex SAS.
* Implement appropriate technical and organisational measures.
* Alert Scaleflex SAS in the event of a security incident or unauthorised access request.
* Not transfer data to another sub-processor without the prior written consent of Scaleflex SAS and without the signature of a sub-SCC.

**Clause 4 - Additional Safeguards**

In accordance with the Schrems II judgment, the parties agree on the following safeguards:

* Data is encrypted at rest and in transit, and Scaleflex Inc. does not have access to the encryption keys.
* In the event of an access request by U.S. authorities, Scaleflex Inc. shall:
  * Immediately inform Scaleflex SAS, unless legally prohibited.
  * Legally oppose any request that is manifestly excessive or non-compliant.

**Clause 5 - Governing Law and Jurisdiction**

These clauses are governed by French law. In the event of a dispute, the competent jurisdiction shall be that of Paris.

| **Scaleflex SAS**       | **Scaleflex Inc.**               |
| ----------------------- | -------------------------------- |
| Emil Novakov            | Jean-François Lecas              |
| Chief Executive Officer | Managing Director, North America |


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://legal.scaleflex.com/privacy-and-data-processing/global-privacy-policy/data-privacy-addendum/gdpr_standard-contractual-clauses-scc.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.