PRIVACY POLICY

Subject to the terms of this Agreement, Fabor will use commercially reasonable efforts to provide the Customer with the Services (as such term is defined in Section 1.3). Fabor reserves the right to update or modify the Services at any time, including to add or remove features with or without prior notice. As part of the registration process, the Customer will identify an administrative user name and password for Customer’s Company account (the “Administrative Account”). Customer may register additional user accounts, provided that such accounts shall be associated with a specific individual, and accounts and passwords may not be shared or disclosed to other individuals within or outside of Customer’s organization. Customer will be responsible for any actions taken by parties with access to such usernames and passwords. The Customer will inform Fabor immediately if it discovers that any such account and/or password has been disclosed or made available to a third party. Fabor reserves the right to refuse registration of, or cancel, passwords it deems inappropriate. Subject to the terms hereof, Fabor will provide Customer with reasonable technical support services in accordance with Fabor’s standard practice.

1. Data collected by Fabor & processing purposes

In accordance with its subscription to the contract which binds us, Fabor collects the following data:

Client’s data

  • Name, surname, email address of the contact
  • Corporate name
  • Public information (such as legal form of the company, registration number, address, share capital)
  • Invoice contact

For this processing, Fabor must be qualified as the controller of the data, provided that we determine the purposes and means of the processing of the data.

Data provided by the client in order for Fabor to be able to provide the service

  • Name
  • First name
  • Job title
  • Phone number
  • Email

Fabor’s use and transfer of information received from Google APIs to any other app will adhere to Google API Services User Data Policy, including the Limited Use requirements.

2. Working environment

Fabor’s office is located in Paris, France.

There is no data stored in Fabor’s office.

3. Security & data access

Fabor has put into place all necessary and appropriate technical and organizational measures in order to ensure the security of the processing that is carried out within the framework of our contract, guarantee the protection of the rights of the persons concerned by the processing, and meet the requirements of the applicable regulation.

Only the founder of Fabor has access to the solution on which the data is processed internally in order to provide the service. Fabor uses a unique identifier and password per application used. The identifiers are confidential and there are no shared accounts, identifiers or logins. Passwords are changed quarterly according to a specific procedure (complex passwords, 42 characters, numbers and punctuation). An automatic session locking mechanism (every 5 minutes) and a firewall are installed on our devices and computers. No passwords are posted on the company’s premises.

We are subject to an obligation of confidentiality and discretion regarding the data to which we have specific access. We must ensure that the data to which we specifically have access cannot be read, duplicated, copied, modified or deleted without the appropriate authorization.

We have set up a system for the daily recording of the identifiers of employees and users on our solution, their connection times, the type of data consulted and the related references. The event logs are monitored every day in order to detect any anomalies. The logging policy includes the following elements: list of data collection sources, list of events to be logged by data sources, purpose of logging by event, frequency of collection and time base used.

4. Employees

Employees with access to the data are subject to a clause specifically aimed at the confidentiality of the data to which Fabor has given them access for the execution of their mission. All Fabor employees have been duly trained and informed of the provisions of the applicable regulation and its consequences. Each new employee also receives a training course on the subject.

Any violation of the obligation of confidentiality to which an employee is subject and/or of the procedures imposed by Fabor will lead to a sanction of the employee at the origin of the fault that may go as far as the withdrawal of his specific access rights and/or his dismissal – in compliance with the provisions of the legislation and regulation in force and depending on the degree of seriousness and the consequences.

The founder of Fabor has been appointed as security manager in charge of defining the procedure to be followed in the event of a data breach and possibly of evaluating the appropriateness and/or the obligation to notify the CNIL/persons concerned by the breach (if requested by the applicable regulation).

He has also been appointed as manager of the rights of the concerned persons, and is therefore in charge of responding (if needed) and collaborating with the client on requests to exercise the rights of data subjects (right of access, rectification, deletion, limitation of processing, opposition, portability).

You can write to the founder at the following address: gdpr@fabor.io

5. Data retention

Subject to the mandatory preservation period of all data related to client’s files, which is five (5) years as of the end of the contractual relationship, the client’s identification data shall be retained by Fabor for a period that shall not exceed the same period. In accordance with the applicable legislation, the accounting billing data is kept for a period of ten (10) years.

Fabor hereby confirms that it deletes the data provided by the client within 2 years after it was provided to Fabor.

6. Crisis situation

In case of violation of systems and databases, Fabor undertakes to take all useful precautions with regard to the nature of the data and the risks presented by the processing in order to preserve the security of the data.

To this end, Fabor has put into place an internal policy in the event of a real or supposed violation or attempted violation of data including all internal procedures and technical and organizational measures to ensure:

  • that the means previously implemented by Fabor render it possible to avoid cases of data violation,
  • that all internal procedures put into place to ensure the communication of the mandatory instructions in a case of real or supposed data violation are properly informed (disconnection of the machine, machine maintained under power, live warning of the security manager, copy of the hard disk),
  • in the event of an actual breach, that a detailed report is drawn up by the appointed teams, signed by the security manager (who is also the legal representative of Fabor), including the list of persons in charge of analyzing the breach, the successive stages of the analysis, the nature of the intrusion, the approximate number of people concerned by the breach, the probable consequences of the breach and the measures envisaged by Fabor to deal with and mitigate it.

In addition, a self-assessment is carried out, annexed to the violation analysis report, including the level of seriousness of the violation on the rights and freedoms of the persons concerned.

In the case where the violation entailed a risk for the rights and freedoms of the data subjects, a procedure for notifying the competent authority (for France: Commission Nationale de l’Informatique et des Libertés, the French “CNIL”) and the data subjects is provided in the internal violation policy.

These provisions, as well as the internal data violation policy, are applicable to situations in which Fabor is the data controller within the meaning of the regulation, but also in cases in which Fabor is a processor within the meaning of the same regulation, it being specified that in the latter case Fabor will provide its full collaboration to the data controller and undertakes to notify the existence of a violation immediately after its discovery and to document it according to the same procedure if required by the aforementioned regulation.

7. Data processors

Fabor hereby informs the client that it employs AWS to provide its service.
The AWS privacy policy can be found here: https://aws.amazon.com/fr/privacy/

8. Data hosting & transfers

As described in the previous article, the client’s data as well as data provided by the client in order to provide the Service are hosted on AWS’s servers, which are located in the European Union. Therefore, no data is subject to any transfer outside of the European Union area.

Fabor also informs its clients that the only recipient of the data (clients’ data as well as data provided by the client) is Fabor and especially its founder (notwithstanding communication to the competent public authorities if required by regulation and to the host of the data).

For any further information, please contact us at: gdpr@fabor.io