General Terms of Service and Use

June 2025

1. DEFINITIONS

SUBSCRIPTION: service contract entered into between the CLIENT and NAVLEAD, the purpose of which is the use of the APPLICATION under the conditions described in these GENERAL TERMS OF SERVICE AND USE.

APPLICATION: the Navlead website and/or the Navlead internet and/or mobile application, edited and marketed by the company NAVLEAD, which makes it possible to organize, manage, store, modify, share, operate and/or download, in a readable and portable format, professional contact details of natural persons, originating from (i) data entered by the CLIENT, (ii) reconstructions of professional email addresses carried out by the APPLICATION from publicly available information on the internet and/or (iii) the EXTENSION.

TARGETS: natural or legal person whose professional data, publicly accessible on the internet, are processed by the CLIENT through the APPLICATION.

CLIENT: natural or legal person acting exclusively within the framework and/or for the needs of their professional activity and who has an active and valid SUBSCRIPTION to the APPLICATION.

ACCOUNT: CLIENT's private online space on the APPLICATION, accessible after subscribing to a SUBSCRIPTION and which allows the CLIENT to use and manage their SUBSCRIPTION.

GENERAL TERMS: these general terms of service and use.

DATA: as the case may be, either the professional information that the CLIENT provides to NAVLEAD at the time and/or during his/her SUBSCRIPTION, or the professional information relating to the TARGET listed in Article 5 below.

EXTENSION: the Navlead software in the form of a compatible internet browser extension, edited and marketed by the company NAVLEAD, which makes it possible to retrieve, store and download, in a readable and portable format, search results of professional contact details of natural persons, carried out by the CLIENT via the LinkedIn website or similar sites.

NAVLEAD: simplified joint-stock company with a share capital of €1,000, registered with the Paris Trade and Companies Register under the number 943 508 945, having its registered office at 61 rue Emeriau 75015 Paris, represented by its President.

DATA CONTROLLER: NAVLEAD in what concerns the DATA of the CLIENT; the CLIENT in what concerns the DATA of the TARGET.

GDPR: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, the latest applicable version of which on the date hereof can be consulted here.

PROCESSOR: NAVLEAD, which acts on behalf of the CLIENT with regard to the DATA of the TARGET, in accordance with the "Contractual Conditions" appearing in Appendix 1 of these GENERAL TERMS.

USER: natural person, member of the CLIENT's company and/or team, to whom the CLIENT grants access to the APPLICATION under a "multi-user" SUBSCRIPTION. The CLIENT is the USER in the case of an individual SUBSCRIPTION.

2. OBJECT

These GENERAL TERMS describe the rights, obligations, terms, and conditions applicable between NAVLEAD and the CLIENT in connection with the use of the APPLICATION.

By using the APPLICATION, the CLIENT declares to fully and unreservedly accept these GENERAL TERMS, which prevail over any and all other conditions, this clause representing an essential condition of NAVLEAD's consent.

By accepting the GENERAL TERMS, the CLIENT declares that he/she had prior access to all relevant information for him/her, and was able to ask NAVLEAD any questions and received satisfactory answers, and that his/her commitment is therefore made in clear, understandable, and foreseeable terms.

The APPLICATION is not intended for individuals acting as consumers or non-professionals, and by using the APPLICATION, the CLIENT expressly declares that he/she is acting solely within the scope and/or for the needs of his/her professional activity.

NAVLEAD has neither the obligation nor the vocation to research a professional partner on behalf of the CLIENT, and the use of the APPLICATION does not imply any brokerage service by NAVLEAD.

The CLIENT controls and is the only person responsible for the DATA he/she processes through the APPLICATION.

3. CONTRACTUAL DOCUMENTS

Acceptance of these GENERAL TERMS implies full and unreserved acceptance of the following documents, previously communicated to the CLIENT and accessible on the website www.navlead.com, which together form the basis of the contractual relationship between NAVLEAD and the CLIENT:

- The NAVLEAD Personal Data Protection Charter,
- The Standard Contractual Clauses set out in Appendix 1 hereto,
- The Cookies Policy,
- The general terms and conditions and the Personal Data Processing Policy of the online payment service provider.

4. TECHNICAL PREREQUISITES

In order to use the APPLICATION and the EXTENSION, the CLIENT must:
- Have a web browser compatible with the EXTENSION as indicated on the website www.navlead.com at the time of SUBSCRIPTION.
- Install the EXTENSION in this web browser by following the installation steps indicated for this purpose on the website www.navlead.com at the time of SUBSCRIPTION.

The CLIENT is expressly informed that, failing to meet these technical prerequisites, certain functionalities of the APPLICATION, in particular the EXTENSION, may not work, and NAVLEAD may not be held liable in relation to this.

The CLIENT is personally responsible for setting up the computer and telecommunications means allowing access to and use of the APPLICATION and of the EXTENSION, and bears all internet access costs.

5. DESCRIPTION AND LIMITS OF THE APPLICATION AND THE EXTENSION

Operation: The use of the APPLICATION and the EXTENSION is only possible with a valid SUBSCRIPTION. The APPLICATION includes access to the EXTENSION. The use of the EXTENSION is not possible independently of the APPLICATION.

Purpose: The APPLICATION allows the CLIENT, under the conditions and limits described in the SUBSCRIPTION plans and herein, to organize, manage, store, modify, share, operate and/or download professional contact details of TARGETS and legal entities (companies, organizations, institutions, associations, etc.) originating from (i) data provided by the CLIENT in the APPLICATION, (ii) reconstructions of professional email addresses carried out by the APPLICATION from publicly available information on the internet and/or (iii) the EXTENSION.

Limits: The only DATA that the EXTENSION allows the CLIENT to process is the professional information relating to TARGETS which is publicly accessible and/or made visible by the TARGET, as follows:

- Target Identification Data: Last Name, First Name, Company name if applicable, Job title and description, Seniority within the company and in the position.
- Target Professional Contact Details: Professional Email, TARGET's Company Domain Name, Professional Address, Professional Phone Number, Professional Website, where applicable, URL Link to the TARGET's and/or its Company's LinkedIn profile.
- Target Professional Network Data: Number of LinkedIn contacts, Description of the target's professional background, Type of LinkedIn subscription.

The EXTENSION only allows the processing of information and DATA that the CLIENT has access to through his/her LinkedIn account, within the limits of the services he/she has subscribed to on LinkedIn.

Sharing: The CLIENT may, under its sole responsibility, share the DATA of the TARGET with other CLIENTS, under the conditions provided for in the APPLICATION and subject to compliance with the Personal Data Protection Charter.

6. SUBSCRIPTION

Types: the SUBSCRIPTION is either individual or multi-user. The USER of the individual SUBSCRIPTION is the CLIENT. In the case of a "multi-user" SUBSCRIPTION, the SUBSCRIPTION is accessible to the CLIENT and to one or more additional USERS.

Holders: The SUBSCRIPTION can only be contracted for lawful purposes by individuals with legal capacity, acting on their own behalf within the scope or for the needs of their professional activity. The SUBSCRIPTION is strictly personal to the CLIENT, who may not transfer it to third parties.

Conditions: The features, options, duration, price, and all other conditions of the SUBSCRIPTION are indicated on the NAVLEAD website in the description of the SUBSCRIPTION plans. NAVLEAD may modify the conditions of the SUBSCRIPTION at any time and without reason, by informing the CLIENTS in advance. The new conditions become applicable immediately for new SUBSCRIPTIONS contracted after this modification, and at the end of the current term in the case of current SUBSCRIPTIONS.

Duration: the SUBSCRIPTION can be contracted either for a monthly or an annual period. Unless otherwise stated, the renewal of the SUBSCRIPTION is automatic for an identical period to the previous one.

Modifications and termination: The CLIENT may modify his/her SUBSCRIPTION at any time. The modification to a paid plan from a free or less expensive plan is applicable immediately. Except in the event of non-payment by the CLIENT in accordance with Article 7 below, the modification from a paid plan to a free or less expensive plan only enters into force upon the expiry of the current SUBSCRIPTION at the date of the modification. The CLIENT may terminate his/her SUBSCRIPTION upon its expiry by deleting his/her ACCOUNT. An inactive SUBSCRIPTION, meaning a SUBSCRIPTION that the CLIENT does not pay for and which has not been used for at least 1 (one) year, is automatically terminated at the end of this 1 (one) year period.

7. PRICE AND CONDITIONS OF PAYMENT

The subscription price is indicated on the NAVLEAD website in the description of the subscription plans.

The Price is payable in advance on the first day of the subscription period, whether monthly or annual, by credit card or direct debit from the bank account details provided at the time of subscription. Any period is due.

The Price can be paid in euros or dollars, at the CLIENT's choice. Any and all bank and payment fees, including conversion fees, are added to the Subscription Price and are charged to the CLIENT.

Online payment services are provided by an authorized third party with whom NAVLEAD has entered into a mandate agreement. Acceptance of the online payment service by the CLIENT constitutes a commitment between the CLIENT and the third-party payment provider, whose contact details and general terms and conditions are accessible by clicking here and whose data processing policy is accessible by clicking here.

In the event of non-payment on the due date, the SUBSCRIPTION is automatically converted into a "free" plan SUBSCRIPTION with the corresponding functionalities as indicated on the NAVLEAD website, until the CLIENT regularizes the payment of the SUBSCRIPTION.

Any late payment automatically bears interest at the conventional daily rate of 5%, due and payable based on the sole delay without the need for prior formal notice, to which is added a fixed indemnity for recovery costs of €40.

8. OBLIGATIONS OF THE CLIENT

Obligations towards NAVLEAD

The CLIENT uses the APPLICATION in compliance with these GENERAL TERMS and with the laws and regulations in force.

By subscribing to and using the APPLICATION, the CLIENT undertakes not to do anything that could be detrimental to NAVLEAD and guarantees that the USERS and other CLIENTS with whom he/she may share DATA will not do anything that could be detrimental to NAVLEAD.

The CLIENT undertakes to use the DATA of TARGETS lawfully and in a way that is compatible with the purpose and limits of the APPLICATION. He/She is responsible for ensuring the protection and security of the DATA of the TARGETS, in particular by ensuring compliance with the Personal Data Protection Charter.

The CLIENT informs NAVLEAD without delay of any updates to his/her own DATA.

The CLIENT undertakes not to republish outside the APPLICATION the DATA of the TARGETS that originates from the EXTENSION, nor to transfer it to third parties, whether free of charge or for compensation, without prejudice to the possibility of sharing such DATA with other CLIENTS or USERS under the conditions set forth herein.

The CLIENT and, where applicable, the other USER(S), are solely responsible for the security of the password chosen for access to the ACCOUNT. They undertake not to disclose it to third parties and remain solely responsible for all actions carried out on the APPLICATION with this password.

The CLIENT authorizes NAVLEAD to access his/her ACCOUNT when necessary for technical reasons or related to the protection of the personal data of CLIENTS or TARGETS.

Obligations towards the TARGETS

In his/her capacity as data controller within the meaning of the GDPR [General Data Protection Regulation], the CLIENT must ensure his/her compliance with these rules and ensure their respect, under his/her sole responsibility, in particular as regards the legal basis of processing, data security, storage period, etc.

In particular, the CLIENT must obtain the prior consent of the TARGETS before commercial prospecting, unless he/she can justify a legitimate interest in prospecting, directly related to the professional activity of the person concerned.

The CLIENT must inform the TARGETS, at the latest on the date of the first contact with them, of his/her identity as well as of their rights of access, opposition, limitation of processing, rectification, erasure, correction, portability, withdrawal of consent, to give instructions on the fate of the data after their death, concerning their DATA. This communication must include the information provided for by the GDPR [General Data Protection Regulation].

The examples of the rules applicable to the CLIENT in his/her capacity as data controller, set forth in these GENERAL TERMS and in the CHARTER, are not exhaustive and their respect by the CLIENT is not sufficient to consider that the CLIENT complies with all his/her obligations regarding personal data. Consequently, it is the CLIENT's responsibility to obtain information and put in place, under his/her sole responsibility, mechanisms allowing him/her to ensure compliance with his/her obligations as data controller in the field of personal data protection.

The CLIENT must undertake all reasonable measures not to process DATA that is obsolete with regard to the purposes of their processing. They must ensure the updating of the TARGETS' DATA at the time of their use, if necessary by contacting the person concerned.

The obligations recalled above are only indicative and are not exhaustive, and it is the CLIENT's responsibility to ensure compliance with all the obligations incumbent upon him/her as data controller.

How you can use the DATA processed through the APPLICATION

Except for the DATA collected on the basis of the person's consent, the CLIENT may only use the DATA processed through the APPLICATION to contact the TARGETS via their professional contact details in order to offer them a product or service that is likely to provide added value to their professional activity.

9. SUSPENSION OR RESTRICTION OF ACCESS TO THE APPLICATION

NAVLEAD may suspend the APPLICATION and/or CLIENTS' access to their ACCOUNTS and SUBSCRIPTIONS, without its liability being incurred as a result, in the following cases.

Technical reasons. NAVLEAD makes its best efforts to ensure that the servers hosting the offered services are operational 24 hours a day, seven days a week, subject to the occurrence of a force majeure event, an event beyond NAVLEAD's control, or maintenance and servicing periods, update operations and exceptional interruptions.

The CLIENT acknowledges that networks have varying transmission capacities and their own usage policies, and that no one can guarantee the proper functioning of the Internet as a whole.

The CLIENT agrees to bear, within the reasonable limits of NAVLEAD's diligence, risks of imperfection or unavailability of the services (examples: accessibility of content, page display time).

Legal reasons: In the event of a legislative amendment or an enforceable order from a judicial or administrative authority where non-compliance would be sanctioned, preventing or limiting the operation of the APPLICATION by NAVLEAD.

Reasons related to the CLIENT. NAVLEAD may restrict or suspend the SUBSCRIPTION of a CLIENT in the event of a legitimate reason, namely:

- Serious breach by the CLIENT of any of the clauses of these GENERAL TERMS,
- Proven suspicion of an offense or attempted offense committed by the CLIENT or in which the CLIENT participated and which could involve or affect the APPLICATION,
- Proven infringement of NAVLEAD's or third parties' intellectual property rights,
- Proven breach of the Personal Data Protection Charter.

In the event of a decision on access restriction or suspension, the CLIENT will be informed in writing with 10 (ten) days' notice, except in one of the following cases where the decision applies immediately and without notice:
- The concerned CLIENT has waived the notice period, by means of a written declaration or a clear positive act,
- NAVLEAD is responding to a legal or regulatory obligation in a way that does not allow it to comply with the notice period,
- NAVLEAD exercises a right of termination for a compelling reason provided for by national law in accordance with European Union law,
- In the event of a sufficiently serious breach of its obligations by the CLIENT making it impossible to continue the SUBSCRIPTION,
- Repeated breaches of the GENERAL TERMS by the CLIENT,
- When the restriction or removal of access without notice is due to a third party beyond NAVLEAD's control,
- In the case of a legitimate reason.

10. INTELLECTUAL PROPERTY

The APPLICATION, as well as all the elements composing it, namely the codes, preparatory design material, technical user documentation, graphic interface, incorporated multimedia elements, the name, including the EXTENSION, are the exclusive property of NAVLEAD and are protected as such by moral and economic copyright.

By contracting a SUBSCRIPTION, the CLIENT is granted a simple license to use the APPLICATION within the limits of the terms and conditions herein.

No other intellectual property right or any other right arises for the CLIENT from the SUBSCRIPTION or the use of the APPLICATION.

Any reproduction or representation, in whole or in part, of the APPLICATION or any of its elements, without the express, written, and prior authorization of NAVLEAD, is strictly prohibited and may constitute an infringement sanctioned by the Intellectual Property Code, liable to legal proceedings and/or sanctions, in particular civil, criminal or administrative, without prejudice to any damages, including indirect and intangible ones.

11. LIABILITY - LIMITATIONS

Responsibility for processed data: the CLIENT is solely responsible for the DATA processed through the APPLICATION. NAVLEAD's role is exclusively limited to providing a tool for organizing, managing, storing, modifying, sharing, operating and/or downloading said DATA. Consequently, NAVLEAD is not responsible for the quality, accuracy, updating and more generally the content of the DATA that the APPLICATION makes it possible to process.

Absence of guarantee: NAVLEAD, as well as its subsidiaries and agents, make no declaration and offer no guarantee as regards the adequacy, reliability, availability, visibility, speed, security, accuracy or completeness of the SUBSCRIPTION, the DATA processed through the APPLICATION, the content and services of the APPLICATION. Some DATA is protected by technical means on the internet, or made unavailable or invisible by the TARGET itself. Access to the APPLICATION shall in no case be interpreted as a guarantee by NAVLEAD as to the availability of the DATA of the TARGETS, and NAVLEAD's responsibility may not be engaged in the event of total or partial unavailability on the internet of the DATA regarding the TARGETS or of any other information that the APPLICATION makes it possible to process.

Limitations due to third parties: When the APPLICATION processes DATA collected by the CLIENT from the LinkedIn Sales Navigator service or any other similar service, the processing capacities of said DATA by the APPLICATION in type, volume and frequency depend on the settings of said services and the limits of the CLIENT's subscription to said services, which the CLIENT expressly accepts.

Non-responsibility: NAVLEAD may not be held liable in the event of total or partial, temporary or permanent inaccessibility of the APPLICATION or in the event of difficulties in using the APPLICATION, when this results from restrictions emanating from or affecting LinkedIn services, or from an incident affecting LinkedIn or Sales Navigator or the internet browser or the CLIENT's computer environment on which the APPLICATION operates, or when this results from the termination of the CLIENT's subscription to LinkedIn services or any other online service.

Guarantee by the CLIENT: in the event the liability of NAVLEAD is engaged, due to an act committed by the CLIENT or its USERS, they undertake to fully guarantee NAVLEAD against any legal proceedings or conviction, for any type of damages and indemnification.

Exclusion of indirect and immaterial damages: NAVLEAD may never be held liable for any indirect and/or immaterial damages possibly suffered by the CLIENT and/or its USERS related to the use of the APPLICATION or in connection with it.

Limit of liability: the liability of NAVLEAD is in all situations limited to the amount of the SUBSCRIPTION Price paid by the CLIENT from the date of its subscription until the moment when NAVLEAD's liability is incurred.

12. FORCE MAJEURE

Neither Party shall be held liable to the other Party in case of failure, in whole or in part, to perform any of its obligations when such failure is the result of a force majeure event or a fortuitous event, such as, but not limited to: natural disaster, war, sabotage, terrorism, insurrection, riots or any other act of civil disobedience, act or requirement of any person exercising governmental authority, court decision directly affecting the performance hereof, strike, boycott, epidemic, pandemic.

13. INDEPENDENCE OF ARTICLES

If any provision of these terms and conditions is declared null or inapplicable, this will not affect the other provisions which will remain valid and applicable between the Parties.

14. MODIFICATION OF THE GENERAL TERMS

NAVLEAD may unilaterally modify these GENERAL TERMS by providing a minimum of 5 (five) calendar days' notice, it being specified that the notice period shall not apply when the necessity to make the change without respecting the notice period arises from a legal, regulatory, or judicial obligation incumbent upon NAVLEAD, or when such modification is exceptionally necessary to address an unforeseen or imminent danger in order to protect the APPLICATION and/or the CLIENT against fraud, malware, spam, data breaches, or other security risks.

15. NOTIFICATIONS – DISPUTES – APPLICABLE LAW

The GENERAL TERMS and the SUBSCRIPTION are governed by French law.

The CLIENT may notify NAVLEAD of any question, dispute, or report regarding the use and operation of the APPLICATION in writing, in French and/or English, at the following address: contact@navlead.com or by registered mail to NAVLEAD's postal address indicated hereinabove.

Any dispute between NAVLEAD and a CLIENT, relating to the negotiation, the formation, the interpretation, the performance, the termination of the SUBSCRIPTION, or in connection therewith, shall be subject to an attempt at amicable settlement initiated by the most diligent party and notified in writing to the other party. Failing amicable settlement within a period of 3 (three) months from the attempt by one Party towards the other Party, the dispute shall fall under the jurisdiction of the Commercial Court of Paris.


ANNEX 1
STANDARD CONTRACTUAL CLAUSES

1. Purpose and scope

The purpose of these standard contractual clauses (hereinafter the "Clauses") is to ensure compliance with Article 28, paragraphs 3 and 4, of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation (hereinafter the "GDPR")).

The data controller and processor listed in Annex I have agreed to these Clauses in order to ensure compliance with the provisions of Article 28, paragraphs 3 and 4, of the GDPR.

These Clauses apply to the processing of personal data as specified in Annex II.

Annexes I to IV form an integral part of the Clauses.

These Clauses are without prejudice to the obligations to which the data controller is subject under the GDPR.

The Clauses alone are not sufficient to ensure compliance with obligations relating to international transfers in accordance with Chapter V of the GDPR.

2. Invariability of the Clauses

The parties undertake not to modify the clauses, except for adding information to the annexes or updating the information contained therein.

However, the parties are not prevented from including the standard contractual clauses defined in these clauses in a broader contract, nor from adding other clauses or supplementary safeguards, provided that these do not contradict, directly or indirectly, the clauses or undermine the fundamental rights and freedoms of data subjects.

3. Interpretation

Where these Clauses use terms that are defined in the GDPR, those terms shall have the same meaning as in that Regulation.
These clauses shall be read and interpreted in the light of the provisions of the GDPR.
These clauses shall not be interpreted in a way that conflicts with the rights and obligations provided for by the GDPR or in a way that infringes the freedoms or fundamental rights of the data subjects.

4. Hierarchy

In the event of contradiction between these clauses and the provisions of related agreements existing between the parties, existing at the time these clauses are agreed or entered into thereafter, these clauses shall prevail.

5. Description of processing operations

The details of the processing operations, in particular the categories of personal data and the purposes of the processing for which the personal data is processed on behalf of the controller, are specified in Annex II.

6. Obligations of the parties

6.1 Instructions

The processor shall process personal data only on documented instructions from the controller, unless required to do so by Union or Member State law to which the processor is subject; in this case, the processor shall inform the controller of that legal requirement before processing, unless the law prohibits such information on important grounds of public interest. Instructions may also be given by the controller throughout the duration of the processing of personal data. These instructions shall always be documented. An instruction given through the APPLICATION is considered documented.

The processor shall immediately inform the controller if, in the processor's opinion, an instruction given by the controller infringes the GDPR or other Union or Member State data protection provisions.

6.2 Purpose limitation

The processor shall process personal data only for the specific purpose(s) of the processing as set out in Annex II, unless further instructed by the controller.

6.3 Duration of the processing of personal data

Processing by the processor shall only take place for the duration specified in Annex II.

6.4 Security of processing

The processor shall implement at least the technical and organizational measures specified in Annex III to ensure the security of personal data. These measures shall include the protection of data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data (personal data breach). When assessing the appropriate level of security, the parties shall take due account of the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk for data subjects.

The processor shall grant access to personal data processing only to members of its personnel who are strictly necessary for the performance, management and monitoring of the contract. The processor shall ensure that persons authorized to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

6.5 Sensitive Data

If the processing involves personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, as well as genetic data or biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation, or data relating to criminal convictions and offences ('sensitive data'), the processor shall apply specific restrictions and/or additional safeguards.

It is specified that the APPLICATION does not allow the processing of sensitive data.

6.6 Documentation and compliance

The parties shall be able to demonstrate compliance with these Clauses.

The processor shall deal promptly and adequately with inquiries from the controller regarding data processing in accordance with these Clauses.

The processor shall make available to the controller all information necessary to demonstrate compliance with the obligations laid down in these Clauses and directly arising from the GDPR. At the request of the controller, the processor shall also permit and contribute to audits of the processing activities covered by these Clauses, at reasonable intervals or if there are indications of non-compliance. When deciding on a review or audit, the controller may take into account relevant certifications held by the processor.

The controller may choose to conduct the audit itself or mandate an independent auditor. Audits may also include inspections at the premises or physical facilities of the processor and shall, where appropriate, be carried out with reasonable notice.

The parties shall make available to the competent supervisory authority/ies, upon request, the information referred to in this Clause, including the results of any audit.

6.7 Use of sub-processors

GENERAL WRITTEN AUTHORIZATION: The data processor has the general authorization of the data controller to recruit subsequent processors on the basis of an agreed list. The data processor shall specifically inform the data controller in writing of any planned changes to this list by adding or replacing subsequent processors at least 10 (ten) days in advance, thus giving the data controller sufficient time to object to these changes before the recruitment of the subsequent processor(s) concerned. The data processor provides the data controller with the information necessary to enable it to exercise its right of objection.

When the processor engages a sub-processor to carry out specific processing activities (on behalf of the controller), it does so by means of a contract which imposes on the sub-processor, in substance, the same data protection obligations as those imposed on the data processor under these clauses. The data processor ensures that the sub-processor complies with the obligations to which it is itself subject under these clauses and the GDPR.

At the request of the controller, the processor provides it with a copy of this contract entered into with the sub-processor and any subsequent amendments thereto, with the exception of the provisions which are not relevant to the protection of personal data (such as financial provisions, etc.). To the extent necessary to protect trade secrets or other confidential information, including personal data, the data processor may redact the text of the contract prior to disclosing a copy.

The data processor shall remain fully liable to the data controller for the performance of the sub-processor's obligations in accordance with the contract concluded with the sub-processor. The processor informs the controller of any failure by the sub-processor to fulfil its contractual obligations.

The processor shall agree with the sub-processor to a third-party beneficiary clause according to which — in the event that the processor has materially disappeared, ceased to exist legally or become insolvent — the controller has the right to terminate the contract concluded with the sub-processor and to instruct the sub-processor to erase or return the personal data.

6.8 International transfers

Any transfer of data to a third country or an international organization by the processor shall only take place on the basis of documented instructions from the controller or in order to meet a specific requirement under Union or Member State law to which the processor is subject and shall be carried out in accordance with Chapter V of the GDPR.

The controller agrees that where the processor engages a sub-processor pursuant to Clause 6.7 for carrying out specific processing activities (on behalf of the controller) and those processing activities involve a transfer of personal data within the meaning of Chapter V of the GDPR, the processor and the sub-processor can ensure compliance with Chapter V of the GDPR by using standard contractual clauses adopted by the Commission on the basis of Article 46(2) of the GDPR, provided that the conditions for the use of such standard contractual clauses are met.

7. Assistance to the controller

The processor shall promptly inform the controller of any request it has received from the data subject. It shall not act on the request itself unless authorized to do so by the controller.

The processor shall assist the controller in fulfilling its obligation to respond to requests from data subjects exercising their rights, taking into account the nature of the processing. In fulfilling its obligations under the preceding paragraphs, the sub-processor shall follow the controller's instructions.

In addition to the processor's obligation to assist the controller under Clause 8(b), the processor shall further assist the controller in ensuring compliance with the following obligations, taking into account the nature of the processing and the information available to the processor:

- The obligation to carry out an assessment of the impact of the envisaged processing operations on the protection of personal data ('data protection impact assessment') where a type of processing is likely to result in a high risk to the rights and freedoms of natural persons;
- The obligation to consult the competent supervisory authority(ies) prior to the processing where a data protection impact assessment indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk;
- The obligation to ensure that personal data is accurate and up to date, by informing the controller without delay if the processor becomes aware that the personal data it is processing is inaccurate or has become obsolete;
- The obligations laid down in Article 32 of the GDPR.

The parties shall lay down in Annex III the appropriate technical and organizational measures by which the processor is required to assist the controller in the application of this clause, as well as the scope and the extent of the assistance required.

8. Notification of personal data breaches

In the event of a personal data breach, the subprocessor shall cooperate with the controller and assist them in complying with their obligations under Articles 33 and 34 of the GDPR, taking into account the nature of the processing and the information available to the subprocessor.

8.1 Data breach related to data processed by the data controller

In the event of a personal data breach related to data processed by the controller, the processor shall assist the data controller:

a. For the purpose of notifying the personal data breach to the competent supervisory authority/authorities, without undue delay after the data controller becomes aware of it, where applicable (unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons);

b. For the purpose of obtaining the following information which, pursuant to Article 33(3) of the GDPR, must be included in the controller's notification and shall include at least:

1. the nature of the personal data including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;

2. the likely consequences of the personal data breach;

3. the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

Where, and in so far as, it is not possible to provide all the information at the same time, the initial notification shall contain the information available at that time and further information shall be provided subsequently without undue delay as it becomes available;

c. For the purpose of complying with the obligation, pursuant to Article 34 of the GDPR, to communicate the personal data breach to the data subject without undue delay, when the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons.

8.2 Data breach related to data processed by the subprocessor

In the event of a personal data breach related to data processed by the subprocessor, the latter shall inform the controller as soon as possible after becoming aware of it. This notification shall contain at least:

1. A description of the nature of the breach (including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned);
2. The details of a contact point from whom more information about the personal data breach can be obtained;
3. Its likely consequences and the measures taken or proposed to be taken to address the breach, including, where appropriate, measures to mitigate its possible adverse effects.

Where, and in so far as, it is not possible to provide all the information at the same time, the initial notification shall contain the information available at that time, and further information shall be provided subsequently without undue delay as it becomes available.

The parties shall set out in Annex III any other elements that the processor must communicate when assisting the controller in fulfilling the obligations incumbent on the latter pursuant to Articles 33 and 34 of the GDPR.

9. Breach of the Clauses and termination

a. Without prejudice to the provisions of the GDPR, in the event the processor is in breach of its obligations under these Clauses, the controller may instruct the processor to suspend the processing of personal data until the processor has complied with these Clauses or until the contract is terminated. The processor shall promptly inform the controller if it is unable to comply with these clauses for any reason.

b. The controller shall be entitled to terminate the contract insofar as it concerns the processing of personal data in accordance with these clauses if:
(i) the processing of personal data by the data processor has been suspended by the data controller pursuant to point (a) and compliance with these clauses is not restored within a reasonable time and, in any event, within one month of suspension;
(ii) the processor is in substantial or persistent breach of these clauses or its obligations under the GDPR;
(iii) the processor fails to comply with a binding decision of a competent court or the competent supervisory authority/ies regarding its obligations under these clauses or the GDPR.

c. The processor shall be entitled to terminate the contract insofar as it concerns the processing of personal data under these clauses where, after informing the controller that its instructions infringe applicable legal requirements in accordance with Clause 7.1, second paragraph, the data controller insists on compliance with its instructions.

d. Following the termination of the contract, the processor shall, at the choice of the data controller, delete all personal data processed on behalf of the controller and certify to the controller that it has done so, or return all personal data to the data controller and destroy existing copies unless Union or Member State law requires further storage. The processor shall continue to ensure compliance with these clauses until the data is deleted or returned.

ANNEX I
List of parties

Data controller(s): the CLIENT, whose contact details are those provided in his/her ACCOUNT at the time of SUBSCRIPTION to the APPLICATION. Contact person: legal representative of the CLIENT.

Processor: NAVLEAD, whose contact details are set out at the beginning of the GENERAL TERMS. Contact person: Mr. Ali CHADDAD, contact@navlead.com

Sub-processor:
- Webflow, for the purposes of hosting the NAVLEAD website, privacy@webflow.com
- Amazon Web Services, for the purposes of hosting the NAVLEAD APPLICATION, aws-EU-privacy@amazon.com
- SCALEWAY, for the purposes of hosting the NAVLEAD APPLICATION, privacy@scaleway.com
- DataImpulse, for the purposes of secure online navigation on companies’ websites, info@dataimpulse.com
- STRIPE, for the purposes of online payment of the SUBSCRIPTION price, privacy@stripe.com

ANNEX II
The Description of the processing, the Categories of data subjects, the Categories of personal data processed, the Nature of the processing and the Purpose(s) for which the personal data are processed on behalf of the controller, are specified in Article 5 of the GENERAL TERMS AND CONDITIONS and in Article 4 of the Personal Data Protection Charter.

Duration of processing: in accordance with Article 8 of the Personal Data Protection Charter.

ANNEX III
Technical and organizational measures, including technical and organizational measures to ensure the security of data and the relationship with sub-processors:
- measures intended to guarantee the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- measures ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
- procedures for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing;
- CLIENT identification and authorization measures;
- data protection measures during transmission;
- data protection measures during storage;
- measures intended to guarantee the physical security of sites where personal data are processed;
- measures intended to guarantee the logging of events;
- measures intended to ensure the configuration of systems, including default configuration;
- measures for governance and management of internal IT and IT security;
- product insurance measures;
- measures intended to guarantee data minimization;
- measures intended to guarantee data quality;
- measures intended to guarantee limited data retention;
- measures intended to guarantee accountability;
- measures enabling data portability and guaranteeing erasure;
- entering into specific contracts with subsequent sub-processors.

ANNEX IV
The controller has authorized the use of the following sub-processors:
- Webflow, for the purposes of hosting the NAVLEAD website, privacy@webflow.com; Description of processing: hosting the NAVLEAD landing website
- Amazon Web Services, for the purposes of hosting the NAVLEAD APPLICATION, aws-EU-privacy@amazon.com; Description of processing: hosting the NAVLEAD APPLICATION, storage of data on servers located in France and/or in the European Union
- SCALEWAY, for the purposes of hosting the NAVLEAD APPLICATION, privacy@scaleway.com; Description of processing: hosting the NAVLEAD APPLICATION, storage of data on servers located in France and/or in the European Union
- DataImpulse, for the purposes of secure online navigation on companies’ websites, info@dataimpulse.com; Description of processing: provision of secure IP addresses
- STRIPE, for the purposes of online payment of the SUBSCRIPTION price, privacy@stripe.com; Description of processing: managing and securing customer payment operations on the application
