DPA Support Light — scoped art.28
Scoped to 72h emergency support interventions only. Applies during the intervention, returns to strict disconnected mode outside. Art.28 §3 a-h clauses, prior written instruction, 12-month intervention log.
DPA-Support Light — template clauses
Article 1 — Subject matter and duration
This DPA applies exclusively during 72h emergency support interventions performed by Natalia SAS (the "Processor") on the Software deployed on the infrastructure of the Customer (the "Controller"). The DPA is activated by an intervention authorisation signed by the Controller and ends with the closing of the intervention ticket.
Article 2 — Nature and purpose of the processing
Diagnosis and resolution of a critical incident identified by the Controller in the operation of the Software, scoped to the perimeter described in the Controller authorisation. No analytical processing is carried out as part of the intervention.
Article 3 — Categories of data and data subjects
Strictly limited to the categories of personal data necessary to diagnose the incident: typically structured log entries, configuration files, anonymised stack traces. No call audio, no exhaustive list of phone numbers, no exhaustive list of employees. The data subjects are the natural persons whose CDR or accounts are involved in the incident perimeter.
Article 4 — Obligations of the Processor (art.28 §3 GDPR)
(a) Documented written instruction. The Processor acts solely on documented written instruction from the Controller, materialised by the intervention authorisation. Any change in perimeter during the intervention is subject to a new written authorisation.
(b) Confidentiality commitment. The Processor ensures that the persons authorised to access the data are bound by an obligation of confidentiality covered by their employment contract or a dedicated agreement.
(c) Security measures. The Processor implements appropriate technical and organisational measures: end-to-end encryption of the temporary access channel, individual authentication of the operators, immutable intervention log, restriction of access to the operators involved in the ticket.
(d) Sub-processor authorisation. The Processor uses no sub-processor in this scope without prior written authorisation from the Controller. Where an integrator partner (SN2O) is involved, the Controller is informed in advance and the partner signs a back-to-back DPA.
(e) Assistance with rights requests. The Processor assists the Controller in fulfilling the data subjects' rights, to the extent of the data accessed during the intervention.
(f) Assistance with security obligations. The Processor assists the Controller in fulfilling its obligations under art.32 to 36 GDPR, in particular notification of a personal data breach within 48h after detection.
(g) Deletion or return of data. At the end of the intervention, the Processor deletes the technical artifacts accessed within 30 days, with the exception of the structured intervention log kept for 12 months for audit purposes. A deletion certificate is issued on the Controller's request.
(h) Information and audit. The Processor makes available to the Controller, on written request, the elements necessary to demonstrate compliance with this DPA (intervention log, security measures applied). An audit may be carried out once per year by an independent third party designated by the Controller, subject to 30 days' prior notice.
Article 5 — Intervention log
For each intervention, the Processor maintains an immutable structured log containing: date and time, ticket reference, identified operators, access perimeter, actions performed, data accessed (category and volume), outcome. The log is shared with the Controller upon ticket closure and kept by both Parties for 12 months.
Article 6 — Return to strict disconnected mode
At the end of the intervention, the temporary access channel is closed by the Controller, the Software returns to strict disconnected mode, and Natalia returns to the legal qualification of software publisher described in the on-premise GDPR page.
Article 7 — Liability
The Processor is liable for damages resulting from a breach of its art.28 obligations, within the limits of the master agreement signed between the Parties. The exclusions and caps of the master agreement apply.