Confidentiality Policy

1. Our Commitment to Data Privacy

Protecting the privacy of individuals who provide us with personal information ("Personal Data") is of sincere importance to Awen and to the way we do business. To this end, we are committed to respecting data privacy legislation, and in particular the (EU) 2016/679 General Data Protection Regulation of the European Parliament and of the Council of 27 April 2016 on the protection of persons with regard to the processing of personal data (the "Applicable Law").

2. General provisions

This Privacy Policy (the "Policy") describes how Awen SAS ("Awen", "we", or "us") collects, uses, stores, shares and protects your information in connection with services offered by Awen as a data controller including, but not limited to, services provided at or using the domain awen.ai (the "Site") and/or in the future, Awen’s application (the "Application") (collectively, the "Services").

This Privacy Policy applies when you ("you", the "Customer", the "User") access, visit or use any portion of the Services.

For the purposes of this Privacy Policy:

- a "Customer" is a person who uses the application on the basis of a subscription contract,

- a "Prospect" is a person who browses the Website out of interest for the Services and/or signs up for a demo.

3. Changes to this Privacy Policy

We may amend this Privacy Policy from time to time to ensure transparency on all processing operations relating to you and your Personal Data in real-time. We may notify you of any substantial changes to this Privacy Policy, before the effective date of the changes, by sending an email or in another conspicuous manner reasonably designed to notify you.

Therefore, we recommend that you read this Policy regularly.

4. How we process your Personal Data

We collect and process information relating to you and your use of the Services. The way we handle it differs as set out below:

- Customer:

categories of personal data processed: Identification Data (name, surname, company, professional contact details, email address, phone number…). Billing and financial information (payment, refunds…). Any other information you share with us in other contexts such as customer support.

purpose of the processing: perform the Services requested under the Subscription Contract (creating, setting up and maintaining your Awen Account…); assist you with using the Services through our Customer Support; contact you in order to invite you to our webinars, keep you updated with our newest features or any other commercial communication; manage our commercial relationship with you (contracts, invoice…); manage unpaid debts and litigation; respond to any requests from public authorities; combat money laundering or terrorist financing.

Legitimate basis: The performance of the Subscription Contract to which you are party. Compliance with our legal obligations. Your consent if so granted to receive our marketing emails or Awen's legitimate interest in sending marketing emails.

- Prospect:

categories of personal data processed: Name, surname, job position, email address.

purpose of the processing: Contact you for a demo and send marketing communication.

Legitimate basis: Your consent if you have expressly consented to Awen contacting you (for example when completing the demo request on our Site) or if you have consented to a third party transmitting your data to its business partners of which Awen is a part; or Awen's legitimate interest, in particular when contacting new business partners.

- Browsing the Site and/or the Application:

categories of personal data processed: strictly necessary cookies, preference cookies, statistic cookies, marketing cookies.

purpose of the processing: ensure proper functioning of the service; store information already entered and personalize and optimize your experience on our Website; help us understand how the Services are used and anonymously report this information; track your use of the Services and help us improve your user experience.

Legitimate basis: Your Consent when you agree to use cookies on the Services.

6. How long will we retain your Personal Data?

Your Personal Data will be handled in accordance with this Policy as long as it is needed in order to:

- perform the Services;

- provide you with personalized Services;

- comply with the law and namely prevent fraud, collect any fees owed, resolve disputes, troubleshoot problems, assist with any investigation and take other actions permitted by law.

Therefore, Awen shall only retain your personal data for the following periods:

- Customer:

categories of personal data processed: Identification data (name, surname, email address etc…); any contractual document entered into by you and Awen; billing and financial information (payment, refunds…).

retention period: 6 years after termination of the Contract

Reason for retention period: to make statistics and more generally for evidentiary purposes, given that most claims are subject to a 6-year statute of limitations.

- Prospect:

categories of personal data processed: Prospect information (name, surname, contact details, request for a demo…).

retention period: 3 years or upon request from the data subject for data to be deleted, whichever is sooner

Reason for retention period: to make statistics, to give you access to a demo account and otherwise contact you.

- Browsing the Site / Application:

categories of personal data processed: cookies

retention period: 13 months after they were first installed on your terminal

Reason for retention period: allow proper functioning of the Services

When we have no ongoing legitimate business need to process your personal data, we will delete it as soon as it is technically possible.

7. Do we share your personal data with any third parties?

In connection with the use of the Services, some of your Personal Data may be processed by Third Parties for the purpose of carrying out some of the processing operations listed above.

7.1. Third Party Service Providers

We may disclose your personal data to third-party service providers (the "Subprocessors"). When we do so, we make sure to work only with companies that safeguard and protect your personal data and comply with the Applicable Law in the same way that we do. Therefore, in accordance with Article 28 of the UK GDPR, access to your Personal Data by our Subprocessors is subject to the signature of a written agreement which allows us to monitor and control the way our Subprocessors handle your personal data.

7.1.a. Operational Services

Subprocessors:

- CloudFlare:

categories of data: all data

purpose: for hosting & back-up purposes

- Descope:

categories of data: e-mails

purpose: for SSO user authentication

- Replicate Inc:

categories of data: image-based data, only if the user chooses to train Awen on image-based data for the purpose of Awen’s image-based features

purpose: customizing Awen’s products to generate customized image content

7.1.b. Productivity Tools

Subprocessors:

- Google Suite:

categories of data: name, email address and any other personal data you share with us when contacting us via mail.

purpose: To manage our emails and daily operations.

- Notion:

categories of data: name, e-mail address

purpose: for bug management purposes

7.1.c. Accounting

- ACL audit:

categories of data: identification information and any financial or billing information related to invoices and payments.

purpose: to make sure payments and invoices are in order and to comply with legal requirements.

7.2. Other Recipients

In addition to our Subprocessors, your Personal Data may be disclosed to independent contractors in order to perform part of the Services.

- independent contractors

categories of data: the data strictly necessary for them to perform their duties.

purpose: to perform part of the services

8. Where do we store your Personal Data?

The Personal Data we process is stored by our hosting provider CloudFlare on servers located within the European Union.

In order to perform the Services, we may transfer some of your Personal Data to third party service providers located or using servers located outside the European Union (the "EU") and the European Economic Area (the "EEA"). In such a case, we make sure that:

- they are located in a country considered as having an adequate level of protection by the European Union in terms of personal data; or,

- if located in the United States:

- they abide by contractual provisions ensuring an equivalent level of protection of your Personal Data (such as standard contractual clauses established by the European Commission).

9. How do we protect your Personal Data?

Awen, as the processor, has a range of technical and organisational measures to minimise the risk to Personal Data and ensure ongoing confidentiality, integrity, availability, and resilience of processing systems including:

9.1. Encryption

9.1.1 End-to-end encryption

The Processor ensures that all data transferred between the Processor and the Controller is encrypted using end-to-end encryption. This means that data is protected from unauthorized access during transit.

9.1.2 At-rest encryption:

The Processor stores all data in encrypted format on disk. This ensures that in case of unauthorized physical access to the storage media, data cannot be accessed without proper authorization.

9.2. The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services, Art. 32 para 1 point b GDPR.

Confidentiality and integrity are ensured by the secure processing of personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage.

9.2.1 Confidentiality

9.2.1.1 System/Electronic access control

Measures that prevent data processing systems from being used without authorization, including: user authentication by simple authentication methods (using username/e-mail); secure transmission of credentials using networks (using TLS and SSL); automatic account locking; guidelines for handling access; definition of authorized persons.

9.2.1.2 Internal Access Control

The Processor has implemented access control policies and procedures to ensure that only authorized personnel can access the data. This includes user authentication, role-based access control, and monitoring of access logs.

9.2.1.3 Isolation/Separation Control

Measures to ensure that data collected for different purposes can be processed (storage, amendment, deletion, transmission) separately, including: Network separation; Segregation of responsibilities and duties.

9.2.1.4 Job Control

The Processor implements job control policies and procedures to ensure that access to data is only granted to authorized personnel for legitimate business purposes. This includes segregation of duties, regular review of user access, and monitoring of user activities.

9.2.2 Integrity

9.2.2.1 Data transmission control

Measures are in place to ensure that personal data cannot be read, copied, modified or removed without authorization during electronic transmission or transport. This includes the use of industry-standard encryption protocols such as Transport Layer Security (TLS) for secure transmission between the client and server and to external systems.

9.2.2.2 Data input control

Measures that ensure that it is possible to check and establish whether and by whom personal data have been input into data processing systems, modified or removed, including: Logging authentication and monitored logical system access; Logging of data access including, but not limited to access, modification, entry and deletion of data; and Documentation of data entry rights and partially logging security related entries.

9.2.3 Availability and Resilience of Processing Systems and Services

The Processor has implemented measures to ensure the availability and resilience of processing systems and services, which protect personal data from accidental destruction or loss due to internal or external influences, and can withstand attacks or recover quickly after an attack. These measures include regular backup of data, implementation of transport policies, and protection of stored backup media.

Data backup is performed every month, and the data is stored on encrypted hard drives. The retained data is subject to the subscription duration of the user, which means it is kept as long as the user is subscribed to the platform. The Processor ensures that backed-up data is protected from unauthorized access and other security breaches according to EU regulations.

9.3. Data stored in servers in the EU and respect EU regulations on information security

The Processor ensures that all data is stored in servers located within the European Union and is subject to European Union regulations on information security. This means that the data is protected from unauthorized access and other security breaches according to EU regulations.

9.4. The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident

The Processor implements procedures to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident.

9.5. A process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing

The Processor regularly tests, assesses, and evaluates the effectiveness of technical and organizational measures for ensuring the security of the processing. These measures include regular software updates, use of encryption for data in transit and at rest, access control to limit access to authorized personnel, and periodic backups to ensure availability and resilience of the processing systems and services. Additionally, the Processor retains personal data as long as the user is subscribed to the platform.

10. Your rights

Unless stated otherwise by the Applicable Law or any other legal provision or applicable regulations, you may exercise the following rights:

- Right to access: the right to be informed and to request access to your Personal Data;

- Right to data portability: the right to request a copy of your Personal Data in a structured and machine-readable format in order to hand it over to a third party;

- Right to rectification: the right to ask us to modify or update inaccurate or incomplete Personal Data;

- Right to erasure (right to be forgotten): the right to ask us to permanently delete Personal Data when the data subject considers that we no longer have any reason to collect/process it;

- Right to restriction of processing: the right to ask us to temporarily stop the processing of all or part of the Personal Data;

- Right to object: the right to object at any time, for reasons related to the situation of the data subject, to the processing of Personal Data concerning him/her having as its legal basis the pursuit of a legitimate interest. Unless we demonstrate a legitimate and compelling interest justifying such processing, we will no longer process the Personal Data concerned;

- Right to decide the fate of your data after death: the right to specify the fate that you wish to reserve for your Personal Data in the event of death;

- Right to file a complaint with the supervisory authority or to get compensation from the competent courts.

To exercise your rights, please send your request directly to us: thibault@awen.ai.

In accordance with Applicable Regulations, we will ask you to prove your identity.

11. Contact the competent supervisory authority

We remind you that you have the possibility to file a complaint with the competent supervisory authority. In France, this authority is the Commission Nationale de l'Informatique et des Libertés (CNIL), whose website address is:

https://www.cnil.fr