The www.stoik.io website (hereinafter referred to as "the Site") and the https://app.stoik.io application (hereinafter referred to as "the Application") are operated by Stoïk, a simplified joint stock company with a capital of 58,744.60 euros, whose registered office is located at 4 rue Euler - 75008 Paris, and which is registered in the Paris Trade and Companies Register under number 900 293 887.
The version applicable to the User is the one in force on the Site and on the Application at the date of use of the Services.
Personal Data or Data: means any information relating to an identified or identifiable natural person (hereinafter referred to as "data subject"); an "identifiable natural person" is one who can be identified, directly or indirectly, in particular by reference to an identifier, such as a name, an identification number, location data, an online identifier, or to one or more factors specific to his or her physical, physiological, genetic, mental, economic, cultural or social identity;
Processing: means any operation or set of operations, whether or not carried out by automatic means, applied to Data or sets of Personal Data, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, communication by transmission, dissemination or otherwise making available, alignment or combination, limitation, erasure or destruction;
Controller: means the natural or legal person, public authority, agency or other body which alone or jointly with others determines the purposes and means of the Processing;
Processor: means the natural or legal person, public authority, department or other body that processes Personal Data on behalf of the Controller.
Stoïk is the Controller of the Processing of the Data that the User communicates to it when using the Services.
Personal Data is collected for specific, explicit and legitimate purposes.
Stoïk ensures that Personal Data are processed in an adequate, relevant and limited manner with regard to the purposes for which they are processed:
None of the Personal Data concerning the User is transmitted to third parties, with the exception of Stoïk's staff members or partners and subcontractors, solely for the purpose of carrying out the above-mentioned purposes and within the limits of the information strictly necessary for this purpose.
The User's Personal Data is stored either in Stoïk's databases or in those of its service providers, which are located within the European Union.
The User's Personal Data is not transferred outside the European Union.
The Data Protection Officer appointed by Stoïk can be contacted at the following address: email@example.com
The User may review, update, modify or request the deletion of his/her Personal Data.
If he/she has one, the User has the right to request the deletion of his/her Personal Space.
The User has the right to request the portability of his/her Personal Data, held by Stoïk, to another operator.
The User has the right to request the limitation of or to object to the Processing of his/her Personal Data by Stoïk, without Stoïk being able to refuse, unless it can demonstrate the existence of legitimate and compelling reasons that may override the interests and rights and freedoms of the User.
The User may, subject to the production of valid proof of identity, exercise his/her rights by contacting the Stoïk Data Protection Officer by email at firstname.lastname@example.org.
In order for Stoïk to comply with the request, the User is required to provide the following information: their first and last names as well as the e-mail address used on the Site or the Application.
Stoïk is required to respond to the User within 30 days.
If the User believes, after contacting Stoïk, that his/her rights have not been respected, he/she may submit a complaint to a supervisory authority.
The supervisory authority in charge of the Processing carried out by Stoïk is the Commission Nationale de l'Informatique et des Libertés (CNIL).
When performing the vulnerability scan service, Stoïk acts as a Processor within the meaning of the regulations in force applicable to the Processing of Personal Data, and solely on the instructions of the Company acting via the User, which acts as the Data Controller.
Stoïk is authorized to process on behalf of the Company the Personal Data necessary to provide the following service: external vulnerability scan to identify all the vulnerabilities of the Company's technological data and to propose an insurance contract.
Stoïk is committed to:
1. Process the Data only for the purposes described in I. I., namely the identification, analysis and presentation to the User of the vulnerabilities of the Company's technological data, revealed through the vulnerability scan, and the adjustment of prices based on identified persistent vulnerabilities.
3. Guarantee the confidentiality of the Personal Data processed in the context of the vulnerability scan.
4. Ensure that persons authorized to process Personal Data under this Agreement:
• are committed to confidentiality or are subject to an appropriate legal obligation of confidentiality;
• receive the necessary training in the protection of personal data.
5. Take into account the principles of data protection by design and data protection by default for its tools, products, applications or services.
Stoïk is authorized to use the following entities to conduct the Processing activities described below (hereinafter, the "Subsequent Processors"):
• Amazon Web Services: Hosting Personal Data;
• Google Cloud Platform: Hosting Personal Data;
• Stripe: Payment services;
• HelloSign: Signature services.
Subsequent Processors are required to comply with the obligations of this contract on behalf of and according to the instructions of the Company. It is Stoïk's responsibility to ensure that Subsequent Processors present the same sufficient guarantees regarding the implementation of appropriate technical and organizational measures so that the Processing meets the requirements of the European Data Protection Regulation. If Subsequent Processors do not fulfil their data protection obligations, Stoïk remains fully responsible to the Company for the Subsequent Processors' performance of their obligations.
It is the Company's responsibility to provide information to the persons concerned by the Processing operations.
It is the responsibility of the Company, in its capacity as Data Controller, to obtain any necessary consent from the natural persons concerned, in correlation with the purposes of the Processing pursued.
The persons whose Data have been collected must assert their rights directly to the Company, which, after studying the admissibility of the request, undertakes to comply with it within the regulatory time limits.
Insofar as possible, Stoïk shall assist the Company in fulfilling its obligation to respond to requests to exercise the rights of data subjects.
When the persons concerned make requests to Stoïk to exercise their rights, Stoïk must send these requests as soon as they are received by e-mail to the contact address given on the User's Personal Space.
Stoïk shall notify the Company of any violation of Personal Data within a maximum of 24 hours of becoming aware of it, via the contact address provided on the User's Personal Space.
This notification shall be accompanied by any useful documentation to enable the Company, if necessary, to notify the competent supervisory authority of the breach.
It is the Company's responsibility to alert, if necessary, the competent supervisory authority and/or the persons concerned, and to comply with its obligations under the GDPR.
Stoïk assists the Company in carrying out data protection impact assessments.
Stoïk assists the Company in carrying out the prior consultation with the supervisory authority.
Stoïk undertakes to put in place all the necessary means to ensure the confidentiality and security of the Data, so as to prevent their damage, deletion or access by unauthorised third parties.
Stoïk's technical and organizational measures are as follows:
Through the employment contract, the Stoïk employee undertakes to respect the rules and procedures in force in the company, particularly with regard to:
• Professional secrecy;
• Professional and loyal behaviour towards the company.
All Stoïk employees arriving on the project are made aware of security. A presentation of the objectives, individual roles and responsibilities and the security procedures related to the project is made.
The security of information and access is managed by the system administrators. They create nominative access with strong passwords for all the tools used by Stoïk.
The security policy for passwords applied to accounts complies with the recommendations of the CNIL.
Access to Stoïk's premises is reserved for authorised persons only.
Stoïk's premises are protected by an anti-intrusion alarm.
The premises are also equipped with a video surveillance system. The video surveillance data is kept for 1 month.
Each Stoïk employee has his own workstation.
The workstations are protected primarily by a user/password authentication generated by the system administrators.
Stoïk employees are made aware of the security rules by the system administrators when they are given their computers. Each employee has administrator rights on his/her computer in order to be able to configure or install additional software required for the execution of their missions.
Passwords are Personal and Confidential Data, they must be sufficiently strong, and must not be disclosed or left unprotected.
Any computer given to a Stoïk employee must have been formatted beforehand in the event of a handover, and also if the equipment is new and the operating system installed does not correspond to what has been defined by the system administrators.
The maintenance of any computer is done on Stoïk's premises whenever possible. Where maintenance agents are brought in to carry out repairs or modifications, they are welcomed and supervised on Stoïk's premises.
Stoïk is committed to:
• Not to make any copies of the documents and data carriers entrusted to it, except those necessary for the performance of the service;
• Not to use the processed documents and information for purposes other than those defined by the Company;
• Not to divulge this information to other persons, whether private or public, natural or legal persons, for the duration of the service.
At the end of the services provided in relation to the Processing of this Data, Stoïk undertakes to destroy all personal Data relating to the Company and the User, with the exception of those whose retention beyond the contractual relationship is authorized by law, by the legitimate interests of Stoïk or by the Company and the User.
Once the Data has been destroyed, Stoïk must justify the destruction in writing.
The Stoïk Data Protection Officer can be contacted at the following address: email@example.com
Stoïk declares that it keeps a written record of all Processing activities carried out on behalf of the Company including:
• The name and contact details of the Company on whose behalf it is acting, the identification data of the User, any sub-processors and the Data Protection Officer;
• The categories of Processing carried out on behalf of the Company;
• As far as possible, a general description of the technical and organisational security measures.
Stoïk shall make available to the Company the documentation necessary to demonstrate compliance with all its obligations and to allow audits, including inspections, to be carried out by the Company or another auditor it has commissioned, and to contribute to these audits.
The Company agrees to:
• Ensure, beforehand and throughout the duration of the Processing, that Stoïk complies with the obligations set out in the European Data Protection Regulation;
• Supervise the Processing, including by conducting audits and inspections at Stoïk.