Privacy Policy

The www.stoik.io website (hereinafter referred to as "the Site") and the https://app.stoik.io application (hereinafter referred to as "the Application") are operated by Stoïk, a simplified joint stock company with a capital of 58,744.60 euros, whose registered office is located at 4 rue Euler - 75008 Paris, and which is registered in the Paris Trade and Companies Register under number 900 293 887. 

This Privacy Policy explains what Data is collected when the User uses the Services, and how it is processed.

This Privacy Policy may be amended from time to time to ensure compliance with applicable law. 

The version applicable to the User is the one in force on the Site and on the Application at the date of use of the Services.

DEFINITIONS

Terms beginning with a capital letter used in the singular or plural in the body of this Privacy Policy shall have the meanings given to them in the Terms of Use, or defined below:

Personal Data or Data: means any information relating to an identified or identifiable natural person (hereinafter referred to as "data subject"); an "identifiable natural person" is one who can be identified, directly or indirectly, in particular by reference to an identifier, such as a name, an identification number, location data, an online identifier, or to one or more factors specific to his or her physical, physiological, genetic, mental, economic, cultural or social identity;

Processing: means any operation or set of operations, whether or not carried out by automatic means, applied to Data or sets of Personal Data, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, communication by transmission, dissemination or otherwise making available, alignment or combination, limitation, erasure or destruction;

Controller: means the natural or legal person, public authority, agency or other body which alone or jointly with others determines the purposes and means of the Processing; 

Processor: means the natural or legal person, public authority, department or other body that processes Personal Data on behalf of the Controller.

PROCESSING OF PERSONAL DATA FOR WHICH STOÏK IS THE DATA CONTROLLER

Stoïk is the Controller of the Processing of the Data that the User communicates to it when using the Services.

ARTICLE I. PERSONAL DATA PROCESSED, PURPOSES OF PROCESSING AND RETENTION TIME

Personal Data is collected for specific, explicit and legitimate purposes. 

Stoïk ensures that Personal Data are processed in an adequate, relevant and limited manner with regard to the purposes for which they are processed:

Data Category
Purpose
Legal basis
Retention time
Management of requests through the contact section
Email address
Respond to User requests
The legal basis is the legitimate interest of Stoïk to provide a response to Users
email address, password, IP address, last name, first name
Management of the newsletter
Email address, name, first name
Subscription managementManagement of electronic mailings
The legal basis is the consent of the User collected during the collection of his email address
3 years from the last contact from the User or until the withdrawal of consent 
Management of Vulnerability Scan subscriptions
Email address, name, first name, postal address
Allow access to the User's personal space
The legal basis is the consent of the User obtained at the time of registration by accepting the Terms of Use and this Privacy Policy
3 years from the last activity of the User
Subscription to the insurance contract 
Email address, telephone number, full name, postal address of the Company's representative 
Follow-up of the invoicingFollow-up of the customer relationshipManagement of after-sales services, complaints
The legal basis is the execution of the insurance contract
5 years from the end of the contractual relationship
Cookies and trackers
IP address
Ensure the operation of the site
Keep the user connected
Measuring the audience
The legal basis is the legitimate interest for the strictly necessary cookies and the consent for the others
See Cookie Policy
Processing

ARTICLE II. RECIPIENTS OF PERSONAL DATA

None of the Personal Data concerning the User is transmitted to third parties, with the exception of Stoïk's staff members or partners and subcontractors, solely for the purpose of carrying out the above-mentioned purposes and within the limits of the information strictly necessary for this purpose.

The User's Personal Data is stored either in Stoïk's databases or in those of its service providers, which are located within the European Union.

The User's Personal Data is not transferred outside the European Union.

ARTICLE III. DATA PROTECTION OFFICER

The Data Protection Officer appointed by Stoïk can be contacted at the following address: simon.guigue@stoik.io

ARTICLE IV. USERS' RIGHTS

In accordance with the regulations concerning the Processing of Personal Data, the User has the following rights:

1. Right of access, rectification and deletion

When you visit our webThe User may review, update, modify or request the deletion of his/her Personal Data.

If he/she has one, the User has the right to request the deletion of his/her Personal Space.

2. Right to Data Portability

The User has the right to request the portability of his/her Personal Data, held by Stoïk, to another operator.

3. Right to limit and oppose the processing of personal data

The User has the right to request the limitation of or to object to the Processing of his/her Personal Data by Stoïk, without Stoïk being able to refuse, unless it can demonstrate the existence of legitimate and compelling reasons that may override the interests and rights and freedoms of the User.

4. Exercise of rights

The User may, subject to the production of valid proof of identity, exercise his/her rights by contacting the Stoïk Data Protection Officer by email at simon.guigue@stoik.io.

In order for Stoïk to comply with the request, the User is required to provide the following information: their first and last names as well as the e-mail address used on the Site or the Application.

Stoïk is required to respond to the User within 30 days.

If the User believes, after contacting Stoïk, that his/her rights have not been respected, he/she may submit a complaint to a supervisory authority. 

The supervisory authority in charge of the Processing carried out by Stoïk is the Commission Nationale de l'Informatique et des Libertés (CNIL).

PROCESSING OF PERSONAL DATA FOR WHICH STOÏK IS THE PROCESSOR

When performing the vulnerability scan service, Stoïk acts as a Processor within the meaning of the regulations in force applicable to the Processing of Personal Data, and solely on the instructions of the Company acting via the User, which acts as the Data Controller.

ARTICLE I. DESCRIPTION OF THE PROCESSING BY STOÏK

Stoïk is authorized to process on behalf of the Company the Personal Data necessary to provide the following service: external vulnerability scan to identify all the vulnerabilities of the Company's technological data and to propose an insurance contract.

Data Category
Categories of Data subject
Purpose
External vulnerability scan
Employees, collaborators, customers
Email address, password, IP address, last name, first name
Identification, analysis and presentation to the User of all the vulnerabilities of the Company's technological data
Automatic scanning for persistent vulnerabilities
Email address, password, IP address, last name, first name
Employees, collaborators, customers
Adjusting prices based on identified persistent vulnerabilities
Processing

ARTICLE II. DURATION OF THE CONTRACT

This Privacy Policy is effective upon acceptance by the User, as well as acceptance of the Terms of Use, for an indefinite period.

ARTICLE III. STOÏK'S OBLIGATIONS TOWARDS THE COMPANY

Stoïk is committed to :

1. Process the Data only for the purposes described in I. I., namely the identification, analysis and presentation to the User of the vulnerabilities of the Company's technological data, revealed through the vulnerability scan, and the adjustment of prices based on identified persistent vulnerabilities.

2. Process the Data in accordance with the Company's documented instructions, as described in the Terms of Use. If Stoik considers that an instruction constitutes a breach of the EU Data Protection Regulation or any other provision of Union or Member State law relating to data protection, it shall immediately inform the Company. In addition, if the Stoik is required to transfer Data to a third country or to an international organization under Union law or the law of the Member State to which it is subject, it must inform the Company of this legal obligation prior to the Processing, unless the relevant law prohibits such information on important grounds of public interest. 

3. Guarantee the confidentiality of the Personal Data processed in the context of the vulnerability scan

4. Ensure that persons authorized to process Personal Data under this Agreement:
are committed to confidentiality or are subject to an appropriate legal obligation of confidentialityreceive the necessary training in the protection of personal data

5. Take into account the principles of data protection by design and data protection by default for its tools, products, applications or services.

ARTICLE IV. SUBSEQUENT PROCESSING

Stoik is authorized to use the following entities to conduct the Processing activities described below (hereinafter, the "Subsequent Processors"): 

Amazon Web Services: Hosting Personal Data;
Google Cloud Platform: Hosting Personal Data;
Stripe: Payment services;
HelloSign: Signature services.

Subsequent Processors are required to comply with the obligations of this contract on behalf of and according to the instructions of the Company. It is Stoïk's responsibility to ensure that Subsequent Processors present the same sufficient guarantees regarding the implementation of appropriate technical and organizational measures so that the Processing meets the requirements of the European Data Protection Regulation. If Subsequent Processors do not fulfil their data protection obligations, Stoïk remains fully responsible to the Company for the Subsequent Processors' performance of their obligations. 

ARTICLE V. RIGHT TO INFORMATION OF THE DATA SUBJECT

It is the Company's responsibility to provide information to the persons concerned by the Processing operations.

It is the responsibility of the Company, in its capacity as Data Controller, to obtain any necessary consent from the natural persons concerned, in correlation with the purposes of the Processing pursued. 

ARTICLE VI. EXERCISE OF THE RIGHTS OF DATA SUBJECTS

The persons whose Data have been collected must assert their rights directly to the Company, which, after studying the admissibility of the request, undertakes to comply with it within the regulatory time limits.

Insofar as possible, Stoïk shall assist the Company in fulfilling its obligation to respond to requests to exercise the rights of data subjects.

When the persons concerned make requests to Stoïk to exercise their rights, Stoïk must send these requests as soon as they are received by e-mail to the contact address given on the User's Personal Space.

ARTICLE VII. NOTIFICATION OF PERSONAL DATA BREACHES

Stoïk shall notify the Company of any violation of Personal Data within a maximum of 24 hours of becoming aware of it, via the contact address provided on the User's Personal Space. 

This notification shall be accompanied by any useful documentation to enable the Company, if necessary, to notify the competent supervisory authority of the breach.

It is the Company's responsibility to alert, if necessary, the competent supervisory authority and/or the persons concerned, and to comply with its obligations under the GDPR.

ARTICLE VIII. ASSISTANCE FROM STOÏK IN THE CONTEXT OF THE COMPANY'S COMPLIANCE WITH ITS OBLIGATIONS

Stoïk assists the Company in carrying out data protection impact assessments.

Stoïk assists the Company in carrying out the prior consultation with the supervisory authority.

ARTICLE IX. SECURITY MEASURES

Stoïk undertakes to put in place all the necessary means to ensure the confidentiality and security of the Data, so as to prevent their damage, deletion or access by unauthorised third parties.

Stoïk's technical and organizational measures are as follows:

1. Commitment to confidentiality of its employees

Through the employment contract, the Stoïk employee undertakes to respect the rules and procedures in force in the company, particularly with regard to:

• Professional secrecy;
• Professional and loyal behaviour towards the company.

2. Awareness-raising and training activities on the security of personal data

All Stoïk employees arriving on the project are made aware of security. A presentation of the objectives, individual roles and responsibilities and the security procedures related to the project is made.

3. Management of access accounts and authorisation

The security of information and access is managed by the system administrators. They create nominative access with strong passwords for all the tools used by Stoïk.

The security policy for passwords applied to accounts complies with the recommendations of the CNIL.

4. Security of Stoïk's premises

Access to Stoïk's premises is reserved for authorised persons only.

Stoïk's premises are protected by an anti-intrusion alarm.

The premises are also equipped with a video surveillance system. The video surveillance data is kept for 1 month.

5. Computer allocation and maintenance

Each Stoïk employee has his own workstation.

The workstations are protected primarily by a user/password authentication generated by the system administrators.

Stoïk employees are made aware of the security rules by the system administrators when they are given their computers. Each employee has administrator rights on his/her computer in order to be able to configure or install additional software required for the execution of their missions.
Passwords are Personal and Confidential Data, they must be sufficiently strong, and must not be disclosed or left unprotected. 

Any computer given to a Stoïk employee must have been formatted beforehand in the event of a handover, and also if the equipment is new and the operating system installed does not correspond to what has been defined by the system administrators.

The maintenance of any computer is done on Stoïk's premises whenever possible. In the event that maintenance agents are welcomed and supervised on Stoïk's premises to carry out any repairs or modifications.

6. Confidentiality of processed data

Stoïk is committed to :

• Not to make any copies of the documents and data carriers entrusted to it, except those necessary for the performance of the service;
• Not to use the processed documents and information for purposes other than those defined by the Company;
• Not to divulge this information to other persons, whether private or public, natural or legal persons, for the duration of the service.

ARTICLE X. DISPOSITION OF DATA

At the end of the services provided in relation to the Processing of this Data, Stoïk undertakes to destroy all personal Data relating to the Company and the User, with the exception of those whose retention beyond the contractual relationship is authorized by law, by the legitimate interests of Stoïk or by the Company and the User.

Once the Data has been destroyed, Stoïk must justify the destruction in writing.

ARTICLE XI. DATA PROTECTION OFFICER

The Stoïk Data Protection Officer can be contacted at the following address: simon.guigue@stoik.io

ARTICLE XII. RECORDS OF PROCESSING ACTIVITIES

Stoïk declares that it keeps a written record of all Processing activities carried out on behalf of the Company including:

• The name and contact details of the Company on whose behalf it is acting, the identification data of the User, any sub-processors and the Data Protection Officer;
• The categories of Processing carried out on behalf of the Company;
• As far as possible, a general description of the technical and organisational security measures.

ARTICLE XIII. DOCUMENTATION

Stoïk shall make available to the Company the documentation necessary to demonstrate compliance with all its obligations and to allow audits, including inspections, to be carried out by the Company or another auditor it has commissioned, and to contribute to these audits.

ARTICLE XIV. OBLIGATIONS OF THE COMPANY TOWARDS STOÏK

The Company agrees to:

• Document in writing the instructions concerning the Processing of Data by Stoïk, in particular by keeping a copy of the Terms of Use;
• Ensure, beforehand and throughout the duration of the Processing, that Stoïk complies with the obligations set out in the European Data Protection Regulation;
• Supervising the Processing, including conducting audits and inspections at Stoïk.