General Terms & Conditions

Last update: 30/05/2025

1. General

These General Terms and Conditions of Use (hereinafter the "Terms") are concluded between Gladia, a simplified joint-stock company with a capital of 1,838.83 euros, registered with the RCS of Rennes under No. 909 935 736 and whose head office is located at 38 Rue de la Tremblaie 35510 CESSON-SEVIGNE, France, represented by M. Jean-Louis Queguiner, its President and any person or entity using the services offered by Gladia’s AI solution (hereinafter a "User").

These Terms cancel and supersede the previously applicable terms and conditions and govern the use of the Services provided by Gladia.

The electronic signature or acceptance of the General Terms and Conditions of Service by the User as well as any use of the Service implies the User's full acceptance of these Terms.

These Terms are accessible on Gladia’s website and may be addressed or delivered to any User requesting it.

Gladia is free to modify its Terms at any time for the needs of and according to the evolution of the Services. Their notification is made by e-mail to the User or on his personal space. In case of refusal of the new Terms, the User may unsubscribe from the Services within fifteen (15) days from the notification. Any User who continues to use the Services after the entry into force of the Terms is deemed to accept them. The version of the Terms in force at the time of the dispute shall apply to the User.

The English version of these Terms shall prevail over any translation.

These Terms may be supplemented by special conditions which, in case of contradiction, will prevail over the Terms.

2. Definitions

"Agreement": includes the Terms, the General Terms and Conditions of Service, and if applicable the Special Terms and Conditions.

“API”: means an Application Programming Interface with artificial intelligence created and/or administered by Gladia.

"Content": collectively means the information imported into the API ("Input") and the output generated ("Output").

"GTCS" or “General Terms and Conditions of Service”: means the General Terms and Conditions of Service and its appendices.

“Offer”: means the various offers proposed by Gladia to benefit from its API and defined in Article 4.

"Service(s)": means the provision of the API by Gladia to the User.

"Special Terms and Conditions": means the additional terms to the GTCS that may be agreed upon between the Parties.

“Terms”: means the present General Terms and Conditions of Use.

Capitalized terms not defined herein shall have the meaning given to them in the GTCS.

3. Purpose of the Terms

Gladia's business is the simplification of the most advanced AI models to help Users extract 100% value from their data from audio and/or video sources.

Gladia may provide its Users with the Service.

According to its needs, the User chooses the Offer with the level of services that suits him.

4. Gladia API

4.1. Offer

Gladia grants the User with a non-exclusive, non-transferable, worldwide, right to use the API for the duration of the Agreement.

Unless expressly agreed in writing by Gladia, the User shall not:

(i) use the API for purposes other than those for allowed in the Agreement and the Documentation (as this term is defined in Article 4.3);

(ii) grant any sublicense;

(iii) modify or alter the licensed rights or the API;

(iv) transfert the API free of charge or for valuable consideration.

The API will be compatible with the Customer's existing infrastructure within the limits set forth in Gladia’s documentation ().

The API enables the User to benefit from a number of features including, from audio or video Input, to:

Transcribe information, including dialogue in live or asynchronous;
Detect and separate speakers;
Translate Input information and perform code-switching (ability to transcribe a dialogue despite language changes during conversation);
Summarize Input information;
Recognize emotions and analyze feelings;
Classify conversations;
Extract keywords;
Detect intentions.

‍Gladia's API solution is available as a "Free" Offer, "Pro" Offer or “Enterprise” Offer whose conditions are defined on the Website (), unless Special Terms and Conditions apply.

If the User chooses the “Free Offer”, only these Terms will apply; if he chooses the “Pro” Offer, the GTCS will apply and will be supplemented by the Special Terms and Conditions if the User chooses the “Enterprise” Offer. In case of contradiction between the Terms and the GTCS, the GTCS will prevail.

The User may not create more than one personal space to benefit from the API with the "Free” Offer. Gladia may invoice the User or suspend his access to the API if he uses the "Free” Offer in bad faith.

Any request by the User to modify the Offer subscribed must be the subject of a new subscription.

4.2. Evolution of the API

Gladia may, at any time and by right, modify the API, including adding, modifying or deleting ranges, options or features and enhancing their performance. The User will be notified of this change in the API seven (7) days before its implementation. If the functionalities of the API have regressed, at Gladia’s discretion, the User may terminate the said Service by registered mail with acknowledgement of receipt, within thirty (30) days from the implementation of the change.

4.3. Documentation of the API

Gladia provides the User with online resources on its website that allow the User to learn about and understand the characteristics of the API (the “Documentation”). This Documentation may include (i) information on the various functionalities, configurations, options and ranges available, and (ii) documentation or technical guides of use of the API, allowing a better understanding and use of the API.

‍Before using the API, the User agrees to read all the provisions of the Documentation and to study all available documentation, configurations and options available in order to select the services and characteristics adapted to its needs. The User ensures that the Services are adapted to the legal and regulatory requirements applicable to the activities carried out in the context of the use of the Services.

The User may obtain additional information concerning the Services by contacting Gladia’s support by .

5. Access to the Service

To activate and access the Service, the User must have a Gladia personal space associated with a valid email address. The User may only create one personal space per email address. The creation of the Gladia personal space requires the communication, by the User, of information allowing his identification for the signature of the Agreement and the choice of a password. The User acknowledges that this information is proof of his identity. Prior to the activation of the User's personal space and at any time during the term of the Agreement, Gladia reserves the right to verify the accuracy of the information provided by or on behalf of the User and to request supporting documents from the User.

When registering, the User undertakes to transmit accurate, complete and non misleading data on his identity and is prohibited from usurping the identity of a third party. In the event of a breach of this substantial obligation, Gladia reserves the right not to confirm, suspend or delete the User's account without the User being entitled to any compensation as a result.

User may use the Service only in the geographic areas currently supported by Gladia. In particular, the Service isn’t available in the Islamic Republic of Iran, the Democratic People’s Republic of Korea, South Sudan, Sudan and the Syrian Arab Republic.

Internet access costs, whatever their nature (hardware, software, Internet connection, etc.) are the sole responsibility of the User.

The login credentials of any User to his Gladia personal space are confidential, non assignable and non-transferable, in accordance with article "Password secrecy" of these Terms.

6. Terms of Use

6.1 Legal capacity of the User

Depending on the Offer subscribed, the User may be a natural or legal person, a consumer, a professional or a non-professional.

A consumer means any natural person acting for purposes outside his trade or profession.

A professional shall be understood as any natural or legal person acting for purposes connected with his trade, business, craft, profession or agricultural activity, including when acting in the name or on behalf of another trader.

The Service is reserved for adults (more than 18 years old) and legally capable persons.

When the User is a natural person acting for a legal person, he ensures that he has the power to conclude a contract in the name and on behalf of the legal person. Any use of the API by the User or acceptance of these Terms by the User will bind the Customer to these Terms.

Gladia reserves the right to delete a personal space created by a person who doesn’t meet these conditions, without prior notice.

6.2 Normal use of the Service

The User undertakes to:

use the Service in accordance with its intended purpose, its documentation and the Agreement;
promptly provide all information reasonably required by Gladia for the use of the Service;
take the necessary steps to ensure that all Users accessing the Service comply with the obligations arising from the Agreement.

Use or misuse of the Service, which would be contrary to these Terms, is strictly prohibited. The User is prohibited in particular to:

Commit any illegal or fraudulent act by using the Service;
Harm public order and morality;
Harm third-parties or their rights in any way;
Violate any contractual, legislative or regulatory provisions;
Carry out any activity that may interfere with the computer system of a third-party or Gladia, in particular with the aim of violating its integrity or security;
Carry out any operation aimed at promoting the User's services and/or sites or those of a third-party without the express authorization of Gladia;
Extract or collect, by any means, the data of other users of the Service;
Import, add to the Service, store, transmit, export, upload or publish any Content that is misleading or promotes illegal, fraudulent or deceptive activities;
Import, add to the Service, store, transmit, export, upload or publish any Content that is unlawful, harmful, defamatory, abusive, violent, abusive, racist, xenophobic, revisionist, hateful, pornographic, child pornographic, obscene, indecent, shocking or inappropriate for a family audience, contrary to morality, infringing privacy or infringing the rights of third parties, in particular the image rights of persons and property, the right of intellectual property or the right to respect for private life;
Import, add to the Service, store, transmit, export, upload or publish any Content or information that can reveal, directly or indirectly, sensitive data within the meaning of the General Data Protection Regulation (GDPR), including political, philosophical or religious beliefs, trade union membership, health status or sexual orientation;
Impersonate a third party;
Import any personal information of a third party without their consent or without relying on a legal basis provided by the GDPR or any applicable law;
Import any personal information of a minor (under 18 years old);
Import, add to the Service, store, transmit, export, upload or publish any Content that may directly or indirectly harm Gladia's interests. In general, the User undertakes to refrain from any behavior contrary to ethics or Gladia's values and interests;
Engage in any conduct that interferes with or hijacks IT systems or violates the IT security measures of Gladia and its Services;
To identify or incite a third party to commit one or more of the acts or activities listed above.

Gladia can’t be held responsible in the event of abnormal use of the Service and reserves all recourse against the User.

6.3. Security

The User must implement reasonable and appropriate measures to ensure his access to and use of the Service. If he discovers any vulnerabilities or violations related to his use of the Service, he must promptly contact Gladia and provide details about the vulnerability or breach.

6.4. Password Secrecy

Users who have created a Gladia personal space make sure to keep their password secret. Any disclosure of the password, regardless of its form, is prohibited. They assume the risks associated with the use of their username and password. Gladia declines all responsibility if the User transmits his username or password to another User or to a third party, or if the User doesn’t implement all necessary measures to keep his password secret.

Any access to the Service using the User's username and password is deemed to be made by him. The User must immediately contact Gladia if he learns that his personal space has been used without his knowledge and for any loss or compromise of these credentials:

Gladia may take any appropriate action in such a case to restore the security of its Service.

7. Penalties

In the event of a breach by the User of any of its obligations under the Terms, or in the event of a request from the competent authorities, Gladia reserves the right to:

Publish on the API any computer message that Gladia deems useful;
Ask the User to remedy the breach within a maximum period of fifteen (15) calendar days;
Delete any Content imported and/or stored by the User in the API that doesn’t comply with these Terms. Such removal may be affected without notice, prior notification or warning, at any time and at Gladia's sole discretion when the violation of these Terms is characterized by illegal behaviour, including when importing, storing, exporting or distributing Content that is illegal, harmful, abusive, racist, incite to hatred or child pornographic. Apart from this particular case, this deletion will be done after two unsuccessful warnings;
Suspend access and use of the User's personal space;
Terminate the Agreement, upon eight (8) calendar days' notice. This termination, notified to the User by e-mail, will result in the deactivation of the personal space eight (8) calendar days after this notification;
Notify and cooperate with any competent authority and provide it with any relevant information;
Take any legal action.

These sanctions are without prejudice to any damages that Gladia may claim

8. Data Protection

Gladia processes User’s data necessary for the proper functioning of the Service. By accepting these Terms, the User acknowledges that he has read Gladia's Privacy Policy and accepted the Data Protection Agreement attached in Appendix 1. In accordance with Article 13 of the General Data Protection Regulation (GDPR), the Privacy Policy provides the User with information relating to the processing of Data carried out by Gladia in the context of the provision and operation of the Service (data processed, purposes, legal basis, recipients of the data, retention periods, rights, security).

If the User uses the Service to process personal data, he must be able to provide the legally adequate documents, obtain the necessary consents for the processing of such Data, and declare to Gladia that he processes such data in accordance with applicable law and the GDPR.

9. Deletion of Data

When the Service includes the storage of the Input, the User may delete it at any time, except for the “Free” Offer which includes an internal data processing to improve the Service. In that case, this usage doesn’t constitute a backup for User benefit.

In case of deletion, Gladia doesn’t keep a history, to the extent permitted by applicable law. Input and Output (transcription, translation, content analysis, sentiment analysis, etc.) will be permanently removed from Gladia's environment.

10. Liability

10.1. Liability of the User

The User assumes all risks associated with the use of the Service. The User undertakes to provide its personnel with the training required for the correct use and operation of the Services.

The User acknowledges that it is liable for (i) regularly backing up data, (ii) developing and implementing appropriate operating procedures, control points and security mechanisms for data backup and disaster recovery, in the event of malfunction of any of the programs, (iii) preparing additional documentation, if necessary, in the light of its own specific working conditions, and (iv) protecting all data stored in its information systems.

The User is liable for the use of the Service and any direct or indirect consequences thereof.

The User is also liable for the Content that it imports into the API.

The consultation and use of the API is under the responsibility of the User. The Service may host links to third-party sites. By clicking on these links, the User acknowledges that Gladia can’t guarantee the content and therefore agrees to access them at his own risk. Consequently, Gladia can’t be held liable for damages resulting from the User's access to and/or use of the Service and the information contained therein.

10.2. Accessibility of the Service

Gladia is constantly working to improve its Service to make it more accurate, reliable, secure and beneficial. Gladia's Service uses rapidly evolving fields of study (artificial intelligence, machine learning, etc). Due to its nature, the use of the Service may in some situations result in incorrect results. The User shall evaluate the accuracy of any Output according to its use case, including by using human review of the Output.

Gladia carries out regular checks to verify the operation and accessibility of its Service and may perform scheduled maintenance under the conditions specified in the "Maintenance" section. Gladia reserves the right to suspend all or part of the Service, in the event of:

(i) a proven risk to the stability and/or security of Gladia's systems and environments, the Service and/or the User's data;

(ii) technical reasons, in particular for its maintenance or updating;

(iii) a request from a competent administrative or judicial authority;

(iv) or failure to comply with all or part of the conditions of use of the Service set forth in the Agreement.

Unless otherwise stipulated in the General Terms and Conditions of Service or Special Terms and Conditions, the User waives any claim in this regard. The aforementioned suspensions don’t relieve the User of its obligation to pay in full the amounts due to Gladia under the Agreement.

The use of the Service by the User implies knowledge and acceptance of the characteristics and limitations of the technologies inherent to the Internet, in particular with regard to response times to consult or query the server hosting the Service, technical performance, risks of interruption and, more generally, any risk incurred during the transmission of data. The User acknowledges that the implementation of the Service requires a connection to the Internet and that the quality of the Service depends on this connection, for which Gladia isn’t responsible.

Gladia can’t be held liable in the event of difficulty or temporary impossibility in accessing the Service due to:

circumstances external to Gladia's network (including partial or total failure of the User's servers);
failure of equipment, cabling, services or networks not included in the Service, or not under Gladia's control;
interruption of the Service by telecommunications operators or Internet service providers;
the User's intervention, in particular by a bad configuration applied to the Service,
force majeure.

Gladia reserves the right to limit the number of API calls and collections accessible. This number will be indicated directly on its website or in the Special Terms and Conditions.

10.3. Limitation of liability

Gladia's liability is limited to proven direct damages that the User may have suffered as a result of the use of hosted Services.

In the event of Gladia's fault in the performance of its contractual obligations, the User shall be entitled to obtain compensation for the direct damage it proved. In any event, Gladia's total and maximum liability is limited to the lesser of sixty percent (60%) of the amount actually paid by the User for the use of the Service during the twelve (12) months preceding the event or one thousand euros (1.000 €).

It’s expressly agreed that Gladia's liability can’t be sought in the following cases:

any information consulted on the Service that isn’t posted online by Gladia;
any network malfunction resulting from something external to Gladia and preventing the proper functioning of the Service;
the consequences of any computer virus, bug, anomaly or failure;
any damage caused to the Service or the User's equipment resulting from an event external to Gladia or its subcontractors.

11. Intellectual Property

11.1. License to use

Gladia grants the User a license to use the API. This licence is limited to the duration of use of the Service, nominative, limited, non-exclusive and non-transferable, non-public, free or paid according to the Offer subscribed under the conditions defined in the General Terms and Conditions of Service and Special Terms and Conditions.

In particular, the User shall refrain from granting any sublicense.

The rights granted also concern open-source modules, subject to the User's compliance with the terms and conditions of the open-source licenses.

11.2. Gladia's intellectual property

Systems, software, structures, infrastructure, databases and content (text, images, graphics, music, logos, brands, databases, etc.) used in the Service are protected by all applicable intellectual property rights or database creators' rights. Any dismantling, decompilation, decryption, extraction, reuse, copying, and more generally any reproduction, representation, publication or use of all or part of these elements, without our authorization, is strictly prohibited and could give rise to prosecution.

The content published by Gladia in the Service (including Output, texts, comments, files, images, photos, videos, works, applications, etc.) is protected by intellectual property, including copyright, designs, trademarks, domain names, patents, know-how, software or databases. Gladia or its assigns remains the owner of all such content and associated rights. On these contents, Gladia grants Users a limited, non-exclusive, revocable and non-sublicensable license to access and browse for the sole purpose of using the Service. This license doesn’t grant Users any other rights, in particular any right of reproduction or commercial exploitation of these contents except as provided for in Article 11.3.

Any total or partial representation of the Service or a content of the Service by any means whatsoever, without the express authorization of Gladia would constitute an infringement punishable by Article L 335-2 et seq. of the French Intellectual Property Code.

The GLADIA brand is protected. Any use of this trademark, name or logo without the prior written permission of Gladia, on any medium is prohibited under penalty of criminal and civil prosecution.

11.3. Content imported by the User

The User grants Gladia, on a non-exclusive basis and free of charge the right to use the Input for the performance of the Services and, if it subscribed the “Free” Offer, to train its algorithmic models, including:

the right to reproduce, duplicate, print or record all or part of the Input, as well as any adaptations, on any medium, including paper, magnetic media and any other known or as yet unknown media, in any format;
the right of permanent or temporary reproduction in whole or in part and in any form, in particular for any loading, display, execution, transmission or storage operation, on any site, the right of error correction, monitoring and maintenance, the right of integration in whole or in part with or without modification, the right of interface and the right of decompilation;
the right to create any version, in French or any other language, and in any computer language, of all or part of the Input;
the right to edit, republish and store the Input in its original version or in a version as defined above, without limitation as to the number of copies.

This licence is effective worldwide, and for the entire legal term of protection of the copyrights.

The User warrants to Gladia that the Inputs do not infringe any intellectual property rights or any other rights belonging to a third party.

The User may use the Output for its own benefit, subject to allowing Gladia to use it for the sole performance of the Services and, if it subscribed to the “Free” Offer, training its algorithmic models.

11.4. Commercial

Gladia may use the names, trademarks and logos of the User and refer to his websites as commercial references for the duration of the contractual relationship and three (3) years thereafter.

The User need an express and written agreement from Gladia to use its names, trademarks and logos and refer to its websites as commercial references.

12. Additional services

Depending on the Offer subscribed to in the Agreement, the User may benefit from additional services offered by Gladia subject to the GTCS.

12.1. Maintenance

During the duration of the Service, the User benefits from maintenance of the API, including corrective and evolutionary maintenance. In this context, access to the Service may be limited or suspended. Corrective maintenance corrects any malfunction or bug found on the subscribed Service.

Gladia reserves the right to carry out automatic and unannounced evolutionary maintenance, which includes improvements to the functionality and/or technical installations (aimed at introducing minor or major extensions) of its Service.

Access to the Service may also be limited or suspended for preventive maintenance purposes, which may include the aforementioned corrective and evolutionary maintenance operations.

12.2. Hosting

Gladia ensures the hosting of the Service and the Contents it produces by using a professional hosting provider.

12.3. Technical Support

In case of difficulty encountered when using the Service, the User may contact Gladia for technical support:

13. Final provisions

Gladia reserves the right to use subcontractors for the performance of the services. These subcontractors are subject to the same obligations as Gladia in the performance of the services.

Gladia reserves the right to replace any person who will be subrogated to all his rights and obligations under the contractual relationship with the User. Gladia will inform the User of any substitution by any written means, including by email.

If one or more stipulations of the Terms are declared null and void by application of a law, a regulation or following a final judicial or administrative decision, the other stipulations will retain their force and scope. Gladia will make its best efforts to proceed as soon as possible to replace the invalid stipulation by a valid stipulation of a scope closest to the spirit hereof.

The fact that one of the Parties has not required the application of any clause of these conditions, permanently or temporarily, can in no way be considered as a waiver of said clause.

14. Governing Law

These Terms are subject to French law.

The Parties will endeavor to resolve amicably any disputes that may arise from the interpretation or execution of these Terms within thirty (30) days of the date of occurrence of such disputes.

In the event of a dispute, if the User is a “consumer” according to the French Consumer Code, he may freely resort to the following Mediator for an amicable settlement: Consumer Mediation Centre of Justice Conciliators (CM2C), Postal address: 14 rue Saint Jean 75017 Paris, France, Phone: +33 (0)6 09 20 48 86, Website: https://www.cm2c.net.

If the User is a foreign consumer but located in the European Union, he can go to the Dispute Resolution in European Consumer Law.

In the absence of an amicable agreement, all disputes to which these Terms may give rise, concerning their validity, interpretation, execution, termination and consequences will be submitted to the competent Courts in Paris (France).

APPENDIX 1 – Data Processing Agreement

1. Purpose and Scope

The purpose of this “Data Processing Agreement” is to define the conditions under which Gladia (hereinafter the “Processor”) undertakes to carry out in the name and on behalf of the Customer (hereinafter the “Controller” or the “Data Controller”) the personal data processing operations defined in Annex I. Annexes I to III form an integral part of the Agreement.

Personal data will be processed for the purpose of performing the services pursuant to the Agreement, in particular for the purpose of processing personal data, including audio or video files transmitted by the Data Controller to the Processor in accordance with the Agreement.

In the context of their contractual relations, the Parties undertake to comply with the regulations applicable to the processing of personal data and, in particular, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27th April 2016 applicable from 25th May 2018 (hereinafter, "the European Data Protection Regulation" or "GDPR").

2. Interpretation and hierarchy

Where terms defined in GDPR appear in this Agreement, they shall be construed as in the GDPR.

The provisions of the Agreement should be read and interpreted considering the provisions of the GDPR.

In the event of any conflict between these provisions and those of related agreements existing between the Parties at the time of the conclusion of this Agreement, the Agreement shall prevail.

3. Description of processing operations

Any processing of personal data under this Agreement will be carried out in accordance with the regulations relating to the protection of personal data. The Processor, as a service provider, is not, however, responsible for compliance with the laws and regulations strictly applicable to the Data Controller or its industry, unless explicitly agreed otherwise between the Parties.

The details of the processing operations, and in particular the categories of personal data and the purposes of the processing for which the personal data are processed on behalf of the Controller, are specified in Annex I.

When the Controller wishes to change the subject, duration, nature and purpose of the processing of personal data, it shall inform the Processor in writing. When the Processor considers that the modification does not comply with the regulations in force, it informs the Data Controller.

4. Privacy and data protection representatives

Where required by regulation, the Parties will appoint privacy and data protection representatives (hereinafter "Data Protection Officer" or "DPO"), and will exchange contact information.

The DPO of the Gladia Processor can be contacted at the following email address: privacy@gladia.io

5. Obligations of the Parties

5.1. Instructions

a) The Processor shall only process personal data on documented instructions from the Controller, unless it is required to do otherwise under Union or Member State law to which it is subject. In this case, the Processor shall inform the Controller of this legal obligation prior to processing, unless prohibited by law for important reasons of public interest. Instructions may also be given during the configuration and use of the solution or later by the Data Controller throughout the processing of personal data. These instructions must always be documented and written. The Parties acknowledge that this Agreement constitutes such documented instructions.

b) When the Processor detects an instruction that could potentially constitute a violation of Regulation (EU) 2016/679 / Regulation (EU) 2018/1725 or other provisions of Union or Member State law relating to data protection, he shall immediately inform the Data Controller.

5.2. Responsibilities

a) The Data Controller is responsible for the legality of the personal data and their processing pursuant to the Agreement. It declares and warrants that when providing personal data to the Processor for processing by the latter:

(i) it has duly informed data subjects of their rights and obligations and, in particular, informed them of the possibility that the Processor (or a category of service providers to which it belongs) may process their personal data on its behalf and in accordance with its instructions;

(ii) that it has complied with all legislation relating to the protection of personal data in the collection of such personal data and its communication to the Processor.

b) The Data Controller is responsible for any misuse of IT devices by one of its agents as well as for the quality and accuracy of the personal data entered by its agents. The Data Controller shall indemnify the Processor against any claim by a third party, including the Data subject, resulting from misuse of IT devices and specific obligations of data protection regulations.

c) The Data Controller acknowledges and accepts that the Processor shall only provide analyses based on the data processed by the Controller which constitute only one of the possible means to enable the Data Controller to achieve its performance objectives. Under no circumstances may the Processor be held responsible for the decisions taken by the Controller based on the reports sent by the Processor.

5.3. Purpose limitation

The Processor processes personal data only for the specific purpose(s) of the processing, as defined in Annex I, unless further instructed by the Controller.

5.4. Duration of processing of personal data

Processing by the Processor shall only take place for the period specified in Annex I.

The Processor undertakes to keep personal data only for the period necessary to achieve the purposes for which they are processed, unless a legal or regulatory provision obliges it to keep them for longer periods. The Processor will destroy the personal data or return them to the Data Controller, either when the purpose for which they are processed is achieved or at the end of the legal or regulatory retention period.

5.5. Disclosure

a) The Processor will not disclose any personal data to any third party except (i) at the request of the Controller, (ii) as provided for in the Agreement, (iii) as required by processing by sub-processors in accordance with this Agreement or (iv) as required by law or a competent authority.

b) If the Controller instructs the Processor to transfer personal data to a third party contractually linked to the Controller, it is the sole responsibility of the Controller to enter into a written agreement with such party regarding the protection of such personal data, including, where applicable, the obligations imposed by the Standard Contractual Clauses. The Controller shall cover, defend and hold harmless the Processor from any liability for any losses whatsoever arising from such transfer of data to the third party, unless and insofar as the losses are attributable to proven defects of the Processor.

c) The Processor represents and warrants that persons acting on its behalf who are authorized to process personal data undertake to protect the security and confidentiality of the personal data in accordance with the provisions of this Agreement. To this end, the Processor is obliged to inform persons acting on its behalf who have access to the personal data of the applicable requirements and to ensure compliance with such requirements through contractual or legal confidentiality obligations.

5.6. Security of processing

a) The Data Controller shall implement and maintain the required technical and organizational data protection measures for the components it provides or controls, including workstations connected to the Processor's services, the data transfer mechanisms used and the identifiers issued to the Controller's personnel. The Data Controller shall take all reasonable measures to keep the personal data up to date to ensure that they are accurate and complete in relation to the purpose for which they were collected.

b) The Processor shall implement the technical and organizational measures specified in Annex II to ensure the security of personal data. These measures include the protection of data against any breach of security resulting in, accidentally or unlawfully, the destruction, loss, alteration, unauthorized disclosure of or access to personal data (personal data breach). When assessing the appropriate level of security, the Parties shall take due account of the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing, as well as the risks to data subjects. During the term of the Agreement, the Data Controller may request the Processor to provide, within a reasonable time, a current description of the technical and organizational protection measures implemented.

c) When assessing appropriate technical and organizational security measures, the Parties shall take into account:

(i) state of the art,

(ii) the cost of implementing the measures,

(iii) the nature, scope, context and purposes for which the personal data are processed,

(iv) the risks posed by the processing of data to the rights and freedoms of Data subjects, resulting, inter alia, from the destruction, loss, alteration or unauthorized disclosure of, or accidental or unlawful access to, personal data transmitted, stored or otherwise processed,

(v) and the likelihood that the processing will affect the rights and freedoms of Data subjects.

d) The Processor shall grant its personnel members access to the personal data subject to the processing only to the extent strictly necessary for the execution, management and monitoring of the contract. The Processor shall ensure that persons authorized to process personal data undertake to respect confidentiality or are subject to an appropriate legal obligation of confidentiality.

e) These measures shall be updated by the Parties in the light of the state of the art and any incidents.

5.7. Sensitive data

If the processing concerns personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, as well as genetic data or biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning the sex life or sexual orientation of a natural person, or data relating to criminal convictions and offences ("sensitive data"), the Processor shall apply specific limitations and/or additional safeguards, following the instructions of the Data Controller.

5.8. Documentation and Compliance

a) The Parties shall be able to demonstrate compliance with this Agreement.

b) The Processor shall promptly and adequately process the Controller's requests for data processing in accordance with this Agreement.

c) The Processor shall make available to the Controller the information necessary to demonstrate compliance with the obligations set out in this Agreement and arising directly from the GDPR. At the request of the Controller and at its expense, the Processor shall also allow and contribute to audits of the processing activities covered by this Agreement at reasonable intervals or where there are indications of non-compliance. When deciding on an examination or audit, the Controller may take into account the relevant certifications in the Processor's possession.

d) The Controller may decide to carry out the audit itself or to appoint an independent auditor. Audits may also include inspections at the Processor's premises or physical facilities and shall, where appropriate, be carried out on reasonable notice.

e) The Processor may refuse the identity of the selected auditor if it belongs to a competing company. The audit shall be carried out during working hours and in such a way as to minimize disruption of the Processor’s activity. The audit must in no way threaten (i) the technical and organizational security measures implemented by the Processor, (ii) the security and confidentiality of the data of the Processor’s other clients and (iii) the proper functioning and organization of the Processor. In addition, the Data Controller shall ensure that the auditor and, more specifically, the personnel performing the audit are subject to appropriate confidentiality obligations.

f) As far as possible, the Parties shall agree beforehand on the scope of the audit. The audit report will be sent to the Processor for written comments, which will be attached to the final version of the audit report. Each audit report will be considered confidential information.

g) The Parties shall make available to the competent supervisory authorities, upon request, the information set out in this Agreement, including the results of any audit.

5.9. Sub-processors

a) The Processor has the general authorization of the Controller with regard to the recruitment of sub-processors on the basis of an agreed list for the provision of services (Annex III). The Processor shall specifically inform the Controller in writing of any proposed changes to this list by adding or replacing sub-processors at least fifteen (15) days in advance, thereby giving the Controller the opportunity to submit legitimate and justified objections. In the absence of notification of objections after this period, the Controller shall be deemed to have authorized the use of the sub-processor concerned. The Processor shall provide the Controller with the information necessary to enable it to exercise its right of objection. By signing this Agreement, the Data Controller authorizes the recruitment of the sub-processors established in Annex III.

b) In case of continued objections from the Data Controller, the Parties will meet in good faith and do their best to discuss a solution. Gladia may choose (i) not to hire the sub-processor or (ii) to take corrective action as requested by the Data Controller in relation to objections before hiring the sub-processor. If neither option is reasonably possible, and Gladia can’t, for legitimate reasons, hire another sub-processor for processing, either Party may terminate this Agreement upon thirty (30) days’ notice.

c) Where the Processor engages a sub-processor to carry out specific processing activities on behalf of the Controller, it does so by means of a contract that imposes on the sub-processor, in substance, the same data protection obligations as those imposed on the Processor under this Agreement. The Processor shall ensure that the sub-processor complies with the obligations to which it is itself subject under this Agreement and the GDPR.

d) At the request of the Controller, the Processor shall provide the Controller with a copy of this contract with the sub-processor and any subsequent amendments thereto. To the extent necessary to protect trade secrets or other confidential information, including personal data, the Processor may redact the text of the contract before disseminating a copy.

e) The Processor shall remain fully responsible to the Controller for the performance of the obligations of the sub-processor in accordance with the contract concluded with the sub-processor. The Processor shall inform the Controller of any breach by the sub-processor of its contractual obligations.

f) The Processor shall agree with the sub-processor a clause of the third-party beneficiary according to which — in the event that the Processor has factually disappeared, ceased to exist in law or has become insolvent — the Controller has the right to terminate the contract with the sub-processor and to instruct the sub-processor to erase or return the personal data.

5.10. International transfers

a) The transfer of personal data to a country outside the European Economic Area is permitted provided that (i) such transfer is necessary under a binding legal rule under European Union or French law, (ii) the country or company(ies) to which the personal data are transferred guarantees an adequate level of protection, (iii) or that the transfer takes place within the framework of standard contractual clauses issued by the European Commission (iv) or that the transfer takes place within the Data Protection Framework in force and approved by the European Commission.

b) The Processor guarantees that the country or company to which the personal data is transferred guarantees an adequate level of protection.

6. Assistance to the controller

a) The Parties undertake to provide mutual assistance to meet the requirements of the GDPR. In particular, they shall cooperate and exchange the information necessary to carry out data protection impact assessments, audits and inspections relating to the processing of personal data.

b) The Processor shall promptly inform the Data Controller of any request it has received from the data subject. He does not comply with this request himself, unless the Data Controller has authorized him to do so.

c) The Processor assists the Controller in fulfilling its obligation to respond to data subjects' requests to exercise their rights, taking into account the nature of the processing. In performing its obligations in accordance with points b) and c), the Processor shall comply with the instructions of the Controller.

d) In addition to the Processor's obligation to assist the Controller, the Processor shall also assist the Controller in ensuring compliance with the following obligations, taking into account the nature of the processing and the information that the Controller has made available to its Processor:

(1) the obligation to carry out an assessment of the impact of the envisaged processing operations on the protection of personal data ('data protection impact assessment') where a type of processing is likely to pose a high risk to the rights and freedoms of natural persons;

(2) the obligation to consult the competent supervisory authorities prior to processing where a data protection impact assessment indicates that the processing would pose a high risk if the Controller did not take measures to mitigate the risk;

(3) the obligation to ensure that the personal data are accurate and up-to-date, by informing the Controller without undue delay if the processor becomes aware that the personal data it processes are inaccurate or have become obsolete;

(4) the obligations laid down in Article 32 of Regulation (EU) 2016/679.

e) The Parties shall set out in Annex II the appropriate technical and organizational measures by which the Processor is required to assist the Controller in the application of this Agreement, as well as the scope and extent of the assistance required.

7. Breach of personal data protection

In the event of a breach of the protection of personal data, each Party shall immediately inform the other Party by telephone and email, after its detection.

In the event of a personal data breach, the Processor shall cooperate with and assist the Controller in complying with its obligations under Articles 33 and 34 of Regulation (EU) 2016/679 or Articles 34 and 35 of Regulation (EU) 2018/1725, whichever is applicable, taking into account the nature of the processing and the information available to the Processor.

7.1. Data breach in relation to processes managed by the Controller

As part of the relationship between the Data Controller and the Processor, in the event of a personal data breach in relation to processing managed by the Controller, the Processor shall assist the Controller:

a) for the purpose of notifying the personal data breach to the competent supervisory authorities, as soon as possible after the Controller becomes aware of it, where applicable (unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons);

b) for the purpose of obtaining the following information which, in accordance with Article 33(3) of Regulation (EU) 2016/679, is to be included in the Controller's notification, and include, at least:

(i) the nature of the personal data, including, where possible, the categories and approximate number of data subjects affected by the breach and the categories and approximate number of records of personal data concerned;

(ii) the likely consequences of the personal data breach;

(iii) the measures taken or the measures that the Controller proposes to take to remedy the personal data breach, including, where applicable, measures to mitigate any negative consequences.

Where, and to the extent that, it is not possible to provide all the information at the same time, the initial notification shall contain the information available at that time and, as it becomes available, additional information shall subsequently be submitted as soon as possible.

c) for the purpose of fulfilling, in accordance with Article 34 of Regulation (EU) 2016/679, the obligation to communicate the personal data breach to the data subject without undue delay, where the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons.

7.2. Data breach in relation to processes managed by the Processor

In the event of a personal data breach in relation to processes managed by the Processor, the Processor shall inform the Controller as soon as possible after becoming aware of it. This notification shall contain at least:

a) a description of the nature of the breach found (including, where possible, the categories and approximate number of persons affected by the breach and records of personal data concerned);

b) the contact details of a contact point from which additional information can be obtained about the personal data breach;

c) its likely consequences and the measures taken or proposed to be taken to remedy the violation, including mitigating any negative consequences.

The Parties shall set out in Annex II all other elements to be communicated by the Processor when assisting the Controller in fulfilling the Controller's obligations under Articles 33 and 34 of the GDPR.

8. Termination of the Agreement

Following the termination of the Agreement and according to the choice of the Controller, the Processor (i) deletes all personal data processed on its behalf and certifies to the Controller that it has carried out this deletion, (ii) or send all personal data back to him and destroy existing copies, unless Union or national law requires that they be kept longer. The Processor shall continue to ensure compliance with this Agreement until the data is deleted or returned.

List of Annexes:

- Annex I: Description of processing

- Annex II: Technical and organizational measures, including technical and organizational measures to ensure data security

- Annex III: List of sub-processors

ANNEX I: Description of processing

ANNEX II : Technical and organizational measures including technical and organizational measures to ensure data security

Description of the technical and organizational security measures implemented by the Processor(s) (including any relevant certification) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, as well as the risks to the rights and freedoms of natural persons.

Gladia uses reputable third-party service providers to host its production infrastructure. Gladia relies on these third parties to manage the physical access controls to the data center facilities that they manage. Some of the measures that Gladia’s service providers provide to prevent unauthorized persons from gaining physical access to the data processing systems available at premises and facilities (including databases, application servers and related hardware), where Personal Data is Processed.

Gladia maintains and enforces a security program that addresses how Gladia manages security, including the security controls Gladia employs. The security program includes:

Documented policies that Gladia formally approves, internally publishes, communicates to appropriate personnel and reviews at least annually
Documented, clear assignment of responsibility and authority for security program activities;
Regular testing of the key controls, systems and procedures.

All Gladia employees and Gladia independent contractors who may have access to data, including those who Process Personal Data acknowledge their data security and privacy responsibilities under Gladia’s policies.

For Personnel, Gladia, either itself or through a third party

Implements pre-employment background checks and screening
Conducts security and privacy training

Authentication

Gladia authenticates each Personnel’s identity through appropriate authentication credentials such as strong passwords, token devices or biometrics.

Training and Awareness

Annual Security and Privacy Training. Gladia’s employees complete an annual Security and Privacy awareness training on Gladia’s data security and confidentiality policies and practices.

ANNEX III: List of sub-processors

1. The Processor shall use the following sub-processors: Access Management to Gladia User interface (app.gladia.io) : No user data (Audio nor text) are processed and performed in this section.