Terms & conditions

Last update: 30/05/2025

1. General

These General Terms and Conditions of Service (hereinafter "GTCS") are concluded between Gladia, a simplified joint-stock company with a capital of 1,838.83 euros, registered with the RCS of Rennes under No. 909 935 736 and whose head office is located at 38 Rue de la Tremblaie 35510 CESSON-SEVIGNE, France, represented by M. Jean-Louis Queguiner, its President, and any person or entity (hereinafter "Customer") using the services offered by Gladia’s AI solution.

The Agreement (as this term is defined below) cancels and replaces all oral or written agreements which may have been previously concluded between the Parties in this respect and may only be modified by a new contract or an amendment concluded in writing and signed by the Parties. Any other document issued by Gladia, in particular catalogues, prospectuses or advertisements, is only informative and indicative, not contractual.

These GTCS constitute a proposal for commercial conditions that may be supplemented and/or amended by additional terms provided for in the special terms and conditions (hereinafter the “Special Terms and Conditions”) which, in case of contradiction, will prevail over the GTCS. In the absence of express written acceptance by Gladia, any stipulation contrary to this Agreement (as this term is defined below) made by the Customer, in particular in the Customer's general terms and conditions of purchase or any other document, will be unenforceable against Gladia, regardless of when it may have been brought to its attention. The same applies to additions, omissions or modifications to any of the provisions of the Agreement (as this term is defined below) that aren’t expressly accepted in writing by Gladia.

Agreements that may derogate from one or more clauses of these GTCS replace only the clause(s) in question. The other clauses remain fully applicable.

Acceptance of these GTCS by the Customer implies the latter's acceptance of the General Terms of Use of the Services which are accessible on Gladia’s website.

These GTCS are accessible on Gladia’s website. and may be addressed or delivered to each Customer requesting it. Gladia is free to modify these GTCS at any time for the needs of and according to the evolution of the Services. The changes thus made enter into force within fifteen (15) days from the date they are notified to the Customer by e-mail or on his personal space unless the Customer terminates the GTCS in accordance with Article 15 during this period. For the avoidance of doubt, the Special Conditions already accepted by the Customer may only be amended subject to the Party’s prior written approval.

By ticking the box "I accept the General Terms and Conditions" and then clicking on the "Confirm and proceed to payment" box, or by signing the Special Terms and Conditions, the Customer acknowledges having read and accepted all the GTCS. If applicable, the version of the GTCS in force on the date of the Special Terms and Conditions’ signature is applicable to the Customer.

The English version of these GTCS shall prevail over any translation.

2. Definitions

"Agreement": means the General Terms and Conditions of Use, the GTCS, and if applicable the Special Terms and Conditions.

"API": means an application programming interface with artificial intelligence created and/or administered by Gladia which functionalities are listed in Article 4.1 of the General Terms and Conditions of Use.

"Content": means collectively the information imported into the API ("Input") and the result generated ("Output") by a Customer.

"Customer": means Gladia's contracting partner, a person or entity to whom Services are provided by Gladia.

“Documentation”: has the meaning ascribed to it in the General Terms and Conditions of Use.

“General Terms and Conditions of Use”: means the terms and conditions of use of the API which are accessible on Gladia’s website.

"GTCS": means these Gladia General Terms and Conditions of Service and its appendices, in particular the Data Processing Agreement (Appendix 1).

“Offer”: means the various offers proposed by Gladia to benefit from the API and defined in article 4.1 of the General Terms and Conditions of Use.

"Payment Method": means a current, valid, accepted and updatable method of payment (bank card or bank transfer according to the service offered).

"Service(s)": means the provision of the API, if applicable, of any services described in the Special Terms and Conditions and, if applicable, of the Specifics Developments.

"Special Terms and Conditions": means the additional terms to these GTCS that may be agreed upon between the Parties.

“Specific Developments”: means the services described in Article 4.

“Website”: means Gladia’s website which URL is www.gladia.io.

3. Purpose of the GTCS

The purpose of these GTCS is to set out the contractual provisions relating to the respective rights and obligations of Gladia and its Customer in relation to the provision of the Services offered by Gladia.

‍Gladia provides the Customer with access to the API in SaaS mode under the conditions defined in the Agreement. The contractual documents making up the Agreement are mutually explanatory. However, in the event of any contradiction or discrepancy between the terms of these contractual documents, the order of priority shall be as follows, in descending order:

1* the Special Terms and Conditions;

2* these GTCS;

3* the General Terms and Conditions of Use.

4. ‍Specific Developments

As part of their commercial relations, the Customer may ask Gladia to carry out specific developments created to measure for the needs of the Customer (the "Specific Developments"), in return for invoicing made on quote.

The implementation of Specific Developments will be subject to the Special Terms and Conditions that take into account all the Customer's functional requirements and objectives.

‍‍The Specific Developments thus developed and made available to the Customer will remain the property of Gladia.

5. Obligations of the Parties

5.1. Obligations of Gladia

Gladia undertakes to perform the Agreement within an obligation of means. Gladia will perform the Agreement in a professional manner and in accordance with the usual standards applicable for similar services and guarantees that its personnel have the skills and experience necessary to perform the Agreement.

Gladia:

- requests any information useful for the performance of the Agreement that is not in its possession;

- performs its mission in accordance with the rules of the art, existing standards and the laws and regulations in force as a professional with extensive experience in such achievements;

- fulfils with the greatest diligence its duty to advise and, to this end, undertakes to provide the Customer with all the necessary recommendations to enable it to operate the Services under the best conditions in accordance with the expected use of the latter;

- monitors the performance of the Agreement and warns the Customer in good time of any difficulty in the performance of the Agreement;

- makes all suggestions to improve and/or accelerate the progress of the know-how and recommends suitable solutions;

- makes every effort to provide access to the API.

5.2.. Obligations of the Customer

The Customer agree to:

- use the Services in accordance with its purpose, the Documentation and this Agreement;

- carry out his business in accordance with the legislation in force;

- respect the rights of third parties and more generally the laws applicable to the Services;

- not use or operate the Services for any purpose other than that provided for in this Agreement.

‍The Customer will provide Gladia, within a reasonable time, with all the information and explanations that may be necessary for Gladia to carry out the tasks and missions incumbent upon it under the Agreement within the required timeframes and in the best possible conditions.

The proper performance of Gladia's obligation will depend on the communication and accuracy of the information provided by the Customer. Gladia considers all information provided by the Customer to be sincere and true. In the event of changes in any of this information, the Customer agrees to inform Gladia as soon as possible, by any written means or through the API. Gladia can’t be held responsible for the incorrect delivery of the Services if this was caused by the Customer's incorrect, incomplete or late provision of information.

The Customer will inform Gladia of its constraints as well as any foreseeable or encountered difficulties in the execution of the Agreement, so that all measures likely to overcome said difficulties are taken without delay.

The Customer undertakes to facilitate Gladia's intervention conditions as best as possible and not to do or allow anything to be done that could have the consequence of hindering them or making them more difficult or expensive. In any event, if during the performance of the Agreement, the Customer is requested by Gladia to give his consent, he must make known his response without delay. Any delay will be charged at the price agreed between the Parties.

6. Pricing

6.1. Billing

Gladia will issue invoices according to the billing cycle and Offer chosen by the Customer when subscribing on the Website or in accordance with the Special Terms and Conditions.

The Customer undertakes to pay the subscription amount as indicated on the Website on the day of subscription or as determined in the Special Terms and Conditions.

The prices are expressed in Euros and are exclusive of taxes. The Customer will pay or reimburse all local taxes (value added taxes or any withholding taxes), duties, excise taxes and assessments arising in connection with the Services or furnish Gladia with an exemption certificate.

Any discount granted is unique and doesn’t entail any rights for the future.

‍The subscription fee for the Gladia Services will be charged to the Payment Method chosen by the Customer on the specific payment date indicated on the of the Website. In some cases, the payment date may change for example if the Payment Method hasn’t successfully settled, when the Customer changed his Offer or if the paid subscription began on a day not contained in a given month.

‍The Customer is liable for any amount not debited. If payment fails due to Payment Method expiration, insufficient balance, or otherwise, and Customer doesn’t cancel the subscription, Gladia may suspend the Services until the payment is done.

‍6.2. Price revision

Unless otherwise stated in the Special Terms and Conditions, agreed prices and subscriptions may be revised from time to time by Gladia.

In the absence of Special Terms and Conditions, any changes to pricing or subscriptions will only be applicable after a minimum period of thirty (30) days following receipt of an email notification from Gladia. Should this be the case, if the Customer doesn’t wish to accept the pricing or subscription change, he may cancel the subscription before the changes take effect.

‍6.3. Terms of payment

Customer's subscription to Gladia's Services continues until terminated. To use the Services, Customer must provide Gladia with one or more valid and accepted Payment Methods. This Payment Method may be updated.

‍Unless Customer terminates its subscription prior to the billing date, he authorizes Gladia to charge him the subscription fee for the next billing cycle to its Payment Method.

‍Gladia uses Hyperline’s billing services (https://www.hyperline.co/) and Stripe’s payment services (https://stripe.com/).

‍Unless otherwise provided in the Special Terms and Conditions, the balance will be payable on the date the invoice is issued by Gladia.

‍All shipping costs, travel costs or taxes (including VAT in force at the time the Special Terms and Conditions is signed) are the responsibility of the Customer. Unless otherwise stipulated, quotes drawn up by Gladia remain valid for thirty (30) calendar days.

7. ‍Late or non-payment

7.1. Late payment penalties

In the event of non-payment of an invoice when due, Gladia may claim from the Customer, after prior notice of default and until the effective payment date, late payment interest equal to the European Central Bank's semi-annual key rate (refinancing rate or Refi), in effect on January 1 or July 1, increased by 10 points.

‍Example: 10.00% (0.00 + 10) for penalties due since July 1, 2019

This rate is applied to the entire amount of the invoice due.

7.2. Compensation for recovery costs

Gladia may also charge an additional flat-rate penalty of forty (40) Euros for recovery costs, without prejudice to its right to claim from the Customer the reimbursement of all expenses incurred to collect the unpaid amounts, if these expenses are higher than the above-mentioned flat-rate penalty. The indemnity for recovery costs applies to each invoice paid late, and not to all the invoices concerned. It is due per invoice.

7.3. Termination clause

Gladia reserves the right, in the absence of payment of the invoice on its due date, to suspend the execution of Services in progress until the resolution of the payment incident (i.e. suspension of access to the API), to refuse any new order and/or to close the Customer's personal space.

Under no circumstances may payments be suspended or offset in any way without Gladia's prior written consent.

8. Liability

Gladia undertakes to perform, in accordance with the standards and regulations in force, the obligations defined in the Agreement. The obligations contracted by Gladia are obligations of means. Furthermore, Gladia can’t guarantee the impact of its services on the Customer's turnover.

Gladia is responsible for the solutions it has developed itself. However, Gladia isn’t responsible for the design and operation of the solutions that would be published by third parties and used by the Customer. Gladia can’t, under any circumstances, guarantee the Customer the quality and proper functioning of these third-party solutions.

Gladia draws the Customer's attention to the importance of updating the solutions provided to resolve known bugs and malfunctions, but also to close security gaps.

Gladia can’t be held liable in the event that the Services are used or hosted by the Customer in abnormal, unsuitable or incompatible conditions with their proper functioning, or in the event that the malfunction or failure is caused, even partially, by behavior attributable to the Customer or a third party. The Customer undertakes to use the API in accordance with Gladia's General Terms and Conditions of Use, the regulations in force and to comply with all its legal obligations towards the competent authorities and its own customers.

Under no circumstances shall Gladia be liable to the Customer for indirect damages resulting from the performance or non-performance of its contractual obligations. Should the Customer be a “professional” under the French Consumer Code, by express agreement, without limitation, loss of profits, loss of income, loss of data, loss of image of brand and loss of customers are considered by the Parties to be indirect damages not giving rise to damages.

Should the Customer be a “professional” under the French Consumer Code, the liability of Gladia arising from the Agreement for proven direct damages, shall in no case exceed sixty percent (60%)of the amount paid by the Customer for the twelve (12) months immediately preceding the month during which the claim arose. Gladia undertakes to take out a liability insurance policy. Gladia shall not be liable for facts or faults made by its employees outside the scope of the missions provided for in the Agreement and taken on their own initiative.

9. ‍Guarantees for consumer Customers

The following may apply only if the Customer is a “consumer” according to the French Consumer Code.

Consumers have a period of two years from the date of supply of the digital content or service in which to invoke the legal warranty of conformity in the event of a lack of conformity. During a period of one year from the date of supply, the consumer is only required to establish the existence of the lack of conformity, and not the date of its appearance.

The legal warranty of conformity includes the obligation to provide all updates necessary to maintain the conformity of the digital content or service.

The legal warranty of conformity entitles the consumer to have the digital content or service brought into conformity without undue delay following his request, at no cost and without any major inconvenience to him.

The consumer may obtain a price reduction by keeping the digital content or digital service, or he may terminate the contract by obtaining a full refund in exchange for relinquishing the digital content or digital service, if:

1* The professional refuses to bring the digital content or service into conformity;

2* The compliance of the digital content or service is unjustifiably delayed;

3* The digital content or service cannot be brought into conformity without incurring costs for the consumer;

4* Bringing the digital content or service into conformity causes major inconvenience to the consumer;

5* The non-conformity of the digital content or service persists despite the professional's unsuccessful attempt to bring it into conformity.

The consumer is also entitled to a price reduction or to rescission of the contract where the lack of conformity is so serious as to justify immediate price reduction or rescission of the contract. In such cases, the consumer is not obliged to ask for the digital content or service to be brought into conformity beforehand.

In cases where the lack of conformity is minor, the consumer is entitled to cancel the contract only if the contract does not provide for payment of a price.

Any period of unavailability of the digital content or digital service for the purpose of restoring conformity suspends the warranty that was due until the digital content or digital service was supplied in conformity again.

The rights mentioned above result from the application of articles L. 224-25-1 to L. 224-25-31 of the French Consumer Code.

Any professional who obstructs the implementation of the legal guarantee of conformity in bad faith is liable to a civil fine of up to 300,000 euros, which may be increased to 10% of average annual sales (article L. 242-18-1 of the French Consumer Code).

Consumers are also covered by the legal warranty for hidden defects under articles 1641 to 1649 of the French Civil Code, for a period of two years from the discovery of the defect. This warranty entitles the consumer to a price reduction if the digital content or service is retained, or to a full refund in exchange for renouncing the digital content or service.

10. ‍Right of withdrawal

In accordance with the provisions of Articles L.221-18 et seq. of the French Consumer Code, the Customer who is a “consumer” under the French Consumer Code has the right to withdraw from the contract within fourteen (14) days from the date of acceptance of the Agreement.

The Customer may retract without having to justify his decision or incur any costs. To exercise his right of withdrawal, the Customer must notify his decision to withdraw from the present contract by means of an unambiguous statement (e.g. letter sent by post, fax or e-mail at sales@gladia.io). To this end, the Customer may use the model withdrawal form provided in Appendix 2.

If the Customer wishes the performance of the services covered by the present contract to begin before the end of the withdrawal period, he/she simply needs to tick the box provided for this purpose on the Website.

The Customer who exercises his right to withdraw from the Agreement, the performance of which has begun, at his express request, before the end of the withdrawal period, shall pay Gladia an amount corresponding to the services provided up to the communication of his decision to withdraw; this amount is proportionate to the total price of the services agreed upon herein. The Customer is reminded that, in accordance with article L.221-28 1° of the French Consumer Code, no right of withdrawal shall be recognized in the event of full performance of the services covered by the present contract before the end of the withdrawal period, performance of which has begun after the consumer's express prior agreement and express waiver of his right of withdrawal. In the event of withdrawal by the Consumer, Gladia will reimburse all payments received from the Customer, within the limits of the present article, if the services have already begun.

11. ‍Force majeure

Gladia’s liability may not be incurred or sought in the event that the performance of one of its obligations is prevented or delayed due to a case of force majeure, as provided by case law and defined in Article 1218 of the Civil Code. ‍

Are considered as cases of force majeure, events beyond the control of the Parties, which they couldn’t reasonably have been required to foresee, and which they couldn’t reasonably avoid or overcome, insofar as their occurrence makes it totally impossible to perform the obligations.

‍In particular, the following events are treated as cases of force majeure relieving Gladia of its obligation to deliver or perform the service within the time initially planned: strikes or social disputes, epidemics, wars, production stoppages due to fortuitous breakdowns, climatic phenomena, fires, lack of IT equipment, disruptions in supply or supply of energy or telecommunications and Internet network not attributable to Gladia, acts, decrees, legislation, regulations or restrictions issued by any government (particularly in the event of epidemics or pandemics), etc, as well as any other event considered by law or case law as a case of force majeure.

‍In such circumstances, the Agreement will be automatically suspended without compensation, from the date of occurrence of the event. Gladia will inform the Customer without delay. The obligations are suspended upon receipt of the information and resumed within a reasonable time after the cessation of force majeure. If the event lasts more than three (3) months from the date of its occurrence, the Agreement may be terminated by the most diligent Party, by registered letter with acknowledgment of receipt, without either Party being able to claim damages.

‍The Parties nevertheless remain responsible for the performance of their respective obligations which are not affected by force majeure and any payment obligation.

12. ‍Data protection

‍Each Party shall, at all times, comply with its obligations under the data protection regulations in force as well as under the Data Processing Agreement attached in Appendix 1 with respect to all personal data that are processed under the Agreement.

13. ‍Confidentiality

The Parties shall designate one or more contact persons for each of them. The request or provision of information and data can only be made through them. The Parties undertake:

(i) not to disclose to third parties any Confidential Information (as defined below) to which they have access under the Agreement;

(ii) not to use this information for purposes other than the performance of the Agreement;

(iii) and to disclose such information only to employees, appointees and representatives to the extent necessary for the performance of the Agreement provided that such Parties are bound by substantially similar confidentiality obligations under the Agreement.

All manufacturing or business secrets or processes, as well as any specifications, financial, commercial or technical information, know-how, reports or other information of any kind relating directly or indirectly to the affairs of the Parties communicated by one of them to the other for the purposes of the negotiation and execution of the Agreement or of which they become aware on that occasion, shall be considered confidential (hereinafter “Confidential Information”). This Confidential Information will remain confidential during the contractual relations of the Parties and after their termination for a period of five (5) years, regardless of the cause.

Each Party shall also refrain from disclosing them in any manner or for any reason whatsoever and from using them for any purpose other than those provided for herein. The Parties undertake to take all necessary measures to ensure compliance with the obligations resulting from this provision by all employees, employees or agents representing and partners.

Notwithstanding the foregoing, the restrictions set forth in this Article shall not apply to information which: (a) has been independently developed by a Party without the use of Confidential Information originating from the other Party, (b) is brought to a Party's knowledge, without restriction, by a third party without breach of the Agreement, which third party had the right to disclose said information, (c) was in the public domain at the time of its disclosure or fell into the public domain not as a result of any act or omission of the recipient Party, (d) was legitimately known to the recipient Party, without restriction, at the time of its disclosure (e) was known by employees, subcontractors and consultants who had a legitimate need to know the information for the use of the Services.

14. Personnel and non-solicitation

Gladia retains the right to determine in advance which consultant will be assigned to the mission as well as the right to change the consultant during the engagement. Gladia's consultants can never be considered as Customer's workers. Customer, its workers or agents aren’t authorized to give instructions to Gladia workers and will expressly refrain from exercising any type of authority over Gladia workers. The Parties therefore explicitly agree and acknowledge that the legal relationship created between them is that of two independent legal persons. The Parties shall comply with all legal, social, fiscal and commercial obligations applicable to any independent enterprise.

‍Each of the Parties refrains from, unless previously agreed in writing, making directly (hiring) or indirectly offers of engagement (e.g. as a consultant, independent advisor, through a company, etc.) to a collaborator, employee or not, of the other Party assigned to the execution of the Agreement. This clause shall apply for the entire performance of this Agreement and for a period of two (2) years from its termination, regardless of the cause and origin thereof. Failure to comply with this provision will be sanctioned by the payment of compensation at least equal to twice the amount of the gross annual salary of the employee (including the benefits to which the worker concerned was entitled and the employer's contributions) or the annual value of the fees due. Amounts due under this non-solicitation clause constitute damages, not penalties.

15. ‍Term and termination

15.1. Term

Unless stipulated otherwise in the Special Terms and Conditions, the Agreement will enter into force upon acceptance by both Parties for an indefinite period.

15.2. Termination

Unless stipulated otherwise in the Special Terms and Conditions, a Party may unilaterally terminate the Agreement automatically for convenience within sixty (60) days of termination notification. Notification will be sent by registered letter with acknowledgment of receipt or by email with acknowledgment of receipt.

A Party may unilaterally terminate the Agreement automatically for fault in the event that the other Party has not remedied a breach of one of its contractual obligations within thirty (30) days of notification of the breach made by the concerned Party. Notification will be sent by registered letter with acknowledgment of receipt or by email with acknowledgment of receipt.

16. Effect of termination

Upon termination, the Customer will no longer have access to the Services subscribed to and, unless otherwise stipulated in the Special Terms and Conditions, upon Customer request, Gladia will delete the Content associated with the account.

In the event of early termination of the Agreement by one of the Parties, Gladia will not refund the sums received for the provision of services.

17. Acceptance

This Agreement may be signed in paper or electronic form or accepted online. The Parties recognize that:

(i) these GTCS in electronic form have the same evidentiary value as the paper agreement;

(ii) the identifiers and computer records are admissible in court and provide evidence of the data, consents and facts contained therein and the signatures they express;

(iii) time marks (timestamps) are admissible in court and are evidence of the data and facts contained therein;

(iv) documents exchanged in electronic form are admissible in court and provide evidence of the data and facts contained therein;

(v) an electronic signature affixed to a document has the same legal effect as a handwritten signature.

When a signed copy is communicated by e-mail in ".pdf" format or in the form of another exact copy, the signature contained in that copy will create a valid and binding commitment for the signatory Parties with the same value, force and effect as the original signature.

18. Final provisions

Gladia reserves the right to use subcontractors for the performance of the Services. These subcontractors are subject to the same obligations as Gladia in the performance of the services.

Gladia reserves the right to replace any person who will be subrogated to all his rights and obligations under the contractual relationship with the Customer. Gladia will inform the Customer of any substitution by any written means, including by email.

If one or more stipulations of the Agreement are declared null and void by application of a law, a regulation or following a final judicial or administrative decision, the other stipulations will retain their force and scope. Gladia will make its best efforts to proceed as soon as possible to replace the invalid stipulation by a valid stipulation of a scope closest to the spirit hereof.

The fact that one of the Parties hasn’t required the application of any clause of these conditions, permanently or temporarily, can in no way be considered as a waiver of said clause.

19. Governing law

These GTCS are subject to French law.

The Parties will endeavor to resolve amicably any disputes that may arise from the interpretation or execution of the Agreement within thirty (30) days of the date of occurrence of such disputes.

In the event of a dispute, if the Customer is a “consumer” according to the French Consumer Code, he may freely resort to the following Mediator for an amicable settlement:

Consumer Mediation Centre of Justice Conciliators (CM2C)

Postal address: 14 rue Saint Jean 75017 Paris, France

Phone: +33 (0)6 09 20 48 86

Web site: https://www.cm2c.net

If the Customer is a foreign consumer but located in the European Union, he can go to the Dispute Resolution in European Consumer Law.

In the absence of an amicable agreement, all disputes to which these GTCS may give rise, concerning their validity, interpretation, execution, termination and consequences will be submitted to the competent Courts in Paris (France).

APPENDIX 1 – Data Processing Agreement

1. Purpose and Scope

The purpose of this “Data Processing Agreement” is to define the conditions under which Gladia (hereinafter the “Processor”) undertakes to carry out in the name and on behalf of the Customer (hereinafter the “Controller” or the “Data Controller”) the personal data processing operations defined in Annex I. Annexes I to III form an integral part of the Agreement.

Personal data will be processed for the purpose of performing the services pursuant to the Agreement, in particular for the purpose of processing personal data, including audio or video files transmitted by the Data Controller to the Processor in accordance with the Agreement.

In the context of their contractual relations, the Parties undertake to comply with the regulations applicable to the processing of personal data and, in particular, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27th April 2016 applicable from 25th May 2018 (hereinafter, "the European Data Protection Regulation" or "GDPR").

2. Interpretation and hierarchy

Where terms defined in GDPR appear in this Agreement, they shall be construed as in the GDPR.

The provisions of the Agreement should be read and interpreted considering the provisions of the GDPR.

In the event of any conflict between these provisions and those of related agreements existing between the Parties at the time of the conclusion of this Agreement, the Agreement shall prevail.

3. Description of processing operations

Any processing of personal data under this Agreement will be carried out in accordance with the regulations relating to the protection of personal data. The Processor, as a service provider, is not, however, responsible for compliance with the laws and regulations strictly applicable to the Data Controller or its industry, unless explicitly agreed otherwise between the Parties.

The details of the processing operations, and in particular the categories of personal data and the purposes of the processing for which the personal data are processed on behalf of the Controller, are specified in Annex I.

When the Controller wishes to change the subject, duration, nature and purpose of the processing of personal data, it shall inform the Processor in writing. When the Processor considers that the modification does not comply with the regulations in force, it informs the Data Controller.

4. Privacy and data protection representatives

Where required by regulation, the Parties will appoint privacy and data protection representatives (hereinafter "Data Protection Officer" or "DPO"), and will exchange contact information.

The DPO of the Gladia Processor can be contacted at the following email address: privacy@gladia.io

5. Obligations of the Parties

5.1. Instructions

a) The Processor shall only process personal data on documented instructions from the Controller, unless it is required to do otherwise under Union or Member State law to which it is subject. In this case, the Processor shall inform the Controller of this legal obligation prior to processing, unless prohibited by law for important reasons of public interest. Instructions may also be given during the configuration and use of the solution or later by the Data Controller throughout the processing of personal data. These instructions must always be documented and written. The Parties acknowledge that this Agreement constitutes such documented instructions.

b) When the Processor detects an instruction that could potentially constitute a violation of Regulation (EU) 2016/679 / Regulation (EU) 2018/1725 or other provisions of Union or Member State law relating to data protection, he shall immediately inform the Data Controller.

5.2. Responsibilities

a) The Data Controller is responsible for the legality of the personal data and their processing pursuant to the Agreement. It declares and warrants that when providing personal data to the Processor for processing by the latter:

(i) it has duly informed data subjects of their rights and obligations and, in particular, informed them of the possibility that the Processor (or a category of service providers to which it belongs) may process their personal data on its behalf and in accordance with its instructions;

(ii) that it has complied with all legislation relating to the protection of personal data in the collection of such personal data and its communication to the Processor.

b) The Data Controller is responsible for any misuse of IT devices by one of its agents as well as for the quality and accuracy of the personal data entered by its agents. The Data Controller shall indemnify the Processor against any claim by a third party, including the Data subject, resulting from misuse of IT devices and specific obligations of data protection regulations.

c) The Data Controller acknowledges and accepts that the Processor shall only provide analyses based on the data processed by the Controller which constitute only one of the possible means to enable the Data Controller to achieve its performance objectives. Under no circumstances may the Processor be held responsible for the decisions taken by the Controller based on the reports sent by the Processor.

5.3. Purpose limitation

The Processor processes personal data only for the specific purpose(s) of the processing, as defined in Annex I, unless further instructed by the Controller.

5.4. Duration of processing of personal data

Processing by the Processor shall only take place for the period specified in Annex I.

The Processor undertakes to keep personal data only for the period necessary to achieve the purposes for which they are processed, unless a legal or regulatory provision obliges it to keep them for longer periods. The Processor will destroy the personal data or return them to the Data Controller, either when the purpose for which they are processed is achieved or at the end of the legal or regulatory retention period.

5.5. Disclosure

a) The Processor will not disclose any personal data to any third party except (i) at the request of the Controller, (ii) as provided for in the Agreement, (iii) as required by processing by sub-processors in accordance with this Agreement or (iv) as required by law or a competent authority.

b) If the Controller instructs the Processor to transfer personal data to a third party contractually linked to the Controller, it is the sole responsibility of the Controller to enter into a written agreement with such party regarding the protection of such personal data, including, where applicable, the obligations imposed by the Standard Contractual Clauses. The Controller shall cover, defend and hold harmless the Processor from any liability for any losses whatsoever arising from such transfer of data to the third party, unless and insofar as the losses are attributable to proven defects of the Processor.

c) The Processor represents and warrants that persons acting on its behalf who are authorized to process personal data undertake to protect the security and confidentiality of the personal data in accordance with the provisions of this Agreement. To this end, the Processor is obliged to inform persons acting on its behalf who have access to the personal data of the applicable requirements and to ensure compliance with such requirements through contractual or legal confidentiality obligations.

5.6. Security of processing

a) The Data Controller shall implement and maintain the required technical and organizational data protection measures for the components it provides or controls, including workstations connected to the Processor's services, the data transfer mechanisms used and the identifiers issued to the Controller's personnel. The Data Controller shall take all reasonable measures to keep the personal data up to date to ensure that they are accurate and complete in relation to the purpose for which they were collected.

b) The Processor shall implement the technical and organizational measures specified in Annex II to ensure the security of personal data. These measures include the protection of data against any breach of security resulting in, accidentally or unlawfully, the destruction, loss, alteration, unauthorized disclosure of or access to personal data (personal data breach). When assessing the appropriate level of security, the Parties shall take due account of the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing, as well as the risks to data subjects. During the term of the Agreement, the Data Controller may request the Processor to provide, within a reasonable time, a current description of the technical and organizational protection measures implemented.

c) When assessing appropriate technical and organizational security measures, the Parties shall take into account:

(i) state of the art,

(ii) the cost of implementing the measures,

(iii) the nature, scope, context and purposes for which the personal data are processed,

(iv) the risks posed by the processing of data to the rights and freedoms of Data subjects, resulting, inter alia, from the destruction, loss, alteration or unauthorized disclosure of, or accidental or unlawful access to, personal data transmitted, stored or otherwise processed,

(v) and the likelihood that the processing will affect the rights and freedoms of Data subjects.

d) The Processor shall grant its personnel members access to the personal data subject to the processing only to the extent strictly necessary for the execution, management and monitoring of the contract. The Processor shall ensure that persons authorized to process personal data undertake to respect confidentiality or are subject to an appropriate legal obligation of confidentiality.

e) These measures shall be updated by the Parties in the light of the state of the art and any incidents.

5.7. Sensitive data

If the processing concerns personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, as well as genetic data or biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning the sex life or sexual orientation of a natural person, or data relating to criminal convictions and offences ("sensitive data"), the Processor shall apply specific limitations and/or additional safeguards, following the instructions of the Data Controller.

5.8. Documentation and Compliance

a) The Parties shall be able to demonstrate compliance with this Agreement.

b) The Processor shall promptly and adequately process the Controller's requests for data processing in accordance with this Agreement.

c) The Processor shall make available to the Controller the information necessary to demonstrate compliance with the obligations set out in this Agreement and arising directly from the GDPR. At the request of the Controller and at its expense, the Processor shall also allow and contribute to audits of the processing activities covered by this Agreement at reasonable intervals or where there are indications of non-compliance. When deciding on an examination or audit, the Controller may take into account the relevant certifications in the Processor's possession.

d) The Controller may decide to carry out the audit itself or to appoint an independent auditor. Audits may also include inspections at the Processor's premises or physical facilities and shall, where appropriate, be carried out on reasonable notice.

e) The Processor may refuse the identity of the selected auditor if it belongs to a competing company. The audit shall be carried out during working hours and in such a way as to minimize disruption of the Processor’s activity. The audit must in no way threaten (i) the technical and organizational security measures implemented by the Processor, (ii) the security and confidentiality of the data of the Processor’s other clients and (iii) the proper functioning and organization of the Processor. In addition, the Data Controller shall ensure that the auditor and, more specifically, the personnel performing the audit are subject to appropriate confidentiality obligations.

f) As far as possible, the Parties shall agree beforehand on the scope of the audit. The audit report will be sent to the Processor for written comments, which will be attached to the final version of the audit report. Each audit report will be considered confidential information.

g) The Parties shall make available to the competent supervisory authorities, upon request, the information set out in this Agreement, including the results of any audit.

5.9. Sub-processors

a) The Processor has the general authorization of the Controller with regard to the recruitment of sub-processors on the basis of an agreed list for the provision of services (Annex III). The Processor shall specifically inform the Controller in writing of any proposed changes to this list by adding or replacing sub-processors at least fifteen (15) days in advance, thereby giving the Controller the opportunity to submit legitimate and justified objections. In the absence of notification of objections after this period, the Controller shall be deemed to have authorized the use of the sub-processor concerned. The Processor shall provide the Controller with the information necessary to enable it to exercise its right of objection. By signing this Agreement, the Data Controller authorizes the recruitment of the sub-processors established in Annex III.

b) In case of continued objections from the Data Controller, the Parties will meet in good faith and do their best to discuss a solution. Gladia may choose (i) not to hire the sub-processor or (ii) to take corrective action as requested by the Data Controller in relation to objections before hiring the sub-processor. If neither option is reasonably possible, and Gladia can’t, for legitimate reasons, hire another sub-processor for processing, either Party may terminate this Agreement upon thirty (30) days’ notice.

c) Where the Processor engages a sub-processor to carry out specific processing activities on behalf of the Controller, it does so by means of a contract that imposes on the sub-processor, in substance, the same data protection obligations as those imposed on the Processor under this Agreement. The Processor shall ensure that the sub-processor complies with the obligations to which it is itself subject under this Agreement and the GDPR.

d) At the request of the Controller, the Processor shall provide the Controller with a copy of this contract with the sub-processor and any subsequent amendments thereto. To the extent necessary to protect trade secrets or other confidential information, including personal data, the Processor may redact the text of the contract before disseminating a copy.

e) The Processor shall remain fully responsible to the Controller for the performance of the obligations of the sub-processor in accordance with the contract concluded with the sub-processor. The Processor shall inform the Controller of any breach by the sub-processor of its contractual obligations.

f) The Processor shall agree with the sub-processor a clause of the third-party beneficiary according to which — in the event that the Processor has factually disappeared, ceased to exist in law or has become insolvent — the Controller has the right to terminate the contract with the sub-processor and to instruct the sub-processor to erase or return the personal data.

5.10. International transfers

a) The transfer of personal data to a country outside the European Economic Area is permitted provided that (i) such transfer is necessary under a binding legal rule under European Union or French law, (ii) the country or company(ies) to which the personal data are transferred guarantees an adequate level of protection, (iii) or that the transfer takes place within the framework of standard contractual clauses issued by the European Commission (iv) or that the transfer takes place within the Data Protection Framework in force and approved by the European Commission.

b) The Processor guarantees that the country or company to which the personal data is transferred guarantees an adequate level of protection.

6. Assistance to the controller

a) The Parties undertake to provide mutual assistance to meet the requirements of the GDPR. In particular, they shall cooperate and exchange the information necessary to carry out data protection impact assessments, audits and inspections relating to the processing of personal data.

b) The Processor shall promptly inform the Data Controller of any request it has received from the data subject. He does not comply with this request himself, unless the Data Controller has authorized him to do so.

c) The Processor assists the Controller in fulfilling its obligation to respond to data subjects' requests to exercise their rights, taking into account the nature of the processing. In performing its obligations in accordance with points b) and c), the Processor shall comply with the instructions of the Controller.

d) In addition to the Processor's obligation to assist the Controller, the Processor shall also assist the Controller in ensuring compliance with the following obligations, taking into account the nature of the processing and the information that the Controller has made available to its Processor:

(1) the obligation to carry out an assessment of the impact of the envisaged processing operations on the protection of personal data ('data protection impact assessment') where a type of processing is likely to pose a high risk to the rights and freedoms of natural persons;

(2) the obligation to consult the competent supervisory authorities prior to processing where a data protection impact assessment indicates that the processing would pose a high risk if the Controller did not take measures to mitigate the risk;

(3) the obligation to ensure that the personal data are accurate and up-to-date, by informing the Controller without undue delay if the processor becomes aware that the personal data it processes are inaccurate or have become obsolete;

(4) the obligations laid down in Article 32 of Regulation (EU) 2016/679.

e) The Parties shall set out in Annex II the appropriate technical and organizational measures by which the Processor is required to assist the Controller in the application of this Agreement, as well as the scope and extent of the assistance required.

7. Breach of personal data protection

In the event of a breach of the protection of personal data, each Party shall immediately inform the other Party by telephone and email, after its detection.

In the event of a personal data breach, the Processor shall cooperate with and assist the Controller in complying with its obligations under Articles 33 and 34 of Regulation (EU) 2016/679 or Articles 34 and 35 of Regulation (EU) 2018/1725, whichever is applicable, taking into account the nature of the processing and the information available to the Processor.

7.1. Data breach in relation to processes managed by the Controller

As part of the relationship between the Data Controller and the Processor, in the event of a personal data breach in relation to processing managed by the Controller, the Processor shall assist the Controller:

a) for the purpose of notifying the personal data breach to the competent supervisory authorities, as soon as possible after the Controller becomes aware of it, where applicable (unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons);

b) for the purpose of obtaining the following information which, in accordance with Article 33(3) of Regulation (EU) 2016/679, is to be included in the Controller's notification, and include, at least:

(i) the nature of the personal data, including, where possible, the categories and approximate number of data subjects affected by the breach and the categories and approximate number of records of personal data concerned;

(ii) the likely consequences of the personal data breach;

(iii) the measures taken or the measures that the Controller proposes to take to remedy the personal data breach, including, where applicable, measures to mitigate any negative consequences.

Where, and to the extent that, it is not possible to provide all the information at the same time, the initial notification shall contain the information available at that time and, as it becomes available, additional information shall subsequently be submitted as soon as possible.

c) for the purpose of fulfilling, in accordance with Article 34 of Regulation (EU) 2016/679, the obligation to communicate the personal data breach to the data subject without undue delay, where the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons.

7.2. Data breach in relation to processes managed by the Processor

In the event of a personal data breach in relation to processes managed by the Processor, the Processor shall inform the Controller as soon as possible after becoming aware of it. This notification shall contain at least:

a) a description of the nature of the breach found (including, where possible, the categories and approximate number of persons affected by the breach and records of personal data concerned);

b) the contact details of a contact point from which additional information can be obtained about the personal data breach;

c) its likely consequences and the measures taken or proposed to be taken to remedy the violation, including mitigating any negative consequences.

The Parties shall set out in Annex II all other elements to be communicated by the Processor when assisting the Controller in fulfilling the Controller's obligations under Articles 33 and 34 of the GDPR.

8. Termination of the Agreement

Following the termination of the Agreement and according to the choice of the Controller, the Processor (i) deletes all personal data processed on its behalf and certifies to the Controller that it has carried out this deletion, (ii) or send all personal data back to him and destroy existing copies, unless Union or national law requires that they be kept longer. The Processor shall continue to ensure compliance with this Agreement until the data is deleted or returned.

List of Annexes:

- Annex I: Description of processing

- Annex II: Technical and organizational measures, including technical and organizational measures to ensure data security

- Annex III: List of sub-processors

ANNEX I: Description of processing

ANNEX II : Technical and organizational measures including technical and organizational measures to ensure data security

Description of the technical and organizational security measures implemented by the Processor(s) (including any relevant certification) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, as well as the risks to the rights and freedoms of natural persons.

Gladia uses reputable third-party service providers to host its production infrastructure. Gladia relies on these third parties to manage the physical access controls to the data center facilities that they manage. Some of the measures that Gladia’s service providers provide to prevent unauthorized persons from gaining physical access to the data processing systems available at premises and facilities (including databases, application servers and related hardware), where Personal Data is Processed.

Gladia maintains and enforces a security program that addresses how Gladia manages security, including the security controls Gladia employs. The security program includes:

Documented policies that Gladia formally approves, internally publishes, communicates to appropriate personnel and reviews at least annually
Documented, clear assignment of responsibility and authority for security program activities;
Regular testing of the key controls, systems and procedures.

All Gladia employees and Gladia independent contractors who may have access to data, including those who Process Personal Data acknowledge their data security and privacy responsibilities under Gladia’s policies.

For Personnel, Gladia, either itself or through a third party

Implements pre-employment background checks and screening
Conducts security and privacy training

Authentication

Gladia authenticates each Personnel’s identity through appropriate authentication credentials such as strong passwords, token devices or biometrics.

Training and Awareness

Annual Security and Privacy Training. Gladia’s employees complete an annual Security and Privacy awareness training on Gladia’s data security and confidentiality policies and practices.

ANNEX III: List of sub-processors

1. The Processor shall use the following sub-processors: Access Management to Gladia User interface (app.gladia.io) : No user data (Audio nor text) are processed and performed in this section.