General Terms of Service

Connecting Food - SaS – With a share capital of 1.313.213,68 € - 511, Chapelle Street, 78630, Orgeval Versailles Trade Registry N°823 043 039

THESE TERMS AND CONDITIONS ("TC") APPLY TO THE PROVISION BY CONNECTING FOOD (THE "PROVIDER") TO THE CLIENT (THE "CLIENT") OF SERVICES AS DESCRIBED IN THE ORDER FORM ISSUED BY THE CLIENT AND ACCEPTED BY CONNECTING FOOD.

Article 1. Definitions

1.1. CLIENT Data: refers to the information, publications and, in general, the data in the Client's database, the use of which is the subject of this Agreement, which are communicated by the CLIENT and received by the PROVIDER.

1.2. Confidential Information: any information communicated or obtained in any form whatsoever, whether verbal, written or on any medium, which concerns the products, services or know-how of the Parties and is expressly identified as such (in particular CLIENT Data, the terms of the Agreement, offers, documents revealing know-how or technologies, lists of customers or prospects, commercial or technical secrets, information concerning the development and marketing strategy, Deliverables).

1.3. Deliverables: refers to the elements or reports resulting from a specific Service and delivered by the Provider to the Client.

1.4. Platform: refers to the IT solution that the PROVIDER makes available to the Client, including the applications selected (LiveTrack®, LiveScan® and/or LiveAudit®), and any associated Services provided by the PROVIDER to the Client.

1.5. Services: means the services provided by the Provider and chosen by the CLIENT in a validated order form in the field of food traceability, integration of CLIENT Data, access to the Platform or the production of Deliverables.

1.6.
User: a natural person under the responsibility of the CLIENT (associate, employee or service provider working exclusively on behalf of the CLIENT) who has authorised access to the Platform, for the agreed scope of applications, on his or her computer by virtue of the user licence contracted by the CLIENT.

Article 2. Purpose

2.1. The PROVIDER implements a Platform and provides Services in the field of food traceability. The Platform is accessible online in SaaS mode, uses the blockchain, and includes several applications that the CLIENT chooses (LiveTrack®, LiveScan®, LiveAudit®). The Platform enables the real-time tracking of food products (LiveTrack®), the auditing of compliance with specific elements of a specification (LiveAudit®) and the display of all or part of these elements by the consumer via a webapp on smartphones (LiveScan®). A more detailed description of the Platform and its applications is available from the Provider and is updated regularly; the CLIENT being responsible for consulting this documentation.

2.2. The TC and the applicable order form set out the terms and conditions applicable to the Services ordered by the CLIENT and the obligations of the Parties (the "Agreement"). The Agreement is formed only by the express acceptance of the Provider.

2.3. The scope of the Services subscribed to, and in particular the applications selected by the CLIENT and their scope of use, is determined in the applicable order form.

Article 3. Duration

3.1. Unless otherwise provided for in the order form, the Agreement shall have a term of one year as from the date of entry into force defined in the order form. Unless terminated by one of the Parties at least 90 days before each annual term by registered letter with acknowledgement of receipt, the Agreement shall be automatically renewed for a further term of one year.

3.2. Any request for a Service or Deliverable cannot be cancelled by the Client and remains due.

Article 4. Provision of Services

4.1.
The PROVIDER undertakes to carry out the Services with the diligence that is normal in the matter, on the basis of the information and needs expressed by the CLIENT. The PROVIDER reserves the right to choose the method, manner and means by which it will perform the Services. It is free to carry out its mission with complete autonomy and independence.

4.2. When consulting Services for the configuration, installation or implementation of the Platform are ordered by the CLIENT, these consulting Services are intended to enable the CLIENT to increase the benefit it derives from receiving the other Services provided by the PROVIDER.

4.3. Access to the Platform includes hosting and Maintenance, in accordance with Articles 6 to 9, the documentation and the prerequisites, and requires the CLIENT to have Internet access and to upgrade its IT environment, particularly during the set-up phase which may last several months. The level of availability of the Platform will be 99.5% for each calendar quarter, without taking into account the excused times, namely:
- Cases of Force Majeure.
- Data transmission failures that are beyond the control of the PROVIDER, not due to a malicious act or negligence of the PROVIDER.
- Downtime due to unavailability of hosting services provided by the third party providers retained for the CLIENT Data.
- Downtime resulting from applications developed for or by CLIENT that are running on or interacting with the Platform or the applications.
- Downtime due to third party software used by the CLIENT and/or third party software integrations developed by or for the CLIENT.
- Downtime due to an Internet or CLIENT network failure.
- Interruptions for maintenance (including stoppages for emergency maintenance), for which the PROVIDER will endeavour to give reasonable notice to the CLIENT depending on the circumstances.

In the event that availability falls below the agreed level, the CLIENT shall have the exclusive right to receive a credit for a portion of the fees for the quarter in which such breach of obligation occurred. Such credit shall be equal to five times the fee under this Agreement for the relevant quarter, multiplied by the percentage of downtime in excess of 0.5% under the Agreement, but not exceeding in total 15% of the fee. This credit may be applied against any outstanding or future fees due under the Agreement for the current service period. If the CLIENT does not make a written request for a credit, the credit will not be due to the CLIENT.

Article 5. Review

If, during the performance of the Agreement, it appears that the volume of Services or licenses provided to the CLIENT has increased in relation to the terms agreed in the applicable order form, the Provider and the CLIENT agree to negotiate in good faith an increase in the agreed price. It is the CLIENT's responsibility to inform the PROVIDER in the event of a substantial increase in its needs in terms of processing capacity compared with those validated.

Article 6. Licences

6.1. The PROVIDER grants the CLIENT a personal, non-exclusive, non-assignable and non-transferable right to use the Platform, for the entire duration of the Agreement, and only for the applications selected by the Client, the volume specified in the order form, for Users only and in accordance with the purpose of the Platform. This license shall not benefit entities affiliated with the CLIENT or non-User third parties, including subcontractors not exclusively working for the CLIENT.

6.2. This right of use means the right to access the selected applications of the Platform and the CLIENT Data integrated or entered in the Platform in SaaS mode via a connection to an Internet network. It excludes any delivery of source codes or executables of the Platform or the Provider's applications, as well as any delivery to a third party.
Any other use, but also any adaptation, modification, translation, arrangement, distribution, decompilation, without this list being restrictive, is prohibited.

6.3. The rights to the Platform and the Deliverables shall remain the property of the Provider and no rights other than those set forth herein are granted to the CLIENT.

6.4. Unless otherwise agreed in writing, the Client may use the Deliverables for its own internal use and may not disclose or transmit them to third parties. The Provider may freely re-use the Deliverables and the ideas, concepts underlying them, subject to the Client's Confidential Information. Sources or preparatory files relating to the Deliverables are not provided to the CLIENT.

6.5. The CLIENT remains the owner of all the CLIENT Data that it uses via the Platform.

6.6. The use of the Platform requires on a mandatory basis the use and payment of the LiveTrack® application.

6.7. The Provider may terminate any of the licenses referred to in this Article in the event of non-payment of the price as indicated in Article 11 "Financial conditions".

6.8. The CLIENT grants the PROVIDER the right to mention and refer to the CLIENT in its commercial documentation.

6.9. The CLIENT grants the PROVIDER the right to use the CLIENT's intellectual property rights and data to provide the Services, and in particular the CLIENT's invoices and accounting and quality data for the LiveAudit® application.

Article 7. Access to the Platform & Login

7.1. Access to the Platform is carried out from the Client's computers that meet the required configuration to access the Platform, using the credentials provided to the CLIENT. This identifier is allocated to each User by the PROVIDER, together with a password communicated to the CLIENT by the PROVIDER.

7.2. The CLIENT will use the credentials provided to it each time it connects to the Platform.
The credentials are intended to restrict access to the Platform to the CLIENT's authorised Users only, to protect the integrity, availability and confidentiality of the Platform and the CLIENT's Data as transmitted by the Users.

7.3. The credentials are personal and confidential. They can only be changed at the CLIENT's request or at the PROVIDER's initiative, subject to informing the CLIENT beforehand. The CLIENT undertakes to make every effort to keep its credentials secret and not to disclose them in any form whatsoever.

7.4. The CLIENT is entirely responsible for the use of the credentials and the custody of the access codes given to it and for the means of protecting them, in particular by changing them at regular intervals. It will ensure that no other person not authorised by the PROVIDER has access to the applications. Generally speaking, the CLIENT assumes responsibility for the security of the individual workstations that access the Platform. In the event that it becomes aware that someone other than a User is accessing them, the CLIENT will inform the PROVIDER without delay and will confirm this by registered letter.

7.5. In the event of the loss or theft of one of the credentials, the CLIENT will inform the PROVIDER as soon as possible and will use the procedure set up by the PROVIDER to recover its credentials.

Article 8. Technical assistance and maintenance

8.1. The PROVIDER provides the CLIENT with a set of documentation that can be accessed from the Platform with contact details for the PROVIDER's technical support and an incident report form. The PROVIDER reminds the CLIENT that its assistance and maintenance obligation is only an obligation of means.

8.2. The PROVIDER is responsible for the corrective maintenance of the applications ordered. If the CLIENT has placed an order in that respect, it benefits from the functional upgrades of the new versions of the applications.
Unless otherwise specified or unless the CLIENT's environment is not compatible, upgrades and new versions of the Platform and applications will not result in any regression of the Service in terms of performance and functionality.

8.3. If the Service malfunctions, it is up to the CLIENT to consult the documentation and carry out the technical tests proposed by the PROVIDER. If the malfunction is not resolved, it is up to the CLIENT to declare the incident to the PROVIDER's departments using the specific form mentioned above, providing as much information as possible about the problem. The CLIENT is forbidden to have a third party intervene on the Platform without the prior and express agreement of the PROVIDER.

8.4. The CLIENT expressly authorises the PROVIDER to connect to its infrastructure and to carry out any operation necessary to carry out the diagnosis, both at hardware and software level.

8.5. As part of this incident reporting procedure, the PROVIDER will carry out a diagnosis in order to seek the origin and cause of the malfunction encountered. If, as part of its research, the PROVIDER determines that the malfunction results from the PROVIDER's responsibility, then the cost of carrying out the diagnosis will be entirely borne by the PROVIDER.

8.6. On the other hand, if the diagnosis reveals that the incident encountered by the CLIENT is not the responsibility of the PROVIDER or that its existence cannot be confirmed, the time spent by the PROVIDER in carrying out the diagnosis will be invoiced to the CLIENT on a flat-rate basis at the rate indicated to the CLIENT, and recalled at the time of the incident declaration.

8.7. In the event that the PROVIDER does not manage to identify the origin or cause of the malfunction, the CLIENT will not be invoiced for the research relating to the establishment of the diagnosis.

8.8.
At the end of the diagnosis, the PROVIDER will communicate the cause of the malfunction and will direct the CLIENT towards the technical solutions to be provided to resolve the problem encountered.

8.9. Interventions relating to maintenance may make the Service temporarily unavailable. They are carried out after a notice period of 2 weeks and only outside working days and hours.

8.10. Travel and meal expenses incurred by Connecting Food in the performance of the Services outside the Paris region will be re-invoiced to the CLIENT on presentation of receipts for these expenses.

Article 9. Hosting & Blockchain

9.1. The CLIENT's Data and the Platform are hosted by a third-party service provider, such as, inter alia, OVH or Microsoft Azure, depending on the information given to the CLIENT on request. Information concerning the location of the data is sent to the CLIENT by the PROVIDER.

9.2. The provisions of the host governing this hosting are applicable and the CLIENT declares that he/she is aware of them.

9.3. Unless otherwise specified, the PROVIDER's Services are based on a distributed registry technology of the Blockchain type implemented according to the HyperLedger Sawtooth architecture. The CLIENT declares that it is aware of the impossibility of deleting the data recorded in the Blockchain.

Article 10. Data processing

10.1. The CLIENT is the sole owner of the CLIENT Data.

10.2. The CLIENT is solely responsible for and guarantees the quality, lawfulness and relevance of the CLIENT Data. It guarantees that it holds all the rights and authorisations allowing it to use and have used by the PROVIDER the CLIENT Data and access to its infrastructure and its third-party applications for the purposes of providing the Services. The CLIENT guarantees the PROVIDER at first request against any prejudice that may result from a third party claim relating to this warranty.

10.3. For the elements under its control, and subject to the provisions applicable to hosting, the PROVIDER undertakes to implement the measures and means in accordance with good practice in order to preserve the security, integrity and confidentiality of the CLIENT Data.

10.4. As part of their contractual relationship, the CLIENT and the PROVIDER undertake to comply with the regulations in force applicable to the processing of personal data as described in the appendix "Processing of Personal Data and Security".

Article 11. Financial conditions

11.1. The price of the Services is set out in the applicable order form; the Client agrees to pay any sum due or agreed to be due to the Provider, including said Price.

11.2. The Services, including royalties, shall, unless otherwise specified, be invoiced on a biannual basis and shall be paid by the CLIENT 30 (thirty) days net from the date of invoice. All sales, use, VAT, transfer and other taxes and duties applicable to the Services provided hereunder shall be payable by, and the responsibility of, the CLIENT.

11.3. The CLIENT must notify the PROVIDER and give reasons for any dispute about an invoice in writing before the due date of the said invoice and may not decide on its own to reduce any of the sums appearing on it.

11.4. Failure to pay on the due date shall result in the immediate payment of late interest, calculated from said due date until full payment, on the basis of a rate equal to the rate applied by the ECB to its last refinancing operation plus ten (10) points, said interest starting to run on the due date of the payment term indicated in the Agreement or on each invoice. In the event of debt collection, the fixed compensation for collection costs of 40 euros, provided for in Articles L. 441-10 and D. 441-5 of the French Commercial Code, shall be applied, without prejudice to other costs incurred by the Provider, which the Client undertakes to compensate.

11.5. In addition, the PROVIDER may suspend the performance of the Services, in particular access to the Platform, within seven (7) days after sending a formal notice by registered letter with acknowledgement of receipt that has remained without effect, without prejudice to the right to terminate the Agreement.

Article 12. Audit

The Provider has the right to regularly check the CLIENT's compliance with its obligations or its scope of use of the Platform, by using the tools integrated into the Platform.

Article 13. Obligations of the CLIENT

13.1. The CLIENT has a duty to cooperate including to (i) follow any instructions given by the PROVIDER in the performance of its obligations, (ii) provide the Provider with the Data and give it access to the Data in good time for the performance of the Services and (iii) inform the CLIENT of its needs in a clear and precise manner and reveal any important information. Any failure by the CLIENT to comply with this obligation shall result in a consequential delay in the processing of the Data, which shall not be less than 5 working days.

13.2. The CLIENT undertakes to provide the PROVIDER with sincere and reliable data about its products, their origin and the elements relating to their traceability. The CLIENT undertakes to use the Platform lawfully and in accordance with its purpose.

13.3. It is the CLIENT's responsibility to regularly back up its data and its environment, in particular before any communication or access is given to the PROVIDER.

13.4. The Client has a period of fifteen days to express its reservations about the Deliverables as of their receipt; receipt may be tacit as of the use of the Deliverables.

Article 14. Declarations by the Client

The CLIENT acknowledges that it has checked the suitability of the Service for its needs and that it has received from the PROVIDER all the information and advice that it needed to sign the Agreement.
The CLIENT acknowledges that the traceability services provided by the Provider are essentially dependent on the CLIENT Data and that the Provider's task is limited to processing the CLIENT Data through the applications selected by the CLIENT.

Article 15. Guarantees of the Provider

15.1. The PROVIDER guarantees the physical existence of the Platform, its substantial compliance with the documentation and that it is free from bugs or malware of its own making. The PROVIDER does not guarantee the suitability of the Platform, Services or Deliverables for any particular need of the CLIENT and does not guarantee an uninterrupted and error-free operation of the Platform.

15.2. In the event that the PROVIDER is found to be liable in relation to the Platform, the PROVIDER's sole obligation and the CLIENT's sole remedy shall be for the PROVIDER to use commercially reasonable efforts to (a) repair or replace all or part of the disputed application so that it ceases to be a source of liability for the PROVIDER or, at the PROVIDER's option, (b) identify or make available a workaround or alternative approach that achieves substantially the same result or functionality.

Article 16. Liability / force majeure

16.1. The provisions of this Article allocate the risk between the Parties. The Parties acknowledge that the agreed price reflects the allocation of risk and the resulting limitation of liability.

16.2. The PROVIDER can only be held liable in the event of a substantial breach by the PROVIDER of its obligations under the Agreement.
The PROVIDER's liability is excluded and it is released from its obligations (including access, maintenance) in the event of:
- disclosure or unlawful use of credentials or passwords given confidentially to the CLIENT;
- partial or total destruction of the information transmitted or stored as a result of errors attributable directly or indirectly to the CLIENT;
- the CLIENT's refusal to collaborate with the PROVIDER in resolving the anomalies and in particular to answer questions and requests for information,
- use of the Platform in a manner that does not comply with its purpose or documentation,
- failure of the CLIENT to fulfil its obligations under the Agreement,
- implementation of any software package, software or operating system not compatible with the Platform or any virus or malware,
- failure of third party communication networks or CLIENT,
- planned or legitimate maintenance operations,
- deliberate act of damage, malice, sabotage, or
- deterioration due to force majeure or misuse of the Platform.

It is also recalled that the functioning and rendering of the Platform, its performance or results depend on the CLIENT's Data.

16.3. The CLIENT is liable for material and immaterial damage caused to the PROVIDER in the event of a breach, in particular of its obligations under article 13.1, or in the event of incomplete or defective transmission of CLIENT Data that would tarnish the image of the PROVIDER's application. When the CLIENT Data is unavailable, and in particular when it is not provided in time by the CLIENT, the CLIENT acknowledges that the PROVIDER may, if necessary, provide the end user of the online Services with a page containing an explanatory message setting out the cause of the unavailability of the information sought.

16.4.
Consequential damages suffered by the CLIENT, as well as special, indirect or direct damages, including, but not limited to, loss of profits, loss of savings or damages resulting from the loss or use of data or project delays attributable in any way to the performance of the Services, business interruption, loss of use of data and any loss caused by the interruption, termination or malfunction of the Internet, third party telecommunication services or third party security functions or systems as well as damage to the CLIENT's image are excluded from any claim for compensation even if the PROVIDER has been informed of the possibility of such damages. The PROVIDER's cumulative liability for all damages suffered by the CLIENT in respect of a Service hereunder shall in no event exceed 50 (fifty) % of the price paid or payable for the Service from which such damages arise. The PROVIDER will not be responsible for the protection or loss of the CLIENT's data or information, in particular when it results from a failure of the host.

16.5. The CLIENT acknowledges and accepts the technical hazards and limits of the Internet network. The PROVIDER is not responsible for technological malfunctions, interruptions and failures of the stations from which the connection is established, the quality of the network and in particular connection speed or acts of piracy by third parties or malicious intrusion, despite the implementation of security measures.

16.6. In the event of a temporary force majeure impediment, the performance of the Parties' obligations shall be suspended unless the resulting delay justifies the termination of the Agreement. If the impediment is definitive, the Agreement shall be terminated by operation of law and the Parties shall be released from their obligations.
Force majeure is an event beyond the control of the PROVIDER, which could not be reasonably foreseen when the Agreement was concluded and whose effects cannot be avoided by appropriate measures, preventing the PROVIDER from performing its obligation.

16.7. In any event, the CLIENT will not be able to bring an action or make a claim, in particular concerning the performance of the Agreement or the liability of the PROVIDER and/or its directors, representatives, employees or agents for any reason whatsoever more than one year after it knew or should have known the fact that would enable it to bring this action or make this claim.

16.8. By express agreement, the Parties agree that this Article shall survive in the event of total or partial termination of the Agreement, regardless of the cause thereof.

Article 17. Termination

17.1. Any substantial breach by either Party of its obligations under the terms of the Agreement shall entitle the creditor of the unfulfilled obligation to terminate the Agreement by operation of law, thirty (30) days after formal notice to perform has been sent by registered letter with acknowledgement of receipt if the breach persists, without prejudice to the damages to which it may be entitled.

17.2. In the event of termination of the Agreement, each of the Parties shall return to the other within a period of 15 (fifteen) days upon simple request all materials and all items constituting Confidential Information provided under the Agreement.

17.3. The CLIENT remains liable for payment of the invoices issued and, if an invoice has not yet been issued in accordance with the contractual milestone schedule, for all Services performed on the basis of the daily rates in force on the effective date of the termination.

Article 18. Evolution & Reversibility

18.1. The Services and their scope have been defined within the framework of the assumptions and scope defined in the aforementioned order forms.
The impact of additional Services outside the scope and/or whose execution is made necessary by the CLIENT in order to achieve the contractual objective or at the CLIENT's request, in particular in the event of interference by the CLIENT in the decisions incumbent on the PROVIDER (scheduling of tasks, allocation of resources, choice of working methods, etc.), as well as any new request (addition of workshop, criteria, data, suppliers, web app...), will be dealt with jointly by the designated contacts of each of the Parties and may give rise to additional invoicing, according to the accepted estimate, and to a review of the provisional timetable for the execution of the Services.

18.2. In case of disagreement on the modification, the execution of the Services will continue as initially planned.

18.3. In the event of termination of the contractual relationship, whatever the cause, and provided that the CLIENT is up to date with its obligations, the PROVIDER undertakes to return the CLIENT Data and to delete the data enabling the correspondence between the CLIENT Data and those recorded in the blockchain; it being recalled that all the data stored in the blockchain cannot be deleted by nature. The Provider shall, unless prevented from doing so, at the first request of the CLIENT made by registered letter with acknowledgment of receipt and within a period of 1 month from the date of receipt of this request, provide to the CLIENT all the Data belonging to him in a standard readable format. In the event that the relationship is terminated, it is specified that the Services cease to be provided and that the CLIENT's Data may therefore no longer be available online for the end users of the Services; in this case, the PROVIDER may, if necessary, refer the end users of the online Services to a page containing an explanatory message presenting the cause of the unavailability of the information sought.

18.4.
The CLIENT will actively cooperate with the PROVIDER to facilitate the recovery of the Data.

Article 19. Non-solicitation of personnel

19.1. The personnel of each Party shall remain under the sole hierarchical authority of their employer.

19.2. The Parties undertake, except by prior written agreement, not to solicit or employ, directly or indirectly, any personnel of the other Party (or any subcontractor of the latter) assigned to the performance of the Agreement, even if the initial solicitation is made by the member of staff.

19.3. This prohibition shall apply for the duration of the Agreement and for two (2) years after the termination thereof for any reason whatsoever. Any breach of this obligation shall oblige the defaulting Party to pay without delay to the other Party, as a penalty clause, an amount equal to twelve (12) times the last gross monthly remuneration of the person concerned.

Article 20: Confidentiality

20.1. Each Party undertakes to ensure the utmost confidentiality of the Confidential Information of the other that they receive or to which they have access and consequently they undertake in particular to:
- take all necessary measures to protect access to Confidential Information,
- not to use the Confidential Information other than for the purposes of the Agreement,
- not to use the Confidential Information for its own benefit or for the benefit of any third party outside the strict application of the Agreement,
- not to disclose them to any unauthorized third party or to any third party not involved in the subject matter of the Agreement,
- disclose them only to its employees who need to know them in order to carry out their duties,
- to ensure compliance with this agreement by its employees, and in general to implement all means to ensure compliance with this provision, in particular by members of its staff, employees, subsidiaries, parent company and any subcontractors.

20.2.
Each Party shall be released from its confidentiality obligations in the event that:
- disclosure of the Confidential Information would be required by law, regulation, court order or if such disclosure is necessary to enforce or prove rights under the Agreement.
- the Confidential Information concerned has been made available to the public directly by the other Party without restriction.
- the Confidential Information is already publicly known, or has entered the public domain without any intervention by the Party in question.

20.4. In the event of disclosure of Confidential Information by a Party or its employees, it shall be incumbent upon it to prove the compliance of such disclosure with the Agreement.

20.5. Each of the Parties undertakes to respect its obligation of confidentiality as soon as the Agreement is signed and throughout its duration as well as for a period of 5 (five) years following the termination of the Agreement for any reason whatsoever. However, the elements of the PROVIDER protected by trade secrets must remain confidential for as long as they are protected in this respect.

Article 21. General

21.1. To ensure proper monitoring of the performance of the Services, the Parties shall each appoint a privileged contact person defined between them to ensure dialogue at the various stages of their relationship.

21.2. Any modification or waiver under the Agreement shall only be effective after the signature of an amendment.

21.3. If one of the contractual clauses is null and void under a law or any other rule of law in force, it shall be deemed not to have been written, without this resulting in the nullity of the Agreement as a whole, the other stipulations retaining all their force and scope.

21.4. The fact that either Party does not require the application of any clause of the Agreement, whether permanently or temporarily, may in no case be considered as a waiver by that Party of the rights arising from said clause.

21.5.
In the event of difficulty of interpretation between any of the headings and any of the clauses, the headings shall be declared non-existent.

21.7. The Agreement expresses all the rights and obligations of the Parties. It cancels and replaces any document previously exchanged between the Parties for the Services. Any order issued in addition by the CLIENT shall be placed exclusively under the terms of the Agreement and shall be deemed to constitute acceptance of all of its terms. The general terms and conditions of purchase of the CLIENT, or any other unilateral element communicated or referred to by the CLIENT, as well as any provision of the CLIENT's order supplementing/derogating from the Agreement, are expressly set aside by the Parties.

21.8. All electronic writings between the Parties shall be authentic.

21.9. The Agreement is subject to French law. ANY DISPUTE NOT RESOLVED AMICABLY WITHIN ONE MONTH OF ITS OCCURRENCE, WILL BE THE EXCLUSIVE COMPETENCE OF THE COMMERCIAL COURT OF PARIS. This clause will be applicable even in the event of summary proceedings, appeal in warranty or plurality of defendants.

21.10. Each Party is an independent enterprise acting on its own behalf. The Parties shall not be deemed to be representing each other in any legal sense and shall not act or bind each other.

Article 22. Assignment

The Agreement is freely transferable by the PROVIDER to any entity that it controls or that controls it within the meaning of article L. 233-3 of the French Commercial Code. The CLIENT may not assign all or part of the rights and obligations arising from the Agreement, whether by temporary assignment, sub-license or any other agreement providing for the transfer of said rights and obligations.

Annex Personal Data Processing and Security Part 1- Insofar as, during the performance of the Services, the Provider is a Subcontractor and is required to process Personal Data on behalf of the Client, the Data Controller, the Parties hereby undertake to comply with the rules defined below and in particular: (i) Describe the obligations of the Parties (ii) Describe the data processing entrusted to the Provider by the Client (iii) Specify the technical and organizational measures to be taken by them (iv) Define the rules for subcontracting. 1. Definitions - "Personal Data" or "PDP": means any information relating to an identified or identifiable person, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more elements specific to his/her physical, physiological, genetic, mental, economic, cultural or social identity, communicated to the Provider or which is accessible to him/her for the purposes related to the performance of the Agreement. - "Legislation for Personal Data" or "Privacy Legislation": Refers to the French and European legislation in force relating to the protection of Personal Data, in particular the French law no. 78-17 of 6 January 1978 as amended, known as the "loi informatique et libertés", and the General Data Protection Regulation 2016/679 (GDPR). - "Data controller" means the CLIENT insofar as it determines the purposes and means of the processing. - "Subcontractor" means the PROVIDER insofar as it processes PERSONAL DATA on behalf of the Data Controller. 2. Respective obligations It is specified between the Parties that if specific requirements resulting from the processing of PERSONAL DATA increase the workload of the Provider, the Parties shall agree on an amendment to consider the conditions, in particular the financial conditions, of this extension. 
In any event, if the CLIENT Data includes PERSONAL DATA, each Party undertakes to comply with its obligations under the Privacy Legislation. The Parties shall refrain from committing any act likely to place the other Party in a position of violation of the said legislation protecting PERSONAL DATA. The Client, as the Data Controller within the meaning of the Privacy Legislation, is responsible for ensuring the effective compliance of the data processed and of the processing that it implements and that it subcontracts to the Provider and guarantees that it has carried out all of the obligations incumbent upon it, in particular that the PERSONAL DATA has been collected fairly and adequately in relation to the purpose of the processing and that it has informed the natural persons concerned of the use that is made of their PERSONAL DATA. In this respect, the Client guarantees the Provider against any recourse, complaint or claim from a natural person whose PERSONAL DATA are processed under the Agreement. Within the scope of the Agreement, the Provider shall not be obliged to ensure effective compliance or to advise the Client with regard to the Privacy Legislation concerning the processing carried out by the Client. The Provider, if it is a subcontractor within the meaning of the Privacy Legislation, guarantees that it will implement the appropriate technical and organisational measures to ensure that the processing carried out on behalf of the Client meets the requirements of the Privacy Legislation. 
It is expressly agreed in this context that the Provider: - may only process PERSONAL DATA on the basis of documented instructions from the Client, including transfers to third countries; furthermore, if the Provider is required to transfer PERSONAL DATA to a country outside the European Union or to an international organisation under EU law or the law of the Member State to which the Provider is subject, the Provider shall inform the Client of this legal obligation before the processing, unless the legislation concerned prohibits such information on important public interest grounds; - will need to ensure that those authorized to handle the PERSONAL DATA are committed to confidentiality or are subject to an appropriate legal obligation; - shall notify the Client of any breach of PERSONAL DATA within the meaning of the Privacy Legislation, as soon as possible after becoming aware of such breach, it being specified that it is the Client's responsibility to notify the competent supervisory authority and the persons concerned, where applicable. Nevertheless, assistance may be provided by the Provider in the context of these notifications, at the request of the CLIENT and according to the terms and conditions discussed between the Parties; - according to the Client's choice, delete all PERSONAL DATA or return them to the Client at the end of the service, and destroy the existing copies unless otherwise provided by law; - to provide the CLIENT with information to demonstrate compliance with its obligations and to allow audits to be carried out. As part of its obligation to assist the Client, the Provider undertakes, where applicable under financial conditions to be defined between the Parties: - to assist the Client, by means of appropriate technical and organisational measures, as far as possible, in fulfilling its obligation to respond to requests from data subjects relating to their rights. 
In this respect, in the event that the Provider receives such a request directly, it is agreed that the Provider shall forward the request to the Client, who shall be responsible for responding to it in accordance with the Privacy Legislation; - help the Client to guarantee compliance with security obligations. It is understood between the Parties that the Provider's commitments only relate to the means it is able to implement to ensure the confidentiality and security of the PERSONAL DATA; - to assist the Client in the notification of breaches of PERSONAL DATA in the sense of the Privacy Legislation and when the Client decides to carry out an impact analysis relating to the protection of PERSONAL DATA, as well as, where applicable, in carrying out the prior consultation with the supervisory authority, by providing any useful documentation available to the Client that the Client does not hold. The Parties agree that the assistance provided to the Client under this clause shall be carried out taking into account the nature of the processing and the level of information that the Provider receives from the Client and within the limits of the obligations incumbent upon it. Additional requests for assistance not covered by the Agreement shall be subject to a specific agreement between the Parties. 3. Subcontracting Subcontracting is accepted by the Client. The Provider undertakes to comply with the conditions of recruitment of another subcontractor, namely: - the Provider undertakes to inform the Client of any planned changes concerning the addition or replacement of subcontractors, thereby giving the Client the opportunity to object to such changes; the Client must raise its objections within 10 days, stating reasonable and documented reasons for the failure of such subcontractor(s) to comply with the Privacy Legislation. 
- the Provider imposes the same obligations regarding the protection of PERSONAL DATA as those provided for herein by contract on its subcontractor; - when this other subcontractor does not fulfil its obligations regarding the protection of PERSONAL DATA, the Provider remains fully responsible to the Client for the performance by the other subcontractor of its obligations. Where the subcontracting involves a transfer of PERSONAL DATA outside the European Union, such transfer shall be based on either (i) a decision by the European Commission that the third country, territory or specific sector(s) in that third country, or the international organization in question provides an adequate level of protection, (ii) on Standard Contractual Clauses of the European Commission, with the Client mandating the Service Provider to sign with its subsidiaries located outside the European Union said Standard Contractual Clauses in the name and on behalf of the Client, (iii) on the appropriate safeguards described in Article 46 of the GDPR or (iv) on one of the conditions set forth in Article 49 of the GDPR. Part 2- 1. The description of the treatment is as follows unless otherwise agreed in writing: Object, nature and purpose of the processing: Carrying out the traceability and digital audit in the blockchain on the perimeter described in the Agreement. Operations carried out on PERSONAL DATA by the Provider: Reception, consistency check, recording, processing and restitution of data, Delete, Enrich. Duration of treatment: For the duration of the Agreement. Categories of persons concerned: The CLIENT's B2B partners (such as farmers or other types of producers, transporters etc.). Type of personal data concerned: surname, first name, address, identity, professional details, data relating to professional life, economic data. The Client undertakes to update, if necessary, in writing, the aforementioned elements in the event of changes in the mission entrusted to the Service Provider. 
2. Safety measures
The Provider guarantees that it will implement the appropriate technical and organizational measures concerning the processing of PERSONAL DATA carried out on behalf of the Client, within the limits and material conditions of its mission, namely:
- ensure that PERSONAL DATA will not be used for purposes other than those for which they were collected without the explicit consent of the Client and are only processed in accordance with the documented instructions of the Client;
- shall ensure that persons authorised to process PERSONAL DATA are bound by a confidentiality undertaking as set out in their employment contract or, if they are not employees, in any other contractual document;
- to have made all those involved in the Services aware of the various aspects of the security and protection of PERSONAL DATA;
- to communicate to any intervening party the list of contacts to be notified in the event of a security failure and to be informed of the procedure to be followed;
- shall take the following security measures:
  o not to take any copy of the documents and data carriers containing PERSONAL DATA unless it is strictly necessary for the performance of the Agreement,
  o at the CLIENT's option, delete all data or return it to the CLIENT at the end of the Service, and destroy existing copies unless otherwise required by law,
  o Set up an authorization management system by validated profile; delete authorizations as soon as employees leave,
  o Ensure that passwords are stored securely and using state-of-the-art complexity rules,
  o trace access to sites where data is stored; logs of connections/disconnections; logging of user actions,
  o Secure workstations with an automatic session locking system, software firewall installed; user agreement obtained before any remote intervention on his workstation;
  o protect the internal computer network (limiting network flows to what is strictly necessary, securing remote access by VPN, WPA2 or WPA2-PSK protocol for the Wi-Fi network); using secure channels for administration tools; security updates applied without delay;
  o restrict access to the premises and prevent unauthorized persons from gaining access to sites that process and use PERSONAL DATA by:
    - physical access control to the site such as: recording of visits, locks, alarms, surveillance, accompanying visitors at all times;
    - system access control: authentication of authorized users by a personal user account, individual access code and password that are unique, sufficiently robust and regularly renewed, or by any other means of authentication; limitation of the number of unsuccessful login attempts; short time limit for session expiration; regular review of accounts; deactivation of accounts that are no longer authorized;
  o in case of intervention on the CLIENT's site: ensure that the employee respects the written security instructions communicated to the Provider by the CLIENT (internal regulations, IT charter, security rules, etc.) concerning access to the premises, access to the information system, identification and management of badges, logins and passwords which must not be communicated to anyone;
  o Back up data regularly and secure backups;
  o Secure data archiving procedures;
  o erase data from all equipment before disposal;
It is specified that as part of its mission, taking into account the limits and conditions of the Services:
- The Provider's obligation to assist the Client in guaranteeing compliance with security obligations is limited to the obligations expressly set forth in this appendix, with all other appropriate technical and organizational security measures to guarantee a level of security appropriate to the risk, which the Client alone determines and identifies, being the Client's responsibility;
- The Provider will be able to help the Client with impact analysis and consultation with the supervisory authority, and more generally to demonstrate compliance with its obligations, only within the strict limits of the information available to it and which the CLIENT does not hold;
- The Provider shall notify the Client of any breach of PERSONAL DATA that it alone is able to identify as soon as possible after becoming aware of it, and shall assist the Client in complying with its own notification obligations relating to this breach alone, strictly within the limits of the information available to it that the Client does not hold.