SDS Encryption Service for Google Workspace Privacy Policy

These General Terms of Use (hereinafter "ToU") constitute the entirety of the terms stipulated governing the contractual relationship (hereinafter "Subscription") concerning the Stormshield Encryption Service (hereinafter "Platform") binding, on the one hand, Stormshield, a simplified joint-stock company (société anonyme simplifiée) with a share capital of €2,793,881.60, having its registered office at 2-10 rue Marceau, 92130 Issy-les-Moulineaux, France (hereinafter "Stormshield"), and, on the other hand, the Client (hereinafter "Client").

Stormshield and the Client may hereinafter be referred to individually as a "Party" and collectively as the "Parties".

The Client may grant a right of access, use, administration, and management to authorized individuals (hereinafter "Users").

By accessing and using the Platform, the Client accepts these ToU. Stormshield shall not be held liable for any lack of knowledge thereof.

Article 1 – Definitions

For the purposes of these ToU, terms beginning with a capital letter shall have the following meanings, whether used in the singular or the plural:

Administrator: designates the reference person at the Client's organization, in charge of activating the Platform for all Users and responsible for the escalation of Incidents, defined within the framework of the commercial proposal, by the Client.

Client: designates the person or entity holding a Subscription for the Platform on one of the Third-Party Solutions offered by Stormshield. The Client must provide Stormshield, within the framework of the commercial proposal, with the number of Users for whom they wish to activate the Platform, as well as the contact details of their Administrator (last name, first name, email, and telephone).

Client Side Encryption or "CSE": designates the encryption method developed by Google for its collaborative applications in Google Workspace, such as Drive, Docs, Sheets, and Slides. This option is available in the "Enterprise" edition of Google Workspace.

Confidential Information: designates all information relating to the relationship between the Parties, disclosed within the framework thereof and identified as confidential by the Disclosing Party, by an oral, written, graphic, electronic process, or by any other computer-exploitable process, or via copy, regardless of its subject matter (technical, industrial, financial, commercial, personal data, etc.), nature (including without limitation: know-how, method, technical detail, process, formula, designs and models, software, developments, and future projects...) and medium (written and printed document, drawing, samples, plan, CD-ROM, USB key...).

Documentation: designates the Stormshield documentation necessary for the Client, their Users, and the Administrator to access the activation link of the Platform, Third-Party Solutions, as well as potential new features.

DoubleKey Encryption or "DKE": designates the encryption method developed by Microsoft for its collaborative applications in Office 365, such as Outlook, Word, PowerPoint, and Excel. This option is available in the "Enterprise" edition of Office 365.

Incident: designates an event resulting in unavailability, performance degradation, or non-compliance with an SLI. Each Incident is formally recorded via Stormshield's support system and is classified and defined by Stormshield support, upon its identification, according to one of the following severity levels:

• Severity 1 Incident or "I1": total unavailability of the Platform or inability for the Client and its Users to use a critical feature, without a reasonable workaround.
  
• Severity 2 Incident or "I2": designates a significant degradation of the Platform without total blockage thereof, with a degraded or restrictive workaround.
  
• Severity 3 Incident or “I3”: designates a minor, non-blocking malfunction that does not affect essential features, and has an acceptable workaround.
  
• Severity 4 Incident or "I4": designates a request for information from the Client.

Kubernetes: designates the application service generally incorporating the SDK to offer simple and user-friendly native encryption.

Platform: designates the Stormshield Encryption Service encryption service developed and operated by Stormshield, including key management technologies, the Stormshield SDK DCS, and administration interfaces to ensure data protection.

Service Credit: designates the percentage of financial compensation that will be paid to the Client in the event of non-compliance with the commitments made by Stormshield within the SLOs. Service Credits are calculated on a monthly basis. The latter are limited to each one-month period and therefore cannot be carried over from one month to another.

Service Level Indicator or "SLI": designates the measurable performance indicator used to evaluate the performance of the Platform.

Service Level Objective or "SLO": designates a measurable performance objective for the Platform. Subsequently, the SLI will proceed to verify it.

Stormshield SDK DCS or "SDK" or "DCS Framework": designates the encryption technology based on a Zero-Trust architecture, integrated into CI/CD pipelines, applying ABAC access policies while generating auditable logs.

TAC: designates the Technical Assistance Center.

Third-Party Solutions: designate the application environments, infrastructures, or external productivity suites (such as Google Workspace, Microsoft 365, or Kubernetes clusters) published by third parties or managed by the Client, within which the Platform integrates.

User: designates the person using the Platform, identified by a unique identifier.

Article 2 – Description of the Platform

2.1 Third-Party Solutions

2.1.1 Google Workspace

The SDS encryption service for Google Workspace is an enterprise data protection service managed within the Google Workspace ecosystem. Google Workspace is Google's suite of cloud applications intended for professionals. For more information, please refer to the Google documentation.

The Client decides that this service will be used by a certain number of Users. This number is predefined by the Client within the framework of the commercial proposal. The Administrator (communicated by the Client) is responsible for centrally activating the service for all Users. Activation of the Google Workspace client-side encryption (CSE) service is performed in the Google admin console for a population identified via email address, a group, or an organizational unit. This technology is available only for the Chrome browser.

In any event, the person who manages the allocation of CSE licenses at the Client's organization undertakes to restrict access and use of the Software solely to authorized personnel members. They must also ensure, by their own means, that all Users comply with these General Terms of Use. If a User leaves the company, the Client must ensure that the necessary means have been implemented to recover their encrypted data (see Reversibility section of these General Terms of Use below). They must also ensure that the User in question has been removed from their authentication solution. They may also inquire with Google regarding account delegation based on authentication and access authorization.

Link to the official documentation describing the functionality: knowledge.workspace.google.com/admin/security/about-client-side-encryption

2.1.2 Microsoft

The SDS encryption service for Office 365 is an enterprise data protection service managed within the Office 365 ecosystem. Office 365 is Microsoft's suite of applications intended for professionals. For more information, please refer to the Microsoft documentation.

The Client decides that this service will be used by a certain number of Users. This number is predefined by the Client within the framework of the commercial proposal. The Administrator (communicated by the Client) is responsible for centrally activating the service for all Users. Activation of the Office 365 encryption service (DKE) is performed in the Microsoft admin console for a population identified via email address, a group, or an organizational unit.

In any event, the person who manages the allocation of DKE licenses at the Client's organization undertakes to restrict access and use of the Software solely to authorized personnel members. They must also ensure, by their own means, that all Users comply with these General Terms of Use. If a User leaves the company, the Client must ensure that the necessary means have been implemented to recover their encrypted data (see Reversibility section of these General Terms of Use below). They must also ensure that the User in question has been removed from their authentication solution. They may also inquire with Microsoft regarding account delegation based on authentication and access authorization.

Link to the official documentation maintained by Microsoft: learn.microsoft.com/fr-fr/purview/double-key-encryption

2.2 Kubernetes

The encryption service for Kubernetes is intended to encrypt Kubernetes clusters. The service ensures protection against unauthorized access, even in the event of a master node compromise. All sensitive data (Secrets, ConfigMaps, volumes) are encrypted from the moment they are stored. The in-memory data flow is also protected thanks to a tool named Init-Container. This service meets data localization requirements (GDPR, ITAR, NIS2, DORA, etc.) and allows key rotation or revocation at any time. Stormshield only possesses the secondary key; it can never read the content of the data. The risk of insider threat is limited: Stormshield only sees access metadata and has no access to the data in clear text.

2.3 SDK

The SDK DCS encryption service is intended to encrypt/decrypt data while respecting the Zero-Trust Data Format (ZTDF). The service encrypts data from its creation and encapsulates it in the ZeroTrust Data Format (ZTDF). No sensitive data is ever stored or transmitted in clear text. The encryption key is generated, stored, and controlled exclusively by the Client. Stormshield only possesses the secondary key. This module complies with data residency requirements (GDPR, ITAR, NIS2, DORA).

Attribute-Based Access Control (ABAC) is implemented and allows granular access decisions aligned with internal policies and regulatory requirements. Each ZTDF data carries its own security attributes (role, context, sensitivity). The SDK's primary responsibility is to query the authorization engine before any decryption. This encryption has a negligible impact on critical applications (+1-2% latency on read/write operations).

Article 3 - Configuration & Initialization

Regarding the configuration and initialization of the Platform, the Client and its Users are required to refer to the documentation of the Third-Party Solutions made available to them:

• For Google: documentation.stormshield.eu/SEP/en/Content/Saas_Deployment_Guide/Getting_started_saas.htm
  
• For Microsoft: documentation.stormshield.eu/SEP/en/Content/Administration_Guide/dke_getting_started.htm

Article 4 - Technical Support (TAC)

4.1 Availability Objectives (SLO)

Stormshield undertakes to maintain the availability of the Platform in accordance with the following table:

Service Concerned	SLO in Percentage (%)
Stormshield Data Security	99 % (maximum of 432 minutes of unavailability over 30 days of operation)

Compliance with this SLO will be evaluated across all days of the month and constitutes Stormshield's primary commitment to the Client and its Users to ensure the continuity and quality of the Platform.

4.2 Method for Measuring Availability (SLI)

The availability of the Platform will be measured monthly according to the following formula:

Availability (%) = [ (Total Time - Unavailability Time) / Total Time ] x 100

Here, total time corresponds to the period during which the Platform must be operational and accessible. Unavailability time, for its part, corresponds to the duration during which the Platform is not available. If the availability at the end of the month is lower, then the Client may request compensation according to the procedure provided for this purpose.

4.3 Compensation in Case of Non-Compliance with SLOs

In the event of non-compliance with these SLOs, the Client shall be entitled to request compensation via a claim sent to the following email address: sales@stormshield.eu. This claim will be admissible provided that (i) the Client is up to date with the payment of all invoices issued by Stormshield within the framework of its use of the Platform, (ii) the Client has reported the non-compliance with the SLOs to Stormshield within thirty (30) days following the month during which the non-compliance with the SLOs was observed, (iii) the Client provides, in addition to its request, the log files indicating the period of unavailability, the date, and the time at which they occurred, and (iv) the Client has collaborated in good faith with the competent teams of Stormshield with a view to their resolution, and notably:

• By making themselves available during the entire resolution period of the Incident encountered;
  
• By providing any information they possess regarding the Incident encountered;
  
• By performing any verification that would be necessary to resolve the Incident encountered.

No indemnity may be claimed or granted to a Client who does not comply with all these cumulative requirements. Credits constitute the sole and exclusive financial compensation due by Stormshield under this SLA. Compensation takes the form of a Service Credit applied to the invoice issued for the covered Platform the month following that of the compensation request made by the Client.

The amount of the indemnity is determined according to the table below and corresponds to a percentage of the monthly amount invoiced to the Client in respect of the non-compliance with the SLOs during the month concerned. This indemnity can under no circumstances be reimbursed to the Client in cash.

Monthly Availability Rate	Breach Level	Percentage (%) per Month of Service Credit
98.0% < SLI < 99.00%	Minor breach	10%
95.0% < SLI < 98.0%	Intermediate breach	25%
SLI < 95.0%	Major breach	50%

The maximum indemnity allocated to the Client for the entirety of the unavailability time occurring during the same billing month may under no circumstances exceed fifty percent (50%) of the monthly amount invoiced to the Client for the entirety of the use of the Platform that failed to comply with the SLO during the month concerned.

4.4 Compensation Exclusions

The Client may under no circumstances receive compensation from Stormshield resulting from one or more of the following cases:

• Force majeure events;
  
• Acts of a third party;
  
• Integrations and/or services provided by third parties;
  
• Fault of the Client, its Users, its employees, or its representatives;
  
• Breach by the Client and/or its Users of their contractual obligations;
  
• Elements that are under the sole management of the Client and its Users;
  
• Unavailability occurring during planned or emergency maintenance;
  
• Misuse and/or non-compliant use of the Platform by the Client and its Users, such as, without limitation, uninstallation of the Platform agent, incorrect configuration of routing tables, deactivation of security groups, incorrect configuration of any software installed on the Instance, including: firewall, operating system, antivirus, etc.;
  
• Internet network malfunction;
  
• Failure of the Client to collaborate with Stormshield teams to restore resource availability;
  
• Services in Beta phase;
  
• Unavailability of a hardware component due to a stock shortage;
  
• Services or features for which there is no service commitment explicitly described within this SLA.

Article 5 - Corrective Maintenance

Corrective maintenance includes:

• The provision of diagnostic services to assess any breakdown, defect, or malfunction of the Platform and/or Third-Party Solutions;
  
• The delivery of features, upgrades, patches, or packages that may be necessary to correct any breakdown, defect, or malfunction of the Platform and/or Third-Party Solutions;
  
• The provision of other services to correct or work around breakdowns, defects, or malfunctions of the Platform and/or Third-Party Solutions.

However, corrective maintenance does not include the services necessary to correct or remove a breakdown, defect, or malfunction caused by:

• Inappropriate use of the Platform and/or Third-Party Solutions by the Client, its Users, and the Administrator and/or resulting from third-party products used by the latter in accordance with the written Documentation provided by Stormshield;
  
• Gross negligence or willful misconduct of the Client, its Users, and the Administrator;
  
• Any modification or alteration made to the configuration of the Platform and/or Third-Party Solutions by the Client without the prior authorization of Stormshield.

Article 6 – Confidentiality

Each Party undertakes, as from the effective date of these ToU and for five (5) years after the expiry of the relationship or its termination for any reason whatsoever, to ensure that the Confidential Information it receives from the Disclosing Party:

• Is protected and kept strictly confidential and treated in the same manner and with the same degree of care and protection that the Receiving Party accords to its own confidential information of equal importance, and at a minimum with a reasonable degree of care and protection;
  
• Is disclosed by the Receiving Party solely to those members of its personnel and personnel members;
  
• Is not used, in whole or in part, directly or indirectly, for any purpose other than the Project, without the prior written consent of the Disclosing Party;
  
• Is not disclosed, directly or indirectly, to a third party or to a person other than those authorized by Stormshield, without the prior written authorization of the Disclosing Party, and on condition that the recipient third party undertakes in writing to submit to the same confidentiality obligations as those contained in this Article 6;
  
• Is neither copied nor reproduced in any manner whatsoever, except for the requirements of the Subscription, nor published, in whole or in part, without the prior written authorization of the Disclosing Party;
  
• Remains identified by its initial designation linked to the confidential, classified, or proprietary nature of the Confidential Information, which must not be deleted, altered, or concealed by the Receiving Party;
  
• Is not subjected to reverse engineering, disassembled, or decompiled.

The Party receiving the Information shall have no obligation and shall be subject to no restriction with respect to Confidential Information when it can provide proof:

• That it entered the public domain prior to its disclosure or after it, in the absence of any fault attributable to it;
  
• That it is already legitimately in the possession of the Receiving Party or known to it prior to receipt;
  
• That it was received from a third party in a lawful manner, without restriction or violation of confidentiality obligations;
  
• That it is the result of internal developments undertaken in good faith without access to or use of said Confidential Information;
  
• That its use or disclosure has been authorized in writing by the Party from which it emanates;
  
• That the disclosure of this Confidential Information is required by applicable law, or by a decision of a court or a competent administrative authority.

Article 7 – Obligations of the Client

Stormshield grants the Client a Subscription allowing a number of Users, defined within the framework of the commercial proposal, to use the Platform within the scope of their professional duties; this Subscription excludes any license sharing, is produced and sold to a single firm, is non-assignable and non-transferable for the entire duration of the Subscription.

The Client expressly acknowledges that it enters into these ToU under the following circumstances:

• The Client has taken note of the essential functional characteristics of the Platform and Third-Party Solutions;
  
• Stormshield has given the Client the above guarantees regarding the use of the Platform and Third-Party Solutions.

The Client undertakes to:

• Pay the Fees under the conditions provided for within the framework of the commercial proposal;
  
• Cooperate in good faith with Stormshield in the performance of the ToU;
  
• Not use the Platform to commit crimes, offenses, or misdemeanors penalized by law;
  
• Inform Stormshield as soon as it becomes aware of any act of hacking and, in particular, of any illegal or unauthorized use of the Platform and/or Third-Party Solutions, regardless of how it was disclosed;
  
• Not use applications or devices likely to disrupt the proper functioning thereof;
  
• And, use the Platform and Third-Party Solutions under the terms and conditions set forth in these ToU and the Documentation provided.

In particular, and in accordance with Stormshield's prerequisites, the Client shall be responsible for:

• The management, administration, and control of the Platform;
  
• The use of access by its Users;
  
• Adopting emergency procedures adapted to its own needs and procedures for restart, backup, and data recovery.

By extension, these obligations also apply to Users, and the Client remains responsible for the use of the Platform by Users at all times. Stormshield reserves the right to deactivate access for the Client and Users in the event of a violation of this Article 7.

Article 8 - Personal Data

Stormshield and the Client undertake to comply with the provisions of the regulations in force relating to the protection of personal data and, in particular, the Data Protection Act (loi Informatique et libertés) in its version of June 20, 2018, and Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016, on the protection of natural persons with regard to the processing of personal data ("GDPR") and agree as follows:

Within the framework of their contractual relationship, each Party is likely to process, as a data controller, personal data of the other Party exclusively for the following purposes:

• Carry out operations relating to the management, monitoring, and verification of the proper execution of the Subscription;
  
• Carry out operations relating to their commercial relationship;
  
• Verify compliance with applicable contractual obligations;
  
• Manage unpaid bills and disputes;
  
• Respond to potential requests from public authorities;
  
• Fight against all fraud, including money laundering or terrorist financing;
  
• Allow the data subjects affected by the processing to exercise their rights described below.

Each Party undertakes to retain the personal data thus collected for the duration strictly necessary to achieve the purpose of the processing in accordance with the legal provisions in force.

Data subjects affected by the processing benefit from various rights under personal data protection regulations (notably rights of access, rectification, limitation, and deletion of information concerning them) which may be exercised (accompanied by all supporting documents) by email addressed to dpo@stormshiel.eu & dpo@lemonde.fr. Data subjects also have the option to lodge a complaint with a supervisory authority.

Article 9 - Intellectual Property

Stormshield and the Client retain ownership of the intellectual and industrial property rights belonging to them prior to their commercial relationship. Thus, the Platform and everything associated therewith remain the exclusive property of Stormshield and are protected by copyright. The latter remains the sole owner of all economic and moral rights relating thereto. In this sense, the license to use granted by Stormshield to the Client shall not be deemed to constitute a transfer of intellectual property rights. As such, the Client undertakes to keep intact all intellectual property elements appearing on the Platform.

Stormshield guarantees to the Client that it holds all property and usage rights to all elements, documents, data, information, and files communicated and delivered to the Client. Consequently, Stormshield undertakes to defend and indemnify the Client for damages related to claims, proceedings, or orders initiated by a third party alleging that a component of the Platform violates an intellectual property right, provided that the Client immediately notifies Stormshield, in writing, of a legal claim, presents a request for defense, provides full cooperation in said defense, and does not enter into any settlement without the prior written agreement of Stormshield. In the event that one of the cumulative conditions is not met, the indemnification process could present difficulties.

To the extent that Stormshield recognizes that the Platform or one of its components constitutes an infringement, it may, at its discretion and at its expense, decide to (i) modify the Platform or one of its components to end the infringement, (ii) replace it with a non-infringing product having globally equivalent or superior performance functions, or (iii) obtain the usage rights allowing the Client and its Users to continue operating the Platform in accordance with these ToU. This guarantee does not apply to any infringement action due to non-compliant use or exploitation, nor to any modification or adaptation of any of the components of the Platform by the Client.

Article 10 - Liability

The Platform is provided "as is" and under no circumstances can Stormshield, its subsidiaries, its affiliates, its officers, employees, its directors, its agents, or respective partners be held liable for:

• Indirect, consequential, or incidental damages (such as loss of data, loss of clientele or reputation, loss of profits, revenue, or business, loss of contracts, loss of turnover, loss of opportunity);
  
• Damages resulting from installation, settings, configuration, and/or use not compliant with the Platform or contrary to these ToU;
  
• Force majeure events;
  
• Acts committed by a third party;
  
• Any action, inaction, error, omission, or fault falling under the responsibility of the Client, its Users, or any service provider appointed by the Client.

The Client is solely responsible for ensuring that the Platform meets its needs. No provision of these ToU limits our liability in the event of fraud or fraudulent misrepresentation, gross negligence, intentional misconduct, death, or personal injury resulting from our negligence, or to the extent that the limitations or exclusions provided for herein are prohibited by applicable laws. Any fraudulent or illegal use of the Platform by the Client, its Users, its employees, or the service provider appointed by the Client engages the liability of the Client towards Stormshield, as well as third parties who may have suffered damage as a result.

The total and cumulative liability of Stormshield, all causes and all damages combined, under the Contract and for any rolling period of twelve (12) months, is capped at the total amount excluding tax (HT) paid by the Client to Stormshield during said period.

Article 11 – Compliance Audit

An audit may be carried out directly by Stormshield or by an independent third party appointed for this purpose and subject to a confidentiality agreement. Stormshield will inform the Client of its intention to carry out this audit subject to a reasonable notice period of at least fifteen (15) business days. The Client undertakes to cooperate in good faith and to provide the information necessary to carry out the audit.

If the audit reveals non-compliant use or use exceeding the scope of the acquired license, the Client must regularize its situation without delay by paying the corresponding fees. In the event that the excess or non-compliance exceeds 5% of the granted rights, the reasonable costs incurred for carrying out the audit shall be borne exclusively by the Client.

Article 12 - Export Control

Stormshield informs the Client that the Platform may contain technologies subject to the laws of the United States or the European Union regarding export control as well as the laws of the country where it is delivered or used. In accordance with these laws, the Platform cannot be sold, leased, or transferred to persons and/or countries subject to sanctions. The Distributor, Reseller, Client, User, or any other service provider appointed by the Client undertakes to comply with said export control laws and regulations.

The Platform falls into the category of dual-use items that can be used for civil or military purposes. As dual-use items, they are subject to Council Regulation (EU) No 2021/821. In order to respect the international obligations of the European Union and those of its members, the export of dual-use items is subject to control and authorization. In the event that the Platform requires export authorizations or licenses, Stormshield undertakes to take the required steps with the competent authorities. This means that Stormshield is authorized to make the Platform available, but it does not mean that the Client can grant access to the Platform to natural or legal persons who are not authorized under export control regulations.

Any Client and its Users are informed that, if they wish to access the Platform outside the European Union, they must verify the legality of this access with Stormshield via ExportControl@stormshield.eu and submit their requests to the competent authorities in order to obtain an export license. If the Client and/or its Users access the Platform outside the European Union without authorization, it is recommended to contact Stormshield immediately to regularize the situation. Due to the nature of the Platform, encryption processes are implemented for which Stormshield has obtained the required authorization. It is up to any Client and its Users to proceed with all legal and/or regulatory formalities and procedures applicable locally to the Platform. Stormshield undertakes to provide the information and assistance that might reasonably be necessary regarding the guarantees needed to obtain said authorization.

The Client and the User undertake not to make the Platform available in the following sanctioned countries or regions: Cuba, North Korea, Iran, Russia, Belarus, and the occupied regions of Ukraine.

Article 13 – Warranties

Throughout the duration of the Subscription, Stormshield undertakes to use its best efforts to offer the Client all corresponding updates necessary to ensure a level of security compliant with professional standards. To this end, the Client undertakes to report to Stormshield any problem it may encounter or observe when using the Software.

Stormshield provides no warranty on the proper functioning of features not officially supported by the Platform. Stormshield provides no warranty regarding the suitability of the Platform to the specific needs of the Client, nor its compatibility with any computer program run in parallel. As such, it is up to the Client to evaluate its specific needs, to evaluate the suitability of the Platform with regard to these needs, and to ensure that it has the skills necessary to use the Platform and a compatible computer environment, and if necessary, the Client may consult Stormshield.

Stormshield's warranty does not cover the consequences of:

• Any use of Third-Party Solutions by the Client that is not compliant with the Documentation thereof or with the provisions of these ToU;
  
• Any breakdown or malfunction of the operating system used by the Client;
  
• Any modification made by the Client to the Platform or to the terms of use thereof defined in the Documentation;
  
• Any negligence or lack of diligence on the part of the Client and/or its Users in the routine maintenance and management of the hardware used for the use of the Platform for Third-Party Solutions;
  
• Any act committed by a third party or resulting from a Force Majeure event as defined in Article 1218 of the Civil Code;
  
• Any "zero days" vulnerability contained in the Platform for which Stormshield could legitimately justify that it was not aware, and which it guarantees to resolve in accordance with the deadlines;
  
• Any loss or inaccessibility of the Client's Third-Party Solutions account external to Stormshield;
  
• Any modification to the features carried exclusively by Third-Party Solutions.

Article 14 - Subcontractor

Subject to more specific provisions on the subcontracting of personal data, contained in the Subcontracting Agreement, Stormshield shall be free to subcontract all or part of the Platform to any third party of its choice, which the Client accepts without reservation. Stormshield nevertheless remains liable to the Client for the performance of its obligations by subcontractors.

Article 15 – Reversibility

To be able to recover your encrypted data, Google Third-Party Solutions offer methods allowing:

• To export all its encrypted data: support.google.com/a/answer/100458
  
• To decrypt all its files: support.google.com/a/answer/11019500

Thus, the Client's data will not be lost if one of its Users leaves its company or if the Client decides to terminate its Subscription.

Article 16 - Duration and termination

The Subscription entered into between the Parties, within the framework of the commercial proposal, is for a duration of one (1) year, not automatically renewable. The Client will be contacted by Stormshield at least two (2) months before the anniversary date of the Subscription in order to conclude or not the renewal thereof. In the event of non-renewal of the Subscription, the Client will have taken the necessary steps to recover its data.

Article 17 - Suspension and termination

In the event of non-payment, non-compliance with these ToU, or fraudulent use of the Platform, Stormshield reserves the right to immediately suspend access to the Client and its Users after prior formal notice. In the event of an unresolved breach within a period of ten (10) days from receipt of the formal notice, the defaulting Party shall be entitled to immediately terminate the Subscription.

This license may be terminated at any time and without cause by either Party, subject to ninety (90) days' prior notice sent by registered letter with acknowledgment of receipt. Upon expiration or termination of the Subscription, the usage license ends automatically.

Article 18 – Amendments to the ToU and the Platform

Regarding the ToU, Stormshield reserves the right to amend them. Stormshield must then inform the Administrator designated by the Client by email as soon as possible. It is the responsibility of the Administrator to check for updates to these ToU.

Furthermore, Stormshield may be required to evolve the features of the Platform according to technological developments of Third-Party Solutions or market demand, notably by adding or removing one or more features. Stormshield cannot be held liable for any removal or modification of features carried exclusively by Third-Party Solutions. Any functional evolution falling within the initial scope could have an impact on the price, which could increase, or could degrade the quality or features of the service initially subscribed to. If this is the case, Stormshield undertakes to inform the Client as soon as possible.

The new pricing will always apply on the anniversary date, thus leaving the Client the choice to renew or not their subscription. In any event, in case of removal or modification of features of the Platform, Stormshield will inform the Client as soon as it becomes aware of it. The Client will then be free not to renew its Subscription at the anniversary date, or to terminate subject to thirty (30) days' notice, or to contact its Stormshield sales representative.

Article 19 - Force Majeure

Neither Party shall be liable for failure to perform any of its obligations if such failure results from a government decision, including any withdrawal or suspension of any authorization whatsoever; a total or partial strike, whether internal or external to the company; a fire; a natural disaster; a state of war; a total or partial suspension or blockage of telecommunications or electrical networks; a computer hack; or, more generally, any other situation of force majeure whose characteristics are defined by French law and jurisprudence.

The Party aggrieved by the event must immediately inform the other Party of its inability to perform its obligations. The suspension or delay in the performance of any obligation may under no circumstances constitute a ground of liability for non-performance of the obligation in question, nor imply the payment of damages or penalties for delayed performance.

Article 20 - Governing Law and Competent Jurisdiction

These ToU are governed by French law. Any dispute relating to the latter shall be submitted to the exclusive jurisdiction of the competent courts of Paris, France.

Article 21 – Evidence Agreement

The Parties agree that the data, files, connection logs, and computerized records, stored in the computer systems of Stormshield and its partners under reasonable security conditions, have full probative value between the Parties.

Consequently, unless proof to the contrary is provided by the Client, these records shall prevail in the event of a dispute relating to the use of the Platform, the performance of these ToU, or the materiality of the actions carried out by the Client and its Users. The Client undertakes not to contest the admissibility, validity, or probative value of these elements in electronic format.

Article 22 - Miscellaneous Provisions

If any of the provisions of the ToU should be declared null or unenforceable, it would be deemed unwritten (réputée non écrite), without affecting the validity of the other provisions. The failure of a Party to invoke a provision of the ToU shall not be interpreted as a waiver of the right to invoke it subsequently.