Privacy Policy

Purpose of the document :

The purpose of this Privacy Policy (hereinafter the “Privacy Policy”) is to explain how Cryptolog International, a simplified joint stock company with its registered office at 7 rue du Faubourg Poissonnière, 75009 Paris, registered with the Paris Trade and Companies Register under number 439 129 164, (hereinafter “Universign” or “we”) collects and processes your personal data as data controller when you consult or use its websites (hereinafter the “Site”).

The Privacy Policy is intended for visitors, users of the Sites and any natural person in contact with Universign.

The processing of personal data of persons using Universign services is specifically described in the Universign Personal Data Protection Policy (PPDP).

Finally, the collection and processing of data relating to Universign staff is also the subject of separate information in Universign’s internal confidentiality policy.

  1.Preamble 

As part of its activities, Universign collects and processes your personal data in compliance with the French Loi Informatique et Libertés and the General Data Protection Regulation (GDPR) in order to respond to your needs and requests.

The purpose of this document is to explain Universign’s principles and commitments with regard to the protection of Personal Data. 

Its main aim is to inform you about :

  • The personal data that Universign collects and the reasons for such collection,
  • How your personal data will be used,
  • Your rights as a data subject of our data processing operations. 

This Policy applies to all Universign services, whatever their nature.
This Policy applies to all websites and applications managed by Universign: https://www.universign.com/fr/

2. What is the scope of this policy?

The Policy applies to all natural persons in contact with Universign.

3.Who is/are the Controller(s) of your personal data? 

The person responsible for processing personal data is: Cryptolog International, a simplified joint stock company with its registered office at 7 rue du Faubourg Poissonnière, 75009 Paris, registered with the Paris Trade and Companies Register under number 439 129 164, (hereinafter “Universign” or “we”).

4.How does Universign protect personal data?

Universign meets the following requirements:

  1. Integrate the protection of personal data upstream of projects: “Privacy by Design”.

    Universign undertakes to take into account the protection of your Personal Data and your privacy right from the design stage of the services offered to you, thereby minimising the risks of non-compliance with the principles of the GDPR and the French Loi Informatique et Libertés. Appropriate technical and organisational measures proportionate to the processing of Personal Data are therefore taken with regard to the purpose sought by Universign in the envisaged processing.
    The application of this principle therefore makes it possible to implement preventive measures to limit the risks to Personal Data.

  2. To ensure the highest level of protection of personal data by default: “Privacy by default”.

    Universign implements appropriate technical and organisational measures to ensure that, by default, optimum security of processing is organised and implemented.

5.What processing operations are covered by this policy?

Universign undertakes only to collect data that is strictly necessary for processing and not to divert this data from the purpose for which it was initially collected.

Universign collects and processes the data necessary for the purposes described below:

ProcessingPurposeData subjectLegal basis
WEBSITE
Use and operation of the Site– To enable you to use the Universign Site
– Creation of landing pages, pop-up ads and banners
– Visitors
– Customers
– Prospects
Consent
Newsletter management– Subscribe to our newsletter and be informed of events organised by Universign– Visitors
– Customers
– Prospects
Consent
Website audience analysis– Keep the website running smoothly
– Collect consent to personalise the experience by accepting cookies
– Audience measurement and website navigation performance
– Visitors
– Customers
– Prospects
Legitimate interest
Site management – To ensure that the Site functions properly and is secure
– Improve the Site and
– offer you personalised content to make it more relevant and/or in line with your expectations

– Visitors
– Customers
– Prospects
Consent Legitimate interest
Commercial prospecting– Allow you to request information and/or receive solicitations about offers and services marketed by Universign
– Notify you of changes, updates and other announcements relating to our commercial offering

– Visitors
– Customers
– Prospects
Consent
Compliance with legal obligationsComplying with our legal obligations– VisitorsLegal obligation
LEGAL AND FINANCE
Contract management– Formalising pre-contract negotiations
– Enable contracts to be signed
– Maintaining a point of contact with the customer
– Ensuring proper contract management
– Contract monitoring
– Retention of contracts

– Visitors
– Customers
-Service providers
Contract
Advising operational staff– Ensuring the conformity of responses from employees
– Facilitating legal understanding
– Customers
– Prospects
– Agents of the control authority
Legitimate interest
Managing entitlement requests    -Ensuring the proper management of entitlement requests
– Referring and responding to a request to exercise rights
-Judicial requisitions from the authorities
– Customers
– Prospects
– Persons exercising a right Users
Legal obligations
Billing management– Billing
– Payment
-Recovery
– CustomersContract
LEAD GENERATION
Commercial prospecting– Contacting customers to offer them additional products and services– CustomersConsent Contract
Prospect management– Contacting prospective customers in the course of their duties in order to offer them products and services– Prospects  Legitimate interest
CUSTOMER SUCCESS
Prospect management – Product presentation to prospective customers
– Support for prospects
– Communication with prospects
– ProspectsLegitimate interest   Contract
Management of administrative files– Managing administrative files– CustomersContract
Customer and partner follow-up management– Manage customer and partner follow-up– Customers
– Partners  
Contract
Management of customer or user requests relating to the Certificate of a Natural Person or Certificate of a Legal Person– Manage customer requests relating to CPP or CPM– Customers
– Users
Contract
Managing simple customer requests– Manage customer requests for information or debugging  – Customers
– Users
Contract
OPERATING
Managing debugging requests– Manage debugging requests– CustomersContract
Managing data deletion requests– Manage data deletion requests– CustomersLegal obligation
MARKETING AND COMMUNICATION
Management of scoring and customer reminders-Managing the prospect database and assigning a score to each prospect
– Contact prospects according to their scoring
– Contact with the highest scoring SDRs
– Customers
– Partners Prospects
Legitimate
interest
Indirect lead generation and management– Creating a community of partners
– Building a loyal network of partners
– PartnersLegitimate
interest  
Contract
Marketing campaign management– Converting visitors into customers
– Running marketing campaigns
– Invitation to webinars                
– Customers
– Partners
– Prospects
– Visitors
Legitimate
interest
PRODUCTS AND SOLUTIONS
Collection of user data – Communicating the product to target users
– Collect user feedback and interactions in order to improve the product
– Contact users later on the basis of their feedback in order to improve the product
– Customers
– Users
Contract  
Consent
Legitimate
interest
Gathering user requirements– Gathering and centralising development requests from customers/prospects
– Communicating on a product roadmap
– Communicating the product to target users
– Customers
– Prospects
– Users
Contract  
Consent  
Gathering information on users– Obtain customer information for marketing purposes– CustomersLegitimate interest
HUMAN RESOURCES
Recruitment management– Collection of applications
– Carry out the recruitment process
– Organising technical tests for recruitment
– CandidatesLegal basis
Managing CV library– Keep your CVs in our CV library– CandidatesLegitimate
interest  
Consent
CUSTOMER SUPPORT
Customer service support– Assist customers in resolving problems related to the use of services– Customers
– Partners
Contract
Management of legal entity certificate files for the use of an electronic seal– Manage CPM (legal entity certificate) application files for the use of stamps– Customers  Contract
Manual processing of identity documents– Validate (or not) identity documents, based on checkpoint criteria and data consistency, with a view to creating certificates– CustomersContract
Management of evidence file requests– Process requests for evidence files– Customers  
– Signatories Judicial authorities
Contract
Managing customer requests– Be able to respond to any customer queries and analyse the transaction(s) concerned
– Be able to resolve an anomaly after analysing the transaction(s) concerned
– Customers
– Prospects
– Partners  
Contract
SALES CYCLE MANAGEMENT
Sales process management– Customer contact management
– Management and follow-up of exchanges with customers
– Managing customer calendars and appointments
– Customer relationship management
– Gathering information at events
– Customers
– Distributors
– Partners  
Contract  
Legitimate
interest
Managing commercial prospecting – Managing prospective contacts
– Management and follow-up of exchanges with prospects
– Managing lead calendars and appointments
– Prospect relationship management
– ProspectsLegitimate
interest
Management of certificates of natural persons (CPP)Creation and issue of certificates for qualified natural persons– Certificate holderContract
Management of legal entity certificates (CPM)  Creation and issue of legal entity certificates– Certificate holderContract

6.What is the basis for the legitimacy of our treatment?

Universign relies on the following legal bases in order to process personal data: legal obligation, contractual performance, consent and legitimate interest.

7.To whom may your personal data be communicated?

The data collected is intended for Universign.

Your data may be transmitted or communicated depending on the processing concerned:

  • To the relevant Universign internal departments
  • Other Signaturit group entities: Signaturit; Ivnosys or Vialink
  • Service providers and subcontractors carrying out services on behalf of Universign and complying with the requirements of the GDPR
  • Authorised third parties : public authorities or law enforcement officers who can access certain data because they are expressly authorised to do so by law.

8.Can your Personal Data be transferred outside the European Union?

Personal data may be transferred to our subcontractors, some of whom may be located outside the European Union.

In the event of the transfer of your personal data outside the European Union (EU), Universign undertakes to put in place the necessary guarantees required by the regulations on the protection of Personal Data.

In this case, we ensure that we guarantee an adequate protection framework for the transfer of data. As part of these measures, we may, in particular, enter into standard contractual clauses approved by the European Commission with our subcontractors and implement any technical or organisational measures that we consider appropriate.

9.How long are your Personal Data kept ?

The Data retention period depends on the processing carried out.  Universign undertakes not to retain your Personal Data beyond the period necessary for the provision of the service, and therefore for your use of the service, increased by the retention period imposed by the applicable rules on legal prescription.

A table summarising all the retention periods relating to the provision of our Services is available in the Universign’s PPDP.

10.How is your personal data protected?

Universign undertakes to take all measures to ensure the security and confidentiality of your Personal Data and in particular to prevent it from being damaged, deleted or accessed by unauthorised third parties.

Only authorised personnel may access the data. Any subcontractors’ collaborators are always supervised by a Universign and/or IT Department employee when they access the data servers.

We are constantly improving our security procedures as technologies evolve in order to maintain the highest level of protection. Our staff and those of our subcontractors who have access to personal data are contractually bound by an obligation of confidentiality.

Organisational measures include limiting access to personal data to authorised persons who have a legitimate interest in knowing it.

Furthermore, in the event of a security incident affecting your Personal Data (destruction, loss, alteration or disclosure), Universign ensures that it complies with the obligation to notify violations of Personal Data, in particular to the CNIL.

Universign has put in place the following measures to ensure the security of your personal data: 

  • Universign has an access authentication management policy for its employees, both for its own systems and for third-party systems. Access is restricted according to user profiles by assigning users and personalised passwords with a predefined lifetime. 
  • Universign has informed its staff of their rights and duties with regard to the processing of personal data.
  • Universign has an up-to-date list of user profiles and authorisations, both for its own systems and those of third parties.
  • Universign has a system for recording incidents, as well as the protocol to follow in the event of an incident. In its circuit and incident log, it is also possible to record the data recovery process.  
  • Universign makes appropriate arrangements for the transfer of its own data or that of third parties, where applicable.
  • Universign has the information it needs to understand its IS and protect it effectively (IS mapping, flow matrices, etc.).
  • Universign has a daily backup management system for its IT systems.
  • Universign has a data recovery circuit as part of its Business Continuity Plan.
  • Universign has set up cybersecurity governance, in particular by appointing an Information Systems Security Manager (ISSM). 
  • Universign carries out data protection and cyber security audits on a regular basis.
  • Universign has set up traceability and logging systems. 
  • Universign has secure zones with limited physical and logical access to its IT systems, based on policies and the principle of least privilege.  
  • Universign has an information security management system that is at least equivalent in terms of security objectives to ISO 27001: version 2013.

11.What are your rights regarding your Personal Data?

You may at any time exercise with Universign the rights provided for by the regulations in force applicable to personal data, subject to meeting the conditions and depending on the basis for the processing of the data concerned:

Right of access: you may have access to your Personal Data processed by Universign on the basis of your consent, the performance of a public service mission, a legal obligation, the performance of your contract or the legitimate interest of Universign;

Right of rectification: you may update your Personal Data or have rectified your Personal Data processed by Universign based on your consent, the performance of a public service mission, a legal obligation, the performance of your contract or the legitimate interest of Universign ;

Right to object: you may express your wish that your Personal Data no longer be processed if the processing is based on your consent (you withdraw your consent) or on contractual performance (contractual waiver clause) as well as in the case of processing carried out in Universign’s legitimate interests. On the other hand, you may not object to processing carried out in the context of a legal obligation incumbent on Universign or in the context of the performance of a public service mission which presents compelling and legitimate reasons overriding your rights and freedoms;

Right to erasure: you may request the deletion of your Personal Data, subject to the legal retention period, in the event that the processing is based on your consent (you withdraw your consent) or on contractual performance (contractual waiver clause) as well as in the case of processing carried out in Universign’s legitimate interests. However, you may not request the deletion of data processed in the context of a legal obligation or the performance of a public service mission incumbent on Universign;

Right to limitation: you may request the suspension of the processing of your Personal Data based on your consent, legal obligation, contractual performance or Universign’s legitimate interest if you have a pending request for rectification, erasure or objection or if you consider the processing unlawful but Universign objects to the erasure of your Data ;

Right to portability: you may ask Universign to retrieve your Personal Data in order to dispose of it only if the processing is based on your consent or the performance of a contract. You may not benefit from the right to portability if the processing is carried out in the context of a legal obligation, the performance of a public service mission or the legitimate interest of Universign.

12.How can you exercise your rights regarding your personal data?

When your Personal Data is collected, you are given the address (postal and/or electronic) to which to send your request to exercise your rights, a model of which is attached to this policy. Any request that is not made in a way that leaves no doubt as to the identity of the person making the request must be accompanied by a copy of proof of identity. 

Universign undertakes to respond to your requests to exercise your rights as soon as possible and at the latest within one month of receipt of your request and insofar as the exercise of these rights does not obstruct the performance of the contract or compliance with legal and regulatory obligations. If necessary, this period may be extended by two months in the event of complexity and/or a large number of requests.

Universign complies with its obligations regarding the protection, security and confidentiality of users’ personal data and has appointed a Data Protection Officer.

  • You can contact our Data Protection Officer as follows:  Postal address: Universign – Délégué à la Protection des Données, 7 rue du Faubourg Poissonière 75009, Paris.
  • E-mail: privacy@universign.com
  • You may also lodge a complaint with the CNIL by sending your requests to the following website: www.cnil.fr/fr.plaintes/internet

Appendix 1

Form for exercising your rights relating to your personal data for the attention of Universign

In accordance with the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter, “GDPR”), you have a number of rights regarding your personal data, as well as the processing thereof.

In order to exercise all the rights granted to you by the GDPR, please complete the form below:

IDENTIFICATION OF THE APPLICANT

Name :

……………………………………………………………………………………………………………………….

First name :

………………………………………………………………………………………………………………………………………..

Postal address:

………………………………………………………………………………………………………………………………….

E-mail :

……………………………………………………………………………………………………………………………..

Receiver identification

Universign

In accordance with articles 39 I and 40 I of law no. 78-17 of 6 January 1978 relating to information technology, files and civil liberties, in order for your request for access to your personal data and your request for rectification of your personal data to be taken into account, you must send the elements required to prove your identity, i.e. a copy of a valid proof of identity.

We would also like to remind you that the exercise of these rights is limited depending on the basis on which the data is processed. For example, your right to erasure is limited where the data is necessary for the performance of a contract or to comply with a legal obligation.

If you would like to know more about how to exercise your rights, please read the section of our privacy policy entitled “What are your rights regarding your personal data”.

Purpose of the request

  • Request access to your personal data, i.e. where you wish to know whether or not Universign is processing your personal data and, if so, you wish to obtain a copy (in accordance with Article 15 “Data subject’s right of access” of the GDPR).
  • Request for rectification of your personal data, i.e. if you consider that certain personal data concerning you are inaccurate or incomplete (in accordance with Article 16 “Right of rectification” of the GDPR).

Please specify the data to which the request for rectification relates: …………………………………………………………………………………………………………………………………

  • Requesting the erasure of your personal data, i.e., the case where you no longer wish your personal data to be processed by Universign (in accordance with Article 17 “Right to erasure (“right to be forgotten”)” of the GDPR).

If applicable, please specify the data to which the request for deletion relates: ……………………………………………………………………………………………………………………………………….

  • Request for limitation of processing, i.e. the case where you wish to limit the processing carried out by the data controller and therefore that the personal data in question may, with the exception of storage, only be processed with your consent (in accordance with Article 18 “Right to limitation of processing” of the GDPR). This request can only take place when:
    • You challenge the accuracy of your personal data for a period of time that allows the data controller to verify the accuracy of the data;
    • The processing is unlawful and you object to their deletion and demand instead that their use be restricted;
    • The data controller no longer needs your personal data for the purposes of processing, but it is still necessary for you to establish, exercise or defend your legal rights;
    • You objected to the processing under Article 21(1) of the GDPR during the verification as to whether the legitimate grounds pursued by the controller override your own.

If applicable, please specify the data covered by the limitation request: ……………………………………………………………………………………………………………………………….

  • Request for data portability, i.e. the case where you wish to receive your personal data provided to a data controller and you wish to transfer it to another data controller (in accordance with Article 20 “Right to data portability” of the GDPR).

If applicable, please tick the following boxes if :

  • You wish to receive your personal data;
  • You would like Universign to transfer your personal data to another organisation responsible for processing (please provide us with proof of this organisation):

…………………………………………………………………………………………………………………………….

  • Request to object to data processing, i.e. the case where you object to the processing of your personal data referred to in Article 6 § 1 e) or f) of the GDPR, i.e. processing necessary for the performance of a public service task by the controller, or processing necessary for the purposes of the legitimate interests pursued by the controller or by a processor, or if you no longer wish your personal data to be processed for the purposes of commercial canvassing (in accordance with Article 21 “Right to object” of the GDPR).

Where appropriate, please specify the data to which the request to object to processing relates:

………………………………………………………………………………………………………………………….

……………………….., ……………………..

Signature :