Data Processing Agreement

****** Data Processing Agreement
Preamble. This Data Processing Agreement amends and forms part of the Agreement between Mistral AI and the Customer. This Data Processing Agreement prevails over any conflicting terms of the Agreement but does not otherwise modify the Agreement.

1. Definitions
   The capitalized words in this Agreement shall have the meaning given below:

“Agreement”: means the service agreement entered into by and between the Parties, governing the provision of the Services by Mistral AI to the Customer.

“Applicable Data Protection Law”: means any applicable national, federal, EU, state, provincial or other privacy, data security, or data protection law or regulation, including, to the extent applicable, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 applicable since 25 May 2018 (the “GDPR”).

“Authorized Recipient”: means (i) Mistral AI’s affiliates, (ii) Mistral AI’s team members, (ii) Mistral AI’s Sub-processors or (iv) any third party that is authorized by the Applicable Data Protection Law to access the Personal Data.

“Authorized Purpose”: means the authorized purpose for the Processing as mentioned in Exhibit 1.

“Customer”: means any legal person who subscribes to the Services and, where applicable, its affiliates.

“Data Controller”: means the person who determines the purposes and the means of the Processing.

“Data Processing Agreement” or “DPA”: means this data processing agreement governing the Processing carried-out by the Parties, that forms part of the Agreement.

“Data Processor”: means the person who carries-out the Processing on behalf of the Data Controller and under its documented instructions.

“Data Subjects”: means the person whose Personal Data is processed.

““International Data Transfer”: means any disclosure of Personal Data by an organization establishes in the EEA to a Restricted Country.

“Mistral AI”: means Mistral AI, a French simplified joint-stock company, registered at the Trade register of Paris under number 952 418 325, having its corporate seat at 15 rue des Halles 75001, Paris, France and its affiliates.

“Personal Data”: means any data relating to an identified or identifiable Data Subject.

“Personal Data Breach”: means any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data, likely to result in a risk for the rights and freedoms of Data Subjects.

“Processing”: means the processing of Personal Data described in Exhibit 1.

“Restricted Country”: means any country located outside of the European Economic Area (EEA) and that does not benefit from an adequacy decision from the European Commission.

“**SCC”¨¨: means the clauses annexed to the EU Commission Implementing Decision 2021/914 of June 4, 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council as amended or replaced from time to time.
“Services”: means the services provided by Mistral AI to the Customer under the Services Agreement.

“Sub-processor”: means any Data Processor appointed by Mistral AI to carry-out all or part of the Processing on behalf of the Customer.

“Supervisory Authority”: means any independent authority competent to supervise the Processing.

Terms not defined in this document. Any capitalized word that is not defined in this DPA shall have the meaning given in the Agreement. ******