General Terms and Conditions and Data Processor Agreement

1. Reach

The following general terms and conditions (hereinafter „contract“ or „conditions“) of SESAME LABS, S.L. (hereinafter, „SESAME“ or „The Holder“), apply to your order in the version in force at the time of placing the order.

The terms and conditions apply exclusively to contracts made through the Internet portal and will comply with the provisions of current legislation and, in particular, with Law 7/1998, of April 13, on general conditions of contracting, Law 34/2002, of July 11, on services of the information society and electronic commerce, and other complementary laws.

In the event that a contract/agreement has been concluded between SESAME for the same services as the order placed, the contents of such contract/agreement shall prevail over the provisions of these general contracting conditions.

2. Identification of the holder

The entity with which you are contracting is SESAME LABS, S.L. with registered office at Calle de la Travesía, s/n, Base nº1, 46024 Valencia (Spain) CIF B98719818 and registered in the Mercantile Registry of Valencia Volume: 9938, Book 7220, Folio 87, page V.164478, 1st Inscription. SESAME LABS offers its personnel management service (hereinafter, the “Service”) through its website www.sesamehr.co.uk (hereinafter, the “Website”), as well as through its apps for iOS and Android of which it is the owner (hereinafter, the „Apps“).

The address for the purposes of claims will correspond to the one indicated as the registered office of the company.

These general contracting conditions (hereinafter, the „Conditions“) regulate the contracting of the services that are offered by SESAME, all through its Website, as well as the rights and obligations of the parties, derived from the service provision operations arranged between them.

SESAME has developed and is the legitimate owner of software for managing working hours „SESAME TIME“ or „SAAS“ which is offered as a service accessible from the Internet (URL: https://app.sesametime.com or through its applications for iOS and Android) or “Software as a Service (SaaS)” for employer entities (hereinafter, „CLIENT“).

That by accepting these terms and conditions, SESAME grants you a licence to access and use SESAME TIME and the provision of other complementary services, in accordance with the terms and conditions.

3. Definitions

In addition to any other term defined in these conditions, the following terms will have the following meaning:
“Databases”: integrated set of data owned by the CLIENT included within the SAAS during the duration of the Contract. In case of processing of personal data included as part of the Database, the included Treatment Manager Agreement will apply.
“Authorized User(s)”: users who maintain a contractual relationship with the CLIENT and use the SAAS to record and manage their working hours.
“Documentation”: documentation regarding the Services prepared by SESAME and provided to Customer, which may include instruction manuals, technical documentation, etc. in electronic format.

4. Object of the conditions

These general conditions regulate the license of use that SESAME grants to the CLIENT in relation to the SAAS, which is non-sublicensable, non-exclusive, worldwide and with a duration limited to the validity of the agreed conditions, which will be in any case conditional on full payment of the agreed price.

These conditions also regulate the provision of complementary services during the term consisting of technical support in the terms indicated (hereinafter, the use of SESAME TIME and the set of complementary services will be jointly referred to as „Services“).

SESAME reserves the right to modify any term of these conditions, which will be notified to the Client through the SAAS for acceptance, without prejudice to the updating of the conditions on the SESAME website.

ECONOMIC CONDITIONS, PLANS AND CONTRACT RENEWAL
Subscription fee. The price of the Services is fixed in the payment of a subscription fee (the „Fee“) that can be annual or monthly depending on the plan that the CLIENT has selected. Said fee is published both on the web and within the SAAS itself.
Terms of service Free trial

Customers who make use of the Service in its free mode will not be required to provide information for payment. The duration of the free trial will be 14 calendar days from the acceptance of the conditions and the privacy policy. Once the trial period has ended, the CLIENT must select one of the plans offered, which will be governed by the provisions for each of the plans. If the free trial expires and the CUSTOMER has not selected any of the SESAME plans, the account will be blocked and canceled.

Customers who wish to benefit from the free trial service authorise an agent assigned by SESAME to access their account to help them with the configuration and implementation of the service.

Annual Plan Service Conditions

After the 14-day free trial ends or before it ends, the CLIENT may select the annual plan with the different services included in each rate.

Selection of the Annual Fee. With the initial selection or change of plan, the calculation of the calendar year of the service will begin, with the conditions and terms published at the time of selection, including the price, which will remain unchanged during the period of validity.

If the CUSTOMER wishes to modify the contracted plan during the term of the contract, any modification will be subject to the terms and conditions that are published by Sesame on the web at the time the modification is made.

CONTRACT RENEWAL. On the expiration date of the annual plan, that is, one calendar year after the selection of the plan, the contract will be automatically renewed for annuities, and the terms and conditions that are in force on the Sesame website at the time of renewal will apply, unless the CUSTOMER expressly communicates its intention not to renew the CONTRACTED PLAN at least thirty (30) days before the end date of the initial period or any of its extensions.

You may exercise your right of non-renewal through the platform panel.
Modality changes to a lower version may cause the loss of content, features and functionality of the CUSTOMER’s account. SESAME accepts no responsibility for such loss.

Cancellation of the service. The CLIENT may, within the validity of the agreed conditions, terminate the contract, but its cancellation will not give the right to any reimbursement of the amounts already paid to SESAME. The CUSTOMER may cancel his account through the platform panel.

Monthly Plan Service Conditions

After the 14-day free trial ends or before it ends, the CUSTOMER may select the monthly plan with the different services included in each rate.
Selection of the Monthly Fee. With the initial selection or change of plan to monthly, the monthly payment of the selected plan will be made immediately.

Update of the Monthly Fee.
SESAME may modify the fee and/or the conditions of the monthly plans freely, notifying the modifications to be made 60 calendar days in advance of their effective application, granting the customer the right to cancel the service, in case of not accepting the new conditions, as long as it is communicated at least 30 days in advance from said notification.
In the event that the aforementioned cancellation is not communicated, SESAME will proceed to apply the new conditions, including the new rates, 60 days after notification. If the last day of this period does not coincide with the first calendar day of the month, then, for the purposes of computing whole months, this period will be considered as extended until the first calendar day of the following month.
Modality changes to a lower version may cause the loss of content, features and functionality of the CUSTOMER account. SESAME accepts no responsibility for such loss.

Cancellation of the service. THE CLIENT will have the right to terminate the contract, but its cancellation will not give the right to any reimbursement of the amounts already paid to SESAME. The termination of the contract must be notified at least thirty (30) days before the end date of the initial period or any of its extensions.

The CUSTOMER may cancel his account through the platform panel.

TERMS OF USE OF THE SERVICE

Rights of Use. SESAME grants the Client and the Authorized Users the personal, non-exclusive, non-transferable and non-sublicensable right to use the SAAS and the rest of the Services, worldwide, during the duration of these conditions and their renewals exclusively for the purposes of their professional activity, in return for the price.

Use Restrictions. Customer may not: (a) reverse engineer, decompile, disassemble, or attempt to obtain or derive the source code, underlying ideas, algorithms, file formats, or non-public APIs of the Services, or translate, modify, or create derivative works of the SAAS, the Services, or any part thereof, except to the extent permitted by applicable law; (b) copy/reproduce, loan, sell, rent, sublicense, broadcast, distribute, edit, transfer to third parties or provide access to the SAAS, or adapt the Services or any part thereof in any way; (c) use the Services for the benefit of any third party; (d) use the Service for any commercial purpose or in a product or service that Customer provides to third parties; (e) circumvent, modify, remove, erase, alter or otherwise tamper with any security, encryption or other technology or program that is part of the Services; (f) access or use the SAAS or the Services for the purpose of conducting competitive analysis or creating a similar or competitive product or service; (g) use the SAAS for any purpose that is illegal or not authorized by SESAME, including unsolicited advertising and spam; (h) create, collect, transmit, store, use or process any data through the SAAS that violates any applicable law, or infringes the intellectual property rights or other rights of any third party; (i) introduce or spread content or software (viruses and malware) that may cause damage to the computer systems of SESAME, its technology service providers or third party users; or (j) encourage, enable or assist any third party to do any of the foregoing.
Updates and new versions. The updates, successive versions of the SAAS that are provided to the Client during the validity of the Conditions, will be subject to the same terms.

TECHNICAL SUPPORT SERVICES AND AVAILABILITY

Technical Support Services. SESAME will provide the Customer with telephone or electronic support during SESAME business hours to help the Customer to resolve doubts, locate and correct problems in relation to the SAAS through the email support@sesametime.com or the chat included in the SAAS itself. During the provision of the service, the Client authorizes SESAME, through its personnel, and at the Client’s prior request, to access the accounts of the Authorized Users to carry out the appropriate actions to resolve the doubts or incidents that have arisen with the SAAS.
Availability. SESAME will use commercially reasonable efforts to maintain 99% availability of the SAAS and will use commercially reasonable efforts to give Customer at least 48 hours notice of scheduled maintenance during normal business hours.


USE OF THE ACCOUNT

Account Access. The Client and the Authorized Users must maintain the security of the access codes to the Authorized User accounts in the SAAS (“Account”). SESAME will not be responsible in any case for any loss of information or damage caused by the breach of this security obligation.
Restrictions. The following are not allowed: (i) sharing one (1) account among multiple Authorized Users; and (ii) account creation by “bots” or other automated methods. The Client will be responsible for all the actions carried out and all the data uploaded by the Authorized Users in the SAAS.
Account Management. Customer agrees to immediately block or deactivate an Authorized User’s account in the event that: (i) the employment relationship between Customer and Authorized User is suspended or terminated; or (ii) considers that a User has misused their access codes to the SAAS. If SESAME is aware that an Authorized User is in one of the aforementioned cases, SESAME may suspend access to the offending Account temporarily or indefinitely, and SESAME must, in said case, notify the CLIENT of the detected infraction and the measure taken with respect to said Account.


INTELLECTUAL AND INDUSTRIAL PROPERTY

Intellectual and Industrial Property in relation to the Services. SESAME will retain its position as owner of all intellectual and industrial property rights related to all components of the Services, including the SAAS, and any other development, improvement, update or derivative work of this Agreement. Intellectual and industrial property rights shall cover all data, source and object code, scripts, designs, concepts, applications, texts, images, any related documentation, copies, modifications and documents or documentation derived from the foregoing (in whole or in part) and all related copyrights, patents, trademarks, trade secrets, and other proprietary rights, are and shall remain the exclusive property of SESAME and/or its licensors.


Intellectual and Industrial Property of the Client. All rights, titles and interests in relation to the Database, trademarks, trade names, and logos of the Client, as well as those that may exist in its own computer system, will remain the property of the Client.

The Customer expressly authorises SESAME to use its trademark and trade name for the purpose of including it on the web portals owned by SESAME for merely advertising purposes.

CONFIDENTIALITY

Definition of Confidential Information. „Confidential Information“ means any material or information disclosed orally or in writing labeled or qualified as confidential or that, by its nature, is reasonably understood as confidential that has been delivered or provided by either Party to the other for the purpose of these conditions, including information related to the computer systems and the architecture of the planned or existing systems of the Parties, including the hardware, the software, the SAAS itself, the Documentation, the Database, the methods of processing and operating methods.
Exceptions. Confidential Information will not include information that (i) was in the public domain at the time it was disclosed to the Receiving Party; (ii) entered the public domain through use, publication or the like, subsequent to disclosure to the Receiving Party, through no fault or act of the Receiving Party; (iii) was rightfully in the Receiving Party’s possession and free from any obligation of confidentiality at the time it was disclosed to the Receiving Party; (iv) is lawfully disclosed to the Receiving Party by a third party entitled to disclose such Confidential Information, after the time it was disclosed to the Receiving Party.
Confidentiality duty. The Parties undertake not to use, reveal, copy, publish, use, exploit, disseminate or distribute the Confidential Information of the other Party, nor allow the Confidential Information received to be exploited or distributed by third parties, without the prior written consent of the Disclosing Party, except to the extent necessary to perform its obligations or exercise its rights under the contract. The Parties agree to treat the Confidential Information with the same degree of care that they use to protect their own Confidential Information, and in no event with less than a reasonable degree of care. The obligation of confidentiality will remain in force indefinitely and also extends to the employees and representatives of the Parties, as well as to the external consultants that either of the Parties has hired in connection with this contract.
Disclosure of Confidential Information. The Parties may only disclose the Confidential Information in the following cases: (i) in response to an order of a court or other government agency, or as required by law, (in this case the disclosing Party will be previously notified in writing about such potential disclosure and such disclosure will be limited as much as possible); (ii) when the receiving Party of said Confidential Information must disclose it to its employees, representatives or external advisors (if any) that it has hired, in order to comply with its obligations under this contract and only giving them access to it in the measure of what is necessary; (iii) when a Party has received express written authorization from the other Party to disclose its Confidential Information (or any part of it).
Breach of the duty of confidentiality. Failure to comply with the confidentiality obligations embodied in this contract, or malicious or negligent actions carried out by any of the Parties, their employees or directors, will empower the non-breaching Party to claim by legal means, the responsibilities, direct or indirect or against third parties, including judicial and extrajudicial expenses and defense costs incurred by the non-compliant Party, as well as to indemnify the damages that such non-compliance would have caused to the non-defaulting Party.

DATA PROTECTION

Data of the contractors. The Parties inform each other that the personal data of the signatories, as well as of the people who work for the respective Parties, and the contact data indicated for notification purposes, will be processed by the other Party with the sole purpose of managing and executing the contractual relationship. The data will be kept as long as the relationship is in force and, once it has ended, will be kept only for the time necessary to satisfy the fulfillment of fiscal, legal and administrative obligations to which the Parties are obliged.

The basis that legitimizes this treatment is the need to execute this contract. The data will not be communicated or transferred to third parties with the exception of those that are essential for the execution of the contract itself (providers of necessary services) and for the fulfillment of legal obligations (Public Administrations, Auditors, financial entities, insurance companies when appropriate, among others).

In the case of necessary service providers, they may be based outside the EU and an international transfer of data may take place. In this case, the Parties undertake to ensure that their international suppliers have the appropriate guarantees according to the applicable regulations.

The Parties may request the exercise of their rights of access, rectification, deletion, opposition, limitation and portability at the address designated in this contract or at the email address legal@sesametime.com, clearly indicating the right they wish to exercise. Likewise, the Parties are mutually informed that they have the right to file a claim with the Spanish Data Protection Agency (www.aepd.es). However, the Parties will use their best means and will try to resolve any issue related to personal data amicably.

Database included by the CLIENT. The treatment of the personal data contained in the Database that will be carried out by SESAME as a consequence of the provision of the Services will be regulated by the Treatment Order Agreement that appears in these conditions.

GUARANTEE

Ownership guarantee. SESAME guarantees the CLIENT that it is the owner or legitimate holder of all the intellectual property rights necessary to provide the Services and THE SAAS.
Exclusions. Except as expressly stated in the preceding paragraph, SESAME TIME is provided „AS IS“ and „as available“ and SESAME excludes all other warranties, including, but not limited to, the implied warranties of availability, performance, non-infringement, merchantability or suitability for a specific purpose, without prejudice, where appropriate, to the guarantees required by law. The CLIENT accepts that he is solely responsible for the results obtained by the use of the Services and their functionalities. No claims will be accepted for alleged specifications that, in the CLIENT’s opinion, the SAAS or the Services must comply with.

RESPONSIBILITIES

Limitation of Liability. Customer agrees to indemnify and hold SESAME harmless from any third party direct, indirect, incidental or consequential claim, action or demand, as well as from any expense, liability, damage, settlement or fee arising out of misuse of the SAAS or the Services by part of the Client, or of the violation of any of the terms of this contract. SESAME will not assume any responsibility for any claims, losses or damages arising from the use by the Client or any User of any third-party products, services, software or websites that are accessed through links from the SAAS or the SESAME website.
Indirect Damages. SESAME shall not be liable (except as otherwise provided by law) to Customer for any damages, compensation or indemnity based on indirect damages (including, but not limited to consequential damages, loss of use, loss or inaccuracy of data, loss of profits, failure of security mechanisms, business interruption, costs of delay) or any special, incidental or consequential damages of any kind, even if you are advised of the possibility of such damages in advance.
Maximum Liability: SESAME’s maximum liability for any claim arising under this Agreement, whether for breach of contract, breach of warranty, negligence or otherwise, and CUSTOMER’s sole remedy, is limited to direct damages in an amount that does not exceed the proportional part of the sum of the amounts and Annual or Monthly Fees paid or payable by the CLIENT to SESAME under this contract in the last twenty-four (24) months prior to the claim.

Nothing in this agreement shall limit or exclude the liability of a Party that cannot be excluded or limited under applicable law.
Force Majeure. Neither party shall be liable to the other for failure to perform its obligations under the Conditions to the extent that such failure or delay is the result of a cause or circumstance beyond the reasonable control of the affected Party and could not have been avoided or overcome by acting in a reasonable and prudent manner (such as, but not limited to, fires, floods, strikes, labor disputes or other industrial disturbances, war – declared or not –, embargoes, blockades, legal restrictions, riots, insurrections, government regulations).
Normative compliance. The CLIENT will be solely responsible for full compliance with all laws applicable to its business in its jurisdiction. The mere contracting of the Services is not equivalent to or guarantees in any way compliance with the regulations applicable to the management of the working day. SESAME TIME is a tool subject to the use of the CLIENT, who is responsible for fulfilling his obligations.

RESOLUTION

SESAME reserves the right to terminate the Agreement as of right, without prior notice or compensation, in the event that the Client or an Authorized User compromises in any way the integrity of the SAAS, the intellectual and industrial property rights of SESAME over the Services or the reputation of the SESAME brands or products or perform any of the actions provided for in the Clause
Resolution effects. Upon expiration of the contract or its termination for any reason: (i) CLIENT will not be reimbursed for any of the amounts paid to SESAME under this contract and SESAME will invoice all fees owed for the remainder of the current year; (ii) at CLIENT’s request, SESAME undertakes to provide CLIENT with a copy of the Database in a standard technical format. Said request must be made within a period of one (1) from the termination of the contract; (iii) all the provisions of the same will cease to have effect, except for the provisions of this contract that, by their nature, must remain in force, even if the contract is terminated, including the provisions regarding confidentiality, intellectual property and protection of data.

MISCELLANY

Headings. Clause headings are for illustrative purposes only and shall have no legal effect.
Notifications. The Parties designate the designated electronic addresses, in the case of SESAME the enabled electronic address is legal@sesametime.com
Assignment. The CLIENT may not assign or transfer this contract without the prior written consent of SESAME. However, the contract may be assigned or transferred by SESAME without the need for the CLIENT’s consent, prior written notification of the assignment to the CLIENT being sufficient for said assignment to be effective. Once the assignment has been formalized, any reference to the assigning Party contained in this contract shall be understood as a reference to the assignee entity or entities.
Waiver. No delay in exercising any right shall be deemed a waiver thereof, nor shall the waiver of any right or remedy in any particular case constitute a waiver of such right or remedy generally.
Partial invalidity. If any provision of this Agreement is found to be unenforceable or invalid, the remaining provisions of this Agreement will not be affected and will remain in full force and effect.
Independence. This contract is of a commercial nature, and there is in no case any employment relationship between the Parties, who will be independent for all purposes.


APPLICABLE LAW AND JURISDICTION

Applicable legislation. The terms of this contract will be governed and interpreted in all aspects in accordance with Spanish law.
Applicable jurisdiction. The Parties jointly declare that, to the extent reasonable, any dispute arising in connection with or arising from this Agreement shall be resolved through mutual negotiations and consultations. In the event that a satisfactory solution is not reached, said dispute will be submitted to the courts of the city of Valencia.

TREATMENT ORDER AGREEMENT

This Treatment Order Agreement is part of the general conditions, hereinafter, the „Contract“, signed by Sesame Labs S.L and the Client, and which includes the terms and conditions applicable to the services provided by Sesame Labs S.L („services“). This DPA and the rest of the clauses of the Agreement are indicated as a supplement. However, in the event of a conflict, the Processing Order Agreement will prevail.


MANIFEST

That the Parties have signed a license agreement for the use of the SaaS Sesame Time software and services (hereinafter, the „Contract“) by virtue of which the Treatment Manager will provide certain services (hereinafter, the „Services“) that will entail access to personal data that is the responsibility of the Data Controller.
That Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016, regarding the protection of natural persons with regard to the processing of personal data and the free circulation of these data and by which Directive 95/46/EC is repealed (hereinafter, the “RGPD”) imposes the regulation of the obligations related to data protection assumed by the Parties to the Contract.
That, in accordance with the foregoing, the Parties agree to enter into and sign this Processing Order Agreement, which will be governed by the provisions of article 28 of the RGPD, and by the following:

CLAUSES
Object.

In order to execute the benefits derived from the Contract, and to provide the Services effectively, the Treatment Manager may have access to personal data that is the responsibility of the Data Controller.
Identification of the affected information
For the execution of the benefits derived from the fulfillment of the object of this Treatment Order Agreement, the Data Controller makes available to the Treatment Manager the information described below:
Personal information:
Name and surname
Email
ID
profile picture
Registration of entries and exits
Vacations, permits, other information related to the working day.
Projects.
Geolocation (if applicable).
Biometric data (if applicable).

Recruitment module:

Name and surname
Email
ID
Image (if applicable)
Curriculum Vitae (academic information and professional experience, personal characteristics, permits and licenses)
State of the candidacy.

Stakeholder categories: Employees; Candidates

Specification of the treatments to be carried out:
X Collection
X Structuring
X Conservation
X Record

The data processing related to the “Recruitment Module” will be applied when the Data Controller has contracted the Personnel Selection Services with the Treatment Manager at the initial moment of the relationship between the parties or has extended the object of the Contract during its validity.

Duration.

This Processing Order Agreement will enter into force on the date of acceptance of the conditions of the Contract. This Processing Order Agreement is ancillary to the main contract for the provision of services, so its duration is linked to its duration.
Obligations of the Data Controller.

In addition to complying with any obligations attributed to it throughout this Processing Order Agreement, the Data Controller is responsible for carrying out the following tasks:
Comply with all the necessary technical and organizational measures to guarantee the security of the treatment, the premises, equipment, systems, programs and the people who intervene in the activity of the treatment of the referred personal data, which are stipulated in the current regulations and application at all times.
Deliver to the Manager the data referred to in clause 2 of this document, as well as the necessary instructions to carry out the processing of the data in the terms established by the Responsible.
Respond to the rights of individuals affected by the treatment, such as the rights of access, rectification, deletion and opposition, limitation to treatment, data portability and not being the subject of automated individual decisions, in collaboration with the Manager.
Carry out, where appropriate, an assessment of the impact on the protection of personal data of the processing operations to be carried out by the Processor.
Ensure, before and during the treatment, compliance with the applicable regulations on data protection by the Manager.
Supervise the treatment, including the performance of inspections and audits.
Communicate to the Manager any variation that occurs in the personal data provided, so that it can be updated.
Duty of information and legitimate basis

The Controller guarantees that he has complied with the duty to provide all the information to the interested parties at the time of collecting the data object of the treatment, complying with the provisions of art. 12, 13 and 14 of the RGPD, as applicable.
The Data Controller guarantees that it has a legitimate basis for the processing of personal data appropriate to the principles of effectiveness, necessity and proportionality, taking into account the existence of other protection measures that may be less invasive, avoiding discriminatory effects and establishing adequate guarantees.
The Person in Charge of the Treatment will not be in any case responsible for the lack of compliance or defective compliance with the duty of information or application of an appropriate basis of legitimacy.

Obligations of the Treatment Manager.
The Treatment Manager declares and guarantees the following to the Data Controller:
That it will use the personal data object of treatment, or those that it collects for its inclusion, only for the purpose of this assignment. In no case may you use the data for your own purposes;
That it will treat and use the personal data to which it has access, only according to the instructions of the Data Controller, and in accordance with the purposes regulated in the Contract.
The instructions in relation to the treatment of the data and actions entrusted to the Manager must be communicated to the Manager in writing.
If the Treatment Manager considers that complying with a certain instruction of the Data Controller could constitute a breach of the regulations on data protection, it will immediately notify the Data Controller. The Processor in this communication will request the Controller to amend, withdraw or confirm the instruction provided and may suspend compliance pending a decision by the Controller.
That, if applicable, it will keep, in writing, a record of all the categories of treatment activities carried out on behalf of the person in charge, containing all the information provided for in art. 30 GDPR.
That it will maintain the confidentiality and secrecy of the personal data to which it has access for the provision of the Services.
That it will not communicate the data to third parties unless it has the express authorization of the data controller, and in the legally admissible cases.
The Processor may communicate the data to other processors of the same controller, in accordance with the latter’s instructions. In this case, the person in charge will identify, in advance and in writing, the entity to which the data must be communicated, the data to be communicated and the security measures to be applied to proceed with the communication.
That it will provide the Data Controller with the necessary information to demonstrate compliance with the obligations established in the Contract.
That it will provide the assistance required by the Controller to carry out audits or inspections, carried out by the Data Controller or by another auditor authorized by the Controller. The audits may be carried out periodically, in a planned or „ad hoc“ manner, with prior notification to the Processor with a reasonable period of notice, during the usual working hours of the Processor.
That it will guarantee that the persons authorized to process personal data have committed themselves, expressly and in writing, to comply with the established security measures, and to respect the confidentiality of the data. Compliance with this obligation must be documented by the Processor and available to the Data Controller.
That it has appointed a data protection officer (“DPO”) whose contact details are as follows: legal@sesametime.com.
That it will collaborate in the fulfillment of the Responsible Party’s obligations, and will offer support to it, when appropriate and so requested by the Responsible Party, in carrying out (i) impact assessments related to the personal data that it has access to; (ii) prior consultations with the control authority.

Data Destination.
At the end of the provision of the Services, the Data Processor will return the personal data to which it has had access and any existing copies, as indicated by the Data Controller in accordance with section 13.2 of the Agreement.
The Person in Charge of the Treatment may keep a copy with the data duly blocked, while responsibilities may arise from the execution of the provision of the Services.

Notification of data security breaches.
The Processor shall notify the Controller, without undue delay, and in any case within a maximum period of 24 hours, of any incident, suspected or confirmed, related to data protection, within his area of responsibility. Among others, you must notify the Responsible of any treatment that may be considered illegal or unauthorized, any loss, destruction or damage to the data and any incident considered a breach of data security. The notification must be accompanied by all the relevant information for the documentation and communication of the incident to the pertinent authorities or affected interested parties.
The Person in Charge of the Treatment, additionally, will provide assistance to the Responsible in relation to the notification obligations in accordance with the RGPD (in particular, articles 33 and 34 of the RGPD) and any other applicable regulation, present or future, that modifies or complements said obligations.

Exercise of rights by interested parties
The Person in Charge of the Treatment will provide the information and/or documentation that the Person in Charge requests to respond to the requests for the exercise of rights that the Person in Charge may receive from the interested parties whose data is processed. The Person in Charge of the Treatment must provide said information in reasonable time and, in any case, sufficiently in advance so that the Responsible Party can comply with the legally applicable deadlines for the response to the exercise of these rights.
When the affected persons exercise the rights of access, rectification, deletion and opposition, limitation to treatment, portability of data and not to be subject to automated individual decisions, before the Person in Charge of Treatment, they will communicate it by email to the address legal@sesametime.com. The communication must be made immediately in order to attend to it within the established legal deadlines, and in no case beyond two working days upon receipt of the request, presenting it to the Responsible together with any information that may be relevant for its resolution.

Security
In relation to the technical and organizational security measures, the Treatment Manager must implement mechanisms to:
Guarantee the confidentiality, integrity, availability and permanent resilience of treatment systems and services.
Restore the availability and access to personal data quickly, in the event of a physical or technical incident.
Verify, evaluate and assess, on a regular basis, the effectiveness of the technical and organizational measures implemented to guarantee the safety of the treatment.
Pseudonymize and encrypt personal data, where appropriate.

In particular, the Parties have agreed on a list of measures that the Data Processor must implement, indicated in Appendix A to this Processing Commission Agreement.
If the Controller, after the formalization of the Contract, requires the Processor to adopt or maintain security measures other than those agreed in this Annex I, or if they were mandatory by any future regulation, and this would significantly affect the costs of provision of the Services, the Manager and the Data Controller will agree on the appropriate contractual measures to deal with the effect that such modifications may have on the price of the Services.

Outsourcing

The Data Controller grants a general authorization so that the Data Processor can subcontract part of the Services with third parties or subcontractors (the „Subprocessor“). The Data Processor will inform the Data Controller of the treatments that are intended to be subcontracted, clearly and unequivocally identifying the subcontractor company and its contact details. The subcontracting may be carried out if the Data Controller does not express its opposition within a period of 15 days.

The Treatment Manager will apply due diligence to choose only those sub-processors that offer sufficient guarantees to apply appropriate technical and organizational measures, so that the outsourced treatments are in accordance with the requirements of the RGPD and the protection of the rights of the interested parties in the treatment is guaranteed.
The Subprocessor, who will also have the status of data processor, will also be obliged to comply with the obligations imposed on the Data Processor and the instructions issued by the Data Controller, as dictated in this Processing Commission Agreement. It is up to the Data Processor to regulate the new relationship in a contract signed by the Data Processor and Sub-processor, so that the Sub-processor is subject to the same conditions (instructions, obligations, security measures…) and with the same formal requirements as the initial Processor, regarding the proper processing of personal data and the guarantee of the rights of the affected persons. In the event of non-compliance by the Subprocessor, the Processor will remain fully responsible to the Data Controller for the fulfillment of the obligations included in this Processing Engagement Agreement.

The list of subprocessors authorized by the Data Controller is attached to this Processing Order Agreement as Appendix B.

International data transfers

The Person in Charge of the Treatment will not carry out international transfers of personal data to which he has access, responsibility of the Person in Charge of the Treatment, unless he has prior authorization from the Person in Charge of the Treatment or they are duly regularized according to the content of articles 45, 46 or 47 of the GDPR. Notwithstanding the authorized subprocessors referenced in Appendix B that carry out certain treatments on behalf of the data processor in territories outside the European Economic Area, which have signed with the data processor the corresponding standard contractual clauses approved by the European Commission (“CCT”), agreement signed between both entities by which the non-EU company guarantees that it applies European data protection standards.

Responsibility.
The Processor will be considered responsible for the treatment in the event that he uses the data object of this Order Agreement for other purposes, communicates them or uses them in breach of the stipulations of this Order Agreement, responding for the infractions in which he would have incurred personally.

The Data Controller must inform the Processor immediately of the sanctioning procedures initiated against the Data Controller by the AEPD or any other competent authority, for such non-compliance or defective compliance, so that the Processor can assume the legal defense, and must act, at all times, in coordination with the Responsible Party and preserving its public image and reputation.

Each Party shall hold the other harmless against claims, compensation, actions and expenses arising from claims that the Party is obliged to satisfy by final judgment or award issued by a competent court, or by virtue of an agreement reached between a Party and third-party claimants, which are a consequence of non-compliance or defective compliance with the applicable regulations.

APPENDIX A.- SECURITY MEASURES

Our infrastructure is mainly Cloud-based. We use several providers for higher failure-tolerance. We are constantly improving this. 

Our app has a distributed architecture, which allows us to keep the front end, the API and the other services necessary for the operation of the application separate. It also gives us better service scalability, as we can separately assess which part of our infrastructure needs to carry the most load.

On the other hand, we have a virtualised development environment that allows our team to make all changes in parallel, controlled by the Git version control system, which allows us to ensure the integrity of the system, as well as a continuous integration flow with GitLab.

Development methodologies

  • SOLID
  • DDD (Domain Driven Design)
  • Unit Tests
  • Hex Architecture
  • Multiple authentication  
  • CI/CD with Gitlab.

Programming languages

  • Backend
    • Symfony 4
    • PHP 7.x.x
    • MySQL / MariaDB.
    • Redis or SQS (or Beanstalk)
    • S3  
    • SQS
  • Frontend
    • VueJS
    • Tailwind
    • Own logic component library  
  • Apps
    • VueJS
    • Capacitor
    • Typescript  
  • Sockets
    • NodeJS
    • Express
    • Typescript
    • SocketIO.

Infrastructure

The following infrastructure technologies are available to process all the information.

  • Debian 10
  • Docker
  • K8S
  • AWS
  • Google Cloud
  • OVH Cloud
  • Proxmox
  • HAProxy
  • Cloudflare

Our systems department will be responsible for ensuring that the servers have the necessary software for the correct functioning of the app.

Providers

Database server

  • Relational (SQL): For relational databases, we will use MariaDB
  • This database has to be utf8 encoded.
  • We will have a user with the following permissions:
    • Schema (Create objects): Yes (create, modify and delete tables).
    • Writing (SUDI Select, Update, Delete and Insert): Yes 
    • Read (SELECT): Yes

Full weekly backups and daily incremental backups are performed. We keep monthly, weekly and daily copies of these backups from our database server, stored on our slave server. In addition, hourly copies of our main server database are also made.

We keep copies of all web server content, and copies of critical service configuration files.

We use a backup server in France, with redundancy in Poland, to ensure the availability of backups in case of disaster.

The manager of the information systems or IT department, or whoever acts in their stead, is the designated responsible party and shall draw up a procedure for testing backups and restoring backups on a monthly basis.

In case of backup retrieval, the following procedure shall be followed:

Infrastructure security measures

Datacenter

Our servers are outsourced to OVH, number one in Europe and third in the world in web hosting, which has more than 150,000 physical servers. OVH’s success lies in the total control it exercises over the hosting chain, including the production of its servers. OVH is known for the special attention it pays to the selection of the components of its machines, demanding the highest quality.

Each server is systematically subjected to a series of tests to verify its technical compliance and its good performance under all circumstances. As soon as the machine leaves production, it is installed and connected to the OVH datacentres. A robot then checks that the hardware is as ordered by the customer and that its performance meets the specifications.

The checkpoints are as follows:

– processors: compliance, load test, temperature;

– RAM memory: size, memtest;

– BIOS: BIOS version, virtualization;

– disks: speed, SMART test, firmware version, etc.

We also have outsourced services on AWS. AWS has been a pioneer of cloud computing since 2006, creating a cloud infrastructure that allows you to create securely and innovate faster. Their data centres are designed to protect against natural and man-made hazards. They implement controls, develop automated systems and undergo third-party audits to confirm security and compliance. 

Data centres are designed to anticipate and tolerate errors while maintaining service levels. In the event of an error, automated processes divert traffic away from the affected area. Core applications are implemented on an N+1 standard so that in the event of a failure in one data centre, there is sufficient capacity to be able to load balance traffic between the other sites.

AWS monitors and performs preventive maintenance on electrical and mechanical equipment to maintain the constant operation of the systems installed in AWS data centres. Equipment maintenance procedures are performed by qualified individuals and are carried out in accordance with a documented maintenance schedule.

Protection against attacks

Our servers use the anti-DDoS infrastructure deployed by OVH to protect the servers 24 hours a day against any kind of DDoS attack, regardless of its duration and scale.

The objective of a DDoS attack is to take down a server, service or infrastructure by sending multiple simultaneous requests from multiple points in the network.

The intensity of this „crossfire“ destabilises the service, or worse, disables it. This infrastructure allows:

  • analyzing all packets in real time and at high speed,
  • drawing incoming traffic away from the server,
  • mitigating, i.e. identifying all illegitimate IP packets while letting legitimate IP packets through.

Security

Sesame is very aware of data security, data processing and data leakage. That is why we work every day to improve the security of our data, maintaining clear objectives in this area. For this reason, we will now go into more detail on the different aspects that we deal with in terms of security, both in our app and in our infrastructure:

Cloud providers: Sesame works with different cloud providers to provide the highest possible availability and scalability of the app. All our providers have at least the following security certifications: 

  • ISO/IEC 27001, 27017 and 27018
  • PCI DSS Level 1
  • GDPR Compliance with EU Regulation 2016/679 on General Data Protection
  • SSAE 18 Type 2: SOC 1, SOC 2 and SOC 3

Access to these providers is only granted to employees with a very high level of authorisation in the company, almost always by an area or systems manager.

Servers: Access to servers is restricted to employees with a high level of authorisation. Access to the server will use a 2048-bit RSA encrypted key pair and will include a nominal user password which allows the user’s access to be logged as well as the detailed movement of changes or alterations to the machines for possible audit.

Third-party tools: Sesame uses third-party security tools such as Tenable.io, which inventories all the machines and domains we use and periodically launches vulnerability and intrusion audits. As a result, every week our experts have new reports available indicating possible security breaches, which are patched in the order of priority recommended by Tenable’s AI algorithm.

App access: Access to the platform will always be through our CDN and DNS provider Cloudflare, which has an integrated state-of-the-art WAF capable of detecting and mitigating attacks directly targeting the app.

Patching policy

All services, and the infrastructure that supports them, accessible from the Internet, whether for internal company use or for our customers, follow a policy of agile security updates. These services are patched as soon as a major bug or vulnerability becomes known. In the case of non-critical updates, monthly or quarterly patching is scheduled depending on our needs and the app.

Internal services (printers, local user network equipment, telephone switchboards, etc.) have a policy of regularly scheduled updates (every six months, every year, etc.) depending on needs and are to be carried out by the company’s IT department. 

We also have a virus alert system, ClamAV.

APPENDIX B.- LIST OF SUB-PROCESSORS

| NAME OF SUB-PROCESSOR | REGISTERED BUSINESS ADDRESS | CURRENT LOCATION OF TREATMENT | LINK TO SUB-PROCESSOR SECURITY POLICY |
| --- | --- | --- | --- |
| OVH SAS | 2 rue Kellermann 59100 Roubaix, (France) | France (OVH Cloud Gravelines (GRA3), Rte de la Frm Masson, 59820 Gravelines) | https://www.ovh.es/proteccion-datos-personales/seguridad.xml |
| Amazon Web Services | 410 Terry Avenue North, Seattle, WA 98109-5210, ATTN | France (Amazon Brétigny-sur-Orge, 91220 Brétigny-sur-Orge) | https://aws.amazon.com/es/compliance/ |
| The Rocket Science Group (Mailchimp) | 675 Ponce De Leon Ave NE, Atlanta, Georgia 30308, US | United States | https://mailchimp.com/about/security/ |