Security vulnerability notification

Statement

Cybersecurity is a crucial aspect of Capgemini as an organization. We are committed to protecting all of our users and customers everywhere.

Capgemini supports a transparent approach to vulnerability management working with the wider security community.

Capgemini has a dedicated team which monitors closely the cybersecurity of its systems, services and products.  In parallel, our Group Cybersecurity Team runs the Group’s external vulnerability management process, that manages the receipt, assessment (investigation) and response coordination activities.

Vulnerability Disclosure Notification Process

How to notify Capgemini of a security issue

If you discover a vulnerability in our system, services or product, please notify us as quickly as possible by sending an email to: cert.global@capgemini.com

Please include, as a minimum, the following information:

• Your preferred contact details (including Contact Phone number)
• Detailed description of the vulnerability
• Time and method of its discovery
• Specification of system, services or product where the vulnerability has been discovered
• Any other related information (code samples, logs, screenshots, etc)

Resolution process

We will investigate any notification issues and will undertake all required actions and measures to mitigate and/or resolve the notification issue.

Undertakings

By submitting a vulnerability notification, you agree to :-

• Not disclosing or publishing the vulnerability to others before it has been fixed and before expiration of a mutually agreed time frame;
• Not taking advantage of the vulnerability, modifying, downloading or deleting any records or data or to launch any type of attack based on the vulnerability;
• Abide by the laws and regulations related to your location;
• Comply with applicable data protection legislations, in particular by not disclosing a third party’s personal data without any valid legal ground;
• Confirm that the elements contained in the notification you are submitting do not infringe intellectual property rights of any third party (i.e. you did not copy elements available on the internet for example).

By submitting a vulnerability notification to Capgemini, you agree to grant Capgemini an irrevocable, worldwide right to use it, gratuitously and for a period of fifty years.

Processing of your personal data

When submitting your notification, you understand that Capgemini will process your personal data. Such processing is carried out in compliance with applicable data protection laws, and in any case your personal data will be processed only in order to follow up on your notification. Capgemini undertakes not to process your personal data for any other purpose.

With whom do we share your personal data?

Your personal data will be shared with third parties only to the extent strictly necessary. When relying on such third party, be ensured that Capgemini has entered into contractual agreements to ensure that your personal data are processed safely and strictly according to Capgemini’s instructions.

Furthermore, the Capgemini affiliates or the third party at stake, may be located outside of the European Economic Area (“EEA”) thus implying a data transfer of your personal data.

→ Where such a transfer takes place between entities of Capgemini, it will be covered by Capgemini’s Binding Corporate Rules (“BCR”). For further information on Capgemini’s BCR, please click on the following link: https://www.capgemini.com/wp-content/uploads/2017/06/Capgemini-Binding-Corporate-Rules.pdf.

→ Where such transfer takes place between Capgemini and the external third-party, Capgemini and said third-party have into EU Model Clauses approved by the European Commission, to ensure the security of the personal data.

How long does Capgemini keep your personal data?

Capgemini shall keep your personal data for no longer than is necessary for the purpose(s) for which they were collected.

Capgemini shall keep your personal data for three (3) years from date of collection.

What are your rights and how to exercise them?

You can request to access, rectify or erase your personal data. You may also object to the processing of your personal data, or request that it be restricted. In addition, you can ask for the communication of your personal data in a structured, commonly used and machine-readable format.

If you wish to exercise those rights, please contact our Global Data Protection Office by sending an email to the following address: dpocapgemini.global@capgemini.com. Where appropriate we will communicate your request and/or complaint to the relevant local data protection officer.

Please note that you also have the right to lodge a complaint before a data protection authority or the competent court of law.