Data Processing Agreement
Background
(A) The Customer and the Provider entered into the Terms & Conditions on the Commencement Date (Master Agreement) that may require the Provider to process Personal Data provided by or collected for the Customer.
(B) This Data Processing Agreement (DPA) sets out the additional terms, requirements, and conditions on which the Provider will obtain, handle, process, disclose, transfer, or store Personal Data when providing services under the Master Agreement.
Agreed Terms
1. Definitions and Interpretation
The following definitions and rules of interpretation apply in this DPA.
1.1 Definitions:
Business Day: a day other than a Saturday, Sunday or public holiday in England and Wales, when banks in London are open for business.
Business Purpose: the services described in the Master Agreement or any other purpose specifically identified in Annex A.
Contract: means the contract between the Customer and Provider for the supply of the Services more particularly set out in the Order Form, the Conditions, CloudM Terms and the Statement of Work.
Customer: the person, firm or entity who purchases software or services from the Supplier as set out in any Order.
Data Subject: an individual who is the subject of Personal Data.
Order: the Customers order for software or services as set out in the Order Form
Order Form: CloudM’s ordering document that specifies the Service/s purchased by the Customer under the Contract that is entered into by the Customer and CloudM. By entering into an Order Form, Customer agrees to be bound by the terms of the Contract including this DPA.
Personal Data: any information the Provider processes for the Customer that (1) identifies or relates to an individual who can be identified directly or indirectly from that data alone or in combination with other information in the Provider’s possession or control or that the Provider is likely to have access to, or (2) the relevant Privacy and Data Protection Requirements otherwise define as protected personal data.
Processing, processes, and process: any activity that involves the use of Personal Data, or as the relevant Privacy and Data Protection Requirements may otherwise define the terms processing, processes or process. It includes obtaining, recording, or holding the data, or carrying out any operation or set of operations on the data including organising, amending, retrieving, using, disclosing, erasing, or destroying it. Processing also includes transferring Personal Data to third parties.
Provider: Cloud Technology Solutions Ltd trading as CloudM incorporated and registered in England & Wales with company number 06738954 whose registered office is at Lowry House, 17 Marble Street, Manchester, M2 3AW
Privacy and Data Protection Requirements: all applicable laws and regulations relating to the processing, protection, or privacy of the Personal Data, including where applicable, the guidance and codes of practice issued by regulatory bodies in any relevant jurisdiction.
Security Breach: any act or omission that materially compromises the security, confidentiality, or integrity of Personal Data or the physical, technical, administrative, or organizational safeguards put in place to protect it. The loss of or unauthorised access, disclosure, or acquisition of Personal Data is a Security Breach.
Standard Contractual Clauses (SCC): the European Commission’s Standard Contractual Clauses for the transfer of Personal Data from the European Union to processors established in third countries, as set out in the Annex to the Commission implementing decision on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 (as replaced, amended or updated from time to time), and/or any other standard contractual clauses under English law.
Sub-Processor: means any Processor engaged by the Provider to assist in fulfilling the Providers obligations with respect to the provision of the Services under the Contract. Sub-Processors will exclude any Provider employee or consultant.
1.2 This DPA is subject to the terms of the Master Agreement and is incorporated into the Master Agreement. Interpretations and defined terms set forth in the Master Agreement apply to the interpretation of this DPA.
1.3 The Annexes form part of this DPA and will have effect as if set out in full in the body of this DPA. Any reference to this DPA includes the Annexes.
1.4 A reference to writing or written includes email.
1.5 In the case of conflict or ambiguity between:
a) any provision contained in the body of this DPA and any provision contained in the Annexes, the provision in the body of this DPA will prevail;
b) the terms of any accompanying invoice or other documents annexed to this DPA and any provision contained in the Annexes, the provision contained in the Annexes will prevail;
c) any of the provisions of this DPA and the provisions of the Master Agreement, the provisions of this DPA will prevail; and
d) any of the provisions of this DPA and any executed Standard Contractual Clauses, the provisions of the executed Standard Contractual Clauses will prevail.
2. Personal Data Types and Processing Purposes
2.1 The Customer and the Provider acknowledge that for the purpose of applicable Privacy and Data Protection Requirements, the Customer is the data controller and the Provider is the data processor.
2.2 The Customer retains control of the Personal Data and remains responsible for its compliance obligations under the applicable Privacy and Data Protection Requirements, including providing any required notices and obtaining any required consents, and for the processing instructions it gives to the Provider.
2.3 Customer acknowledges and agrees without generality to the foregoing that it is responsible for (i) the accuracy, quality and legality of Customer Data and the means by which Customer acquired Personal Data; (ii) complying with all necessary transparency and lawfulness requirements under applicable Privacy and Data Protection Requirements for the collection and use of Personal Data, including obtaining any necessary consents and authorisations (particularly for use by Customer); ensuring Customer has the right to transfer, or provide access to, the Personal Data to Provided for Processing in accordance with the terms of the Contract including this DPA (iv) ensuring that Customers instructions to Provider regarding the Processing of Personal Data comply with all applicable laws applicable to emails, the content of the emails and its email deployment practices. Customer shall inform Provider without undue delay if it is not able to comply with its responsibilities under this clause 2.3 or applicable Privacy and Data Protection Requirements.
2.4 Annex A describes the general Personal Data categories and Data Subject types the Provider may process to fulfil the Business Purposes of the Master Agreement.
3. Provider’s Obligations
3.1 The parties agree that the Contract (including DPA) together with the Customers use of the Services in accordance with the Contract, constitute its complete and final instructions to Provider in relation to the processing of Personal Data, and additional instructions outside the scope of the instructions shall require prior written agreement between the parties. The Provider will only process the Personal Data to the extent as is necessary for the Business Purposes in accordance with the Customer’s instructions. The Provider will not process the Personal Data for any other purpose or in a way that does not comply with this DPA or the Privacy and Data Protection Requirements. The Provider must promptly notify the Customer if, in its opinion, the Customer’s instruction would not comply with the Privacy and Data Protection Requirements.
3.2 The Provider must promptly comply with any Customer lawful request or instruction requiring the Provider to amend, transfer, or delete the Personal Data, or to stop, mitigate, or remedy any unauthorised processing. Provider is not responsible for compliance of any Privacy and Data Protection Requirements applicable to Customers industry that is not generally applicable to Provider.
3.3 The Provider will maintain the confidentiality of all Personal Data and will not disclose Personal Data to third parties unless the Customer or this DPA specifically authorises the disclosure, or as required by law. If a law requires the Provider to process or disclose Personal Data, the Provider must first inform the Customer of the legal requirement and give the Customer an opportunity to object or challenge the requirement, unless the law prohibits such notice.
3.4 The Provider will reasonably assist the Customer with meeting the Customer’s compliance obligations under the Privacy and Data Protection Requirements, while also considering the nature of the Provider’s processing and the information available to the Provider.
3.5 The Provider must promptly notify the Customer of any changes to Privacy and Data Protection Requirements that may adversely affect the Provider’s performance of the Master Agreement.
3.6 The Customer acknowledges that the Provider is under no duty to investigate the completeness, accuracy, or sufficiency of any specific Customer instructions from Authorized Persons or the Personal Data other than as required under the Privacy and Data Protection Requirements.
3.7 The Provider will only collect Personal Data for the Customer using a notice or method that the Customer specifically pre-approves in writing, which contains an approved data privacy notice informing the Data Subject of the Customer’s identity and its appointed data protection representative, the purpose or purposes for which their Personal Data will be processed, and any other information that, having regard to the specific circumstances of the collection and expected processing, is required to enable fair processing. The Provider will not modify or alter the notice in any way without the Customer’s prior written consent.
4. Provider’s Employees
4.1 The Provider will limit Personal Data access to: (a) those employees who require Personal Data access to meet the Provider’s obligations under this Agreement; and (b) the part or parts of the Personal Data that those employees strictly require for the performance of their duties.
4.2 The Provider will ensure that all employees:
a) are informed of the Personal Data’s confidential nature and use restrictions;
b) have undertaken training on the Privacy and Data Protection Requirements relating to handling Personal Data and how it applies to their particular duties; and
c) are aware both of the Provider’s duties and their personal duties and obligations under the Privacy and Data Protection Requirements and this Agreement.
4.3 The Provider will take reasonable steps to ensure the reliability, integrity, and trustworthiness of any Provider employee with access to the Personal Data, and will conduct background checks consistent with applicable law on those employees.
5. Security
5.1 The Provider must at all times implement appropriate technical and organizational measures to protect Personal Data against unauthorised or unlawful processing, access, copying, modification, storage, reproduction, display, or distribution, and against accidental loss, destruction, or damage including the security measures set out at Annex B.
5.2 The Provider will immediately notify the Customer if it becomes aware of any advance in technology and methods of working, which indicate that the parties should adjust their security measures.
5.3 The Provider must take reasonable precautions to preserve the integrity of any Personal Data it processes and to prevent any corruption or loss of the Personal Data, including but not limited to establishing effective back-up and data restoration procedures.
6. Security Breach and Personal Data Loss
6.1 The Provider will promptly notify the Customer if any Personal Data is lost or destroyed or becomes damaged, corrupted, or unusable. The Provider will restore such Personal Data at its own expense.
6.2 Either party will within 2 Business Days notify the other party if it becomes aware of:
A) any unauthorised or unlawful processing of the Personal Data; or
B) any Security Breach.
6.3 Immediately following any unauthorised or unlawful Personal Data processing or Security Breach, the parties will coordinate with each other to investigate the matter. The Provider will reasonably cooperate with the Customer in the Customer’s handling of the matter, including:
A) assisting with any investigation; (b) providing the Customer with physical access to any facilities and operations affected; (c) facilitating interviews with the Provider’s employees, former employees and others involved in the matter; and (d) making available all relevant records, logs, files, data reporting and other materials required to comply with all Privacy and Data Protection Requirements or as otherwise reasonably required by the Customer.
6.4 The Provider will not inform any third party of any Security Breach without first obtaining the Customer’s prior written consent, except when law or regulation requires it.
6.5 The Provider agrees that the Customer has the sole right to determine:
A) whether to provide notice of the Security Breach to any Data Subjects, regulators, law enforcement agencies, or others, as required by law or regulation or in the Customer’s discretion, including the contents and delivery method of the notice; and
B) whether to offer any type of remedy to affected Data Subjects, including the nature and extent of such remedy.
6.6 The Provider will cover all reasonable expenses associated with the performance of the obligations under 6.2 and 6.3, unless the Security Breach arose from the Customer’s instructions, negligence, wilful default, or breach of this DPA, in which case the Customer will cover all reasonable expenses.
6.7 The Provider will also reimburse the Customer for actual reasonable expenses the Customer incurs when responding to and mitigating damages, to the extent that the Provider caused a Security Breach, including all costs of notice and any remedy as set out in 6.5.
7. Transfers of Personal Data
7.1 Customer acknowledges and agrees that Provider may access and Process Personal Data on a global basis necessary to provide the Services in accordance with the Contract and in particular where Sub-Processors have operations. Provider will ensure such transfers are made in compliance with the Privacy and Data Protection Requirements.
7.2 If any Personal Data transfer between the Provider and the Customer requires execution of Standard Contractual Clauses in order to comply with the Privacy and Data Protection Requirements, the parties will complete all relevant details in, and execute, the Standard Contractual Clauses, and take all other actions required to legitimise the transfer, including, if necessary:
(a) co-operating to register the Standard Contractual Clauses with any supervisory authority in any member state of the European Economic Area; or (b) procuring approval from any such supervisory authority; or (c) providing additional information about the transfer to such supervisory authority.
8. Sub-Processors
8.1 The Customer agrees that the Provider may engage Sub-Processors to process the Personal Data on its behalf. The Provider has currently appointed the Sub-Processors set out in Annex A.
8.2 Where Provider engages Sub-Processors, the Provider will enter into a written contract with the subcontractor that contains terms substantially the same as those set out in this DPA (including where appropriate Standard Contractual Clauses). Provider remains responsible for each Sub-Processors performance of its obligations and for any acts of omissions of such Sub-processor that cause Provider to breach any of its obligations under this DPA.
8.3 The Parties consider the Provider to control any Personal Data controlled by or in the possession of its subcontractors.
8.4 Upon the Customer’s written request, the Provider will audit a subcontractor’s compliance with its obligations regarding the Customer’s Personal Data and provide the Customer with the audit results.
9. Complaints and Data Subject Rights Requests
9.1 The Provider must notify the Customer immediately if it receives any complaint, notice, or communication that relates directly or indirectly to the processing of the Personal Data or to either party’s compliance with the Privacy and Data Protection Requirements
9.2 The Provider must notify the Customer within 3 Business Days if it receives a request from a Data Subject for access to their Personal Data.
9.3 The Provider will give the Customer its full cooperation and assistance in responding to any complaint, notice, communication, or Data Subject request.
9.4 The Provider must not disclose the Personal Data to any Data Subject or to a third party other than at the Customer’s request or instruction, as provided for in this DPA or as required by law.
10. Term and Termination
10.1 This DPA will remain in full force and effect so long as (a) the Master Agreement remains in effect, or (b) the Provider retains any Personal Data related to the Master Agreement in its possession or control (Term).
10.2 Any provision of this DPA that expressly or by implication should come into or continue in force on or after termination of the Master Agreement in order to protect Personal Data will remain in full force and effect.
10.3 The Provider’s failure to materially comply with the terms of this DPA is a material breach of the Master Agreement. In such event, the Customer may terminate any part of the Master Agreement authorising the processing of Personal Data effective immediately upon written notice to the Provider without further liability or obligation.
10.4 If a change in any Privacy and Data Protection Requirement prevents either party from fulfilling all or part of its Master Agreement obligations, the parties will suspend the processing of Personal Data until that processing complies with the new requirements. If the parties are unable to bring the Personal Data processing into compliance with the Privacy and Data Protection Requirement within 20 Business Days, they may terminate the Master Agreement upon written notice to the other party.
11. Data Return and Destruction
11.1 At the Customer’s request, the Provider will give the Customer a copy of, or access to, the Customer’s Personal Data in its possession or control, in the format and on the media reasonably specified by the Customer.
11.2 On termination of the Master Agreement for any reason or expiry of its term, the Provider will securely destroy or, if directed in writing by the Customer, return and not retain, the Personal Data related to this DPA in its possession or control, except for one copy that it may retain and use for 36 months for audit purposes only.
11.3 If any law, regulation, or government, or regulatory body requires the Provider to retain any documents or materials that the Provider would otherwise be required to return or destroy, it will notify the Customer in writing of that retention requirement, giving details of the documents or materials that it must retain, the legal basis for retention, and establishing a specific timeline for destruction once the retention requirement ends.
11.4 Where requested by the Customer, the Provider will certify in writing that it has destroyed the Personal Data within 20 Business Days after it completes the destruction.
12. Records
12.1 The Provider will keep detailed, accurate, and up-to-date records regarding any processing of Personal Data it carries out for the Customer, including but not limited to, the access, control, and security of the Personal Data, approved subcontractors and affiliates, and the processing purposes (Records).
12.2 The Provider will ensure that the Records are sufficient to enable the Customer to verify the Provider’s compliance with its obligations under this DPA.
13. Audit
13.1 At least once per year, the Provider will conduct site audits of its Personal Data processing practices and the information technology and information security controls for all facilities and systems used in complying with its obligations under this DPA, including, but not limited to, obtaining a network-level vulnerability assessment performed by a recognised third-party audit firm based on recognised industry best practices.
13.2 Upon the Customer’s written request, the Provider will make all of the relevant audit reports available to the Customer for review. The Customer will treat such audit information as the Provider’s confidential information under this Agreement.
13.3 The Provider will promptly address any exceptions noted in the audit information with the development and implementation of a corrective action plan by the Provider’s management.
14. Warranties
14.1 The Provider warrants and represents that:
A) its employees, subcontractors, agents and any other person or persons accessing Personal Data on its behalf are reliable and trustworthy and have received the required training on the Privacy and Data Protection Requirements relating to the Personal Data; and
B) it and anyone operating on its behalf will process the Personal Data in compliance with all applicable Privacy and Data Protection Requirements and other laws, enactments, regulations, orders, standards, and other similar instruments; and
C) it has no reason to believe that any Privacy and Data Protection Requirements prevent it from providing any of the Master Agreement’s Services; and
D) considering the current technology environment and implementation costs, it will take appropriate technical and organizational measures to prevent the unauthorised or unlawful processing of Personal Data and the accidental loss or destruction of, or damage to, Personal Data, and ensure a level of security appropriate to:
(i) the harm that might result from such unauthorised or unlawful processing or accidental loss, destruction, or damage; and
(ii) the nature of the Personal Data protected; and
(iii) comply with all applicable Privacy and Data Protection Requirement and its information and security policies, including the security measures required in 5.
14.2 The Customer warrants and represents that the Provider’s expected use of the Personal Data for the Business Purpose and as specifically instructed by the Customer will comply with all Privacy and Data Protection Requirements.
15. Indemnification
15.1 The Provider agrees to indemnify, keep indemnified, and defend at its own expense the Customer against all reasonable costs, claims, damages, or expenses incurred by the Customer or for which the Customer may become liable due to any failure by the Provider or its employees, subcontractors, or agents to comply with any of its obligations under this DPA or applicable Privacy and Data Protection Requirements.
15.2 During the Term, the Provider must, at its own cost and expense, obtain and maintain insurance, in full force and effect, sufficient to cover the Provider’s potential indemnity or reimbursement obligations. The Provider will produce the policy and premium payment receipt to the Customer on request. The Provider will give the Customer thirty (30) days’ advance written notice if the policy materially changes or is cancelled.
16. Notice
16.1 Any notice or other communication given to a party under or in connection with this DPA must be in writing and delivered to: For the Customer: The Customer Account Manager or data privacy officer set out in any Order under the MSA. For the Provider: dpo@cts.co.
16.2 Clause 16.1 does not apply to the service of any proceedings or other documents in any legal action or, where applicable, any arbitration or other method of dispute resolution.
This agreement has been entered into on the Commencement Date of any Order Form.
Annex A
Data Processing Purposes and Details
Business Purposes: The Services described on the Order Form to the Master Agreement.
Nature and Purpose of Processing
Provider will Process Personal Data as necessary to provide the Services pursuant to the Contract in accordance with the Order Form and as instructed by Customer in its use of the Services.
Duration of Processing
Provider will Process Personal Data for the duration of the Contract, unless otherwise agreed in writing.
Personal Data Categories:
Customer may submit Personal Data during the use of the Services, the extent of which is determined and controlled by Customer and which may include the following Personal Data relating to the following categories of Personal Data:
Customer contacts and end users including but not limited to Customer employees, contractors, customers, prospects, suppliers, collaborators and subcontractors, it may also include third party individuals attempting to communicate with Customers end users.
Data Subject Types:
Customer may submit Personal Data to the Services, to the extent which is determined and controlled by Customer and which may include but is not limited to the following Data Subject types:
Contact information such as names, email addresses, telephone numbers and any other Personal Data submitted by, sent to or received by Customer or its end users through the Services.
Special Categories of Personal Data (if applicable)
The parties do not anticipate any transfer of special categories of data.
Sub-Processors
Subprocessor | Purpose | Location | Website |
---|---|---|---|
Cloud Services Provider | US/EU | https://cloud.google.com/terms/data-processing-terms | |
Microsoft | Cloud Services Provider | US/EU | https://docs.microsoft.com/en-gb/legal/gdpr |
Salesforce | CRM supporting business processes | xxx | https://www.salesforce.com/ |
Hubspot | Marketing processes | US | https://www.hubspot.com/ |
Atlassian (Jira) | Developer process management | EU | https://www.atlassian.com/software/jira |
Zendesk | Customer support | EU | https://www.zendesk.com/ |
Annex B
Security Measures
This Annex B forms part of the DPA.
Provider currently observes the security measures described in this Annex B.
a) ACCESS CONTROLS.
Software Access. Provider hosts its Software Service on outsourced cloud infrastructure providers. Provider maintains contractual relationships with these providers and in accordance with the DPA to protect any data stored by these providers.
Authentication: Customer products are protected by outsourced single sign on authentication method. No access to any customer data is possible without a valid authorised account managed by the customer on the prospective productivity platform (e.g. Google Workspace).
Physical and environmental security. All product infrastructure for production purposes is hosted by outsourced cloud infrastructure providers and is protected by their published security process including access control.
b) SYSTEM ACCESS CONTROLS. The internal CloudM teams access to customer data is protected by a least privilege model with two factor authentication enforced as default. All access is logged and monitored.
The implementation of infrastructure protection of data differs between infrastructure providers and includes Virtual Private Cloud (VPC) implementations, security group assignment, and traditional firewall rules.
c) TRANSMISSION CONTROLS. All data transmission as part of the CloudM product suite is performed over HTTPS. The highest level of TLS encryption is applied to traffic depending on what is supported by the platform in use.
All data at rest is fully encrypted.
d) INPUT CONTROLS. Full monitoring and alerting of system traffic and behaviour are in place for the CloudM suite of products. Suspected security incidents are acted upon inline with our information security policy. Customers will be notified by CloudM Support if they are impacted by any security breach.
e) DATA BACKUPS. Fault tolerance: Backup and replication strategies are designed to ensure redundancy and fail-over protections during a significant processing failure. Customer data is backed up to multiple durable data stores and replicated across multiple availability zones. Backup data is segregated from production data and subject to independent access control and monitoring.
f) DATA SEGREGATION. All customer data related to the CloudM suite of products is subject to full segregation based on a multi-tenanted data model. No customers have access to any data outside of their tenant.