1.1 In accordance with the Terms of Service, this Data Processing Addendum ("DPA") sets out the basis on which the parties Process Customer Personal Data (each as defined below).
1.2 In the event of a conflict between any of the provisions of this DPA and the remaining provisions of the Agreement, the provisions of this DPA shall prevail.
1.3 Both parties will comply with all applicable requirements of the Data Protection Laws (as defined below). This DPA is in addition to, and does not relieve, remove or replace, a party's obligations under the Data Protection Laws.
1.4 For the purpose of this DPA, the parties acknowledge that the Customer is the Controller (as defined below) and Cloud Maker is the Processor (as defined below).
2.1 Unless otherwise set out below, each capitalised term in this DPA shall have the meaning set out in clause 2.1 of the Terms of Service, and the following capitalised terms used in this DPA shall be defined as follows:
(a) "Controller" has the meaning given in the Data Protection Laws;
(b) "Customer Personal Data" means the Personal Data described in ANNEX 1 and any other Personal Data that Cloud Maker Processes on behalf of the Customer in connection with Cloud Maker's provision of the Cloud Maker Service;
(c) "Data Protection Laws" means (i) the EU General Data Protection Regulation 2016/679 of the European Parliament and of the Council ("GDPR") and any applicable national implementing legislation, (ii) the UK Data Protection Act 2018, in each case as amended, replaced, or superseded from time to time, and (iii) all applicable legislation protecting the fundamental rights and freedoms of persons and their right to privacy with regard to the Processing of Personal Data;
(d) "Data Subject" has the meaning given in the Data Protection Laws;
(e) "European Economic Area" or "EEA" means the Member States of the European Union together with Iceland, Norway, and Liechtenstein;
(f) "Personal Data" has the meaning given in the Data Protection Laws;
(g) "Processing" has the meaning given in the Data Protection Laws, and "Process" shall be interpreted accordingly;
(h) "Processor" has the meaning given in the Data Protection Laws;
(i) "Security Incident" means any accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, any Customer Personal Data;
(j) "Standard Contractual Clauses" means the Standard Contractual Clauses (processors) approved by European Commission Decision C(2010)593 or any subsequent version thereof released by the European Commission (which will automatically apply);
(k) "Subprocessor" means any Processor engaged by Cloud Maker that agrees to receive from Cloud Maker and Process any Customer Personal Data; and
(l) "Supervisory Authority" has the meaning given in the Data Protection Laws.
3. DATA PROCESSING
3.1 Instructions for Data Processing. Cloud Maker will only Process Customer Personal Data in accordance with (a) the Agreement, to the extent necessary to provide the Cloud Maker Service, and (b) the Customer's written instructions, unless Processing is required under applicable Data Protection Laws to which Cloud Maker is subject, in which case Cloud Maker shall, to the extent permitted by applicable Data Protection Laws, inform the Customer of that legal requirement before Processing that Customer Personal Data.
3.2 The Agreement (subject to any changes to the Cloud Maker Service agreed between the Parties), including this DPA, shall be the Customer's complete and final instructions to Cloud Maker in relation to the Processing of Customer Personal Data.
3.3 Processing outside the scope of the Agreement will require prior written agreement between the Customer and Cloud Maker on additional instructions for Processing.
3.4 Required consents and disclosures. Where required by applicable Data Protection Laws, the Customer will ensure that it has obtained all necessary consents, and has made all necessary disclosures, for the Processing of Customer Personal Data by Cloud Maker in accordance with the Agreement.
4. TRANSFER OF PERSONAL DATA
4.1 Authorised Subprocessors. The Customer agrees that Cloud Maker may use Amazon Web Services, Inc., Microsoft Inc., Google LLC and Prospect Global Ltd (trading as Sopro) as Subprocessors to Process Customer Personal Data.
4.2 The Customer agrees that Cloud Maker may use subcontractors to fulfil its contractual obligations under the Agreement. Cloud Maker shall notify the Customer from time to time of the identity of any Subprocessor it engages. If the Customer (acting reasonably) objects to a new Subprocessor, then without prejudice to any right to terminate the Agreement, the Customer may request that Cloud Maker moves the Customer Personal Data to another Subprocessor and Cloud Maker shall, within a reasonable time following receipt of such request, use all reasonable endeavours to ensure that the Subprocessor does not Process any of the Customer Personal Data.
4.4 Save as set out in clauses 4.1, 4.2 and 4.3, Cloud Maker shall not permit, allow or otherwise facilitate Subprocessors to Process Customer Personal Data without the prior written consent of the Customer, and unless Cloud Maker enters into a written agreement with the Subprocessor which imposes the same obligations on the Subprocessor with regards to their Processing of Customer Personal Data as are imposed on Cloud Maker under this DPA.
4.5 Liability of Subprocessors. Cloud Maker shall at all times remain responsible for compliance with its obligations under the DPA and will be liable to the Customer for the acts and omissions of any Subprocessor approved by the Customer as if they were the acts and omissions of Cloud Maker.
4.6 Transfers of Personal Data. To the extent that the Processing of Customer Personal Data by Cloud Maker involves the export of such Customer Personal Data to a third party to a country or territory outside the EEA, other than (i) a country or territory ensuring an adequate level of protection for the rights and freedoms of Data Subjects in relation to the Processing of Personal Data as determined by the European Commission such as the EU-U.S. Privacy Shield, or (ii) where the third party is a member of a compliance scheme recognised as offering adequate protection for the rights and freedoms of Data Subjects as determined by the European Commission, such export shall be governed by the Standard Contractual Clauses. In the event of any conflict between any terms and conditions of the Standard Contractual Clauses and this DPA, the Standard Contractual Clauses shall prevail.
5. DATA SECURITY, AUDITS AND SECURITY NOTIFICATIONS
5.1 Cloud Maker Security Obligations. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Cloud Maker shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including the measures set out in ANNEX 2.
5.2 Security Audits. The Customer may, upon reasonable notice, audit (by itself or using independent third party auditors) Cloud Maker's compliance with the security measures set out in this DPA (including the technical and organisational measures as set out in ANNEX 2), including by conducting audits of Cloud Maker's data processing facilities. Upon request by the Customer, Cloud Maker shall make available all information reasonably necessary to demonstrate compliance with this DPA.
5.3 Security Incident Notification. If Cloud Maker or any Subprocessor becomes aware of a Security Incident, Cloud Maker will (a) notify the Customer of the Security Incident within 72 hours, (b) investigate the Security Incident and provide such reasonable assistance to the Customer (and any law enforcement or regulatory official) as required to investigate the Security Incident, and (c) take steps to remedy any non-compliance with this DPA.
5.4 Cloud Maker Employees and Personnel. Cloud Maker shall treat the Customer Personal Data as the Confidential Information of the Customer, and shall ensure that:
(a) access to Customer Personal Data is limited to those employees or other personnel who have a business need to have access to such Customer Personal Data; and
(b) any employees or other personnel have agreed in writing to protect the confidentiality and security of Customer Personal Data.
6. ACCESS REQUESTS AND DATA SUBJECT RIGHTS
6.1 Data Subject Requests. Save as otherwise required (or where prohibited) under applicable law, Cloud Maker shall notify the Customer of any request received by Cloud Maker or any Subprocessor from a Data Subject in respect of their Personal Data included in the Customer Personal Data, and shall not respond to the Data Subject.
6.2 Cloud Maker shall, where possible, assist the Customer with ensuring its compliance under applicable Data Protection Laws, and in particular shall:
(a) provide the Customer with the ability to correct, delete, block, access, or copy the Customer Personal Data in accordance with the functionality of the Cloud Maker Service; or
(b) promptly correct, delete, block, access, or copy Customer Personal Data within the Cloud Maker Service at the Customer's request.
6.3 Government Disclosure. Cloud Maker shall notify the Customer of any request for the disclosure of Customer Personal Data by a governmental or regulatory body or law enforcement authority (including any data protection supervisory authority) unless otherwise prohibited by law or a legally binding order of such body or agency.
6.4 Data Subject Rights. Where applicable, and taking into account the nature of the Processing, Cloud Maker shall use all reasonable endeavours to assist the Customer by implementing any other appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Customer's obligation to respond to requests for exercising Data Subject rights laid down in the Data Protection Laws.
7. DATA PROTECTION IMPACT ASSESSMENT AND PRIOR CONSULTATION
To the extent required under applicable Data Protection Laws, Cloud Maker shall provide reasonable assistance to the Customer with any data protection impact assessments and with any prior consultations to any Supervisory Authority of the Customer, in each case solely in relation to Processing of Customer Personal Data and taking into account the nature of the Processing and information available to Cloud Maker.
8.1 Deletion of data. Subject to clause 8.2 below, Cloud Maker will, at the Customer's election and within ninety (90) days of the date of termination of the Agreement:
(a) delete and use all reasonable efforts to procure the deletion of Customer Personal Data Processed by Cloud Maker and any Subprocessors; or
(b) return a complete copy of all Customer Personal Data by secure file transfer in such a format as notified by the Customer to Cloud Maker (and delete, and use all reasonable efforts to procure the deletion of all other copies of, the Customer Personal Data Processed by Cloud Maker and any Subprocessor).
8.2 Cloud Maker and its Subprocessors may retain Customer Personal Data to the extent required by applicable laws and only to the extent and for such period as required by applicable laws and always provided that Cloud Maker shall ensure the confidentiality of all such Customer Personal Data and shall ensure that such Customer Personal Data is only Processed as necessary for the purpose(s) specified in the applicable laws requiring its storage and for no other purpose.
DETAILS OF THE PROCESSING OF CUSTOMER PERSONAL DATA
This ANNEX 1 includes certain details of the processing of Customer Personal Data.
Subject matter and duration of the Processing of Customer Personal Data
The subject matter and the duration of the Processing of the Customer Personal Data are set out in the Agreement (including this DPA).
The nature and purpose of the Processing of Customer Personal Data
The Customer Personal Data will be subject to the following basic Processing activities: transmitting, collecting, storing, and analysing data in order to provide the Cloud Maker Service to the Customer; and any other activities related to the provision of the Cloud Maker Service or as specified in the Agreement.
The types of Customer Personal Data to be Processed
The types of Customer Personal Data to be Processed concern the following categories of data: name and email address of employees and other personnel of the Customer including Authorised Users; name, email and geographical address and telephone number of employees and other personnel of End Users.
The categories of Data Subject to whom the Customer Personal Data relates
The categories of Data Subject to whom the Customer Personal Data relates concern: employees and other personnel of the Customer including Authorised Users; employees and other personnel of End Users.
The obligations and rights of the Customer
The obligations and rights of the Customer are as set out in the Agreement including this DPA.
TECHNICAL AND ORGANISATIONAL SECURITY MEASURES
1. Cloud Maker maintains (and ensures that its Subprocessors maintain) internal policies and procedures which are designed to:
(a) secure any Customer Personal Data Processed by Cloud Maker against accidental or unlawful loss, access or disclosure;
(b) identify reasonably foreseeable and internal risks to security and unauthorised access to the Customer Personal Data Processed by Cloud Maker;
(c) minimise security risks, including through risk assessment and regular testing.
2. Cloud Maker conducts (and ensures that its Subprocessors conduct) periodic reviews of the security of its network and the adequacy of its information security program as measured against industry security standards and its policies and procedures.
3. Cloud Maker periodically evaluates (and ensures that its Subprocessors periodically evaluate) the security of its network and associated services to determine whether additional or different security measures are required to respond to new security risks or findings generated by the periodic reviews.