Data Processing Agreement

Background

(A) The Customer and the Provider entered into the Terms & Conditions on the Commencement Date (Master Agreement) that may require the Provider to process Personal Data provided by or collected for the Customer.

(B) This Data Processing Agreement (DPA) sets out the additional terms, requirements, and conditions on which the Provider will obtain, handle, process, disclose, transfer, or store Personal Data when providing services under the Master Agreement.

Agreed Terms

1. Definitions and Interpretation

The following definitions and rules of interpretation apply in this DPA.

1.1 Definitions:


Business Day:
a day other than a Saturday, Sunday or public holiday in England and Wales, when banks in London are open for business.

Business Purpose:
the services described in the Master Agreement or any other purpose specifically identified in Annex A.

Contract:
means the contract between the Customer and Provider for the supply of the Services more particularly set out in the Order Form, the Conditions, CloudM Terms and the Statement of Work.

Customer:
the person, firm or entity who purchases software or services from the Supplier as set out in any Order.

Data Subject:
an individual who is the subject of Personal Data.

Order:
the Customer's order for software or services as set out in the Order Form.

Order Form:
CloudM’s ordering document that specifies the Service/s purchased by the Customer under the Contract that is entered into by the Customer and CloudM. By entering into an Order Form, Customer agrees to be bound by the terms of the Contract including this DPA.

Personal Data:
any information the Provider processes for the Customer that (1) identifies or relates to an individual who can be identified directly or indirectly from that data alone or in combination with other information in the Provider's possession or control or that the Provider is likely to have access to, or (2) the relevant Privacy and Data Protection Requirements otherwise define as protected personal data.

Processing, processes, and process:
any activity that involves the use of Personal Data, or as the relevant Privacy and Data Protection Requirements may otherwise define the terms processing, processes or process. It includes obtaining, recording, or holding the data, or carrying out any operation or set of operations on the data including organising, amending, retrieving, using, disclosing, erasing, or destroying it. Processing also includes transferring Personal Data to third parties.

Provider:
Cloud Technology Solutions Ltd trading as CloudM incorporated and registered in England & Wales with company number 06738954 whose registered office is at Lowry House, 17 Marble Street, Manchester, M2 3AW.

Privacy and Data Protection Requirements:
all applicable laws and regulations relating to the processing, protection, or privacy of the Personal Data, including where applicable, the guidance and codes of practice issued by regulatory bodies in any relevant jurisdiction.

Security Breach:
any act or omission that materially compromises the security, confidentiality, or integrity of Personal Data or the physical, technical, administrative, or organizational safeguards put in place to protect it. The loss of or unauthorised access, disclosure, or acquisition of Personal Data is a Security Breach.

Standard Contractual Clauses (SCC):
the European Commission’s Standard Contractual Clauses for the transfer of Personal Data from the European Union to processors established in third countries (controller to processor transfers), as set out in the Annex to Commission Decision 2010/87/EU, a completed copy of which comprises Annex C.

Sub-Processor:
means any Processor engaged by the Provider to assist in fulfilling the Provider's obligations with respect to the provision of the Services under the Contract. Sub-Processors will exclude any Provider employee or consultant.

1.2 This DPA is subject to the terms of the Master Agreement and is incorporated into the Master Agreement. Interpretations and defined terms set forth in the Master Agreement apply to the interpretation of this DPA.

1.3 The Annexes form part of this DPA and will have effect as if set out in full in the body of this DPA. Any reference to this DPA includes the Annexes.

1.4 A reference to writing or written includes email.

1.5 In the case of conflict or ambiguity between:

a) any provision contained in the body of this DPA and any provision contained in the Annexes, the provision in the body of this DPA will prevail;

b) the terms of any accompanying invoice or other documents annexed to this DPA and any provision contained in the Annexes, the provision contained in the Annexes will prevail;

c) any of the provisions of this DPA and the provisions of the Master Agreement, the provisions of this DPA will prevail; and

d) any of the provisions of this DPA and any executed Standard Contractual Clauses, the provisions of the executed Standard Contractual Clauses will prevail.

2. Personal Data Types and Processing Purposes


2.1 The Customer and the Provider acknowledge that for the purpose of applicable Privacy and Data Protection Requirements, the Customer is the data controller and the Provider is the data processor.

2.2 The Customer retains control of the Personal Data and remains responsible for its compliance obligations under the applicable Privacy and Data Protection Requirements, including providing any required notices and obtaining any required consents, and for the processing instructions it gives to the Provider.

2.3 Customer acknowledges and agrees without generality to the foregoing that it is responsible for (i) the accuracy, quality and legality of Customer Data and the means by which Customer acquired Personal Data; (ii) complying with all necessary transparency and lawfulness requirements under applicable Privacy and Data Protection Requirements for the collection and use of Personal Data, including obtaining any necessary consents and authorisations (particularly for use by Customer); (iii) ensuring Customer has the right to transfer, or provide access to, the Personal Data to Provider for Processing in accordance with the terms of the Contract including this DPA; and (iv) ensuring that Customer's instructions to Provider regarding the Processing of Personal Data comply with all applicable laws applicable to emails, the content of the emails and its email deployment practices. Customer shall inform Provider without undue delay if it is not able to comply with its responsibilities under this clause 2.3 or applicable Privacy and Data Protection Requirements.

2.4 Annex A describes the general Personal Data categories and Data Subject types the Provider may process to fulfil the Business Purposes of the Master Agreement.

3. Provider's Obligations


3.1 The parties agree that the Contract (including this DPA), together with the Customer's use of the Services in accordance with the Contract, constitutes its complete and final instructions to Provider in relation to the processing of Personal Data, and additional instructions outside the scope of the instructions shall require prior written agreement between the parties. The Provider will only process the Personal Data to the extent necessary for the Business Purposes in accordance with the Customer's instructions. The Provider will not process the Personal Data for any other purpose or in a way that does not comply with this DPA or the Privacy and Data Protection Requirements. The Provider must promptly notify the Customer if, in its opinion, the Customer's instruction would not comply with the Privacy and Data Protection Requirements.

3.2 The Provider must promptly comply with any Customer lawful request or instruction requiring the Provider to amend, transfer, or delete the Personal Data, or to stop, mitigate, or remedy any unauthorised processing. Provider is not responsible for compliance with any Privacy and Data Protection Requirements applicable to Customer's industry that are not generally applicable to Provider.

3.3 The Provider will maintain the confidentiality of all Personal Data and will not disclose Personal Data to third parties unless the Customer or this DPA specifically authorises the disclosure, or as required by law. If a law requires the Provider to process or disclose Personal Data, the Provider must first inform the Customer of the legal requirement and give the Customer an opportunity to object or challenge the requirement, unless the law prohibits such notice.

3.4 The Provider will reasonably assist the Customer with meeting the Customer's compliance obligations under the Privacy and Data Protection Requirements, while also considering the nature of the Provider's processing and the information available to the Provider.

3.5 The Provider must promptly notify the Customer of any changes to Privacy and Data Protection Requirements that may adversely affect the Provider's performance of the Master Agreement.

3.6 The Customer acknowledges that the Provider is under no duty to investigate the completeness, accuracy, or sufficiency of any specific Customer instructions from Authorized Persons or the Personal Data other than as required under the Privacy and Data Protection Requirements.

3.7 The Provider will only collect Personal Data for the Customer using a notice or method that the Customer specifically pre-approves in writing, which contains an approved data privacy notice informing the Data Subject of the Customer's identity and its appointed data protection representative, the purpose or purposes for which their Personal Data will be processed, and any other information that, having regard to the specific circumstances of the collection and expected processing, is required to enable fair processing. The Provider will not modify or alter the notice in any way without the Customer's prior written consent.

4. Provider's Employees


4.1 The Provider will limit Personal Data access to: (a) those employees who require Personal Data access to meet the Provider's obligations under this Agreement; and (b) the part or parts of the Personal Data that those employees strictly require for the performance of their duties.

4.2 The Provider will ensure that all employees:

a) are informed of the Personal Data's confidential nature and use restrictions;

b) have undertaken training on the Privacy and Data Protection Requirements relating to handling Personal Data and how it applies to their particular duties; and

c) are aware both of the Provider's duties and their personal duties and obligations under the Privacy and Data Protection Requirements and this Agreement.

4.3 The Provider will take reasonable steps to ensure the reliability, integrity, and trustworthiness of any Provider employee with access to the Personal Data, and will conduct background checks consistent with applicable law on those employees.

5. Security


5.1 The Provider must at all times implement appropriate technical and organizational measures to protect Personal Data against unauthorised or unlawful processing, access, copying, modification, storage, reproduction, display, or distribution, and against accidental loss, destruction, or damage including the security measures set out at Annex B.

5.2 The Provider will immediately notify the Customer if it becomes aware of any advance in technology and methods of working, which indicate that the parties should adjust their security measures.

5.3 The Provider must take reasonable precautions to preserve the integrity of any Personal Data it processes and to prevent any corruption or loss of the Personal Data, including but not limited to establishing effective back-up and data restoration procedures.

6. Security Breach and Personal Data Loss


6.1 The Provider will promptly notify the Customer if any Personal Data is lost or destroyed or becomes damaged, corrupted, or unusable. The Provider will restore such Personal Data at its own expense.

6.2 Either party will within 2 Business Days notify the other party if it becomes aware of:

A) any unauthorised or unlawful processing of the Personal Data; or

B) any Security Breach.

6.3 Immediately following any unauthorised or unlawful Personal Data processing or Security Breach, the parties will coordinate with each other to investigate the matter. The Provider will reasonably cooperate with the Customer in the Customer's handling of the matter, including:

(a) assisting with any investigation; (b) providing the Customer with physical access to any facilities and operations affected; (c) facilitating interviews with the Provider's employees, former employees and others involved in the matter; and (d) making available all relevant records, logs, files, data reporting and other materials required to comply with all Privacy and Data Protection Requirements or as otherwise reasonably required by the Customer.

6.4 The Provider will not inform any third party of any Security Breach without first obtaining the Customer's prior written consent, except when law or regulation requires it.

6.5 The Provider agrees that the Customer has the sole right to determine:

A) whether to provide notice of the Security Breach to any Data Subjects, regulators, law enforcement agencies, or others, as required by law or regulation or in the Customer's discretion, including the contents and delivery method of the notice; and

B) whether to offer any type of remedy to affected Data Subjects, including the nature and extent of such remedy.

6.6 The Provider will cover all reasonable expenses associated with the performance of the obligations under 6.2 and 6.3, unless the Security Breach arose from the Customer's instructions, negligence, wilful default, or breach of this DPA, in which case the Customer will cover all reasonable expenses.

6.7 The Provider will also reimburse the Customer for actual reasonable expenses the Customer incurs when responding to and mitigating damages, to the extent that the Provider caused a Security Breach, including all costs of notice and any remedy as set out in 6.5.

7. Transfers of Personal Data


7.1 Customer acknowledges and agrees that Provider may access and Process Personal Data on a global basis necessary to provide the Services in accordance with the Contract and in particular where Sub-Processors have operations. Provider will ensure such transfers are made in compliance with the Privacy and Data Protection Requirements.

7.2 If any Personal Data transfer between the Provider and the Customer requires execution of Standard Contractual Clauses in order to comply with the Privacy and Data Protection Requirements, the parties will complete all relevant details in, and execute, the Standard Contractual Clauses contained in Annex C, and take all other actions required to legitimise the transfer, including, if necessary:

(a) co-operating to register the Standard Contractual Clauses with any supervisory authority in any member state of the European Economic Area; or (b) procuring approval from any such supervisory authority; or (c) providing additional information about the transfer to such supervisory authority.

8. Sub-Processors


8.1 The Customer agrees that the Provider may engage Sub-Processors to process the Personal Data on its behalf. The Provider has currently appointed the Sub-Processors set out in Annex A.

8.2 Where Provider engages Sub-Processors, the Provider will enter into a written contract with the subcontractor that contains terms substantially the same as those set out in this DPA (including where appropriate Standard Contractual Clauses). Provider remains responsible for each Sub-Processor's performance of its obligations and for any acts or omissions of such Sub-Processor that cause Provider to breach any of its obligations under this DPA.

8.3 The Parties consider the Provider to control any Personal Data controlled by or in the possession of its subcontractors.

8.4 Upon the Customer's written request, the Provider will audit a subcontractor's compliance with its obligations regarding the Customer's Personal Data and provide the Customer with the audit results.

9. Complaints and Data Subject Rights Requests


9.1 The Provider must notify the Customer immediately if it receives any complaint, notice, or communication that relates directly or indirectly to the processing of the Personal Data or to either party's compliance with the Privacy and Data Protection Requirements.

9.2 The Provider must notify the Customer within 3 Business Days if it receives a request from a Data Subject for access to their Personal Data.

9.3 The Provider will give the Customer its full cooperation and assistance in responding to any complaint, notice, communication, or Data Subject request.

9.4 The Provider must not disclose the Personal Data to any Data Subject or to a third party other than at the Customer's request or instruction, as provided for in this DPA or as required by law.

10. Term and Termination


10.1 This DPA will remain in full force and effect so long as (a) the Master Agreement remains in effect, or (b) the Provider retains any Personal Data related to the Master Agreement in its possession or control (Term).

10.2 Any provision of this DPA that expressly or by implication should come into or continue in force on or after termination of the Master Agreement in order to protect Personal Data will remain in full force and effect.

10.3 The Provider's failure to materially comply with the terms of this DPA is a material breach of the Master Agreement. In such event, the Customer may terminate any part of the Master Agreement authorising the processing of Personal Data effective immediately upon written notice to the Provider without further liability or obligation.

10.4 If a change in any Privacy and Data Protection Requirement prevents either party from fulfilling all or part of its Master Agreement obligations, the parties will suspend the processing of Personal Data until that processing complies with the new requirements. If the parties are unable to bring the Personal Data processing into compliance with the Privacy and Data Protection Requirement within 20 Business Days, they may terminate the Master Agreement upon written notice to the other party.

11. Data Return and Destruction


11.1 At the Customer's request, the Provider will give the Customer a copy of, or access to, the Customer's Personal Data in its possession or control, in the format and on the media reasonably specified by the Customer.

11.2 On termination of the Master Agreement for any reason or expiry of its term, the Provider will securely destroy or, if directed in writing by the Customer, return and not retain, the Personal Data related to this DPA in its possession or control, except for one copy that it may retain and use for 36 months for audit purposes only.

11.3 If any law, regulation, or government, or regulatory body requires the Provider to retain any documents or materials that the Provider would otherwise be required to return or destroy, it will notify the Customer in writing of that retention requirement, giving details of the documents or materials that it must retain, the legal basis for retention, and establishing a specific timeline for destruction once the retention requirement ends.

11.4 Where requested by the Customer, the Provider will certify in writing that it has destroyed the Personal Data within 20 Business Days after it completes the destruction.

12. Records


12.1 The Provider will keep detailed, accurate, and up-to-date records regarding any processing of Personal Data it carries out for the Customer, including but not limited to, the access, control, and security of the Personal Data, approved subcontractors and affiliates, and the processing purposes (Records).

12.2 The Provider will ensure that the Records are sufficient to enable the Customer to verify the Provider's compliance with its obligations under this DPA.

13. Audit


13.1 At least once per year, the Provider will conduct site audits of its Personal Data processing practices and the information technology and information security controls for all facilities and systems used in complying with its obligations under this DPA, including, but not limited to, obtaining a network-level vulnerability assessment performed by a recognised third-party audit firm based on recognised industry best practices.

13.2 Upon the Customer's written request, the Provider will make all of the relevant audit reports available to the Customer for review. The Customer will treat such audit information as the Provider's confidential information under this Agreement.

13.3 The Provider will promptly address any exceptions noted in the audit information with the development and implementation of a corrective action plan by the Provider's management.

14. Warranties


14.1 The Provider warrants and represents that:

A) its employees, subcontractors, agents and any other person or persons accessing Personal Data on its behalf are reliable and trustworthy and have received the required training on the Privacy and Data Protection Requirements relating to the Personal Data; and

B) it and anyone operating on its behalf will process the Personal Data in compliance with all applicable Privacy and Data Protection Requirements and other laws, enactments, regulations, orders, standards, and other similar instruments; and

C) it has no reason to believe that any Privacy and Data Protection Requirements prevent it from providing any of the Master Agreement's Services; and

D) considering the current technology environment and implementation costs, it will take appropriate technical and organizational measures to prevent the unauthorised or unlawful processing of Personal Data and the accidental loss or destruction of, or damage to, Personal Data, and ensure a level of security appropriate to:

(i) the harm that might result from such unauthorised or unlawful processing or accidental loss, destruction, or damage; and

(ii) the nature of the Personal Data protected; and

(iii) comply with all applicable Privacy and Data Protection Requirements and its information and security policies, including the security measures required in 5.

14.2 The Customer warrants and represents that the Provider's expected use of the Personal Data for the Business Purpose and as specifically instructed by the Customer will comply with all Privacy and Data Protection Requirements.

15. Indemnification


15.1 The Provider agrees to indemnify, keep indemnified, and defend at its own expense the Customer against all reasonable costs, claims, damages, or expenses incurred by the Customer or for which the Customer may become liable due to any failure by the Provider or its employees, subcontractors, or agents to comply with any of its obligations under this DPA or applicable Privacy and Data Protection Requirements.

15.2 During the Term, the Provider must, at its own cost and expense, obtain and maintain insurance, in full force and effect, sufficient to cover the Provider's potential indemnity or reimbursement obligations. The Provider will produce the policy and premium payment receipt to the Customer on request. The Provider will give the Customer thirty (30) days' advance written notice if the policy materially changes or is cancelled.

16. Notice


16.1 Any notice or other communication given to a party under or in connection with this DPA must be in writing and delivered to: For the Customer: The Customer Account Manager or data privacy officer set out in any Order under the MSA. For the Provider: dpo@cts.co.

16.2 Clause 16.1 does not apply to the service of any proceedings or other documents in any legal action or, where applicable, any arbitration or other method of dispute resolution.

This agreement has been entered into on the Commencement Date of any Order Form.

Annex A

Data Processing Purposes and Details

Business Purposes:
The Services described on the Order Form to the Master Agreement.

Nature and Purpose of Processing


Provider will Process Personal Data as necessary to provide the Services pursuant to the Contract in accordance with the Order Form and as instructed by Customer in its use of the Services.

Duration of Processing


Provider will Process Personal Data for the duration of the Contract, unless otherwise agreed in writing.

Personal Data Categories:


Customer may submit Personal Data during the use of the Services, the extent of which is determined and controlled by Customer and which may include the following Personal Data relating to the following categories of Personal Data:

Customer contacts and end users including but not limited to Customer employees, contractors, customers, prospects, suppliers, collaborators and subcontractors; it may also include third party individuals attempting to communicate with Customer's end users.

Data Subject Types:


Customer may submit Personal Data to the Services, the extent of which is determined and controlled by Customer and which may include but is not limited to the following Data Subject types:

Contact information such as names, email addresses, telephone numbers and any other Personal Data submitted by, sent to or received by Customer or its end users through the Services.

Special Categories of Personal Data (if applicable)


The parties do not anticipate any transfer of special categories of data.

Sub-Processors

Subprocessor | Purpose | Location | Website
Google | Cloud Services Provider | US/EU | https://cloud.google.com/terms/data-processing-terms
Microsoft | Cloud Services Provider | US/EU | https://docs.microsoft.com/en-gb/legal/gdpr
Salesforce | CRM supporting business processes | xxx | https://www.salesforce.com/
Hubspot | Marketing processes | US | https://www.hubspot.com/
Atlassian (Jira) | Developer process management | EU | https://www.atlassian.com/software/jira
Zendesk | Customer support | EU | https://www.zendesk.com/


Annex B

Security Measures

This Annex B forms part of the DPA.

Provider currently observes the security measures described in this Annex B.

a) ACCESS CONTROLS.

Software Access. Provider hosts its Software Service on outsourced cloud infrastructure providers. Provider maintains contractual relationships with these providers, in accordance with the DPA, to protect any data stored by these providers.

Authentication: Customer products are protected by an outsourced single sign-on authentication method. No access to any customer data is possible without a valid authorised account managed by the customer on the prospective productivity platform (e.g. Google Workspace).

Physical and environmental security. All product infrastructure for production purposes is hosted by outsourced cloud infrastructure providers and is protected by their published security process including access control.

b) SYSTEM ACCESS CONTROLS. The internal CloudM team's access to customer data is protected by a least privilege model with two-factor authentication enforced as default. All access is logged and monitored.


The implementation of infrastructure protection of data differs between infrastructure providers and includes Virtual Private Cloud (VPC) implementations, security group assignment, and traditional firewall rules.

c) TRANSMISSION CONTROLS. All data transmission as part of the CloudM product suite is performed over HTTPS. The highest level of TLS encryption is applied to traffic depending on what is supported by the platform in use.


All data at rest is fully encrypted.

d) INPUT CONTROLS. Full monitoring and alerting of system traffic and behaviour are in place for the CloudM suite of products. Suspected security incidents are acted upon in line with our information security policy. Customers will be notified by CloudM Support if they are impacted by any security breach.


e) DATA BACKUPS. Fault tolerance: Backup and replication strategies are designed to ensure redundancy and fail-over protections during a significant processing failure. Customer data is backed up to multiple durable data stores and replicated across multiple availability zones. Backup data is segregated from production data and subject to independent access control and monitoring.


f) DATA SEGREGATION. All customer data related to the CloudM suite of products is subject to full segregation based on a multi-tenanted data model. No customers have access to any data outside of their tenant.

Annex C

Standard Contractual Clauses

For the purposes of Article 26(2) of Directive 95/46/EC for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection.

The Customer as defined in the Contract (the data exporter)

And

Cloud Technology Solutions Ltd Trading as CloudM, Lowry House, 17 Marble Street, Manchester M2 3AW.

Each ‘a party’ together ‘the parties’

HAVE AGREED on the following Contractual Clauses (the Clauses) in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the data exporter to the data importer of the personal data specified in Annex A.

1. Definitions

For the purposes of the Clauses:

(a) personal data, special categories of data, process/processing, controller, processor, data subject and supervisory authority shall have the same meaning as in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (1);

(b) the data exporter means the controller who transfers the personal data;

(c) the data importer means the processor who agrees to receive from the data exporter personal data intended for processing on its behalf after the transfer in accordance with its instructions and the terms of the Clauses and who is not subject to a third country's system ensuring adequate protection within the meaning of Article 25(1) of Directive 95/46/EC;

(d) the sub-processor means any processor engaged by the data importer or by any other sub-processor of the data importer who agrees to receive from the data importer or from any other sub-processor of the data importer personal data exclusively intended for processing activities to be carried out on behalf of the data exporter after the transfer in accordance with its instructions, the terms of the Clauses and the terms of the written subcontract;

(e) the applicable data protection law means the legislation protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of personal data applicable to a data controller in the Member State in which the data exporter is established;

(f) technical and organisational security measures means those measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.

2. Details of the transfer

The details of the transfer and in particular the special categories of personal data where applicable are specified in Annex A which forms an integral part of the Clauses.

3. Third-party beneficiary clause

The data subject can enforce against the data exporter this clause 3, clause 4 (b) to (i), clause 5(a) to (e) and clause 5(g) to (j), and clauses 9 to 12 as third-party beneficiary.

The data subject can enforce against the data importer this clause, clause 5(a) to (e) and (g), clause 6, clause 7, clause 8.2 and clause 9 to clause 12, in cases where the data exporter has factually disappeared or has ceased to exist in law unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity.

3.1 The data subject can enforce against the sub-processor this clause 3.1, clause 5(a) to and clause 5(g), clause 6, clause 7, clause 8.2, and clauses 9 to 12, in cases where both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity. Such third-party liability of the sub-processor shall be limited to its own processing operations under the Clauses.

The parties do not object to a data subject being represented by an association or other body if the data subject so expressly wishes and if permitted by national law.

4. Obligations of the data exporter

The data exporter agrees and warrants:

(a) that the processing, including the transfer itself, of the personal data has been and will continue to be carried out in accordance with the relevant provisions of the applicable data protection law (and, where applicable, has been notified to the relevant authorities of the Member State where the data exporter is established) and does not violate the relevant provisions of that State;

(b) that it has instructed and throughout the duration of the personal data-processing services will instruct the data importer to process the personal data transferred only on the data exporter's behalf and in accordance with the applicable data protection law and the Clauses;

(c) that the data importer will provide sufficient guarantees in respect of the technical and organisational security measures specified in Annex B to this contract;

(d) that after assessment of the requirements of the applicable data protection law, the security measures are appropriate to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected having regard to the state of the art and the cost of their implementation;

(e) that it will ensure compliance with the security measures;

(f) that, if the transfer involves special categories of data, the data subject has been informed or will be informed before, or as soon as possible after, the transfer that its data could be transmitted to a third country not providing adequate protection within the meaning of Directive 95/46/EC;

(g) to forward any notification received from the data importer or any sub-processor pursuant to clause 5(b) and clause 8.3 to the data protection supervisory authority if the data exporter decides to continue the transfer or to lift the suspension;

(h) to make available to the data subjects upon request a copy of the Clauses, with the exception of Annex B and a summary description of the security measures, as well as a copy of any contract for sub-processing services which has to be made in accordance with the Clauses, unless the Clauses or the contract contain commercial information, in which case it may remove such commercial information;

(i) that, in the event of sub-processing, the processing activity is carried out in accordance with clause 11 by a sub-processor providing at least the same level of protection for the personal data and the rights of data subjects as the data importer under the Clauses; and

(j) that it will ensure compliance with clause 4(a) to (i).

5. Obligations of the data importer

The data importer agrees and warrants:

(a) to process the personal data only on behalf of the data exporter and in compliance with its instructions and the Clauses; if it cannot provide such compliance for whatever reasons, it agrees to inform promptly the data exporter of its inability to comply, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;

(b) that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the Clauses, it will promptly notify the change to the data exporter as soon as it is aware, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;

(c) that it has implemented the technical and organisational security measures specified in Annex B before processing the personal data transferred;

(d) that it will promptly notify the data exporter about:

(i) any legally binding request for disclosure of the personal data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation;

(ii) any accidental or unauthorised access; and

(iii) any request received directly from the data subjects without responding to that request, unless it has been otherwise authorised to do so;

(e) to deal promptly and properly with all inquiries from the data exporter relating to its processing of the personal data subject to the transfer and to abide by the advice of the supervisory authority with regard to the processing of the data transferred;

(f) at the request of the data exporter to submit its data processing facilities for audit of the processing activities covered by the Clauses which shall be carried out by the data exporter or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality, selected by the data exporter, where applicable, in agreement with the supervisory authority;

(g) to make available to the data subject upon request a copy of the Clauses, or any existing contract for sub-processing, unless the Clauses or contract contain commercial information, in which case it may remove such commercial information, with the exception of Annex B which shall be replaced by a summary description of the security measures in those cases where the data subject is unable to obtain a copy from the data exporter;

(h) that, in the event of sub-processing, it has previously informed the data exporter and obtained its prior written consent;

(i) that the processing services by the sub-processor will be carried out in accordance with clause 11; and

(j) to send promptly a copy of any sub-processor agreement it concludes under the Clauses to the data exporter.

6. Liability

6.1 The parties agree that any data subject, who has suffered damage as a result of any breach of the obligations referred to in clause 3 or in clause 11 by any party or sub-processor is entitled to receive compensation from the data exporter for the damage suffered.

6.2 If a data subject is not able to bring a claim for compensation in accordance with paragraph 1 against the data exporter, arising out of a breach by the data importer or its sub-processor of any of their obligations referred to in clause 3 or in clause 11 because the data exporter has factually disappeared or ceased to exist in law or has become insolvent, the data importer agrees that the data subject may issue a claim against the data importer as if it were the data exporter, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, in which case the data subject can enforce its rights against such entity. The data importer may not rely on a breach by a sub-processor of its obligations in order to avoid its own liabilities.

6.3 If a data subject is not able to bring a claim against the data exporter or the data importer referred to in paragraphs 1 and 2, arising out of a breach by the sub-processor of any of their obligations referred to in clause 3 or in clause 11 because both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, the sub-processor agrees that the data subject may issue a claim against the data sub-processor with regard to its own processing operations under the Clauses as if it were the data exporter or the data importer, unless any successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law, in which case the data subject can enforce its rights against such entity. The liability of the sub-processor shall be limited to its own processing operations under the Clauses.

7. Mediation and jurisdiction

7.1 The data importer agrees that if the data subject invokes against it third-party beneficiary rights and/or claims compensation for damages under the Clauses, the data importer will accept the decision of the data subject:

(a) to refer the dispute to mediation, by an independent person or, where applicable, by the supervisory authority;

(b) to refer the dispute to the courts in the Member State in which the data exporter is established.

7.2 The parties agree that the choice made by the data subject will not prejudice its substantive or procedural rights to seek remedies in accordance with other provisions of national or international law.

8. Cooperation with supervisory authorities

8.1 The data exporter agrees to deposit a copy of this contract with the supervisory authority if it so requests or if such deposit is required under the applicable data protection law.

8.2 The parties agree that the supervisory authority has the right to conduct an audit of the data importer, and of any sub-processor, which has the same scope and is subject to the same conditions as would apply to an audit of the data exporter under the applicable data protection law.

8.3 The data importer shall promptly inform the data exporter about the existence of legislation applicable to it or any sub-processor preventing the conduct of an audit of the data importer, or any sub-processor, pursuant to paragraph 2. In such a case the data exporter shall be entitled to take the measures foreseen in clause 5(b).

9. Governing Law

The Clauses shall be governed by the law of the Member State in which the data exporter is established.

10. Variation of the contract

The parties undertake not to vary or modify the Clauses. This does not preclude the parties from adding clauses on business related issues where required as long as they do not contradict the Clauses.

11. Sub-processing

11.1 The data importer shall not subcontract any of its processing operations performed on behalf of the data exporter under the Clauses without the prior written consent of the data exporter. Where the data importer subcontracts its obligations under the Clauses, with the consent of the data exporter, it shall do so only by way of a written agreement with the sub-processor which imposes the same obligations on the sub-processor as are imposed on the data importer under the Clauses. Where the sub-processor fails to fulfil its data protection obligations under such written agreement the data importer shall remain fully liable to the data exporter for the performance of the sub-processor's obligations under such agreement.

11.2 The prior written contract between the data importer and the sub-processor shall also provide for a third-party beneficiary clause as laid down in clause 3 for cases where the data subject is not able to bring the claim for compensation referred to in paragraph 1 of clause 6 against the data exporter or the data importer because they have factually disappeared or have ceased to exist in law or have become insolvent and no successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law. Such third-party liability of the sub-processor shall be limited to its own processing operations under the Clauses.

11.3 The provisions relating to data protection aspects for sub-processing of the contract referred to in paragraph 1 shall be governed by the law of the Member State in which the data exporter is established.

11.4 The data exporter shall keep a list of sub-processing agreements concluded under the Clauses and notified by the data importer pursuant to clause 5(j), which shall be updated at least once a year. The list shall be available to the data exporter's data protection supervisory authority.

12. Obligation after the termination of personal data processing services

12.1 The parties agree that on the termination of the provision of data-processing services, the data importer and the sub-processor shall, at the choice of the data exporter, return all the personal data transferred and the copies thereof to the data exporter or shall destroy all the personal data and certify to the data exporter that it has done so, unless legislation imposed upon the data importer prevents it from returning or destroying all or part of the personal data transferred. In that case, the data importer warrants that it will guarantee the confidentiality of the personal data transferred and will not actively process the personal data transferred anymore.

ANNEX A to the Standard Contractual Clauses

This Annex forms part of the Standard Contractual Clauses (the Clauses).

Defined terms used in this Annex A shall have the meaning given to them in the Contract.

Data exporter

The data exporter is the legal entity specified as Customer in the DPA.

Data importer

The data importer is the Provider specified in the DPA.

Data Subjects

Annex A of the DPA describes the Data Subjects.

Categories of Data

Annex A of the DPA describes the categories of data.

Special Categories of data (if appropriate)

The parties do not anticipate the transfer of special categories of data.

Purposes of Processing

Provider will Process Personal Data as necessary to provide the Services pursuant to the Contract in accordance with the Order Form and as instructed by Customer in its use of the Services.

ANNEX B to the Standard Contractual Clauses


This Annex B forms part of the Standard Contractual Clauses.

Description of the technical and organisational security measures implemented by the data importer in accordance with clause 4(d) and clause 5(c) (or documents/legislation attached):

Annex B of the DPA describes the technical and organisational security measures implemented by Provider.

ANNEX C to the Standard Contractual Clauses


This Annex C forms part of the Standard Contractual Clauses (the Clauses).

This Annex C sets out the parties' interpretation of their respective obligations under specific terms of the Clauses. Where a party complies with the interpretations set out in this Annex C, that party shall be deemed by the other party to have complied with its commitments under the Clauses.

For the purposes of this Appendix, DPA means the Data Processing Agreement in place between Customer and Provider and to which these Clauses are incorporated and "Contract" shall have the meaning given to it in the DPA.

Clause 4(h) and 8: Disclosure of these Clauses


a) Data exporter agrees that these Clauses constitute data importer's Confidential Information as that term is defined in the Contract and may not be disclosed by data exporter to any third party without data importer's prior written consent unless permitted pursuant to Contract. This shall not prevent disclosure of these Clauses to a data subject pursuant to Clause 4(h) or a supervisory authority pursuant to Clause 8.

Clauses 5(a) and 5(b): Suspension of data transfers and termination


a) The parties acknowledge that the data importer may process the personal data only on behalf of the data exporter and in compliance with its instructions as provided by the data exporter and the Clauses.

b) The parties acknowledge that if data importer cannot provide such compliance in accordance with Clause 5(a) and Clause 5(b) for whatever reason, the data importer agrees to inform promptly the data exporter of its inability to comply, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract the affected parts of the Services in accordance with the terms of the Contract.

c) If the data exporter intends to suspend the transfer of personal data and/or terminate the affected parts of the Services, it shall endeavour to provide notice to the data importer and provide data importer with a reasonable period of time to cure the non-compliance (“Cure Period”).

d) If required, the parties shall reasonably cooperate with each other during the Cure Period to agree what additional safeguards or other measures, if any, may be reasonably required to ensure the data importer's compliance with the Clauses and applicable data protection law.

e) If after the Cure Period the data importer has not or cannot cure the non-compliance then the data exporter may suspend and/or terminate the affected part of the Services in accordance with the provisions of the Contract without liability to either party (but without prejudice to any fees incurred or to be incurred by the data exporter prior to suspension or termination). The data exporter shall not be required to provide such notice in instances where it considers there is a material risk of harm to data subjects or their personal data.

Clause 5(f): Audit


a) Data exporter acknowledges and agrees that it exercises its audit right under Clause 5(f) by instructing data importer to comply with the audit measures described in the 'Demonstration of Compliance' section of the DPA.

Clause 5(j): Disclosure of Sub-Processor agreements


a) The parties acknowledge the obligation of the data importer to send promptly a copy of any onward Sub-Processor agreement it concludes under the Clauses to the data exporter.

b) The parties further acknowledge that, pursuant to Sub-Processor confidentiality restrictions, data importer may be restricted from disclosing onward Sub-Processor agreements to data exporter. Notwithstanding this, data importer shall use reasonable efforts to require any Sub-Processor it appoints to permit it to disclose the Sub-Processor agreement to data exporter.

c) Even where data importer cannot disclose a Sub-Processor agreement to data exporter, the parties agree that, upon the request of data exporter, data importer shall (on a confidential basis) provide all information it reasonably requires in connection with such Sub-Processing agreement to data exporter.

Clause 6: Liability


a) Any claims brought under the Clauses shall be subject to the terms and conditions, including but not limited to, the exclusions and limitations set forth in the Contract. In no event shall any party limit its liability with respect to any data subject rights under these Clauses.

Clause 11: Onward Sub-Processing

a) The parties acknowledge that, pursuant to FAQ II.1 in Article 29 Working Party Paper WP 176 entitled "FAQs in order to address some issues raised by the entry into force of the EU Commission Decision 2010/87/EU of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC" the data exporter may provide a general consent to onward Sub-Processing by the data importer.

b) Accordingly, data exporter provides a general consent to data importer, pursuant to Clause 11 of these Clauses, to engage onward Sub-Processors.

Clause 12: Obligation after the termination of personal data-processing services

a) Data importer agrees that the data exporter will fulfil its obligation to return or destroy all the personal data on the termination of the provision of data-processing services by complying with the 'Data Return and Destruction' section.
