CloudM Data Processing Addendum

v1 - 1 April 2024

This Data Processing Addendum (DPA) supplements the Main Agreement (as defined below) entered into between the End User and CloudM and sets out the additional terms, requirements, and conditions on which CloudM will obtain, handle, process, disclose, transfer, or store Personal Data when providing services under the Main Agreement.

1 Definitions and Interpretation

In addition to the definitions and rules of interpretation set out in the Main Agreement, the following applies in this DPA:

1.1 Definitions:

Business Day: a day other than a Saturday, Sunday or public holiday in England and Wales, when banks in London are open for business;

Business Purpose: the provision of the services described in the Main Agreement or any other purpose specifically identified in Annex A;

Main Agreement: means, in respect of:

(i) Direct Customers: the Order Form, including any terms incorporated therein; or

(ii) Indirect Customers: the end-user agreement entered into between the End User and CloudM, being the EULA or Subscription Agreement, as applicable;

Controller: shall have the meaning given to it by the Privacy and Data Protection Requirements;

Data Subject: shall have the meaning given to it by the Privacy and Data Protection Requirements;

GDPR: for any transfers or processing of data in the UK, has the meaning given to it in section 3(10) (as supplemented by section 205(4)) of the DPA 2018, and insofar as it relates to personal data processed in the EU, means the General Data Protection Regulation ((EU) 2016/679);

ICO: means the Information Commissioner’s Office or any successor from time to time;

Personal Data: has the meaning given to it under the Privacy and Data Protection Requirements, which is processed by CloudM on behalf of the End User as a result of, or in connection with, the provision of the Services under the Main Agreement; 

Processing, processes, and process: any activity that involves the use of Personal Data, or as the relevant Privacy and Data Protection Requirements may otherwise define the terms processing, processes or process. It includes obtaining, recording, or holding the data, or carrying out any operation or set of operations on the data including organising, amending, retrieving, using, disclosing, erasing, or destroying it. Processing also includes transferring Personal Data to third parties;

Processor: has the meaning given to it by the Privacy and Data Protection Requirements;

Privacy and Data Protection Requirements: all applicable laws and regulations relating to the processing, protection, or privacy of Personal Data, including without limitation: (i) the GDPR; (ii) the Data Protection Act 2018 (DPA); (iii) the Privacy and Electronic Communications Regulations 2003; and (iv) all other legislation and regulatory requirements in force from time to time which apply to a party relating to the use of Personal Data (including, without limitation, the privacy of electronic communications) and where applicable, the guidance and codes of practice issued by regulatory bodies in any relevant jurisdiction;

Security Breach: has the meaning of ‘personal data breach’ as defined in Article 4(12) of the GDPR;

Services: the services procured by the End User from CloudM under an Order Form, as more particularly described in the relevant Main Agreement;

Standard Contractual Clauses (SCC): the ICO’s International Data Transfer Agreement for the transfer of personal data from the UK and/or the ICO’s International Data Transfer Addendum to EU Commission Standard Contractual Clauses and/or the European Commission’s Standard Contractual Clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 as set out in the Annex to Commission Implementing Decision (EU) 2021/914 and/or the European Commission’s Standard Contractual Clauses for the transfer of Personal Data from the European Union to processors established in third countries (controller-to-processor transfers), as set out in the Annex to Commission Decision 2010/87/EU, or such alternative clauses as may be approved by the European Commission or by the ICO from time to time;

Sub-Processor: any Processor engaged by CloudM to assist in fulfilling CloudM’s obligations with respect to the provision of the Services under the Main Agreement;

Third Countries: means: (a) any country outside of the UK, with the exception of any countries that the UK government has declared to have an adequate level of data protection; and (b) any country outside of the EU, with the exception of any countries that the European Commission has declared to have an adequate level of data protection.

1.2 This DPA is incorporated in, and subject to the terms of, the Main Agreement.

1.3 The Annexes form part of this DPA and will have effect as if set out in full in the body of this DPA. Any reference to this DPA includes the Annexes.

1.4 In the case of conflict or ambiguity between:

1.4.1 any provision contained in the body of this DPA and any provision contained in the Annexes, the provision in the body of this DPA will prevail;

1.4.2 the terms of any accompanying invoice or other documents annexed to this DPA and any provision contained in the Annexes, the provision contained in the Annexes will prevail;

1.4.3 any of the provisions of this DPA and the provisions of the Main Agreement, the provisions of this DPA will prevail; and

1.4.4 any of the provisions of this DPA and any executed Standard Contractual Clauses, the provisions of the executed Standard Contractual Clauses will prevail.

2 Personal Data Types and Processing Purposes

2.1 The End User and CloudM acknowledge that for the purpose of applicable Privacy and Data Protection Requirements, the End User is the Controller and CloudM is the Processor.

2.2 The End User retains control of the Personal Data and remains responsible for its compliance obligations under the applicable Privacy and Data Protection Requirements, including (without limitation) for the processing instructions it gives to CloudM.

2.3 The End User acknowledges and agrees that it is responsible for (i) the accuracy, quality and legality of the End User Data and the means by which the End User acquired Personal Data; (ii) complying with all necessary transparency and lawfulness requirements under applicable Privacy and Data Protection Requirements for the collection and use of Personal Data, including obtaining any necessary consents and authorisations; (iii) ensuring the End User has the right to transfer, or provide access to, the Personal Data to CloudM for Processing in accordance with the terms of the Main Agreement including this DPA; and (iv) ensuring that the End User’s instructions to CloudM regarding the Processing of Personal Data comply with all applicable laws. The End User shall inform CloudM without undue delay if it is not able to comply with its responsibilities under this clause 2.3 or the Privacy and Data Protection Requirements.

2.4 Annex A describes the subject matter, duration, nature and purpose of the Processing and the general Personal Data categories and Data Subject types CloudM may process to fulfil the Business Purposes of the Main Agreement.

3 CloudM’s Obligations

3.1 The parties agree that the Main Agreement (including this DPA) together with the End User’s use of the Services in accordance with the Main Agreement, constitute its complete and final instructions to CloudM in relation to the processing of Personal Data, and additional instructions outside the scope of the instructions shall require prior written agreement between the parties, including agreement on any additional fees payable by the End User to CloudM for carrying out such instructions. CloudM will only process the Personal Data to the extent that is necessary for the Business Purposes in accordance with the End User’s instructions. CloudM will not process the Personal Data for any other purpose or in a way that does not comply with this DPA or the Privacy and Data Protection Requirements. CloudM must promptly notify the End User if, in its opinion, the End User’s instruction would not comply with the Privacy and Data Protection Requirements.

3.2 CloudM must promptly comply with any lawful request or instruction of the End User requiring CloudM to amend, transfer, or delete the Personal Data, or to stop, mitigate, or remedy any unauthorised processing. CloudM is not responsible for compliance with any Privacy and Data Protection Requirements applicable to the End User’s industry that is not generally applicable to CloudM.

3.3 CloudM will maintain the confidentiality of all Personal Data and will not disclose Personal Data to third parties unless as may be necessary to maintain or provide the Services, and/or unless the End User or this DPA specifically authorises the disclosure, and/or as required by law or a valid and binding order of a governmental body. If applicable law requires CloudM to process or disclose Personal Data, CloudM must first inform the End User of such legal requirement and give the End User an opportunity to object or challenge the requirement, unless applicable law prohibits such notice.

3.4 CloudM will reasonably assist the End User with meeting the End User’s compliance obligations under the Privacy and Data Protection Requirements, whilst taking into account the nature of CloudM’s processing and the information available to CloudM.

3.5 CloudM shall notify the End User immediately if, in CloudM’s opinion, an instruction of the End User infringes the Privacy and Data Protection Requirements, in which case, the End User shall be entitled to withdraw or modify its instructions, subject to the provisions of clause 3.1.

3.6 The End User acknowledges that CloudM is under no duty to investigate the completeness, accuracy, or sufficiency of any specific End User instructions or the Personal Data other than as required under the Privacy and Data Protection Requirements.

4 CloudM’s Employees

4.1 CloudM will limit Personal Data access to: (a) those employees who require Personal Data access to meet CloudM’s obligations under this DPA; and (b) the part or parts of the Personal Data that those employees strictly require for the performance of their duties.

4.2 CloudM will ensure that all employees:

4.2.1 are informed of the Personal Data’s confidential nature and use restrictions;

4.2.2 have undertaken training on the Privacy and Data Protection Requirements relating to handling Personal Data and how it applies to their particular duties; and

4.2.3 are aware both of CloudM’s duties and their personal duties and obligations under the Privacy and Data Protection Requirements and this DPA.

4.3 CloudM will take reasonable steps to ensure the reliability, integrity, and trustworthiness of any CloudM employee with access to the Personal Data, and will conduct background checks consistent with applicable law on those employees.

5 Security

5.1 CloudM must at all times implement appropriate technical and organisational measures to protect Personal Data against unauthorised or unlawful processing, access, copying, modification, storage, reproduction, display, or distribution, and against accidental loss, destruction, or damage including (but not limited to) the security measures set out at Annex B.

6 Security Breach and Personal Data Loss

6.1 CloudM will promptly notify the End User if it becomes aware of a Security Breach affecting the Personal Data.

6.2 CloudM will:

6.2.1 comply with any obligations under the Privacy and Data Protection Requirements to report a Security Breach in respect of the Personal Data to any regulatory body and/or affected Data Subjects; and

6.2.2 provide reasonable assistance to the End User to facilitate the handling of any Security Breach affecting Personal Data.

7 Transfers of Personal Data

7.1 The End User acknowledges and agrees that CloudM may access and Process Personal Data on a global basis, as necessary to provide the Services in accordance with the Main Agreement, and in particular where Sub-Processors have operations. CloudM will ensure such transfers, particularly when to a Third Country, are made in compliance with the Privacy and Data Protection Requirements.

7.2 If any Personal Data transfer between CloudM and the End User requires execution of Standard Contractual Clauses in order to comply with the Privacy and Data Protection Requirements, the parties will complete all relevant details in, and execute, the Standard Contractual Clauses, and take all other actions required to legitimise the transfer, including, if necessary: (a) co-operating to register the Standard Contractual Clauses with any supervisory authority in any member state of the European Economic Area; (b) procuring approval from any such supervisory authority; or (c) providing additional information about the transfer to such supervisory authority.

8 Sub-Processors

8.1 The End User agrees that CloudM may engage Sub-Processors to process the Personal Data on its behalf. CloudM has currently appointed the Sub-Processors set out at www.cloudm.io/legal/sub-processors.

8.2 Where CloudM engages Sub-Processors, CloudM will enter into a written contract with the Sub-Processor that contains terms substantially identical to those set out in this DPA (including, where appropriate, Standard Contractual Clauses). CloudM remains responsible for each Sub-Processor’s performance of its obligations and for any acts or omissions of such Sub-Processor that cause CloudM to breach any of its obligations under this DPA.

8.3 CloudM shall notify the End User if it intends to appoint a new Sub-Processor at least 28 days prior to such appointment. Within 14 days of such notice, the End User may object to the intended involvement of the Sub-Processor, providing detailed and justifiable grounds for the objection. If a justifiable objection is made, CloudM will, at its sole discretion, either (i) not use the Sub-Processor to provide the Services; (ii) propose an alternative; or, if neither (i) nor (ii) is feasible, (iii) permit the End User to terminate the affected portion of the Services in accordance with the termination provisions in this DPA, and obtain a pro-rata refund for that affected portion.

9 Complaints and Data Subject Rights Requests

9.1 CloudM must promptly notify the End User if it receives any complaint, notice, or communication that relates directly or indirectly to the processing of the End User’s Personal Data. 

9.2 CloudM must notify the End User within 3 Business Days if it receives a request from a Data Subject for access to their Personal Data or to exercise any of their other rights under the Privacy and Data Protection Requirements.

9.3 CloudM will provide such assistance as is reasonably required to enable the End User to respond to any complaint, notice, communication, or Data Subject request.

9.4 CloudM must not respond to a request from a Data Subject relating to the Personal Data hereunder, other than at the End User’s request or instruction, as provided for in this DPA or as required by applicable law.

10 Term and Termination

10.1 This DPA will remain in full force and effect so long as (a) the Main Agreement remains in effect, or (b) CloudM retains any Personal Data related to the Main Agreement in its possession or control.

10.2 Any provision of this DPA that expressly or by implication should come into or continue in force on or after termination of the Main Agreement in order to protect Personal Data will remain in full force and effect.

10.3 CloudM’s failure to materially comply with the terms of this DPA is a material breach of the Main Agreement. In such event, the End User may terminate any part of the Main Agreement authorising the processing of Personal Data effective immediately upon written notice to CloudM, without further liability or obligation.

10.4 If a change in any Privacy and Data Protection Requirement prevents either party from fulfilling all or part of its obligations under the Main Agreement, the parties will suspend the processing of Personal Data until that processing complies with the new requirements. If the parties are unable to bring the Personal Data processing into compliance with the Privacy and Data Protection Requirement within 20 Business Days, CloudM may terminate the Main Agreement on no less than 14 Business Days written notice to the End User.

11 Data Return and Destruction

11.1 At the End User’s request, CloudM will give the End User a copy of, or access to, the End User’s Personal Data in its possession or control, in the format and on the media reasonably specified by the End User.

11.2 On termination of the Main Agreement for any reason or expiry of its term, CloudM will securely destroy or, if directed in writing by the End User, return and not retain, the Personal Data related to this DPA in its possession or control, save that CloudM may retain the Personal Data where it has a legitimate reason for doing so and for no longer than the maximum retention period applicable to such Personal Data, as set out in the Privacy and Data Protection Requirements. For the avoidance of doubt, CloudM will retain Personal Data that is relevant to the provisions of the Main Agreement that survive termination for as long as those provisions survive, as well as Personal Data that is necessary to enforce its legal rights.

11.3 If any law, regulation, or government, or regulatory body requires CloudM to retain any documents or materials that CloudM would otherwise be required to return or destroy, it will notify the End User in writing of that retention requirement, giving details of the documents or materials that it must retain, the legal basis for retention, and establishing a specific timeline for destruction once the retention requirement ends.

11.4 Where requested by the End User, CloudM will certify in writing that it has destroyed the Personal Data within 20 Business Days after it completes the destruction.

12 Records

12.1 CloudM will keep detailed, accurate, and up-to-date records regarding any processing of Personal Data it carries out for the End User, including but not limited to, the access, control, and security of the Personal Data, approved subcontractors and affiliates, and the processing purposes (Records).

12.2 CloudM will ensure that the Records are sufficient to enable the End User to verify CloudM’s compliance with its obligations under this DPA.

13 Audit

13.1 At least once per year, CloudM will conduct site audits of its Personal Data processing practices and the information technology and information security controls for all facilities and systems used in complying with its obligations under this DPA, including, but not limited to, obtaining a network-level vulnerability assessment performed by a recognised third-party audit firm based on recognised industry best practices.

13.2 CloudM has and maintains ISO 27001 certification, and will make the relevant certificate available to the End User upon request.

14 Warranties

14.1 CloudM warrants that:

14.1.1 its employees, subcontractors, agents and any other person or persons accessing Personal Data on its behalf have received the required training on the Privacy and Data Protection Requirements relating to the Personal Data;

14.1.2 it and anyone operating on its behalf will process the Personal Data in compliance with all applicable Privacy and Data Protection Requirements; and

14.1.3 it has no reason to believe that any Privacy and Data Protection Requirements prevent it from providing any of the Services.

14.2 The End User warrants and represents that CloudM’s expected use of the Personal Data for the Business Purpose and as specifically instructed by the End User will comply with all Privacy and Data Protection Requirements.

15 Indemnification

15.1 Upon prompt notification by the End User, CloudM agrees to indemnify, keep indemnified, and defend at its own expense the End User against all reasonable costs, claims, damages, or expenses incurred by the End User or for which the End User may become liable due to any failure by CloudM or its employees, subcontractors, or agents to comply with any of its obligations under this DPA or applicable Privacy and Data Protection Requirements, subject to clauses 15.2 and 15.3.

15.2 CloudM will not indemnify the End User under clause 15.1 for:

15.2.1 any sums paid out by the End User without first obtaining CloudM’s consent; or

15.2.2 regulatory fines and penalties.

15.3 The limitation and exclusions of liability set out in the Main Agreement shall apply to the indemnity in clause 15.1 and CloudM’s reimbursement obligations in this DPA. 

15.4 During the Term, CloudM must, at its own cost and expense, obtain and maintain insurance, in full force and effect, sufficient to cover CloudM’s potential indemnity or reimbursement obligations. CloudM will produce the policy and premium payment receipt to the End User on request. CloudM will give the End User thirty (30) days’ advance written notice if the policy materially changes or is cancelled.

16 Notice

16.1 Any notice or other communication given to a party under or in connection with this DPA must be in writing and delivered to: 

  • For the End User: the End User Account Manager or data privacy officer set out in the relevant Order Form;
  • For CloudM: legal@cloudm.io.

16.2 Clause 16.1 does not apply to the service of any proceedings or other documents in any legal action or, where applicable, any arbitration or other method of dispute resolution.

Annex A

Data Processing Purposes and Details

Business Purposes

The Services procured by the End User under the Order Form, as further described in the Main Agreement. 

Nature and Purpose of Processing

CloudM will Process Personal Data as necessary to provide the Services pursuant to the Main Agreement and as instructed by the End User in its use of the Services.

Duration of Processing

Subject to the terms of clause 11 of the DPA, CloudM will Process Personal Data for the duration of the Main Agreement, unless otherwise agreed in writing.

Categories of Personal Data 

The End User may submit Personal Data during the use of the Services, the extent of which is determined and controlled by the End User, and which may include, but is not limited to, the following categories of Personal Data:

Contact information such as names, email addresses, telephone numbers and any other Personal Data submitted by, sent to or received by the End User and its Authorised Users through the Services.

Types of Data Subject 

The End User may submit Personal Data during the use of the Services, the extent of which is determined and controlled by the End User, and which may include, but is not limited to, the following types of Data Subjects:

The End User’s and its Authorised Users’ employees, contractors, customers, prospects, suppliers, collaborators and subcontractors; this may also include third-party individuals attempting to communicate with the End User or its Authorised Users.

Special Categories of Personal Data (if applicable)

The parties do not anticipate any transfer of special categories of data.


Annex B

Security Measures

CloudM currently observes the security measures described in this Annex B.

ACCESS CONTROLS

Software Access – CloudM hosts its software service on outsourced cloud infrastructure. CloudM maintains contractual relationships with the providers of these cloud infrastructures in accordance with the DPA to protect any data stored by these cloud infrastructure providers.

Authentication – the CloudM Modules are protected by outsourced single sign-on authentication methods. No access to any End User data is possible without a valid authorised account managed by the End User on the Domain. 

Physical and Environmental Security – the infrastructure for all CloudM Modules used for production purposes is hosted by outsourced cloud infrastructure providers and is protected by their published security processes, including access control.

SYSTEM ACCESS CONTROLS

CloudM’s access to End User data is protected in accordance with the principle of least privilege, with two-factor authentication enforced by default. All access is logged and monitored.

The implementation of infrastructure protection of data differs between infrastructure providers and includes Virtual Private Cloud (VPC) implementations, security group assignment, and traditional firewall rules.

TRANSMISSION CONTROLS

All data transmission to the CloudM Modules is performed over HTTPS. The highest level of TLS encryption is applied to traffic depending on what is supported by the End User’s Domain platform.

All data at rest is fully encrypted.

INPUT CONTROLS

Full monitoring and alerting of system traffic and behaviour are in place for the CloudM Modules. 

DATA BACKUPS

Backup and replication strategies are designed to ensure redundancy and fail-over protections during a significant processing failure. End User data is backed up to multiple durable data stores and replicated across multiple availability zones. Backup data is segregated from production data and subject to independent access control and monitoring.

DATA SEGREGATION

All End User data processed on the CloudM Modules is subject to full segregation based on a multi-tenanted data model. Individual End Users do not have access to any data outside of their tenant.