Last updated on: January 15, 2023
This Data Processing Agreement and its Annexes (“Data Processing Agreement” or “DPA”) reflects the parties’ agreement with respect to the Processing of Personal Data by us on behalf of you in connection with the Cloudforest Services under the Cloudforest Customer Terms of Service available at https://legal.cloudforest.io/terms between you and us (also referred to in this DPA as the “Agreement”). The DPA amends the Agreement by and between you and Untrodden Inc. dba Cloudforest, a Delaware corporation with offices at 2150 Hyde St., #11, San Francisco, California USA.
This DPA is supplemental to, and forms an integral part of, the Agreement and is effective upon its incorporation into the Agreement, which may be specified in the Agreement, an Order or an executed amendment to the Agreement. In case of any conflict or inconsistency with the terms of the Agreement, this DPA will take precedence over the terms of the Agreement to the extent of such conflict or inconsistency.
BACKGROUND AND PURPOSE OF PROCESSING
In relation to the Services, Cloudforest (the “Processor”) may process information and data, which can be considered Personal Data in the meaning of data protection legislation, i.e. Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 effective from 25 May 2018 (“Data Protection Legislation”), on behalf of the User (the “Controller”).
Where the Processor processes such Personal Data on behalf of the Controller, the Processor is considered a data processor according to Data Protection Legislation, and the Controller a data controller.
The purpose of this Data Processing Agreement is to regulate the Parties’ rights and obligations in relation to the Processor’s processing of Personal Data on behalf of the Controller, particularly to ensure the secure processing of the Personal Data and to fulfil the requirement of the Data Protection Legislation.
(a) “Data Protection Legislation” means European Union Regulation 2016/679 (the “General Data Protection Regulation”) or California Civil Code Section 1798.100-1798.199 (the “California Consumer Privacy Act of 2018”), as applicable, and any legislation and/or regulation implementing or made pursuant to it, or which amends or replaces any of it, and any other applicable legislation;
(b) “Data Processor”, “Data Controller”, “Data Subject”, “Processing”, “Subprocessor”, and “Supervisory Authority” shall be interpreted in accordance with the General Data Protection Regulation;
(c) “Service Provider” shall be interpreted in accordance with the California Consumer Privacy Act of 2018;
(d) “Personal Data” as used in this Addendum means information that relates to, or could reasonably be linked with, to an identifiable or identified Data Subject who visits or engages in transactions through your store (a “Customer”), which Cloudforest Processes as a Data Processor or Service Provider in the course of providing you with the Services.
(e) “Data Subject Request” as used in this Addendum means a request for access, erasure, rectification, or portability of your Customer’s Personal Data; and
(f) All other capitalized terms in this Addendum shall have the same definition as in the Agreement.
2 Processing of Personal Data and Categories of Personal Data and Data Subjects
2.1 The Processor will process Personal Data related to the Controller’s business activities on behalf of the Controller (the “Data Subjects”).
2.2 The Processor will process the personal data uploaded by the Controller on the Processor’s Software (the “Personal Data”). They may include e.g.:
- Contact information
- Travel arrangement and participant information
- Sensitive Personal Data, such as religious beliefs and health information.
3 The Processor’s Obligations
3.1 The Processor is only permitted to process Personal Data on behalf of the Controller in accordance with this Data Processing Agreement or in accordance with the Controller’s documented instructions, unless the Processor is authorized to do so by law.
3.2 The Processor shall ensure that its employees, and others who have access to the Personal Data, only process the Personal Data according to the instructions given by the Controller.
4 The Controller’s Obligations
4.1 The Controller warrants that it has the right to process the Personal Data in question, and that it has the right to appoint the Processor to process the Personal Data on the Controller’s behalf.
4.2 The Controller shall be responsible for notifying the processing activities to the applicable data protection authority and/or acquiring a permit for the processing, where applicable.
5 Confidentiality and Training of Employees
The Processor shall ensure that all employees, and others who may have access to the Personal Data, have committed themselves to confidentiality about everything they learn of while processing Personal Data on behalf of the Controller.
6 Security Measures
6.1 The Processor shall ensure that appropriate technical and organizational measures are implemented to ensure a level of security of the Personal Data processed on behalf of the Controller. The measures shall ensure a level of security appropriate to the risk, taking into account the state of the art, the cost of implementation and the nature, scope, context and purpose of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.
6.2 The Processor is responsible for ensuring that the technical and organizational measures adopted at all times are appropriate and sufficient.
6.3 For the purposes of preventing and limiting damage caused by human error, theft, fraud and other abuse, the Processor will implement and maintain:
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; and
- a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of processing.
6.4 The Processor will limit the access to the Personal Data to only those who need it for the purpose of its duties according to this Data Processing Agreement.
6.5 The Processor will ensure that all employees, who have access to the Personal Data from the Controller, have received appropriate training on the laws relating to the handling of Personal Data and are aware both of the Processors‘ duties, as well as their personal duties and obligations under Data Protection Legislation and this Data Processing Agreement.
6.6 The Processor shall notify the Controller without undue delay after becoming aware of a Personal Data breach and shall take reasonable steps to mitigate the effects and to minimize any damage resulting from such breach. To assist the Controller in relation to any Personal Data breach notification the Controller is required to make under the relevant Data Protection Legislation, such a notification shall include information the Processor reasonably is able to disclose to the Controller, taking into account the nature of the service, the information available to the Processor and any restriction on disclosing the information, such as confidentiality.
6.7 The Processor shall inform the Controller of where the Personal Data is stored upon request. The Processor may transfer Personal Data outside the European Economic Area, however only if such transfer is to an entity in a country that provides an adequate level of personal data protection within the meaning of Data Protection Legislation or the entity: (a) is part of the EU-U.S. Privacy Shield Framework; or (b) uses Standard Contractual Clauses adopted by the European Commission. If the mechanism used by the Parties for the transfer of Personal Data to third countries should become invalid, the Parties will promptly put in place an alternative mechanism for the transfer of Personal Data to third countries. Cloudforest primarily hosts the Personal Data at Amazon Web Services.
7 Internal Audit
7.1 The Processor shall conduct an internal audit of the processing of Personal Data to make sure the Personal Data is processed in accordance with applicable law and that appropriate security measures have been implemented.
7.2 The internal audit shall be conducted regularly. The frequency and scope of the audit shall be decided depending on the risk involved by the processing, the nature of the data being processed, the technique being used to ensure the security of the data and the cost of the audit. The audit shall be performed at the least once a year.
7.3 The Processor shall prepare a report on the performance of the internal audit. The report shall describe the outcome of each element of the audit. The reports shall be securely stored.
8.1 The Controller accepts the Processor’s use of sub-processors to perform specific processing activities according to this Data Processing Agreement. A list of the Processors sub-processors shall be available upon reasonable request. The Controller can always object to the use of sub-processors within 30 days from receipt of such list.
8.2 The Processor shall impose materially the same data protection obligations as set out in this Data Processing Agreement and the Data Protection Legislation on any sub-processor.
8.3 The Processor shall always remain fully liable to the Controller for the performance of the sub-processor’s obligations.
9 Data Subject Requests and Third Party Rights RIGHTS
9.1 The Processor shall assist the Controller by appropriate technical and organizational measures, to the extent reasonable possible, to respond to requests for exercising any Data Subject’s rights in accordance with the Data Protection Legislation, e.g. access to Personal Data, rectification or erasure of data and portability of data. The same applies to any requests and enquiries by relevant supervisory authorities.
9.2 The Processor shall refer any Data Subjects’ requests which relate to the Controller’s data to the Controller.
10 Duration of Data Processing Agreement
The Data Processing Agreement shall be valid as long as the Agreement is in force.
11 Erasure or Return of Personal Data
11.1 The Processor shall, in consult with the Controller, erase the Personal Data where the data is no longer necessary in relation to the purposes for which they were collected, unless otherwise required by law.
11.2 The Controller can at any time instruct the Processor to erase or return Personal Data to the Controller. The Processor shall respond to such instructions as soon and to the extent reasonably possible.
11.3 Upon the termination of this Data Processing Agreement the Processor shall, at the Controller’s choosing, erase or return all Personal Data it stores or has access to, to the Controller. The Processor shall also erase all copies of the Personal Data, unless the Processor is obligated by law to store the data.
12 Indemnity and Costs
12.1 Each Party will hold the other Party harmless of any claims, damages, penalties and any costs or fees, of whatever nature incurred by the Party or for which the Party may become liable due to any failure by the other Party or its employees or agents to comply with any of its obligations under this Data Processing Agreement or any Data Protection Legislation.
12.2 The Controller shall indemnify and keep indemnified the Processor against all costs that relate to the Processor’s assistance to the Controller based on this Data Processing Agreement.
13 Access to Information on Processing
The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down by Data Protection Legislation and this Data Processing Agreement, upon request from the Controller.
All notifications according to this Data Processing Agreement shall be done in writing via email. Cloudforest’s email address is [email protected].
This Data Processing Agreement shall prevail over other agreements in relation to the Processor’s processing of Personal Data on behalf of the Controller and other related obligations. Any other provisions of the Agreement shall remain in effect.
The Processor confirms that it has the ability and competence to fulfill the obligations set out in this Data Processing Agreement.