1. When you, in your capacity as Account Owner, use our Service, you will act as a controller (or other processor, as the case may be) of personal data, and we will in turn act as a processor (or sub-processor, as the case may be) of such personal data, under and in accordance with applicable data protection legislation (as defined herein).
2. Customers using cloud services to process personal data are required to have a data processing agreement in place between them (this being the Account Owner) and their cloud services provider (this being Us) in order to ensure that any form of processing is conducted in accordance with applicable laws including the GDPR. This Addendum applies if and to the extent that we process personal data of or on behalf of a customer that qualifies as a controller or processor with respect to that personal data under applicable data protection legislation (as defined below).
We are committed to working alongside you to ensure GDPR compliance at all times. Any queries regarding this Addendum should be sent to firstname.lastname@example.org.
In this Addendum, the following terms shall have the following meanings:
1. Details of the Processing.
2. Relationship between the parties to this Addendum.
3. Instructions from the Data Controller
4. Prohibited Data
You shall not disclose (and shall not permit any data subject to disclose) any special categories of personal data to us for processing unless you have been specifically requested by us to do so.
5. Restricted International Transfers
We shall not transfer Data outside of the European Union/European Economic Area (‘EU/EEA’) unless we have taken such measures as are necessary to ensure that the transfer is compliant with applicable data protection legislation. Such measures may include, without limitation, transferring the Data to a country that is deemed to afford an adequate level of protection of personal data, equivalent to EU standards, or to a data recipient/importer that has otherwise executed standard contractual clauses or binding corporate rules, where applicable, adopted or approved, as the case may be, by the European Commission. In the event of any conflict or inconsistency between this Addendum and any such standard contractual clauses, the standard contractual clauses shall prevail.
6. Confidentiality of Processing and Training
You hereby agree that we may appoint and engage third parties as sub-processors to process Data for the Permitted Purpose on our behalf and/or pursuant to your Instructions, provided that:
8. Data Subject Rights and Cooperation
Taking into account the nature of the processing, we endeavour to co-operate and assist you, to the fullest extent of our ability and in a timely manner, in so far as this is possible and reasonable for us to do so, to respond to any inquiries, communications or requests you receive, in your capacity as controller or processor, as the case may be, by data subjects seeking to exercise their rights under applicable data protection legislation, including rights of access, correction, restriction, objection, erasure or data portability, as applicable, or to address any other queries or complaints received from data subjects, competent supervisory authorities or other third parties in relation to the processing of Data. We reserve the right to charge a fee based on reasonable costs incurred for the provision of such assistance, details of which fee shall be provided in advance.
We also undertake to promptly inform you and provide full details, without undue delay, should we receive any such inquiries, communications, requests or complaints directly, including inquiries or requests for disclosure regarding Data from a competent supervisory or other authority or law enforcement authority.
Our Service enables you to activate a number of controls including specific security features and functionalities that you may use to retrieve, correct, delete or restrict Data, which controls may be used to assist you in connection with your respective obligations under the GDPR, including responding to requests from data subjects.
You remain responsible for properly configuring the Service and implementing any such control measures to ensure compliance with GDPR requirements including to respond to queries from data subjects regarding their Data.
9. Security Measures and Security Incidents
We commit to implementing technical and organisational measures – see Annex II of this Addendum – taking into account the state of the art, the costs of implementation, and the nature, scope, context and purpose of the processing, as well as the risk of likelihood and severity of impact to the rights of data subjects, to protect the Data from any security breach or other incident including the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to, the Data (‘Security Incident’).
As soon as we become aware of any Security Incident, we undertake to promptly inform you, without undue delay, and shall endeavour to co-operate and assist you, to the fullest extent of our ability, in so far as this is possible and reasonable for us to do so, to enable you to comply with any data breach reporting or notification obligations you may have toward the competent supervisory authority which is concerned by/with the protection of personal data and to data subjects, where applicable, in accordance with applicable data protection legislation. We further undertake to take any and all such reasonable measures and actions to remedy or mitigate the effects of any such Security Incident and to keep you informed of all material developments in connection with the same.
Our undertakings or commitments in the manner hereinbefore described do not constitute an admission on our part of any fault or liability with respect to any such Security Incident. Furthermore, unsuccessful Security Incidents fall outside the scope of this provision.
10. Security Reports and Audits
11. Data Protection Impact Assessment
If we believe or become aware that our processing of Data is likely to result in a high risk to the data protection rights and freedoms of data subjects, we shall duly inform you and shall endeavour to co-operate and assist you, to the fullest extent of our ability, in so far as this is possible and reasonable for us to do so, to enable you to carry out any data protection impact assessment that may be required under applicable data protection legislation.
12. Deletion or Return of Data
13. Obligation to demonstrate Compliance
We shall make available to you all information necessary, in so far as this is possible and reasonable for us to do so, to demonstrate our compliance with our obligations under applicable data protection legislation and undertake to carry out audits, including allowing inspections by you or an independent auditor mandated by you, in the manner afore-described.
1. Subject Matter and Duration of Processing of Personal Data
We act as a sub-/processor in relation to personal data when we process such data on your behalf in your capacity as data controller or other processor, as the case may be. This may include the processing of personal data relating to organisations or persons whom you elected to add as Users of/to the Service or were otherwise added with your authority or as a result of your use of the Service (‘connected organisations’).
The duration of processing personal data shall be for as long as we have a business relationship with you and at the end of that relationship, we will act in accordance with the provisions of this Addendum regarding the deletion or return of such personal data.
2. Nature and Purpose of Processing Personal Data
3. Types of Personal Data Processed
The types of personal data processed include:
4. Categories of Data Subjects
The categories of data subjects include:
1. Some of the technical and organisational measures adopted and implemented by us include: