Cloudmore Data Processing Terms

Version 2018-05

These Terms reflect the parties’ agreement with respect to terms governing the processing of Personal Data. These Cloudmore Data Processing Terms (including the appendices, “Data Processing Terms”) are entered into by Cloudmore and Customer and supplement the Cloudmore Service Agreement(s).

These Data Processing Terms will be effective and replace any previously applicable terms relating to their subject matter (including any data processing amendment or data processing addendum relating to the Processor Services), from the Terms Effective Date.

These Data Processing Terms sets out in which manner Cloudmore shall Process Personal Data on behalf of Customer.

1       Introduction

These Data Processing Terms reflect the parties’ agreement on the terms governing the processing and security of Customer Personal Data in connection with the Data Protection Legislation.

2       Definitions and Interpretation

In these Data Processing Terms:

 “Affiliate” means an entity that directly or indirectly controls, is controlled by, or is under common control with, a party.

Customer Personal Data” means personal data that is processed by Cloudmore on behalf of Customer in Cloudmore’s provision of the Processor Services.

Data Incident” means a breach of Cloudmore’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data on systems managed by or otherwise controlled by Cloudmore. “Data Incidents” will not include unsuccessful attempts or activities that do not compromise the security of Customer Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.

Data Protection Legislation” means, as applicable: (a) the GDPR; and/or (b) the Federal Data Protection Act of 19 June 1992 (Switzerland).

Data Subject Tool” means a tool (if any) made available by a Cloudmore Entity to data subjects that enables Cloudmore to respond directly and in a standardized manner to certain requests from data subjects in relation to Customer Personal Data (for example, online advertising settings or an opt-out browser plugin).

EEA” means the European Economic Area.

GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.

Cloudmore” means the Cloudmore Entity that is party to the Agreement.

Cloudmore Affiliate Subprocessors” has the meaning given in Section 11.1 (Consent to Subprocessor Engagement).

Cloudmore Entity” means Cloudmore AB or any other Affiliate of Cloudmore AB.

Notification Email Address” means the email address (if any) designated by Customer, via the user interface of the Processor Services or such other means provided by Cloudmore, to receive certain notifications from Cloudmore relating to these Data Processing Terms.

Processor Services” means the applicable services listed at http://www.web.cloudmore.com/privacy/services.

“Security Documentation” means any documentation that Cloudmore may make available in respect of the Processor Services.

“Security Measures” has the meaning given in Section 7.1.1 (Cloudmore’s Security Measures).

“Subprocessors” means third parties authorized under these Data Processing Terms to have logical access to and process Customer Personal Data in order to provide parts of the Processor Services and any related technical support.

“Term” means the period from the Terms Effective Date until the end of Cloudmore’s provision of the Processor Services under the Agreement.

“Terms Effective Date” means, as applicable:

  • 25 May 2018, if Customer clicked to accept or the parties otherwise agreed to these Data Processing Terms before or on such date; or
  • the date on which Customer clicked to accept or the parties otherwise agreed to these Data Processing Terms, if such date is after 25 May 2018.

Third Party Product(s)” means any service offered through the Cloudmore Marketplace by a third party.

“Third Party Subprocessors” has the meaning given in Section 11.1 (Consent to Subprocessor Engagement).

The terms “controller”, “data subject”, “personal data”, “processing”, “processor” and “supervisory authority” as used in these Data Processing Terms have the meanings given in the GDPR.

Any phrase introduced by the terms “including”, “include” or any similar expression will be construed as illustrative and will not limit the sense of the words preceding those terms. Any examples in these Data Processing Terms are illustrative and not the sole examples of a particular concept.

Any reference to a legal framework, statute or other legislative enactment is a reference to it as amended or re-enacted from time to time.

3       Duration of these Data Processing Terms

These Data Processing Terms will take effect on the Terms Effective Date and, notwithstanding expiry of the Term, remain in effect until, and automatically expire upon, deletion of all Customer Personal Data by Cloudmore as described in these Data Processing Terms.

4       Application of Data Protection Legislation

These Data Processing Terms will only apply to the extent that the Data Protection Legislation applies to the processing of Customer Personal Data.

5       Processing of Data

5.1       Nature and Purpose of the Processing

Cloudmore will be processing (including, as applicable to the Processor Services and the instructions described in Customer’s Instructions), collecting, recording, organizing, structuring, storing, altering, retrieving, using, disclosing, combining, erasing and destroying) Customer Personal Data for the purpose of providing the Processor Services and any related technical support to Customer in accordance with these Data Processing Terms.

 

5.2       Roles and Regulatory Compliance; Authorization

The parties acknowledge and agree that:

  1. Cloudmore is a processor of Customer Personal Data under the Data Protection Legislation;
  2. Customer is a controller or processor, as applicable, of Customer Personal Data under the Data Protection Legislation; and
  3. each party will comply with the obligations applicable to it under the Data Protection Legislation with respect to the processing of Customer Personal Data.

Customer Personal Data may include the types of personal data described at www.web.cloudmore.com/privacy/services.

If Customer is a processor, Customer warrant to Cloudmore that Customer’s instructions and actions with respect to Customer Personal Data, including its appointment of Cloudmore as another processor, have been authorized by the relevant controller.

5.3       Categories of Data Subjects

Customer Personal Data will concern the following categories of data subjects:

  • data subjects about whom Cloudmore collects personal data in its provision of the Processor Services; and/or
  • data subjects about whom personal data is transferred to Cloudmore in connection with the Processor Services by, at the direction of, or on behalf of Customer.

Depending on the nature of the Processor Services, these data subjects may include individuals: (a) who have visited specific websites or applications in respect of which Cloudmore provides the Processor Services; and/or (b) who are customers or users of Customer’s products or services.

5.4       Customer Instructions

By entering into these Data Processing Terms, Customer instruct Cloudmore to process Customer Personal Data only in accordance with applicable law: (a) to provide the Processor Services and any related technical support; (b) as further specified via Customer’s use of the Processor Services (including in the settings and other functionality of the Processor Services) and any related technical support; (c) as documented in the form of the Agreement, including these Data Processing Terms; and (d) as further documented in any other written instructions given by Customer and acknowledged by Cloudmore as constituting instructions for purposes of these Data Processing Terms.

5.4.1        Cloudmore’s Compliance with Instructions

Cloudmore will comply with the instructions described in Section 5.4 (Customer’s Instructions) (including with regard to data transfers) unless EU or EU Member State law to which Cloudmore is subject requires other processing of Customer Personal Data by Cloudmore, in which case Cloudmore will inform Customer (unless that law prohibits Cloudmore from doing so on important grounds of public interest).

5.4.2        Third Party Products

If Customer uses any Third Party Product, the Processor Services may allow that Third Party Product to access Customer Personal Data as required for the interoperation of the Third Party Product with the Processor Services. For clarity, these Data Processing Terms do not apply to the processing of personal data in connection with the provision of any Third Party Product used by Customer, including personal data transmitted to or from that Third Party Product.

6       Data Deletion

6.1       Deletion During Term

During the Term Cloudmore will comply with:

  1. any reasonable request from Customer to facilitate such deletion, insofar as this is possible taking into account the nature and functionality of the Processor Services and unless EU or EU Member State law requires storage; and
  2. the data retention practices described at www.web.cloudmore.com/privacy/.

Cloudmore may charge a fee (based on Cloudmore’s reasonable costs) for any data deletion under Section 6.1. Cloudmore will provide Customer with further details of any applicable fee, and the basis of its calculation, in advance of any such data deletion.

6.2       Deletion on Term Expiry

On expiry of the Term, Customer instruct Cloudmore to delete or anonymize all Customer Personal Data (including existing copies) from Cloudmore’s systems in accordance with applicable law. Cloudmore will comply with this instruction as soon as reasonably practicable and within a maximum period of 180 days, unless EU or EU Member State law requires storage.

7       Data Security

7.1       Cloudmore’s Security Measures and Assistance

7.1.1        Cloudmore’s Security Measures

Cloudmore will implement and maintain technical and organizational measures to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access as described in Appendix 1 (the “Security Measures”). Cloudmore may update or modify the Security Measures from time to time, provided that such updates and modifications do not result in the degradation of the overall security of the Processor Services.

7.1.2        Security Compliance by Cloudmore Staff

Cloudmore will take appropriate steps to ensure compliance with the Security Measures by its employees, contractors and Subprocessors to the extent applicable to their scope of performance, including ensuring that all persons authorized to process Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

7.1.3        Cloudmore’s Security Assistance

Customer agree that Cloudmore will (taking into account the nature of the processing of Customer Personal Data and the information available to Cloudmore) assist Customer in ensuring compliance with any obligations of Customer in respect of security of personal data and personal data breaches, including (if applicable) Customer’s obligations pursuant to Articles 32 to 34 (inclusive) of the GDPR, by:

  1. implementing and maintaining the Security Measures in accordance with Section 1.1 (Cloudmore’s Security Measures);
  2. complying with the terms of Section 2 (Data Incidents); and
  3. providing Customer with the Security Documentation in accordance with Section 4.1 (Reviews of Security Documentation) and the information contained in these Data Processing Terms.

7.2       Data Incidents

7.2.1        Incident Notification

If Cloudmore becomes aware of a Data Incident, Cloudmore will: (a) notify Customer of the Data Incident promptly and without undue delay; and (b) promptly take reasonable steps to minimize harm and secure Customer Personal Data.

7.2.2        Details of Data Incident

Notifications made under Section 7.2.1 (Incident Notification) will describe, to the extent possible, details of the Data Incident, including steps taken to mitigate the potential risks and steps Cloudmore recommends Customer take to address the Data Incident.

7.2.3        Delivery of Notification

Cloudmore will deliver its notification of any Data Incident to the Notification Email Address or, at Cloudmore’s discretion (including if Customer has not provided a Notification Email Address), by other direct communication (for example, by phone call or an in-person meeting). Customer is solely responsible for providing the Notification Email Address and ensuring that the Notification Email Address is current and valid.

7.2.4        Third Party Notifications

Customer is solely responsible for complying with incident notification laws applicable to Customer and fulfilling any third party notification obligations related to any Data Incident.

7.2.5        No Acknowledgement of Fault by Cloudmore.

Cloudmore’s notification of or response to a Data Incident under this Section 7.2 (Data Incidents) will not be construed as an acknowledgement by Cloudmore of any fault or liability with respect to the Data Incident.

7.3       Customer Security Responsibilities and Assessment

7.3.1        Customer’s Security Responsibilities.

Customer agrees that, without prejudice to Cloudmore’s obligations under Sections 7.1 (Cloudmore’s Security Measures and Assistance) and 7.2 (Data Incidents):

  • Customer is solely responsible for its use of the Processor Services, including:
    1. making appropriate use of the Processor Services to ensure a level of security appropriate to the risk in respect of Customer Personal Data; and
    2. securing the account authentication credentials, systems and devices Customer uses to access the Processor Services; and
  • Cloudmore has no obligation to protect Customer Personal Data that Customer elects to store or transfer outside of Cloudmore’s and its Subprocessors’ systems.

7.3.2        Customer’s Security Assessment.

Customer acknowledges and agrees that (taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing of Customer Personal Data as well as the risks to individuals) the Security Measures implemented and maintained by Cloudmore as set out in Section 7.1.1 (Cloudmore’s Security Measures) provide a level of security appropriate to the risk in respect of Customer Personal Data.

7.4       Reviews and Audits of Compliance

7.4.1        Reviews of Security Documentation

To demonstrate compliance by Cloudmore with its obligations under these Data Processing Terms, Cloudmore will make the Security Documentation available for review by Customer.

7.4.2        Customer’s Audit Rights

Cloudmore will allow Customer or a third party auditor appointed by Customer to conduct audits (including inspections) to verify Cloudmore’s compliance with its obligations under these Data Processing Terms in accordance with Section 7.4.3 (Additional Business Terms for Audits). Cloudmore will contribute to such audits as described in this Section 7.4 (Reviews and Audits of Compliance).

7.4.3        Additional Business Terms for Audits

  • Customer will send any request for an audit to Cloudmore as described in Section 1 (Contacting Cloudmore).
  • Following receipt by Cloudmore of an audit request under this Section, Cloudmore and Customer will discuss and agree in advance on the reasonable start date, scope and duration of, and security and confidentiality controls applicable to such audit.
  • Cloudmore may charge a fee (based on Cloudmore’s reasonable costs) for any audit under Section 4.2. Cloudmore will provide Customer with further details of any applicable fee, and the basis of its calculation, in advance of any such audit. Customer will be responsible for any fees charged by any third party auditor appointed by Customer to execute any such audit.
  • Cloudmore may object to any third party auditor appointed by Customer to conduct any audit under Section 4.2 if the auditor is, in Cloudmore’s reasonable opinion, not suitably qualified or independent, a competitor of Cloudmore or otherwise manifestly unsuitable. Any such objection by Cloudmore will require Customer to appoint another auditor or conduct the audit itself.
  • Nothing in these Data Processing Terms will require Cloudmore either to disclose to Customer or its third party auditor, or to allow Customer or its third party auditor to access:
    1. any data of any other customer of a Cloudmore Entity;
    2. any Cloudmore Entity’s internal accounting or financial information;
    3. any trade secret of a Cloudmore Entity;
    4. any information that, in Cloudmore's reasonable opinion, could: (i) compromise the security of any Cloudmore Entity’s systems or premises; or (ii) cause any Cloudmore Entity to breach its obligations under the Data Protection Legislation or its security and/or privacy obligations to Customer or any third party; or
    5. any information that Customer or its third party auditor seeks to access for any reason other than the good faith fulfilment of Customer’s obligations under the Data Protection Legislation.

8       Impact Assessments and Consultations

Customer agrees that Cloudmore will (taking into account the nature of the processing and the information available to Cloudmore) assist Customer in ensuring compliance with any obligations of Customer in respect of data protection impact assessments and prior consultation, including (if applicable) Customer’s obligations pursuant to Articles 35 and 36 of the GDPR, by:

  1. providing the Security Documentation in accordance with Section 4.1 (Reviews of Security Documentation);
  2. providing the information contained in these Data Processing Terms; and
  3. providing or otherwise making available, in accordance with Cloudmore’s standard practices, other materials concerning the nature of the Processor Services and the processing of Customer Personal Data.

9       Data Subject Rights

9.1       Responses to Data Subject Requests

If Cloudmore receives a request from a data subject in relation to Customer Personal Data, Cloudmore will:

  • if the request is made via a Data Subject Tool, respond directly to the data subject’s request in accordance with the standard functionality of that Data Subject Tool; or
  • if the request is not made via a Data Subject Tool, advise the data subject to submit his/her request to Customer, and Customer will be responsible for responding to such request.

9.2       Cloudmore’s Data Subject Request Assistance

Customer agrees that Cloudmore will (taking into account the nature of the processing of Customer Personal Data and, if applicable, Article 11 of the GDPR) assist Customer in fulfilling any obligation of Customer to respond to requests by data subjects, including (if applicable) Customer’s obligation to respond to requests for exercising the data subject’s rights laid down in Chapter III of the GDPR, by:

  • providing the functionality of the Processor Services;
  • complying with the commitments set out in Section 1 (Responses to Data Subject Requests); and
  • if applicable to the Processor Services, making available Data Subject Tools.

Cloudmore is entitled to remuneration for any potential costs and expenses if Customer requests that Cloudmore shall assist Customer with responding to a Data Subject's request to exercise his or her rights according to Applicable Data Protection Laws.

10   Transfer to and processing of personal data in a third country

Cloudmore is entitled to transfer Personal Data belonging to Customer, to a Third Country, provided that:

  • the Third Country according to a decision issued by the EU Commission provides an adequate level of protection for Personal Data which comprises the Processing of Personal Data;
  • Cloudmore ensures that there are appropriate safeguards in place in accordance with Applicable Data Protection Laws, e.g. standard data protection clauses adopted by the EU Commission under Applicable Data Protection Laws, that comprises the transfer and the Processing of Personal Data; or
  • if there are any other exemptions under Applicable Data Protection Laws that comprise the Processing of Personal Data.

For the avoidance of doubt, Personal Data may not be transferred to or Processed in a Third Country if none of the conditions outlined in Section 10 above exists.

Information about the locations of data centers is available per service at http://www.web.cloudmore.com/privacy/services.

 

11   Subprocessors

11.1   Consent to Subprocessor Engagement

Customer specifically authorizes the engagement of Cloudmore’s Affiliates as Subprocessors (“Cloudmore Affiliate Subprocessors”). In addition, Customer generally authorizes the engagement of any other third parties as Subprocessors (“Third Party Subprocessors”).

11.2   Information about Subprocessors.

Information about Subprocessors is available per service at http://www.web.cloudmore.com/privacy/services.

11.3   Requirements for Subprocessor Engagement

When engaging any Subprocessor, Cloudmore will:

  • ensure via a written contract that:
    1. the Subprocessor only accesses and uses Customer Personal Data to the extent required to perform the obligations subcontracted to it, and does so in accordance with the Agreement (including these Data Processing Terms); and
    2. if the GDPR applies to the processing of Customer Personal Data, the data protection obligations set out in Article 28(3) of the GDPR are imposed on the Subprocessor; and
  • remain fully liable for all obligations subcontracted to, and all acts and omissions of, the Subprocessor.

11.4   Opportunity to Object to Subprocessor Changes

(a) When any new Third Party Subprocessor is engaged during the Term, Cloudmore will, at least 30 days before the new Third Party Subprocessor processes any Customer Personal Data, inform Customer of the engagement (including the name and location of the relevant Subprocessor and the activities it will perform) by updating the Subprocessor list at http://www.cloudmore.com/privacy/services and by publishing a notification in the Cloudmore Platform.

(b) Customer may object to Cloudmore's assignment of a Subprocessor that shall Process Personal Data on behalf of Customer within 90 days of being informed of the engagement of the new Third Party Subprocessor as described in Section 11.4(a), whereby the Parties shall seek to agree on a solution which is acceptable to both Parties. If a mutual acceptable solution cannot be reached, Customer may terminate the Service Agreement immediately upon written notice to Cloudmore. This termination right is Customer’s sole and exclusive remedy if Customer objects to any new Third Party Subprocessor.

12   Contacting Cloudmore; Processing Records

12.1   Contacting Cloudmore

Customer may contact Cloudmore in relation to the exercise of its rights under these Data Processing Terms via the methods described at http://www.web.cloudmore.com/privacy/ or via such other means as may be provided by Cloudmore from time to time.

12.2   Cloudmore’s Processing Records

Customer acknowledges that Cloudmore is required under the GDPR to: (a) collect and maintain records of certain information, including the name and contact details of each processor and/or controller on behalf of which Cloudmore is acting and (if applicable) of such processor’s or controller's local representative and data protection officer; and (b) make such information available to the supervisory authorities. Accordingly, Customer will, where requested and as applicable to Customer, provide such information to Cloudmore via the user interface of the Processor Services or via such other means as may be provided by Cloudmore, and will use such user interface or other means to ensure that all information provided is kept accurate and up-to-date.

13   Liability

The provisions regarding liability under the Service Agreement shall apply correspondingly to this Data Processing Agreement.

14   Effect of these Data Processing Terms

If there is any conflict or inconsistency between the terms of these Data Processing Terms and the remainder of the Service Agreement, the terms of these Data Processing Terms will govern. Subject to the amendments in these Data Processing Terms, the Service Agreement remains in full force and effect.

15   Changes to these Data Processing Terms

15.1   Changes to URLs

From time to time, Cloudmore may change any URL referenced in these Data Processing Terms and the content at any such URL. Cloudmore may only change the list of potential Processor Services at http://www.web.cloudmore.com/privacy/services:

  • to reflect a change to the name of a service;
  • to add a new service; or
  • to remove a service where either: (i) all contracts for the provision of that service are terminated; or (ii) Cloudmore has Customer’s consent.

15.2   Changes to Data Processing Terms

Cloudmore may change these Data Processing Terms if the change:

  • is expressly permitted by these Data Processing Terms, including as described in Section 1 (Changes to URLs);
  • reflects a change in the name or form of a legal entity;
  • is required to comply with applicable law, applicable regulation, a court order or guidance issued by a governmental regulator or agency; or
  • does not: (i) result in a degradation of the overall security of the Processor Services; (ii) expand the scope of, or remove any restrictions on, Cloudmore’s processing of Customer Personal Data, as described in Section 4.1 (Cloudmore’s Compliance with Instructions); and (iii) otherwise have a material adverse impact on Customer’s rights under these Data Processing Terms, as reasonably determined by Cloudmore.

15.2.1     Notification of Changes

If Cloudmore intends to change these Data Processing Terms under Section 15.2(c) or (d), Cloudmore will inform Customer at least 30 days (or such shorter period as may be required to comply with applicable law, applicable regulation, a court order or guidance issued by a governmental regulator or agency) before the change will take effect by either: (a) sending an email to the Notification Email Address; or (b) alerting Customer via the user interface for the Processor Services. If Customer objects to any such change, Customer may terminate the Agreement by giving written notice to Cloudmore within 90 days of being informed by Cloudmore of the change.

16   Confidentiality

Without prejudice to any confidentiality undertakings included in the Service Agreement, Cloudmore shall keep and maintain all Personal Data in strict secrecy and not disclose any Personal Data to a third party, unless otherwise authorized in advance by Customer or otherwise required by Applicable Laws or for the performance of the Data Processing Terms and the Service Agreement. Cloudmore agrees that the confidentiality undertaking under this Section 16 shall apply until all Personal Data have been returned or (upon Customer's written request) have been deleted or anonymized in a secure and irreversible way.

17   Code of Conduct

Cloudmore adheres to the GÉANT Data Protection Code of Conduct.

18   Applicable law

This Data Processing Agreement shall be governed by Swedish law, without regard to any provisions regarding conflict of laws.

19   Dispute

Any dispute arising out of or in connection to this Data Processing Agreement shall be finally settled in accordance with the dispute resolution provisions of the Service Agreement.

END