Updated March 20, 2020
These Data Processing terms supplement the Cloudmore Master Agreement and set out the manner in which Cloudmore shall process Personal Data on behalf of You.
These Data Processing Terms reflect the parties’ agreement on the terms governing the processing and security of Your Personal Data in connection with the Data Protection Legislation.
Capitalized terms used in these Data Processing terms, but not defined below, will have the meaning assigned to them in the Cloudmore Master Agreement.
“Your Personal Data” means Personal Data that is processed by Cloudmore on behalf of You in Cloudmore’s provision of the Services.
“Data Incident” means a breach of Cloudmore’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Your Personal Data on systems managed by or otherwise controlled by Cloudmore. “Data Incidents” will not include unsuccessful attempts or activities that do not compromise the security of Your Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.
“Data Protection Legislation” means, as applicable: (a) the GDPR; and/or (b) the Federal Data Protection Act of 19 June 1992 (Switzerland).
“Data Subject Tool” means a tool (if any) made available by a Cloudmore Entity to Data Subjects that enables Cloudmore to respond directly and in a standardized manner to certain requests from Data Subjects in relation to Your Personal Data (for example, online advertising settings or an opt-out browser plugin).
“EEA” means the European Economic Area.
“GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
“Cloudmore Entity” means Cloudmore AB or any other Affiliate of Cloudmore AB.
“Security Documentation” means any documentation that Cloudmore may make available in respect of the Services.
“Security Measures” has the meaning given in Section 7.1.1 (Cloudmore’s Security Measures).
“Subprocessors” means third parties authorized under these Data Processing terms to have logical access to and process Your Personal Data in order to provide parts of the Services and any related technical support.
“Third-party Subprocessors” has the meaning given in Section 11.1 (Consent to Subprocessor Engagement).
The terms “Controller”, “Data Subject”, “Personal data”, “Processing”, “Processor” and “Supervisory Authority” as used in these Data Processing Terms have the meanings given in the GDPR.
Any reference to a legal framework, statute or other legislative enactment is a reference to it as amended or re-enacted from time to time.
These Data Processing Terms will take effect on the Agreement Effective Date and, notwithstanding expiry of the Term, remain in effect until, and automatically expire upon, deletion of all Your Personal Data by Cloudmore as described in these Data Processing Terms.
These Data Processing terms will only apply to the extent that the Data Protection Legislation applies to the processing of Your Personal Data.
Cloudmore will be processing (including, as applicable to the Services and the instructions described in Your Instructions, collecting, recording, organizing, structuring, storing, altering, retrieving, using, disclosing, combining, erasing, and destroying) Your Personal Data for the purpose of providing the Services and any related technical support to You in accordance with these Data Processing Terms.
The parties acknowledge and agree that:
Your Personal Data may include the types of personal data described at http://web.cloudmore.com/privacy/Services.
If You are a processor, You warrant to Cloudmore that Your instructions and actions with respect to Your Personal Data, including its appointment of Cloudmore as a processor, have been authorized by the relevant controller.
Your Personal Data will concern the following categories of Data Subjects:
Depending on the nature of the Services, these Data Subjects may include individuals: (a) who have visited specific websites or applications in respect of which Cloudmore provides the Services; and/or (b) who are customers or users of Your products or Services.
By entering into these Data Processing Terms, You instruct Cloudmore to process Your Personal Data only in accordance with applicable law:
Cloudmore will comply with the instructions described in Section 5.4 (Your Instructions) (including with regard to data transfers) unless EU or EU Member State law to which Cloudmore is subject requires other processing of Your Personal Data by Cloudmore, in which case Cloudmore will inform You (unless that law prohibits Cloudmore from doing so on important grounds of public interest).
If You use any Third-party Product, the Services may allow that Third-party Product to access Your Personal Data as required for the interoperation of the Third-party Product with the Services. For clarity, these Data Processing Terms do not apply to the processing of Personal Data in connection with the provision of any Third-party Product used by You, including personal data transmitted to or from that Third-party Product.
During the Term, Cloudmore will comply with any reasonable request from You to delete or anonymize Your Personal Data, insofar as this is possible taking into account the nature and functionality of the Services and unless EU or EU Member State law requires storage, and will carry out this instruction as soon as reasonably practicable and within a maximum period of 180 days.
Cloudmore may charge a fee (based on Cloudmore’s reasonable costs) for any data deletion under Section 6.1. Cloudmore will provide You with further details of any applicable fee, and the basis of its calculation, in advance of any such data deletion.
On expiry of the Term, You instruct Cloudmore to delete or anonymize all Your Personal Data (including existing copies) from Cloudmore’s systems in accordance with applicable law. Cloudmore will comply with this instruction as soon as reasonably practicable and within a maximum period of 180 days, unless EU or EU Member State law requires storage.
Cloudmore will implement and maintain technical and organizational measures to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access as described at https://web.cloudmore.com/privacy (the “Security Measures”). Cloudmore may update or modify the Security Measures from time to time, provided that such updates and modifications do not result in the degradation of the overall security of the Processor Services.
Cloudmore will take appropriate steps to ensure compliance with the Security Measures by its employees, contractors and Subprocessors to the extent applicable to their scope of performance, including ensuring that all persons authorized to process Your Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
You agree that Cloudmore will (taking into account the nature of the processing of Your Personal Data and the information available to Cloudmore) assist You in ensuring compliance with any obligations of You in respect of security of personal data and personal data breaches, including (if applicable) Your obligations pursuant to Articles 32 to 34 (inclusive) of the GDPR, by:
If Cloudmore becomes aware of a Data Incident, We will
Notifications made under Section 7.2.1 (Incident Notification) will describe, to the extent possible, details of the Data Incident, including steps taken to mitigate the potential risks and steps Cloudmore recommends You take to address the Data Incident.
Cloudmore will deliver notification of any Data Incident to Your notification email address or, at Cloudmore’s discretion (including if You have not provided a notification email address), by other direct communication (for example, by phone call or an in-person meeting). You are solely responsible for providing the notification email address and ensuring that the notification email address is current and valid.
You are solely responsible for complying with incident notification laws applicable to You and fulfilling any third-party notification obligations related to any Data Incident.
Cloudmore’s notification of or response to a Data Incident under this Section 7.2 (Data Incidents) will not be construed as an acknowledgement by Us of any fault or liability with respect to the Data Incident.
You agree that without prejudice to Cloudmore’s obligations under Sections 7.1 (Cloudmore’s Security Measures and Assistance) and 7.2 (Data Incidents):
You acknowledge and agree that (taking into account the state of the art, the costs of implementation and the nature, scope, context, and purposes of the processing of Your Personal Data as well as the risks to individuals) the Security Measures implemented and maintained by Cloudmore as set out in Section 7.1.1 (Cloudmore’s Security Measures) provide a level of security appropriate to the risk in respect of Your Personal Data.
To demonstrate compliance by Cloudmore with its obligations under these Data Processing Terms, Cloudmore will make the Security Documentation available for review by You.
Cloudmore will allow You or a third-party auditor appointed by You to conduct audits (including inspections) to verify Cloudmore’s compliance with its obligations under these Data Processing Terms in accordance with Section 7.4.3 (Additional Business Terms for Audits). Cloudmore will contribute to such audits as described in this Section 7.4 (Reviews and Audits of Compliance).
You agree that Cloudmore will (taking into account the nature of the processing and the information available to Cloudmore) assist You in ensuring compliance with any obligations in respect of data protection impact assessments and prior consultation, including (if applicable) Your obligations pursuant to Articles 35 and 36 of the GDPR, by:
If Cloudmore receives a request from a data subject in relation to Your Personal Data, Cloudmore will:
You agree that Cloudmore will (taking into account the nature of the processing of Your Personal Data and, if applicable, Article 11 of the GDPR) assist You in fulfilling any obligation to respond to requests by Data Subjects, including (if applicable) Your obligation to respond to requests for exercising the data subject’s rights laid down in Chapter III of the GDPR, by:
Cloudmore is entitled to remuneration for any potential costs and expenses if You request that Cloudmore shall assist You with responding to a Data Subject's request to exercise his or her rights according to Applicable Data Protection Laws.
Cloudmore is entitled to transfer Personal Data belonging to You, to a Third Country, provided that:
For the avoidance of doubt, Personal Data may not be transferred to, or Processed in, a Third Country if none of the conditions outlined in Section 10 above exists.
You specifically authorize the engagement of Cloudmore’s Affiliates as Subprocessors. In addition, You generally authorize the engagement of any other third parties as Subprocessors (“Third-party Subprocessor”).
Information about Subprocessors is available per Service at https://web.cloudmore.com/privacy/sub-processsors.
When engaging any Subprocessor, Cloudmore will:
When any new Third-party Subprocessor is engaged during the Term, Cloudmore will, at least 30 days before the new Third-party Subprocessor processes any of Your Personal Data, inform You of the engagement (including the name and location of the relevant Subprocessor and the activities it will perform) by updating the Subprocessor list at https://web.cloudmore.com/privacy/sub-processsors and by providing a notification to Your notification email address.
You may object to Cloudmore's assignment of a Subprocessor that shall Process Personal Data on behalf of You within 30 days of being informed of the engagement of the new Third-party Subprocessor, whereby the Parties shall seek to agree on a solution which is acceptable to both Parties. If a mutually acceptable solution cannot be reached, You may terminate the corresponding Service Subscription Agreement immediately upon written notice to Cloudmore. This termination right is Your sole and exclusive remedy if You object to any new Third-party Subprocessor.
You may contact Cloudmore in relation to the exercise of Your rights under these Data Processing Terms via the methods described at http://web.cloudmore.com/privacy/contact/ or via such other means as may be provided by Us from time to time.
You acknowledge that Cloudmore is required under the GDPR to:
Accordingly, You will, where requested and as applicable to You, provide such information to Cloudmore via the user interface of the Services or via such other means as may be provided by Cloudmore, and will use such user interface or other means to ensure that all information provided is kept accurate and up-to-date.
The provisions regarding liability under the Cloudmore Master Agreement shall apply correspondingly to these Data Processing terms.
If there is any conflict or inconsistency between the terms of these Data Processing terms and the Agreement, the Data Processing terms will govern unless specifically agreed otherwise in the respective Service Subscription Agreement. Subject to the amendment of these Data Processing Terms, the Service Agreement remains in full force and effect.
From time to time, Cloudmore may change any URL referenced in these Data Processing Terms and the content at any such URL. Cloudmore may only change the list of potential Services at https://web.cloudmore.com/privacy/services:
Cloudmore may change these Data Processing Terms if the change:
If Cloudmore intends to change these Data Processing Terms under Section 15.2(c) or (d), Cloudmore will notify You at least 30 days (or such shorter period as may be required to comply with applicable law, applicable regulation, a court order or guidance issued by a governmental regulator or agency) before the change will take effect by sending an email to Your notification email address.
You may object to a change made in accordance with Section 15.2(d) within 30 days of receiving notice of such change, whereby the Parties shall seek to agree on a solution which is acceptable to both Parties. If a mutually acceptable solution cannot be reached, You may terminate the corresponding Service Subscription Agreement immediately upon written notice to Cloudmore. This termination right is Your sole and exclusive remedy if You object to such change.