These Terms reflect the parties’ agreement with respect to terms governing the processing of Personal Data. These Cloudmore Data Processing Terms (including the appendices, “Data Processing Terms”) are entered into by Cloudmore and Customer and supplement the Cloudmore Service Agreement(s).
These Data Processing Terms will be effective and replace any previously applicable terms relating to their subject matter (including any data processing amendment or data processing addendum relating to the Processor Services), from the Terms Effective Date.
These Data Processing Terms sets out in which manner Cloudmore shall Process Personal Data on behalf of Customer.
These Data Processing Terms reflect the parties’ agreement on the terms governing the processing and security of Customer Personal Data in connection with the Data Protection Legislation.
In these Data Processing Terms:
“Affiliate” means an entity that directly or indirectly controls, is controlled by, or is under common control with, a party.
“Customer Personal Data” means personal data that is processed by Cloudmore on behalf of Customer in Cloudmore’s provision of the Processor Services.
“Data Incident” means a breach of Cloudmore’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data on systems managed by or otherwise controlled by Cloudmore. “Data Incidents” will not include unsuccessful attempts or activities that do not compromise the security of Customer Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.
“Data Protection Legislation” means, as applicable: (a) the GDPR; and/or (b) the Federal Data Protection Act of 19 June 1992 (Switzerland).
“Data Subject Tool” means a tool (if any) made available by a Cloudmore Entity to data subjects that enables Cloudmore to respond directly and in a standardized manner to certain requests from data subjects in relation to Customer Personal Data (for example, online advertising settings or an opt-out browser plugin).
“EEA” means the European Economic Area.
“GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
“Cloudmore” means the Cloudmore Entity that is party to the Agreement.
“Cloudmore Affiliate Subprocessors” has the meaning given in Section 11.1 (Consent to Subprocessor Engagement).
“Cloudmore Entity” means Cloudmore AB or any other Affiliate of Cloudmore AB.
“Notification Email Address” means the email address (if any) designated by Customer, via the user interface of the Processor Services or such other means provided by Cloudmore, to receive certain notifications from Cloudmore relating to these Data Processing Terms.
“Processor Services” means the applicable services listed at http://www.web.cloudmore.com/privacy/services.
“Security Documentation” means any documentation that Cloudmore may make available in respect of the Processor Services.
“Security Measures” has the meaning given in Section 7.1.1 (Cloudmore’s Security Measures).
“Subprocessors” means third parties authorized under these Data Processing Terms to have logical access to and process Customer Personal Data in order to provide parts of the Processor Services and any related technical support.
“Term” means the period from the Terms Effective Date until the end of Cloudmore’s provision of the Processor Services under the Agreement.
“Terms Effective Date” means, as applicable:
“Third Party Product(s)” means any service offered through the Cloudmore Marketplace by a third party.
“Third Party Subprocessors” has the meaning given in Section 11.1 (Consent to Subprocessor Engagement).
The terms “controller”, “data subject”, “personal data”, “processing”, “processor” and “supervisory authority” as used in these Data Processing Terms have the meanings given in the GDPR.
Any phrase introduced by the terms “including”, “include” or any similar expression will be construed as illustrative and will not limit the sense of the words preceding those terms. Any examples in these Data Processing Terms are illustrative and not the sole examples of a particular concept.
Any reference to a legal framework, statute or other legislative enactment is a reference to it as amended or re-enacted from time to time.
These Data Processing Terms will take effect on the Terms Effective Date and, notwithstanding expiry of the Term, remain in effect until, and automatically expire upon, deletion of all Customer Personal Data by Cloudmore as described in these Data Processing Terms.
These Data Processing Terms will only apply to the extent that the Data Protection Legislation applies to the processing of Customer Personal Data.
Cloudmore will be processing (including, as applicable to the Processor Services and the instructions described in Customer’s Instructions), collecting, recording, organizing, structuring, storing, altering, retrieving, using, disclosing, combining, erasing and destroying) Customer Personal Data for the purpose of providing the Processor Services and any related technical support to Customer in accordance with these Data Processing Terms.
The parties acknowledge and agree that:
Customer Personal Data may include the types of personal data described at www.web.cloudmore.com/privacy/services.
If Customer is a processor, Customer warrant to Cloudmore that Customer’s instructions and actions with respect to Customer Personal Data, including its appointment of Cloudmore as another processor, have been authorized by the relevant controller.
Customer Personal Data will concern the following categories of data subjects:
Depending on the nature of the Processor Services, these data subjects may include individuals: (a) who have visited specific websites or applications in respect of which Cloudmore provides the Processor Services; and/or (b) who are customers or users of Customer’s products or services.
By entering into these Data Processing Terms, Customer instruct Cloudmore to process Customer Personal Data only in accordance with applicable law: (a) to provide the Processor Services and any related technical support; (b) as further specified via Customer’s use of the Processor Services (including in the settings and other functionality of the Processor Services) and any related technical support; (c) as documented in the form of the Agreement, including these Data Processing Terms; and (d) as further documented in any other written instructions given by Customer and acknowledged by Cloudmore as constituting instructions for purposes of these Data Processing Terms.
Cloudmore will comply with the instructions described in Section 5.4 (Customer’s Instructions) (including with regard to data transfers) unless EU or EU Member State law to which Cloudmore is subject requires other processing of Customer Personal Data by Cloudmore, in which case Cloudmore will inform Customer (unless that law prohibits Cloudmore from doing so on important grounds of public interest).
If Customer uses any Third Party Product, the Processor Services may allow that Third Party Product to access Customer Personal Data as required for the interoperation of the Third Party Product with the Processor Services. For clarity, these Data Processing Terms do not apply to the processing of personal data in connection with the provision of any Third Party Product used by Customer, including personal data transmitted to or from that Third Party Product.
During the Term Cloudmore will comply with:
Cloudmore may charge a fee (based on Cloudmore’s reasonable costs) for any data deletion under Section 6.1. Cloudmore will provide Customer with further details of any applicable fee, and the basis of its calculation, in advance of any such data deletion.
On expiry of the Term, Customer instruct Cloudmore to delete or anonymize all Customer Personal Data (including existing copies) from Cloudmore’s systems in accordance with applicable law. Cloudmore will comply with this instruction as soon as reasonably practicable and within a maximum period of 180 days, unless EU or EU Member State law requires storage.
Cloudmore will implement and maintain technical and organizational measures to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access as described in Appendix 1 (the “Security Measures”). Cloudmore may update or modify the Security Measures from time to time, provided that such updates and modifications do not result in the degradation of the overall security of the Processor Services.
Cloudmore will take appropriate steps to ensure compliance with the Security Measures by its employees, contractors and Subprocessors to the extent applicable to their scope of performance, including ensuring that all persons authorized to process Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
Customer agree that Cloudmore will (taking into account the nature of the processing of Customer Personal Data and the information available to Cloudmore) assist Customer in ensuring compliance with any obligations of Customer in respect of security of personal data and personal data breaches, including (if applicable) Customer’s obligations pursuant to Articles 32 to 34 (inclusive) of the GDPR, by:
If Cloudmore becomes aware of a Data Incident, Cloudmore will: (a) notify Customer of the Data Incident promptly and without undue delay; and (b) promptly take reasonable steps to minimize harm and secure Customer Personal Data.
Notifications made under Section 7.2.1 (Incident Notification) will describe, to the extent possible, details of the Data Incident, including steps taken to mitigate the potential risks and steps Cloudmore recommends Customer take to address the Data Incident.
Cloudmore will deliver its notification of any Data Incident to the Notification Email Address or, at Cloudmore’s discretion (including if Customer has not provided a Notification Email Address), by other direct communication (for example, by phone call or an in-person meeting). Customer is solely responsible for providing the Notification Email Address and ensuring that the Notification Email Address is current and valid.
Customer is solely responsible for complying with incident notification laws applicable to Customer and fulfilling any third party notification obligations related to any Data Incident.
Cloudmore’s notification of or response to a Data Incident under this Section 7.2 (Data Incidents) will not be construed as an acknowledgement by Cloudmore of any fault or liability with respect to the Data Incident.
Customer agrees that, without prejudice to Cloudmore’s obligations under Sections 7.1 (Cloudmore’s Security Measures and Assistance) and 7.2 (Data Incidents):
Customer acknowledges and agrees that (taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing of Customer Personal Data as well as the risks to individuals) the Security Measures implemented and maintained by Cloudmore as set out in Section 7.1.1 (Cloudmore’s Security Measures) provide a level of security appropriate to the risk in respect of Customer Personal Data.
To demonstrate compliance by Cloudmore with its obligations under these Data Processing Terms, Cloudmore will make the Security Documentation available for review by Customer.
Cloudmore will allow Customer or a third party auditor appointed by Customer to conduct audits (including inspections) to verify Cloudmore’s compliance with its obligations under these Data Processing Terms in accordance with Section 7.4.3 (Additional Business Terms for Audits). Cloudmore will contribute to such audits as described in this Section 7.4 (Reviews and Audits of Compliance).
Customer agrees that Cloudmore will (taking into account the nature of the processing and the information available to Cloudmore) assist Customer in ensuring compliance with any obligations of Customer in respect of data protection impact assessments and prior consultation, including (if applicable) Customer’s obligations pursuant to Articles 35 and 36 of the GDPR, by:
If Cloudmore receives a request from a data subject in relation to Customer Personal Data, Cloudmore will:
Customer agrees that Cloudmore will (taking into account the nature of the processing of Customer Personal Data and, if applicable, Article 11 of the GDPR) assist Customer in fulfilling any obligation of Customer to respond to requests by data subjects, including (if applicable) Customer’s obligation to respond to requests for exercising the data subject’s rights laid down in Chapter III of the GDPR, by:
Cloudmore is entitled to remuneration for any potential costs and expenses if Customer requests that Cloudmore shall assist Customer with responding to a Data Subject's request to exercise his or her rights according to Applicable Data Protection Laws.
Cloudmore is entitled to transfer Personal Data belonging to Customer, to a Third Country, provided that:
For the avoidance of doubt, Personal Data may not be transferred to or Processed in a Third Country if none of the conditions outlined in Section 10 above exists.
Information about the locations of data centers is available per service at http://www.web.cloudmore.com/privacy/services.
Customer specifically authorizes the engagement of Cloudmore’s Affiliates as Subprocessors (“Cloudmore Affiliate Subprocessors”). In addition, Customer generally authorizes the engagement of any other third parties as Subprocessors (“Third Party Subprocessors”).
Information about Subprocessors is available per service at http://www.web.cloudmore.com/privacy/services.
When engaging any Subprocessor, Cloudmore will:
(a) When any new Third Party Subprocessor is engaged during the Term, Cloudmore will, at least 30 days before the new Third Party Subprocessor processes any Customer Personal Data, inform Customer of the engagement (including the name and location of the relevant Subprocessor and the activities it will perform) by updating the Subprocessor list at http://www.cloudmore.com/privacy/services and by publishing a notification in the Cloudmore Platform.
(b) Customer may object to Cloudmore's assignment of a Subprocessor that shall Process Personal Data on behalf of Customer within 90 days of being informed of the engagement of the new Third Party Subprocessor as described in Section 11.4(a), whereby the Parties shall seek to agree on a solution which is acceptable to both Parties. If a mutual acceptable solution cannot be reached, Customer may terminate the Service Agreement immediately upon written notice to Cloudmore. This termination right is Customer’s sole and exclusive remedy if Customer objects to any new Third Party Subprocessor.
Customer may contact Cloudmore in relation to the exercise of its rights under these Data Processing Terms via the methods described at http://www.web.cloudmore.com/privacy/ or via such other means as may be provided by Cloudmore from time to time.
Customer acknowledges that Cloudmore is required under the GDPR to: (a) collect and maintain records of certain information, including the name and contact details of each processor and/or controller on behalf of which Cloudmore is acting and (if applicable) of such processor’s or controller's local representative and data protection officer; and (b) make such information available to the supervisory authorities. Accordingly, Customer will, where requested and as applicable to Customer, provide such information to Cloudmore via the user interface of the Processor Services or via such other means as may be provided by Cloudmore, and will use such user interface or other means to ensure that all information provided is kept accurate and up-to-date.
The provisions regarding liability under the Service Agreement shall apply correspondingly to this Data Processing Agreement.
If there is any conflict or inconsistency between the terms of these Data Processing Terms and the remainder of the Service Agreement, the terms of these Data Processing Terms will govern. Subject to the amendments in these Data Processing Terms, the Service Agreement remains in full force and effect.
From time to time, Cloudmore may change any URL referenced in these Data Processing Terms and the content at any such URL. Cloudmore may only change the list of potential Processor Services at http://www.web.cloudmore.com/privacy/services:
Cloudmore may change these Data Processing Terms if the change:
If Cloudmore intends to change these Data Processing Terms under Section 15.2(c) or (d), Cloudmore will inform Customer at least 30 days (or such shorter period as may be required to comply with applicable law, applicable regulation, a court order or guidance issued by a governmental regulator or agency) before the change will take effect by either: (a) sending an email to the Notification Email Address; or (b) alerting Customer via the user interface for the Processor Services. If Customer objects to any such change, Customer may terminate the Agreement by giving written notice to Cloudmore within 90 days of being informed by Cloudmore of the change.
Without prejudice to any confidentiality undertakings included in the Service Agreement, Cloudmore shall keep and maintain all Personal Data in strict secrecy and not disclose any Personal Data to a third party, unless otherwise authorized in advance by Customer or otherwise required by Applicable Laws or for the performance of the Data Processing Terms and the Service Agreement. Cloudmore agrees that the confidentiality undertaking under this Section 16 shall apply until all Personal Data have been returned or (upon Customer's written request) have been deleted or anonymized in a secure and irreversible way.
Cloudmore adheres to the GÉANT Data Protection Code of Conduct.
This Data Processing Agreement shall be governed by Swedish law, without regard to any provisions regarding conflict of laws.
Any dispute arising out of or in connection to this Data Processing Agreement shall be finally settled in accordance with the dispute resolution provisions of the Service Agreement.