Data Processing Agreement
This Cloudify Data Processing Agreement ("DPA") covers all services offered by Cloudify ApS ("Cloudify", "Processor", "we", "us", or "our"), including digital analysis, SaaS implementation, custom integrations, and Partner Marketplace integrations (DIY automation). This DPA reflects the parties' agreement with respect to the Processing of Personal Data by Cloudify on behalf of the Customer ("Customer", "Controller", "you", or "your") in connection with Cloudify's services under the Customer Terms of Service between Customer and Cloudify (also referred to in this DPA as the "Agreement").
This DPA is supplemental to, and forms an integral part of, the Agreement and is effective upon its incorporation into the Agreement, which may be specified in the Agreement, an Order, or an executed amendment to the Agreement. In case of any conflict or inconsistency with the terms of the Agreement, this DPA will take precedence over the terms of the Agreement to the extent of such conflict or inconsistency.
For the full terms and conditions governing your use of Cloudify's services, please refer to our Terms and Conditions, which should be read in conjunction with this DPA.
Cloudify may update these terms from time to time to reflect changes in law, regulations, or business practices. Any significant changes to this DPA that may impact the Customer's rights or obligations will be communicated to the Customer at least 30 days before taking effect. The Customer will be given the opportunity to review and accept the updated terms. If the Customer does not accept the updated terms, the Customer may terminate the Agreement without penalty by providing written notice prior to the effective date of the changes.
The term of this DPA shall follow the term of the Agreement. Terms not otherwise defined herein shall have the meaning as set forth in the Agreement.
1. Definitions
"Controller" means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data. For the purposes of this DPA, the Customer is the Controller.
"Customer Data" means all data, including all text, sound, software, image or video files that are provided to Cloudify by, or on behalf of, the Customer and its end users through use of the Marketplace Subscription Services. Customer Data includes both Personal Data and non-personal data.
"Data Protection Law" means all applicable legislation relating to data protection and privacy including without limitation the EU General Data Protection Regulation 2016/679 ("GDPR"), and any applicable national implementing laws, regulations and secondary legislation, as amended or updated from time to time, in the European Union, European Economic Area and their member states, Switzerland and the United Kingdom.
"Data Subject" means the identified or identifiable person to whom Personal Data relates.
"Instruction" means the written, documented instruction, issued by the Controller to the Processor, and directing the same to perform a specific action with regard to Personal Data (including, but not limited to, depersonalizing, blocking, deletion, making available).
"Personal Data" means any information relating to an identified or identifiable individual where such information is contained within Customer Data and is protected similarly as personal data or personally identifiable information under applicable Data Protection Law.
"Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.
"Processing" means any operation or set of operations which is performed on Personal Data, encompassing the collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction or erasure of Personal Data. The terms "Process", "Processes" and "Processed" will be construed accordingly.
"Processor" means a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Controller. For the purposes of this DPA, Cloudify is the Processor.
"Sub-Processor" means any Processor engaged by Cloudify to assist in fulfilling its obligations with respect to providing the Subscription Services pursuant to the Agreement or this DPA.
2. Subject Matter and Nature of Processing
The subject matter of Processing of Personal Data by the Processor is the provision of the services to the Customer that involves the Processing of Personal Data. Personal Data will be subject to those Processing activities as may be specified in the Agreement and an Order.
3. Types of Personal Data and Purpose of Processing
Contact information, the extent of which is determined and controlled by the Customer in its sole discretion, and other Personal Data such as navigational data (including website usage information), email data, system usage data, application integration data, and other electronic data submitted, stored, sent, or received by end-users via Cloudify's services. Personal Data will be Processed for purposes of providing the services set out and otherwise agreed to in the Agreement and any applicable Order.
4. Categories of Data Subjects
The Customer's contacts and other end users including Customer's employees, contractors, collaborators, customers, prospects, suppliers and subcontractors. Data Subjects also include individuals attempting to communicate with or transfer Personal Data to the Customer's end users.
5. Customer Responsibility
5.1 Compliance with Laws
Within the scope of the Agreement and in its use of the services, the Customer will be responsible for complying with all requirements that apply to it under applicable Data Protection Laws with respect to its Processing of Personal Data and the Instructions it issues to Cloudify.
In particular but without prejudice to the generality of the foregoing, the Customer acknowledges and agrees that they will be solely responsible for:
(i) the accuracy, quality, and legality of their Customer Data and the means by which they acquired Personal Data;
(ii) complying with all necessary transparency and lawfulness requirements under applicable Data Protection Laws for the collection and use of the Personal Data, including obtaining any necessary consents and authorizations (particularly for use by Customer for marketing purposes);
(iii) ensuring they have the right to transfer, or provide access to, the Personal Data to Cloudify for Processing in accordance with the terms of the Agreement (including this DPA);
(iv) ensuring that their Instructions to Cloudify regarding the Processing of Personal Data comply with applicable laws, including Data Protection Laws; and
(v) complying with all laws (including Data Protection Laws) applicable to any emails or other content created, sent or managed through Cloudify's services, including those relating to obtaining consents (where required) to send emails, the content of the emails and its email deployment practices.
The Customer will inform Cloudify without undue delay if they are not able to comply with their responsibilities under this 'Compliance with Laws' section or applicable Data Protection Laws.
5.2 Controller Instructions
The parties agree that the Agreement (including this DPA), together with the Customer's use of Cloudify's services in accordance with the Agreement, constitute their complete and final Instructions to Cloudify in relation to the Processing of Personal Data, and additional instructions outside the scope of the Instructions shall require a prior written agreement between Cloudify and the Customer.
5.3 Security
The Customer is responsible for independently determining whether the data security provided for in Cloudify's services adequately meets their obligations under applicable Data Protection Laws. The Customer is also responsible for their secure use of Cloudify's services, including protecting the security of Personal Data in transit to and from Cloudify's services (including to securely back up or encrypt any such Personal Data).
6. Obligations of Cloudify as Processor
Cloudify shall collect, process and use Personal Data only within the scope of Customer's Instructions. If Cloudify believes that an Instruction from the Customer infringes the Data Protection Law, it shall immediately inform the Customer. If Cloudify cannot process Personal Data in accordance with the Instructions due to a legal requirement under any applicable European Union or Member State law, Cloudify will:
(i) promptly notify the Customer of that legal requirement before the relevant Processing to the extent permitted by the Data Protection Law; and
(ii) cease all Processing (other than merely storing and maintaining the security of the affected Personal Data) until such time as the Customer issues new instructions with which Cloudify is able to comply.
Cloudify shall implement and maintain appropriate technical and organizational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data. These measures shall include at minimum:
(a) Physical access controls: Measures to prevent unauthorized persons from gaining access to data processing systems (e.g., secured buildings and server rooms with controlled access);
(b) Logical access controls: Measures to prevent data processing systems from being used without authorization (e.g., password policies, two-factor authentication, encryption of systems);
(c) Data access controls: Measures to ensure that persons authorized to use a data processing system have access only to the data they are authorized to access (e.g., role-based access control, need-to-know principle);
(d) Data transfer controls: Measures to ensure that Personal Data cannot be read, copied, modified or deleted without authorization during electronic transmission, transport or storage (e.g., encryption of data in transit and at rest, secure file transfer protocols);
(e) Input controls: Measures to ensure that it is possible to check and establish whether and by whom Personal Data have been input into data processing systems (e.g., logging of data modifications);
(f) Availability controls: Measures to protect data against accidental destruction or loss (e.g., regular backups, redundant systems, disaster recovery procedures);
(g) Segregation controls: Measures to ensure that data collected for different purposes can be processed separately (e.g., multi-tenant architecture with logical separation).
Cloudify shall ensure that Personal Data is backed up and maintained using industry standards and that its infrastructure providers use commercially reasonable efforts to ensure a minimum of 99.9% uptime for access to Cloudify's services.
Cloudify shall ensure that persons authorized to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
Cloudify shall regularly test, assess and evaluate the effectiveness of its technical and organizational measures to ensure the security of the processing.
7. Data Subject Rights and Requests
Cloudify will provide reasonable assistance, including by appropriate technical and organizational measures and taking into account the nature of the Processing, to enable the Customer to respond to any request from Data Subjects seeking to exercise their rights under the Data Protection Law with respect to Personal Data (including access, rectification, restriction, deletion or portability of Personal Data, as applicable), to the extent permitted by the law. If such request is made directly to Cloudify, Cloudify will promptly inform the Customer and will advise Data Subjects to submit their request to the Customer. The Customer shall be solely responsible for responding to any Data Subjects' requests.
8. Personal Data Breach Notification
Cloudify will notify the Customer without undue delay and, where feasible, within 72 hours after becoming aware of any Personal Data Breach affecting any Personal Data. This notification will include, at a minimum:
(i) a description of the nature of the Personal Data Breach including, where possible, the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned;
(ii) the name and contact details of Cloudify's data protection officer or other contact point where more information can be obtained;
(iii) a description of the likely consequences of the Personal Data Breach; and
(iv) a description of the measures taken or proposed to be taken to address the Personal Data Breach, including measures to mitigate its possible adverse effects.
At the Customer's request, Cloudify will promptly provide the Customer with all reasonable assistance necessary to enable the Customer to notify relevant Personal Data Breaches to competent authorities and/or affected Data Subjects, if the Customer is required to do so under the Data Protection Law.
9. Sub-Processors
9.1 Authorization of Sub-Processors
The Customer generally authorizes Cloudify to engage Sub-Processors to Process Personal Data on their behalf. Cloudify has currently appointed, as Sub-Processors, the Cloudify Affiliates and third parties listed in Section 9.5.
9.2 Sub-processor Changes
Cloudify shall notify the Customer in writing at least thirty (30) days in advance of any intended addition or replacement of a Sub-Processor. Such notice shall include details of the Processing activity or activities to be undertaken by the new Sub-Processor and the identity and contact details of the Sub-Processor.
The Customer may object to Cloudify's appointment or replacement of a Sub-Processor prior to its appointment or replacement, provided such objection is based on reasonable grounds relating to data protection. In such event, the parties will discuss such concerns in good faith with a view to achieving resolution. If no resolution can be reached, Cloudify will either not appoint or replace the Sub-Processor or, if this is not possible, the Customer may terminate the affected service (without prejudice to any fees incurred by the Customer prior to termination).
9.3 Sub-processor Obligations
Where Cloudify engages Sub-Processors, Cloudify will impose data protection terms on the Sub-Processors that provide at least the same level of protection for Personal Data as those in this DPA (including, where appropriate, the Standard Contractual Clauses), to the extent applicable to the nature of the services provided by such Sub-Processors.
9.4 Liability
Cloudify shall remain fully liable to the Customer for the performance of any Sub-Processor engaged by Cloudify.
9.5 List of Current Sub-Processors
As of the effective date of this DPA, Cloudify ApS uses the following Sub-Processors in delivering its services:
9.5.1 Internal Systems
9.5.2 Infrastructure
9.5.3 Marketing and Communications
9.5.4 Payment Processing
10. International Data Transfers
10.1 Transfer Mechanisms
Cloudify shall not transfer Personal Data to any country or recipient not recognized as providing an adequate level of protection for Personal Data (within the meaning of applicable Data Protection Laws) unless it first takes all such measures as are necessary to ensure the transfer is in compliance with applicable Data Protection Laws.
10.2 Standard Contractual Clauses
The EU Standard Contractual Clauses (SCCs) as approved by the European Commission on June 4, 2021, or any subsequent version thereof published by the European Commission, are hereby incorporated by reference and shall apply to any transfers of Personal Data under this DPA from the European Union, the European Economic Area and/or their member states, Switzerland and the United Kingdom to countries which do not ensure an adequate level of data protection within the meaning of Data Protection Laws of the foregoing territories.
10.3 Data Processing Locations
The Customer acknowledges that in connection with the performance of the Subscription Services, Cloudify may process Personal Data in countries outside the European Economic Area, including in countries not recognized by the European Commission as providing an adequate level of protection. Any such international transfers will be conducted in accordance with the safeguards described in this Section 10.
11. Return or Deletion of Data
Upon termination or expiration of the Agreement, Cloudify shall (at the Customer's election) delete or return to the Customer all Personal Data in its possession or control. This requirement shall not apply to the extent that Cloudify is required by applicable law to retain some or all of the Personal Data.
For Personal Data that Cloudify has archived on back-up systems, Cloudify shall: (i) securely isolate and protect such Personal Data from any further processing except as required by applicable law; (ii) ensure such Personal Data remains subject to the security measures described in Section 6; and (iii) delete such Personal Data within 180 days from the date of termination or expiration of the Agreement, unless a longer retention period is required by applicable law.
Cloudify shall provide written certification of compliance with this Section upon Customer's request.
12. Liability
The parties' liability arising out of or related to this DPA (whether in contract, tort or under any other theory of liability) is subject to the limitations of liability in the Agreement. As between the parties, Cloudify's total liability for all claims from the Customer arising out of or related to the Agreement and this DPA shall apply in the aggregate to all claims under both the Agreement and all DPAs established under the Agreement.
13. Governing Law and Jurisdiction
The parties to this DPA hereby submit to the choice of jurisdiction stipulated in the Agreement with respect to any disputes or claims howsoever arising under this DPA.
15. Amendments to this DPA
Cloudify may amend this DPA from time to time to reflect: (a) changes in applicable laws; (b) regulatory guidance or best practices; (c) improvements to security practices; or (d) changes to Cloudify's services.
Cloudify will provide the Customer with at least thirty (30) days' prior written notice of any material changes to this DPA. If the Customer objects to any such changes on reasonable grounds, the Customer may terminate the Agreement by providing written notice to Cloudify within thirty (30) days of being notified of the changes.
16. Contact Information
For questions or concerns about this DPA, please contact Cloudify at info@cloudify.biz.