Data Processing Agreement
This Cloudify Data Processing Agreement ("DPA") covers all services offered by Cloudify ApS ("Cloudify", "Processor", "we", "us", or "our"), including digital analysis, SaaS implementation, custom integrations, and Partner Marketplace integrations (DIY automation). This DPA reflects the parties' agreement with respect to the Processing of Personal Data by Cloudify on behalf of the Customer ("Customer", "Controller", "you", or "your") in connection with Cloudify's services.
This DPA forms part of the Terms and Conditions and becomes binding when the Customer uses Cloudify's services after having the opportunity to review it.
For the full terms and conditions governing your use of Cloudify's services, please refer to our Terms and Conditions, which should be read in conjunction with this DPA.
Cloudify may update these terms from time to time to reflect changes in law, regulations, or business practices. Any significant changes to this DPA that may impact the Customer's rights or obligations will be communicated to the Customer at least 30 days before taking effect. The Customer will be given the opportunity to review the updated terms. If the Customer does not accept the updated terms, the Customer may discontinue using Cloudify's services.
1. Definitions
"Controller" means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data. For the purposes of this DPA, the Customer is the Controller.
"Customer Data" means all data, including all text, sound, software, image or video files that are provided to Cloudify by, or on behalf of, the Customer and its end users through use of Cloudify's services. Customer Data includes both Personal Data and non-personal data.
"Data Protection Law" means all applicable legislation relating to data protection and privacy including without limitation the EU General Data Protection Regulation 2016/679 ("GDPR"), and any applicable national implementing laws, regulations and secondary legislation, as amended or updated from time to time, in the European Union, European Economic Area and their member states, Switzerland and the United Kingdom.
"Data Subject" means the identified or identifiable person to whom Personal Data relates.
"Instruction" means the written, documented instruction, issued by the Controller to the Processor, and directing the same to perform a specific action with regard to Personal Data (including, but not limited to, depersonalizing, blocking, deletion, making available).
"Personal Data" means any information relating to an identified or identifiable individual where such information is contained within Customer Data and is protected similarly as personal data or personally identifiable information under applicable Data Protection Law.
"Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.
"Processing" means any operation or set of operations which is performed on Personal Data, encompassing the collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction or erasure of Personal Data. The terms "Process", "Processes" and "Processed" will be construed accordingly.
"Processor" means a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Controller. For the purposes of this DPA, Cloudify is the Processor.
"Sub-Processor" means any Processor engaged by Cloudify to assist in fulfilling its obligations with respect to providing services to the Customer.
2. Subject Matter and Nature of Processing
The subject matter of Processing of Personal Data by the Processor is the provision of digital analysis, SaaS implementation, custom integrations, Partner Marketplace integrations, and other services to the Customer that involve the Processing of Personal Data. Personal Data will be subject to those Processing activities as may be specified in this DPA and customer usage of Cloudify's services.
3. Types of Personal Data and Purpose of Processing
Contact information, the extent of which is determined and controlled by the Customer in its sole discretion, and other Personal Data such as navigational data (including website usage information), email data, system usage data, application integration data, and other electronic data submitted, stored, sent, or received by end-users via Cloudify's services. Personal Data will be Processed for purposes of providing the services to the Customer.
4. Categories of Data Subjects
The Customer's contacts and other end users including Customer's employees, contractors, collaborators, customers, prospects, suppliers and subcontractors. Data Subjects also include individuals attempting to communicate with or transfer Personal Data to the Customer's end users.
5. Customer Responsibility
5.1 Compliance with Laws
When using Cloudify's services, the Customer will be responsible for complying with all requirements that apply to it under applicable Data Protection Laws with respect to its Processing of Personal Data and the Instructions it issues to Cloudify.
In particular but without prejudice to the generality of the foregoing, the Customer acknowledges and agrees that they will be solely responsible for:
(i) the accuracy, quality, and legality of their Customer Data and the means by which they acquired Personal Data;
(ii) complying with all necessary transparency and lawfulness requirements under applicable Data Protection Laws for the collection and use of the Personal Data, including obtaining any necessary consents and authorizations (particularly for use by Customer for marketing purposes);
(iii) ensuring they have the right to transfer, or provide access to, the Personal Data to Cloudify for Processing in accordance with this DPA;
(iv) ensuring that their Instructions to Cloudify regarding the Processing of Personal Data comply with applicable laws, including Data Protection Laws; and
(v) complying with all laws (including Data Protection Laws) applicable to any emails or other content created, sent or managed through Cloudify's services, including those relating to obtaining consents (where required) to send emails, the content of the emails and its email deployment practices.
The Customer will inform Cloudify without undue delay if they are not able to comply with their responsibilities under this 'Compliance with Laws' section or applicable Data Protection Laws.
5.2 Controller Instructions
The parties agree that this DPA, together with the Customer's use of Cloudify's services, constitute their complete and final Instructions to Cloudify in relation to the Processing of Personal Data, and additional instructions outside the scope of these Instructions shall require a prior written agreement with Cloudify.
5.3 Security
The Customer is responsible for independently determining whether the data security provided for in Cloudify's services adequately meets their obligations under applicable Data Protection Laws. The Customer is also responsible for their secure use of Cloudify's services, including protecting the security of Personal Data in transit to and from Cloudify's services (including to securely back up or encrypt any such Personal Data).
6. Obligations of Cloudify as Processor
Cloudify shall collect, process and use Personal Data only within the scope of Customer's Instructions. If Cloudify believes that an Instruction from the Customer infringes the Data Protection Law, it shall immediately inform the Customer without delay. If Cloudify cannot process Personal Data in accordance with the Instructions due to a legal requirement under any applicable European Union or Member State law, Cloudify will:
(i) promptly notify the Customer of that legal requirement before the relevant Processing to the extent permitted by the Data Protection Law; and
(ii) cease all Processing (other than merely storing and maintaining the security of the affected Personal Data) until such time as the Customer issues new instructions with which Cloudify is able to comply.
Cloudify shall implement and maintain appropriate technical and organizational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data. These measures shall include at minimum:
(a) Physical access controls: Measures to prevent unauthorized persons from gaining access to data processing systems (e.g., secured buildings and server rooms with controlled access);
(b) Logical access controls: Measures to prevent data processing systems from being used without authorization (e.g., password policies, two-factor authentication, encryption of systems);
(c) Data access controls: Measures to ensure that persons authorized to use a data processing system have access only to the data they are authorized to access (e.g., role-based access control, need-to-know principle);
(d) Data transfer controls: Measures to ensure that Personal Data cannot be read, copied, modified or deleted without authorization during electronic transmission, transport or storage (e.g., encryption of data in transit and at rest, secure file transfer protocols);
(e) Input controls: Measures to ensure that it is possible to check and establish whether and by whom Personal Data have been input into data processing systems (e.g., logging of data modifications);
(f) Availability controls: Measures to protect data against accidental destruction or loss (e.g., regular backups, redundant systems, disaster recovery procedures);
(g) Segregation controls: Measures to ensure that data collected for different purposes can be processed separately (e.g., multi-tenant architecture with logical separation).
Cloudify shall ensure that Personal Data is backed up and maintained using industry standards and that its infrastructure providers use commercially reasonable efforts to ensure a minimum of 99.9% uptime for access to Cloudify's services.
Cloudify shall ensure that persons authorized to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
Cloudify shall regularly test, assess and evaluate the effectiveness of its technical and organizational measures to ensure the security of the processing.
7. Data Subject Rights and Requests
Cloudify will provide reasonable assistance, including by appropriate technical and organizational measures and taking into account the nature of the Processing, to enable the Customer to respond to any request from Data Subjects seeking to exercise their rights under the Data Protection Law with respect to Personal Data (including access, rectification, restriction, deletion or portability of Personal Data, as applicable), to the extent permitted by the law. If such request is made directly to Cloudify, Cloudify will promptly inform the Customer and will advise Data Subjects to submit their request to the Customer. The Customer shall be solely responsible for responding to any Data Subjects' requests.
8. Personal Data Breach Notification
Cloudify will notify the Customer without undue delay and, where feasible, within 72 hours after becoming aware of any Personal Data Breach affecting any Personal Data. This notification will include, at a minimum:
(i) a description of the nature of the Personal Data Breach including, where possible, the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned;
(ii) the name and contact details of Cloudify's data protection contact point where more information can be obtained;
(iii) a description of the likely consequences of the Personal Data Breach; and
(iv) a description of the measures taken or proposed to be taken to address the Personal Data Breach, including measures to mitigate its possible adverse effects.
At the Customer's request, Cloudify will promptly provide the Customer with all reasonable assistance necessary to enable the Customer to notify relevant Personal Data Breaches to competent authorities and/or affected Data Subjects, if the Customer is required to do so under the Data Protection Law.
Customers should report any security concerns or suspected data breaches to Cloudify promptly by contacting support@cloudify.biz.
9. Sub-Processors
9.1 Authorization of Sub-Processors
The Customer generally authorizes Cloudify to engage Sub-Processors to Process Personal Data on their behalf. Cloudify has currently appointed, as Sub-Processors, the Cloudify Affiliates and third parties listed in Section 9.5.
9.2 Sub-processor Changes
Cloudify shall notify the Customer in writing at least thirty (30) days in advance of any intended addition or replacement of a Sub-Processor. Such notice shall include details of the Processing activity or activities to be undertaken by the new Sub-Processor and the identity and contact details of the Sub-Processor.
The Customer may object to Cloudify's appointment or replacement of a Sub-Processor prior to its appointment or replacement, provided such objection is based on reasonable grounds relating to data protection. In such event, the parties will discuss such concerns in good faith with a view to achieving resolution. If no resolution can be reached, Cloudify will either not appoint or replace the Sub-Processor or, if this is not possible, the Customer may terminate the affected service (without prejudice to any fees incurred by the Customer prior to termination).
9.3 Sub-processor Obligations
Where Cloudify engages Sub-Processors, Cloudify will impose data protection terms on the Sub-Processors that provide at least the same level of protection for Personal Data as those in this DPA, to the extent applicable to the nature of the services provided by such Sub-Processors.
9.4 Liability
Cloudify shall remain fully liable to the Customer for the performance of any Sub-Processor engaged by Cloudify.
9.5 List of Current Sub-Processors
As of the effective date of this DPA, Cloudify ApS uses the following Sub-Processors in delivering its services:
9.5.1 Internal Systems
9.5.2 Infrastructure
9.5.3 Marketing and Communications
9.5.4 Payment Processing
10. International Data Transfers
10.1 Data Storage Location
Cloudify processes all customer data on servers physically located within the European Union. While some Sub-Processors may be based outside the EU, they only process data on EU-based infrastructure under appropriate contractual safeguards.
10.2 Transfer Mechanisms
Cloudify shall not transfer Personal Data to any country or recipient not recognized as providing an adequate level of protection for Personal Data (within the meaning of applicable Data Protection Laws) unless it first takes all such measures as are necessary to ensure the transfer is in compliance with applicable Data Protection Laws.
11. Return or Deletion of Data
Upon termination of the Customer's use of Cloudify's services, Cloudify shall (at the Customer's election) delete or return to the Customer all Personal Data in its possession or control. This requirement shall not apply to the extent that Cloudify is required by applicable law to retain some or all of the Personal Data.
For Personal Data that Cloudify has archived on back-up systems, Cloudify shall:
(i) securely isolate and protect such Personal Data from any further processing except as required by applicable law;
(ii) ensure such Personal Data remains subject to the security measures described in Section 6; and (iii) delete such Personal Data within 180 days from the date of termination, unless a longer retention period is required by applicable law.
This retention policy aligns with Section 4 of the Terms and Conditions regarding the retention of personal information for up to six months after the subscription ends.
12. Liability
The parties' liability arising out of or related to this DPA (whether in contract, tort or under any other theory of liability) is subject to the limitations of liability in the Terms and Conditions. As between the parties, Cloudify's total liability for all claims from the Customer arising out of or related to Cloudify's services and this DPA shall apply in the aggregate to all claims.
13. Governing Law and Jurisdiction
The parties to this DPA hereby submit to the choice of jurisdiction stipulated in the Terms and Conditions with respect to any disputes or claims howsoever arising under this DPA.
14. Service Stability
Cloudify implements appropriate business continuity and disaster recovery procedures to ensure the stability and reliability of its data processing services. While Cloudify strives to provide uninterrupted services, there may be occasions when services are temporarily unavailable due to maintenance, upgrades, or unforeseen technical issues.
In line with Section 10 of the Terms and Conditions regarding System Stability, Cloudify commits to a Service Level Agreement of 99% uptime for our services. Our infrastructure utilizes AWS services including Lambda and SQS, which have their own SLA commitments (AWS Lambda: 99.95% uptime, AWS SQS: 99.9% uptime).
Cloudify monitors service loads to safeguard against errors and reserves the right to limit the use of services offered for operational and security reasons without notice if necessary to maintain system integrity.
15. Amendments to this DPA
Cloudify may amend this DPA from time to time to reflect: (a) changes in applicable laws; (b) regulatory guidance or best practices; (c) improvements to security practices; or (d) changes to Cloudify's services.
Cloudify will provide the Customer with at least thirty (30) days' prior written notice of any material changes to this DPA. If the Customer objects to any such changes on reasonable grounds, the Customer may discontinue using Cloudify's services.
16. Audit Rights
Upon reasonable request, Cloudify shall provide information necessary to demonstrate compliance with this DPA. Cloudify shall allow for audits by the Customer, subject to reasonable notice and confidentiality requirements.
17. Contact Information
For questions or concerns about this DPA, please contact Cloudify at info@cloudify.biz.
