This Data Processing Agreement (herein referred to as the “DPA”) forms part of the overall Terms of Service and is made and entered into by and between Cloud Access LLC, on behalf of itself and its subsidiaries, (herein referred to as “CloudAccess.net”, “we”, “our”, “ourselves”), and the Customer (herein referred to as “Customer”, “you”, “your”, “yourself”).
“The Services” means services CloudAccess.net may provide to you, collectively or separately, including web hosting, content delivery network, internet security including SSL certificates, domain registrations and other related services either by ourselves or in conjunction with partners and subsidiaries.
“Data Controller” means the Customer.
“Data Processor” means CloudAccess.net.
“Directive” means the EU Data Protection Directive 95/46/EC (as amended).
“General Data Protection Regulation” means the European Union General Data Protection Regulation on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
“Local Data Protection Laws” means any subordinate legislation and regulation implementing the Directive or the General Data Protection Regulation.
“Privacy Laws” means all applicable laws, regulations, and other legal requirements relating to privacy, data security, consumer protection, marketing, promotion, and text messaging, email, and other communications; and the use, collection, retention, storage, security, disclosure, transfer, disposal, and other processing of any Personal Data.
“Data Protection Requirements” means the Directive, the General Data Protection Regulation, Local Data Protection Laws, any subordinate legislation and regulation implementing the General Data Protection Regulation, and all Privacy Laws.
“Personal Data” has meaning as given in Article 4 of the General Data Protection Regulation.
“Customer Personal Data” means Personal Data that the Customer uploads or otherwise provides CloudAccess.net in connection with its use of the Services.
“Personal Data Breach” means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data.
“Process” and its cognates has meaning as given in Article 4 of the General Data Protection Regulation.
“Subprocessor” means any entity which provides processing services to CloudAccess.net.
“Supervisory Authority” means an independent public authority which is established by a European Union member state pursuant to Article 51 of the General Data Protection Regulation.
The Customer and CloudAccess.net shall comply with their Data Protection Requirements including the General Data Protection Regulation as well as other applicable Privacy Laws. CloudAccess.net has appointed the Republic of Poland’s Office for the Protection of Personal Data as its Supervisory Authority. The Customer acknowledges that CloudAccess.net collects and maintains records of each Data Controller and Data Processor on behalf of which CloudAccess.net acts and makes available such records to a Supervisory Authority by request. Customer intends to use the Services and in the course of doing so will upload or otherwise provide CloudAccess.net with Customer Personal Data as required by the nature of the Service provided to the Customer.
The Customer shall have sole responsibility for the accuracy, quality and processing of Customer Personal Data. CloudAccess.net shall not access, use or process Customer Personal Data on behalf of Customer except as otherwise required to deliver the Services, provide technical support related to the Services and for maintenance and improvement of the Services unless otherwise directed by Customer. The Customer shall determine the nature and purpose of Customer Personal Data and the categories of Data Subjects.
During the course of using the Services, when Customer Personal Data is uploaded you may access, modify or delete data by logging into the Services using common protocols and tools. After Customer Personal Data has been modified or deleted the original data may continue to be retained in backup storage for up to ninety (90) days. Upon termination or expiry of the Services and upon written request by the Customer, CloudAccess.net will delete all Customer Personal Data in its possession or control. This requirement shall not apply to the extent that CloudAccess.net is required by law to retain some or all of the Customer Personal Data, or to Customer Personal Data it has retained in backup storage, which CloudAccess.net shall take reasonable steps protect from any further processing except to the extent required by law.
The Customer consents to CloudAccess.net engaging third party Subprocessors in connection with the delivery of the Services. These Subprocessors may include partners and subsidiaries. CloudAccess.net maintains an up-to-date list of its Subprocessors. Customer may request information related to the appointment of new or the replacement of existing Subprocessors. CloudAccess.net will respond to reasonable requests for additional information or objections by the Customer to the use of a Subprocessor.
Customer shall have sole responsibility for where they upload Customer Personal Data during the course of using the Services. CloudAccess.net maintains servers in secure data centres worldwide, some of which are located outside of the EU and EEA. The Services allows for selection by the Customer of data centre region during the checkout process as well as through the Cloud Control Panel customer portal. If the Customer is unsure which data centre region the Services are delivered from, or would like to transfer between regions, CloudAccess.net’s support team can provide assistance upon request. Customer acknowledges that certain aspects of the Services, such as the content delivery network, are by their design and purpose, served by multiple worldwide data centres including outside of the EU and EEA. In delivery and support of the Services, the Customer consents to CloudAccess.net engaging international Subprocessors located outside of the EU and EEA including partners and subsidiaries.
CloudAccess.net shall provide reasonable and timely assistance to Customer in accordance with this DPA and the Services, to enable Customer to respond to a request from a Data Subject to exercise any of its rights under the General Data Protection Regulation (including its rights of access, correction, objection, erasure and data portability, as permitted); and any other correspondence, enquiry or complaint received from a Data Subject, regulator or other third party in connection with the processing of the Customer Personal Data. In the event that any such request, correspondence, enquiry or complaint is made directly to CloudAccess.net, CloudAccess.net shall inform the Customer providing details of the same unless otherwise prohibited.
CloudAccess.net shall provide the Customer with reasonable assistance in support of a data protection impact assessment, solely in relation to Customer Personal Data, this DPA, the Services and where the Customer would not otherwise have access to the relevant information.
CloudAccess.net shall ensure that appropriate contractual obligations related to confidentiality exist with its personnel and that these survive the termination of engagement.
CloudAccess.net ensures that appropriate technical and organizational safeguards exist for the Processing of Personal Data including the hiring of qualified personnel, physical data centre access controls, systems access controls, data access controls, data transmission protocols, systems logging and backup systems.
If CloudAccess.net becomes aware of a confirmed Personal Data Breach impacting Customer Personal Data, CloudAccess.net shall notify the Customer and where possible shall provide reasonable information and cooperation to the Customer so that the Customer can fulfil any data breach reporting obligations it may have under the General Data Protection Regulation. The Customer shall indemnify and keep indemnified CloudAccess.net against all losses with respect to any Personal Data Breach due to non-compliance by Customer with its Data Protection Requirements or violation of this DPA.
The Customer shall comply with its protection, security and other obligations with respect to Personal Data prescribed by Data Protection Requirements for Data Controllers by establishing and maintaining a procedure for the exercising of the rights of the individuals whose Personal Data are processed by Customer; processing only data that has been lawfully and validly collected and ensuring that such data will be relevant and proportionate to the respective uses; ensuring compliance with the provisions of this DPA by its personnel or by any third-party accessing or using Personal Data on its behalf. The Customer acknowledges it has reviewed and Consents to CloudAccess.net’s separate Privacy Notice in relation to the Services and will periodically review the Privacy Notice for any changes and additions.
CloudAccess.net shall provide audit and inspection assistance to Customer, if requested in writing to CloudAccess.net’s address of notice, to verify CloudAccess.net’s compliance with its obligations under this DPA. Customer shall be responsible for any costs incurred by CloudAccess.net as the result of providing such assistance. If CloudAccess.net declines to cooperate with an audit or inspection request Customer has the rights to terminate this DPA and the Services.