This Data Processing Addendum (“DPA”) sets out the additional terms and conditions on which A Cloud Guru Ltd. and Serverless Heroes, Inc. or their affiliates (“ACG”), will process Personal Data when providing services to the party subscribing to ACG’s services (“Subscriber,” “you,” “your”), where those services are governed by GDPR or where the parties otherwise agree that this DPA applies. This DPA supplements and is incorporated into the Agreement between ACG and Subscriber.
BACKGROUND AND INTERPRETATION
A. Subscriber and ACG entered into an Agreement that may require ACG to process Personal Data on behalf of Subscriber.
B. This DPA contains the mandatory clauses required by Article 28(3) of the General Data Protection Regulation (EU 2016/67) (“GDPR”) for contracts between controllers and processors.
C. This DPA consists of two parts: the main body of the DPA, and Annex A, B (including Appendices 1 and 2) and C. This DPA, including the Standard Contractual Clauses in Annex B, form a part of the Agreement and are each deemed to be executed in connection with the execution of the Agreement by ACG and Subscriber and legally binding upon such parties.
D. The Annexes hereto form part of this DPA, and any reference to this DPA includes the Annexes. In the case of conflicting terms, the following terms will govern, in order of precedence: first, the Standard Contractual Clauses, then the body of this DPA, then the Annexes to this DPA, then the Agreement.
Unless otherwise defined in the Agreement or in the body of this DPA, all capitalized terms used in this DPA will have the following corresponding meanings:
1.1. “ACG Security Standards”: the security standards of ACG set forth on the following webpage https://acloudguru.com/policies/security.
1.2. “Agreement”: the agreement and Order Form(s) or other applicable agreement(s) and/or terms and conditions governing Subscriber’s access to and use of the services, products, and platforms offered by ACG (“Services”).
1.3. “Business Purpose”: (a) to perform in accordance with the terms of the Agreement and to provide, maintain, enhance, and update the Services provided to Subscriber under the Agreement; and (b) to prevent or address service, security, support, or technical issues related to the Services.
1.5. “Data Protection Laws“: all laws and regulations, including laws and regulations of the European Union, the European Economic Area and their member states (including but not limited to, GDPR), Switzerland, the United Kingdom, and the United States and its states, which are applicable to the Processing of Personal Data under the Agreement.
1.6. “Personal Data“: any information relating to an identified or identifiable natural person that is processed by ACG as a result of, or in connection with, ACG’s provision of the Services under the Agreement; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
1.7. “Personal Data Breach“: a breach of ACG’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
1.8. “Processing, processes, and process“: any activity that involves the processing of Personal Data or as the Data Protection Laws may otherwise define processing, processes or process. This includes any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. Processing also includes transferring Personal Data to third parties.
1.9. “Standard Contractual Clauses”: the European Commission’s Standard Contractual Clauses for the transfer of Personal Data from the European Union to processors established in third countries (controller-to-processor transfers), as set out in the Annex to Commission Decision 2010/87/EU, a completed copy of which comprises Annex B and which forms a part of this DPA.
2. DATA PROCESSING.
2.1. With respect to Personal Data of Data Subjects: (a) ACG will act as “processor” of Personal Data and Subscriber will act either as “controller” or “processor,” as defined by GDPR; and (b) ACG will acts as a “Service Provider” as defined by CCPA
2.2. Subscriber retains control of the Personal Data and remains responsible for its compliance obligations under the applicable Data Protection Laws, including providing any required notices and obtaining any required consents, and for the processing instructions it gives to ACG.
2.3. Annex A describes the subject matter, duration, nature and purpose of processing and the Personal Data categories and Data Subject types, which ACG may process to fulfil the Business Purpose of the Agreement.
2.4. ACG will process Personal Data will process the Personal Data in compliance with applicable Data Protection Laws and other laws, enactments, regulations, orders, standards and other similar instruments binding upon it in the performance of this DPA; and if and to the extent Subscriber processes Personal Data in connection with the Services, subscriber will do the same. Subscriber shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Subscriber acquired Personal Data.
2.5. ACG will process Personal Data only (a) for the Business Purpose, (b) as otherwise initiated or instructed by Subscriber or its Data Subjects (e.g., via email, support tickets or instructions for configuration of tools or features made available by ACG in connection with the Services) (“Instructions“), or (b) as required by Data Protection Laws. The parties agree that the Agreement and DPA are deemed to be Instructions. Any additional or alternate instructions must be agreed separately agreed upon by Subscriber and ACG. ACG will promptly notify Subscriber if, in ACG’s opinion, Subscriber’s Instructions would not comply with Data Protection Laws.
3. CONFIDENTIALITY OF PERSONAL DATA.
ACG will maintain the confidentiality of all Personal Data and will not disclose Personal Data to third parties except as authorized by Subscriber’s Agreement, as otherwise by Subscriber in writing, or as required by law. If a law, court, regulator or supervisory authority requires ACG to process or disclose Personal Data, ACG will first inform Subscriber of the legal or regulatory requirement and give Subscriber an opportunity to object or challenge the requirement, unless ACG is legally prohibited from doing so. If the Standard Contractual Clauses apply, nothing in this Section 3 varies or modifies the Standard Contractual Clauses.
4. CONFIDENTIALITY Obligations OF ACG PERSONNEL.
ACG restricts its personnel from processing Personal Data without authorization by ACG as described in the ACG Security Standards. ACG imposes appropriate contractual obligations upon its personnel, including relevant obligations regarding confidentiality, data protection and data security.
5.1. ACG will at all times implement appropriate technical and organizational measures as described in the AGG Security Standards.
5.2. In particular, ACG has implemented and will maintain the following measures to ensure a level of security appropriate to the risk involved, including as appropriate:
(a) the pseudonymization and encryption of Personal Data when such data is being transferred;
(b) process to maintain the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
(c) written plan to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and
(d) a process for regularly testing, assessing and evaluating the effectiveness of security measures.
Such measures may be obtained by Subscriber from ACG or directly from a third-party supplier.
6.1. Subscriber agrees that ACG may use sub-processors to fulfill its contractual obligations under the Agreement or this DPA or to provide certain services on its behalf. For the avoidance of doubt, the above authorization constitutes Subscriber’s written consent to the sub-processing by ACG for the purposes of Clause 11 of the Standard Contractual Clauses. ACG’s Sub-processor List (available at https://acloudguru.com/policies/subprocessors) (“Sub-processor List“) contains an updated list of sub-processors that are currently engaged by ACG to carry out processing activities on Personal Data on behalf of Subscriber.
6.2. ACG will provide notice of new subprocessors by publicly posting new sub-processors on ACG’s Sub-processor List, with a date-updated notice, prior to authorizing any to new sub-processor to process Personal Data. Subscriber may also subscribe to receive updates as provided on the Subprocessor List page. Subscriber may reasonably object to ACG’s use of a new sub-processor (if making the Personal Data available to sub-processor may violate applicable Data Protection Laws or weaken the protections of such Personal Data) by notifying ACG in writing within ten (10) business days after receipt of ACG’s notice. Such notice to ACG shall explain the reasonable grounds for the objection. In the event Subscriber so objects to a new sub-processor, ACG will use commercially reasonable efforts to make available to Subscriber a change in the Services or recommend a commercially reasonable change to Subscriber’s configuration or use of the Services to avoid the processing of Personal Data by the objectionable sub-processor without burdening Subscriber. If ACG is unable to make available such change within a reasonable period of time, which shall not exceed thirty (30) days, either party may terminate without penalty the Agreement with respect only to those Services which cannot be provided by ACG without the use of the objectionable new sub-processor by providing written notice to the other party. Except as set forth in this Section, or as Subscriber may otherwise authorize, ACG will not permit any sub-processor to carry out processing activities on Personal Data on behalf of Subscriber.
6.3. Where ACG authorizes any sub-processor as described above:
(a) ACG will restrict the sub-processor’s access to Personal Data only to what is necessary to maintain the Services or to provide the Services to Subscriber and any Users in accordance with the Agreement and ACG will prohibit the sub-processor from accessing Personal Data for any other purpose;
(b) ACG maintains control over all Personal Data it entrusts to the sub-processor;
(c) ACG will enter into a written agreement with the sub-processor and, to the extent that the sub-processor is performing the same data processing services that are being provided by ACG under this DPA, ACG will impose on the sub-processor the same contractual obligations that ACG has under this DPA; and
(d) ACG will remain responsible for its compliance with the obligations of this DPA and for any acts or omissions of the sub-processors that cause ACG to breach any of ACG’s obligations under this DPA.
7. DATA SUBJECT RIGHTS.
7.1. ACG will, at no additional cost, take such technical and organizational measures as may be appropriate, and promptly provide such information to Subscriber as Subscriber may reasonably require, to enable Subscriber to comply with:
(a) the rights of Data Subjects under applicable Data Protection Laws, including subject access rights, the rights to rectify and erase personal data, object to the processing and automated processing of personal data, and restrict the processing of personal data; and
(b) information or assessment notices served on Subscriber by any supervisory authority under the Data Protection Laws.
7.2. ACG will notify Subscriber immediately if it receives any complaint, notice or communication that relates directly or indirectly to the processing of the Personal Data or to either party’s compliance with the Data Protection Laws.
7.3. ACG will notify Subscriber within ten (10) business days if it receives a request from a Data Subject to exercise any of their related rights under the Data Protection Laws.
7.4. ACG will provide Subscriber with reasonable assistance in responding to any complaint, notice, communication or Data Subject request.
7.5. ACG will not disclose the Personal Data to any Data Subject or to a third party other than at Subscriber’s request or instruction, as provided for in this DPA or as required by law.
8. SECURITY BREACH NOTIFICATION.
8.1. ACG will (a) notify Subscriber of a Personal Data Breach without undue delay after becoming aware of the Personal Data Breach, and (b) take reasonable steps to mitigate the effects and to minimize any damage resulting from the Personal Data Breach.
8.2. To assist Subscriber in relation to any Personal Data breach notifications Subscriber is required to make under the Data Protection Laws, ACG will include in the notification under Section 8.1(a) such information about the Personal Data Breach as ACG is reasonably able to disclose to Subscriber, taking into account the nature of the Services, the information available to ACG, and any restrictions on disclosing the information, such as confidentiality.
8.3. Subscriber agrees that:
(a) An unsuccessful Personal Data Breach will not be subject to this Section. An unsuccessful Personal Data Breach is one that results in no unauthorized access to Personal Data or to any of ACG’s equipment or facilities storing Personal Data, and may include, without limitation, pings and other broadcast attacks on firewalls or edge servers, port scans, unsuccessful log-on attempts, denial of service attacks, packet sniffing (or other unauthorized access to traffic data that does not result in access beyond headers) or similar incidents; and
(b) ACG’s obligation to report or respond to a Personal Data Breach under this Section is not and will not be construed as an acknowledgment by ACG of any fault or liability of ACG with respect to the Personal Data Breach.
(c) Notification(s) of Personal Data Breaches, if any, will be delivered to one or more of Subscriber’s account administrators or other contact information provided in the Agreement by any reasonable notification means, including via email. It is Subscriber’s sole responsibility to ensure Subscriber’s administrators and contacts maintain accurate contact information on the Subscriber account at all times.
(d) Subscriber will cooperate in good faith with ACG’s reasonable and lawful requests, within Subscriber’s reasonable control, to assist in mitigating the effects and minimizing any damage resulting from a Personal Data Breach.
9.1. ACG shall permit Subscriber (or its appointed third party auditors), at Subscriber’s cost, to audit ACG’s compliance with this DPA or Data Protection Laws, and shall make available to Subscriber all information, systems and staff under the direct control of ACG reasonably necessary for Subscriber (or its third-party auditors) to conduct such audit upon sixty (60) days’ prior written notice, but solely as such audit relates to ACG’s processing of the Personal Data (not any other aspect of ACG’s business or information systems). ACG acknowledges that it will provide Subscriber (or its third-party auditors) all necessary information and personnel as may be required to conduct such audit; provided however, that (a) such audit and the derivative work product produced in response to such audit shall at all times be subject to the provisions set forth in the confidentiality provisions set forth in the Agreement and (b) Subscriber will not have the right to audit, review, inspect or access any third party vendor or subcontractor site, but ACG will have a duty to seek to arrange a site visit when required by a governmental authority. Subscriber will make every effort to cooperate with ACG to schedule such audits at times that are convenient to ACG and Subscriber may not exercise its audit rights more than once in any twelve (12) calendar month period, except (i) if and when required by the instruction of a competent data protection authority; or (ii) Subscriber reasonably believes a further audit is necessary due to a Personal Data Breach suffered by ACG.
9.2. ACG will reasonably assist Subscriber with meeting Subscriber’s compliance obligations under the Data Protection Laws, taking into account the nature of ACG’s processing and the information available to ACG, including in relation to Data Subject rights, data protection impact assessments and reporting to and consulting with supervisory authorities under the Data Protection Laws.
9.3. If the Standard Contractual Clauses apply, nothing in this Section varies or modifies the Standard Contractual Clauses nor affects any supervisory authority’s or data subject’s rights under the Standard Contractual Clauses.
10. PERSONAL DATA TRANSFERS.
10.1. Subscriber agrees that ACG will have the right to transfer personal Personal Data to ACG or its affiliates located in the United States, the United Kingdom, and/or Australia. Except for the foregoing transfers to ACG or its affiliates, ACG shall not transfer the Personal Data (nor permit the Personal Data to be transferred) to any jurisdiction other than those to which transfers are permitted under the Data Protection Laws unless ACG has first obtained Subscriber’s prior written consent and takes such measures as are necessary to ensure the transfer is in compliance with Data Protection Laws. Such measures may include (without limitation) transferring the Personal Data to a recipient in a country that the European Commission has decided provides adequate protection for Personal Data, to a recipient that has achieved binding corporate rules authorization in accordance with Data Protection Laws, or to a recipient that has executed standard contractual clauses adopted or approved by the European Commission. The Standard Contractual Clauses will not apply to Personal Data that is not transferred, either directly or via onward transfer, outside the European Economic Area (“EEA“).
10.2. If any Personal Data transfer between Subscriber and ACG requires the execution of the Standard Contractual Clauses in order to comply with the Data Protection Laws (where Subscriber is the entity exporting Personal Data to ACG outside the EEA), the parties hereby agree that the Standard Contractual Clauses contained in Annex B shall be effective and further agree to take all other actions required to legitimize the transfer.
10.3. If Subscriber consents to appointment by ACG located within the EEA of a sub-processor located outside the EEA in compliance with the provisions of Section 6, then Subscriber authorizes ACG to enter into the Standard Contractual Clauses contained in Annex B with the sub-processor on its behalf. ACG will make the executed Standard Contractual Clauses available to Subscriber on request.
This DPA will remain in full force and effect so long as: (a) the Agreement remains in effect; or (b) ACG retains any Personal Data related to the Agreement in its possession or control.
12. DELETION OR RETURN OF DATA.
Upon termination of the Services for which ACG is processing Personal Data, ACG shall delete or return to Subscriber (whichever Subscriber requests) all Personal Data (including all copies) in its possession or control. This requirement shall not apply to the extent that ACG is required by the European Union, or any European Union Member State, or other country law to retain some or all of the Personal Data, in which event ACG shall protect the Personal Data from any further processing except to the extent required by such law.
13.1. ACG will keep reasonably detailed, accurate and up-to-date written records regarding any processing of Personal Data it carries out for Subscriber, including but not limited to, the access, control and security of the Personal Data, approved subcontractors and affiliates, the processing purposes, categories of processing, any transfers of Personal Data to a third country and related safeguards, and a general description of the technical and organizational security measures (“Records“).
13.2. ACG will ensure that the Records are reasonably sufficient to enable Subscriber to verify ACG’s material compliance with its obligations under this DPA and ACG will provide Subscriber with copies of the Records upon request.
Except as amended by this DPA, the Agreement will remain in full force and effect.
ANNEX A – PERSONAL DATA PROCESSING PURPOSE AND DETAILS
Details of Personal Data processing:
Subject matter of Processing: Personal Data of Subscriber and Data Subjects for whom Subscriber is the data controller and ACG is the data processor.
Duration of Processing: The duration of Personal Data processing is co-extensive with the duration of the Services or as otherwise provided under applicable law.
Nature of Processing:
- Personal data storage and record-keeping
- Processing necessary to provide, maintain and improve the Services provided to Subscriber and Data Subjects
- Processing initiated by Subscriber or Data Subjects
- Provision of customer and technical support
- Authentication and compliance checks to avoid abuse, and security scans.
Data Subject Types: Employees, contractors, customers, and end-users authorized by Subscriber. No data that falls into a Special Category of personal data will be processed.
Legal basis for processing Personal Data outside the EEA in order to comply with cross-border transfer restrictions: Standard Contractual Clauses between Subscriber as “data exporter” and ACG as “data importer”.
ANNEX B – STANDARD CONTRACTUAL CLAUSES
For the purposes of Article 26(2) of Directive 95/46/EC for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection
The entity identified as “Subscriber” in the DPA
(as determined by the Agreement)
A Cloud Guru Ltd., Regus, Regal House 3, Floor, 70 London Road, Twickenham TW1 3QS United Kingdom
Serverless, Heroes, Inc., 800 Brazos St., Suite 340, Austin, TX 78701
each a “party“; together “the parties“,
HAVE AGREED on the following Standard Contractual Clauses (the “Clauses”) in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the data exporter to the data importer of the Personal Data specified in Annex A.
Clause 1 – Definitions
For the purposes of the Clauses:
(a) “personal data,” “special categories of data,“ “process/processing,“ “controller,“ “processor,“ “data subject,“ and “supervisory authority“ shall have the same meaning as in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data;
(b) ‘’the data exporter” means the controller who transfers the personal data;
(c) “the data importer” means the processor who agrees to receive from the data exporter personal data intended for processing on his behalf after the transfer in accordance with his instructions and the terms of the Clauses and who is not subject to a third country’s system ensuring adequate protection within the meaning of Article 25(1) of Directive 95/46/EC;
(d) “the sub-processor“ means any processor engaged by the data importer or by any other sub-processor of the data importer who agrees to receive from the data importer or from any other sub-processor of the data importer personal data exclusively intended for processing activities to be carried out on behalf of the data exporter after the transfer in accordance with his instructions, the terms of the Clauses and the terms of the written subcontract;
(e) “the applicable data protection law“ means the legislation protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of personal data applicable to a data controller in the Member State in which the data exporter is established;
(f) “technical and organizational security measures“ means those measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.
Clause 2 – Details of the Transfer
The details of the transfer and in particular the special categories of personal data where applicable are specified in Exhibit 1 which forms an integral part of the Clauses.
Clause 3 – Third-party Beneficiary Clause
1. The data subject can enforce against the data exporter this Clause, Clause 4(b) to (i), Clause 5(a) to (e), and (g) to (j), Clause 6(1) and (2), Clause 7, Clause 8(2), and Clauses 9 to 12 as third-party beneficiary.
2. The data subject can enforce against the data importer this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where the data exporter has factually disappeared or has ceased to exist in law unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity.
3. The data subject can enforce against the sub-processor this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity. Such third-party liability of the sub-processor shall be limited to its own processing operations under the Clauses.
4. The parties do not object to a data subject being represented by an association or other body if the data subject so expressly wishes and if permitted by national law.
Clause 4 – Obligations of the Data Exporter
The data exporter agrees and warrants:
(a) that the processing, including the transfer itself, of the personal data has been and will continue to be carried out in accordance with the relevant provisions of the applicable data protection law (and, where applicable, has been notified to the relevant authorities of the Member State where the data exporter is established) and does not violate the relevant provisions of that State;
(b) that it has instructed and throughout the duration of the personal data processing services will instruct the data importer to process the personal data transferred only on the data exporter’s behalf and in accordance with the applicable data protection law and the Clauses;
(c) that the data importer will provide sufficient guarantees in respect of the technical and organizational security measures specified in Exhibit 2 to this contract;
(d) that after assessment of the requirements of the applicable data protection law, the security measures are appropriate to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected having regard to the state of the art and the cost of their implementation;
(e) that it will ensure compliance with the security measures;
(f) that, if the transfer involves special categories of data, the data subject has been informed or will be informed before, or as soon as possible after, the transfer that its data could be transmitted to a third country not providing adequate protection within the meaning of Directive 95/46/EC;
(g) to forward any notification received from the data importer or any sub-processor pursuant to Clause 5(b) and Clause 8(3) to the data protection supervisory authority if the data exporter decides to continue the transfer or to lift the suspension;
(h) to make available to the data subjects upon request a copy of the Clauses, with the exception of Exhibit 2, and a summary description of the security measures, as well as a copy of any contract for sub-processing services which has to be made in accordance with the Clauses, unless the Clauses or the contract contain commercial information, in which case it may remove such commercial information;
(i) that, in the event of sub-processing, the processing activity is carried out in accordance with Clause 11 by a sub-processor providing at least the same level of protection for the personal data and the rights of data subject as the data importer under the Clauses; and
(j) that it will ensure compliance with Clause 4(a) to (i).
Clause 5 – Obligations of the Data Importer
The data importer agrees and warrants:
(a) to process the personal data only on behalf of the data exporter and in compliance with its instructions and the Clauses; if it cannot provide such compliance for whatever reasons, it agrees to inform promptly the data exporter of its inability to comply, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
(b) that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the Clauses, it will promptly notify the change to the data exporter as soon as it is aware, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
(c) that it has implemented the technical and organizational security measures specified in Exhibit 2 before processing the personal data transferred;
(d) that it will promptly notify the data exporter about:
(i) any legally binding request for disclosure of the personal data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation,
(ii) any accidental or unauthorized access, and
(iii) any request received directly from the data subjects without responding to that request, unless it has been otherwise authorized to do so;
(e) to deal promptly and properly with all inquiries from the data exporter relating to its processing of the personal data subject to the transfer and to abide by the advice of the supervisory authority with regard to the processing of the data transferred;
(f) at the request of the data exporter to submit its data processing facilities for audit of the processing activities covered by the Clauses which shall be carried out by the data exporter or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality, selected by the data exporter, where applicable, in agreement with the supervisory authority;
(g) to make available to the data subject upon request a copy of the Clauses, or any existing contract for sub-processing, unless the Clauses or contract contain commercial information, in which case it may remove such commercial information, with the exception of Exhibit 2 which shall be replaced by a summary description of the security measures in those cases where the data subject is unable to obtain a copy from the data exporter;
(h) that, in the event of sub-processing, it has previously informed the data exporter and obtained its prior written consent;
(i) that the processing services by the sub-processor will be carried out in accordance with Clause 11;
(j) to send promptly a copy of any sub-processor agreement it concludes under the Clauses to the data exporter.
Clause 6 – Liability
1. The parties agree that any data subject, who has suffered damage as a result of any breach of the obligations referred to in Clause 3 or in Clause 11 by any party or sub-processor is entitled to receive compensation from the data exporter for the damage suffered.
2. If a data subject is not able to bring a claim for compensation in accordance with paragraph 1 against the data exporter, arising out of a breach by the data importer or his sub-processor of any of their obligations referred to in Clause 3 or in Clause 11, because the data exporter has factually disappeared or ceased to exist in law or has become insolvent, the data importer agrees that the data subject may issue a claim against the data importer as if it were the data exporter, unless any successor entity has assumed the entire legal obligations of the data exporter by contract of by operation of law, in which case the data subject can enforce its rights against such entity.
The data importer may not rely on a breach by a sub-processor of its obligations in order to avoid its own liabilities.
3. If a data subject is not able to bring a claim against the data exporter or the data importer referred to in paragraphs 1 and 2, arising out of a breach by the sub-processor of any of their obligations referred to in Clause 3 or in Clause 11 because both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, the sub-processor agrees that the data subject may issue a claim against the data sub-processor with regard to its own processing operations under the Clauses as if it were the data exporter or the data importer, unless any successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law, in which case the data subject can enforce its rights against such entity. The liability of the sub-processor shall be limited to its own processing operations under the Clauses.
Clause 7 – Mediation and Jurisdiction
1. The data importer agrees that if the data subject invokes against it third-party beneficiary rights and/or claims compensation for damages under the Clauses, the data importer will accept the decision of the data subject:
(a) to refer the dispute to mediation, by an independent person or, where applicable, by the supervisory authority;
(b) to refer the dispute to the courts in the Member State in which the data exporter is established.
2. The parties agree that the choice made by the data subject will not prejudice its substantive or procedural rights to seek remedies in accordance with other provisions of national or international law.
Clause 8 – Cooperation with Supervisory Authorities
1. The data exporter agrees to deposit a copy of this contract with the supervisory authority if it so requests or if such deposit is required under the applicable data protection law.
2. The parties agree that the supervisory authority has the right to conduct an audit of the data importer, and of any sub-processor, which has the same scope and is subject to the same conditions as would apply to an audit of the data exporter under the applicable data protection law.
3. The data importer shall promptly inform the data exporter about the existence of legislation applicable to it or any sub-processor preventing the conduct of an audit of the data importer, or any sub-processor, pursuant to paragraph 2. In such a case the data exporter shall be entitled to take the measures foreseen in Clause 5 (b).
Clause 9 – Governing Law
The Clauses shall be governed by the law of the Member State in which the data exporter is established.
Clause 10 – Variation of the Contract
The parties undertake not to vary or modify the Clauses. This does not preclude the parties from adding clauses on business related issues where required as long as they do not contradict the Clause.
Clause 11 – Subprocessing
1. The data importer shall not subcontract any of its processing operations performed on behalf of the data exporter under the Clauses without the prior written consent of the data exporter. Where the data importer subcontracts its obligations under the Clauses, with the consent of the data exporter, it shall do so only by way of a written agreement with the sub-processor which imposes the same obligations on the sub-processor as are imposed on the data importer under the Clauses. Where the sub-processor fails to fulfil its data protection obligations under such written agreement the data importer shall remain fully liable to the data exporter for the performance of the sub-processor’s obligations under such agreement.
2. The prior written contract between the data importer and the sub-processor shall also provide for a third-party beneficiary clause as laid down in Clause 3 for cases where the data subject is not able to bring the claim for compensation referred to in paragraph 1 of Clause 6 against the data exporter or the data importer because they have factually disappeared or have ceased to exist in law or have become insolvent and no successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law. Such third-party liability of the sub-processor shall be limited to its own processing operations under the Clauses.
3. The provisions relating to data protection aspects for sub-processing of the contract referred to in paragraph 1 shall be governed by the law of the Member State in which the data exporter is established.
4. The data exporter shall keep a list of sub-processing agreements concluded under the Clauses and notified by the data importer pursuant to Clause 5 (j), which shall be updated at least once a year. The list shall be available to the data exporter’s data protection supervisory authority.
Clause 12 – Obligation After the Termination of Personal Data Processing Services
1. The parties agree that on the termination of the provision of data processing services, the data importer and the sub-processor shall, at the choice of the data exporter, return all the personal data transferred and the copies thereof to the data exporter or shall destroy all the personal data and certify to the data exporter that it has done so, unless legislation imposed upon the data importer prevents it from returning or destroying all or part of the personal data transferred. In that case, the data importer warrants that it will guarantee the confidentiality of the personal data transferred and will not actively process the personal data transferred anymore.
2. The data importer and the sub-processor warrant that upon request of the data exporter and/or of the supervisory authority, it will submit its data processing facilities for an audit of the measures referred to in paragraph 1.
Exhibit 1 – Details of Processing
This Exhibit forms part of the Clauses. The Member States may complete or specify, according to their national procedures, any additional necessary information to be contained in this Exhibit.
A. Data exporter: The data exporter is the Subscriber, as defined in the Services Agreement (Business) (“Agreement”).
B. Data importer: The data importer is A Cloud Guru Ltd. and Serverless Heroes, Inc., providers of subscription-based online training modules and services.
C. Data subjects: Categories of data subjects set out in Annex A of the Data Processing Addendum to which the Clauses are attached (“DPA”).
D. Categories of data: Categories of personal data set out in Annex A of the DPA.
E. Special categories of data (if appropriate): The parties do not anticipate the transfer of special categories of data.
F. Processing operations: The processing activities set out in Annex A of the DPA.
Exhibit 2 – Technical and Organizational Security Measures
This Exhibit forms part of the Clauses.
Description of the technical and organizational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) (or document/legislation attached):
ACG currently observes the security practices described on the following webpage https://acloudguru.com/policies/security. Notwithstanding any provision to the contrary otherwise agreed to by the data exporter, ACG may modify or update these practices at its discretion provided that such modification and update does not result in a material degradation in the protection offered by these practices. All capitalized terms not otherwise defined herein shall have the meanings as set forth in DPA.
ANNEX C – ADDITIONAL TERMS TO STANDARD CONTRACTUAL CLAUSES
1. References in this Annex C to (i) “data importer” and “data exporter” shall have the meanings given to them in the Standard Contractual Clauses; and (ii) “Clause” and “Clauses” shall mean clause and clauses in the Standard Contractual Clauses.
2. Clause 4(h) and Clause 8: Disclosure of the Standard Contractual Clauses. Data exporter agrees that the Standard Contractual Clauses constitute data importer’s Confidential Information as that term is defined in the Agreement and may not be disclosed by data exporter to any third party without data importer’s prior written consent unless permitted pursuant to the Agreement. This shall not prevent disclosure of these Clauses to a data subject pursuant to Clause 4(h) or a supervisory authority pursuant to Clause 8.
3. Clause 5(a): Suspension of data transfers and termination. For the purposes of Clause 5(a) of Standard Contractual Clauses, the parties agree that the Instructions (as defined in Section 2 of this DPA) set out the data exporter’s complete and final instructions to the data importer for the Processing of Personal Data. The parties acknowledge that if the data importer cannot provide such compliance for whatever reason, it agrees to promptly inform the data exporter of its inability to comply, in which case the data exporter is entitled to suspend the transfer of Personal Data and/or terminate the Agreement. If the data exporter intends to suspend the transfer of Personal Data and/or terminate the Standard Contractual Clauses, it shall endeavor to provide notice to the data importer and provide data importer with a reasonable period of time to cure the non-compliance (“Cure Period”). If after the Cure Period the data importer has not or cannot cure the non-compliance then the data exporter may suspend or terminate the transfer of Personal Data immediately. The data exporter shall not be required to provide such Cure Period in the instance where it considers there is a material risk of harm to data subjects or their Personal Data.
4. Clause 5(f): Audit. The parties agree that Section 9 (Audits) of this DPA governing audit rights under the DPA, shall also govern the Subscriber’s audit rights under the Standard Contractual Clauses. In the event that Subscriber wishes to exercise its audit rights under Standard Contractual Clauses (including under Clause 5(f) and Clause 12(2)), then Section 9 (Audits) of this DPA shall exclusively govern the parties’ obligations with respect to such audits.
5. Clause 5(h) and Clause 11: Onward Sub-processing. Data exporter provides a general consent to data importer, pursuant to Clause 11, to engage onward sub-processors. Such consent is conditional on data importer’s compliance with Section 6 (Subprocessing) of this DPA, which collectively ensure that the onward sub-processor will provide adequate protection for the Personal Data that it Processes.
6. Clause 5(j): Disclosure of Sub-Processor Agreement. The parties agree that at the data exporter’s reasonable written request, ACG shall promptly provide copies of the sub-processor agreements pursuant to Clause 5(j) of the Standard Contractual Clauses. The parties further acknowledge that, pursuant to the sub-processor’s confidentiality restrictions, data importer may be restricted from disclosing onward sub-processor agreement to data exporter. Notwithstanding this, the data importer shall use reasonable efforts to require any sub-processor to permit it to disclose the relevant sub-processors agreement to the data exporter. Data importer may remove or redact all commercial information, or clauses unrelated to the Standard Contractual Clauses or their equivalent.
7. Clause 6(1): Damage Limits. The parties agree that any damages arising under or in connection with Clause 6 will be subject to the limitations or exclusions of liability provisions that apply under the Agreement.
8. Clause 12(1): Termination of Processing. The parties agree that in satisfaction of Clause 12(1), on the completion or termination of the Agreement, ACG shall, upon Subscriber’s written request, delete or return all Personal Data in accordance with Section 7.1(a) (Data Subject Rights) and Section 12 (Return or Deletion of Data) of this DPA. The parties further agree that the certification of deletion of Personal Data that is described in Clause 12(1) of the Standard Contractual Clauses shall be provided by ACG to Subscriber only upon Subscriber’s request.
9. No Variation. Nothing in the DPA or this Annex C varies or modifies the Standard Contractual Clauses nor affects any supervisory authority’s or Data Subject’s rights under applicable Data Protection Laws. In the event of any conflict or inconsistency between the body of this DPA and any of its Annexes (not including the Standard Contractual Clauses) and the Standard Contractual Clauses in Annex B the Standard Contractual Clauses shall prevail.