This Data Processing Addendum (“Addendum”) supplements the End User License Agreement found at https://cloudcheckr.com/end-user-license-agreement, as updated from time to time between Customer and CloudCheckr, or other written or electronic agreement between Customer and CloudCheckr governing Customer’s use of the Services (the “Agreement”) between CloudCheckr Inc. and its affiliates (“CloudCheckr”) and the entity you represent (“Customer”). This Addendum applies when CloudCheckr Processes Customer Personal Data in the course of providing the Services to Customer. Terms not otherwise defined herein shall have the meaning given to them in the Agreement. Except as modified below, the terms of the Agreement shall remain in full force and effect.
- 1.1 In this Addendum, the following terms shall have the meanings set out below and cognate terms shall be construed accordingly:
- 1.1.1 “Applicable Laws” means (a) European Union or Member State laws with respect to any Customer Personal Data where Customer is subject to EU Data Protection Laws; and (b) any other applicable law with respect to any Customer Personal Data where Customer is subject to any other Data Protection Laws;
- 1.1.2 “Customer Personal Data” means any Personal Data Processed by CloudCheckr or CloudCheckr’s sub-processors on behalf of Customer pursuant to or in connection with the Agreement;
- 1.1.3 “Data Protection Laws” means EU Data Protection Laws and, to the extent applicable, the data protection or privacy laws of any other country;
- 1.1.4 “EEA” means the European Economic Area;
- 1.1.5 “EU Data Protection Laws” means EU Directive 95/46/EC, as transposed into domestic legislation of each Member State and as amended, replaced or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR;
- 1.1.6 “GDPR” means EU General Data Protection Regulation 2016/679;
- 1.1.7 “Restricted Transfer” means:
- 1.1.7.1 a transfer of Customer Personal Data from Customer to CloudCheckr; or
- 1.1.7.2 an onward transfer of Customer Personal Data from CloudCheckr to a Subprocessor, in each case, where such transfer would be prohibited by Data Protection Laws (or by the terms of data transfer agreements put in place to address the data transfer restrictions of Data Protection Laws) in the absence of a recognized compliance standard for the lawful transfer of Personal Data as defined in such relevant Data Protection Laws;
- 1.1.8 “Services” means the services and other activities to be supplied to or carried out by or on behalf of CloudCheckr for Customer pursuant to the Agreement;
- 1.1.9 “Subprocessor” means any person (including any third party and any CloudCheckr affiliate, but excluding an employee of CloudCheckr or any of its sub-contractors) appointed by or on behalf of CloudCheckr to Process Personal Data on behalf of Customer in connection with the Agreement; and
- 1.2 The terms “Commission”, “Controller”, “Data Subject”, “Member State”, “Personal Data”, “Personal Data Breach”, “Process”, “Processing”, and “Supervisory Authority” shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly.
2. Processing of Customer Personal Data
- 2.1 CloudCheckr shall not Process Customer Personal Data other than on Customer’s documented instructions unless Processing is required by Applicable Laws to which CloudCheckr is subject, in which case CloudCheckr shall to the extent permitted by Applicable Laws inform Customer of that legal requirement before the relevant Processing of that Personal Data. CloudCheckr will immediately inform Customer if, in CloudCheckr’s opinion, Customer’s instructions infringe any Applicable Laws.
- 2.2 Customer instructs CloudCheckr (and authorizes CloudCheckr to instruct each Subprocessor) to: Process Customer Personal Data, and in particular, transfer Customer Personal Data to any country or territory as reasonably necessary for the provision of the Services and consistent with the Agreement, and warrants and represents that it is and will at all relevant times remain duly and effectively authorized to give the instruction set out in this section 2.2 on behalf of each relevant Customer Affiliate.
- 2.3 Details of the Processing:
- 2.3.1 Subject Matter: The subject matter of Processing of Personal Data is the performance of the Services pursuant to the Agreement.
- 2.3.2 Duration of Processing: Subject to Section 9 of this Addendum, CloudCheckr will Process Personal Data for the duration of the Agreement, unless otherwise agreed upon in writing.
- 2.3.3 Nature and Purpose: The nature and purpose of the Processing is to allow CloudCheckr to perform the Services pursuant to the Agreement, as further specified in the Documentation, and as instructed by Customer while it uses the Services.
- 2.3.4 Categories of Data Subjects: Customer employees, Customer subcontractors authorized by Customer to use the Services, and any Customer end user authorized by Customer to use the Services.
- 2.3.5 Types of Personal Data: First and last name, contact information (company, email, phone, business address), billing information, job title and/or department, and geolocation data (country and/or IP address).
3. CloudCheckr Personnel
CloudCheckr shall take reasonable steps to ensure the reliability of any employee, agent, or contractor of CloudCheckr who may have access to the Customer Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know and/or access the relevant Customer Personal Data, as strictly necessary for the purposes of the Agreement, and to comply with Applicable Laws in the context of that individual’s duties, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.
- 4.1 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, CloudCheckr shall in relation to the Customer Personal Data implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk. With respect to the Personal Data Processed on behalf of Customer under the Agreement, CloudCheckr has implemented, and will maintain, a written information security program that includes appropriate physical, technical and organizational measures designed to protect such Personal Data against unauthorized access, use, disclosure, alteration or destruction, a summary of which is set out in Exhibit A hereto. The parties may amend Appendix 2 from time to time in accordance with any changes in Applicable Laws.
- 4.2 In assessing the appropriate level of security, CloudCheckr shall take account in particular of the risks that are presented by Processing, in particular from a Personal Data Breach.
- 5.1 Customer authorizes CloudCheckr to appoint (and permit each Subprocessor appointed in accordance with this section 5 to appoint) Subprocessors in accordance with this section 5 and any restrictions in the Agreement.
- 5.2 CloudCheckr may continue to use those Subprocessors already engaged by CloudCheckr as at the date of this Addendum, subject to CloudCheckr in each case as soon as practicable meeting the obligations set out in section 5.4.
- 5.3 CloudCheckr shall give Customer prior written notice of the appointment of any new Subprocessor, including full details of the Processing to be undertaken by the Subprocessor. If, within 10 days of receipt of that notice, Customer notifies CloudCheckr in writing of any objections (on reasonable grounds) to the proposed appointment:
- 5.3.1 CloudCheckr shall work with Customer in good faith to make available a commercially reasonable change in the provision of the Services which avoids the use of that proposed Subprocessor; and
- 5.3.2 where such a change cannot be made within 90 days from CloudCheckr’s receipt of Customer’s notice, notwithstanding anything in the Agreement, Customer may by written notice to CloudCheckr with immediate effect terminate the Agreement to the extent that it relates to the Services which require the use of the proposed Subprocessor.
- 5.4 With respect to each Subprocessor, CloudCheckr shall:
- 5.4.1 before the Subprocessor first Processes Customer Personal Data (or, where relevant, in accordance with section 5.2), carry out adequate due diligence to ensure that the Subprocessor is capable of providing the level of protection for Customer Personal Data required by the Agreement;
- 5.4.2 ensure that the arrangement between CloudCheckr and Subprocessor is governed by a written contract including terms which offer at least the same level of protection for Customer Personal Data as those set out in this Addendum;
- 5.4.3 if that arrangement involves a Restricted Transfer, ensure that (i) the Standard Contractual Clauses are at all relevant times incorporated into the agreement between CloudCheckr and Subprocessor or (ii) another recognized compliance standard for the lawful transfer of Personal Data as defined in the applicable Data Protection Laws is in place; and
- 5.4.4 provide to Customer for review such copies of its agreements with Subprocessors (which may be redacted to remove confidential commercial information not relevant to the requirements of this Addendum) as Customer may request from time to time.
- 5.5 CloudCheckr shall ensure that each Subprocessor performs the obligations under sections 2.1, 3, 4, 6.1, 7.2, 8, and 10, as they apply to Processing of Customer Personal Data carried out by that Subprocessor, as if it were party to this Addendum in place of CloudCheckr.
6. Data Subject Rights
- 6.1 Taking into account the nature of the Processing, CloudCheckr shall assist Customer and, where applicable, the relevant End User by implementing appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Customer’s or the relevant End User’s obligations, as reasonably understood by Customer or the relevant End User, to respond to requests to exercise Data Subject rights under the Data Protection Laws.
- 6.2 CloudCheckr shall:
- 6.2.1 promptly notify Customer if CloudCheckr or any Subprocessor receives a request from a Data Subject under any Data Protection Law in respect of Customer Personal Data; and
- 6.2.2 ensure that it and its Subprocessor(s) do not respond to that request except on the documented instructions of Customer or as required by Applicable Laws to which the CloudCheckr or its Subprocessor(s) is subject, in which case CloudCheckr shall to the extent permitted by Applicable Laws inform Customer of that legal requirement before CloudCheckr or its Subprocessor responds to the request.
7. Personal Data Breach
- 7.1 CloudCheckr shall notify Customer without undue delay upon CloudCheckr or any Subprocessor becoming aware of a Personal Data Breach affecting Customer Personal Data, providing Customer with sufficient information to allow Customer and, where applicable, the relevant End User, to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Data Protection Laws.
- 7.2 CloudCheckr shall co-operate with Customer and, where applicable, the relevant End User, and take such reasonable commercial steps as are directed by Customer to assist in the investigation, mitigation, and remediation of each such Personal Data Breach.
8. Data Protection Impact Assessment and Prior Consultation
Where Customer or, where applicable, the relevant End User, reasonably determines that CloudCheckr’s Processing of Customer Personal Data, taking into account the nature, scope, context, and purposes of CloudCheckr’s Processing, is likely to result in a high risk to the rights and freedoms of natural persons, then the Customer or relevant End User may request, and CloudCheckr shall provide, upon reasonable notification to CloudCheckr of not less than 10 business days, reasonable assistance, during CloudCheckr’s regular business hours, to Customer or the relevant End User, with any data protection impact assessments, and prior consultations with Supervisory Authorities or other competent data privacy authorities, in each case solely in relation to Processing of Customer Personal Data.
9. Deletion or return of Customer Personal Data
- 9.1 Subject to sections 9.2 and 9.3 CloudCheckr shall promptly upon the date of cessation of any Services involving the Processing of Customer Personal Data (the “Cessation Date”) return or delete, at the choice of the Customer, all copies of Customer Personal Data.
- 9.2 CloudCheckr may retain Customer Personal Data to the extent required by Applicable Laws and for such period as required by Applicable Laws, or where such data is necessary to satisfy CloudCheckr’s legal and regulatory obligations, and always provided that CloudCheckr shall ensure the confidentiality of all such Customer Personal Data and shall ensure that such Customer Personal Data is only Processed as necessary for the purpose(s) specified in the Applicable Laws or as required by legal and regulatory obligations requiring its storage and for no other purpose.
- 9.3 CloudCheckr shall provide written certification to Customer upon request that it has fully complied with this section 9.
10. Audit rights
- 10.1 Customer acknowledges that CloudCheckr uses independent third party auditors to verify the adequacy of its security measures and is regularly audited against SOC 2 Type II standards. Upon Customer’s written request, CloudCheckr will provide a copy of the SOC 2 Type II Report to Customer to allow Customer to reasonably verify CloudCheckr’s compliance with its obligations under this Addendum. CloudCheckr shall also respond to any written audit questions reasonably submitted to it by Customer from time to time. The report and any written audit questions shall be subject to the confidentiality provisions of the Agreement.
- 10.2 Customer agrees to exercise any right it may have to conduct an audit or inspection, including under the Standard Contractual Clauses if they apply, by requesting CloudCheckr carry out the audit described in this Section 10. If Customer wishes to change this instruction regarding the audit, then Customer has the right to request a change to this instruction by sending CloudCheckr written notice as provided for in the Agreement. If CloudCheckr declines to follow any instruction requested by Customer regarding audits or inspections, Customer is entitled to terminate this Addendum, the Agreement, and any applicable Services orders or schedules. If the Standard Contractual Clauses apply, nothing in this Section varies or modifies the Standard Contractual Clauses nor affects any supervisory authority’s or data subject’s rights under the Standard Contractual Clauses.
- 10.3 CloudCheckr shall cooperate, on request, with the Supervisory Authority in the performance of its tasks.
11. Restricted Transfers
In the event CloudCheckr Processes any Personal Data pursuant to a Restricted Transfer, the Parties agree that the provisions in the European Commission Standard Contractual Clauses for the Transfer of Personal Data to Processors Established in Third Countries (2010/87/EU) (the “Standard Contractual Clauses”) shall apply and are incorporated herein by reference. Pursuant to the Standard Contractual Clauses, Customer shall be the “data exporter,” and CloudCheckr shall be a “data importer.” (i) The Data Subjects in Appendix 1 to the Standard Contractual Clauses shall be Customer employees, Customer subcontractors authorized by Customer to use the Services, and any Customer end user authorized by Customer to use the Services; (ii) the Categories of Data shall be first and last name, contact information (company, email, phone, business address), billing information, job title and/or department, and geolocation data (country and/or IP address); (iii) the Special Categories of Data shall be N/A; and (iv) the Processing operations shall be to allow CloudCheckr to perform the Services pursuant to the Agreement, as further specified in the Documentation, and as instructed by Customer while it uses the Services. The data security measures in Appendix 2 to the Standard Contractual Clauses are those identified in Exhibit A of this Addendum.
12. General Terms
Governing law and jurisdiction
- 12.1 Without prejudice to clauses 7 (Mediation and Jurisdiction) and 9 (Governing Law) of the Standard Contractual Clauses:
- 12.1.1 the parties to this Addendum hereby submit to the choice of jurisdiction stipulated in the Agreement with respect to any disputes or claims howsoever arising under this Addendum, including disputes regarding its existence, validity or termination or the consequences of its nullity; and
- 12.1.2 this Addendum and all non-contractual or other obligations arising out of or in connection with it are governed by the laws of the country or territory stipulated for this purpose in the Agreement.
Order of precedence
- 12.2 Nothing in this Addendum reduces CloudCheckr’s obligations under the Agreement in relation to the protection of Customer Personal Data or permits CloudCheckr to Process (or permit the Processing of) Customer Personal Data in a manner which is prohibited by the Agreement. In the event of any conflict or inconsistency between this Addendum and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.
- 12.3 Subject to section 12.2, with regard to the subject matter of this Addendum, in the event of inconsistencies between the provisions of this Addendum and any other agreements between the parties, including the Agreement and including (except where explicitly agreed otherwise in writing, signed on behalf of the parties) agreements entered into or purported to be entered into after the date of this Addendum, the provisions of this Addendum shall prevail.
Changes in Data Protection Laws, etc.
- 12.4 The parties may promptly execute supplemental data processing agreement(s) or take other appropriate steps to address Restricted Transfers if they conclude that such steps are necessary to address applicable data protection or privacy laws concerning Personal Data.
- 12.5 Should any provision of this Addendum be invalid or unenforceable, then the remainder of this Addendum shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.
APPENDIX 2 TO THE STANDARD CONTRACTUAL CLAUSES
Description of the technical and organisational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) (or document/legislation attached):
CloudCheckr’s technical and organizational security measures are those measures described in CloudCheckr’s confidential SOC 2 Type 2 Report, which CloudCheckr makes available to Customers upon request.