Data Processing Addendum
Last Updated: October 2020
This Data Processing Agreement (“DPA“) forms part of the Customer Terms of Service or other written or electronic agreement ("Principal Agreement") between Cloutlayer LLC (the "Processor") and Customer (the "Customer") (together as the “Parties”) for the use of online services from Cloutlayer (identified either as “Subscription Services” or otherwise in the applicable agreement, and hereinafter defined as “Services”) to reflect the Parties’ agreement with regard to the Processing of Personal Data.
The Customer: (i) acts as a Data Controller and (ii) wishes to subcontract certain Services, which imply the processing of personal data, to the Data Processor.
The Parties: (i) seek to implement a data processing agreement that complies with the requirements of the current legal framework in relation to data processing and with the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) and (ii) wish to lay down their rights and obligations.
IT IS AGREED AS FOLLOWS:
1 Definitions and Interpretation
1.1 Unless otherwise defined herein, capitalized terms and expressions used in this DPA shall have the following meaning:
“Contracted Processor” means a Sub-Processor;
“Customer Personal Data” means any Personal Data Processed by Processor or/and a Contracted Processor on behalf of Customer pursuant to or in connection with the Principal Agreement;
“Data Protection Laws” means EU Data Protection Laws and, to the extent applicable, the data protection or privacy laws of any other country;
“DPA” means this Data Processing Agreement and all Schedules;
“EEA” means the European Economic Area;
“EU Data Protection Laws” means EU Directive 95/46/EC, as transposed into domestic legislation of each Member State and as amended, replaced or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR;
“GDPR” means EU General Data Protection Regulation 2016/679;
“Data Transfer” means: (i) a transfer of Customer Personal Data from the Customer to a Contracted Processor; or (ii) an onward transfer of Customer Personal Data from a Contracted Processor to a Subcontracted Processor, or between two establishments of a Contracted Processor, in each case, where such transfer would be prohibited by Data Protection Laws (or by the terms of data transfer agreements put in place to address the data transfer restrictions of Data Protection Laws);
“Personal Data” means: any information relating to an identified or identifiable individual where such information is contained within Customer Data and is protected similarly as personal data, personal information or personally identifiable information under applicable Data Protection Laws.
“Process” or “Processing” means: any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction or blocking, erasure, or destruction;
“Sub-Processor” means any person appointed by or on behalf of Processor to process Personal Data on behalf of the Customer in connection with the Agreement.
1.2 The terms, “Commission”, “Controller”, “Data Subject”, “Member State”, “Personal Data”, “Personal Data Breach”, “Processing” and “Supervisory Authority” shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly.
1.3 Capitalized terms that are not defined in this DPA have the meanings set forth in the Terms of Service.
2 Roles and Responsibilities
2.1 As declared at the beginning of this DPA, the Parties agree that Customer is the Data Controller and Cloutlayer is the Data Processor.
2.2 Customer’s Processing of Personal Data
Customer shall, in its use of the Services, Process Personal Data in accordance with the requirements of Data Protection Laws and Regulations. For the avoidance of doubt, Customer’s instructions for the Processing of Personal Data shall comply with Data Protection Laws and Regulations. This DPA and the Principal Agreement are Customer’s complete and final documented instructions to Processor for the Processing of Personal Data, and Customer’s configuration of the Services (if any) shall constitute an additional instruction to Processor. Any additional or alternate instructions must be agreed upon separately. Customer shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Customer acquired the Personal Data.
2.3 Processor’s Processing of Personal Data
Processor shall: (i) comply with all applicable Data Protection Laws in the Processing of Personal Data; (ii) process Personal Data in accordance with the Principal Agreement and applicable Order Form(s); and (iii) process Personal Data to comply with other documented reasonable instructions provided by Customer where such instructions are consistent with the terms of the Principal Agreement.
2.4 Ownership of Personal Data
The ownership and control of Personal Data remains with Customer, and Customer will at all times remain the Data Controller. Customer is responsible for compliance with its obligations as Data Controller under the Data Protection Laws, in particular for justification of any transmission of Personal Data to Processor (including providing any required notices and obtaining any required consents), and for its decisions concerning the Processing and use of the Personal Data.
2.5 Prohibited Data
Customer will not provide (or cause to be provided) any Sensitive Data to Cloutlayer for processing under the Principal Agreement, and Cloutlayer will have no liability whatsoever for Sensitive Data, whether in connection with a security incident or otherwise. For the avoidance of doubt, this DPA will not apply to Sensitive Data.
2.6 Processor's Use of Personal Data
2.6.1 With respect to Customer Personal Data that has been de-identified, anonymized, pseudonymized, masked and/or aggregated (referred to as “De-Identified Personal Data,” but for Personal Data of European residents includes only Personal Data that has been anonymized in accordance with GDPR rules), as well as data which is created, generated, organized, formatted, derived, trained, ensembled, or based from or on De-Identified Personal Data, Processor has the right to:
- use all of the foregoing for its own internal business purposes,
- modify the De-Identified Personal Data,
- aggregate or combine the De-Identified Personal Data with other data,
- disclose De-Identified Personal Data to third parties,
- use the De-Identified Personal Data in demonstrations of products and services to third parties, and
- license, assign, convey and/or transfer ownership of De-Identified Personal Data and any or all of Processor’s rights thereto to third parties.
2.6.2 Schedule 2 to this DPA sets out certain information regarding Processor’s Processing of Customer Personal Data as required by Article 28(3) of the GDPR.
3 Processor Personnel
3.1 Confidentiality
Processor shall ensure that its personnel engaged in the Processing of Personal Data are informed of the confidential nature of the Personal Data, have received appropriate training on their responsibilities and have executed written confidentiality agreements. Processor shall ensure that such confidentiality obligations survive the termination of the personnel engagement.
3.2 Reliability
Processor shall take commercially reasonable steps to ensure the reliability of any Processor personnel engaged in the Processing of Personal Data.
3.3 Limitation of Access
Processor shall ensure that Processor’s access to Personal Data is limited to those people who meet the requirements under Section 3.1.
3.4 Data Protection Officer
Processor shall comply fully with its obligations with respect to the employment of a data protection officer as required under Data Protection Laws and Regulations who may be reached at privacy [at] cloutlayer [dot] com.
4 Security
4.1 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Processor shall in relation to the Customer Personal Data implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR.
4.2 In assessing the appropriate level of security, Processor shall take account in particular of the risks that are presented by Processing, in particular from a Personal Data Breach.
5 Sub-Processors
5.1 Appointment of Sub-Processors
Customer acknowledges and agrees that: (i) Processor’s Affiliates may be retained as Sub-Processors; and (ii) Processor and Processor’s Affiliates respectively may engage or replace Sub-Processors in connection with the provision of the Services.
5.2 List of Current Sub-Processors and Notification of New Sub-processors
5.2.1 Attached hereto as Schedule 2 is a current list of Sub-Processors for the Services. Such Sub-Processor list shall include the identities of those Sub-Processors, their country of location as well as the type of processing they perform.
5.2.2 Processor will notify Customer of a new Sub-Processor(s) before authorizing any new Sub-Processor(s) to Process Personal Data in connection with the provision of the applicable Services.
5.3 Objection Right for New Sub-Processors
Customer may object to Processor’s use of a new Sub-Processor. If Customer objects in writing within ten (10) days of receipt of such notice to a particular Sub-Processor Processing Personal Data (with specific details of Customer’s reasons for objection), and that objection is not unreasonable in Processor’s reasonable determination, Processor will use commercially reasonable efforts to provide an alternative method for provision of the Services to Customer, without Processing Personal Data using the new Sub-Processor. If no objection is received within such ten (10) day period, such Sub-Processor shall be deemed approved. If Processor is unable to make reasonable changes to the Service within sixty (60) days of Customer’s written objection, Customer may terminate the Services.
5.4 Customer’s Processors
Processor’s Services include the possibility for Customers to integrate their own APIs or those of third parties. Processor is not responsible for the compliance of the Processing carried out by such APIs with the applicable Data Protection Laws. Customer shall at all times remain responsible for the compliance of the Processing carried out by its own APIs or those of third parties Customer has agreed to integrate in Processor’s Services.
6 Data Subject Rights
6.1 Taking into account the nature of the Processing, Processor shall assist the Customer by implementing appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Customer obligations, as reasonably understood by Customer, to respond to requests to exercise Data Subject rights under the Data Protection Laws.
6.2 Processor shall, to the extent legally permitted and to the extent Processor is able to identify that the request comes from a Data Subject whose Personal Data was submitted to the Services by Customer, promptly notify Customer if Processor receives a request from a Data Subject in relation to the exercise of any Data Subject Right (“Data Subject Request”). Processor shall not respond to a Data Subject Request without Customer’s prior written consent except to confirm that such request relates to Customer, to which Customer hereby agrees.
7 Personal Data Breach
7.1 Processor shall notify Customer without undue delay upon Processor becoming aware of a Personal Data Breach affecting Customer Personal Data, providing Customer with sufficient information to allow the Customer to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Data Protection Laws.
7.2 Processor shall co-operate with the Customer and take reasonable commercial steps as are directed by Customer to assist in the investigation, mitigation and remediation of each such Personal Data Breach.
8 Data Protection Impact Assessment and Prior Consultation
8.1 Upon Customer’s request, Processor shall provide Customer with reasonable cooperation and assistance needed to fulfill Customer’s obligation under the GDPR to carry out a data protection impact assessment related to Customer’s use of the Services, to the extent Customer does not otherwise have access to the relevant information, and to the extent such information is available to Processor.
8.2 Processor shall provide reasonable assistance to Customer in the cooperation or prior consultation with the Supervisory Authority (as defined in the GDPR) in the performance of its tasks relating to Section 8 of this DPA, to the extent required under the GDPR.
9 Deletion of Customer Personal Data
9.1 Processor shall promptly and in any event within 15 business days of the date of cessation of any Services involving the Processing of Customer Personal Data (the “Cessation Date”), delete and procure the deletion of all copies of those Customer Personal Data.
10 Audit Rights
10.1 Processor shall make available to the Customer on request all information necessary to demonstrate compliance with this DPA, and shall allow for and contribute to audits, including inspections, by the Customer or an auditor mandated by the Customer in relation to the Processing of the Customer Personal Data by the Contracted Processors.
10.2 Information and audit rights of the Customer only arise under section 10.1 to the extent that the DPA does not otherwise give them information and audit rights meeting the relevant requirements of Data Protection Law.
11 Data Transfer
11.1 The Processor may not transfer or authorize the transfer of Data to countries outside the EU and/or the European Economic Area (EEA) without the prior consent of the Customer. If personal data processed under this DPA is transferred from a country within the European Economic Area to a country outside the European Economic Area, the Parties shall ensure that the personal data are adequately protected. To achieve this, the Parties shall, unless agreed otherwise, rely on EU approved standard contractual clauses for the transfer of personal data.
12 General Terms
12.1 Confidentiality
Each Party must keep this DPA and information it receives about the other Party and its business in connection with this DPA (“Confidential Information”) confidential and must not use or disclose that Confidential Information without the prior written consent of the other Party except to the extent that: (i) disclosure is required by law; or (ii) the relevant information is already in the public domain.
13 Governing Law and Jurisdiction
13.1 This DPA is governed by the laws of Greece.
13.2 Any dispute arising in connection with this DPA, which the Parties will not be able to resolve amicably, will be submitted to the exclusive jurisdiction of the courts of Greece.
Schedule 1 - Description of Data Processing
Processor may Process personal data as part of the processing described hereunder. At any time, Customer, as Data Controller, may modify the description of the Processing and will notify in writing such modifications to Processor.
Customer shall decide, in its sole discretion, what Personal Data is transferred to and stored on Processor’s Services. While the Customer decides what data to submit, it typically may concern the data described below.
Subject-Matter
The definition of the Services provided by Processor is described in the Principal Agreement entered into between Processor and Customer.
Duration
For the duration of the Principal Agreement.
Nature and purpose of the processing
The purpose of Processing the Personal Data is to provide the Service to Customer in accordance with the Principal Agreement.
Type of personal data processed
The typical personal data processed by Customer using Processor’s Services are the following:
- First and Last Name
- Contact Information
- Demographic data
- Personal and Professional life data
- Relationship data
- (Geo) Locational data
- Publicly available Social Media data
- Publicly available personal, community, or professional website data
- Publicly available content from the websites mentioned above
- Internet Cookies
- Form, event, survey, petition, registration, attendance, and response data
- Engagement data
- Behavioral data
- Profiling data
- Consumer data
- Financial data
- Voice mail, SMSs, emails, text messages and logs
Except where local law provides that a data subject may not consent to any of the items in the following list, Customer may, at its sole discretion and under its control, submit special categories of data to the Services, which for the sake of clarity means Personal Data revealing one or more of the following categories:
- Political Party affiliation, participation, voting, contribution and opinion data
- Religious belief
- Philosophical belief data
- Organization donation data
- Trade union membership data
- Ethnic data
Categories of data subjects
(i) Prospects, customers, End-Users, business partners and vendors of Customer (who are natural persons)
(ii) Employees or contact persons of Customer’s prospects, customers, business partners and vendors
(iii) Employees, agents, advisors, freelancers of Customer (who are natural persons)
(iv) Customer’s Users authorized by Customer to use the Services
Schedule 2 - Sub-Processors
- Amazon Web Services (Cloud Infrastructure); United States, Europe; https://aws.amazon.com/compliance/gdpr-center/
- AMD Telecom S.A. (Routee) (Communication Services provider); Greece
- Digital Ocean (Cloud Infrastructure provider); United States; https://www.digitalocean.com/legal/gdpr/
- Google (Cloud Infrastructure provider); United States, Europe
- Neverbounce (Verification and Enrichment Services provider); United States
- MillionVerifier (Verification and Enrichment Services provider); Hungary
- MongoDB (Infrastructure Database provider); United States
- Redis (Infrastructure Database provider); United States
- Stripe (Payment processor); United States
If you need a signed version of this DPA please contact us.