This Data Processing and Protection Addendum (this “DPA”) sets out the terms that apply when Customer Personal Data is Processed by Cloudwick Technologies, Inc. (“Cloudwick”) under the Order Form(s) and Master Services Agreement between Cloudwick and the Customer identified therein, to which this DPA is attached or otherwise incorporated (the “Agreement”). The purpose of this DPA is to ensure the Parties’ agreement with regard to the Processing of Customer Personal Data in accordance with the requirements of Data Protection Laws and Regulations. All capitalized terms not defined herein shall have the meaning set forth in the Agreement.
a. “Cloudwick Trust Center” means Cloudwick’s trust center located at https://trust.cloudwick.com/.
b. “Customer Personal Data” means any Personal Data or Sensitive Personal Data that Cloudwick Processes on behalf of Customer under the Agreement, as further described in this DPA.
c. “Data Protection Laws and Regulations” means all data protection laws and regulations applicable to a Party’s processing of Customer Personal Data under the Agreement, including, where applicable, the data protection laws and regulations of the European Union, the European Economic Area and their member states, and of the United Kingdom and Switzerland to the extent that it is not a member state as well as the California Consumer Privacy Act of 2018 and any binding regulations promulgated thereunder, in each case, as may be amended from time to time (the “CCPA”).
d. “Data Subject” means the identified or identifiable individual to whom Customer Personal Data relates.
e. “Personal Data” means any information relating to
(i) an identified or identifiable person and,
(ii) an identified or identifiable legal entity (where such information is protected similarly as personal data or personally identifiable information under applicable Data Protection Laws and Regulations).
f. “Personal Data Breach” means a breach of Cloudwick’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data in connection with the Services. Personal Data Breaches do not include unsuccessful attempts or activities that do not compromise the security of the Customer Personal Data, including unsuccessful login attempts, pings, port scans, denial of service attacks and other network attacks on firewalls or networked systems.
g. “Processing” and its cognates shall have the meaning given to such term under applicable Data Protection Laws and Regulations.
h. “Restricted Transfer” means a transfer of Customer Personal Data originating from Europe to a country that does not provide an adequate level of protection for personal data within the meaning of applicable European Data Protection Laws and Regulations.
i. "Sensitive Personal Data" means any Customer Personal Data that, due to its nature, is subject to heightened privacy and security requirements under applicable Data Protection Laws and Regulations. This includes, without limitation, the following categories of data, as applicable: government-issued identification numbers; financial account information; health and medical information, including Protected Health Information (PHI) as defined by the Health Insurance Portability and Accountability Act of 1996 (HIPAA); biometric data used for identification of a natural person; genetic data; racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership; sex life or sexual orientation; precise geolocation data; or any other information designated as “sensitive” or requiring enhanced protection under applicable data protection or privacy laws, including but not limited to the General Data Protection Regulation (EU) 2016/679 (GDPR) and the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (CCPA/CPRA).
j. “Standard Contractual Clauses” means the agreement executed by and between Customer and Cloudwick and attached hereto as Schedule 1 pursuant to the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council.
k. “Subprocessor” means any Data Processor engaged by Cloudwick to process Customer Personal Data in connection with the Services, as listed on the Subprocessor page of the Cloudwick Trust Center and as may be updated by Cloudwick in Cloudwick’s sole discretion from time to time.
l. “UK International Data Transfer Agreement” means the International Data Transfer issued by the UK Information Commissioner under s119A(1) of the Data Protection Act 2018, version A1.0, in force from 21 March 2022.
a. Relationship of the Parties
Customer is the “Data Controller” and Cloudwick is the “Data Processor.” In some circumstances, Customer may be a Data Processor, in which case Customer appoints Cloudwick as Customer’s Subprocessor, which shall not change the obligations of either Party under this DPA. With respect to the Customer Data to which the CCPA applies, the Parties acknowledge and agree that:
(a) Cloudwick is a “Service Provider” and not a “Third Party”;
(b) Customer is a “Business”; and
(c) each Subprocessor is a “Service Provider”.
b. Customer Obligations
Customer is solely responsible for: (i) its and its Authorized Users’ transmission of Customer Personal Data to the Services; (ii) using the Services in a manner designed to ensure a level of security appropriate to the nature and scope of the Customer Personal Data; (iii) ensuring that all Authorized Users and Data Subjects have consented to the Processing of their Customer Personal Data, in accordance with applicable Data Protection Laws and Regulations, in connection with Customer’s access to and use of the Services; and (iv) ensuring that its processing instructions to Cloudwick comply with all applicable Data Protection Laws and Regulations. Cloudwick will have no obligation to monitor Customer’s compliance with applicable Data Protection Laws and Regulations or to assess the content of Customer Personal Data to identify whether the information is subject to specific legal requirements. As such, Customer is solely responsible for making an independent determination as to whether its use of the Services meets the requirements of applicable Data Protection Laws and Regulations.
c. Customer’s Processing of Personal Data
Customer shall, in its use of the Services, Process Personal Data in accordance with the requirements of Data Protection Laws and Regulations. Customer shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Customer acquired Personal Data.
d. Cloudwick’s Processing of Customer Personal Data
i) Cloudwick will not retain, use, or disclose any Customer Personal Data that is subject to the CCPA (“CCPA Personal Information”) for any purpose other than for the limited and specific purpose of providing the Service to Customer or as otherwise permitted by the CCPA. Cloudwick will not (a) “sell” or “share” CCPA Personal Information (as those terms are defined under the CCPA); (b) retain, use, or disclose CCPA Personal Information outside the direct business relationship between Cloudwick and the Customer, unless expressly permitted by CCPA; or (c) combine CCPA Personal Information received from Customer with Personal Data that Cloudwick receives from, or on behalf of, another person or persons, or collects from its own interaction with consumers, unless expressly permitted by CCPA. Cloudwick will provide the same level of privacy protection for CCPA Personal Information as required under the CCPA and notify Customer if Cloudwick can no longer meet its obligations under the CCPA. Upon such notice from Cloudwick, Customer may direct Cloudwick to take reasonable and appropriate steps to stop and remediate any unauthorized use of CCPA Personal Information by deleting all or the relevant portion of CCPA Personal Information from the Service or by such other means as reasonably agreed between the parties.
ii) Unless otherwise required by applicable Data Protection Laws and Regulations to which Processor is subject, Cloudwick shall only Process Customer Personal Data for the following purposes:
1. Processing in order to provide and support the Services in accordance with the Agreement;
2. Processing initiated by Authorized Users in their use of Services according to the Agreement; and
3. Processing to comply with other reasonable written instructions provided by Customer that are consistent with the terms of the Agreement.
e. Scope, Purpose and Duration
The subject-matter of Processing of Customer Personal Data by Cloudwick is the performance of the Services pursuant to the Agreement. The duration of such Processing shall be for the term of the Agreement. The nature and the purposes of the Processing of Customer Personal Data by Cloudwick, the types of Customer Personal Data and categories of Data Subjects Processed under this DPA, are further specified in Cloudwick’s privacy policy, located at https://cloudwick.com/privacy-policy or otherwise on the Services.
Customer acknowledges and agrees that it is solely responsible for determining whether the technical and organizational security measures implemented by the Services are appropriate for the processing of Sensitive Personal Data. If Customer determines that such measures are sufficient, then, subject to the terms and conditions of the Agreement and this DPA, Customer may submit Sensitive Personal Data to the Services. The extent and nature of any such submission shall be determined and controlled solely by Customer in its sole discretion. Customer shall be solely responsible and liable for
(i) the lawfulness of the collection, submission, and use of such Sensitive Personal Data,
(ii) ensuring that all necessary notices have been given and all required consents and authorizations have been obtained, and
(iii) any claims, losses, or liabilities arising out of or related to the upload, transmission, or Processing of Sensitive Personal Data in connection with the Services.
Customer acknowledges and agrees that Cloudwick may retain certain Subprocessors to Process Customer Personal Data on Cloudwick’s behalf in order to provide Services under the Agreement. Prior to a Subprocessor’s Processing of Customer Personal Data, Cloudwick will impose contractual obligations on the Subprocessor that are substantially the same as those imposed on Cloudwick under this DPA. Cloudwick remains liable for its Subprocessors’ performance under this DPA to the same extent Cloudwick is liable for its own performance. If Customer would like to receive notifications of new Subprocessors, Customer must request such notifications from Cloudwick at https://trust.cloudwick.com/. Customer may reasonably object to Cloudwick’s use of a new Subprocessor by notifying Cloudwick promptly in writing and in each case within thirty (30) days of such Subprocessor being added to the Cloudwick Trust Center. After receiving an objection to the use of a new Subprocessor, Cloudwick will work with Customer to determine the appropriate course of action.
a. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Cloudwick shall in relation to Customer Personal Data implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including, as appropriate, the measures required by Data Protection Laws and Regulations and in accordance with Cloudwick’s Security Policy found at https://cloudwick.com/support-services-and-legal (or such successor URL as may be designated by Cloudwick).
b. In assessing the appropriate level of security, Processor shall consider the risks that are presented by Processing, in particular from a Personal Data Breach.
c. Cloudwick shall notify Customer without undue delay upon becoming aware of a Personal Data Breach and in any event within forty-eight (48) hours and will make reasonable efforts to investigate, contain and mitigate any adverse effects of such Personal Data Breach within Cloudwick’s control. Cloudwick shall cooperate with Customer and take reasonable commercial steps as are directed by Customer to assist in the investigation, mitigation and remediation of any such Personal Data Breach. Any communications by or on behalf of Cloudwick in relation to a Personal Data Breach will not be construed as an admission of fault or liability by Cloudwick with respect to such Personal Data Breach.
To the extent Customer, in its use of the Services, does not have the ability to locate, correct, amend, restrict, copy, block or delete Customer Personal Data, as may be required by Data Protection Laws and Regulations, Cloudwick shall comply with any commercially reasonable request by Customer (including by appropriate technical and organizational measures) to assist such actions to the extent necessary to respond to Data Subjects seeking to exercise their rights under applicable Data Protection Laws and Regulations and Cloudwick is legally permitted to do so. To the extent legally permitted, Customer shall be responsible for any costs arising from Cloudwick’s provision of such assistance. Cloudwick shall, to the extent legally permitted, promptly notify Customer if it receives a request from a Data Subject to exercise his or her rights in respect of Customer Personal Data. Cloudwick shall not respond to any such Data Subject request without Customer’s prior written consent except to confirm that the request relates to Customer. Cloudwick may advise the Data Subject to submit their request to Customer such that Customer shall be responsible for responding to such request.
Deletion of Customer Personal Data. Following termination or expiration of the Agreement, and upon request by Customer, Cloudwick shall delete or return Customer Personal Data and copies thereof to Customer in Cloudwick’s possession, unless EU or member state law requires storage of all or part of the Customer Personal Data.
Upon Customer’s request, Cloudwick shall provide Customer with reasonably requested information regarding the Services in order for Customer to fulfill Customer’s obligation under applicable Data Protection Laws and Regulations to carry out any required data protection impact assessment related to Customer’s use of the Services, to the extent Customer does not otherwise have access to the relevant information, and to the extent such information is available to Cloudwick.
Cloudwick shall make available to the Customer, upon Customer’s request and subject to the confidentiality obligations set forth in the Agreement, all information necessary to demonstrate compliance with this DPA, and, solely to the extent the information provided by Cloudwick is not reasonably sufficient to demonstrate Cloudwick’s compliance with this DPA and no more than once per year during the term of the Agreement, shall allow for and contribute to audits of Cloudwick’s applicable controls, at Customer’s expense and including inspections of Cloudwick’s facilities, by Customer or a mutually agreed upon independent third party auditor who is subject to written confidentiality obligations in relation to the Processing of Customer Personal Data. Before the commencement of any such audit, Customer and Cloudwick shall mutually agree upon the scope, timing, and duration of the audit. For the avoidance of doubt, Cloudwick will not be required to disclose to Customer or any auditor:
(a) any trade secrets;
(b) any information that could compromise the security of Cloudwick’s systems or controls; or
(c) any information that would cause Cloudwick to breach any of its contractual obligations or applicable laws.
Customer shall provide at least thirty (30) days’ prior written notice of any proposed audit and shall ensure that such audit is conducted during normal business hours with minimal disruption to Cloudwick's operations.
Cloudwick may process Customer Personal Data anywhere in the world where Cloudwick, its affiliates, or its Subprocessors maintain data processing operations. Customer authorizes Cloudwick and its Subprocessors to make international transfers of Customer Personal Data in accordance with this DPA so long as applicable Data Protection Laws and Regulations are respected. To the extent that Cloudwick Processes Customer Personal Data collected in the EEA, UK or Switzerland or the transfer of Customer Personal Data from Customer to Cloudwick involves a Restricted Transfer, the EU Standard Contractual Clauses will be incorporated and form part of this DPA as follows:
a. EU Transfers. In relation to Customer Personal Data that is subject to the GDPR:
(i) the data exporter is Customer and the data importer is Cloudwick;
(ii) Module Two (Controller to Processor) is selected;
(iii) in Clause 7, the parties permit docking;
(iii) in Clause 9, the parties select Option 2 and the notice period for Sub-Processor changes is set out in Section 4.2 of this DPA;
(iv) in Clause 11, the parties do not select the independent dispute resolution option;
(v) in Clauses 17 and 18(b), the parties agree that the governing law and forum for disputes will be the Republic of Ireland;
(vi) the Annexes to the EU Standard Contractual Clauses will be deemed completed with the information provided in Appendices A and B of this DPA.
b. UK Transfers. In relation to Customer Personal Data that is subject to the UK GDPR, the EU Standard Contractual Clauses will apply in accordance with Section 6.2.1 and as modified by the UK Addendum, which will be incorporated and form part of this DPA. Any conflict between the SCCs and the UK Addendum will be resolved in accordance with Sections 10 and 11 of the UK Addendum. Tables 1 to 3 of the UK Addendum will be deemed completed with the information provided in Appendices A and B of this DPA, and Table 4 will be deemed completed by selecting “neither party”.
c. Swiss Transfers. In relation to Customer Personal Data that is subject to the Swiss FADP, the EU Standard Contractual Clauses will apply in accordance with Section 6.2.1 and the following modifications:
(i) references to “Regulation (EU) 2016/679” and specific articles therein will be replaced with references to the Swiss FADP and the equivalent articles or sections therein;
(ii) references to “EU”, “Union” and “Member State” will be replaced with references to “Switzerland”;
(iii) the competent supervisory authority will be the Swiss Federal Data Protection Information Commissioner;
(iv) references to the “competent supervisory authority” and “competent courts” will be replaced with references to the “Swiss Federal Data Protection Information Commissioner” and “applicable courts of Switzerland”; and
(v) the EU Standard Contractual Clauses will be governed by the laws of Switzerland and disputes will be resolved before the applicable courts of Switzerland.
d. Alternative Transfer Mechanism. If and to the extent that a court of competent jurisdiction or supervisory authority with binding authority orders (for whatever reason) that the measures described in this DPA cannot be relied on to lawfully transfer Customer Personal Data from Customer to Cloudwick, the parties will reasonably cooperate to agree and take any actions that may be required to implement any additional measures or alternative transfer mechanism to enable the lawful transfer of Customer Personal Data. In the event of any conflict between the terms of this DPA and the EU Standard Contractual Clauses, the terms of the EU Standard Contractual Clauses will supersede and control.
This DPA and any dispute arising out of it or in connection with it shall be subject to the terms of the Agreement. This DPA is effective as of the Effective Date of the Agreement and shall remain in effect for the duration of the Agreement; provided, however, if mandated law requires the Data Processor to retain the data for a specific period of time, this DPA remains in full force until such requirements are fulfilled.
Data Exporter: Customer
Address: Customer’s address as set forth in the Order Form
Contact Person’s Name, Position and Contact Details: As set forth in the Order Form
Activities Relevant to the Data Transferred: Using or accessing the Services
Role: Controller
Signature: By signing the Order Form, the Standard Contractual Clauses and the UK International Data Transfer Agreement, as applicable, will be deemed executed by the Parties.
Data Importer: Cloudwick Technologies, Inc.
Contact Person’s Name, Position and Contact Details: As set forth in the Order Form
Activities Relevant to the Data Transferred: Providing the Services to Customer
Role: Processor
Signature: By signing the Order Form, the Standard Contractual Clauses and the UK International Data Transfer Agreement, as applicable, will be deemed executed by the Parties.
Categories of Data Subjects
Customer may submit Customer Personal Data to the Services, the extent of which is determined and controlled by Customer in its sole discretion, and which may include but is not limited to Customer Personal Data relating to the following categories of Data Subjects:
Categories of Customer Personal Data
The categories of Customer Personal Data are solely within Customer’s discretion, determination and control, and which may include without limitation:
Data exporter may submit Personal Data to the Services, the extent of which is determined and controlled by the data exporter in its sole discretion, and which may include, but is not limited to the following categories of Personal Data:
Sensitive Data Transferred (if appropriate)
Subject to any applicable terms or conditions of the Agreement, Customer may include Sensitive Personal Data in the Customer Personal Data in its sole discretion, determination and control, which may include without limitation:
Frequency of Transfer: Continuous
Duration of Processing: For the duration of the provision of the Services to Customer.
Nature and Purpose of Processing: As necessary for Cloudwick to comply with its obligations and exercise its rights under the Agreement.
Period of Retention for Customer Personal Data: For the term of the Agreement and any period thereafter during which Cloudwick continues to process Customer Personal Data on Customer’s behalf.
Competent Supervisory Authority: Determined in accordance with applicable Data Protection Laws and Regulations.
Technical and Organizational Measures Designed to Ensure the Security of Customer Personal Data: As set forth in Cloudwick’s Security Policy found at https://cloudwick.com/support-services-and-legal (or such successor URL as may be designated by Cloudwick).