Customer and Cloud Elements have entered into this Data Protection DPA (“DPA”) as of the date of agreement into which it is incorporated (“Agreement”). This DPA applies to any and all Services provided by Cloud Elements to Customer that involve the processing of any personal data provided by Customer to Cloud Elements in connection with the Services.
The terms used in this DPA shall have the meanings set forth in this DPA. Capitalized terms not otherwise defined herein shall have the meaning given to them in the Agreement. Except as modified below, the terms of the Agreement shall remain in full force and effect.
In consideration of the mutual obligations set out herein, the parties hereby agree that the terms and conditions set out below shall be added as an addendum to the Agreement. Except where the context requires otherwise, references in this DPA to the Agreement are to the Agreement as amended by, and including, this DPA.
1.1 In this DPA, the following terms shall have the meanings set out below and cognate terms shall be construed accordingly:
1.1.1 “Applicable Laws” (i) prior to May 25, 2018, Directive 95/46/EC of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data; and (ii) on and after May 25, 2018, Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (the “General Data Protection Regulation” or “GDPR”); and (iii) at all times, any and all other applicable data protection and data privacy laws and regulations . The terms “controller”, “processor”, “data subject”, “personal data”, “processing”, “process”, and “subprocessor” shall have the meanings given in the ADPL.
1.1.2 “Personal Data” means any Personal Data Processed by Cloud Elements on behalf of Company pursuant to or in connection with the Agreement;
1.1.3 “Data Protection Laws” means EU Data Protection Laws and, to the extent applicable, the data protection or privacy laws of any other country;
1.1.4 “EEA” means the European Economic Area;
1.1.5 “EU Data Protection Laws” means EU Directive 95/46/EC, as transposed into domestic legislation of each Member State and as amended, replaced or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR;
1.1.6 “GDPR” means EU General Data Protection Regulation 2016/679;
1.1.7 “Services” means the API and/or Formula development and other activities to be supplied to or carried out by or on behalf of the Company pursuant to the Agreement;
1.1.8 “Standard Contractual Clauses” means the standard contractual clauses for data transfers between EU and non-EU countries;
1.1.9 “Subprocessor” means any person appointed by or on behalf of Company to Process Personal Data on behalf of Company in connection with the Agreement;
1.2 The terms, “Commission“, “Controller“, “Data Subject“, “Member State“, “Personal Data“, “Personal Data Breach“, “Processing” and “Supervisory Authority” shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly.
1.3 The word “include” shall be construed to mean include without limitation, and cognate terms shall be construed accordingly.
2. Processing of Company Personal Data
2.1 Subprocessor shall:
2.1.1 comply with all applicable Data Protection Laws in the Processing of Company Personal Data; and
2.1.2 Not process Company Personal Data in any manner other than documented instructions unless required by Applicable Laws to which the relevant Subprocessor shall to the extent permitted by Applicable Laws inform the relevant Company of that legal requirement before the relevant Processing of that Personal Data.
3.1 Information security policies of the Cloud Elements are reviewed at least annually and refined as necessary to keep current with modern threats and in line with updates to broadly accepted international standard ISO/IEC 27001. Cloud Elements’ follows a mandated set of employment verification requirements for all new hires, including supplemental employees. These standards also apply to wholly owned subsidiaries and joint ventures. The requirements, which may be subject to change, include, but may not be limited to, criminal background checks, proof of identity validation, and additional checks if the candidate previously worked for a government entity. Each Cloud Elements employee is responsible for implementing the above requirements in its hiring process as applicable and permissible under local law.
Cloud Elements’ employees are required to complete security and privacy education annually and certify each year that they will comply with Cloud Elements’ ethical business conduct, confidentiality, and security requirements, as set out in Cloud Elements’ Acceptable Use Policy.
3.2 Security incidents are handled in accordance with Cloud Elements’ incident management and response policies, taking into account data breach notification requirements under applicable law.
3.3 The core functions of Cloud Elements’ cyber security incident management practice are conducted by Cloud Elements’ Computer Security Incident Response Team (IRT). IRT is managed by Cloud Elements’ Chief Information Security Office and is staffed with incident managers and outsourced forensic analysts. National Institute of Standards and Technology, United States Department of Commerce (NIST) and ISO guidelines for computer security incident handling have informed the development and remain the foundation of Cloud Elements’ incident management processes.
3.3.1 IRT coordinates with other functions within Cloud Elements’ to investigate suspected incidents, and if warranted, define and execute the appropriate response plan. Upon determining that a security incident, including a data breach, has occurred that affects Company, Cloud Elements’ Contracting Party will notify Company within 72 hours of being aware of the breach. For high-risk events, the Cloud Elements will notify Company without undue delay (Article 31). The notification given will provide at least:
- Nature of the breach
- The name and contact details of Cloud Elements Data Protection Officer
- If known, the likely consequences of the breach
- The current measures taken or proposed to be taken to address the breach an mitigate its adverse effects.
3.4 Access, Intervention, Transfer and Separation Control
3.4.1 The architecture of the Cloud Elements maintains logical separation of Company Data. Internal rules and measures separate data processing, such as reading, inserting, copying, amending, making available, deleting, and transferring Company Data, according to the contracted purposes. Access to Company’s data is allowed only by authorized personnel in accordance with principles of segregation of duties, strictly controlled under identity and access management policies, and monitored in accordance with Cloud Elements’ internal privileged user monitoring and auditing program.
3.4.2 Cloud Elements’ privileged access authorization is individual, role-based, and subject to regular validation. Access to Company Data is restricted to the level required to deliver services and support to Company (i.e., least required privilege).
3.4.3 Transfer of Company Personal Data within Cloud Elements” network takes place on wired infrastructure and behind firewalls, without the use of wireless networking.
3.4.4 Upon expiration or cancellation of the Cloud Services, Company Data is rendered unrecoverable in conformity with NIST guidelines for media sanitization, or earlier upon Company’s request.
3.5 Service Integrity & Availability Controls
3.5.1 The Cloud Elements undergoes penetration testing and vulnerability scanning prior to major production releases. Additionally, penetration testing, vulnerability scanning, is performed regularly by Cloud Elements and authorized independent third parties. Modifications to operating system resources and application software are governed by Cloud Elements change management policies.
3.5.2 Cloud Elements maintains working network firewalls to protect data accessible via the internet and will keep all Customer Data protected by the firewall at all times. Changes to network devices and firewall rules are also governed by the change management policies and are separately assessed for security risk prior to implementation.
3.5.3 Cloud Elements’ data center services within AWS support a variety of information delivery protocols for transmission of data over public networks, such as HTTPS, SSH, and SSL. Cloud Elements’ systematically monitors production data center resources 24×7. Internal and external vulnerability scanning is regularly conducted by authorized administrators to help detect and resolve potential exposures.
3.5.4 Cloud Elements has business continuity and disaster recovery plans, which are developed, maintained, verified, and tested in compliance with the ISO 27001 Information Security Controls. Recovery point and time objectives for the Cloud Services are established according to their architecture and intended use and provided in the applicable TD or Attachment. Backup data intended for off-site storage, if any, is encrypted prior to transport.
3.5.5 Security configuration and patch management activities are performed and reviewed regularly. Cloud Elements’ infrastructure is subject to emergency planning concepts, such as disaster recovery and multiple AWS servers available in regions throughout the country. Business continuity plans for Cloud Elements’ infrastructure are documented and regularly revalidated.
3.5.6 Cloud Elements maintains best of breed anti-virus software and scanning technologies, and regularly updated signature files, to ensure that all operating systems, software and other systems hosting, storing, processing, or that have access to Company Data and are known to be susceptible or vulnerable to being infected by or further propagating viruses, spyware and malicious code, are and remain free from such viruses, spyware and malicious code. Cloud Elements will mitigate threats from all viruses, spyware, and other malicious code that are or should reasonably have been detected.
3.6 Activity Logging, Input Control
3.6.1 Cloud Elements policy requires administrative access and activity in the computing environments to be logged and monitored, and the logs to be archived and retained in compliance with Cloud Elements’ records management plan. Changes made to production are recorded and managed in compliance with Cloud Elements change management policy.
3.7 Physical Security, Entry Control
3.7.1 Cloud Elements maintains physical security standards designed to restrict unauthorized physical access to offices. Cloud Elements uses AWS and their data centers are limited controlled access, and monitored by surveillance cameras. Access is allowed only by authorized personnel. (https://aws.amazon.com/compliance/iso-27001-faqs/ and https://d1.awsstatic.com/certifications/iso_27001_global_certification.pdf )
3.7.2 Delivery areas and loading docks where unauthorized persons may enter the premises are strictly controlled. Deliveries are scheduled in advance and require approval by authorized personnel. Personnel who are not part of the operations, facilities, or security staff are registered upon entering the premises and are escorted by authorized personnel while on the premises.
3.7.3 Upon termination of employment, employees are removed from the access list and required to surrender their access badges. Use of access fobs is logged.
3.8.1 Cloud Elements information security standards and management practices are aligned to the ISO/IEC 27001 standard for information security management. Assessments and audits are conducted regularly by Cloud Elements to track compliance with its information security standards. Additionally, independent third-party industry standard audits are performed annually on all Cloud Elements production systems maintained in AWS data centers.
3.9.1 Cloud Elements maintains the following encryption standards:
- Accepted Encryption Algorithms for stored data.
- Public key encryption must use a 2048-bit (or larger) RSA public key
- Symmetric encryption must use AES 256 bit, CBC mode
- API servers must use TLS 1.2 SSL with SHA-256 and 2048-bit public keys and;
- The SHA-2 family of hashes. PBKDF2 (SHA1 + HMAC), key derivation functions
- and random number generators
3.9.2 Company (1) confirms that the above measures provide an adequate level of protection for the Company’s Data, and (2) will ensures that only authorized Cloud Elements Processors will have access to perform the Company’s requests.
4. Data Sharing
4.1 To the extent permitted by law, Cloud Elements Contracting Party will inform Company without delay of data subjects’ requests for rectification, deletion, blocking of data, and enforcement of privacy rights in accordance with applicable law, complaints from data subjects, and/or objections from competent regulators. Upon notification by Cloud Elements Contracting Party, Company is responsible for handling such data subjects’ requests. If Company is obliged to provide information regarding Company Data to third parties (including data subjects or competent regulators), Cloud Elements will support Company to a reasonable extent, provided that (1) Company has requested Cloud Elements Contracting Party in writing and (2) Company agrees to pay the cost of any support (including internal resources) provided by Cloud Elements Contracting Party or its subcontractors (including the Cloud Elements Processors) based on the rates set out in Cloud Elements’ price list for consulting services in excess of four hours per year.
4.2 Cloud Elements will not disclose Company content to any unauthorized third-party subject to mandatory law. If a government demands access to Company Data, Cloud Elements will notify Company prior to disclosure unless prohibited by law.
4.3 Cloud Elements requires all personnel authorized to process Company Data to commit themselves to confidentiality and complete annual security and privacy training. Such an obligation of confidentiality shall continue to be valid after termination of the Agreement and/or of their activity.
4.4 Company and Cloud Elements Contracting Party will inform each other without delay of any suspected non-compliance with applicable data protection laws and regulations or relevant contractual terms. Company and Cloud Elements Contracting Party will support each other in order to rectify any non-compliance as soon as reasonably practicable.
Cloud Elements Data Processors have obtained the standard security certifications and personal data seals and marks listed at the following Web pages for Cloud Elements SaaS https://aws.amazon.com/compliance/iso-27001-faqs/ and https://d1.awsstatic.com/certifications/iso_27001_global_certification.pdf and https://cloud-elements.com/security-compliance/
5.1 Upon Company’s written request, Cloud Elements Contracting Party will provide Company with the most recent certifications and/or summary audit report(s) concerning the security measures for the Cloud Elements computing environment used to provide the Services. Cloud Elements Contracting Party will reasonably cooperate with Company by providing available additional information to help Company better understand such security measures. To the extent it is not possible to otherwise satisfy an audit obligation mandated by applicable law, only the legally mandated entity (such as a governmental regulatory agency having oversight of Company’s operations) or legally mandated functions within such entity (such as the internal controls function) may conduct an onsite visit of the facilities used to provide the Services, and only in a manner that causes minimal disruption to Cloud Elements’ business and in accordance with Cloud Elements’ security policies to reduce any risk to Cloud Elements’ other customers. Unless mandated by law, no audits are allowed within an AWS data center for security and compliance reasons. Company agrees to pay the costs of any support provided by Cloud Elements (including internal resources) based on the rates set out in Cloud Elements Contracting Party’s price list for consulting services in excess of four hours per year.
5.2 To the extent permitted by applicable law, Company agrees to exercise its audit right as set out above by instructing Cloud Elements Data Processors to execute the audit as described in this Section 4. Changes of this instruction have to be in writing.
5.3 The Cloud Elements Data Processor obligations stated above in Section 4.3 and, as applicable, in Clause 12 paragraph 2 of the EU Standard Contractual Clauses shall be replaced and superseded in their entirety by the Cloud Elements Data Processors obtaining a personal data protection seal or mark, or by the adherence to a certification mechanism or a code of conduct, considered by the European Data Protection Board or the European supervisory authorities as an element to demonstrate sufficient guarantees of appropriate safeguards.
6. Cloud Elements Privacy Contact
The Cloud Elements privacy contact can be contacted at firstname.lastname@example.org
7. Return or Deletion of Company Personal Data
7.1 Unless otherwise required by applicable law, Cloud Elements will destroy or return Company Personal Data within a reasonable period in a reasonable and common format upon receiving written instructions from the Company prior to termination or expiration, provided that the Company Personal Data is available to Cloud Elements.
8. Transborder Data Processing
Cloud Elements subprocessing is located inside the European Economic Area. In the event that the Company conducts business outside the EEA, possibly within the United States, Cloud Elements and the Company will add an DPA to this agreement acknowledging the Company Personal Data residing outside of EU information systems. All Data Process is conducted within Amazon Web Services infrastructure as well as backup/disaster recovery instances.
9. Security Incidents
9.1 Cloud Elements Upon determining that a security incident, including a data breach, has occurred that affects Company, Cloud Elements will notify Company within 24 hours, but not more than 72 hours, after becoming aware of a breach of security in respect of the Services leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Company Personal Data transmitted, stored, or otherwise processed by Cloud Elements.