Cloudexter Security and Data Processing Agreement
1.1 The customer agreeing to these terms (“The Customer”) and Cloudexter have entered into an agreement under which Cloudexter has agreed to provide hosting, data processing services and related technical support to The Customer.
1.2 The GDPR makes written contracts between controllers and processors a general requirement. These terms are designed to ensure that processing carried out by a processor meets all the requirements of the GDPR. They reflect the agreement between Cloudexter and The Customer in regard to the terms governing the processing and security of Customer Data.
The following definitions will be used throughout this document.
Customer Data means data provided by or on behalf of Customer or Customer End Users via the Services under the Account.
Customer Personal Data means the personal data contained within the Customer Data.
The terms “personal data”, “data subject”, “processing”, “controller”, “processor” and “supervisory authority” as used in these terms have the meanings given in the GDPR.
Data Incident means a breach of Cloudexter security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Data on systems managed by or otherwise controlled by Cloudexter. “Data Incidents” do not include unsuccessful attempts to compromise the security of Customer Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks.
Notification Email Address means the email address(es) designated by Customer in the Customer Control Panel, or in the Order Process, to receive certain notifications from Cloudexter.
Term means the period from the Terms Effective Date until the end of Cloudexter’s provision of the Services, including, if applicable, any period during which provision of the Services may be suspended and any post-termination period during which Cloudexter may continue providing the Services for transitional purposes.
These Terms will take effect on the Terms Effective Date and, even in the event of expiry of the Term, will remain in effect until, and automatically expire upon, deletion of all Customer Data by Cloudexter as described in these Terms.
4. Processing of Data
4.1 Processor and Controller Responsibilities
The European Data Protection Legislation applies to the processing of Customer Personal Data and the parties acknowledge and agree that:
Cloudexter is a processor of Customer Personal Data under the General Data Protection Regulation.
The Customer is a controller or processor, as applicable, of that Customer Personal Data under the General Data Protection Regulation.
Each party will comply with the obligations applicable to it under the General Data Protection Regulation with respect to the processing of that Customer Personal Data.
The types of personal data include data relating to individuals provided or uploaded to Cloudexter via the Hosting Service, by (or at the direction of) Customer or by Customer End Users.
4.2 Authorisation by a Third Party Controller
The Customer confirms that the Customer’s instructions and actions in regard to that Customer Personal Data, including its engagement of Cloudexter as another processor, have been authorized by the relevant controller under the General Data Protection Regulation.
5. Scope of Processing
5.1 Customer’s Instruction
By entering into these Terms, The Customer instructs Cloudexter to process Customer Personal Data in order to:
Provide Hosting Services.
Process data as specified via Customer’s use of the Customer Control Panel (including other functionality of the Services).
Process data as documented in these Terms.
5.2 Cloudexter Compliance with Instructions
Cloudexter will comply with the instructions described under “The Customer’s Instructions”.
6. Data Deletion
6.1 Deletion By Customer
Cloudexter will enable The Customer to delete Customer Data during the Term via instruction in writing, by phone or via the use of the Customer Control Panel. Confirmation of deletion will be made in writing via support ticket. Infrastructure backups may remain on Cloudexter servers for up to 30 days after this request.
6.2 Deletion on Cancellation
On the expiry of the Term, The Customer instructs Cloudexter to delete all Customer Data (including existing copies) from Cloudexter systems. Infrastructure backups may remain on Cloudexter servers for up to 30 days after this request.
7. Data Security
7.1 Cloudexter Security Measures
Cloudexter will implement and maintain technical and organizational measures to protect Customer Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure
7.2 Staff Security Compliance
Cloudexter will take appropriate steps to ensure compliance with the Security Measures by its employees, contractors, and sub-processors including ensuring that all persons authorized to process Customer Personal Data have committed themselves to confidentiality.
7.3 Data Incidents
7.3.1 Incident Notification
If Cloudexter becomes aware of a Data Incident, Cloudexter will:
Notify The Customer of the Data Incident promptly and without undue delay after becoming aware of the Data Incident.
Take reasonable steps to minimize harm and secure Customer Data.
7.3.2 Details of Data Incident
Data Incident notifications will include details of the Data Incident including steps taken to mitigate the potential risks and steps Cloudexter recommends The Customer take to address the Data Incident.
7.3.3 Delivery of Notification
Notifications of any data incident will be made via the Support Ticket System. Notification of a support ticket update will be sent to the Notification Email Address provided by the customer. It is the responsibility of the customer to ensure that this email address is kept current and up to date.
7.3.4 No Assessment of Customer Data
Cloudexter will not assess the contents of Customer Data in order to identify information subject to any specific legal requirements. The Customer is solely responsible for complying with incident notification laws applicable to The Customer and fulfilling any third-party notification obligations related to any Data Incident.
7.3.5 No Acknowledgement of Fault
Notification of or response to a Data Incident will not be construed as an acknowledgment of fault or liability.
7.3.6 Audit Rights
Cloudexter will provide all information necessary to demonstrate compliance and allow for and contribute to audits, including inspections, requested by The Customer, carried out by the ICO (https://ico.org.uk/).
Cloudexter will inform The Customer immediately if it is asked to do something infringing the GDPR or other data protection law of the EU or a member state.
8.1 Consent to Sub Processors
The Customer specifically authorizes the engagement of Cloudexter third-party suppliers as Subprocessors. In addition, The Customer generally authorises the engagement of any other third parties as Subprocessors.
8.2 Process to Engage New Subprocessors
Cloudexter will provide notice via this policy of updates to the list of sub-processors that are utilized or which Cloudexter proposes to utilize to deliver its Services. Cloudexter undertakes to keep this list updated regularly to enable the Customer to stay informed of the scope of sub-processing associated with the Cloudexter Services.
The Customer can object in writing to the processing of its Personal Data by a new subprocessor within thirty (30) days after updating of this policy and shall describe its legitimate reasons to object. If the Customer does not object during such time period the new subprocessor(s) shall be deemed accepted.
If the Customer objects to the use of a subprocessor pursuant to the process provided under the DPA, Cloudexter shall have the right to resolve the objection through one of the following options (to be selected at the sole discretion of Cloudexter):
Cloudexter will cease to use the subprocessor with regard to Personal Data; or
Cloudexter will take the corrective steps requested by the Customer in its objection and proceed to use the subprocessor to process Personal Data; or
Cloudexter may cease to provide, or The Customer may agree not to use (temporarily or permanently), the particular aspect of a Cloudexter Service that would involve use of the subprocessor to process Personal Data; or
Cloudexter may cease to offer services to The Customer entirely.
The list of Cloudexter third party sub-processors is maintained here.