We respect your privacy    |    Used by 9,654 happy customers   |    608,160+ Content Generated

HomeData Processing Agreement

Data Processing Agreement

1. Introduction: This Data Processing Agreement (“DPA”) is an integral part of all agreements between the Customer and Cloudthink, Inc. (“Cloudthink”), a Delaware corporation with its registered office at [Address], USA, acting as the “Processor” or “Cloudthink.” The Customer, identified in the signature block below, and Cloudthink are parties to this DPA, supplementing the Master Subscription Agreement or any services agreement or similar agreement (“Agreement”). This DPA outlines the Parties’ understanding concerning the processing of Controller Data.

2. Definitions: In this DPA, capitalized terms not otherwise defined have the meanings as provided in the Agreement.

(a) “Affiliate” refers to any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity.

(b) “Applicable Data Protection Law” encompasses data protection laws applicable to the European Economic Area, Switzerland, the United Kingdom, and other relevant jurisdictions.

(c) “Authorized Affiliate” refers to entities connected by common ownership or control with the Customer.

(d) “California Privacy Law” refers to the California Consumer Privacy Act until January 1, 2023, and subsequently the California Privacy Rights Act.

(e) “Controller” refers to the Customer.

(f) “Controller Data” refers to any Personal Data Processed by Processor on behalf of the Customer under the Agreement.

(g) “Customer” refers to the entity determining the purposes and means of processing Personal Data.

(h) “Data Breach” refers to unauthorized access, disclosure, or loss of Controller Data.

(i) “Permitted Purpose” refers to the use of Controller Data for the provision of Services by Processor to the Controller.

(j) “Personal Data” refers to information related to identified or identifiable natural persons.

(k) “Processing” refers to any operation on Personal Data, including collection, storage, sharing, and more.

(l) “Processor” refers to Cloudthink and its Affiliates, acting on behalf of the Customer.

(m) “Regulator” refers to any supervisory authority with jurisdiction over data protection matters.

(n) “Restricted Transfer” refers to the transfer of Personal Data across borders, subject to applicable regulations.

(o) “Services” refers to products and services offered by Processor to the Controller.

(p) “Sub-processor” refers to third-party data processors engaged by Processor.

(q) Other terms, including “Commission,” “Data Subject,” “Member State,” and “Supervisory Authority,” hold the same meanings as in Applicable Data Protection Laws.

3. Purpose of Processing: 3.1 Roles of the Parties: (a) Under GDPR or UK Data Protection Laws, Customer is the Controller, and Cloudthink is the Processor. (b) Under the California Privacy Law, Cloudthink acts as a Service Provider.

3.2 Controller’s Instructions: Customer ensures lawful processing of Controller Data and provides necessary consents and rights as per Applicable Data Protection Laws.

3.3 Purpose Limitation: Processor processes Controller Data solely according to Customer’s instructions and for Permitted Purposes.

4. Obligations of Processor: 4.1 Confidentiality: Processor restricts Controller Data access to authorized personnel and ensures reliability of its staff.

4.2 Disclosure to Third Parties: Processor doesn’t disclose Controller Data except as allowed by this DPA or Agreement, notifying Customer of any required disclosures.

4.3 Retention: Processor retains Controller Data per Customer’s instructions and as required by law.

4.4 Data Subject and Regulator Requests: Processor assists Customer in handling Data Subject requests and cooperates in Regulator communications.

4.5 Data Protection Impact Assessment: Upon request, Processor aids Customer in conducting data protection impact assessments.

4.6 Security: Processor implements technical and organizational measures to secure Controller Data.

5. Data Breach: 5.1 Data Breach Notification: Processor promptly notifies Customer of any Data Breach, investigates, mitigates, and informs Customer of actions taken.

5.2 Coordination: Processor assists Customer in fulfilling notification obligations to Data Subjects and Regulators.

6. Audits: 6.1 Auditing: Customer may audit Processor’s compliance with this DPA, subject to conditions.

7. Sub-Processors: 7.1 Sub-processor Consent: Processor may engage Sub-processors with appropriate safeguards.

7.2 Sub-processor List: The list of Sub-processors used is available at [Link].

7.3 Objection to Sub-processor: Customer may object to new Sub-processors, and Processor will address objections.

8. International Provisions: 8.1 Jurisdiction Specific Terms: The terms of this DPA may be jurisdiction-specific as outlined in Schedule 4.

9. Limitation On Liability: 9.1 Maximum Liability: Parties’ liability for DPA-related claims is limited.

10. Miscellaneous: 10.1 Amendment and Modification: Amendments are allowed with notice, and acceptance through continued use of Services.

10.2 Confidentiality: The terms are confidential, disclosed to specific parties only.

10.3 Assignment: Assignments require consent, except for Processor’s affiliates or change of control situations.

This DPA becomes effective upon execution and supersedes previous data processing agreements. Written amendments are necessary for modifications.