Effective Date: May 14, 2018
This Oryxcloud Data Processing Addendum forms part of, and is subject to
the provisions of, the Oryxcloud Terms of Service.
Capitalized terms that are not defined in this Data Processing Addendum
have the meanings set forth in the Terms of Service.
1. Additional Definitions.
The following definitions apply solely to this Data Processing Addendum:
- the terms “controller”, “data subject”, “personal data”, “process,”
“processing” and “processor” have the meanings given to these terms
in EU Data Protection Law.
- “Breach” means a breach of the Security Measures resulting in access
to Oryxcloud’s equipment or facilities storing Your Controlled Data and
the accidental or unlawful destruction, loss, alteration,
unauthorized disclosure of, or access to, Your Controlled Data
transmitted, stored or processed by Oryxcloud on your behalf and
instructions through the Services.
- “Content” means your User Content and any content provided to us
from your End Users, including without limitation text, photos,
images, audio, video, code, and any other materials.
- “EU Data Protection Law” means any data protection or data privacy
law or regulation of Switzerland or any European Economic Area
(“EEA”) country applicable to Your Controlled Data, including, as
applicable, the GDPR and the e-Privacy Directive 2002/58/EC.
- “GDPR” means the EU General Data Protection Regulation 2016/679.
- “Security Measures” means the technical and organizational security
measures set out.
- “Sub-Processor” means an entity engaged by Oryxcloud to process Your
Controlled Data.
- “Your Controlled Data” means the personal data in the Content Oryxcloud
processes on your behalf and instructions as part of the Services,
but only to the extent that you are subject to EU Data Protection
Law in respect of such personal data. Your Controlled Data does not
include personal data when controlled by us, including without
limitation data we collect (including IP address, device/browser
details and web pages visited prior to coming to Your Site) with
respect to your End Users’ interactions with Your Site through their
browser and technologies like cookies.
2. Applicability.
This Data Processing Addendum only applies to you if you or your End
Users are data subjects located within the EEA or Switzerland and only
applies in respect of Your Controlled Data. You agree that Oryxcloud is not
responsible for personal data that you have elected to process through
Third Party Services or outside of the Services, including the systems
of any other third-party cloud services, offline or on-premises storage.
3. Details of Data Processing.
- Subject Matter: The subject matter of the data
processing under this Data Processing Addendum is Your Controlled
Data.
- Duration: As between you and us, the duration of
the data processing under this Data Processing Addendum is
determined by you.
- Purpose: The purpose of the data processing under
this Data Processing Addendum is the provision of the Services
initiated by you from time to time.
- Nature of the Processing: The Services as
described in the Agreement and initiated by you from time to time.
- Type of Personal Data: Your Controlled Data
relating to you, your End Users or other individuals whose personal
data is included in Content which is processed as part of the
Services in accordance with instructions given through your Account.
- Categories of Data Subjects: You, Your End Users
and any other individuals whose personal data is included in
Content.
4. Processing Roles and Activities.
- Oryxcloud as Processor and You as Controller: You are
the controller and Oryxcloud is the processor of Your Controlled Data.
- Oryxcloud as Controller: Oryxcloud may also be an
independent controller for some personal data relating to you or
your End Users. Please see our Privacy Policy and Terms of Service
for details about this personal data which we control. We decide how
to use and process that personal data independently and use it for
our own purposes. When we process personal data as a controller, you
acknowledge and confirm that the Agreement does not create a
joint-controller relationship between you and us. If we provide you
with personal data controlled by us, such as in any access to data
regarding your End Users’ interactions with Your Site, you receive
that as an independent data controller and are responsible for
compliance with EU Data Protection Law in that regard.
- Description of Processing Activities: We will
process Your Controlled Data for the purpose of providing you with
the Services, as may be used, configured or modified from within
your Account (the “Purpose”). For example, depending on how you use
the Services, we may process Your Controlled Data in order to: (a)
enable you to integrate content or features from a social media
platform on Your Site; or (b) email your End Users on your behalf.
- Compliance with Laws: You will ensure that your
instructions comply with all laws, regulations and rules applicable
in relation to Your Controlled Data and that Your Controlled Data is
collected lawfully by you or on your behalf and provided to us by
you in accordance with such laws, rules and regulations. You will
also ensure that the processing of Your Controlled Data in
accordance with your instructions will not cause or result in us or
you breaching any laws, rules or regulations (including EU Data
Protection Law). You are responsible for reviewing the information
available from us relating to data security pursuant to the
Agreement and making an independent determination as to whether the
Services meet your requirements and legal obligations as well as
your obligations under this Data Processing Addendum. Oryxcloud will
not access or use Your Controlled Data except as provided in the
Agreement, as necessary to maintain or provide the Services or as
necessary to comply with the law or binding order of a governmental,
law enforcement or regulatory body.
5. Our Processing Responsibilities.
- How We Process: We will process Your Controlled
Data for the Purpose and in accordance with the Agreement or
instructions you give us through your Account. You agree that the
Agreement and the instructions given through your Account are your
complete and final documented instructions to us in relation to your
Controlled Data. Additional instructions outside the scope of this
Data Processing Addendum require prior written agreement between you
and us, including agreement on any additional fees payable by you to
us for carrying out such instructions. We will promptly inform you
if, in our opinion, your instructions infringe applicable EU Data
Protection Law, or if we are unable to comply with your
instructions. We will notify you when applicable laws prevent us
from complying with your instructions, except if such disclosure is
prohibited by applicable law on important grounds of public
interest, such as a prohibition under law to preserve the
confidentiality of a law enforcement investigation or request.
- Notification of Breach: We will provide you notice
without undue delay after becoming aware of and confirming the
occurrence of a Breach for which notification to you is required
under applicable EU Data Protection Laws. We will, to assist you in
complying with your notification obligations under Articles 33 and
34 of the GDPR, provide you with such information about the Breach
as we are reasonably able to disclose to you, taking into account
the nature of the Services, the information available to us and any
restrictions on disclosing the information such as for
confidentiality. Our obligation to report or respond to a Breach
under this Section is not and will not be construed as an
acknowledgement by Oryxcloud of any fault or liability of Oryxcloud with
respect to the Breach. Despite the foregoing, Oryxcloud’s obligations
under this Section do not apply to incidents that are caused by you,
any activity on your Account and/or Third-Party Services.
- Notification of Inquiry or Complaint: We will
provide you notice, if permitted by applicable law, upon receiving
an inquiry or complaint from an End User, or other individual whose
personal data is included in your Content, or a binding demand (such
as a court order or subpoena) from a government, law enforcement,
regulatory or other body in respect of Your Controlled Data that we
process on your behalf and instructions.
- Reasonable Assistance with Compliance: We will, to
the extent that you cannot reasonably do so through the Services,
your Account or otherwise, provide reasonable assistance to you in
respect of your fulfillment of your obligation as controller to
respond to requests by data subjects under Chapter 3 of the GDPR,
taking into account the nature of the Services and information
available to us. You will be responsible for our reasonable costs
arising from our provision of such assistance.
- Security Measures: We will maintain the Security
Measures. We may change these Security Measures but will not do so
in a way that adversely affects the security of Your Controlled
Data. We will take steps to ensure that any natural person acting
under our authority who has access to Your Controlled Data does not
process it except on our instructions, unless such person is
required to do so under applicable law, and that personnel
authorized by us to process Your Controlled Data have committed
themselves to relevant confidentiality obligations or are under an
appropriate statutory obligation of confidentiality.
- Sub-Processors: You agree that we can share Your
Controlled Data with Sub-Processors in order to provide you the
Services. We will impose contractual obligations on our
Sub-Processors, and contractually obligate our Sub-Processors to
impose contractual obligations on any further sub-contractors which
they engage to process Your Controlled Data, which provide the same
level of data protection for Your Controlled Data in all material
respects as the contractual obligations imposed in this Data
Processing Addendum, to the extent applicable to the nature of the
Services provided by such Sub-Processor. A list of our current
Sub-Processors is available upon request by sending an email to
privacy@oryxcloud.com.
Provided that your objection is reasonable and related to data
protection concerns, you may object to any Sub-Processor by sending
an email to privacy@oryxcloud.com. If you object to any
Sub-Processor and your objection is reasonable and
related to data protection concerns, we will use commercially
reasonable efforts to make available to you a means of avoiding the
processing of Your Controlled Data by the objected-to Sub-Processor.
If we are unable to make available such suggested change within a
reasonable period of time, we will notify you and if you still
object to our use of such Sub-Processor, you may cancel or terminate
your Account or, if possible, the portions of the Services that
involve use of such Sub-Processor. Except as set forth in this
Section 5.6, if you object to any Sub-Processors, you may not use or
access the Services. You consent to our use of Sub-Processors as
described in this Section 5.6. Except as set forth in this Section
5.6 or as you may otherwise authorize, we will not permit any
Sub-Processor to access Your Controlled Data. Oryxcloud will remain
responsible for its compliance with the obligations of this Data
Processing Addendum and for any acts or omissions of any
Sub-Processor or their further sub-contractors that process Your
Controlled Data and cause Oryxcloud to breach any of Oryxcloud’s
obligations under this Data Processing Addendum, solely to the
extent that Oryxcloud would be liable under the Agreement if the act or
omission was Oryxcloud’s own.
- Oryxcloud Audits: Oryxcloud may (but is not obliged to)
use external or internal auditors to verify the adequacy of our
Security Measures.
- Customer Audits and Information Requests: You
agree to exercise any right you may have to conduct an audit or
inspection by instructing Oryxcloud to carry out the audit described in
Section 5.7. You agree that you may be required to agree to a
non-disclosure agreement with Oryxcloud before we share any such report
or outcome from such audit with you and that we may redact any such
reports as we consider appropriate. If Oryxcloud does not follow such
instruction or if it is legally mandatory for you to demonstrate
compliance with EU Data Protection Law by means other than reviewing
a report from such an audit, you may only request a change in the
following way:
- First, submit a request for additional information in
writing to Oryxcloud, specifying all details required to enable
Oryxcloud to review this request effectively, including without
limitation the information being requested, what form you
need to obtain it in and the underlying legal requirement
for the request (the “Request”). You agree that the Request
will be limited to information regarding our Security
Measures.
- Within a reasonable time after we have received and reviewed
the Request, you and we will discuss and work in good faith
towards agreeing on a plan to determine the details of how
the Request can be addressed. You and we agree to use the
least intrusive means for Oryxcloud to verify Oryxcloud’s
compliance with the Security Measures in order to address
the Request, taking into account applicable legal
requirements, information available to or that may be
provided to you, the urgency of the matter and the need for
Oryxcloud to maintain uninterrupted business operations and the
security of its facilities and protect itself and its
customers from risk and to prevent disclosure of information
that could jeopardize the confidentiality of Oryxcloud or our
users’ information.
You will pay our costs in considering and addressing any Request.
Any information and documentation provided by Oryxcloud or its auditors
pursuant to this Section 5.8 will be provided at your cost. If we
decline to follow any instruction requested by you regarding audits
or inspections, you may cancel any affected Paid Services.
- Questions: Upon your reasonable requests to us for
information regarding our compliance with the obligations set forth
in this Data Processing Addendum, we shall, where such information
is not otherwise available to you, provide you with written
responses, provided that you agree not to exercise this right more
than one (1) time per calendar year (unless it is necessary for you
to do so to comply with EU Data Protection Law). The information to
be made available by Oryxcloud under this Section 5.9 is limited to
solely that information necessary, taking into account the nature of
the Services and the information available to Oryxcloud, to assist you
in complying with your obligations under the GDPR in respect of data
protection impact assessments and prior consultation. You agree that
you may be required to agree to a non-disclosure agreement with
Oryxcloud before we share any such information with you.
- Requests: You can delete or access a copy of some
of Your Controlled Data through your Account. For any of Your
Controlled Data which may not be deleted or accessed through your
Account, upon your written request, we will, with respect to any of
Your Controlled Data in our or our Sub-Processor’s possession that
we can associate with a data subject, subject to the limitations
described in the Agreement and unless prohibited by applicable law
or the order of a governmental, law enforcement or regulatory body:
(a) return such data and copies of such data to you provided that
you make such request within no more than ninety (90) days after the
cancellation of the applicable Paid Services; or (b) delete, and
request that our Sub-Processors delete, such data (excluding in the
case of (a) or (b) any of such data which is archived on back-up
systems, which we shall securely isolate and protect from any
further processing, except to the extent required by applicable
law). Otherwise, we will delete Your Controlled Data in accordance
with our data retention policy. This Section 5.10 does not apply to
personal data held by Third Party Services.
6. Data Transfers
You authorize us to transfer Your Controlled Data away from the country
in which such data was originally collected. In particular, you
authorize us to transfer Your Controlled Data to the US. We will
transfer Your Controlled Data to outside the EEA using the Swiss-U.S.
and EU-U.S. Privacy Shield Frameworks or another lawful data transfer
mechanism that is recognized under EU Data Protection Law as providing
an adequate level of protection for such data transfers.
7. Liability
The liability of each party under this Data Processing Addendum is
subject to the exclusions and limitations of liability set out in the
Agreement. You agree that any regulatory penalties or claims by data
subjects or others incurred by Oryxcloud in relation to Your Controlled
Data that arise as a result of, or in connection with, your failure to
comply with your obligations under this Data Processing Addendum or EU
Data Protection Law shall reduce Oryxcloud’s maximum aggregate liability to
you under the Agreement in the same amount as the fine and/or liability
incurred by us as a result.
8. Conflict
In the event of a conflict between this Data Processing Addendum and the
Terms of Service, this Data Processing Addendum will control.
9. Miscellaneous
You are responsible for any costs and expenses arising from Oryxcloud’s
compliance with your instructions or requests pursuant to the Agreement
(including this Data Processing Addendum) which fall outside the
standard functionality made available by Oryxcloud generally through the
Services.