Data Processing Agreement

This Cloudify Data Processing Agreement (“DPA”) is for the product named Marketplace offered by Cloudify ApS. The DPA reflects the parties’ approval with respect to the Processing of Personal Data by us on behalf of you in connection with the Marketplace Subscription Services under the Marketplace Customer Terms of Service (insert a hyperlink to T&Cs) between you and us (also referred to in this DPA as the “Agreement”).

This DPA is supplemental to, and forms an integral part of, the Agreement and is effective upon its incorporation into the Agreement, which may be specified in the Agreement, an Order or an executed amendment to the Agreement. In case of any conflict or inconsistency with the terms of the Agreement, this DPA will take precedence over the terms of the Agreement to the extent of such conflict or inconsistency.

We update these terms from time to time. As far as possible, Cloudify will notify the Customer of significant changes.

The term of this DPA shall follow the term of the Agreement. Terms not otherwise defined herein shall have the meaning as set forth in the Agreement.

1. Definitions

“Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.

“Data Protection Law” means all applicable legislation relating to data protection and privacy including without limitation the EU Data Protection Directive 95/46/EC and all local laws and regulations which amend or replace any of them, including the GDPR, together with any national implementing laws in any Member State of the European Union or, to the extent applicable, in any other country, as amended, repealed, consolidated or replaced from time to time. The terms “process”, “processes” and “processed” will be construed accordingly.

“Data Subject” means the individual to whom Personal Data relates.

“GDPR” means the General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data.

“Instruction” means the written, documented instruction, issued by the Controller to the Processor, and directing the same to perform a specific action with regard to Personal Data (including, but not limited to, depersonalizing, blocking, deletion, making available).

“Personal Data” means any information relating to an identified or identifiable individual where such information is contained within Customer Data and is protected similarly as personal data or personally identifiable information under applicable Data Protection Law.

“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.

“Processing” means any operation or set of operations which is performed on Personal Data, encompassing the collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction or erasure of Personal Data.

“Processor” means a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Controller.

2. Subject Matter and Nature of Processing

The subject-matter of Processing of Personal Data by the Processor is the provision of the services to Cloudify that involves the Processing of Personal Data. Personal Data will be subject to those Processing activities as may be specified in the Agreement and an Order.

3. Types of Personal Data and Purpose of Processing

Contact information, the extent of which is determined and controlled by the Customer in its sole discretion, and other Personal Data such as navigational data (including website usage information), email data, system usage data, application integration data, and other electronic data submitted, stored, sent, or received by end-users via the Marketplace Product. Personal Data will be Processed for purposes of providing the services set out and otherwise agreed to in the Agreement and any applicable Order.

4. Categories of Data Subjects

Cloudify's contacts and other end users including our employees, contractors, collaborators, customers, prospects, suppliers and subcontractors. Data Subjects also include individuals attempting to communicate with or transfer Personal Data to our end users.

5. Customer Responsibility
  • Compliance with Laws

    Within the scope of the Agreement and in its use of the services, the Customer will be responsible for complying with all requirements that apply to it under applicable Data Protection Laws with respect to its Processing of Personal Data and the Instructions it issues to us.

    In particular but without prejudice to the generality of the foregoing, the Customer acknowledges and agrees that they will be solely responsible for: (i) the accuracy, quality, and legality of their Customer Data and the means by which they acquired Personal Data; (ii) complying with all necessary transparency and lawfulness requirements under applicable Data Protection Laws for the collection and use of the Personal Data, including obtaining any necessary consents and authorizations (particularly for use by Customer for marketing purposes); (iii) ensuring they have the right to transfer, or provide access to, the Personal Data to us for Processing in accordance with the terms of the Agreement (including this DPA); (iv) ensuring that their Instructions to us regarding the Processing of Personal Data comply with applicable laws, including Data Protection Laws; and (v) complying with all laws (including Data Protection Laws) applicable to any emails or other content created, sent or managed through the Subscription Services, including those relating to obtaining consents (where required) to send emails, the content of the emails and its email deployment practices. The Customer will inform us without undue delay if they are not able to comply with their responsibilities under this 'Compliance with Laws' section or applicable Data Protection Laws.

  • Controller Instructions

    The parties agree that the Agreement (including this DPA), together with the Customer's use of the Subscription Service in accordance with the Agreement, constitute their complete and final Instructions to us in relation to the Processing of Personal Data, and additional instructions outside the scope of the Instructions shall require a prior written agreement between us and them.

  • Security

    The Customer is responsible for independently determining whether the data security provided for in the Subscription Service adequately meets their obligations under applicable Data Protection Laws. You are also responsible for your secure use of the Subscription Service, including protecting the security of Personal Data in transit to and from the Subscription Service (including to securely back up or encrypt any such Personal Data).

6. Obligations of the Processor

The Processor shall collect, process and use Personal Data only within the scope of Cloudify’s instructions. If the Processor believes that an Instruction from us infringes the Data Protection Law, it shall inform us without delay. If the Processor cannot process Personal Data in accordance with the instructions due to a legal requirement under any applicable European Union or Member State law, the Processor will (i) promptly notify Cloudify of that legal requirement before the relevant Processing to the extent permitted by the Data Protection Law; and (ii) cease all Processing (other than merely storing and maintaining the security of the affected Personal Data) until such time as Cloudify issues new instructions with which the Processor is able to comply.

The Processor shall take the appropriate technical and organizational measures to adequately protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data. Such measures include, but are not limited to:

  • The prevention of unauthorized persons from gaining access to Personal Data Processing systems (physical access control),
  • The prevention of Personal Data Processing systems from being used without authorization (logical access control),
  • Ensuring that Personal Data cannot be read, copied, modified or deleted without authorization during electronic transmission, transport or storage on storage media, and that the target entities for any transfer of Personal Data by means of data transmission facilities can be established and verified (data transfer control),
  • Ensuring that Personal Data is processed solely in accordance with the Instructions (control of instructions),
  • Ensuring that Personal Data is protected against accidental destruction or loss (availability control),
  • Ensuring that Personal Data is backed up and maintained using industry standards,
  • Ensuring that the infrastructure providers use commercially reasonable efforts to ensure a minimum of 99.99% uptime for access to the Processor’s services.

7. Rectification, Restriction and Erasure of Data

The Processor will provide reasonable assistance, including by appropriate technical and organizational measures and taking into account the nature of the Processing, to enable Cloudify to respond to any request from Data Subjects seeking to exercise their rights under the Data Protection Law with respect to Personal Data (including access, rectification, restriction, deletion or portability of Personal Data, as applicable), to the extent permitted by the law. If such request is made directly to the Processor, the Processor will promptly inform Cloudify and will advise Data Subjects to submit their request to us. Cloudify shall be solely responsible for responding to any Data Subjects’ requests. Cloudify shall reimburse the Processor for the costs arising from this assistance.

8. Data Breaches

The Processor will notify Cloudify as soon as practicable after it becomes aware of any Personal Data Breach affecting any Personal Data. At our request, the Processor will promptly provide Cloudify with all reasonable assistance necessary to enable us to notify relevant Personal Data Breaches to competent authorities and/or affected Data Subjects, if we are required to do so under the Data Protection Law.

9. Sub-Processors

The Customer agrees that Cloudify may engage Sub-Processors to Process Personal Data on their behalf. We have currently appointed, as Sub-Processors, the Cloudify Affiliates and third parties listed below. We may notify the Customer if we add or remove Sub-Processors to this list prior to any such changes.

Where we engage Sub-Processors, we will impose data protection terms on the Sub-Processors that provide at least the same level of protection for Personal Data as those in this DPA (including, where appropriate, the Standard Contractual Clauses), to the extent applicable to the nature of the services provided by such Sub-Processors.

Here is a list of the Sub-Processors:

  • HubSpot
  • Pipedrive
  • ActiveCampaign
  • Shopify
  • Magento
  • WooCommerce
  • Mailchimp
  • Facebook
  • Airtable
  • Firebase
  • Stripe
  • Previsto
  • Katana
  • ClickUp
  • Notion
  • Discord
  • Google
  • Zapier
  • Autocode

10. Transfer of Personal Data

(A) Cloudify shall not transfer European Data to any country or recipient not recognized as providing an adequate level of protection for Personal Data (within the meaning of applicable European Data Protection Laws) unless it first takes all such measures as are necessary to ensure the transfer is in compliance with applicable European Data Protection Laws. Such measures may include (without limitation) transferring such data to a recipient that is covered by a suitable framework or other legally adequate transfer mechanism recognized by the relevant authorities or courts as providing an adequate level of protection for Personal Data, to a recipient that has achieved binding corporate rules authorization in accordance with European Data Protection Laws, or to a recipient that has executed appropriate standard contractual clauses in each case as adopted or approved in accordance with applicable European Data Protection Laws.

(B) The Customer acknowledges that in connection with the performance of the Subscription Services, Cloudify is a recipient of European Data in India. The parties acknowledge and agree to the following:

  • Standard Contractual Clauses: The parties agree to abide by and process European Data in compliance with the Standard Contractual Clauses.
  • Privacy Shield: Cloudify will process European Data in compliance with the Privacy Shield Principles and let the Customer know if it is unable to comply with this requirement.