Data Processing Agreement

 

This Data Processing Agreement (the “DPA”), entered into by the CloudTask customer identified on the applicable subscription form for CloudTask services (“Customer”), governs the processing of Personal Data that Customer shares or otherwise provides CloudTask in connection with the services, the processing of Personal Data by CloudTask on behalf of Customer in connection with the services, and the processing of any Personal Data that CloudTask shares or otherwise provide to Customer in connection with the services. 

This DPA is incorporated into the relevant CloudTask Subscription Agreement attached to or incorporated by reference into the subscription form previously executed by the Customer, referred to in this DPA as the “CSA”. Collectively, the DPA (including the Controller to Processor Standard Contractual Clauses (SCCs), in the Annex to the European Commission Decision of February 5, 2010, as may be amended or replaced from time to time by the European Commission), the CSA, and the applicable subscriptions forms are referred to in this DPA as the “Agreement”. In the event of any conflict or inconsistency between any of the terms of the Agreement, the provisions of the following documents (in order of precedence) shall prevail: (a) the SCCs; (b) the applicable ordering document to the Contract; (c) this DPA; (d) the CSA. Except as specifically amended in this DPA, the CSA and applicable ordering document remain unchanged and in 

  1. All capitalized terms not defined herein shall have the meaning set forth in the CSA. 
    1. “Controller” means the entity which determines the purposes and means of the processing of Personal Data. 
    2. “Customer” means the same as “You” and “Your” as defined in the Customer Subscription Agreement. 
    3. “Customer Personal Data” means Personal Data that Customer shares or otherwise provides in connection with its use of CloudTask’s services. 
    4. “CCPA” means the California Consumer Privacy Act of 2018 together with any subordinate legislation or regulations. 
    5. ‘Data Protection Legislation` All applicable laws and regulations relating to the processing of personal data in any jurisdiction (including, where applicable, the guidance and codes of practice issued by any competent authority), with respect to any Customer Personal Data in respect of which any Customer is subject to any other Data Protection Laws. 
    6. “Data Subject” means the identified or identifiable person to whom Personal Data relates. 
    7. “Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. 
    8. “Processor” means the entity which Processes Personal Data on behalf of the Controller. 
  2. Each party agrees to Process Personal Data received under the Agreement only for the purposes set forth in the Agreement. For the avoidance of doubt, the categories of Personal Data Processed and the categories of data subjects subject to this DPA is the Personal Data provided by the data exporter to the data importer in connection with services outlined in the CSA. Such personal data may include first name, last name, email address, contact information, education and work history provided in resumes, CRM data concerning sales leads and customer lists, and any Personal Data provided by the data exporter regarding the foregoing.
  3. The parties acknowledge and agree that with regard to the Processing of Personal Data, Customer is the Controller, CloudTask is the Processor. 
  4. Customer agrees shall determine the purposes and general means of CloudTask’s Processing of Customer Personal Data in accordance with this Agreement; and comply with its protection, security, and other obligations with respect to Customer Personal Data prescribed by Data Protection Requirements for data controllers. 
  5. Customer’s instructions for the Processing of Personal Data shall comply with the Applicable Data Protection Legislation. Customer shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Customer acquired Personal Data. 
  6. CloudTask shall treat Personal Data as Confidential Information and shall only Process Personal Data on behalf of and in accordance with Customer’s instructions for the following purposes: (i) to anonymously aggregate, publish, or otherwise make known performance benchmarks or other data metrics about the use of the Services, all in accordance with the CSA; and (ii) as reasonably required for proper performance by CloudTask of its obligations. 
  7. Where Personal Data is Processed by CloudTask, its agents, sub-contractors or employees under or in connection with the CSA, CloudTask shall take reasonable steps to ensure that all of its employees, agents, and sub-contractors who may have access to the Personal Data: (a) Are informed of the confidential nature of the Personal Data; and (b) Are subject to confidentiality undertakings or professional or statutory obligations of confidentiality that apply with respect to the Processing of such Personal Data. 
  8. If CloudTask intends to engage Subprocessors to help it satisfy its obligations in accordance with this DPA or to delegate all or part of the processing activities to such Subprocessors, (i) exclusive of the list of Subprocessors CloudTask and its Affiliates maintains online (currently available at https:/cloudtask.com/customer-subprocessors), the use of which Customer approves, obtain the prior written consent of Customer to such subprocessing, such consent to not be unreasonably withheld; (ii) remain liable to Customer for the Subprocessors’ acts and omissions with regard to data protection where such Sub Processors act on CloudTask’s instructions; and (iii) enter into contractual arrangements with such Sub Processors binding them to provide the same level of data protection and information security to that provided for herein; and upon request, provide Customer with a mapping of CloudTask's security policies to the controls set forth in the International Organization for Standardization (ISO) / International Electrotechnical Commission (IEC) 27001 standard. 
  9. CloudTask shall only authorize sub-contractors to Process the Personal Data (“Sub-Processor“), subject to: 
    1. Informing the Customer of the identity of the proposed Sub-Processor beforehand, and as described in the Website Terms of Use and Privacy Policy 
    2. including terms in the contract between CloudTask and the Sub-Processor which are substantially the same as those set out in this DPA to the extent applicable to the nature of the Services provided by the Sub-Processor; and 
    3. CloudTask remaining fully liable to the Customer, in accordance with the terms of the CSA relating to liability, for any failure by a Sub-Processor to fulfill its obligations in relation to the Processing of any Personal Data to the same extent CloudTask would be liable if performing the services of the Sub-Processor directly under the terms of this DPA. Notwithstanding the above, Customer hereby acknowledges and agrees that: (a) CloudTask’s affiliates may be retained as Sub-processors, and (b) CloudTask stores and process the Customer Data including the Personal Data within a third-party hosting services.
  10. CloudTask shall maintain appropriate technical and organizational measures for the protection of the security (including protection against unauthorized or unlawful Processing and against accidental or unlawful destruction, loss or alteration or damage, unauthorized disclosure of, or access to, Customer Data), confidentiality, and integrity of Customer Data, as set forth in the CSA, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. These measures include protection such as encryption for communication and user authentication to prevent unauthorized user access or other malicious activities. In addition, CloudTask limits access to its databases, keeping a clear separation between the off-line servers where Your Customer Data is analyzed, and the online, on-demand servers where processed impact analysis results are stored. While such tools and procedures reduce the risk of security breaches, they do not provide absolute security, and CloudTask cannot guarantee that the Services will be immune from any unlawful interceptions or unauthorized access. 
  11. CloudTask will notify the Customer without undue delay upon becoming aware of a Personal Data Breach, and otherwise assist the Customer, taking into account the nature of Processing and the information available to CloudTask in meeting its obligations regarding the notification, investigation, mitigation, and remediation of a Personal Data Breach under the Data Protection Legislation, without prejudice to CloudTask’s right to charge the Customer any reasonable costs for such assistance. The obligations herein shall not apply where statutory guidance indicates that a Personal Data Breach is not required to be notified by a Processor to a Controller and to incidents that are caused by Customer or Customer’s users. 
  12. CloudTask shall cease Processing the Personal Data upon the termination or expiry of the CSA or if sooner, the Service to which it relates and, at the Customer’s option, either return or delete the Personal Data and any copies of it or of the information it contains, without prejudice to any EU legal obligations for CloudTask to store or archive such Personal Data. 
  13. Upon request, CloudTask shall make available to the Customer all information necessary to demonstrate compliance with its obligations under this DPA and allow for audits conducted by the Customer. 
  14. CloudTask shall cooperate as reasonably requested by the Customer, to the extent necessary to enable the Customer to comply with any exercise of rights by a Data Subject under the Data Protection Legislation in respect of Personal Data Processed by CloudTask under the CSA or comply with any assessment, enquiry, notice or investigation under the Data Protection Legislation, including by any regulator, subject to reasonable advance notice and without prejudice to CloudTask’s right to charge the Customer any reasonable costs for such assistance. 
  15. CloudTask shall, to the extent legally permitted, promptly notify Customer if CloudTask receives a request from a Data Subject to exercise the Data Subject’s right of access, right to rectification, restriction of Processing, erasure (“right to be forgotten”), data portability, object to the Processing, or its right not to be subject to an automated individual decision making (“Data Subject Request”). Taking into account the nature of the Processing, CloudTask shall assist Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Customer’s obligation to respond to a Data Subject Request under the Applicable Data Protection Legislation. In addition, to the extent Customer, in its use of the Services, does not have the ability to address a Data Subject Request, CloudTask shall upon Customer’s request provide commercially reasonable efforts to assist Customer in responding to such Data Subject Request, to the extent CloudTask is legally permitted to do so and the response to such Data Subject Request is required under the Applicable Data Protection Legislation. To the extent legally permitted, Customer shall be responsible for any costs arising from CloudTask’s provision of such assistance.
  16. Each party’s, taken together in the aggregate, arising out of or related to this DPA, is subject to the ‘Limitation of Liability section of the CSA. For the avoidance of doubt, CloudTask’s total liability for all claims from the Customer arising out of or related to the CSA and this DPA shall apply in the aggregate for all claims under both the CSA and this DPAs established under the CSA, and, in particular, shall not be understood to apply individually and severally. 
  17. The parties agree that for the purposes of the CCPA, CloudTask does not sell Customer Personal Data and shall only use Customer Personal Data for the purposes specified in this DPA and will certifies that it understands its data privacy obligations and will abide by it, including by avoiding any action that would cause CloudTask to be deemed to have sold Personal Data or Personal Information under the CCPA. 
  18. If there is new guidance or a change in the Data Protection Legislation or case law that renders all or part of the Services illegal, CloudTask may terminate the CSA and replace it with a compliant version. 
  19. This DPA shall remain in effect as long as CloudTask carries out Personal Data processing operations on behalf of Customer or until the termination of CSA. 
  20. Notwithstanding anything in the Agreement to the contrary, this DPA shall be governed by the laws of State of Florida, and any action or proceeding related to this DPA (including those arising from non-contractual disputes or claims) will be brought in Florida, USA.