1. Definitions. In addition to any other definitions set out in this Agreement, the following will apply:
“Affiliate” means with respect to either Party, an entity that directly, or indirectly through one or more intermediaries, controls, or is controlled by, or is under common control with, such Party, where “control” means: (i) the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of such entity, whether through the ownership of voting securities, by contract or otherwise; and/or (ii) ownership of at least 50% of the voting stock, shares or interests of any such entity.
“Business Hours” means the period from 9:00 am to 5:00 pm on any Business Day.
“Business Day” means a day other than a Saturday, Sunday or public holiday in the Location, when banks in the Location are open for business.
“Confidential Information” includes proprietary and third party information that is marked as confidential or, from its nature, content or the circumstances in which it is disclosed, might reasonably be considered to be confidential. It does not include information that the recipient already knew, that becomes public through no fault of the recipient, that was independently developed by the recipient or that was lawfully given to the recipient by a third party.
“Customer Data” means any and all data which is provided by or on behalf of Customer to Cloudreach or which is otherwise processed by Cloudreach as a result of or in connection with the provision of the Solution.
“Deliverables” means all documents, analysis, output, products and materials developed by Cloudreach specifically for Customer in connection with an Order Form, including data, reports and specifications (including drafts). Deliverables shall not include any Licenced Materials.
“Intellectual Property Rights” means all patents, rights to inventions, utility models, copyright and related rights, trademarks, service marks, trade, rights in designs, rights in computer software, database rights, topography rights, moral rights, rights in Confidential Information (including know-how and trade secrets) and any other intellectual property rights, in each case whether registered or unregistered and all similar or equivalent rights or forms of protection in any part of the world.
“Licenced Materials” (i) all Cloudreach proprietary materials developed at any time independently of Cloudreach’s work under any Order Form, including but not limited to: software, applications, methodologies, code, templates, tools, policies, records, working papers, knowledge, data, know-how, architectures, concepts, techniques, user interfaces; (ii) any developments that constitute improvements, modifications or other supplemental functionality/feature sets to Cloudreach’s independently developed proprietary materials; and (iii) third party Licenced Materials.
“Location” means the location of the Services or Solution, as set out in an agreed Order Form.
“Order Form” means a signed order form describing the Services, Deliverables and Licenced Materials, which may include project scope, milestones, service/subscription term, assumptions, dependencies, fees, and any other applicable terms and conditions.
“Services” means those services to be provided by Cloudreach to Customer, as set out in an Order Form.
“Service or Subscription Period” means the period during which a particular Solution will be provided.
“Solution” means the combination of Services, Deliverables and/or Licenced Materials covered by an agreed Order Form.
2. Term; Termination. The term (“Term”) of this Agreement will begin on the Effective Date and continue until termination. This Agreement may be terminated at any time by either Party as described in the applicable Exhibit or Order Form or upon written notice if the other Party breaches any material term of this Agreement and such breach remains uncured for fifteen (15) Business Days following written notice from the other Party. Either Party may terminate this Agreement immediately upon notice if the other Party becomes insolvent, makes or has made an assignment for the benefit of creditors, is the subject of proceedings in voluntary or involuntary bankruptcy instituted on behalf of or against such Party, or has a receiver or trustee appointed for substantially all of its property. Upon any termination, Cloudreach shall be entitled to be paid for all work performed, all deliverables provided, all accrued charges and all costs incurred up to the effective date of termination.
3. Exhibits; Order Forms; Precedence. Each Exhibit and Order Form shall be incorporated into and governed by this Agreement. Order forms shall define the: (i) Solution to be provided by Cloudreach; (ii) the applicable fees (“Fees”); (iii) the Service or Subscription Period; and (iv) any additional terms and conditions. The Parties agree that this Agreement and the applicable Exhibits and Order Form(s) for the Solution shall govern and supersede any terms and conditions stated on any purchase order submitted by Customer for such Solution. In the event of any conflict between this Agreement and any Exhibit or Order Form, unless otherwise agreed, the following order of precedence shall prevail: (i) the main body of this Agreement; (ii) Exhibits; and (iii) Order Forms.
4. Services; Warranties.
(a) Cloudreach and Customer have entered into the Agreement for their benefit and for the benefit of their Affiliates. In consideration of the Customer’s payment of the Fees, Cloudreach and/or its Affiliates will provide the Solution to the Customer in accordance with and subject to the terms of the applicable Order Form. Unless otherwise specified, each Order Form shall be limited to the specific Customer Affiliate entering into such Order Form.
(b) With respect to Order Forms between Cloudreach or its Affiliates on the one side and Customer or an Affiliate of Customer on the other side, any such party shall be entitled to enforce any and all of the provisions of this Agreement against the other party as though it were party to this Agreement and those provisions were made for its benefit, with the exception of the right to amend or to terminate this Agreement, which rights may only be exercised by Customer and/or Cloudreach.
(c) Cloudreach warrants that at the time of performance all Services will be performed in a good and workmanlike manner and in accordance with generally accepted industry standards. EXCEPT FOR THE FOREGOING, CLOUDREACH MAKES NO REPRESENTATIONS OR WARRANTIES WHATSOEVER, EXPRESS OR IMPLIED, AND CLOUDREACH SPECIFICALLY DISCLAIMS ALL OTHER SUCH WARRANTIES, INCLUDING THE WARRANTIES OF MERCHANTABILITY, NON-INFRINGEMENT AND FITNESS FOR A PARTICULAR PURPOSE OR USE. CLOUDREACH DOES NOT WARRANT THAT ANY PART OF THE SOLUTION WILL BE FREE FROM DEFECTS. ANY OPEN SOURCE SOFTWARE PROVIDED AS PART OF THE SOLUTION IS PROVIDED “AS IS”.
(d) Cloudreach may recommend third party products. No warranty shall be attributable to Cloudreach with respect to such recommendations or products; the Customer shall look solely to the warranties and remedies provided by any such third party with whom it may contract.
5. Scope Assumptions; Dependencies. Customer will provide all necessary access and cooperation to enable Cloudreach to perform its obligations under an Order Form. Without limiting the generality of the foregoing, key project assumptions and dependencies will be set out in an Order Form. Where it is discovered that an assumption is incorrect, or a Customer or any other dependency is creating an issue, Cloudreach will notify the Customer in writing and the Parties will negotiate in good faith to agree a resolution within ten (10) Business Days. Where the Parties cannot arrive at a mutually satisfactory resolution, Cloudreach in its sole discretion may terminate the Order Form on a further fifteen (15) Business Days’ notice to Customer. Cloudreach shall have no liability for any failure to deliver any Solution resulting in whole or in part from an incorrect assumption or a dependency outside of Cloudreach’s control.
6. Change Requests.
(a) Any change request to an Order Form must be requested by a Party in writing and Cloudreach shall, within a reasonable time, provide a written estimate to the Customer of: (i) the likely time required to implement the change; (ii) any necessary variations to Cloudreach's charges arising from the change; (iii) the likely effect of the change and any required amendment to the applicable Order Form; and (iv) any other impact of the change on this Agreement. If the Customer wishes Cloudreach to proceed with the change, Cloudreach has no obligation to do so unless and until the Parties have agreed in writing the necessary variations.
(b) Notwithstanding Section 6(a), Cloudreach may, from time to time upon reasonable notice, modify the Solution in order to comply with any applicable safety or statutory requirements or overcome any technical issues or make improvements, provided that such changes do not materially affect the nature, scope of, or the charges for the Solution or materially adversely affect the Customer. Cloudreach may discontinue offering the Solution or any portion of the Solution on ninety (90) days’ notice to Customer. If Cloudreach discontinues offering all or part of the Solution, Customer will owe Cloudreach only the amount accrued up to the effective date of such termination.
7. Fees and Expenses; Payment; Taxes.
(a) Customer shall pay Cloudreach the Fees for the Solution as set forth in the fee schedule contained in the applicable Order Form. Time and material engagements will be based on an 8-hour working day during Business Hours and where overtime is required by Customer, an overtime rate equivalent to 150% of the calculated hourly rate will be payable.
(b) Customer shall pay the reasonable travel expenses of Cloudreach employees that are incurred in the course of Cloudreach’s performance of Services, provided that such expenses are in accordance with the limits of the Cloudreach travel and expenses policy attached as Exhibit B. Time spent by Cloudreach personnel travelling to Customer premises will be charged by Cloudreach on an hourly basis at 50% of the relevant individual’s calculated hourly rate.
(c) Customer shall pay invoiced amounts within thirty (30) days of the invoice date. Cloudreach may charge interest for late payments at the lower of: (i) 12% per annum; or (ii) the maximum legal interest rate permitted by applicable law starting on the due date until the date of payment. All payments are to be made in one of GBP/EUR/USD, as indicated on the applicable Order Form.
(d) All charges quoted to the Customer shall be exclusive of VAT, which will be added to invoices at the appropriate rate as required by applicable law. Customer is responsible for and will pay for all taxes and duties. If Customer is required under applicable law to withhold or deduct taxes such as the payment of local withholding taxes, Customer shall pay such additional amounts and ‘gross-up’ as necessary so that the net amount paid is the same amount that is due and requested by Cloudreach.
8. Insurance. During the Term of this Agreement, the Parties will maintain the insurance coverages set out in Exhibit A.
9. Confidentiality. To the extent that Confidential Information of either Party and its Affiliates is disclosed and/or received by the other Party or its Affiliates, each Party agrees not to use the other Party’s Confidential Information except in the performance of, or as authorised by this Agreement, and not to disclose, sell, licence, distribute or otherwise make available such information to third parties. Use by third party contractors may be permitted so long as such contractor has a need to know and is required to maintain the confidentiality of such information as required by this Section 9.
10. Intellectual Property Rights.
(a) Subject to Sections 10(b) and (c), as between Cloudreach and Customer, all Intellectual Property Rights in the Deliverables are and shall be owned by Customer, and Customer shall have all right, title and interest in and to such Deliverables. Customer shall also retain all rights and ownership in its proprietary Confidential Information.
(b) The Licenced Materials shall remain the exclusive property of Cloudreach or its third party licensor(s). Subject to the payment of any applicable Fees and/or third party charges, Cloudreach grants to Customer a royalty-free, non-exclusive, non-transferable licence to use such Licenced Materials solely for Customer’s internal business purposes and as part of the Solution, in accordance with the limitations set forth in this Agreement and any applicable Order Form. Cloudreach shall also retain all rights and ownership in its proprietary Confidential Information.
(c) Customer acknowledges that Cloudreach provides similar services to other customers and that nothing in this Agreement shall be construed to prevent Cloudreach from carrying on such business or from acquiring, licensing, marketing, distributing, developing for itself or others or having others develop for it, similar products, services or materials performing the same or similar functions as the Services and Deliverables contemplated by this Agreement or any Order Form. Therefore, notwithstanding Section 10(a), Cloudreach has the right to retain and use copies of the Deliverables, provided, however, that the foregoing does not include rights to distribute, disclose or create derivative works from Customer’s Confidential Information that is incorporated into the Deliverables.
(d) Customer acknowledges and agrees that Customer’s use of the Deliverables and/or Solution may be conditional on either: (i) Cloudreach obtaining a written licence (or sub-licence) from the relevant licensor or licensors on such terms as will entitle Cloudreach to licence such rights to the Customer; or (ii) the Customer obtaining a written licence from the relevant licensor or licensors or accepting open source or other free third party applications (or appointing Cloudreach to do the same). In such case, fulfilment of the relevant condition by the Customer will be deemed a dependency.
(a) Cloudreach shall defend and indemnify Customer against damages arising from a third party claim where there is a finding by a court of competent jurisdiction that the Customer’s use of the Deliverables infringes the intellectual property rights of that third party; provided that Customer: (i) promptly notifies Cloudreach in writing of any such suit; (ii) grants Cloudreach sole control of the proceedings (including without limitation the right to settle on behalf of Customer); and (iii) cooperates at all times with Cloudreach in connection with its defense at the reasonable expense of Cloudreach.
(b) If Customer is enjoined from using any Deliverable, Cloudreach shall: (i) obtain the right for Customer to continue to use such Deliverable; or (ii) replace or modify the Deliverable so as to make it non-infringing and substantially comparable in functionality. If after using commercially reasonable efforts Cloudreach is unable to do either (i) or (ii) above, such Deliverable shall be returned to Cloudreach and Cloudreach’s sole liability shall be to refund Customer the amount paid to Cloudreach for such item or portion thereof.
(c) Cloudreach will have no obligation to indemnify Customer with respect to any infringement claim based upon: (i) use or modification of a Deliverable other than in accordance with applicable documentation or instructions provided by Cloudreach; (ii) any use of the Deliverables in combination with other products, technologies or data not supplied by Cloudreach; (iii) any refusal to accept or use suitable modified or replacement Deliverables provided by Cloudreach to avoid infringement; (iv) any Deliverables provided on the basis of the Customer’s express instructions or specifications; (v) Customer’s failure to comply with the terms of any licence agreement or other licensor or manufacturer requirements applicable to any software or other products provided by Cloudreach; or (vi) Customer’s negligence, breach or willful misconduct.
12. Limitation of Liability.
(a) IN NO EVENT SHALL EITHER PARTY BE LIABLE FOR ANY INCIDENTAL, CONSEQUENTIAL, SPECIAL, EXEMPLARY, PUNITIVE, OR INDIRECT DAMAGES, BUSINESS INTERRUPTION, LOST BUSINESS PROFITS, LOSS OF ANTICIPATED SAVINGS, LOSS OF OR CORRUPTION OF DATA, LOSS OF REPUTATION OR GOODWILL, OR LOSS OF BUSINESS OPPORTUNITY ARISING OUT OF THIS AGREEMENT OR ANY SOLUTION, EVEN IF A PARTY HAS BEEN ADVISED OF OR WAS AWARE OF THE POTENTIAL FOR SUCH DAMAGES IN ADVANCE.
(b) EITHER PARTY’S TOTAL AGGREGATE LIABILITY UNDER THIS AGREEMENT, INCLUDING IN CONNECTION WITH ANY SOLUTION PROVIDED BY CLOUDREACH (WHETHER IN CONTRACT, TORT, OR OBLIGATION TO INDEMNIFY), SHALL BE LIMITED TO THE FEES PAID BY CUSTOMER TO CLOUDREACH UNDER THE RELEVANT ORDER FORM IN THE 12 MONTH PERIOD IMMEDIATELY PRECEDING THE CLAIM FOR THE SOLUTION THAT IS THE SUBJECT MATTER OF THE CLAIM UP TO A MAXIMUM OF ￡750,000.
(c) IN NO EVENT SHALL CLOUDREACH BE LIABLE FOR ANY CLAIM MADE BY CUSTOMER OR ANY OTHER PERSON TO THE EXTENT SUCH CLAIM ARISES OUT OF MATERIALS PROVIDED BY CUSTOMER TO CLOUDREACH TO USE IN DEVELOPING, PERFORMING OR CUSTOMIZING ANY SERVICES OR DELIVERABLES.
(d) Cloudreach’s sole liability in the event of a breach of the warranty under clause 4(c) of this Agreement is to use reasonable commercial endeavours to provide Services to the extent required to repair any affected Deliverable and/or perform any portion of the Services to the extent those services have not met Cloudreach’s obligation. Notwithstanding anything to the contrary in this Agreement or any Order Form, Cloudreach’s obligations under this clause will not apply to the extent the Customer has caused or contributed to the relevant breach.
(e) Nothing in this Agreement limits or excludes either Party's liability for: (i) death or personal injury resulting from negligence; (ii) fraud or fraudulent misrepresentation; (iii) willful misconduct; or (iv) payment of sums properly due and owing to the other in the course of normal performance of this Agreement and all Order Forms.
13. Employee Non-Solicitation. Unless otherwise agreed in an Exhibit, during the term of any Order Form hereunder and for one (1) year thereafter, each Party agrees not to solicit or recruit for employment any employee of the other Party, provided that this shall not prevent employees from responding to publicly advertised roles where they have not been targeted or invited to apply by the other Party. If either Cloudreach or the Customer commits any breach of this Section 13, the breaching Party shall, on demand, pay to the claiming Party a sum equal to one year's basic salary that was payable by the claiming Party to that employee plus the recruitment costs incurred by the claiming Party in replacing such person.
14. Force Majeure. Neither Party will be liable for any loss, damage or delay resulting from any event beyond such Party’s reasonable control (a “Force Majeure”) and delivery and performance dates will be extended to the extent of any delays resulting from a Force Majeure. Each Party will promptly notify the other upon becoming aware that any Force Majeure has occurred or is likely to occur and will use its best efforts to minimise any resulting delay in or interference with the performance of its obligations under this Agreement.
15. Relationship Between the Parties; Rights of Third Parties. Cloudreach will require that its personnel comply with all reasonable instructions and directions issued by Customer when on Customer’s premises. Cloudreach is an independent contractor and shall not be deemed an employee, partner, joint venturer or agent of Customer. Nothing in this Agreement shall create or confer any rights or other benefits in favour of any person other than the Parties to this Agreement and Order Form.
16. Compliance with Laws. The Parties shall: (i) comply with all applicable laws, rules, statutes and regulations relating to anti-bribery and anti-corruption including but not limited, to the U.K. Bribery Act 2010 (Relevant Requirements); (ii) not undertake, nor cause nor permit to be undertaken, any activity which either: (a) is illegal under any applicable laws, decrees, promulgations, rules, or regulations in effect in any country; or (b) would have the effect of causing the other Party to be in violation of any applicable laws, decrees, promulgations, rules, or regulations in effect, including but not limited to the United Kingdom and any other country where the Solution will be performed; (iii) promptly report to the other Party any request or demand for any undue financial or other advantage of any kind received by it in connection with the performance of this Agreement or any applicable Order Form.
17. Customer Data.
(a) Data Ownership. The Customer shall own all right, title and interest in the Customer Data. The Customer shall have sole responsibility for the legality, reliability, integrity, accuracy and quality of the Customer Data.
(b) Data Protection. To the extent that Customer is established within the European Economic Area or Switzerland or where otherwise required by applicable data protection laws, the Parties agree to the terms of the Data Processing Agreement set out in Exhibit C.
(c) Data Security. Cloudreach has implemented a variety of security measures for the purpose of maintaining reasonable safety of Customer Data that may be sent or made accessible to Cloudreach as part of Cloudreach’s delivery of the Services. However, Cloudreach does not interpret or segment data based upon its contents as a component of the Services it provides to Customer. As a result, Customer must be aware of all data that it chooses to send or make accessible to Cloudreach for processing. As Customer is responsible for the information which is sent or made accessible to Cloudreach, Customer is responsible for ensuring that any data which is not strictly necessary for the delivery of the Services and which should be protected or restricted on a need to know basis such as payment card information or cardholder data (“PCI”), protected health information, classified government information, personal data (as defined by the GDPR) (collectively, all of such data “Sensitive Information”) or other data that requires special or additional protections should not be sent or made accessible to Cloudreach.
(d) Sensitive Information. Any Customer Data which is sent or made accessible to Cloudreach although not being strictly necessary for the delivery of the Services is considered data which is not Sensitive Information and does not require additional security measures or segmentation based upon its contents. In any instances where the aforementioned Sensitive Information is discovered by Cloudreach personnel when performing their services to Customer, Cloudreach will make a reasonable effort to notify Customer that the aforementioned Sensitive Information has been sent or made accessible to Cloudreach. As between Cloudreach and Customer, Customer accepts any and all liability for claims arising out of or related to Sensitive Information and Cloudreach shall have no liability with respect thereto.
18. Marketing. Cloudreach may use Customer's name, trademarks or service marks and reference to this Agreement in promotional and marketing materials, public announcements or required disclosures, subject to any branding or other guidelines provided by Customer from time to time, on written consent from Customer.
19. Entire Agreement; Survival. This Agreement, including all Exhibits and any Order Forms, contains the complete agreement between the Parties relating to the subject matter hereof and supersedes all prior negotiations, representations and understandings. Those Sections that by their nature should logically survive shall remain in force after any termination of this Agreement.
20. Severability. In case any one or more of the provisions contained in this Agreement should be invalid, illegal, or unenforceable in any respect, the validity, legality and enforceability of the remaining provisions contained herein shall not be in any way affected or impaired thereby.
21. Amendment; Waiver. Any modification or amendment of this Agreement must be in writing and signed by both Parties. The failure of either Party to enforce any of the terms or conditions of this Agreement shall not constitute a waiver of any term or condition of this Agreement.
22. Notices. Any notices sent under this Agreement shall be delivered by reliable means to the addresses listed at the beginning of this Agreement, shall reference this Agreement and, in the case of Cloudreach, shall be delivered to the attention of the person listed below with a copy to firstname.lastname@example.org.
23. Assignment. Neither Party may assign any of its rights or obligations under this Agreement or any Order Form without the prior written consent of the other Party. Such consent shall not be unreasonably withheld, provided that Cloudreach can assign to any of its Affiliates, or to an acquirer of a controlling interest, or all or substantially all of the assets of a Party without the consent of the Customer.
24. Governing Law; Jurisdiction. This Agreement shall be governed by the laws of England and Wales. Cloudreach and Customer agree that any controversy or claim arising out of or relating to this Agreement or the breach thereof shall be submitted to binding arbitration via the London Court of International Arbitration (LCIA) under the LCIA Rules.
Exhibit A: Insurance
1. Cloudreach shall maintain, throughout the duration of the Agreement and each Order Form the following insurance with companies which are licenced to provide the applicable insurance:
(a) Worker’s compensation insurance or other similar social insurance in accordance with the laws of the country, state or territory exercising jurisdiction over the employee with the minimum limits required by law.
(b) Employer’s liability insurance, including coverage against legal liability for injury to or illness of employees arising out of or in the course of business by Cloudreach or an amount not less than £10,000,000 per occurrence (including costs).
(c) Products liability insurance for legal liability for injury to third parties or loss of or damage to third party property arising out of the products supplied by Cloudreach for an amount not less than £5,000,000 for all aggregate claims in any one year.
(d) Public liability insurance for legal liability for injury to third parties or loss of or damage to third party property arising out of the business of Cloudreach for an amount not less than £5,000,000 per occurrence.
(e) Professional indemnity insurance for legal liability arising as a direct result of negligence of Cloudreach in the conduct and execution of their professional activities and duties for an aggregate amount of up to £10,000,000 per occurrence.
(f) Comprehensive foreign and domestic business travel and personal accident insurance for all employees or self employed recruiters of Cloudreach, including medical and emergency travel expenses insurance for an amount not less than £10,000,000.
(g) Cyber insurance covering, amongst others, cyber liability, data breach notification, IT asset rectification and cyber business interruption for an amount not less than £10,000,000 for all aggregate claims in any one year.
(h) Crime insurance for an amount not less than £1,000,000 per occurrence.
2. At Customer’s reasonable request, Cloudreach shall furnish Customer with certificates of insurance evidencing compliance with the requirements listed above. Cloudreach shall not modify its insurance in such a way that would adversely affect Customer.
Exhibit B: Travel and Expenses Policy (Europe)
Cost per night (incl. taxes)
UK (excl. London)
Switzerland - Zurich, Geneva
Switzerland - other cities
(incl. taxes & service)
(incl. taxes & service)
(incl. taxes & service)
UK (excl. London)
UK - London
Europe (other excl. UK)
Europe - Paris/Munich
Europe - Switzerland
Transport - flight / taxi
Approved Flight/Train/Ferry limits: Travel should not exceed the limits below for a return trip.
Limit of Return Trip
UK (London / Edinburgh)
Any UK city
UK (London / Edinburgh)
Any European city (excl. UK)
European City (non-UK / Germany)
Any European city
Any European city
Any European city
Air travel: All travel must be in economy class.
Taxis: Taxis can be taken for business purposes if it is the most cost-effective means of transport or there is a genuine business need. The following guidelines apply:
Exhibit C: Data Processing Agreement (the “DPA”)
The DPA forms part of the Agreement between Cloudreach and Customer under which Cloudreach provides the Solution to Customer. Terms not defined in this DPA shall have the meaning given to them in the Agreement. If any term in this DPA conflicts with any term in the Agreement then this DPA shall prevail.
“Customer Data” means any and all data which is provided by or on behalf of Customer to Cloudreach or which is otherwise processed by Cloudreach as a result of or in connection with the provision of the Solution.
“Data Protection Laws” means all data protection laws applicable to the Processing of Personal Data under this DPA, including local, state, national and/or foreign laws, treaties, and/or regulations, EU Data Protection Laws, and implementations of EU Data Protection Laws into national law.
“EU Data Protection Laws” means the General Data Protection Regulation (EU) 2016/679 (“GDPR”).
“Personal Data” means any Customer Data that relates to an identified or identifiable natural person (“Data Subject”).
“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.
“Processing or Process” means any operation or set of operations performed on Personal Data or sets of Personal Data, such as collecting, recording, organising, structuring, storing, adapting or altering, retrieving, consulting, using, disclosing by transmission, disseminating or otherwise making available, aligning or combining, restricting, erasing or destroying.
“Subprocessor” means a Cloudreach Affiliate or third-party entity engaged by or on behalf of Cloudreach or a Cloudreach Affiliate to process Personal Data.
“Valid Transfer Mechanism” means a data transfer mechanism permitted by EU Data Protection Laws as a lawful basis for transferring Personal Data to a recipient outside the EEA.
“Special Categories of Personal Data”, “Data Processor” and “Data Controller”; shall have the meaning given to it in the GDPR.
2. PROCESSING PERSONAL DATA
2.1 Scope and Role of the Parties. This DPA applies to the Processing of Personal Data by Cloudreach in the course of providing the Solution. For the purposes of this DPA, Customer is the Data Controller and Cloudreach is the Data Processor, Processing Personal Data on Customer’s behalf. Appendix A sets out the scope, nature and purpose of Processing of Personal Data by Cloudreach, the duration of the Processing and the categories of Personal Data and categories of Data Subject.
2.2 Instructions for Processing. Cloudreach shall Process Personal Data in accordance with Customer’s documented instructions unless Cloudreach is required by law to Process Personal Data. Customer instructs Cloudreach to Process Personal Data to provide the Solution in accordance with the Agreement (including this DPA).
2.3 Compliance with Laws. Cloudreach shall comply with all Data Protection Laws applicable to Cloudreach in its role as a Data Processor. For the avoidance of doubt, Cloudreach is not responsible for complying with Data Protection Laws applicable to Customer or Customer’s industry such as those not generally applicable to cloud service providers. Customer shall comply with all Data Protection Laws applicable to Customer as a Data Controller.
2.4 Confidentiality. Cloudreach shall ensure that all personnel who have access to and/or process Personal Data are obliged to keep Personal Data confidential.
2.5 Lawful transfer of Personal Data. Customer shall ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the Personal Data to Cloudreach for the duration and purposes of this DPA.
2.6 Restriction of access. Customer shall restrict Cloudreach’s access to Personal Data to those types of access that are unavoidable for Cloudreach to provide the Solution. In no event shall Cloudreach, its employees, agents and Subprocessor be liable to the Customer to the extent that the processing of personal data is based on Customer’s failure to restrict Cloudreach’s access to Personal Data to those types of access that are unavoidable for Cloudreach to provide the Solution.
2.7 Reliance on Customer. The Customer acknowledges that Cloudreach is reliant on the Customer for direction as to the extent to which Cloudreach is entitled to process Personal Data on behalf of Customer for the performance of the Solution. Consequently, Cloudreach will not be liable under this DPA for any claim brought by a data subject arising from any action or omission by Cloudreach to the extent that such action or omission resulted directly or indirectly from any of the following: Cloudreach’s processing of Personal Data in accordance with this DPA, the Customer’s instructions, or Customer’s failure to comply with its obligations under the applicable Data Protection Laws.
3.1 Use of Subprocessors. Customer specifically authorises the engagement of Cloudreach’s Affiliates as Subprocessors. In addition, Customer generally authorises the engagement of any Subprocessors provided that such Subprocessors have entered into a written agreement with Cloudreach or its Affiliate requiring the Subprocessor to abide by terms no less protective than those provided in this DPA. Cloudreach shall be liable for the acts and omissions of any Subprocessors to the same extent as if the acts or omissions were performed by Cloudreach.
3.2 Notification of new Subprocessors. Cloudreach shall make available to Customer a webpage with a list of Subprocessors authorised to Process Personal Data (“Subprocessor List”) and provide Customer with a mechanism to obtain notice of any updates to the Subprocessor List. The Subprocessor List shall be located at: subprocessors.cloudreach.com (or such other URL as Cloudreach may provide from time to time).
3.3 Subprocessor Objection Right. This clause 3.3 shall apply only where and to the extent that Customer is established within the EEA or Switzerland or where otherwise required by Data Protection Laws applicable to Customer.
(a) Upon receiving any update notification from Cloudreach in accordance with the notification mechanism set out in clause 3.2 above, Customer may object to Cloudreach’s use of a new Subprocessor by notifying Cloudreach in writing within ten (10) Business Days.
(b) Provided Customer’s objection is based on reasonable grounds, Cloudreach will use reasonable efforts to make available to Customer a change in the provision of the Solution to avoid processing of Personal Data by the objected-to new Subprocessor without unreasonably burdening the Customer.
(c) If Cloudreach is unable to make available such change within a reasonable period of time, which shall not exceed thirty (30) days, the Customer may terminate the applicable Order Form(s) with respect only to the portion of the Solution which cannot be provided by Cloudreach without the use of the objected-to new Subprocessor by providing 30 days prior written notice to Cloudreach.
4. DATA TRANSFER
4.1 Access to Personal Data and Processing locations. In order to provide the Solution to the Customer, Cloudreach and its Subprocessors will only access and process Personal Data from (i) countries in the EEA, (ii) countries or territories formally recognised by the European Commission as providing an adequate level of data protection (“Adequate Countries”) and (iii) third countries or territories provided Cloudreach and the relevant Subprocessor have put a Valid Transfer Mechanism in place.
4.2 Transfer of Personal Data to third countries. Subject to clause 4.1 Cloudreach shall not transfer any Personal Data to, or process Personal Data, outside of the EEA without the prior written consent of Customer and provided the following conditions are fulfilled:
(i) Cloudreach has ensured that a Valid Transfer Mechanism is in place in relation to the transfer;(ii) the Data Subject has enforceable rights and effective legal remedies;(iii) Cloudreach complies with its obligations under the Data Protection Laws by providing an adequate level of protection to any Personal Data that is transferred; and(iv) Cloudreach complies with reasonable instructions notified to it in advance by Customer with respect to the processing of the Personal Data.
5. RIGHTS OF DATA SUBJECTS
Cloudreach shall, in relation to any Personal Data processed in connection with the performance by Cloudreach of its obligations under this DPA:
(a) assist Customer in responding to any request from a Data Subject and in ensuring compliance with its obligations under the Data Protection Laws with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators;
(b) maintain complete and accurate records and information to demonstrate its compliance with this DPA.
6. RETURN AND DELETION OF PERSONAL DATA
Cloudreach shall at the written direction of Customer, delete or return Personal Data and copies thereof to Customer as soon as practical after Cloudreach ceases to provide the Solution, unless required by Data Protection Laws or other applicable laws to store Personal Data.
7. INFORMATION SECURITY
7.1 Information Security Programme. Cloudreach shall implement and maintain a written information security programme including appropriate policies, procedures, and risk assessments that are reviewed at least annually.
7.2 Technical and organisation safeguards. Cloudreach shall implement, and at all times during this DPA maintain technical and organisational safeguards to protect Personal Data from unauthorised or unlawful processing or accidental loss or damage:
(i) ensuring in each case a level of security appropriate to the risk, including in relation to any Special Categories of Personal Data; and
(ii) maintaining ISO 27001 or similar certification; and
(iii) in addition maintaining controls in line with accepted industry practices including the International Organization for Standardization's standards: Requirements and ISO/IEC 27002 – Code of Practice for International Security Management, the Control Objectives for Information and related Technology (COBIT) standards, the National Institute of Standards and Technology (NIST) Cybersecurity Framework, or a SOC type II controls.
7.3 Minimum safeguards. At a minimum, Cloudreach’s safeguards for the protection of Personal Data shall include:
(i) securing business facilities, data centers, paper files, servers, backup systems, and computing equipment, including, but not limited to, all mobile devices and other equipment with information storage capability;
(ii) implementing network, application, database, and platform security;
(iii) securing information transmission, storage, and disposal;
(iv) implementing authentication and access controls within media, applications, operating systems, and equipment;
(v) encrypting Personal Data at rest where possible;
(vi) encrypting Personal Data transmitted over transit in network;
(vii) strictly segregating Customer Data from information of Cloudreach or its other customers so that Customer Data is not commingled with any other types of information;
(viii) conducting risk assessments, penetration testing, and vulnerability scans and promptly implementing, at Cloudreach’s sole cost and expense, a corrective action plan to correct any issues that are reported as a result of the testing;
(ix) implementing appropriate personnel security and integrity procedures and practices, including, but not limited to, conducting background checks consistent with applicable law; and
(x) providing appropriate privacy and information security training to Cloudreach's employees.
7.4 Customer’s Security Responsibilities. Customer shall be solely responsible for:
(i) ensuring a level of security appropriate to the risk in respect of Customer Data; and
(ii) backing up Customer Data in line with industry best practices.
8. PERSONAL DATA BREACH PROCEDURE
8.1 Customer’s security contact. Customer shall provide Cloudreach with the name and contact information for an employee of Customer who shall serve as Cloudreach’s primary security contact and shall be available to assist Cloudreach in resolving obligations associated with a Personal Data Breach.
8.2 Notification of Personal Data Breaches. In the event Cloudreach becomes aware of a Personal Data Breach it shall without undue delay notify Customer by contacting Customer’s security contact using the information provided by Customer in accordance with clause 8.1. To the extent Customer requires additional information from Cloudreach to meet its Personal Data Breach notification obligations under applicable Data Protection Laws, Cloudreach shall provide reasonable assistance to provide such information to Customer taking into account the nature of Processing and the information available to Cloudreach.
9. OVERSIGHT OF SECURITY COMPLIANCE
Upon Customer’s written request providing reasonable notice to Cloudreach and no more than once a year, Cloudreach grants Customer or, upon Customer’s election, a third party on Customer’s behalf, permission to perform an assessment, audit, examination, or review (the “Audit”) during business hours of all controls in Cloudreach’s physical and/or technical environment in relation to all Personal Data being handled and/or services being provided to Customer pursuant to the Agreement. Such an Audit shall be conducted at Customer expense and Cloudreach shall reasonably cooperate by providing access to knowledgeable personnel, physical premises, documentation, infrastructure, and application software that processes, stores, or transports Personal Data for Customer pursuant to this DPA. The duration of the Audit shall under no circumstances exceed 2 Business Days.