Data Processing Agreement
Data Processing Agreement Followed by Mikro Cyber Cloud
Last Updated: 01 November, 2023
This Data Processing Agreement (“DPA”), as updated from time to time, supplements and its terms and conditions are subject to MikroCyberCloud’s Terms of Service (“TOS”), by and between MikroCyberCloud and Customer, which are incorporated herein by this reference, and governs MikroCyberCloud’s use of Customer’s Data (as defined herein) (as a controller of such data). MikroCyberCloud and Customer may be individually referred to as a “Party” or collectively, the “Parties.”
The Parties have agreed to enter into this DPA to safeguard Personal Data with respect to the requirements of the General Data Protection Regulation (“GDPR”) of the European Union.
1. DEFINITIONS
The following definitions are used in this DPA. Unless otherwise defined herein, all capitalized terms used in this DPA will have the meanings given in the TOS:
1.1. “Affiliate” means an entity that directly or indirectly controls, is controlled by or is under common control with an entity.
1.2. “Authorized Affiliate” means any of Customer Affiliate(s) permitted to or otherwise receiving the benefit of the Services pursuant to the Terms of Service.
1.3. “Agreement” means the TOS and all other written or electronic agreement(s) between MikroCyberCloud and Customer, which govern use of the Website, Products, or Order Form (as applicable), as such terms or agreement may be updated from time to time. For the avoidance of doubt, all references to the “Agreement” shall also include the Standard Contractual Clauses (where applicable, as defined herein).
1.4. “Customer” means a Website visitor, user and/or the party set forth in the related Order Form.
1.5. “Customer Data” means the Personal Data MikroCyberCloud and/or its Affiliates process on behalf of Customer in the course of providing, or via Services, as more particularly described in this DPA.
1.6. “Personal Data” means any information about, or related to, an identifiable natural person, which includes any information that can be linked to an individual or used to directly or indirectly identify an individual, natural person.
1.7. “Data Subject” is defined as the person associated with the Personal Data.
1.8. “Controller” means an entity that determines the purposes and means of the processing of Personal Data.
1.9. “Processor” means an entity that processes Personal Data on behalf of the Controller.
1.10. “Sub-processor” means any Processor engaged by MikroCyberCloud or its Affiliates to assist in fulfilling its obligations with respect to serving or providing the Services pursuant to the Agreement or this DPA. Sub-processors may include third parties or Affiliates of MikroCyberCloud but shall exclude MikroCyberCloud’s employees, contractors, or consultants.
1.11. “Processing” means any operation performed upon Personal Data, such as using, accessing, retrieving, collecting, recording, securing, storing, adapting or altering, disclosing by transmission, disseminating or otherwise making available, blocking, erasing, or destroying. “Processes” and “Process” shall be construed accordingly.
1.12. “Data Protection Laws” means all data protection laws, regulations, and legislation relating to data protection and privacy related to processing of Customer Data under the Agreement, including without limitation, where applicable, EU Data Protection Laws, in each case as amended, repealed, consolidated or replaced from time to time.
1.13. “Europe” means the European Economic Area and its member states (“EEA”), Switzerland and the United Kingdom (“UK”).
1.14. “EU Data” means Personal Data under this DPA from the European Union (EU), the European Economic Area (EEA) and/or their member states, Switzerland and/or the United Kingdom.
1.15. “EU Data Protection Laws” means all data protection laws and regulations applicable to Europe, including (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data (General Data Protection Regulation) (“GDPR”); (ii) Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector; (iii) applicable national implementations of (i) and (ii); (iv) the GDPR as it forms part of UK law by virtue of section 3 of the UK European Union (Withdrawal) Act 2018 and the UK Data Protection Act 2018 (together, “UK Data Protection Law”); and (v) the Swiss Federal Data Protection Act of 19 June 1992 and its Ordinance (“Swiss DPA”).
1.16. “Sensitive Data” means (i) social security number, passport number, driver’s license number, tax file number, or similar identifier (or any portion thereof); (ii) credit or debit card number (other than the last four digits of a credit or debit card, and/or as required for processing payment); (iii) employment, financial, credit, genetic, biometric or health information; (iv) racial, ethnic, political or religious affiliation, trade union membership, information about sexual life or sexual orientation, or criminal record; or (v) other information that falls within the definition of “special categories of data” under applicable Data Protection Laws.
1.17. “Security Incident” means any unauthorized or unlawful breach of security that leads to the accidental or unlawful destruction, loss, or alteration of, or unauthorized disclosure of or access to, Customer Data on systems managed or otherwise controlled by MikroCyberCloud.
1.18. “Standard Contractual Clauses” or “SCCs” means (i) the currently effective standard contractual clauses between controllers and processors adopted by the European Commission in its Implementing Decision (EU) 2021/91 of 4 June 2021 (the “Controller-to-Processor Clauses”); or (ii) the standard contractual clauses between processors adopted by the European Commission in its Implementing Decision (EU) 2021/91 of 4 June 2021 (the “Processor-to-Processor Clauses”); as applicable in accordance with the applicable term(s) herein.
2. DATA PROCESSING
2.1. Scope
The Parties acknowledge and agree to comply with this DPA where and only to the extent of either Party’s processing of Customer Data, which is subject to Data Protection Laws of the European Union (EU), the European Economic Area (EEA), and/or their member states, Switzerland and/or the United Kingdom.
2.2. Role
MikroCyberCloud shall process Customer Data as “Processor” to Customer or any Affiliate of Customer who may act either as “Controller” or “Processor” with respect to Customer Data. Nothing in this DPA shall prevent MikroCyberCloud from using or sharing any data that MikroCyberCloud may otherwise collect and process independently of Customer’s use of the Services.
2.3. Purpose Limitation and Customer Controls
MikroCyberCloud shall process Customer Data in the course of providing the Services in accordance with Customer’s Documented Instructions as outlined in this DPA, as necessary to comply with applicable law, or as otherwise agreed in writing. MikroCyberCloud provides Customer with several controls, including security features and functionalities, to retrieve, correct, delete or restrict Customer Data. Without prejudice to Section 5.1, Customer may use these controls as technical and organizational measures to assist it concerning its obligations under the GDPR and all other applicable Data Protection Laws, including its obligations relating to responding to requests from Data Subjects.
2.4. Prohibited Data
Customer will not provide (or cause to be provided) any Sensitive Data to MikroCyberCloud for processing. MikroCyberCloud will have no liability whatsoever for Sensitive Data, whether in connection with a Security Incident or otherwise, and this DPA does not apply to Sensitive Data.
2.5. Customer Instructions
The Parties agree that the TOS and this DPA, including the provision of instructions via configuration tools such as any MikroCyberCloud control panel, management console, and APIs made available by MikroCyberCloud to provide Services, constitute Customer’s Documented Instructions regarding MikroCyberCloud’s processing of Customer Data (“Documented Instructions”). MikroCyberCloud will process Customer Data only in accordance with Documented Instructions. Additional instructions concerning processing Customer Data outside the scope of the Documented Instructions (if any) require a prior written agreement between Customer and MikroCyberCloud.
2.6. Compliance with Law
2.6.1. MikroCyberCloud shall comply with all laws, rules and regulations applicable to it and binding on it in the performance of this DPA.
2.6.2. Customer shall comply with all applicable laws, including Data Protection Laws, in respect of its processing of Customer Data and any processing instructions it issues to MikroCyberCloud.
2.6.3. Customer agrees that it has provided all notice and has obtained and will continue to obtain all consents and rights necessary under Data Protection Laws for MikroCyberCloud to process Customer Data to provide the Services for the purposes described in the TOS and this DPA. Customer shall have sole responsibility for the accuracy, quality, and legality of Customer Data and how Customer acquired Customer Data. Without prejudice to the generality of the foregoing, Customer agrees that it shall be responsible for complying with all laws (including Data Protection Laws) applicable to any other content created, sent, or managed through MikroCyberCloud, including those relating to obtaining consents (where required) to send emails, the content of the emails and its email deployment practices.
2.7. Processing of Customer Data
MikroCyberCloud shall process Customer Data, on behalf of Customer, submitted by or for Customer or collected and processed by or for Customer in the course of providing the Services, as a Processor only for the following purposes:
2.7.1. To provide the Services and support in accordance with the TOS.
2.7.2. To perform any steps necessary for the performance of the TOS.
2.7.3. To comply with any other reasonable instructions provided by Customer to the extent they are consistent with this DPA, and the TOS, in accordance with the Customer’s Documented Instructions.
2.7.4. Customer Data may be subject to storage and other processing necessary to improve, provide, and maintain the Services provided to Customer.
3. CONFIDENTIALITY OF CUSTOMER DATA
3.1. Confidentiality of Processing
MikroCyberCloud will not access or use, or disclose to any third party, any Customer Data, except, in each case, as necessary to provide the Services, or as necessary, to comply with the law or a valid and binding order of a governmental body (such as a preservation request, warrant, subpoena or court order). If compelled to disclose Customer Data to a government body, MikroCyberCloud will notify Customer unless MikroCyberCloud is legally prohibited from doing so. If the SCCs apply, nothing in this Section varies or modifies the SCCs.
3.2. Obligations of MikroCyberCloud Personnel
MikroCyberCloud restricts its personnel, including staff and Sub-processors, from processing Customer Data without authorization by MikroCyberCloud. MikroCyberCloud shall ensure that any personnel authorized by MikroCyberCloud to process Customer Data (including its employees, agents, and subcontractors) shall be under appropriate obligations, including relevant obligations regarding confidentiality, data protection, and data security (whether a contractual or statutory duty).
4. RIGHT OF USAGE AND DISCLOSURE
Notwithstanding anything to the contrary in the TOS and this DPA, Customer acknowledges that MikroCyberCloud has the right to use and disclose data related to and/or obtained in the course of providing the Services for its legitimate business purposes, such as sales, billing, support, account management, and marketing. MikroCyberCloud shall process such data in compliance with Data Protection Laws to the extent any such data is considered Customer Data under Data Protection Laws.
5. SECURITY OF DATA PROCESSING
5.1. Security Measures
MikroCyberCloud shall implement and maintain adequate technical and organizational security measures to protect Customer Data from Security Incidents and to preserve the security and confidentiality of Customer Data. In assessing the security level, MikroCyberCloud shall consider the risks from a Personal Data breach that Processing presents.
5.2. Updates to Security Measures
Customer acknowledges that the Security Measures are subject to technical progress and development, and that MikroCyberCloud may update or modify the Security Measures from time to time.
5.3. Response to Security Incident
MikroCyberCloud shall promptly take reasonable steps to contain and investigate any Security Incident upon becoming aware of such. MikroCyberCloud’s notification of or response to a Security Incident under this Section shall not be construed as an acknowledgment by MikroCyberCloud of any fault or liability concerning the Security Incident.
5.4. Security Breach Notification
MikroCyberCloud shall notify Customer without undue delay, and where feasible, within forty-eight (48) hours of awareness of a Security Incident or a Personal Data breach affecting Customer’s Personal Data, with timely information related to the Security Incident as it becomes known or as is reasonably requested by Customer, to meet any obligations to report or inform Data Subjects of the Personal Data breach under the Data Protection Laws.
5.5. Customer Responsibility
Customer agrees that, except as provided by this DPA, Customer is responsible for its secure use of the Services, securing Customer Account authentication credentials, protecting the security of Customer Data when in transit to and from the Services, and securely encrypting or backing up any Customer Data uploaded to the Services.
6. SUB-PROCESSING
6.1. Authorized Sub-processors
Customer consents that MikroCyberCloud may engage Sub-processors to carry out Processing activities on Customer Data on behalf of Customer to fulfill contractual obligations or to provide Services on its behalf. The Sub-processors list can be found here.
6.2. Sub-processor Obligations
MikroCyberCloud shall:
6.2.1. Enter into a written agreement with each Sub-processor imposing at least the same level of protection for Customer Data as those in this DPA, to the extent applicable to the nature of the service provided by such Sub-processor; and
6.2.2. Remain responsible for Sub-processor’s compliance with the obligations of this DPA and for any acts or omissions of such Sub-processor that may cause MikroCyberCloud to breach any of its obligations under this DPA.
6.3. Changes to Sub-processors
MikroCyberCloud shall notify Customer with reasonable advance notice if it adds or removes Sub-processors. MikroCyberCloud may update the Sub-processor list and may provide Customer with a mechanism to obtain notice of that update.
6.4. Objection to Sub-processors
Customer may object in writing to MikroCyberCloud of any new Sub-processors on reasonable data protection grounds within five (5) calendar days of receiving such notice following Section 6.3 of this DPA. The Parties shall discuss such concerns in good faith to achieve a commercially reasonable resolution. If no solution can be achieved, either Party may terminate the affected Services per the termination provisions in the TOS without liability to either Party and without prejudice to any fees incurred by Customer prior to termination.
7. DATA SUBJECT RIGHTS
7.1. Data Subject Requests
Taking into account the nature of the Processing, MikroCyberCloud shall, in so far as is possible, at Customer’s expense, provide reasonable cooperation to assist Customer by appropriate technical and organizational measures, to the extent that Customer is unable to independently access the relevant Customer Data within the Services, to respond to any requests from individuals or applicable data protection authorities relating to the processing of Customer Data as per the TOS. In the event that any such request is made to MikroCyberCloud directly, MikroCyberCloud shall not respond to such communication directly without Customer’s prior authorization, except as legally required. If MikroCyberCloud is required to respond to such a request, MikroCyberCloud shall, unless legally prohibited from doing so, where Customer is identified or identifiable from the request, promptly notify Customer and provide Customer with a copy of the request. For the avoidance of doubt, nothing in the Agreement (including this DPA) shall restrict or prevent MikroCyberCloud from responding to any Data Subject or data protection authority requests in relation to personal data for which MikroCyberCloud is a controller.
7.2. Data Protection Impact Assessment
To the extent required under applicable Data Protection Laws, MikroCyberCloud shall, at Customer’s expense, provide all reasonably requested information regarding MikroCyberCloud’s processing of Customer Data to enable Customer to carry out data protection impact assessments or prior consultations with data protection authorities as required by Data Protection Laws.
8. TRANSFER OF PERSONAL DATA
8.1. Processing Locations
Customer agrees that MikroCyberCloud may process, transfer and store Customer Data to and in the United States and anywhere else in the world where MikroCyberCloud, its Affiliates, and/or its Sub-processors maintain data processing operations in accordance with the requirements of Data Protection Laws and this DPA. MikroCyberCloud shall ensure that such Processing complies with the requirements of Data Protection Laws and this DPA to protect Customer Data.
8.2. Transfer Mechanism
Notwithstanding Section 8.1, to the extent that MikroCyberCloud processes or transfers Customer Data from the European Union (EU), the European Economic Area (EEA) and/or their member states, Switzerland and/or the United Kingdom, whether directly or via onward transfer, in or to countries that do not ensure an appropriate level of data protection in respect to applicable Data Protection Laws, MikroCyberCloud shall be deemed to take adequate measures by having aligned its operational policies with the requirements of applicable Data Protection Laws and this DPA to protect Customer Data. Customer hereby authorizes any transfer to, or access to Customer Data from such destinations outside the EU subject to any of these measures having been taken.
9. DATA RETENTION
Upon termination or deactivation of the Services, MikroCyberCloud shall store Customer Data for no longer than 10 years from receipt, subject to an individual’s right to be forgotten at any time, except that this requirement shall not apply to the extent MikroCyberCloud is required by applicable law to retain some or all of Customer Data, or to Customer Data it has archived on back-up systems, which such Customer Data MikroCyberCloud shall securely isolate, protect from any further processing, except to the extent required by applicable law.
10. CONFLICT
In the event of any conflict or inconsistency between this DPA and the TOS, the provisions of the following documents (in order of precedence) shall prevail to the extent of the conflict: this DPA; and then the TOS.
11. INCLUSION
This DPA is a part of and incorporated into the TOS. References to TOS in the TOS shall include this DPA.
12. SUCCESSORS AND ASSIGNEES
No one other than a Party to this DPA, its successors and permitted assignees shall have any right to enforce any of its terms.
13. LIMITATION OF LIABILITY
13.1. Each Party’s and its Affiliates’ liability taken together in the aggregate arising out of or related to this DPA (including the SCCs) shall be subject to the exclusions and limitations of liability set forth in the Agreement.
13.2. Any claims made against MikroCyberCloud or its Affiliates under or in connection with this DPA (including, where applicable, the SCCs) shall be brought solely by Customer.
13.3. In no event shall any Party limit its liability with respect to any individual’s data protection rights under this DPA or otherwise.
14. GOVERNING LAW AND JURISDICTION
This DPA shall be governed by and construed in accordance with the governing law and jurisdiction provisions in the Agreement, unless required otherwise by applicable Data Protection Laws.
15. EFFECTIVE DATE
This DPA is entered into with effect from the earlier date of use of the Services.
16. TERMINATION OF THE DPA
This DPA shall remain in effect for as long as MikroCyberCloud carries out Customer Data processing operations on behalf of Customer or until termination of the Agreement.
17. AMENDMENTS
This DPA may be amended in any respect at any time by MikroCyberCloud upon the posting of the amended DPA on the MikroCyberCloud.com website. Your continued use of the Services will be deemed consent to any such amended DPA. If you do not wish to continue to use the Services as a result of any such amendments, you may provide notice of your wish to terminate your Services to MikroCyberCloud.