Data Processing Addendum (DPA)
This Data Processing Addendum (“DPA”) is incorporated into, and is subject to the terms and conditions of the CloudHand Terms of Service found at cloudhand.co/terms-of-service which you (the “Client”) have accepted, unless the Client has entered into a superseding written subscription agreement with CloudHand, in which case, it forms a part of such written agreement in addition to the Terms of Service (in either case, the “Agreement”).
This Data Processing Addendum (hereinafter “DPA” or “Addendum”) and its applicable DPA Appendices apply to the Processing of Personal Data by the Parties subject to Data Protection Laws in order to provide services (“Services”) pursuant to the Agreement between CloudHand and Client (collectively, the “Parties”).
As part of their contractual relations, the Parties shall undertake to comply with the applicable Data Protection Laws on personal data processing.
1. Definitions
For the purposes of this DPA, the following terms shall have the meanings set forth below:
1.1 Affiliate means any person or entity that owns or controls, is owned or controlled by, or is under common control or ownership with, a party to this Agreement, where “control” is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract, or otherwise.
1.2 Controller has the same meaning as “controller” in GDPR-modeled Data Protection Laws.
1.3 Client means the individual or entity that has entered into the Agreement and agreed to the incorporation of this DPA into the Agreement.
1.4 Client Content means any data, file attachments, text, images, reports, personal information, or other content that is uploaded or submitted to an online Service by Client or users and is Processed by CloudHand on behalf of Client. For the avoidance of doubt, Client Content does not include usage, statistical, learned, or technical information that does not reveal the actual contents of Client Content.
1.5 Client Personal Data has the same meaning as “controller” in GDPR-modeled Data Protection Laws.
1.6 Data Breach means a breach of security resulting in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Client Content.
1.7 Data Protection Laws means, to the extent applicable to a Party, the data protection or privacy laws of any country regarding the Processing of Client Personal Data.
1.8 Data Subject means an identified or identifiable natural person to whom Personal Information relates.
1.9 CloudHand Platform means the CloudHand software-as-a-service solution that allows Clients to seamlessly manage relationships with local and international independent contractors, including the receipt of services from Consultants.
1.10 Europe means, for the purposes of this DPA, the European Union, the European Economic Area and/or their member states, Switzerland, and the United Kingdom.
1.11 Personal Data means any information relating to, identifying, describing, or capable of being associated with a Data Subject or a household.
1.12 Process means any operation or set of operations performed upon Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, alignment, combination, restriction, erasure, destruction or disclosure by transmission, dissemination or otherwise making available.
1.13 Processor has the same meaning as “processor” in GDPR-modeled Data Protection Laws, and includes any party that constitutes a “service provider” within the meaning of the California Consumer Privacy Act (CCPA).
1.14 Professional Services means implementation, configuration, integration, training, advisory, and other professional services related to the online Services that are provided or controlled by CloudHand.
1.15 Services means the services and software provided on CloudHand’s platform, any services, content, communications, and product features relating to the CloudHand platform and as set forth in this DPA and any other online service or application provided or controlled by CloudHand for use with CloudHand’s services.
1.16 CloudHand Personnel means any individual authorized by CloudHand to Process Client Personal Data.
1.17 Restricted Transfer means: (i) where the GDPR applies, a transfer of personal data from the European Economic Area or Switzerland to a country outside of the European Economic Area or Switzerland which is not subject to an adequacy determination by the European Commission; and (ii) where the UK Data Protection Law applies, a transfer of personal data from the United Kingdom to any other country which is not based on adequacy regulations pursuant to Section 17A of the UK Data Protection Law.
1.18 Standard Contractual Clauses means the standard contractual clauses annexed to the European Commission’s Decision (EU) 2021/914 of 4 June 2021 currently found here as may be amended, superseded or replaced.
1.19 Sub-Processor means any Processor engaged by us or our affiliates to assist in fulfilling our obligations with respect to the provision of the Services under the Agreement. Sub-Processors may include third parties or our affiliates but will exclude any CloudHand employee or consultant.
Capitalized terms used in this DPA shall have the same meaning given to them under Data Protection Laws or if not defined thereunder, the GDPR, unless a different meaning is specified herein. With regard to the CCPA, terms used in the applicable provisions of the DPA where the CCPA is the applicable law shall be replaced as follows: “Personal Data” shall mean “Personal Information”; “Controller” shall mean “Business”; “Processor” shall mean “Service Provider”; and “Data Subject” shall mean “Consumer”.
2. Contractual Documents
This Addendum and its Appendices constitute the entire Data Processing Agreement between the Parties. It replaces all previous agreements relating to its object. Any prior agreements between the Parties relating to personal data are not binding on the Parties.
Some of the contractual documents may be amended or enriched during the fulfilment of the Addendum. In any event, these amendments or enrichments must be covered by an amendment signed by the Parties. No modifications may be made to the Addendum and its Appendices without a document signed by both Parties.
3. Duration of the DPA & Notice of Termination
3.1 Term of the DPA: The term of this DPA is coextensive with the term of the Agreement. The termination of this DPA therefore depends on the provisions concerning the duration and the termination of the Agreement. Termination of the Agreement shall also have the effect of terminating this DPA.
3.2 Premature Termination: Furthermore, the premature termination of this DPA upon written notice to the other Party shall be permissible in the event of such other Party’s serious breach of statutory or contractual data protection provisions under the Data Protection Laws, insofar as the contracting Party in question cannot reasonably be expected to continue this DPA.
3.3 Data Protection Obligations: The Parties acknowledge that the termination of the DPA at any time and for any reason does not exempt them from their obligations under the Data Protection Laws relating to the collection, processing, and use of Personal Data.
4. Processing of Personal Data
4.1 Role of the Parties: The Parties agree that CloudHand and Client are each independent Controllers with respect to the processing of such Personal Data under this DPA as described in Appendix 1. The purpose(s) and nature of operations carried out on the Personal Data are the ones as described in the Agreement. To perform the Services covered herein, the Client shall provide CloudHand with all the necessary information. Each party shall comply with the obligations applicable to it under the Data Protection Laws with respect to the processing of Personal Data covered under this DPA.
5. Processors
5.1 Third-Party Processors: Client acknowledges and agrees that CloudHand may engage third-party Processors in connection with the provision of the Services. CloudHand acknowledges and agrees that Client may engage third-party Processors in connection with the receipt of the Services. Both Parties shall have a written agreement with each Processor and agree that any agreement with a Processor shall include substantially the same data protection obligations as set out in this DPA.
5.2 Liability for Processors: Each Party shall be liable for the acts and omissions of its respective Processors to the same extent such Party would be liable under the terms of this DPA, except as otherwise set forth in the Agreement.
5.3 Transfers of Data: Client acknowledges that in the provision of some services, CloudHand, on receipt of instructions from Client, may transfer Personal Data to and otherwise interact with third-party data processors. Client agrees that if and to the extent such transfers occur, Client is responsible for entering into separate contractual arrangements with such third-party data processors binding them to comply with obligations in accordance with the Data Protection Laws.
6. Technical and Organizational Measures
6.1 Security Measures: CloudHand shall take suitable technical and organizational measures appropriate to the risk to ensure the protection of the security, confidentiality, and integrity of Personal Data it processes under this DPA. CloudHand guarantees that it has carried out the technical and organizational measures specified in Appendix 2 to this DPA.
6.2 Continuous Improvement: The technical and organizational measures are subject to the current state of technology and technical progress. CloudHand is permitted to implement adequate alternative measures, provided that these measures do not provide a lower level of security for Client data than the measures stipulated in Appendix 2.
7. Sub-Processors
7.1 Engagement of Sub-Processors: Client agrees that CloudHand may engage Sub-Processors to process Personal Data on its behalf. CloudHand has currently appointed, as Sub-Processors, the third parties listed in Appendix 3 to this DPA. CloudHand will notify Client if CloudHand adds or replaces any Sub-Processors listed in Appendix 3 at least 30 days prior to any such changes.
7.2 Data Protection Terms for Sub-Processors: Where CloudHand engages Sub-Processors, CloudHand will impose data protection terms on the Sub-Processors that provide at least the same level of protection for Personal Data as those in this DPA (including, where appropriate, the Standard Contractual Clauses), to the extent applicable to the nature of the services provided by such Sub-Processors. CloudHand will remain responsible for each Sub-Processor’s compliance with the obligations of this DPA and for any acts or omissions of such Sub-Processor that cause CloudHand to breach any of its obligations under this DPA.
8. Cross-Border Transfers of Personal Information
8.1 Adequate Protection for Cross-Border Transfers: CloudHand shall, at all times, provide an adequate level of protection for the Personal Information, wherever processed, in accordance with the requirements of the applicable Data Protection Law.
8.2 Transfers Outside of the EEA/UK: If Personal Information originates from the UK, EEA, or Switzerland and is transferred by Client to CloudHand for processing in a country not subject to an adequacy decision in accordance with the GDPR (“UK/EEA/Switzerland Data Transfer”), the Parties will conduct such UK/EEA/Switzerland Data Transfer in accordance with all applicable laws.
9. Variations in Data Protection Laws
9.1 Notification of Changes: If any variation is required to this DPA as a result of a change in or subsequently applicable Data Protection Law, either Party may provide written notice to the other Party of that change in law. The Parties will then discuss and negotiate in good faith any variations to this DPA necessary to address such changes.
10. Final Provisions
10.1 Amendments: This DPA may only be amended by a written agreement executed by both parties.
10.2 Severability: If any provision of this DPA is held to be invalid or unenforceable by a court of competent jurisdiction, the remainder of the DPA shall remain in full force and effect.
10.3 Governing Law: This DPA shall be governed by the laws of the United Kingdom. Any disputes arising from or related to this DPA shall be subject to the exclusive jurisdiction of the courts in the United Kingdom.
Appendix 1: Details of Processing
- Categories of Data Subjects: [e.g., employees, contractors, clients, suppliers]
- Categories of Personal Data: [e.g., contact details, identity verification data, communication records, transaction history]
- Purpose of Processing: [e.g., to provide HR, payroll, and compliance services to the Client]
- Duration of Processing: [e.g., duration of the Agreement or as required by law]
Appendix 2: Technical and Organizational Measures
- Access Control: Measures to prevent unauthorized access to data processing equipment.
- Encryption: Encryption of data during transmission and storage.
- Incident Response: Measures to detect and respond to security incidents.
- Backups: Regular data backups for disaster recovery.