Klarity Data Processing Addendum
This Data Processing Addendum (“Addendum”) forms an integral part of Klarity Terms and Conditions, Order for Klarity or other written Klarity agreement (“Agreement”) entered into between Nordcloud or Affiliate of Nordcloud (“Provider”) and the Customer’s entity (“Customer”). Hereinafter, Provider and Customer shall be collectively referred to as the “Parties” and individually a “Party”.
In the event of conflict between the provisions of the Agreement and this Addendum, the provisions of this Addendum shall prevail over the rest of the Agreement.
- Processing and Roles
- This Addendum shall apply when personal data is processed by Provider on behalf of the Customer for the provision of the services (“Services”) in accordance with Agreement. In this context, Provider shall be considered as a data processor to Customer and Customer as a data controller within the meaning of the applicable data protection legislation.
- For the purposes of this Addendum, the applicable data protection legislation shall mean the applicable laws and regulations in respect of processing personal data and data protection, including but not limited to, the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation, “EU GDPR”), and “UK GDPR” as the former forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of the United Kingdom’s European Union (Withdrawal) Act 2018.
- The Parties agree that this Addendum and the Agreement constitute Customer’s documented instructions regarding the Provider’s processing of personal data. Customer is entitled to issue additional documented instructions to the Provider concerning the data processing subject to acceptance by the Provider and payment of additional fees to the Provider for carrying out such instructions. The Customer is responsible for the lawfulness, maintenance and availability of the instructions.
- Responsibilities of the Parties
- Each Party shall comply with all laws, rules and regulations applicable to it and binding on it in the performance of this Addendum, including the EU GDPR.
- The Customer commits to ensuring compliance with the data controller’s obligations under the applicable data protection legislation. If the Customer is a data processor, Customer warrants that its instructions and actions with respect to that personal data, including its appointment of the Provider as another processor, have been authorised by the relevant data controller.
- The Provider will comply with the applicable data protection legislation. The Provider is not responsible for determining the requirements of laws or regulations applicable to Customer’s business, or that Services meet the requirements of any such applicable laws or regulations. As between the parties, the Customer is responsible for the lawfulness of the processing of the personal data. The Customer will not use the Services in a manner that would violate applicable data protection legislation.
- The Provider processes personal data on behalf of the Customer only in accordance with Customer’s documented instructions unless European or national legislation to which the Provider is subject requires other processing of personal data by the Provider, in which case Provider shall notify the Customer before such other processing. The Provider shall not use personal data it processes on Customer’s behalf for any other purpose than the purposes of the Agreement in accordance with this Addendum and the Customer’s instructions.
- The Provider shall implement appropriate technical and organisational measures for ensuring the security of the processing and maintain appropriate documentation of these measures and processing activities. Information on the Provider’s technical and organisational measures shall be provided to the Customer upon a written request by the Customer.
- The Provider commits to ensuring that all the persons processing personal data under the authority and supervision of the Provider have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality, in addition to which such persons shall process personal data only pursuant to this Addendum, the Agreement and the Customer’s instructions.
- The Provider commits to assist the Customer at Customer’s cost to ensure compliance with the provisions on the data subject’s rights and to inform the Customer about the requests received from the data subjects. The Customer shall be responsible for responding to any such request to the extent the information is available to it.
- Taking into account the nature of the processing and the information available to the Provider, the Provider will assist the Customer in complying with Customer’s obligations in respect of data protection impact assessments and prior consultation requests to data protection authorities to the extent they relate to the processing of personal data performed by the Provider in connection with the Services. The Provider shall have the right to charge the Customer for any reasonable costs or expenses incurred by such assistance.
- The Customer provides general authorisation to Provider’s use of sub-processors to process personal data on Customer’s behalf (“Sub-processors”) to provide Services. A list of the current Sub-processors is set out in Annex 1.
- The Provider will be liable for the actions and omissions of the Sub-processors listed in Annex 1 and shall ensure that Sub-processors comply with the responsibilities of the Provider under this Addendum or otherwise comply with data processing obligations substantially equivalent to those set out in this Addendum.
- The Provider will notify the Customer in advance of any intended changes concerning the addition or replacement of Sub-processors. The Customer may object to such changes on reasonable grounds. If the Customer objects to the use of Sub-processors, the Customer shall have the right to terminate the Agreement within fourteen (14) days following the Provider’s notification of intended changes. If the Customer does not terminate the Agreement, the Provider shall be entitled to use the new sub-processors included in the notification. If the Customer terminates the Agreement, the termination period set out in the Agreement shall apply.
- Transfer of Personal Data
- The Customer acknowledges that the Provider may transfer and process personal data anywhere where the Provider, its Affiliates or its Sub-processors maintain data processing operations. The Provider is entitled to transfer personal data outside the European Union or the European Economic Area or the United Kingdom, provided that the Provider commits to ensuring that the Provider itself and its subcontractors transfer personal data in compliance with the applicable data protection legislation, including provisions stipulated in the EU GDPR and the UK GDPR.
- The Parties acknowledge that in cases of transfer of personal data outside the European Union or the European Economic Area, the Provider shall commit to transferring the data to any sub-processor only in accordance with a valid data transfer mechanism as per GDPR’s art. 46, such as, but not limited to the Standard Contractual Clauses (“Standard Contractual Clauses”), in accordance with the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council.
- The Parties acknowledge that in cases of transfer of personal data outside the United Kingdom, the Provider shall commit to transferring the data to any sub-processor only in accordance with a valid data transfer mechanism as per UK GDPR’s art. 46, such as, but not limited to the international data transfer agreement (IDTA) or the UK’s international data transfer addendum to the European Commission’s Standard Contractual Clauses.
- Personal Data Breach
- The Provider will notify Customer without undue delay after becoming aware of a personal data breach with respect to the Services in writing, and take appropriate measures to address the personal data breach.
- Taking into account the nature of processing and the information available to the Provider, the Provider shall assist the Customer in submitting data breach notifications to the supervisory authority and the data subjects.
- The Customer must inform the Provider without undue delay if the Customer becomes aware of a personal data breach which could have an impact on Provider or its processing of personal data. Should the Provider need information in the event of a personal data breach in order to fulfill its obligations under this Addendum and the applicable data protection legislation, the Customer shall provide such information to the Provider without undue delay.
- The Provider shall provide the Customer all information necessary to demonstrate compliance with the obligations concerning the processing of personal data. The Provider shall allow the Customer, either on their own or with a third party (which shall not be a competitor to the Provider), to conduct audits in the presence of the Provider. The Provider shall have the right to determine whether such third party is a competitor to the Provider or not.
- The audit shall be carried out in a manner which does not compromise the business secrets of the Provider, of its sub-processors or of other customers, or the Provider’s undertakings towards other customers. Customer’s auditor shall sign a separate confidentiality undertaking in order to duly protect the Provider’s confidential information.
- The Customer shall notify the Provider in writing at least thirty (30) days in advance, after which the Parties shall mutually agree on the extent and timing of the audit, always conducted during the Service Provider’s normal working hours. The Customer is liable for the audit costs of the third party, otherwise each Party is liable for its part of the audit costs.
- If required to comply with applicable legislation, the Provider may upon Customer’s written request make available an audit report to verify the adequacy of the security measures of its sub-processors. Customer agrees to exercise any right it may have to conduct an audit or inspection, including under the Standard Contractual Clauses, if they apply, by instructing the Provider to make available the audit report as described above.
- Data Deletion
- The Customer is responsible for exporting, before the term of the Agreement expires, any personal data it wishes to retain. If Customer is unable to export personal data, the Provider shall upon Customer’s written request return personal data to the Customer at Customer’s cost. Such a request shall be made prior to expiry of the term of the Agreement.
- On expiry of the term of the Agreement, Customer instructs the Provider to delete all personal data (including existing copies) in accordance with applicable legislation. The Provider and its sub-processors shall comply with this instruction as soon as reasonably practicable, unless otherwise required by applicable law.
- Liability and Term
- Each Party is liable for any administrative fines imposed by the supervisory authority and/or any damages adjudged by the competent court against such Party based on its infringement of the applicable data protection legislation. In other respects, liability for damage and limitation of liability clauses in the Agreement shall be applied.
- This Addendum enters into force on the effective date of the Agreement and remains in force as long as the Provider processes personal data as the Customer’s data processor to provide Services.
Description of personal data processing
- Nature and purpose of the processing: The Provider processes personal data on behalf of the Customer for the purpose of providing Services as set out in the Agreement.
- Categories of data subjects whose personal data is processed:
The following lists the categories of data subjects whose personal data are processed within the Services:
- end-users who are authorised by Customer to use the Services
- contact persons appointed by the Customer which may include employees, agents, contractors, and other professional experts of the Customer
- Categories of personal data processed:
Categories of personal data processed include:
- Data related to customer’s contact persons: name, email address
- Data related to End-users: authentication credentials and IP address
No sensitive personal data or special category data as defined in the GDPR is being processed.
- Duration of the processing: Term of the Agreement plus the reasonable time period from the expiry of the term until deletion of all personal data by Provider and its sub-processors.
- A list of sub-processors:
- Nordcloud Group companies
Nordcloud companies engaged in the delivery of Services that are located within the European Economic Area (EEA) or countries considered by the European Commission to have adequate protection.
|Nordcloud company (affiliate)|Processing location|
|---|---|
|Nordcloud Hosting Sweden AB|Sweden|
|Nordcloud Deutschland GmbH|Germany|
|Nordcloud Ltd.|United Kingdom|
|Nordcloud Sp. z o.o.|Poland|
|Nordcloud Austria GmbH|Austria|
|Nordcloud Switzerland GmbH|Switzerland|
- Third Party Sub-processors
|Sub-processor|Purpose and description of processing|Data location|Safeguards for transfer outside the EU/EEA|
|---|---|---|---|
|Amazon Web Services EMEA SARL|Platform Hosting and Backup|A primary site in Ireland, and a backup site in Germany|EU Standard Contractual Clauses|
|Auth0 Inc.|Identity Management service provider|EU region (Ireland and Germany)|EU Standard Contractual Clauses|
|Datadog, Inc.|Platform monitoring|EU region|EU Standard Contractual Clauses|