Cloudnine Realtime Professional Services – Terms and Conditionals
The following Terms and Conditions govern all “Professional Services” provided by RTB Global, Inc. d/b/a Cloudnine Realtime (hereinafter referred to as “Cloudnine”) or through its affiliates identified in any Service Order or Statement of Work.
- Deliverables– The project deliverables for Professional Services will be identified on an ‘As-Need’ basis, recorded on a Statement of Work (“SOW”) or in a Service Order Form, including an estimate of hours to complete the project, and approved by the Client prior to work commencing. To the extent a SOW is used, such SOW shall be incorporated by reference into these Terms and Conditions and governed by the same terms as set forth below. Upon completion of the work set forth in any SOW, Cloudnine will deliver a document via e-mail entitled “End of Project,” which will signify that Cloudnine has completed the work set forth in the SOW and that no further work will be performed by Cloudnine without Client executing a new SOW. Cloudnine’s Professional Service Department’s hours are Monday through Friday, 6:00 a.m. to 5:00 p.m. (PST) (excepting certain holidays). Cloudnine will make its best efforts to respond to all calls or e-mails to Professional Services by the next business day.
- Confidential Information– To the extent that the completion of the Professional Services set forth in an executed SOW requires Cloudnine to access Client’s data, Cloudnine acknowledges that Client’s data shall be treated as confidential information. Client hereby authorizes Cloudnine to access Client’s data only as reasonably necessary to complete the Professional Services set forth in the particular SOW. To the extent that Client delivers a copy of Client’s data to Cloudnine, Cloudnine will only maintain that copy for purposes of completing a particular project, after which point Cloudnine will destroy all copies of Client’s data that it had in its possession. Cloudnine further warrants that it will maintain the confidential nature of Client’s data and will not disclose the data or its contents to third parties without the Client’s express written consent.
- Data Transfer, Migration, Importation, Copying or Manipulation– Where an SOW calls for data transfer, migration, importation, copying or manipulation, errors and omissions, or other factors which may result in data being over-inclusive, under-inclusive, or incomplete. To the extent Client provides Cloudnine with data for the purposes of transferring, migrating, importation, copying or manipulating, Client herby confirms that it has the legal right to provide the data to Cloudnine, and expressly authorizes Cloudnine to perform such tasks. Client further acknowledges that if a dispute arises over whether Client has the legal right to possess or control the data prior to Cloudnine performing the transfer, migration, importation, copying or manipulation, Cloudnine will not perform such tasks absent written authorization from the party originally disputing Client’s right to the data or a court order.).
- Modification/Customization– To the extent Cloudnine performs for Client any modifications, special features and/or customization to Client’s Cloudnine environment or related applications, Cloudnine shall retain all intellectual property rights to such modifications, special features and/or customization. Client will only receive a non-exclusive, limited and non-transferable license to use the modifications, special features and customizations during the term of Client’s current Subscription, and contingent upon Client timely paying all fees due for such Subscription. Cloudnine shall provide Client with a 30-Day Warranty on any modification, special feature or customization following the delivery of the modification, special feature or customization to Client. After the 30-Day Warranty has expired, Professional Services can be retained on an hourly basis to assist with this assessment or analysis. Any such services shall be governed by a separate SOW.
- Training– To the extent Client uses Professional Service hours for training, unless expressly stated in an SOW or in a Service Order Form, all training will be provided remotely (i.e., not an onsite visit to Client’s location). Client acknowledges that if Client fails to attend a scheduled training session without providing Cloudnine with notice at least 24 hours prior to the scheduled training session, Cloudnine will charge Client the equivalent of one hour of Professional Services time. If such an event occurs and Client does not have any Professional Service hours in its account, Client’s credit card or ACH on file with Cloudnine will be charged $197. Client acknowledges that in certain instances, in order to facilitate training on Client’s actual data, Client’s data may be stored in Microsoft Azure (which Client may be charged for).
- Payment for Services– Cloudnine will charge Client for the Professional Services contemplated in an executed SOW at a rate of $197 per hour. Client shall have an option to purchase Professional Service hours by the block at a discounted price based on the rate set forth in a Service Order or SOW executed by Client. The amount of Pre-Paid blocks of Professional Services hours purchased by Client shall not be deemed as estimate of the hours necessary to complete any Professional Services task or project. Cloudnine will not start work on those Professional Services until it has received written approval from Client for the amount of estimated allocated hours to complete the Professional Services, and either payment for the total amount of hours approved or approval to execute against the Pre-Paid block of Professional Service hours which Client may have on the books. Optionally, Client may request Cloudnine to bill for services rendered against the approved SOW, in which case, Cloudnine shall issue a progress billing invoice on a weekly basis, which shall be due upon receipt. Cloudnine may be required to charge sales tax on any and all charges for Professional Services. Any such taxes will be in addition to the amounts charged for such services. To the extent that any foreign government imposes a tax, tariff or similar charge on Cloudnine arising out of Client’s purchase of Professional Services hours, Client agrees Client will be solely responsible for paying such fees. Cloudnine will not continue to work on a Professional Service project until the last progress bill payment has been processed and posted to the account. Client understands that the estimate to complete the services set forth in the SOW is only an estimate, and it may require more hours to complete the services. To the extent that additional hours are required to complete the work, Cloudnine will provide a change order request to be approved by Client and Client agrees to pay the additional hours estimated to complete the services set in the change order. Where Client has available hours in Client’s Professional Services Account, the additional hours needed to complete the services will be debited from Client’s Professional Services Account. Where Client does not have sufficient hours available in Client’s Professional Services Account to cover all of the hours needed to complete the services Cloudnine will invoice Client for the additional hours that have not been paid and Client agrees to make payment upon receipt of the invoice. To the extent that it takes Cloudnine less than the estimated allocated hours to complete the services set forth in the SOW or Client wishes to cancel the services or Project, the remaining hours purchased that were not expended by Cloudnine in an effort to complete the services contemplated by the SOW will be credited back to Client’s Professional Services Account for future use. Client hereby acknowledges that all Professional Service hours purchased by Client shall expire on the year anniversary of when those particular hours were purchased. Client further acknowledges that to the extent Cloudnine is required to travel to complete the professional services contemplated in a SOW, Client shall be responsible for paying Cloudnine’s reasonable expenses associated with such travel (including but not limited to travel expenses). Any fees due under these Terms and Conditions that are greater than 15 days past due shall bear interest at the rate of one and one-half percent per month.
- Limitation of Liability– IN NO EVENT SHALL CLOUDNINE OR ANY OF ITS AFFILIATES BE LIABLE TO CLIENT FOR ANY INDIRECT, INCIDENTAL, CONSEQUENTIAL, SPECIAL, EXEMPLARY, OR PUNITIVE DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF BUSINESS PROFITS, LOSS OF BUSINESS OPPORTUNITY, BUSINESS INTERRUPTION, LOSS OF GOOD WILL, DAMAGE TO BUSINESS REPUTATION, LOSS OF BUSINESS INFORMATION, WORK STOPPAGE, LOSS OF DATA, COMPUTER FAILURE OR MALFUNCTION, OR OTHER SUCH PECUNIARY LOSS), WHETHER UNDER A THEORY OF CONTRACT, WARRANTY, TORT, OR OTHERWISE, EVEN IF CLOUDNINE HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. IN NO EVENT WILL CLOUDNINE OR ITS AFFILIATES’ TOTAL AGGREGATE AND CUMULATIVE LIABILITY TO CLIENT FOR ANY AND ALL CLAIMS OF ANY KIND ARISING AS A RESULT OF OR RELATED TO THE PROFESSIONAL SERVICES PERFORMED BY CLOUDNINE OR ITS AFFILIATES, OR TO ANY ACT OR OMISSION OF CLOUDNINE, EXCEED THE AMOUNT ACTUALLY PAID BY CLIENT TO CLOUDNINE FOR THE PROFESSIONAL SERVICES AT ISSUE. THE FOREGOING LIMITATIONS WILL APPLY EVEN IF THE ABOVE STATED REMEDY FAILS OF ITS ESSENTIAL PURPOSE. CLIENT ACKNOWLEDGES THAT THIS PROVISION REFLECTS THE AGREED UPON ALLOCATION OF RISK FOR CLOUDNINE TO PROVIDE THE PROFESSIONAL SERVICES AND THAT CLOUDNINE WOULD NOT ENTER INTO THIS AGREEMENT WITHOUT THESE LIMITATIONS ON ITS LIABILITY.
- Warranty– Due to numerous factors, including but not limited to the rapid changes in technology, Cloudnine cannot guarantee that the deliverables identified in a SOW will be completed precisely as originally contemplated or at all. Cloudnine does warrants that it will use its best efforts to complete the work contemplated in a SOW and that such work be performed in a professional manner. THIS WARRANTY IS EXCLUSIVE AND IS IN LIEU OF ALL OTHER WARRANTIES, WHETHER EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION ANY WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE AND ANY ORAL OR WRITTEN REPRESENTATIONS, PROPOSALS OR STATEMENTS MADE ON OR PRIOR TO THE EFFECTIVE DATE OF ANY AGREEMENT BETWEEN CLIENT AND CLOUDNINE.
- Indemnification– Client shall fully indemnify, hold harmless and defend (collectively “indemnify” and “indemnification”) Cloudnine and its directors, officers, employees, agents, stock holders, subsidiaries and affiliates (collectively, “Indemnified Parties) from and against all claims demands, actions, suits, damages, liabilities, losses, settlements, judgments, costs and expenses (including but not limited to reasonable attorney’s fees and costs), whether or not involving a third party claim, which arises out of or relate to (1) any breach of any representation or warranty of Client contained in these Terms and Conditions, and (2) any breach or violation of any covenant or other obligation or duty of Client under these Terms and Conditions or under applicable law, in each case whether or not caused by the negligence of Cloudnine or any other Indemnified Party and whether or not the relevant claim has merit.
- Severability– If any part or parts of these Terms and Conditions, or corresponding Service Order or SOW executed by Client or any future modifications are held invalid by a court of competent jurisdiction, the remaining parts of these Terms and Conditions, or corresponding Service Order or SOW executed by Client or modifications will continue to be valid and enforceable.
- Waiver– The waiver by either party of a breach or default in any of the provisions of Terms and Conditions, or corresponding Service Order or SOW executed by Client or any future modifications shall not be construed as a waiver of any succeeding breach of the same or other provisions; nor shall any delay or omission on the part of either party to exercise or avail itself of any right, power or privilege that is has or may have hereunder operate as a waiver of any breach or default by the other party.
- Integration– These Terms and Conditions and the corresponding Statement of Work affirmatively accepted by Client (which are incorporated by reference) set forth the entire agreement relating to the subject matter hereof and supersedes all prior agreements, discussions and understandings between them, whether oral or written, relating to the subject matter hereof.
- Governing Law– These Terms and Conditions or SOW executed by Client shall be construed under the laws of the State of California regardless of conflict of law provisions. Client and Cloudnine irrevocably consent to the exclusive jurisdiction and venue of the state or federal courts in San Diego County, California for all disputes arising out of or relating to these Terms and Conditions and/or corresponding Service Order, or SOW executed by Client, or the services contemplated therein. Neither party will bring a legal action arising out of or related to these Terms and Conditions and/or corresponding SOW executed by Client, or the services contemplated therein, more than two years after the cause of action arose. Client and Cloudnine further agree that as a condition precedent to instituting any legal action, the parties must participate in a non-binding mediation in San Diego, California before a neutral from JAMS, with the parties equally splitting the costs of that mediation. If the parties cannot agree on a JAMS neutral, the neutral shall be selected by JAMS at its sole discretion. The mediation process shall be initiated by the aggrieved party submitting the case for mediation to JAMS directly, after providing the other party with notice of its intent to institute mediation.
- Prevailing Party– In the event of any litigation arising out of or related to these Terms and Conditions and/or corresponding SOW affirmatively accepted by Client, the prevailing party shall be entitled to recover from the non-prevailing party all costs and expenses associated with such proceedings, including reasonable attorney’s fees. For purposes of this provision, if a matter is filed in any venue other than the state or federal courts in San Diego County, California and the matter is dismissed for improper venue, the party that did not file the action shall be deemed the prevailing party in that action.
- Data Processing Addendum – The Data Processing Addendum set forth below is expressly incorporated into these Terms and Conditions by reference.
DATA PROCESSING ADDENDUM
Scope, Order of Precedence and Term
This Data Processing Addendum shall be incorporated into the Cloudnine Realtime Professional Services – Terms & Conditions.
- Except as expressly stated otherwise in this Data Processing Addendum, in the event of any conflict between the terms set forth in the Cloudnine Realtime Terms & Conditions, including any policies or schedules referenced therein, and the terms of this Data Processing Addendum, the relevant terms of this Data Processing Addendum shall take precedence.
- “Cloudnine” means RTB Global Inc. d/b/a Cloudnine Realtime, together with the Cloudnine Affiliates.
- “Affiliate,” or “Affiliates” means any entity which is controlled by, controls or is in common control with Cloudnine, which includes Abacus Data Systems, Inc.
- “Applicable Data Protection Law” means (i) Directive 95/46/EC of October 24, 1995, as amended, on the protection of individuals with regard to the Processing of Personal Data and on the free movement of such data (‘Directive’) until such time that it is replaced by GDPR, applicable as of May 25, 2018; (ii) the GDPR; and (iii) any other data privacy or data protection law or regulation that applies to the Processing of Personal Data under the Cloudnine Realtime Terms & Conditions.
- “Data Controller” means the entity which determines the purposes and means of the Processing of Personal Data.
- “Data Processor” means the entity which Processes Personal Data on behalf of the Data Controller.
- “Data Subject” “means the individual to whom Personal Data relates (not a business or other entity).
- “GDPR” means the General Data Protection Regulation (EU 2016/679) and/or any legislation which preserves or replaces it following the United Kingdom’s exit from the European Union. To the extent that any legislation preserves or replaces the GDPR following the United Kingdom’s exit from the European Union, references to the GDPR shall be interpreted as references to the nearest equivalent provision(s) of such new legislation.
- “Personal Data” means any information that Cloudnine may Process on Customer’s behalf in connection with the products or services provided to Customer by Cloudnine relating to a Data Subject who can be identified, such as by a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that Data Subject. A Data Subject can also be directly or indirectly identified by a person’s online identifiers such as internet protocol addresses and cookie identifiers which monitor the person’s online behavior.
- “Processing,” “Process,” “Processes” and “Processed” mean any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structure, storage (including archiving), adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.
- “Supervisory Authority” means an independent public authority which is established by an EU Member State.
- “Third Party Sub-processor” means a third-party subcontractor, other than an Affiliate, engaged by Cloudnine and which may Process Personal Data as set forth in Section 8.
- “Customer” means the customer (sole proprietorship or entity) that has affirmatively accepted the Cloudnine Realtime Terms & Conditions.
- Controller and Processor of Personal Data and Purpose of Processing
- Customer is and will at all times remain the Controller of the Personal Data Processed by Cloudnine. Customer is responsible for compliance with Customer’s obligations as a Controller under Applicable Data Protection Law, in particular for justification of any transmission of Personal Data to Cloudnine (including providing any required notices and obtaining any required consents and/or authorizations, or otherwise securing an appropriate legal basis under Applicable Data Protection Law), and for Customer’s decisions and actions concerning the Processing of such Personal Data.
- Where Cloudnine Processes Personal Data, Cloudnine is and will at all times remain a Processor with regard to the Personal Data provided by Customer to Cloudnine. Cloudnine is responsible for compliance with its obligations as a Processor under Applicable Data Protections Law. Not all products or services governed by the Cloudnine Realtime Terms & Conditions necessarily require Cloudnine to Process Personal Data.
- Cloudnine and any persons acting under the authority of Abacus, including any Cloudnine Affiliates and Third-Party Sub-processors as set forth in Section 8 will Process Personal Data solely for the purpose of (i) providing the Service, (ii) complying with Customer’s documented written instructions in accordance with Section 5, or (iii) complying with Cloudnine’s regulatory obligations in accordance with Section 13.
- As the Data Controller, Customer warrants, represents and undertakes to Cloudnine that Customer has lawful grounds for the processing of Personal Data.
- Categories of Personal Data and Data Subjects
- In order to provide Customer with the services contemplated by the Cloudnine Realtime Terms & Conditions, Cloudnine may Process some or all of the following categories of Personal Data: personal contact information such as name, home address, home telephone or mobile number, fax number, email address, and passwords; information concerning family, lifestyle and social circumstances including age, date of birth, marital status, number of children and name(s) of spouse and/or children; employment details including employer name, job title and function, employment history, salary and other benefits, job performance and other capabilities, education/qualification, identification numbers, social security details and business contact details; financial details; goods and services provided; unique IDs collected from mobile devices, network carriers or data providers, IP addresses, and online behavior and interest data.
- Categories of Data Subjects whose Personal Data may be Processed in order to perform any obligations under the Cloudnine Realtime Terms & Conditions or otherwise providing the Service may include, among others, Customer’s representatives and end users, such as Customer’s employees, job applicants, contractors, collaborators, partners, suppliers, customers and clients.
- Content provided to Cloudnine by Customer may not include any sensitive or special personal data that imposes specific data security or data protection obligations on Cloudnine in addition to or different from those specified in the Cloudnine Realtime Terms & Conditions.
- Processing of Personal Data
- Cloudnine will Process Personal Data on Customer’s written instructions as specified in the Cloudnine Realtime Terms & Conditions and this Data Processing Addendum, including instructions regarding data transfers as set forth in Section 7.
- Customer may provide additional instructions in writing to Cloudnine with regard to Processing of Personal Data in accordance with Applicable Data Protection Law. Cloudnine will comply with all such instructions to the extent necessary for Cloudnine to (i) comply with its Processor obligations under Applicable Data Protection Law; or (ii) assist Customer to comply with Customer’s Controller obligations under Applicable Data Protection Law relevant to Customer’s use of the Service, including assistance with notifying Personal Data breaches as set forth in Section 11, Data Subject requests as set forth in Section 6, and Data Protection Impact Assessments (DPIAs).
- To the extent required by Applicable Data Protection Law, Cloudnine will immediately inform Customer if, in its opinion, Customer’s instruction infringes Applicable Data Protection Law. Customer acknowledges and agrees that Cloudnine is not responsible for performing legal research and/or for providing legal advice to Customer.
- Without prejudice to Cloudnine’s obligations under Section 5, the parties will negotiate in good faith with respect to any charges or fees that may be incurred by Cloudnine to comply with instructions with regard to the Processing of Personal Data that require the use of resources different from or in addition to those Cloudnine is required to perform pursuant to the Cloudnine Realtime Terms & Conditions.
- Rights of Data Subjects
- Cloudnine will grant Customer electronic access to the ASP Application to enable Customer to respond to requests from Data Subjects to exercise their rights under Applicable Data Protection Law, including requests to access, delete or erase, restrict, rectify, receive and transmit, block access to or object to Processing of specific Personal Data or sets of Personal Data.
- To the extent such electronic access is not available to Customer, Customer can submit a “service request” to email@example.com, and provide detailed written instructions to Abacus, including the Personal Data necessary to identify the Data Subject, on how to assist with such Data Subject requests in relation to Personal Data stored in an applicable cloud environment that holds Personal Data related to the Service. If applicable, the parties will negotiate in good faith with respect to any charges or fees that may be incurred by Cloudnine to comply with instructions that require the use of resources different from or in addition to those Cloudnine is required to perform in connection with the Service.
- If Cloudnine directly receives any Data Subject requests regarding Personal Data, it will promptly pass on such requests to Customer without responding to the Data Subject if the Data Subject identifies Customer as the Data Controller. If the Data Subject does not identify Customer, Cloudnine will instruct the Data Subject to contact the entity responsible for collecting their Personal Data.
- Personal Data Transfers
- Cloudnine may access and Process Personal Data on a global basis as necessary to perform any duties or obligations Cloudnine is required to perform pursuant to the Cloudnine Realtime Terms & Conditions, including for IT security purposes, maintenance and performance of underlying infrastructure, technical support and change management.
- To the extent such global access involves a transfer of Personal Data originating from the European Economic Area (“EEA”) or Switzerland to Cloudnine Affiliates or Third-Party Sub-processors located in countries outside the EEA or Switzerland that have not received a binding adequacy decision by the European Commission or by a competent national EEA data protection authority, such transfers are subject to EU-U.S. Privacy Shield Framework and Swiss-U.S. Privacy Shield Framework.
- Cloudnine Affiliates and Third-Party Sub-processors
- Subject to the terms and restrictions specified in Sections 3 and 7, Customer agrees that Cloudnine may engage Cloudnine Affiliates and Third-Party Sub-processors to assist in the performance of any duties or obligations Cloudnine is required to perform pursuant to the Cloudnine Realtime Terms & Conditions.
- Within fourteen (14) calendar days of Cloudnine providing such notice to Customer, Customer may object to the intended involvement of a Third Party Sub-processor or Cloudnine Affiliate in the performance of any duties or obligations Cloudnine is required to perform pursuant to the Cloudnine Realtime Terms & Conditions, providing objective justifiable grounds related to the ability of such Third Party Sub-processor or Cloudnine Affiliate to adequately protect Personal Data in accordance with Applicable Data Protection Law in writing by submitting a “service request” via Cloudnine Support, or other applicable primary support tool provided for the Services. In the event Customer’s objection is justified, Customer and Cloudnine will work together in good faith to find a mutually acceptable resolution to address such objection, including but not limited to reviewing additional documentation supporting the Third Party Sub-processors’ or Cloudnine Affiliate’s compliance with this Data Processing Addendum and Applicable Data Protection Law, or the performance of any duties or obligations Cloudnine is required to perform pursuant the Cloudnine Realtime Terms & Conditions without the involvement of such Third Party Sub-processor. To the extent Customer and Cloudnine do not reach a mutually acceptable resolution within a reasonable timeframe, Customer shall have the right to terminate the relevant agreement for products or services (i) upon serving prior notice in accordance with the Cloudnine Realtime Terms & Conditions; and (ii) without relieving Customer from Customer’s payment obligations under the Cloudnine Realtime Terms & Conditions.
- The Cloudnine Affiliates and Third-Party Sub-processors are required to abide by the same level of data protection and security as Cloudnine under this Data Processing Addendum as applicable to their Processing of Personal Data. Customer may request that Cloudnine audit a Third-Party Sub-processor or provide confirmation that such an audit has occurred (or, where available, obtain or assist Customer in obtaining a third-party audit report concerning the Third-Party Sub-processor’s operations) to verify compliance with such obligations. Customer will also be entitled, upon written request, to receive copies of the relevant privacy and security terms of Cloudnine’s agreement with any Third-Party Sub-processors and Cloudnine Affiliates that may Process Personal Data.
- Cloudnine remains responsible at all times for the performance of the Cloudnine Affiliates’ and Third-Party Sub-processors’ obligations in compliance with the terms of this Data Processing Addendum and Applicable Data Protection Law.
- Technical and Organizational Measures, and Confidentiality of Processing
- Cloudnine has implemented and will maintain appropriate technical and organizational security measures for the Processing of Personal Data. These measures take into account the nature, scope and purposes of Processing as specified in this Data Processing Addendum, and are intended to protect Personal Data against the risks inherent to the Processing of Personal Data in the performance of any duties or obligations Cloudnine is required to perform pursuant to the Cloudnine Realtime Terms & Conditions, in particular risks from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored or otherwise Processed.
- In particular, Cloudnine has implemented the physical access, system access, data access, transmission and encryption, input, data backup, data segregation and security oversight, enforcement and other security controls and measures specified in the Cloudnine Realtime Terms & Conditions. Customer is advised to carefully review the Cloudnine Realtime Terms & Conditions to understand which specific security measures and practices apply to the particular products or services ordered by Customer, and to ensure that these measures and practices are appropriate for the Processing of Personal Data pursuant to this Data Processing Addendum.
- All Cloudnine and Cloudnine Affiliate staff, as well as any Third-Party Sub-processors that may have access to Personal Data are subject to appropriate confidentiality arrangements.
- Audit Rights and Cooperation with Customer and Customer’s Supervisory Authorities
- Customer may audit Cloudnine’s compliance with its obligations under this Data Processing Addendum up to once per year. In addition, to the extent required by Applicable Data Protection Law, including where mandated by Customer’s Supervisory Authority, Customer or Customer’s Supervisory Authority may perform more frequent audits. Cloudnine will contribute to such audits by providing Customer or Customer’s Supervisory Authority with the information and assistance reasonably necessary to conduct the audit, including any relevant records of Processing activities applicable to the products or services ordered by Customer.
- If a third party is to conduct the audit, the third party must be mutually agreed to by Customer and Cloudnine (except if such Third Party is a competent Supervisory Authority). Cloudnine will not unreasonably withhold its consent to a third-party auditor requested by Customer. The third-party must execute a written confidentiality agreement acceptable to Cloudnine or otherwise be bound by a statutory confidentiality obligation before conducting the audit.
- To request an audit, Customer must submit a detailed proposed audit plan to Cloudnine at least two weeks in advance of the proposed audit date. The proposed audit plan must describe the proposed scope, duration, and start date of the audit. Cloudnine will review the proposed audit plan and provide Customer with any concerns or questions (for example, any request for information that could compromise Cloudnine security, privacy, employment or other relevant policies). Cloudnine will work cooperatively with Customer to agree on a final audit plan.
- If the requested audit scope is addressed in a SSAE 16/ISAE 3402 Type 2, ISO, NIST, PCI DSS, HIPAA or similar audit report issued by a qualified third-party auditor within the prior twelve months and Cloudnine provides such report to Customer confirming there are no known material changes in the controls audited, Customer agrees to accept the findings presented in the third-party audit report in lieu of requesting an audit of the same controls covered by the report.
- The audit must be conducted during regular business hours at the applicable facility, subject to the agreed final audit plan and Cloudnine’s health and safety or other relevant policies and may not unreasonably interfere with Cloudnine business activities.
- Customer will provide Cloudnine any audit reports generated in connection with any audit under this Section 10, unless prohibited by Applicable Data Protection Law or otherwise instructed by a Supervisory Authority. Customer may use the audit reports only for the purposes of meeting Customer’s regulatory audit requirements and/or confirming compliance with the requirements of this Data Processing Addendum. The audit reports shall be and shall remain the Confidential Information of the parties.
- All audits are at Customer’s expense. The parties will negotiate in good faith with respect to any charges or fees that may be incurred by Cloudnine to provide assistance with an audit that requires the use of resources different from or in addition to any duties or obligations Cloudnine is required to perform pursuant to the Cloudnine Realtime Terms & Conditions.
- Incident Management and Personal Data Breach Notification
- Cloudnine promptly evaluates and responds to incidents that create suspicion of or indicate unauthorized access to or Processing of Personal Data (“Incident”). All Cloudnine and Cloudnine Affiliates’ staff that have access to or Process Personal Data are instructed on responding to Incidents, including prompt internal reporting, escalation procedures, and chain of custody practices to secure relevant evidence. Cloudnine’s agreements with Third Party Sub-processors contain similar Incident reporting obligations.
- In order to address an Incident, Cloudnine defines escalation paths and response teams involving internal functions such as Information Security and Legal. The goal of Cloudnine’s Incident response will be to restore the confidentiality, integrity, and availability of any applicable cloud environment and the Personal Data that may be contained therein, and to establish root cause(s) and remediation steps. Depending on the nature and scope of the Incident, Cloudnine may also involve and work with Customer and outside law enforcement to respond to the Incident.
- To the extent Cloudnine becomes aware and determines that an Incident qualifies as a breach of security leading to the misappropriation or accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed on Cloudnine systems or the applicable cloud environment that compromises the security, confidentiality or integrity of such Personal Data (“Personal Data Breach”), Cloudnine will inform Customer of such Personal Data Breach without undue delay but at the latest within 72 hours.
- Cloudnine will take reasonable measures designed to identify the root cause(s) of the Personal Data Breach, mitigate any possible adverse effects and prevent a recurrence. As information regarding the Personal Data Breach is collected or otherwise reasonably becomes available to Cloudnine and to the extent permitted by law, Cloudnine will provide Customer with (i) a description of the nature and reasonably anticipated consequences of the Personal Data Breach; (ii) the measures taken to mitigate any possible adverse effects and prevent a recurrence; (iii) where possible, the categories of Personal Data and Data Subjects including an approximate number of Personal Data records and Data Subjects that were the subject of the Personal Data Breach; and (iv) other information concerning the Personal Data Breach reasonably known or available to Cloudnine that Customer may be required to disclose to a Supervisory Authority or affected Data Subject(s).
- Unless otherwise required under Applicable Data Protection Law, the parties agree to coordinate in good faith on developing the content of any related public statements or any required notices for the affected Data Subjects and/or notices to the relevant Supervisory Authorities.
- Return and Deletion of Personal Data
Following termination of Cloudnine’s obligations to provide the Services, Cloudnine will return or otherwise make available for retrieval Customer’s Personal Data, unless otherwise expressly stated in the Cloudnine Realtime Terms & Conditions.
- Upon termination of Cloudnine’s duty to provide the Service or upon expiry of the retrieval period following termination of the Term (if available), Cloudnine will promptly delete all copies of Personal Data from Cloudnine’s systems by rendering such Personal Data unrecoverable, except as may be required by law.
- Legally Required Disclosure Requests
- If Cloudnine receives any subpoena, judicial, administrative or arbitral order of an executive or administrative agency, regulatory agency, or other governmental authority which relates to the Processing of Personal Data (“Disclosure Request”), it will promptly pass on such Disclosure Request to Customer without responding to it, unless otherwise required by applicable law (including to provide an acknowledgement of receipt to the authority that made the Disclosure Request).
- At Customer’s request, Cloudnine will provide Customer with reasonable information in its possession that may be responsive to the Disclosure Request and any assistance reasonably required for Customer to respond to the Disclosure Request in a timely manner.
- If Customer have any questions or concerns regarding the terms and conditions set forth in this Data Processing Addendum, Customer may write to us at firstname.lastname@example.org by mail to:
Attn: Sr. Cyber Security & Compliance Engineer
4850 Eastgate Mall
San Diego, CA 92121
- If Customer have any questions or concerns regarding the terms and conditions set forth in this Data Processing Addendum, Customer may write to us at email@example.com by mail to: