1. Parties
- This Personal Data Processing Agreement ("Agreement") is entered into between Customer and Civo Limited ("Processor") (collectively referred to as the "Parties").
- This Personal Data Processing Agreement forms an integral part of the contract for the provision of Civo's services and governs instances when Civo processes Personal Data on the Customer's behalf as a Data Processor within the meaning of the GDPR (UK/EU).
2. Background
- Customer has engaged Processor to provide certain services ("Services") through Civo.com that may involve the processing of personal data ("Personal Data") subject to the General Data Protection Regulation 2016/679 (UK/EU GDPR).
- The Parties enter into this Agreement to comply with the GDPR's requirements governing the processing of Personal Data and to ensure that Personal Data is processed by Processor only in accordance with Customer's instructions.
- This Personal Data Processing Agreement ("Agreement") sets out the terms, requirements and conditions on which the Processor will process Personal Data when providing the Services to the Customer. This Agreement contains the mandatory clauses required by Article 28(3) of the General Data Protection Regulation 2016/679 (UK/EU GDPR) for contracts between controllers and processors.
Agreed Terms
3. Definitions And Interpretation
The following definitions and rules of interpretation apply in this Agreement.
Definitions
- "Data Subject" means an individual who is the subject of Personal Data.
- "Personal Data" means any information relating to an identified or identifiable natural person that is processed by the Processor as a result of, or in connection with, the provision of the Services; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
- "Processing, processes and process" means either any activity that involves the use of Personal Data or as the Data Protection Legislation may otherwise define processing, processes or process. It includes any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. Processing also includes transferring Personal Data to third parties.
“Data Protection Legislation”:
- To the extent the UK GDPR applies, the law of the United Kingdom or of a part of the United Kingdom which relates to the protection of Personal Data and all applicable data protection and privacy legislation in force from time to time in the UK including the General Data Protection Regulation ((EU) 2016/679); the Data Protection Act 2018; the Privacy and Electronic Communications Directive 2002/58/EC (as updated by Directive 2009/136/EC) and the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426) as amended.
- To the extent the EU GDPR applies, the law of the European Union or any member state of the European Union to which the Customer or Processor is subject, which relates to the protection of Personal Data.
- "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.
- “International Data Transfer Agreement (IDTA)” means the international data transfer agreement published by the Information Commissioner's Office for the transfer of Personal Data from the UK to processors established or operating in third countries.
- “Term” means the fixed period for which this Agreement is active (from the commencement of the service agreement to termination).
- This Agreement is subject to the terms of the contract for the provision of Civo's services and is incorporated into the contract for the provision of Civo's services. Interpretations and defined terms set forth in the contract for the services apply to the interpretation of this Agreement.
- The Appendices form part of this Agreement and will have effect as if set out in full in the body of this Agreement. Any reference to this Agreement includes the Appendices.
- A reference to writing or written includes faxes and email.
In the case of conflict or ambiguity between:
- any provision contained in the body of this Agreement and any provision contained in the Appendices, the provision in the body of this Agreement will prevail; and
- the terms of any accompanying invoice or other document and any provision contained in the Appendices, the provision contained in the Appendices will prevail.
4. Personal Data Types And Processing Purposes
- The parties acknowledge and agree that for the purpose of the Data Protection Legislation, the Customer is the Controller and Civo is the Processor.
- The Customer retains control of the Personal Data and remains responsible for its compliance obligations under the applicable Data Protection Legislation, including providing any required notices and obtaining any required consents, and for the processing instructions it gives to the Processor.
- Appendix A describes the subject matter, duration, nature and purpose of processing and the Personal Data categories and Data Subject types in respect of which Processor may process in order to provide the Services.
5. Processor's Obligations
- Processor will only process the Personal Data to the extent, and in such a manner, as is necessary to provide the Services and in accordance with the Customer's written instructions as set out in the service agreement. Processor will not process the Personal Data for any other purpose or in a way that does not comply with this Agreement or the Data Protection Legislation. Processor must promptly notify the Customer if, in its opinion, the Customer's instruction would not comply with the Data Protection Legislation.
- Processor must promptly comply with any request or instruction from the Customer requiring Processor to amend, transfer, delete or otherwise process the Personal Data, or to stop, mitigate or remedy any unauthorized processing.
- Processor will maintain the confidentiality of all Personal Data and will not disclose Personal Data to third parties unless the Customer or this Agreement specifically authorizes the disclosure, or as required by law. If a law, court, regulator or supervisory authority requires Processor to process or disclose Personal Data, Processor must first inform the Customer of the legal or regulatory requirement and give the Customer an opportunity to object or challenge the requirement, unless the law prohibits such notice.
- Processor will reasonably assist the Customer with meeting the Customer's compliance obligations under the Data Protection Legislation, taking into account the nature of Processor's processing and the information available to Processor, including in relation to Data Subject rights, data protection impact assessments and reporting to and consulting with supervisory authorities under the Data Protection Legislation.
- Processor must promptly notify the Customer of any changes to Data Protection Legislation that may adversely affect Processor's performance of the Services.
- Processor does not need the Customer's consent to process the Customer's own personal data for the purpose of fulfilling its contractual obligations to the Customer, complying with legal obligations, or pursuing its legitimate interests.
- However, some processing activities do require the Customer's consent, e.g. marketing, as identified on Civo's website. The Customer does not have to give consent and the Services are not conditional on the Customer giving consent. The Customer can withdraw consent at any time by contacting the Processor at: dpo@civo.com.
6. Processor's Employees
Processor will ensure that all employees:
- are informed of the confidential nature of the Personal Data and are bound by confidentiality obligations and use restrictions in respect of the Personal Data;
- have undertaken training on the Data Protection Legislation relating to handling Personal Data and how it applies to their particular duties; and
- are aware of both the Processor's duties and their personal duties and obligations under the Data Protection Legislation and this Agreement.
- Processor will take reasonable steps to ensure the reliability, integrity and trustworthiness of and conduct background checks consistent with applicable law on all of Processor's employees with access to the Personal Data.
7. Security
- Processor will ensure it will at all times implement appropriate technical and organizational measures against unauthorized or unlawful processing, access, disclosure, copying, modification, storage, reproduction, display or distribution of Personal Data, and against accidental or unlawful loss, destruction, alteration, disclosure or damage of Personal Data.
Processor must implement such measures to ensure a level of security appropriate to the risk involved, including as appropriate:
- the pseudonymisation and encryption of personal data;
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and
- a process for regularly testing, assessing and evaluating the effectiveness of security measures.
8. Personal Data Breach
- Processor will notify the Customer without undue delay, and in any event within 48 hours, if any Personal Data is lost or destroyed or becomes damaged, corrupted or unusable. Processor will restore such Personal Data at its own expense.
Processor will notify the Customer without undue delay, and in any event within 48 hours, if it becomes aware of:
- (a) any accidental, unauthorized or unlawful processing of the Personal Data; or
- (b) any Personal Data Breach.
Where Processor becomes aware of (a) and/or (b) above, it shall, without undue delay, also provide the Customer with the following information:
- description of the nature of (a) and/or (b), including the categories and approximate number of both Data Subjects and Personal Data records concerned;
- the likely consequences; and
- description of the measures taken, or proposed to be taken to address (a) and/or (b), including measures to mitigate its possible adverse effects.
Within 48 hours following any unauthorized or unlawful Personal Data processing or Personal Data Breach, the parties will coordinate with each other to investigate the matter. Processor will reasonably cooperate with the Customer in the Customer's handling of the matter, including:
- assisting with any investigation;
- providing the Customer with physical access to any facilities and operations affected;
- facilitating interviews with Processor's employees, former employees and others involved in the matter;
- making available all relevant records, logs, files, data reporting and other materials required to comply with all Data Protection Legislation or as otherwise reasonably required by the Customer; and
- taking reasonable and prompt steps to mitigate the effects and to minimize any damage resulting from the Personal Data Breach or unlawful Personal Data processing.
- Processor will not inform any third party of any Personal Data Breach including authorities, except when required to do so by law.
Processor agrees that the Customer has the sole right to determine:
- whether to provide notice of the Personal Data Breach to any Data Subjects, supervisory authorities, regulators, law enforcement agencies or others, as required by law or regulation or in the Customer's discretion, including the contents and delivery method of the notice; and
- whether to offer any type of remedy to affected Data Subjects, including the nature and extent of such remedy.
- Processor will cover all reasonable expenses associated with the performance of the obligations under clause 8.2 and clause 8.4 unless the matter arose from the Customer's specific instructions, negligence, wilful default or breach of this Agreement, in which case the Customer will cover all reasonable expenses.
- Processor will also reimburse the Customer for actual reasonable expenses that the Customer incurs when responding to a Personal Data Breach to the extent that Processor caused such a Personal Data Breach, including all costs of notice and any remedy as set out in clause 8.6.
9. Cross-Border Transfers Of Personal Data
- The Parties warrant that they have no reason to believe that the laws and practices in the third country of destination applicable to the processing of the personal data by the Processor, including any requirements to disclose personal data or measures authorizing access by public authorities, prevent the Processor from fulfilling its obligations under this Agreement. This is based on the understanding that laws and practices that respect the essence of the fundamental rights and freedoms and do not exceed what is necessary and proportionate in a democratic society to safeguard one of the objectives listed in Article 23(1) of Regulation (EU) 2016/679, are not in contradiction with this Agreement.
The Parties declare that in providing the warranty in clause 9.1, they have taken due account in particular of the following elements:
- the specific circumstances of the transfer, including the length of the processing chain, the number of actors involved and the transmission channels used; intended onward transfers; the type of recipient; the purpose of processing; the categories and format of the transferred personal data; the economic sector in which the transfer occurs; the storage location of the data transferred;
- the laws and practices of the third country of destination - including those requiring the disclosure of data to public authorities or authorizing access by such authorities - relevant in light of the specific circumstances of the transfer, and the applicable limitations and safeguards;
- any relevant contractual, technical or organizational safeguards put in place to supplement the safeguards under these Clauses, including measures applied during transmission and to the processing of the personal data in the country of destination.
- The Processor warrants that, in carrying out the assessment under clause 9.2, it has made its best efforts to provide the Customer with relevant information and agrees that it will continue to cooperate with the Customer in ensuring compliance with these Clauses.
- The Parties agree to document the assessment under clause 9.2 and make it available to the competent supervisory authority on request.
- The Processor agrees to notify the Customer promptly if, after having agreed to these Clauses and for the duration of the contract, it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under clause 9.1, including following a change in the laws of the third country or a measure (such as a disclosure request) indicating an application of such laws in practice that is not in line with the requirements in clause 9.1.
- Following a notification pursuant to clause 9.5, or if the Customer otherwise has reason to believe that the Processor can no longer fulfill its obligations under this Agreement, the Customer shall promptly identify appropriate measures (e.g. technical or organizational measures to ensure security and confidentiality) to be adopted by the Processor to address the situation. The Customer shall suspend the data transfer if it considers that no appropriate safeguards for such transfer can be ensured, or if instructed by the competent supervisory authority to do so. In this case, the Customer shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these clauses. Where the contract is terminated pursuant to this clause, clause 12.2 shall apply.
10. Subcontractors
Processor may only authorize a third party (subcontractor) to process the Personal Data if:
- Processor enters into a written contract with the subcontractor that contains terms substantially the same as those set out in this Agreement, in particular, in relation to requiring appropriate technical and organizational data security measures;
- Processor maintains control over all Personal Data it entrusts to the subcontractor; and
- the subcontractor's contract terminates automatically on termination of this Agreement for any reason.
- Where the subcontractor fails to fulfill its obligations under such written agreement, Processor remains fully liable to the Customer for the performance of the subcontractor's obligations.
11. Complaints, Data Subject Requests And Third Party Rights
Processor must, where appropriate, implement such technical and organizational measures and provide such information to the Customer as the Customer may reasonably require, to enable the Customer to comply with:
- the rights of Data Subjects under the Data Protection Legislation, including subject access rights, the rights to rectify and erase personal data, object to the processing and automated processing of personal data, and restrict the processing of personal data; and
- information or assessment notices served on the Customer by any supervisory authority under the Data Protection Legislation.
- Processor must notify the Customer promptly if it receives any complaint, notice or communication that relates directly or indirectly to the processing of the Personal Data or to either party's compliance with the Data Protection Legislation.
- Processor must notify the Customer without undue delay and in any event within 4 working days if it receives a request from a Data Subject for access to their Personal Data or to exercise any of their related rights under the Data Protection Legislation.
- Processor will reasonably provide cooperation and assistance to the Customer in responding to any complaint, notice, communication or Data Subject request.
- Processor will not disclose Personal Data to any Data Subject or to a third party other than at the Customer's request or instruction, as provided for in this Agreement or as required by law.
12. Term And Termination
This Agreement will remain in full force and effect so long as:
- Processor provides Services to the Customer; or
- Processor retains any Personal Data related to the Services in its possession or control ("Term").
- Any provision of this Agreement that expressly or by implication should come into or continue in force on or after termination of the Agreement in order to protect Personal Data will remain in full force and effect.
- The Processor's failure to comply with the terms of this Agreement is a material breach of the Service Agreement. In such an event, the Customer may terminate the contract between the Processor and the Customer effective immediately on written notice to the Processor without further liability or obligation of the Customer.
- If a change in any Data Protection Legislation prevents either party from fulfilling all or part of its Service Agreement obligations, the parties may agree to suspend the processing of the Personal Data until that processing complies with the new requirements. If the parties are unable to bring the Personal Data processing into compliance with the Data Protection Legislation, either party may terminate the Contract on written notice to the other party.
13. Data Return And Destruction
- At the Customer's request, Processor will give the Customer a copy of or access to all or part of the Customer's Personal Data in its possession or control in the format agreed between the parties.
- Within 6 months from the day of termination of the Services for any reason or expiry of the Term, Processor will securely delete or destroy or, if directed in writing by the Customer, return and not retain, all or any Personal Data related to this Agreement in its possession or control unless retention by the Processor is required as set out in clause 13.3.
- If any law, regulation, or government or regulatory body requires Processor to retain any documents or materials that Processor would otherwise be required to return or destroy, it will notify the Customer in writing of that retention requirement, giving details of the documents or materials that it must retain, the legal basis for retention, and establishing a specific timeline for destruction once the retention requirement ends.
- Processor will confirm in writing that it has destroyed the Personal Data.
14. Records
- Processor will keep detailed, accurate and up-to-date written records of any processing of Personal Data it carries out for the Customer, including but not limited to the access, control and security of the Personal Data, approved subcontractors and affiliates, the processing purposes, categories of processing, any transfers of personal data to a third country and related safeguards, and a general description of the technical and organizational security measures referred to in clause 7.1 ("Records").
- Processor will ensure that the Records are sufficient to enable the Customer to verify Processor's compliance with its obligations under this Agreement and Processor will provide the Customer with copies of the Records upon request.
- The Customer and Processor must review the information listed in the Appendices to this Agreement as and when required to confirm its current accuracy and update it when required to reflect current practices.
15. Audit
- Processor conducts annual third-party audits and maintains industry standard certifications as required. During the Term, the Customer can request a copy of certifications.
If a Personal Data Breach occurs or is occurring, or Processor becomes aware of a breach of any of its obligations under this Agreement or any Data Protection Legislation, Processor will:
- promptly conduct its own audit to determine the cause;
- produce a written report that includes detailed plans to remedy any deficiencies identified by the audit;
- provide the Customer with a copy of the written audit report; and
- remedy any deficiencies identified by the audit promptly.
16. Warranties
Each party warrants and represents that:
- its employees, subcontractors, agents and any other person or persons accessing Personal Data on its behalf are reliable and trustworthy and have received the required training on the Data Protection Legislation relating to the Personal Data;
- it and anyone operating on its behalf will process the Personal Data in compliance with the Data Protection Legislation and other laws, enactments, regulations, orders, standards and other similar instruments;
- it has no reason to believe that the Data Protection Legislation prevents it from providing any of the Services;
- considering the current technology environment and implementation costs, it will take appropriate technical and organizational measures to prevent the unauthorized or unlawful processing of Personal Data and the accidental loss or destruction of, or damage to, Personal Data, and ensure a level of security appropriate to the harm that might result from such unauthorized or unlawful processing or accidental loss, destruction or damage and to the nature of the Personal Data protected; and
- it will comply with all applicable Data Protection Legislation and its information and security policies, including the security measures required in clause 7.1.
17. Indemnification
- Each party agrees to indemnify, keep indemnified and defend at its own expense the other party against all costs, claims, damages or expenses incurred by it or for which it may become liable due to any failure by it or its employees, subcontractors or agents to comply with any of its obligations under this Agreement or the Data Protection Legislation.
- Each party shall hold valid insurance sufficient to cover any payment that may be required under clause 17.1, and produce the policy to the other party upon request.
18. Notice
- Any notice or other communication given to the Processor under or in connection with this Agreement must be in writing and delivered to: dpo@civo.com.
- Clause 18.1 does not apply to the service of any proceedings or other documents in any legal action or, where applicable, any arbitration or other method of dispute resolution, which should be delivered by first class registered post to Civo's registered postal address: Civo Ltd, H-K, Gateway 1000, Whittle Way, Stevenage, Herts, England, SG1 2FP.
19. General
- Neither party shall assign, transfer, mortgage, charge, subcontract, declare a trust over or deal in any other manner with any of its rights and obligations under this Agreement.
- No variation of this Agreement shall be effective unless it is in writing and signed by the parties (or their authorized representatives).
- No failure or delay by a party to exercise any right or remedy provided under this Agreement or by law shall constitute a waiver of that or any other right or remedy, nor shall it prevent or restrict the further exercise of that or any other right or remedy. No single or partial exercise of such right or remedy shall prevent or restrict the further exercise of that or any other right or remedy.
- If any provision or part-provision of this Agreement is or becomes invalid, illegal or unenforceable, it shall be deemed modified to the minimum extent necessary to make it valid, legal and enforceable. If such modification is not possible, the relevant provision or part-provision shall be deemed deleted. Any modification to or deletion of a provision or part-provision under this clause shall not affect the validity and enforceability of the rest of this Agreement.
- No one other than a party to this Agreement shall have any right to enforce any of its terms.
- This Agreement and any dispute or claim (including non-contractual disputes or claims) arising out of or in connection with it or its subject matter or formation shall be governed by and construed in accordance with the law of England and Wales.
- Each party irrevocably agrees that the courts of England and Wales shall have exclusive jurisdiction to settle any dispute or claim (including non-contractual disputes or claims) arising out of or in connection with this Agreement or its subject matter or formation.
20. Appendix
This Agreement has been entered into on the same date that the service agreement has commenced.
Appendix A: Personal Data Processing Purposes and Details
- Subject matter of processing: The nature of the Processing is the performance of the Services pursuant to the Agreement. Civo will Process Personal Data as necessary to perform the Services pursuant to the Agreement, as further specified in the Documentation, and as further instructed by Customer in its use of the Services.
- Duration of Processing: For the Term of this Agreement unless otherwise requested by the Customer.
- Frequency of the transfer: Continuous basis depending on the use of the Services by Customer.
- Nature of Processing: The nature of the Processing is the performance of the Services pursuant to the Agreement.
- Personal Data Categories: Customer may submit Personal Data to Civo, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to, the following categories of Personal Data:
- name, email address and telephone number.
- Customer may submit special categories of data to Civo, the extent of which is determined and controlled by Customer in its sole discretion, and which is for the sake of clarity Personal Data with information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation.
- Data Subject Types: Customer may submit Personal Data to Civo, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to, Personal Data relating to the following categories of data subjects:
Competent Supervisory Authority:
- Where Customer is established in an EU Member State, the supervisory authority with responsibility for ensuring compliance by Customer with Regulation (EU) 2016/679 as regards the data transfer shall act as competent supervisory authority.
- Where Customer is not established in an EU Member State but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) and has appointed a representative pursuant to Article 27(1) of Regulation (EU) 2016/679, the supervisory authority of the Member State in which the representative within the meaning of Article 27(1) of Regulation (EU) 2016/679 is established shall act as competent supervisory authority.
- Where Customer is established in the United Kingdom or falls within the territorial scope of application of the Data Protection Laws and Regulations of the United Kingdom (“UK Data Protection Laws and Regulations”), the Information Commissioner's Office (“ICO”) shall act as competent supervisory authority.
- Where Customer is established in Switzerland or falls within the territorial scope of application of the Data Protection Laws and Regulations of Switzerland (“Swiss Data Protection Laws and Regulations”), the Swiss Federal Data Protection and Information Commissioner shall act as competent supervisory authority insofar as the relevant data transfer is governed by Swiss Data Protection Laws and Regulations.
- Governing Law: this Agreement is governed by the laws of England and Wales.