PARTIES AND EXECUTION (Reference is made to the service order component of the Main Agreement between CyberFortress and the CyberFortress Customer for entity details and signatures; this DPA was modified to add this notice and the entity detail notes appearing in this section of the form.) |
|
Entity details: the CyberFortress entity identified in the service order section of the Main Agreement |
Entity details: the CyberFortress Customer identified in the service order section of the Main Agreement |
Signature: the signature on the Main Agreement that incorporates this DPA by reference is intended to serve as the signature on this DPA |
Signature: the signature on the Main Agreement that incorporates this DPA by reference is intended to serve as the signature on this DPA |
Name: See Main Agreement signature block; the signature on the Main Agreement that incorporates this DPA is intended to serve as the signature on this DPA |
Name: See Main Agreement signature block; the signature on the Main Agreement that incorporates this DPA is intended to serve as the signature on this DPA |
Title: See Main Agreement signature block |
Title: See Main Agreement signature block |
Date: See Main Agreement signature block |
Date: See Main Agreement signature block |
VARIABLES |
Parties’ relationship |
Controller to Processor or Processor to Sub-processor or both and as to Account Data, as defined below, Independent Controller to Controller |
|
Parties’ roles |
Customer is a Controller or Processor and a Business or Service Provider; CyberFortress is a Processor and Service Provider; and as to Account Data, as defined below, Customer is an Independent Controller and CyberFortress is a Controller |
|
Contacts |
Controller/Processor |
Processor/Sub-processor |
Name: the primary account contact listed on the service order. Email: the email listed for the primary account contact listed on the service order. The physical address and phone number are those stated for the primary account contact on the service order. If the service order does not list a primary account contact, then the primary account is the signatory on the service order. |
Name: Privacy Officer; Email: [email protected]; 21750 Hardy Oak Blvd, Ste 104, PMB 96884, San Antonio, TX 78258; 855-456-0332 |
|
Main Agreement |
Master Services Agreement or other services agreement between Customer and CyberFortress |
|
Term |
This DPA will commence on the final date of signature and will continue for so long as CyberFortress processes personal data of Customer |
|
Breach Notification Period |
Without undue delay but in no event more than 72 hours |
|
Sub-processor Notification Period |
14 days before the new sub-processor takes effect |
|
Liability Cap |
Each party’s aggregate liability under this DPA will not exceed the liability caps as per the Main Agreement |
|
Governing Law and Jurisdiction |
As per the Main Agreement |
|
Data Protection Laws |
The laws and regulations which apply to the processing of personal data in:
This includes the European Union Regulation (EU) 2016/679, the Data Protection Act 2018, California Consumer Privacy Act of 2018 (CCPA)/California Privacy Rights Act of 2020 (CPRA), the Privacy Act 1998 as amended from time to time. This section was modified from the OneDPA template to specify applicable jurisdictions. |
|
Services related to processing |
Access to online software and systems for data and system backup and restoration |
|
Duration of processing |
The term of the Main Agreement plus a reasonable time following expiration or termination of the Main Agreement as reasonably necessary for data destruction process |
|
Nature and purpose of processing |
Processing as configured by Customer for creating backup copies of Customer content, storage of backup copies, and recovery and restoration of backups |
|
Types of personal data |
Account Data: personal data of customer and customer’s personnel who interact with CyberFortress to manage the service relationship, such as Customer’s accounting and technical staff. Content Data: personal data that is part of Customer’s backed up content as determined by Customer |
|
Data subjects |
The individuals whose personal data will be processed are: (i) for Account Data – Customer’s staff; and (ii) for Content Data – individuals whose personal data is part of Customers’ backed up content as determined by Customer |
|
Special provisions |
Customer is either a Controller or a Processor and CyberFortress is either a Processor or a Subprocessor. Account Data: Customer is a Controller/Business and CyberFortress is a Processor/Service Provider. Content Data: Customer is either a Controller or a Processor and CyberFortress is either a Processor or Sub-Processor. For Account Data, Customer is a Controller and CyberFortress is a Controller for the limited purpose of CyberFortress communications about its services offerings that may be of interest to Customer. The OneDPA template was modified so that customer is referred to in all contexts as “Customer” rather than as “Controller” or “Processor” and so that CyberFortress is referred to in all contexts as “Service Provider” rather than “Processor” or “Subprocessor.” |
|
Transfer Mechanism |
Standard Contractual Clauses approved by the European Commission Decision of 4 June 2021 (as amended from time to time), for the transfer of personal data from the EEA or adequate country to a third country |
ANNEX 1 |
|
Security measures. Technical and organisational measures to ensure the security of the data |
As described in the Main Agreement |
ANNEX 2 |
|
Sub-processors. Current sub-processors |
As identified in a separate document that is either published on Service Provider’s website or that has been provided to Customer |
TERMS
1. What is this agreement about?
1.1 Purpose. The parties are entering into this Data Processing Agreement (DPA) for the purpose of processing personal data.
1.2 Adequate country, Controller, data subject, personal data, process/processing, Processor, Sub-processor and supervisory authority have the same meanings as in the Data Protection Laws.
1.3 Business and Service Provider have the same meanings as in the CCPA.
CONTROLLER-PROCESSOR AND PROCESSOR-SUB-PROCESSOR RELATIONSHIPS
2. What are each party’s obligations?
2.1 Customer obligations. For personal data for which Customer is the Controller, Customer is responsible for obtaining all consents, licences and legal bases required to allow Service Provider to process personal data. For personal data for which Customer is a processor, Customer is responsible for sharing the controller’s instructions with Service Provider prior to the processing of personal data.
2.2 Service Provider obligations. Service Provider will:
(a) only process personal data in accordance with this DPA and Customer’s instructions (unless legally required to do otherwise),
(b) not sell, retain or use any personal data for any purpose other than as permitted by this DPA and the Main Agreement,
(c) inform Customer immediately if (in its opinion) any instructions infringe Data Protection Laws,
(d) implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk involved as set out in Annex 1,
(e) notify Customer of a personal data breach within the Breach Notification Period,
(f) ensure that anyone authorised to process personal data is committed to confidentiality obligations,
(g) provide Customer with reasonable assistance in responding to a personal data breach and comply with breach notification obligations,
(h) without undue delay, provide Customer with reasonable assistance with:
(i) data protection impact assessments,
(ii) responses to data subjects’ requests to exercise their rights under Data Protection Laws, and
(iii) engagement with supervisory authorities,
(i) if requested, provide Customer with information necessary to demonstrate its compliance with obligations under Data Protection Laws and this DPA,
(j) allow for audits at Customer’s reasonable request, provided that audits are limited to once a year and during business hours except in the event of a security incident, and
(k) after termination of this DPA, delete or return personal data upon Customer’s written request unless retention is required to meet legal or regulatory obligations.
2.3 Warranties. The parties warrant that they and any staff and/or subcontractors will comply with their respective obligations under Data Protection Laws for the Term.
3. Sub-processing
3.1 Use of sub-processors. Customer consents to Service Provider using sub-processors when processing personal data. Service Provider’s existing sub-processors are listed in Annex 2.
3.2 Sub-processor obligations. Service Provider will:
(a) require its sub-processors to comply with equivalent terms as Service Provider’s obligations in this DPA,
(i) ensure appropriate safeguards are in place before internationally transferring personal data to its sub-processor, and
(ii) be liable for any acts, errors or omissions of its sub-processors under this DPA.
3.3 Approvals. Service Provider may appoint new sub-processors provided that they notify Customer in writing within the Sub-processor Notification Period.
3.4 Objections. Customer may reasonably object in writing to any future sub-processor. If the parties cannot agree on a solution within a reasonable time, either party may terminate this DPA.
4. International personal data transfers
4.1 Instructions. Service Provider will transfer personal data outside the UK, the EEA or an adequate country only on documented instructions from Customer, unless otherwise required by law.
4.2 Transfer mechanism. Where a party processes personal data outside the UK, the EEA or an adequate country:
(a) that party will act as the data importer,
(b) the other party is the data exporter, and
(c) the Transfer Mechanism will apply.
4.3 Additional measures. If the Transfer Mechanism is insufficient to safeguard the transfer, the data importer will promptly implement additional or replacement measures as necessary to ensure personal data is protected to the same standard as under Data Protection Laws.
4.4 Disclosures. If the data importer receives a request from a public authority to access personal data, it will (if legally possible):
(a) challenge the request and promptly notify the data exporter about receiving it, and
(b) if it is necessary to disclose personal data, only disclose the minimum amount required to the public authority and keep a record of the disclosure.
INDEPENDENT CONTROLLER-CONTROLLER RELATIONSHIPS
5. What are each party’s obligations?
5.1 Mutual obligations. Each party will:
(a) only process personal data in accordance with this DPA (unless legally required to do otherwise),
(b) implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk involved as each of the parties set out in Annex 1, and
(c) without undue delay, provide the other party with reasonable assistance with responses to data subjects’ requests to exercise their rights under Data Protection Laws.
5.2 Warranties. The parties warrant that they and any staff and/or subcontractors will comply with their respective obligations under Data Protection Laws for the Term.
6. International personal data transfers
6.1 Transfer mechanism. Where a party processes personal data outside the UK, the EEA or an adequate country:
(a) that party will act as the data importer,
(b) the other party is the data exporter, and
(c) the Transfer Mechanism will apply.
6.2 Additional measures. If the Transfer Mechanism is insufficient to safeguard the transfer, the data importer will promptly implement additional or replacement measures as necessary to ensure personal data is protected to the same standard as under Data Protection Laws.
6.3 Disclosures. If the data importer receives a request from a public authority to access personal data, it will (if legally possible):
(a) challenge the request and notify the data exporter about receiving it, and
(b) if it is necessary to disclose personal data, only disclose the minimum amount required to the public authority and keep a record of the disclosure.
7. Other important information
7.1 Survival. Any term of this DPA which is intended to survive termination will remain in full force.
7.2 Order of precedence. In case of a conflict between this DPA and other relevant terms, they will take priority in this order:
(a) Transfer Mechanism,
(b) DPA,
(c) Main Agreement.
7.3 Notices. Formal notices under this DPA must be in writing and sent to the Contact on the Agreement’s front page as may be updated by a party to the other in writing.
7.4 Third parties. Except for affiliates, no one other than a party to this DPA has the right to enforce any of its terms.
7.5 Entire agreement. This DPA supersedes all prior discussions and agreements and constitutes the entire agreement between the parties with respect to its subject matter and neither party has relied on any statement or representation of any person in entering into this Agreement.
7.6 Amendments. Any amendments to this DPA must be agreed in writing.
7.7 Assignment. Neither party can assign this DPA to anyone else without the other party’s consent.
7.8 Waiver. If a party fails to enforce a right under this DPA, that is not a waiver of that right at any time.
7.9 Governing law and jurisdiction. The Governing Law applies to this DPA and all disputes will only be litigated in the courts of the Jurisdiction.
Updated: July 2022