1. Parties
This DPA is entered into between Clivora ("Processor") and the Customer ("Controller") that subscribes to the Service. The Controller determines the purposes and means of processing personal data; the Processor processes personal data only on documented instructions from the Controller.
2. Definitions
Terms such as "personal data", "processing", "data subject", "controller", "processor", and "sub-processor" have the meanings given in applicable data-protection law. "Customer Data" means any personal data processed by Clivora on behalf of the Customer in connection with the Service.
3. Scope and Subject Matter
The Processor processes Customer Data to provide the Service as described in the Terms of Service. The subject matter, duration, nature, and purpose of processing, the types of personal data, and the categories of data subjects are determined by the Customer's configuration and use of the Service.
4. Roles and Responsibilities
- The Controller is responsible for the lawfulness of processing, for the accuracy of personal data, and for obtaining any consents required from data subjects.
- The Processor processes Customer Data only on documented instructions from the Controller, including with regard to transfers to third countries, unless otherwise required by law.
- The Processor will inform the Controller if, in its opinion, an instruction infringes applicable law.
5. Processor Obligations
The Processor will:
- Process Customer Data only for the purposes set out in the Terms of Service and this DPA.
- Ensure that personnel authorized to process Customer Data are bound by confidentiality.
- Implement appropriate technical and organizational security measures.
- Assist the Controller in fulfilling its obligations regarding data subject rights, security, breach notification, and data protection impact assessments.
- Not transfer Customer Data outside the agreed jurisdictions without appropriate safeguards.
6. Sub-processors
The Controller authorizes the Processor to engage sub-processors (such as cloud hosting, email delivery, error monitoring, and payment processing) to provide the Service. The Processor maintains an up-to-date list of sub-processors available on request and will notify the Controller of intended changes, giving the Controller the opportunity to object on reasonable grounds.
The Processor remains liable for the acts and omissions of its sub-processors as if they were its own.
7. Security Measures
The Processor implements technical and organizational measures appropriate to the risk, including:
- Encryption of Customer Data in transit and at rest.
- Strict access controls, least-privilege access, and multi-factor authentication for internal systems.
- Network segmentation and tenant isolation.
- Logging, monitoring, and intrusion detection.
- Regular backups and tested restoration procedures.
- Vulnerability management and periodic security assessments.
8. Personal Data Breach Notification
The Processor will notify the Controller without undue delay after becoming aware of a personal data breach affecting Customer Data, and provide such information as the Controller reasonably needs to comply with its breach-notification obligations under applicable law.
9. Assistance With Data Subject Requests
Taking into account the nature of the processing, the Processor will assist the Controller through appropriate technical and organizational measures, insofar as possible, in fulfilling its obligation to respond to requests from data subjects exercising their rights under applicable data-protection law.
10. Audits and Inspections
The Processor will make available to the Controller all information necessary to demonstrate compliance with this DPA and will allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller, subject to reasonable confidentiality and security requirements.
11. Return and Deletion of Data
Upon termination of the Service, the Processor will, at the Controller's choice, return or delete Customer Data and existing copies, unless retention is required by applicable law. Backups are deleted in accordance with the Processor's standard backup-rotation schedule.
12. Liability
Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the Terms of Service.
13. Contact
For questions about this DPA or to submit a sub-processor objection, contact our team using the details below.
Need help?
Questions about this document?
Our team is here to help. Reach out and we will respond within two business days.