Data Processing Amendment

1. Definitions

GDPR means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

The terms “Personal Data”, “Data Subject”, “Processing”, “Controller”, “Processor”, “Union” and “Member State” as used in this Data Processing Amendment have the meanings given in the GDPR.

2. Details of processing

Subject matter: the subject matter of the data processing under this DPA is Client data.

Duration: throughout the Term of the Agreement.

Nature and Purpose of the Processing: compute, storage, and such other services as described in the Documentation and initiated by Client. The purpose is the provision of the Services initiated by Client.

Type of personal data: personal data uploaded to the Services under Client’s Exoscale accounts.

Categories of data subjects: the data subjects include without limitation: Client’s customers, employees, suppliers, and end-users.

3. Obligations and rights of the controller

If European Data Protection Legislation applies to the processing of Client’s data, the parties acknowledge and agree that Exoscale is a Processor of Client’s data under European Data Protection Legislation, that Client is a Controller under European Data Protection Legislation (unless when Client acts as a Processor, in which case Exoscale is a sub-Processor) and that the parties complies with their obligations under applicable European Data Protection Legislation with respect to the processing of Personal Data.

4. Client instructions

By entering into this DPA, the parties agree that the DPA constitutes Client’s documented instructions regarding Exoscale’s processing of Personal Data. Exoscale only processes Client data to the extent that is necessary to provide the Services.

5. Confidentiality

Exoscale does not access, use, or share Client data to any third party, except when this access, use or sharing is necessary to provide the Services, or as required to comply with law enforcement requests.

6. Security of processing

Exoscale implement and maintains appropriate technical and organizational security measures to protect Client data against accidental destruction, alteration or access. These measures take into account the state of the art and include (a) the pseudonymisation and encryption of Client data; (b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; (c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; (d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing. Exoscale may assess and improve security measures at regular intervals, provided that these improvements lead to an increased level of security for providing the Services. Exoscale assists the Client in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR given the nature of processing and the information available to Exoscale.

7. Processors

Exoscale maintains a list of its sub-Processors at https://exoscale.com/privacy/#data-processors. Exoscale informs the Client of any intended changes concerning the addition or replacement of other Processors at least 30 days in advance. Exoscale makes sure Data Processing Amendments are in place with its sub-Processors to ensure compliance with the GDPR. If the Client objects the addition or replacement of a sub-Processor, they may terminate the services as described in Section 13.2 of Exoscale’s Terms and Conditions.

8. Data Subject rights

Exoscale assists the Client for the fulfilment of their obligation to respond to requests for exercising the data subject’s rights as laid down in Chapter III of the GDPR: (a) right of access by the data subject, (b) right to rectification, (c) right to erasure, (d) right to restriction of processing, and (e) right to data portability.

9. Deletion and return

Client’s right to data return is described in Section 13.5 of Exoscale’s general Terms and Conditions. In addition, Exoscale deletes all the personal data after the end of the provision of Services and deletes existing copies unless Union or Member State law requires storage of the personal data.

10. Audit rights

Exoscale makes available to the Client all information necessary to demonstrate compliance with the obligations and measures described in this DPA. Exoscale allows for and contributes to audits, including inspections, conducted by the Client or another auditor mandated by the Client.