
DATA PROCESSING AGREEMENT

 

This Data Processing Agreement (“DPA”) is an integral part of any Agreement and any Attachments for the delivery of Services that is entered into between the Parties (hereinafter together referred to as the “Agreement”) and is entered into by and between:

 

Parties

between

Cumulocity (UK) LTD (“Supplier” and “Processor”)

(“Customer” and “Controller”)

Place of Business 

Suite 223-226 Compass House, Vision Park, Chivers Way, Histon, Cambridge CB24 9AD, United Kingdom

 

each a “Party”, together the “Parties”.

 

  1. DEFINITIONS
    1. The following terms apply to this DPA in addition to those defined in the EU General Data Protection Regulation (“GDPR”):

Applicable Data Protection Law

means any data protection law that applies to Customer’s processing of personal data, such as but not limited to the EU General Data Protection Regulation (“GDPR”), the UK General Data Protection Regulation and Data Protection Act 2018 (together “UK GDPR”), the California Consumer Privacy Act (“CCPA”), the Swiss Federal Act on Data Protection (“FADP”), the Brazilian General Data Protection Law (“LGPD”) and the South African Protection of Personal Information Act (“POPIA”).

Services

means services carried out by Supplier on behalf of Customer as set out in the Agreement and the Appendix to this DPA.

Standard Contractual Clauses (“SCCs”)

means the EU Standard Contractual Clauses for the transfer of personal data to third countries pursuant to Commission Decision 2021/914. To the extent transfers of personal data originate from the UK, the Parties agree that the UK International Data Transfer Addendum to the EU Commission Standard Contractual Clauses shall also apply. To the extent transfers of personal data originate from Switzerland, the Parties agree that, for purposes of the EU Standard Contractual Clauses: (i) the term ‘member state’ shall be interpreted to include Switzerland and, for the avoidance of doubt, the term ‘data subject’ includes residents of Switzerland; (ii) references to the GDPR are to be interpreted as including a reference to the FADP; and (iii) for data transfers subject solely to the FADP, the Swiss Federal Data Protection Authority is the competent supervisory authority, and disputes arising from such transfers may be brought in the courts of Switzerland.

Subprocessor

means a sub-contractor that Processor engages to process personal data on behalf of Controller when carrying out the subcontracted Services. The list of Subprocessors is available here: https://www.cumulocity.com/legal/toms-subprocessors/

Restricted Transfer

means a transfer of personal data originating in the EEA, the UK or Switzerland that is subject to the GDPR, the UK GDPR and/or the FADP to a third country, where the required level of protection must be secured by an appropriate safeguard, e.g. by entering into the SCCs.

 

  2. DETAILS OF PROCESSING
    1. The Appendix to this DPA details the processing operations that Processor provides to Controller.

 

  3. OBLIGATIONS OF CONTROLLER
    1. Controller shall comply with Applicable Data Protection Law and demonstrate such compliance as required under the Applicable Data Protection Law.

 

  4. INSTRUCTIONS
    1. Controller instructs Processor to process personal data on its behalf for the purposes of performing the Services. Controller shall ensure that any instruction given to Processor complies with Applicable Data Protection Law. If Customer is a processor, Customer warrants that its instructions and actions with respect to the processing of the personal data provided to the Supplier, including the appointment of Supplier as another processor, have been authorized by the relevant controller.
    2. Processor shall process the personal data only in accordance with the instructions given by the Controller unless otherwise required by Applicable Data Protection Law.
    3. Any further instructions that go beyond the instructions contained in this DPA or the Agreement must be within the subject matter of this DPA and the Agreement. If the implementation of such further instructions results in costs for Processor, Processor shall inform Controller about such costs with an explanation of the costs before implementing the instructions. Only after Controller's confirmation to bear such costs for the implementation of the instructions, Processor is required to implement such further instructions. Controller shall give further instructions generally in writing, unless the urgency or other specific circumstances require another (e.g., oral, electronic) form. Instructions in another form than in writing shall be confirmed by Controller in writing without delay.
    4. Processor shall immediately inform Controller if, in its opinion, an instruction infringes the Applicable Data Protection Law and request Controller to withdraw, amend or confirm the relevant instruction. Processor shall be entitled to suspend implementation of the relevant instruction pending Controller’s decision to withdraw, amend or confirm such instruction.

 

  5. OBLIGATIONS OF PROCESSOR
    1. Processor shall ensure that all persons authorized by Processor to process personal data on behalf of Controller, particularly personnel of Processor or any Subprocessor, have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
    2. Before processing personal data to provide the Services, Processor shall implement the technical and organizational measures published at https://www.cumulocity.com/legal/toms-subprocessors/. Processor may amend the technical and organizational measures from time to time, provided that the amended technical and organizational measures are not less protective than those in place as of the date on which the Parties concluded this DPA.
    3. Processor shall make available to Controller all information necessary to demonstrate compliance with the obligations in the Applicable Data Protection Law. The Parties agree that this information obligation is met by providing Controller with an audit report upon request. To the extent additional audit activities are required by Applicable Data Protection Law, Controller may request inspections conducted by Controller or another auditor mandated by Controller. An on-site audit must:
      1. be limited to processing facilities and personnel of Processor involved in the processing activities covered by this DPA;  
      2. occur no more than once annually or as required by Applicable Data Protection Law or by a competent supervisory authority or immediately after a material personal data breach affecting personal data processed by Processor under this DPA; and
      3. occur only during regular business hours, after reasonable prior notice, in accordance with Processor's security policies and without substantially disrupting Processor's business operations.

Each Party shall bear its own costs arising out of or in connection with the on-site audit. Controller shall create an audit report summarizing the findings and observations of the on-site audit. All audit reports are confidential information of Processor and shall not be disclosed to third parties unless required by Applicable Data Protection Law or with Processor's consent.

    4. Processor shall notify Controller without undue delay:
      1. about any legally binding request for disclosure of the personal data by a law enforcement authority, unless otherwise prohibited, such as by a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation;
      2. if applicable law to which Processor or Subprocessor is subject requires Processor or Subprocessor to process the personal data beyond Controller’s instructions, before performing such processing, unless that applicable law prohibits such information. In this case Processor’s notification to Controller must specify the applicable legal requirement; and
      3. after Processor has documented reason to believe that a personal data breach has occurred at Processor or at Subprocessors that may affect the personal data of Controller covered by this DPA. In this case, Processor shall assist Controller with Controller's obligation under Applicable Data Protection Law to inform the data subjects and the supervisory authorities, as applicable, by providing information in accordance with Applicable Data Protection Law as available to Processor. Processor shall implement remediation measures to prevent future breaches.
    5. Processor shall take commercially reasonable measures to provide necessary information and assist Controller with its obligation to carry out a data protection impact assessment or prior consultation in relation to the Services as may be required by Applicable Data Protection Law. Processor must provide such assistance only if Controller cannot meet its obligation through other means.
    6. At the choice of Controller, Processor shall delete or return to Controller all personal data (including any data storage media) processed on Controller’s behalf under this DPA after the end of the provision of Services and delete any existing copies unless applicable law requires Processor to retain such personal data.

 

  6. DATA SUBJECT RIGHTS
    1. Controller is primarily responsible for handling and responding to requests made by data subjects. If a data subject contacts Processor directly, Processor shall communicate the data subject’s request to Controller. Processor shall not respond to any data subject independently.
    2. Processor shall assist Controller, using appropriate technical and organizational measures insofar as this is feasible, to respond to data subjects’ requests to exercise the rights set out in Applicable Data Protection Law.

 

  7. ARTIFICIAL INTELLIGENCE
    1. The Supplier does not access or use Customer data for the creation or training of Large Language Models or foundational models.
    2. The Supplier may gather information on prompts and outputs in order to improve the AI Agent(s) provided by the Supplier.

 

  8. SUBPROCESSING
    1. Controller authorizes the use of Subprocessors engaged by Processor for the provision of the Services under this DPA. The same applies to the use of further Subprocessors engaged by Subprocessors, in which case the below applies accordingly. Processor shall choose such Subprocessor diligently. Processor remains responsible for any acts or omissions of its Subprocessors in the same manner as for its own acts and omissions hereunder. Controller approves the Subprocessors listed here: https://www.cumulocity.com/legal/toms-subprocessors/.
    2. Processor shall pass on in writing (electronic form is sufficient) to Subprocessors the obligations of Processor under this DPA to the extent applicable to the subcontracted Services.
    3. Processor may replace or appoint suitable and reliable Subprocessors at its discretion in accordance with this clause:
      1. After Controller has registered online at https://www.cumulocity.com/legal/toms-subprocessors/, Processor shall notify Controller in advance of any change to its Subprocessor(s) by sending a notification to the e-mail address provided by Controller.
      2. If Controller does not object in accordance with this clause within 30 days of receiving Processor’s notice, the Subprocessor(s) will be deemed accepted. If Controller has a legitimate reason to object to a Subprocessor, Controller shall notify Processor thereof in writing within 30 days after receipt of Processor's notice. If Controller objects to the use of the Subprocessor, Processor shall have the right to cure the objection within 30 days after Processor's receipt of Controller's objection. If the objection has not been cured within 30 days after Processor's receipt of Controller's objection, either Party may terminate the affected Service with reasonable written notice.

 

  9. RESTRICTED TRANSFER
    1. When the transfer of personal data is a Restricted Transfer, it shall be performed in compliance with the Applicable Data Protection Law. The Customer agrees that where the Processor engages a Subprocessor in accordance with the Subprocessing clause (Clause 8) of this DPA for the provision of Services and those Services involve a Restricted Transfer of personal data, the Processor and the Subprocessor may ensure compliance with Applicable Data Protection Law (i) by using the SCCs and, (ii) where legally required, by supplementary contractual, organizational and technical measures that provide a sufficient level of data protection.

 

  10. TERM
    1. This DPA shall remain in effect for each term of an Agreement entered into between the Parties.

 

  11. GENERAL
    1. Any liability arising out of or in connection with a violation of the obligations of this DPA or under Applicable Data Protection Law, shall follow, and be governed by, the liability provisions set forth in, or otherwise applicable to, the Agreement, unless otherwise provided within this DPA.
    2. In the event of inconsistencies between the provisions of this DPA and any other agreements between the Parties, the provisions of this DPA will prevail regarding the Parties' data protection obligations. In case of doubt as to whether clauses in such other agreements relate to the Parties' data protection obligations, this DPA will prevail. If any provision of this DPA is held to be invalid, illegal or unenforceable, the remaining provisions shall not be affected or impaired.

 


 

 

Appendix: Details of Processing

 

Controller

Cloud Services: The Controller provides business data in the course of using the Cloud Services of Processor and to assist in the analysis and resolution of Support Incidents reported in those Cloud Services.

Support Services: The Controller is providing business data to assist in the analysis and resolution of Support Incidents reported in software products of Processor.

Professional Services: The Controller is providing business data to or granting access to Processor to help develop or implement solutions for Controller.

Training, Onboarding, Customer Success Services: The Controller is providing business data to assist with training, onboarding and customer success services.

Processor

The Supplier is the Processor.

Data subjects

  • employees of Controller
  • end-customers of Controller
  • potential end-customers of the Controller
  • any person with whom Controller maintains a business relationship

Categories of data

  • Name
  • Corporate Personnel ID
  • Business e-mail address
  • Telephone number
  • IP Address
  • Data of the Controller used within the systems which are in the scope as defined in the relevant Statement of Work
  • Data of the Controller used within the products offered by Processor

Special categories of data (if appropriate)*

Cloud Services: The Controller decides which data is transmitted for the purpose of providing Cloud Services.

Support Services: The Controller decides which data is transmitted for the purpose of providing customer support.

Professional Services: The Controller decides which data is made available to the Processor in the scope of the systems as defined in the relevant Statement of Work.

Training, Onboarding, Customer Success Services: The Controller decides which data is transmitted for the purpose of providing training, onboarding and customer success services.

*The transfer of special categories of personal data is not anticipated.

Processing operations

Cloud Services: Processor processes Controller Data with a Software as a Service / Platform as a Service / Software operated as a Service offering in a public cloud infrastructure as defined in the Cloud Services Agreement.

Support Services: Support incident solution research using Controller business data to analyze or reproduce incidents reported by the Controller.

Professional Services: The Processor will use the personal data of the Controller only as defined in the Service Agreement.

Training, Onboarding, Customer Success Services: Maintaining a record of application users and training sessions.

Subject matter of the processing

Cloud Services: The subject matter of the data processing under this addendum are the Controller data processed in the Cloud Services as defined in the Cloud Services Agreement including the operation of a Cloud Service platform. To access the operated platform users need to be authenticated and authorized. User details will be used to create unique user IDs that are used for authentication and authorization. Email addresses might be used to send notifications to the users as result of using services of the Cloud Service platform and corresponding support systems (e.g., Ticket system).

Support Services: As described in the applicable Maintenance and Support Service description.

Professional Services: The subject matter of the processing is described in the relevant Statement of Work.

Training, Onboarding, Customer Success Services: As described in the applicable Service description.

Nature and purpose of the processing

Cloud Services: The purpose of the data processing under this addendum is the provisioning of the Cloud Services initiated by the Controller. The Cloud Services processing systems and respective processing properties are defined in the Cloud Services Agreement.

Support Services: Processor processes the personal data of the data subjects on behalf of Controller in order to solve problems in software products of Processor.

Professional Services: Processor processes the personal data of the data subjects on behalf of Controller in order to provide the Consulting Services described in detail in the relevant Statement of Work.

Training, Onboarding, Customer Success Services: Onboarding of new users; Support on questions and ideas (e.g. written request, chat, comments, feature requests); Customer success; Share reports with the Controller.