CloudTask Data Processing and Security Terms (Customers, Partners and Website Users)

 

These Data Processing and Security Terms, including their appendices (the “Terms”) will be effective and replace any previously applicable data processing and security terms as from the Terms Effective May 25, 2018.

The ("Customer", "Partner" or "Website User") agreeing to these terms and CloudTask LLC, a US company with a physical location in the State of Florida, have entered into an agreement under which CloudTask has agreed to provide CloudTask Cloud Platform (as described at www.cloudtask.com) and related technical support to ("Customer", "Partner" or "Website User") (as amended from time to time, the "Agreement"). These Terms supplement our Privacy Notice, Data Retention Policy, Cookies Policy Agreement, and other important legal notices placed on this site, for your information.

INTRODUCTION
These Terms reflect the parties’ agreement with respect to the terms governing the processing and security of ("Customer", "Partner" or "Website User") Data under this Agreement.

DEFINITIONS

Capitalized terms used but not defined in these Terms have the meanings set out in the Agreement, in these Terms, unless stated otherwise. Please see CloudTask’s list of policy terms.

DURATION OF THESE TERMS
These Terms will take effect on May 25th, 2018 and, notwithstanding expiry of the Term, will remain in effect until such time is specified, and automatically expire upon, deletion of all ("Customer", "Partner" or "Website User") Data by CloudTask as described in these Terms.

SCOPE OF DATA PROTECTION LEGISLATION

These terms are within the scope of all adjunct privacy laws of the US accordingly implemented, including that required by CANSPAM, CalOPPA and other privacy related laws, in line with cross border privacy legislation of the UK-EU, Data Protection Bill (DPB) - The Privacy and Electronic Communications Regulations (PECR), including that required by the EU General Data Protection Regulation (GDPR) and PECR; and in line with the Personal Information Protection and Electronic Documents Act (PIPEDA) of Canada.

APPLICATION OF EUROPEAN LEGISLATION

The parties acknowledge and agree that the European Data Protection Legislation will apply to the processing of ("Customer", "Partner" or "Website User") Personal Data if, for example:

  • the processing is carried out in the context of the activities of an establishment of ("Customer", "Partner" or "Website User") in the territory of the EEA; and/or
  • the ("Customer", "Partner" or "Website User") Personal Data is personal data relating to data subjects who are in the EEA and the processing relates to the offering to them of goods or services in the EEA or the monitoring of their behaviour in the EEA.

APPLICATION OF NON-EUROPEAN LEGISLATION

The parties acknowledge and agree that Non-European Data Protection Legislation may also apply to the processing of ("Customer", "Partner" or "Website User") Personal Data.

APPLICATION OF TERMS

Except to the extent these Terms state otherwise, these Terms will apply irrespective of whether the European General Data Protection Regulation or Non-European Data Protection Legislation applies to the processing of ("Customer", "Partner" or "Website User") Personal Data.

PROCESSING OF DATA

Roles and Regulatory Compliance; Authorization.

Processor and Controller Responsibilities.

If the European Data Protection Legislation applies to the processing of ("Customer", "Partner" or "Website User") Personal Data, the parties acknowledge and agree that:

  • the subject matter and details of the processing are described in Appendix 1;
  • CloudTask is a processor of that ("Customer", "Partner" or "Website User") Personal Data under the General Data Protection Regulation;
  • ("Customer", "Partner" or "Website User") is a controller or processor, as applicable, of that ("Customer", "Partner" or "Website User") Personal Data under General Data Protection Regulation; and
  • each party will comply with the obligations applicable to it under the General Data Protection Regulation with respect to the processing of that ("Customer", "Partner" or "Website User") Personal Data.

Authorization by Third Party Controller

If the General Data Protection Regulation applies to the processing of ("Customer", "Partner" or "Website User") Personal Data and ("Customer", "Partner" or "Website User") is a processor, ("Customer", "Partner" or "Website User") warrants to CloudTask that ("Customer", "Partner" or "Website User")’s instructions and actions with respect to that ("Customer", "Partner" or "Website User") Personal Data, including its appointment of CloudTask as another processor, have been authorized by the relevant controller.

Responsibilities under Non-European Legislation

If Non-European Data Protection Legislation applies to either party’s processing of ("Customer", "Partner" or "Website User") Personal Data, the parties acknowledge and agree that the relevant party will comply with any obligations applicable to it under that legislation with respect to the processing of that ("Customer", "Partner" or "Website User") Personal Data.

Scope of Processing.


("Customer", "Partner" or "Website User")’s Instructions

By entering into these Terms, ("Customer", "Partner" or "Website User") instructs CloudTask to process ("Customer", "Partner" or "Website User") Personal Data only in accordance with applicable law: (a) to provide the Services; (b) as further specified via ("Customer", "Partner" or "Website User")’s use of the Services (outlined in our Privacy Policy); (c) as documented in the form of the Agreement, including these Terms; and (d) as further documented in any other written instructions given by ("Customer", "Partner" or "Website User") and acknowledged by CloudTask as constituting instructions for purposes of these Terms.

CloudTask's Compliance with Instructions

CloudTask will comply with the instructions described in the section above (Processing of Data) ("Customer", "Partner" or "Website User")’s Instructions (including with regard to data transfers) unless EU or EEA Member State law to which CloudTask is subject requires other processing of ("Customer", "Partner" or "Website User") Personal Data by CloudTask, in which case CloudTask will inform ("Customer", "Partner" or "Website User") (unless that law prohibits CloudTask from doing so on important grounds of public interest) via info@cloudtask.com.

DATA DELETION

Deletion request by ("Customer", "Partner" or "Website User")

CloudTask will enable ("Customer", "Partner" or "Website User") to ask for deletion of ("Customer", "Partner" or "Website User") Data during the Term in a manner consistent with the functionality of our Services or other obligations required on processing of data, outlined in our Privacy Policy and Data Processing Policy.

Deletion on Termination

On expiry of the Term, ("Customer", "Partner" or "Website User") instructs CloudTask to delete all ("Customer", "Partner" or "Website User") Data (including existing copies) from CloudTask's systems in accordance with applicable law. CloudTask will, after a recovery period of up to 30 days following such expiry, comply with this instruction as soon as reasonably practicable and within a maximum period of 180 days, unless EU or EU Member State law requires storage. Without prejudice to (Access; Rectification; Restricted Processing; Portability), ("Customer", "Partner" or "Website User") acknowledges and agrees that ("Customer", "Partner" or "Website User") will be responsible for exporting, before the Term expires, any ("Customer", "Partner" or "Website User") Data it wishes to retain afterwards.

DATA SECURITY

CloudTask's Security Measures, Controls and Assistance

CloudTask's Security Measures

CloudTask will implement and maintain technical and organizational measures to protect ("Customer", "Partner" or "Website User") Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access as described in our Privacy Policy. The Security Measures include measures to encrypt personal data; to help ensure ongoing confidentiality, integrity, availability and resilience of CloudTask's systems and services; to help restore timely access to personal data following an incident; and for regular testing of effectiveness. CloudTask may update or modify the Security Measures from time to time provided that such updates and modifications do not result in the degradation of the overall security of the Services.

Security Compliance by CloudTask Staff

CloudTask will take appropriate steps to ensure compliance with the Security Measures by its employees, contractors and Subprocessors to the extent applicable to their scope of performance, including ensuring that all persons authorized to process ("Customer", "Partner" or "Website User") Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

CloudTask's Security Assistance

("Customer", "Partner" or "Website User") agrees that CloudTask will (taking into account the nature of the processing of ("Customer", "Partner" or "Website User") Personal Data and the information available to CloudTask) assist ("Customer", "Partner" or "Website User") in ensuring compliance with any of ("Customer", "Partner" or "Website User")’s obligations in respect of security of personal data and personal data breaches, including if applicable ("Customer", "Partner" or "Website User")’s obligations pursuant to Articles 32 to 34 (inclusive) of the GDPR, by:

  • implementing and maintaining the Security Measures in accordance with (CloudTask's Security Measures);
  • complying with the terms of (Data Incidents); and
  • providing ("Customer", "Partner" or "Website User") with the Security Documentation in accordance with the law and the information contained in this Agreement including these Terms.

 

DATA INCIDENTS

Incident Notification

If CloudTask becomes aware of a Data Incident, CloudTask will: (a) notify ("Customer", "Partner" or "Website User") of the Data Incident promptly and without undue delay after becoming aware of the Data Incident; and (b) promptly take reasonable steps to minimize harm and secure ("Customer", "Partner" or "Website User") Data.

Details of Data Incident

Notifications made pursuant to this section will describe, to the extent possible, details of the Data Incident, including steps taken to mitigate the potential risks and steps CloudTask recommends ("Customer", "Partner" or "Website User") take to address the Data Incident.

Delivery of Notification

Notification(s) of any Data Incident(s) will be delivered to the Notification Email Address or, at CloudTask's discretion, by direct communication (for example, by phone call or an in-person meeting). ("Customer", "Partner" or "Website User") is solely responsible for ensuring that the Notification Email Address is current and valid.

No Acknowledgement of Fault by CloudTask. CloudTask's notification of or response to a Data Incident under will not be construed as an acknowledgement by CloudTask of any fault or liability with respect to the Data Incident without an investigation.

SECURITY CERTIFICATIONS AND REPORTS

CloudTask will do the following to evaluate and help ensure the continued effectiveness of the Security Measures: maintain the ISO 27001 Certification, ISO 27017 Certification and ISO 27018 Certification; and update our policies as necessary.


REVIEWS AND AUDITS OF COMPLIANCE

Reviews of Security Documentation

In addition to the information contained in the Agreement (including these Terms), CloudTask will make available for review by ("Customer", "Partner" or "Website User") information to demonstrate compliance by CloudTask with its obligations under these Terms:

If the General Data Protection Regulation applies to the processing of ("Customer", "Partner" or "Website User") Personal Data, CloudTask will allow ("Customer", "Partner" or "Website User") or an independent auditor appointed by ("Customer", "Partner" or "Website User") to conduct audits (including inspections) to verify CloudTask's compliance with its obligations under these Terms in accordance with the law. CloudTask will contribute to such audits as described in (Security Certifications and Reports) and (Reviews and Audits of Compliance).


If ("Customer", "Partner" or "Website User") has entered into Model Contract Clauses to (Transfer Data Out of the EEA), CloudTask will, without prejudice to any audit rights of a supervisory authority under such Model Contract Clauses, allow ("Customer", "Partner" or "Website User") or an independent auditor appointed by ("Customer", "Partner" or "Website User") to conduct audits as described in the Model Contract Clauses in accordance with the Business Terms for Reviews and Audits.


("Customer", "Partner" or "Website User") may also conduct an audit to verify CloudTask's compliance with its obligations under these Terms by reviewing the Security Documentation (which reflects the outcome of audits conducted by CloudTask's Third Party Auditor).


IMPACT ASSESSMENTS AND CONSULTATIONS


("Customer", "Partner" or "Website User") agrees that CloudTask will (taking into account the nature of the processing and the information available to CloudTask) assist ("Customer", "Partner" or "Website User") in ensuring compliance with any obligations of ("Customer", "Partner" or "Website User") in respect of data protection impact assessments and prior consultation, including if applicable ("Customer", "Partner" or "Website User")’s obligations pursuant to Articles 35 and 36 of the GDPR.


DATA SUBJECT RIGHTS; DATA EXPORT

Access; Rectification; Restricted Processing; Portability. During the Term, CloudTask will, in a manner consistent with the functionality of the Services, enable ("Customer", "Partner" or "Website User") to access, rectify and restrict processing of ("Customer", "Partner" or "Website User") Data, including via the deletion functionality provided by CloudTask and to export ("Customer", "Partner" or "Website User") Data.

Data Subject Requests

("Customer", "Partner" or "Website User")’s Responsibility for Requests

During the Term, if CloudTask receives any request from a data subject in relation to ("Customer", "Partner" or "Website User") Personal Data, CloudTask will advise the data subject to submit their request to ("Customer", "Partner" or "Website User") and ("Customer", "Partner" or "Website User") will be responsible for responding to any such request including, where necessary, by using the functionality of the Services.

CloudTask's Data Subject Request Assistance

("Customer", "Partner" or "Website User") agrees that CloudTask will (taking into account the nature of the processing of ("Customer", "Partner" or "Website User") Personal Data) assist ("Customer", "Partner" or "Website User") in fulfilling any obligation to respond to requests by data subjects, including if applicable ("Customer", "Partner" or "Website User")’s obligation to respond to requests for exercising the data subject’s rights laid down in Chapter III of the GDPR.

DATA TRANSFERS

Data Storage and Processing Facilities

("Customer", "Partner" or "Website User") may select where certain ("Customer", "Partner" or "Website User") Data will be stored (the "Data Location Selection"), and CloudTask will store it there in accordance with the Service Specific Terms. If a Data Location Selection is not covered by the Service Specific Terms (or a Data Location Selection is not made by ("Customer", "Partner" or "Website User") in respect of any ("Customer", "Partner" or "Website User") Data), CloudTask may store and process the relevant ("Customer", "Partner" or "Website User") Data anywhere CloudTask or its Subprocessors maintains facilities.

Transfers of Data Out of the EEA.

CloudTask's Transfer Obligations

If the storage and/or processing of ("Customer", "Partner" or "Website User") Personal Data involves transfers of ("Customer", "Partner" or "Website User") Personal Data out of the EEA, and the General Data Protection Regulation applies to the transfers of such data (“Transferred Personal Data”), CloudTask will: if requested to do so by ("Customer", "Partner" or "Website User"), ensure that CloudTask LLC as the data importer of the Transferred Personal Data enters into Model Contract Clauses with ("Customer", "Partner" or "Website User") as the data exporter of such data, and that the transfers are made in accordance with such Model Contract Clauses; and/or, offer an Alternative Transfer Solution, ensure that the transfers are made in accordance with such Alternative Transfer Solution, and make information available to ("Customer", "Partner" or "Website User") about such Alternative Transfer Solution.


("Customer", "Partner" or "Website User")’s Transfer Obligations. In respect of Transferred Personal Data, ("Customer", "Partner" or "Website User") agrees that: if under the General Data Protection Regulation, CloudTask reasonably requires ("Customer", "Partner" or "Website User") to enter into Model Contract Clauses in respect of such transfers, ("Customer", "Partner" or "Website User") will do so; and if under the General Data Protection Regulation, CloudTask reasonably requires ("Customer", "Partner" or "Website User") to use an Alternative Transfer Solution offered by CloudTask, and reasonably requests that ("Customer", "Partner" or "Website User") take any action (which may include execution of documents) strictly required to give full effect to such solution, ("Customer", "Partner" or "Website User") will do so.


Data Server Information

Information about the locations of CloudTask data servers is available in our privacy policy (as may be updated by CloudTask from time to time).

Disclosure of Confidential Information Containing Personal Data.

If ("Customer", "Partner" or "Website User") has entered into Model Contract Clauses, CloudTask will, notwithstanding any term to the contrary in the Agreement, ensure that any disclosure of ("Customer", "Partner" or "Website User")'s Confidential Information containing personal data, and any notifications relating to any such disclosures, will be made in accordance with such Model Contract Clauses.

Subprocessors

Consent to Subprocessor Engagement. ("Customer", "Partner" or "Website User") specifically authorizes the engagement of CloudTask's Affiliates as Subprocessors. In addition, ("Customer", "Partner" or "Website User") generally authorizes the engagement of any other third parties as Subprocessors (“Third Party Subprocessors”). If ("Customer", "Partner" or "Website User") has entered into Model Contract Clauses, the above authorizations will constitute ("Customer", "Partner" or "Website User")’s prior written consent to the subcontracting by CloudTask LLC of the processing of ("Customer", "Partner" or "Website User") Data if such consent is required under the Model Contract Clauses.

Information about Subprocessors. Information about Subprocessors or third party processors, including their functions, is available in our privacy policy.

Requirements for Subprocessor Engagement

 

When engaging any third-party or subprocessor, CloudTask will:

  • ensure via a written contract that:
      • the Subprocessor only accesses and uses ("Customer", "Partner" or "Website User") Data to the extent required to perform the obligations subcontracted to it, and does so in accordance with the Agreement (including these Terms) and any Model Contract Clauses entered into or Alternative Transfer Solution adopted by CloudTask; and
      • if the GDPR applies to the processing of ("Customer", "Partner" or "Website User") Personal Data, the data protection obligations set out in Article 28(3) of the GDPR, as described in these Terms, are imposed on the Subprocessor; and
  • remain fully liable for all obligations subcontracted to, and all acts and omissions of, the Subprocessor.


Opportunity to Object to Subprocessor Changes

When any new Third Party Subprocessor is engaged during the Term, CloudTask will, at least 30 days before the new Third Party Subprocessor processes any ("Customer", "Partner" or "Website User") Data, inform ("Customer", "Partner" or "Website User") of the engagement (including the name and location of the relevant subprocessor and the activities it will perform) by sending an email.

("Customer", "Partner" or "Website User") may object to any new Third Party Subprocessor by terminating the Agreement immediately upon written notice to CloudTask, on condition that ("Customer", "Partner" or "Website User") provides such notice within 90 days of being informed of the engagement of the subprocessor. This termination right is ("Customer", "Partner" or "Website User")’s sole and exclusive remedy if ("Customer", "Partner" or "Website User") objects to any new Third Party Subprocessor.

Cloud Data Protection Team; Processing Records

CloudTask's DPO can be contacted at info@cloudtask.com

CloudTask's Processing Records

("Customer", "Partner" or "Website User") acknowledges that CloudTask is required under the GDPR to: (a) collect and maintain records of certain information, including the name and contact details of each processor and/or controller on behalf of which CloudTask is acting and, where applicable, of such processor’s or controller's local representative and data protection officer; and (b) make such information available to the supervisory authorities. Accordingly, if the GDPR applies to the processing of ("Customer", "Partner" or "Website User") Personal Data, ("Customer", "Partner" or "Website User") will, where requested, provide such information to CloudTask via email or other means provided by CloudTask.

LIABILITY

Liability Cap

If Model Contract Clauses have been entered into, the total combined liability of either party and its Affiliates towards the other party and its Affiliates under or in connection with the Agreement and such Model Contract Clauses combined will be limited to the Agreed Liability Cap for the relevant party.

Liability Cap Exclusions

Nothing in this section (Liability Cap) will affect the remaining terms of the Agreement relating to liability (including any specific exclusions from any limitation of liability).

Third Party Beneficiary

Notwithstanding anything to the contrary in the Agreement, where CloudTask LLC is not a party to the Agreement, CloudTask LLC will be a third party beneficiary of Reviews and Audits of Compliance, Consent to Subprocessor Engagement and Liability of these Terms.

Effect of These Terms
Notwithstanding anything to the contrary in the Agreement, to the extent of any conflict or inconsistency between these Terms and the remaining terms of the Agreement, these Terms will govern.

Appendix 1: Subject Matter and Details of the Data Processing

Subject Matter

CloudTask's provision of the Services to ("Customer", "Partner" or "Website User").

Duration of the Processing

The Term plus the period from the expiry of the Term until deletion of all ("Customer", "Partner" or "Website User") Data by CloudTask in accordance with the Terms.

Nature and Purpose of the Processing

CloudTask will process ("Customer", "Partner" or "Website User") Personal Data for the purposes of providing the Services to ("Customer", "Partner" or "Website User") in accordance with the Terms.

Categories of Data

Data relating to individuals provided to CloudTask via the Services, by (or at the direction of) ("Customer", "Partner" or "Website User") or by ("Customer", "Partner" or "Website User").

Data Subjects

Data subjects include the individuals about whom data is provided to CloudTask via the Services by (or at the direction of) ("Customer", "Partner" or "Website User") or by ("Customer", "Partner" or "Website User").

Appendix 2: Security Measures


As from the Terms Effective May 25th 2018, CloudTask will implement and maintain the Security Measures set out in this Appendix 2. CloudTask may update or modify such Security Measures from time to time provided that such updates and modifications do not result in the degradation of the overall security of the Services.

Data Server and Network Security

Data Servers

Infrastructure

CloudTask maintains geographically distributed data servers. CloudTask stores all production data in physically secure data servers.

Server Operating Systems

CloudTask servers use a Linux-based implementation customized for the application environment. Data is stored using proprietary algorithms to augment data security and redundancy. CloudTask employs a code review process to increase the security of the code used to provide the Services and enhance the security products in production environments.

Business Continuity

CloudTask replicates data over multiple systems to help to protect against accidental destruction or loss. CloudTask has designed and regularly plans and tests its business continuity planning/disaster recovery programs.

Networks and Transmission

Data Transmission

Data servers are typically connected via high-speed private links to provide secure and fast data transfer between data servers. This is designed to prevent data from being read, copied, altered or removed without authorization during electronic transfer or transport or while being recorded onto data storage media. CloudTask transfers data via Internet standard protocols.

External Attack Surface

CloudTask employs multiple layers of network devices and intrusion detection to protect its external attack surface. CloudTask considers potential attack vectors and incorporates appropriate purpose built technologies into external facing systems.

Intrusion Detection

Intrusion detection is intended to provide insight into ongoing attack activities and provide adequate information to respond to incidents. CloudTask's intrusion detection involves:

  • tightly controlling the size and make-up of CloudTask's attack surface through preventative measures;
  • employing intelligent detection controls at data entry points; and
  • employing technologies that automatically remedy certain dangerous situations.

Incident Response

CloudTask monitors a variety of communication channels for security incidents, and CloudTask's security personnel will react promptly to known incidents.

Encryption Technologies

CloudTask makes HTTPS encryption (also referred to as SSL or TLS connection) available. CloudTask servers support ephemeral elliptic curve Diffie-Hellman cryptographic key exchange signed with RSA and ECDSA. These perfect forward secrecy (PFS) methods help protect traffic and minimize the impact of a compromised key, or a cryptographic breakthrough.

Internal Data Access Processes and Policies

Access Policy

CloudTask's internal data access processes and policies are designed to prevent unauthorized persons and/or systems from gaining access to systems used to process personal data. CloudTask designs its systems to (i) only allow authorized persons to access data they are authorized to access; and (ii) ensure that personal data cannot be read, copied, altered or removed without authorization during processing, use and after recording. The systems are designed to detect any inappropriate access. CloudTask employs a centralized access management system to control personnel access to production servers, and only provides access to a limited number of authorized personnel. LDAP, Kerberos and a proprietary system utilizing SSH certificates are designed to provide CloudTask with secure and flexible access mechanisms. These mechanisms are designed to grant only approved access rights to site hosts, logs, data and configuration information. CloudTask requires the use of unique user IDs, strong passwords, two factor authentication and carefully monitored access lists to minimize the potential for unauthorized account use. The granting or modification of access rights is based on: the authorized personnel’s job responsibilities; job duty requirements necessary to perform authorized tasks; and a need to know basis. The granting or modification of access rights must also be in accordance with CloudTask's internal data access policies and training. Approvals are managed by workflow tools that maintain audit records of all changes. Access to systems is logged to create an audit trail for accountability. Where passwords are employed for authentication (e.g., login to workstations), password policies that follow at least industry standard practices are implemented. These standards include restrictions on password reuse and sufficient password strength. For access to extremely sensitive information (e.g. credit card data), CloudTask uses hardware tokens.

Data

Data Storage, Isolation and Logging

CloudTask stores data in a multi-tenant environment on CloudTask-owned servers. The data and file system architecture are replicated between multiple geographically dispersed servers.


Personnel Security

CloudTask personnel are required to conduct themselves in a manner consistent with the company’s guidelines regarding confidentiality, business ethics, appropriate usage, and professional standards. CloudTask conducts reasonably appropriate background checks to the extent legally permissible and in accordance with applicable local labor law and statutory regulations.

Personnel are required to execute a confidentiality agreement and must acknowledge receipt of, and compliance with, CloudTask's confidentiality and privacy policies. Personnel are provided with security training. Personnel handling ("Customer", "Partner" or "Website User") Data are required to complete additional requirements appropriate to their role (e.g., certifications). CloudTask's personnel will not process ("Customer", "Partner" or "Website User") Data without authorization.

Subprocessor Security

Before onboarding third-party/independent contractors, CloudTask conducts an audit of the security and privacy practices of Subprocessors to ensure Subprocessors provide a level of security and privacy appropriate to their access to data and the scope of the services they are engaged to provide. Once CloudTask has assessed the risks presented by the Subprocessor, then subject to the requirements of these Terms, the Subprocessor is required to enter into appropriate security, confidentiality and privacy contract terms.