Security of the processing
When you entrust your data to a Cloud service such as Cloudeezy®, we are aware of what is at stake. This Data Processing Agreement (the "DPA") forms part of the Cloudeezy® Service Agreement between the Customer and Reendex.
Terms beginning with a capital letter that are not defined in this DPA have the meaning given to them in the Agreement.
For the purposes of the performance of the Contract, Personal Data within the meaning of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (the "GDPR") may be communicated to Cloudeezy® and/or Cloudeezy® may have access to it.
The purpose of this DPA is to define the conditions under which Cloudeezy® undertakes to carry out Personal Data processing operations on behalf of the Customer, for the sole purpose of the strict performance of the Contract and for the sole duration of the Contract. The Parties undertake, from the signature of the Contract, to comply with the Data Protection Regulations.
Within the framework of the Contract, the Customer acts as data controller within the meaning of the GDPR with regard to the Personal Data, and Cloudeezy® acts as processor within the meaning of the GDPR.
The Customer has ensured, on the basis of the information provided by Cloudeezy® and other information at its disposal, that Cloudeezy® offers sufficient guarantees, in particular in terms of experience, resources, capacity and reliability, to implement the technical and organizational measures necessary to ensure that the Processing of Personal Data provided for in the Agreement is carried out in a manner that complies with the Data Protection Regulations.
Cloudeezy® declares and guarantees that it has implemented all the technical and organisational measures necessary to ensure that the Processing of Personal Data is carried out in accordance with the Data Protection Regulations, including the GDPR.
It is also recommended to consult the following article:
Security, redundancy, availability: the Cloudeezy hosting infrastructure in detail.
Article 1. Background and Purpose
The Customer, acting as data controller, has subscribed to one or more services from Cloudeezy®, either under the Cloudeezy® General Terms and Conditions or under a specific contract. The Customer hosts personal data on Cloudeezy®'s servers, which gives Cloudeezy® the status of processor, in accordance with the CNIL's doctrine.
The purpose of these clauses is to define the conditions under which the processor undertakes to carry out the personal data processing operations defined below on behalf of the controller.
In the context of their contractual relationship, the parties undertake to comply with the regulations in force applicable to the processing of personal data and, in particular, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, applicable from 25 May 2018 (hereinafter "the European Data Protection Regulation").
It is recalled that, within its commercial relationship with the Data Controller, Cloudeezy® limits itself to providing hosting space and never acts directly on the Customer's personal data: in no case does Cloudeezy® handle the Customer's personal data other than to store it and, provided the Customer has subscribed to the "backup" option, to back it up.
As a hosting provider, Cloudeezy® has no general obligation to monitor the content it hosts and, unless the Customer subscribes to a specific service, is therefore unaware of whether its customers host personal data on its services.
Article 2. Description of the processing operation being outsourced
The processor is authorised to host and, subject to subscription to this service, to back up, on behalf of the controller, the personal data that the controller has declared in the declaration form.
The nature of the operations carried out on the data is the hosting of the data and, subject to subscription to this service, the backup of the data.
The purpose(s) of the processing are not known to the Processor, in accordance with Article 6-I-2 of Law No. 2004-575 of 21 June 2004. The Data Controller may however, subject to the implementation of a separate service, bring to the attention of the Processor the purpose(s) of the processing of the personal data that it hosts on the Cloudeezy® servers.
The personal data processed are not known to the Processor, in accordance with Article 6-I-2 of Law No. 2004-575 of 21 June 2004. The Data Controller may however, subject to the implementation of a separate service, bring to the attention of the Processor the personal data that it hosts on the Cloudeezy® servers.
The categories of data subjects are not known to the Processor, in accordance with Article 6-I-2 of Law No. 2004-575 of 21 June 2004. The Data Controller may however, subject to the implementation of a separate service, bring to the attention of the Processor the categories of data subjects whose personal data it hosts on the Cloudeezy® servers.
Article 3. Duration of the contract
These general terms and conditions for the hosting of personal data came into force on 1 April 2021.
Article 4. Obligations of the processor towards the controller
The processor undertakes to:
- Process the data solely for the purpose for which it has been entrusted to the processor, namely to host it, it being understood that the processor performs no operation on the controller's personal data other than hosting it on its servers, whether production servers or, provided the controller has subscribed to the backup option, backup servers
- To process the data in accordance with the services contracted by the Customer. If the processor considers that an instruction constitutes a breach of the European Data Protection Regulation or any other provision of Union or Member State law relating to data protection, it shall immediately inform the controller. Furthermore, if the processor is required to transfer data to a third country or to an international organisation under Union law or the law of the Member State to which it is subject, it must inform the controller of this legal obligation prior to the processing, unless the law concerned prohibits such information on important public interest grounds.
- Guarantee the confidentiality of the personal data processed under this contract. Since the Customer has full access to the personal data hosted by Cloudeezy®, this guarantee applies only insofar as the Data Controller does not make its hosting accessible to unauthorised third parties and itself takes the security measures needed to preserve confidentiality
- Ensure that the persons authorised to process personal data under this contract:
- Are committed to confidentiality or are subject to an appropriate legal obligation of confidentiality,
- Receive the necessary training on the protection of personal data.
- Take into account the principles of data protection by design and data protection by default for its tools, products, applications and services.
Article 5. Subcontracting
The processor may engage another processor (hereinafter "the sub-processor") to carry out specific processing activities. In this case, the processor shall inform the controller in advance and in writing of any changes envisaged concerning the addition or replacement of sub-processors. This information shall clearly indicate the processing activities sub-contracted, the identity and contact details of the sub-processor and the dates of the sub-processing contract.
The data controller shall have a maximum of 15 days from the date of receipt of this information to present its objections.
Such sub-processing may only take place if the controller has not objected within the agreed time limit.
The sub-processor shall be required to fulfil the obligations of this contract on behalf of and in accordance with the instructions of the controller. It is the responsibility of the original processor to ensure that the subsequent processor provides the same sufficient guarantees as to the implementation of appropriate technical and organisational measures so that the processing meets the requirements of the European Data Protection Regulation.
If the sub-processor fails to fulfil its data protection obligations, the original processor remains fully liable to the controller for the performance of the sub-processor's obligations.
Article 6. Right to information of data subjects
It is the responsibility of the data controller to inform the data subjects of the processing operations at the time the data are collected.
Article 7. Exercise of the rights of individuals
To the extent possible, the processor must assist the controller in fulfilling its obligation to comply with requests to exercise the rights of data subjects: right of access, rectification, erasure and objection, right to restriction of processing, right to data portability, right not to be subject to an automated individual decision (including profiling).
When data subjects address requests to exercise their rights to the processor, the processor must forward these requests, upon receipt, by e-mail to the address indicated by the Customer when subscribing to the services.
Article 8. Notification of personal data breaches
The processor shall notify the data controller of any personal data breach as soon as possible after becoming aware of it, by e-mail to the address indicated by the Customer when subscribing to the services.
Such notification shall be accompanied by any relevant documentation to enable the controller, if necessary, to notify the breach to the competent supervisory authority.
The notification shall contain at least:
- a description of the nature of the personal data breach including, if possible, the categories and approximate number of individuals affected by the breach and the categories and approximate number of personal data records affected;
- the name and contact details of the Data Protection Officer or other contact point from whom further information can be obtained;
- a description of the likely consequences of the personal data breach ;
- a description of the measures taken or proposed to be taken by the processor to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
If, and to the extent that, it is not possible to provide all this information at the same time, the information may be provided in a staggered manner without undue delay.
The controller is responsible for communicating personal data breaches to the data subjects. It is recalled that the processor has no knowledge of the personal data it hosts and is therefore not in a position to determine whether a personal data breach is likely to result in a high risk to the rights and freedoms of natural persons.
Article 9. Assistance of the processor in complying with the controller's obligations
The processor shall provide the controller with the documentation relevant to the performance of data protection impact assessments by the controller, only with respect to those aspects for which the processor is responsible, namely the hosting of the data.
The processor shall assist the controller as far as possible and reasonable in carrying out the prior consultation with the supervisory authority by providing the necessary documentation.
Article 10. Security measures
The processor undertakes to implement the following security measures:
- Classification and control of information assets: designation of information owners, classification of each piece of information, security rules associated with each class of information and inventory.
- Staff security: Cloudeezy® has drawn up a security awareness plan for all staff, adapted to their individual functions. In addition, the Cloudeezy® security team raises the awareness of all staff so that everyone is aware of their responsibility in the security improvement process.
- Cloudeezy®'s logical security policy is based on a set of fundamental principles applied throughout its infrastructure. These principles are:
- Anything that is not explicitly permitted is prohibited (default deny),
- There is never a direct connection between the protected internal network(s) and the Internet: all traffic passes through a firewall,
- Equipment connected to the internal network is "invisible" from the Internet,
- Private communications between different sites over an external network (i.e. one not managed by Cloudeezy®) are protected (e.g. via a VPN).
It is recalled that, in the context of the hosting service, the data controller itself decides the security policy it subscribes to, which may be more or less extensive depending on the options chosen (in particular subscription to a dedicated firewall, protection of Nextcloud instances by VPN, etc.). Cloudeezy®'s measures do not replace the security measures that the data controller must itself take so that its processing of personal data complies with the GDPR.
Article 11. Fate of the data at the end of the commercial relationship
The fate of the data at the end of the contractual relationship between Cloudeezy® and the Customer is specified in the Cloudeezy® general conditions.
Article 12. Documentation
The processor shall make available to the controller the documentation necessary to demonstrate compliance with all its obligations, within the limits of the processor's role, namely the hosting of the controller's data.
Article 13. Obligations of the controller towards the processor
The data controller undertakes to:
- Document in writing any instructions regarding the processing of data by the processor,
- Ensure, beforehand and throughout the processing, that the processor complies with the obligations set out in the European Data Protection Regulation,
- Supervise the processing carried out by the processor in accordance with the Contract.
Article 14. Scope of the general conditions for data exchange
These General Terms and Conditions for hosting personal data under the General Data Protection Regulation, in force since 25 May 2018, together with the Cloudeezy® General Terms and Conditions or the specific contract concluded with the Customer, form a single contractual document.
All stipulations of the Cloudeezy® General Terms and Conditions or of the specific contract from which the present General Terms and Conditions for hosting personal data do not derogate, and which do not contradict them, remain fully applicable between the parties. In the event of a discrepancy between the Cloudeezy® General Terms and Conditions and the present General Terms and Conditions for hosting personal data, the latter shall prevail from the date they come into force.
If one of the stipulations of the General Terms and Conditions for hosting personal data should prove to be null and void under a rule of law in force or a final judicial decision, it shall be deemed unwritten, without this entailing the nullity of these General Terms and Conditions for hosting personal data or affecting the validity of their other provisions.