GDPR compliance

Security of the processing

When you make the decision to entrust your data to a cloud service like Cloudeezy®, we understand the stakes. We have therefore decided to make available to you the measures taken by our organisation to protect your data.

This Subcontracting Agreement is an integral part of the Contract for Cloudeezy® Services concluded between the Customer and Reendex S.A.S.U.

Terms that begin with a capital letter and are not defined in this Subcontracting Agreement shall have the meaning given to them in the Agreement.

For the purposes of the performance and execution of the Contract, Personal Data within the meaning of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (GDPR) may be communicated to Cloudeezy® and/or Cloudeezy® may have access to it.

The purpose of this Subcontracting Agreement is to define the conditions under which Cloudeezy® undertakes to carry out, for the sole purpose of the strict performance of the Agreement, on the exclusive account of the Customer and for the sole duration of the Agreement, the operations of Processing of Personal Data. The Parties undertake to comply with the Data Protection Regulations as soon as the contract is signed.

Within the framework of the Contract, the Customer acts as data controller within the meaning of the GDPR, with regard to Personal Data, and Cloudeezy® acts as a subcontractor within the meaning of the GDPR.

The Customer has ensured, on the basis of the information provided by Cloudeezy® and other information at its disposal, that Cloudeezy® offers sufficient guarantees, in particular in terms of experience, resources, capacity and reliability, to implement the technical and organizational measures necessary to ensure that the Processing of Personal Data provided for in the Agreement is carried out in a manner that complies with the Data Protection Regulations.

Cloudeezy® declares and guarantees that it has implemented all the technical and organizational measures necessary to ensure that the Processing of Personal Data is carried out in accordance with the Data Protection Regulations, including the GDPR.

1. Definitions

In addition to the terms and expressions defined in this Subcontracting Agreement ("Subcontracting Agreement"), the terms and expressions "International Organization", "Data Protection Officer" and "Personal Data Violation" have the same meaning as given to them in the GDPR. In addition, the following terms and expressions shall have the meanings set out below, whether used in the singular or plural:

- "Personal Data" means any information relating to an identified or identifiable natural person, directly or indirectly, in particular by reference to an identifier, such as a name, an identification number, location data or to one or more elements specific to his physical, physiological, genetic, mental, economic, cultural or social identity, which may be communicated or made available in the context of the execution and performance of the Contract;

- "Security Measures" means the security measures provided for in the Data Protection Regulation and any other obligations under the Data Protection Regulation to ensure the security and confidentiality of Personal Data, including the activities to be carried out in the event of a Personal Data Violation, in particular in order to avoid or reduce the adverse effects of the Personal Data Violation on Data Subjects;

- "Agent" refers to the employees, authorized persons or any other natural person authorized to carry out Processing Operations on Personal Data communicated or made available by Cloudeezy® and/or its possible Subsequent Sub-Contractors;

- "Concerned Person" means the identified or identifiable natural persons to whom the Personal Data refers;

- "Data Protection Regulations" refers to the GDPR, Law no. 78-17 of 6 January 1978 relating to information technology, files and freedoms and its successive amendments ("Loi Informatique et Libertés"), Directive 2002/58/EC of the European Parliament and of the Council concerning the processing of personal data and the protection of privacy in the electronic communications sector of 12 July 2002, as well as all legislative provisions, regulations, guidelines and opinions, certifications, approvals, recommendations or final court decisions relating to the protection of personal data applicable to the Processing of Personal Data, already in force or which will come into force during the term of this Subcontracting Agreement, including the measures, guidelines and opinions of the Working Party referred to in Article 29 of Directive 95/46/EC, of the European Data Protection Committee referred to in Articles 63 et seq. of the GDPR and of any other competent authority. In the event of any contradiction between the Data Protection Act, the GDPR and/or the measures adopted by the competent authorities in the implementation thereof, the provisions of the GDPR and the measures adopted for its implementation shall prevail.

- "Processing(s)" means the processing of Personal Data within the meaning of the GDPR, entrusted to Cloudeezy® in the context of the Agreement and described in this Subcontracting Agreement.

2. Processing(s) subject to Subcontracting

2.1. The Processing carried out by Cloudeezy® for the purposes of this Subcontracting Agreement shall relate solely to the types of Personal Data and the categories of Concerned Persons defined by the Customer.

2.2 Cloudeezy® undertakes to guarantee the confidentiality of the Personal Data and to ensure that all Cloudeezy® Employees and Subcontractors authorized to process Personal Data under this Subcontracting Agreement respect the confidentiality of the Personal Data. The obligation of confidentiality of the Personal Data will remain in force for five years after the expiration of the Contract.

3. Nature, purposes and methods of the Processing

3.1 Cloudeezy®, as Subcontractor for the Processing, undertakes, at its own expense, to:

  1. process Personal Data for the exclusive purpose of performing the Contract within the limits and according to the terms and conditions stipulated in the Contract, this Subcontracting Agreement and the Data Protection Regulations;
  2. not define independently the modalities for the Processing of Personal Data and not act as an independent controller of the Processing in relation to such data;
  3. scrupulously respect the written instructions communicated by the Customer and inform the Customer if it considers that an instruction infringes the Data Protection Regulations or, more generally, the applicable legislation;
  4. only process Personal Data that are strictly necessary for the execution of the Contract or to comply with legal obligations;
  5. process Personal Data in a lawful manner, and in accordance with the Contract, this Subcontracting Agreement and the requirements set forth in the Data Protection Regulations;
  6. inform the Customer of any requirements to modify, update, correct or delete Personal Data and update, modify, correct or delete them at the Customer's request;
  7. assist and collaborate with the Customer in the event of a request from the competent authorities or the Persons Concerned, and in order to comply with the obligations arising from the Data Protection Regulations;
  8. make available to the Customer all the information in its possession that is necessary to demonstrate that it complies with the obligations set out in the Data Protection Regulations.

3.2 Cloudeezy® is expressly prohibited from using all or part of the Personal Data, for any purpose whatsoever, for its own account or for the account of a third party, whether during the term of the Contract or after its expiry.

4. Record of Processing Activities

4.1. In accordance with article 30, paragraph 2, of the GDPR, Cloudeezy® undertakes to keep a separate register, permanently updated, concerning all categories of activities relating to the Processing of Personal Data carried out on behalf of the Customer.

It will include:

  1. the name and contact details of Cloudeezy® and its Subsequent Subcontractors, those of the Customer and, if applicable, of the Customer's Data Protection Officer and Cloudeezy®;
  2. the categories of Processing carried out on behalf of the Customer;
  3. where applicable, transfers of Personal Data to a third country or to an International Organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1) of the GDPR, documents attesting to the existence of the appropriate safeguards imposed by Article 49 of the GDPR; and
  4. a general description of the technical and organisational security measures referred to in Article 32(1) of the GDPR including, inter alia, as appropriate:
    1. pseudonymisation and encryption of Personal Data;
    2. means to ensure the continued confidentiality, integrity, availability and resilience of processing systems and services;
    3. the means to restore the availability of and access to Personal Data within appropriate time limits in the event of a physical or technical incident;
    4. a procedure for regularly testing, analysing and evaluating the effectiveness of technical and organisational measures to ensure the security of processing.

4.2 Cloudeezy® undertakes to provide the Customer without delay with a copy of the register referred to in clause 4.1 at the request of the Customer and/or the competent authorities.

4.3. Cloudeezy® undertakes to provide the Customer with all the information relating to the Processing of Personal Data that the Customer reasonably needs in order to be able to establish its own register of activities relating to the processing referred to in article 30, paragraph 1, of the GDPR.

5. Obligations relating to Agents

5.1. Cloudeezy® undertakes to ensure that the Agents have exclusive access to Personal Data that is strictly necessary for the performance of the Contract or in order to carry out legal obligations and shall exclusively Process such Personal Data, in all cases, within the limits and terms of this Subcontracting Agreement, the Contract and the Data Protection Regulations.

5.2. Cloudeezy® also undertakes to authorize the Processing of Personal Data only to those Employees who:

  1. by virtue of their experience, skills and training, are able to guarantee compliance with the Data Protection Regulations and who must have access to them in order to execute the Contract;
  2. have undergone training at least once a year on the obligations laid down in the Data Protection Regulations;
  3. have been designated in writing as Processing Operations Officers;
  4. are obliged, in writing, to observe strict confidentiality obligations during the Processing of Personal Data;

and to ensure that the Employees scrupulously carry out the instructions received and the obligations incumbent upon them.

5.3. Cloudeezy® undertakes to establish physical, technical and organizational measures designed to ensure that:

  1. each Agent may have access exclusively to the Personal Data that may be Processed according to the authorisation available to the Agent, taking into account the activity that the Agent must carry out within the framework of the Contract;
  2. any Processing of Personal Data constituting a breach of this Subcontract Agreement, the Contract and/or the Data Protection Regulations is promptly identified and reported to the Customer, including in accordance with the procedure and within the time limits referred to in Article 8 in the event of a Personal Data Breach; and
  3. upon termination of the Contract or of the mission entrusted to the Agent, the Agent shall immediately cease Processing Personal Data and shall refrain from keeping any copies of the Personal Data in any form whatsoever, in particular in electronic or paper format.

6. Subsequent subcontractors

6.1. Cloudeezy® may only use another subcontractor ("Subsequent Subcontractor") to perform specific Processing activities. At the Customer's request, Cloudeezy® shall provide the Customer with a list of the Subsequent Subcontractors involved in the Agreement and shall inform the Customer in the event of a change in these Subsequent Subcontractors.

6.2. Cloudeezy® shall ensure that each Subsequent Subcontractor provides adequate safeguards with respect to the Data Protection Regulations regarding the technical and organizational measures adopted for the Processing of Personal Data and shall ensure that each Subsequent Subcontractor immediately ceases the Processing of Personal Data if such safeguards are not met. If a Subsequent Subcontractor fails to meet its obligations with respect to the protection of Personal Data, Cloudeezy® shall remain fully responsible to the Customer for the performance by the Subsequent Subcontractor of its obligations.

6.3. Cloudeezy® shall ensure that each Subsequent Subcontractor is subject to adequate confidentiality obligations and that it undertakes to comply with the obligations of this Subcontract Agreement on behalf of and as directed by the Customer, by a written agreement having a similar content to the Subcontract Agreement.

7. Security measures

7.1. Cloudeezy® undertakes to adopt Security Measures in accordance with the provisions of the Data Protection Regulations and this Subcontracting Agreement.

7.2. More specifically, Cloudeezy®, taking into account the current situation, the costs of implementation, and the nature, purpose and context of the Processing of Personal Data, as well as the risk that the Processing presents for the rights and freedoms of individuals and the likelihood and seriousness of this risk, undertakes to implement adequate technical and operational measures in order to ensure a level of security appropriate to the risk involved in the Processing of Personal Data, including, where appropriate, the measures provided for in Article 32(1) of the GDPR. In all cases, Cloudeezy® commits itself:

  1. to adopt, as a minimum requirement, all the technical and organisational measures imposed by the Data Protection Regulations;
  2. to keep the Personal Data separate from other data processed on its behalf or that of third parties, only in the places indicated by the Customer; and
  3. to send, at the Customer's request, information relating in particular to the physical, organizational and technical measures adopted for the Processing of Personal Data by Cloudeezy® and its own possible Subsequent Subcontractors, as well as any other additional information that may be requested by the Customer in relation to the physical, technical and organizational measures implemented in connection with the Processing of Personal Data.

8. Violation of Personal Data

8.1. In the event of a Personal Data Breach or of incidents that may compromise the security of Personal Data (for example: loss, damage or destruction of Personal Data, regardless of the medium or format (paper, electronic or other), unauthorized access by third parties to Personal Data or any other Personal Data Breach), including Personal Data Breaches resulting from the conduct of any Subsequent Subcontractors and/or Cloudeezy® Employees, Cloudeezy® will:

  1. inform the Customer without delay after becoming aware of the violation, by means of a notification sent by e-mail to the Customer's contact address, and provide the Customer with the relevant information in order to enable the Customer, if necessary, to notify the competent supervisory authority of the violation; and
  2. in collaboration with the Customer, immediately and, in any event, without undue delay, adopt any measure necessary to minimise the risks of any kind to the Personal Data arising from the Violation thereof, and implement any operation that may be necessary to remedy the Violation of the Personal Data in order to mitigate the possible adverse effects and investigate the cause thereof.
    • For the purposes of this Subcontracting Agreement, Cloudeezy® represents and warrants that it and its potential Subsequent Subcontractors have adopted technical and organizational measures that make it unlikely that a possible Violation of the Personal Data will threaten the rights and freedoms of the corresponding Data Subjects, including by means of technologies such as encryption that render the Personal Data incomprehensible to any person not authorized to access it.
    • Cloudeezy® undertakes to keep a register listing the Personal Data Violations relating to the Personal Data subject to this Subcontracting Agreement, the circumstances associated therewith, their consequences, the measures adopted to remedy them, as well as any breaches of this Subcontracting Agreement.

9. Rights of Persons Concerned

Cloudeezy® undertakes to collaborate with the Customer to a reasonable extent in order to guarantee the satisfaction, within the time limits and in accordance with the procedures laid down by law, of the requests for exercise of the rights of the Persons Concerned provided for by the Data Protection Regulations, and more generally, in order to guarantee full compliance with the Data Protection Regulations. In this respect, Cloudeezy® undertakes to inform the Customer of any requests for the exercise of rights made by the Concerned Persons in question.

10. Communication and transfer of Personal Data

Cloudeezy® undertakes, as part of the Processing that is the subject of this Subcontracting Agreement:

  1. to refrain from disseminating or communicating the Personal Data to third parties, including any Subsequent Subcontractors, unless the applicable Regulations or the Agreement expressly so provides or the Customer authorises it in writing; and
  2. to refrain from transmitting, disseminating or storing Personal Data in a country outside the European Union without the prior and express consent of the Customer. If Cloudeezy® is required to transfer Personal Data to a third country or to an international organisation, by virtue of the law of the Union or the law of the Member State to which it is subject, it must inform the Customer before the processing and justify the imperative nature of this obligation, unless the law concerned prohibits such information for important reasons of public interest.

11. Control

11.1. Cloudeezy® undertakes to provide the Customer, upon request, with any document reasonably necessary to ensure that it complies with the obligations arising from this Subcontract Agreement.

11.2 Cloudeezy® acknowledges that the Customer may, at its own expense, have the organizational, technical and security measures adopted by Cloudeezy® in connection with the Processing of Personal Data evaluated by a trusted third party, recognized as an independent auditor of the Parties and designated by Cloudeezy®, under the conditions to be defined by Cloudeezy® and the Customer and within the limits of maintaining the Services and the confidentiality and security of Cloudeezy®'s other customers.

12. Compensation

The Customer expressly acknowledges and agrees that Cloudeezy® may be compensated for the Processing Subcontractor activity performed by it and its Subsequent Subcontractors under this Subcontracting Agreement.

13. End of the Contract

Upon termination of the Contract for any reason whatsoever, Cloudeezy® shall immediately cease all Processing of Personal Data and shall delete the Personal Data and any copies thereof, whether in electronic or paper format, from computer systems, archives or any other place or device where the Personal Data is stored, within ten working days, unless the retention of the Personal Data is required by applicable law, in which case such retention shall only take place within the limits strictly provided for by such law. It is therefore incumbent on the Customer to ensure that its Personal Data is kept prior to the end of the Contract.

14. Deletion and Restitution of Personal Data

At the end of the Service (in particular in the event of termination or non-renewal), Cloudeezy® undertakes to delete, in accordance with the terms of the Agreement, any Content (including but not limited to information, data, files, systems, applications and other elements) reproduced, stored, hosted or otherwise used by the Customer in connection with the Services, unless a request by a competent legal or judicial authority, or the applicable law of the European Union or a Member State of the European Union, requires otherwise. The Customer is solely responsible for ensuring that the operations necessary (such as backup, transfer to a third party solution, snapshots, etc.) for the retention of Personal Data are carried out, in particular before the termination or expiry of the Services, and before carrying out any operation to delete, update or reinstall the Services. In this respect, the Customer is informed that the termination and expiration of a Service for any reason whatsoever (including, but not limited to, non-renewal), as well as certain operations to update or reinstall the Services, may automatically result in the irreversible deletion of any Content (including information, data, files, systems, applications and other items) reproduced, stored, hosted or otherwise used by the Customer in connection with the Services, including any potential backups.

15. Responsibility

Cloudeezy® may only be held liable for damage caused by processing for which (i) it has not complied with the obligations provided for in the GDPR that are specifically incumbent on subcontractors or for which (ii) it has acted outside or contrary to the Customer's lawful instructions. In such cases, the liability provision of the Contract shall apply. Where Cloudeezy® and the Customer are involved in processing under this Agreement which has caused damage to a person concerned, the Customer shall first pay the full amount of the actual compensation (or any other compensation) due to the person concerned and shall then claim from Cloudeezy® the portion of the compensation corresponding to Cloudeezy®'s share of liability for the damage, it being specified that the limitation of liability clauses provided for in the Agreement shall remain applicable.

16. Audits

Cloudeezy® provides the Customer with all the information necessary to (a) demonstrate compliance with the requirements of the GDPR and (b) conduct audits. This information is available in the standard documentation on the Cloudeezy® website or on the website of the Service operating a Cloudeezy® trademark subscribed to by the Customer. Additional information may be communicated to the Customer upon request to Cloudeezy® Support. If a Service is certified, complies with a code of conduct or is subject to specific control procedures, Cloudeezy® shall make available, upon written request by the Customer, the corresponding certificates and control reports. If the above information, reports and certificates are insufficient to enable the Customer to demonstrate that the obligations under the GDPR are being met, Cloudeezy® and the Customer shall meet to agree on the operational, safety and financial terms of an on-site technical inspection. In any event, the conditions of this inspection must not affect the safety of other Cloudeezy® customers.

The abovementioned on-site inspection and the communication of certificates and inspection reports may give rise to a reasonable additional charge. Any information communicated to the Customer pursuant to this clause that is not available on the Cloudeezy® Web Site or on the Service's Web Site using a Cloudeezy® trademark subscribed to by the Customer shall be considered confidential information of Cloudeezy® under the Agreement. Before releasing this information, Cloudeezy® may require the signing of a specific confidentiality agreement. Notwithstanding the foregoing, the Customer is entitled to respond to requests from the competent supervisory authority provided that any disclosure of information is strictly limited to what is requested by the said authority. In such a case, and unless prohibited by applicable law, the Customer must first consult with Cloudeezy® regarding any required disclosure.


Annex 2 of the Convention in accordance with Art. 28 of the GDPR

Technical and organisational measures in accordance with Art. 32 of the GDPR and amendments

1. Privacy

  • Physical access control
    • Data centre parks
      • electronic physical entry control system with logbook
      • high-security perimeter fencing around the entire data centre grounds
      • documented distribution of the keys granted to the supplier's employees and colocation customers - for colocation racks (for each Customer, only for his rack)
      • policies for accompanying and designating guests in the building
      • 24-hour data centre staff
      • video surveillance at entrances and exits; security door locking systems and server rooms
      • for persons external to the provider (visitors to the data center), access to the building is only permitted in the company of a data center employee
    • Monitoring
      • electronic physical access control system with logbook
      • video monitoring for all entrances and exits
  • Electronic access control
    • For managed server, web hosting and storage service implementations
      • Access is password protected and only the supplier's employees have access to the passwords. Passwords should meet a minimum length and should be changed regularly.
      • the Client's password for the administration interface, after initial deployment, can only be changed by the Client; the password must conform to the predefined guidelines. In addition, the Client can use two-factor authentication to further secure their account.
  • Internal access control
    • For the vendor's internal administration systems
      • The Provider shall prevent unauthorized access by applying regular security updates and using state-of-the-art technology.
      • a mandatory, revision-proof authorization process for supplier employees.
    • For the production of storage services
      • The Provider shall prevent unauthorized access by applying regular security updates and using state-of-the-art technology.
      • a mandatory, revision-proof authorization process for supplier employees; and
      • only the Customer is responsible for the data / software transferred with regard to security and updates
  • Transfer control
    • Data centre parks
      • disks that were running on cancelled servers will be deleted several times (wiped) in accordance with the data protection policies at the end of the contract. After extensive testing, the scanned disks will be reused.
      • Defective disks that cannot be securely deleted must be destroyed (shredded) directly in the data centre.
  • Isolation control
    • For the vendor's internal administration systems
      • the data must be physically or logically isolated and saved separately from other data
      • data backups must also be made using a similar system of physical or logical isolation
    • For the production of storage services
      • the data must be physically or logically isolated and saved separately from other data
      • data backups must also be made using a similar system of physical or logical isolation

2. Integrity (Art. 32 (1) (b) of the GDPR)

  • Data transfer control
    • all employees are trained in accordance with Art. 32(4) of the GDPR and are required to ensure that personal data are processed in accordance with data protection regulations
    • deletion of data in accordance with data protection regulations after termination of the contract
    • encrypted data transmission options are provided as part of the service description of the main commission
  • Data Entry Control
    • For the vendor's internal administration systems
      • the data is entered or collected by the Client
      • data changes are saved
    • For the production of storage services
      • the data is entered or collected by the customer
      • data changes are saved

3. Availability and resilience (art. 32, para. 1, clause b of the GDPR)

  • Availability check
    • For the vendor's internal administration systems
      • backup and restore concept with daily backups of all relevant data
      • professional use of security programs (antivirus, firewall, encryption programs, spam filters)
      • use of disk mirroring on all relevant servers
      • monitoring of all relevant servers
      • use of an uninterruptible power supply or emergency power system
      • DDoS protection permanently active
