1. Scope and application
This Addendum will apply, if required by Data Protection Legislation (as defined below) and only to the extent that, ClawCloud processes personal data contained in or generated in relation to Your Member Content (the “Data”) as a processor on behalf of You in the course of providing any ClawCloud Services to You.
This Addendum forms part of ClawCloud Terms and Conditions or other equivalent agreement between You and ClawCloud in relation to Your use of ClawCloud Services (the “Agreement”).
Capitalised terms not defined herein will have the meaning given in the Agreement. In the event and to the extent of a conflict between the other terms of the Agreement including its Addenda or any other agreements between You and ClawCloud regarding the Data and this Addendum, this Addendum will prevail.
2. Definitions
In this Addendum:
“controller”, “data subject”, “process”, “processor” and “supervisory authority” each has the meaning given in GDPR, or the equivalent term under applicable Data Protection Legislation.
“Data Protection Legislation” means, as applicable: all laws and regulations applicable to and binding on the processing of Data by You and/or ClawCloud, including but not limited to (i) GDPR, (ii) the GDPR as saved into United Kingdom law by virtue of section 3 of the United Kingdom's European Union (Withdrawal) Act 2018 (the “UK GDPR”), (iii) the Singapore Personal Data Protection Act 2012 (“PDPA”), and in each case, any related national laws, legislation, rules or regulations, related to privacy and data protection. For clarity, a reference to Data Protection Legislation, includes a reference to Data Protection Legislation as amended, modified, extended, re-enacted, consolidated or replaced from time to time.
“GDPR” means Regulation (EU) 2016/679.
“personal data” means personal data, personal information, personally identifiable information or other equivalent term (each as defined in Data Protection Legislation).
“Restricted Transfer” means (i) where the GDPR applies, a transfer of personal data from the European Economic Area to a country, territory or organisation outside of the European Economic Area which is not subject to an adequacy determination by the European Commission; and (ii) where the UK GDPR applies, a transfer of personal data from the United Kingdom to any other country, territory or organisation which is not based on adequacy regulations pursuant to Section 17A of the United Kingdom Data Protection Act 2018.
“Standard Contractual Clauses” means (i) where the Data is protected by the GDPR, the standard contractual clauses annexed to the European Commission's Implementing Decision 2021/914/EU of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (“EU SCCs”) and (ii) where the Data is protected by the UK GDPR, the “International Data Transfer Addendum to the EU Commission Standard Contractual Clauses” issued by the Information Commissioner under s.119A(1) of the Data Protection Act 2018 (“UK Addendum”). A copy of the Standard Contractual Clauses can be obtained at https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc, or by contacting us at [email protected].
3. Description of processing
For the purposes of this Addendum, You (the controller or processor) appoint ClawCloud as Your processor to process the Data, for the duration of the Agreement, for the purposes of providing the ClawCloud Services to You and complying with applicable law (the “Permitted Purpose”).
4. Data processing
In processing the Data under the Agreement, ClawCloud shall, to the extent such Data is in ClawCloud’s possession or under its control:
(a) only process the Data on Your documented instructions unless required otherwise by applicable law;
(b) ensure that all personnel authorised by ClawCloud to process the Data are subject to suitable confidentiality obligations;
(c) implement and maintain appropriate technical and organisational security measures (including access control), or otherwise making reasonable security arrangements, as described at https://claw.cloud/security, designed to: (i) protect the Data processed by ClawCloud against unauthorized or accidental access, processing, erasure, loss or use of the Data arising from a breach of ClawCloud’s security (a “Security Incident”); ClawCloud may change those measures from time to time, but not so as to reduce the level of protection for Data below the mandatory minimum required under Data Protection Legislation (as applicable). In the event of a confirmed Security Incident, to the extent required under Data Protection Legislation: (1) ClawCloud shall notify You without undue delay and shall provide reasonable information and cooperation to You so that You can fulfil any data breach reporting obligations You may have under (and in accordance with the timelines required by) applicable Data Protection Legislation; and (2) ClawCloud shall further take any reasonably necessary measures and reasonably necessary actions to remedy or mitigate the effects of the Security Incident, and shall keep You informed of all material developments in connection with the Security Incident. Security Incident shall be deemed to include a “personal data breach” or equivalent terms defined under the applicable Data Protection Legislation;
(d) hereby be granted Your general authorisation to engage third party subcontractors to process the Data for the Permitted Purpose, provided that ClawCloud (i) (subject to your compliance with Clause 5 below) shall remain fully liable for any of its subcontractors; and (ii) shall impose data protection terms on any subcontractor it appoints to process any Data, that require it to protect such Data to at least the standard required by applicable Data Protection Legislation, or the provisions of this Addendum, whichever is more protective. You may object to ClawCloud’s appointment or replacement of such a subcontractor before its appointment or replacement, provided such objection is based on reasonable grounds relating to data protection. In such event, ClawCloud will either not appoint or replace the relevant subcontractor or, if this is not possible, You may terminate the relevant ClawCloud Service and this Addendum to the extent it applies to that ClawCloud Service, but You shall not be entitled to any refund of any fees or costs incurred by You for that ClawCloud Service before that termination and the termination of such ClawCloud Service shall not affect any other services provided to You, and any fees or costs in relation to those other services;
(e) assist You to respond to data subjects’ requests to exercise their rights regarding any Data under applicable Data Protection Legislation by providing You with technical measures to enable You, to the extent consistent with the functionality of the ClawCloud Services and ClawCloud’s role as a processor, to access, rectify, erase, restrict or export Data directly (and You agree that, taking into account the nature of the processing, this paragraph reflects the extent to which it is possible for ClawCloud to provide You with such assistance). If a data subject, supervisory authority or any other party directly approaches ClawCloud with any request, query or complaint regarding any Data, ClawCloud shall, promptly notify You accordingly or notify that person that they should approach You instead;
(f) if ClawCloud believes or becomes aware that its processing of the Data is likely to result in a high risk to the data protection rights and freedoms of data subjects, promptly inform You and provide reasonable cooperation to You (at Your expense) in connection with any data protection impact assessment and/or prior consultation that You may be required under applicable Data Protection Legislation to undertake for Your use of ClawCloud Services;
(g) at Your choice, delete or return all Data in ClawCloud’s possession or control following the termination of the Agreement provided that the costs incurred by ClawCloud for such deletion or return of Data shall be borne by You. This requirement shall not apply to the extent that ClawCloud is required or permitted by applicable law to retain some or all of the Data, or Data archived on back-up systems, in which event ClawCloud shall securely isolate and protect such Data from any further processing except: (i) to the extent required by such law until deletion is possible; or (ii) where such Data ceases to contain personal data;
(h) make reasonable security arrangements, at ClawCloud’s selection and expense, to (at appropriate regular intervals) verify the adequacy of its security measures; and
(i) abstain from implementing policies or taking actions that may diminish the protection of Data in a manner inconsistent with Data Protection Legislation.
If You were granted an audit right such as by Standard Contractual Clauses, or by applicable Data Protection Legislation, then You agree to exercise Your audit right by instructing ClawCloud to execute the audit as described in this clause. If You desire to change this instruction, then You have the right to do so by requesting in writing, or as set forth in the Standard Contractual Clauses which change shall also be requested in writing (for clarity, nothing in the foregoing shall require ClawCloud to make available any data, material or information of any of ClawCloud’s other customers).
For the avoidance of doubt, nothing herein obliges ClawCloud to disclose any information that is subject to any right, privilege or immunity conferred, or obligation (including without limitation in connection with ClawCloud’s performance of any contractual obligation) or limitation imposed, by or under any law or rules of professional conduct in relation to the disclosure of such information.
5. Your responsibilities
You agree:
(a) to comply with your obligations under all applicable Data Protection Legislation in relation to Your: (i) use of ClawCloud Services for processing of any personal data comprised within the Data; (ii) appointment of us as Your processor to process the Data as contemplated under this Addendum; and (iii) processing of any personal data comprised within the Data.
(b) that this Addendum, the Agreement, Your other applicable agreements with ClawCloud and Your configuration and use of the ClawCloud Services will together comprise Your complete and final documented instructions to ClawCloud on the processing of Data; and
(c) that You shall not give ClawCloud as Your processor any instructions, nor shall You use the ClawCloud Services in any way, that in any such case could infringe any Applicable Data Protection Legislation or could cause ClawCloud or any of its affiliates to infringe any Applicable Data Protection Legislation. Without prejudice to the generality of the foregoing, you agree and acknowledge that where You disclose personal data to ClawCloud, you shall have: (i) obtained or procured all necessary consents where required under applicable law from the relevant data subject(s) for the processing and disclosure of such data subject(s)’s personal data to ClawCloud for ClawCloud's collection, use and/or disclosure for the Permitted Purpose (without prejudice to any other lawful basis for such handling of personal data by ClawCloud), and that such consents have not been withdrawn; or (ii) to the extent consent is not required under applicable law, you have secured all necessary legal bases under Data Protection Legislation for processing and disclosing personal data to ClawCloud for ClawCloud’s handling of the personal data for the Permitted Purpose as contemplated under this Addendum.
(d) that You shall be responsible for the correctness of the Data and ensuring that it is kept up-to-date and shall handle any requests or complaints raised by data subjects.
6. International transfers
6.1 You may decide where to store Data (“Selected Region”). You consent to the storage of Data in, and transfer of Data into, the Selected Region. If the processing of Data involves a transfer outside Selected Region, Clawcloud will take such measures as are necessary as a processor to ensure the transfer is in compliance with applicable Data Protection Legislation.
6.2 To the extent that the transfer of Data from You to ClawCloud constitutes a Restricted Transfer, You agree that the Standard Contractual Clauses will be deemed entered into (and incorporated by reference into this Addendum) between You (as data exporter) and ClawCloud (as data importer) as follows:
6.2.1 In relation to Data that is protected by the GDPR, the EU SCCs will apply completed as follows:
(a) If and to the extent You are a controller of such Data Module Two will apply, and if and to the extent You are a processor of such Data Module Three will apply, in each case as follows:
(i) in Clause 7, the optional docking clause will apply (provided that any new party to the EU SCCs shall be subject to ClawCloud's prior written agreement);
(ii) in Clause 9, Option 2 will apply, and the time period for prior notice of subcontractor changes shall be as set out in Clause 4(d) of this Addendum.
(iii) in Clause 11, the optional language will not apply;
(iv) in Clause 17, Option 1 will apply and the EU SCCs will be governed by Dutch law;
(v) in Clause 18(b) disputes shall be resolved before the courts of the Netherlands;
(vi) Annex I of the EU SCCs shall be deemed completed with the information set out in this Addendum and/or in the Appendix 1 to this Addendum, and the competent supervisory authority under Part C of Annex I shall be determined in accordance with Clause 13 of the EU SCCs;
(vii) Annex II of the EU SCCs shall be deemed completed with the information set out in the document linked to in Clause 4(c) of this Addendum;
(b) The following clarifications shall apply to the EU SCCs:
(i) You may exercise Your right of audit under the EU SCCs as set out in and subject to the requirements, of Clause 4(h) of this Addendum;
(ii) ClawCloud may appoint subcontractors as set out in and subject to the requirements of Clause 4(d) of this Addendum and You may exercise Your right to reject to subcontractors under the EU SCCs in the manner set out in Clause 4(d) of this Addendum;
(iii) Clause 4(g) shall apply in relation to the deletion or return of transferred Data on any termination of the Agreement;
(iv) For the avoidance of doubt, in light of the nature of the ClawCloud Services You are solely responsible for the accuracy of the Data and the legality of its collection by You, and ClawCloud is not obliged to check any transferred Data for accuracy;
(c) You will pay ClawCloud fees at its then standard professional services rates and also reimburse ClawCloud for its reasonable costs reasonably incurred in dealing with any inquiries from You relating to any transferred Data and/or for providing You with any assistance requested by You under the EU SCCs, including without limitation for notifying or otherwise assisting You with data subject requests or responses to data subjects, and cooperation with You to erase or rectify any transferred Data.
6.2.2 In relation to Data protected by the UK GDPR, the UK Addendum will apply completed as follows:
(a) the EU SCCs, completed as set above in clause 6.2.1 shall apply and shall be modified by the UK Addendum (completed as set out in sub-clause (b) below): and
(b) Tables 1 to 3 of the UK Addendum shall be deemed completed with the relevant information from the EU SCCs, completed as set out above, and the options “Exporter” and “Importer” shall be deemed checked in table 4. The start date of the UK Addendum (as set out in table 1) shall be the date of this Addendum.
6.2.3. In relation to Data that is subject to jurisdictions outside the scope of the GDPR and UK GDPR, to the extent that such jurisdiction permits the use of EU SCCs (subject to modifications to align with respective Data Protection Law) then the provisions under the EU SCCs shall apply with necessary modifications to align with the respective Data Protection Legislation of the relevant jurisdiction.
6.2.4. In relation to Data that is protected by the PDPA, ClawCloud will take steps as reasonably necessary to ensure that your personal data continues to receive a standard of protection that is at least comparable to that provided under the PDPA. This may include entering into written agreements including contractual clauses, binding corporate rules and other data protection agreements with recipients.
6.3 With respect to onward transfers with subcontractors, ClawCloud shall only participate in such onward transfer (including a Restricted Transfer) of Data where the onward transfer is made in full compliance with Data Protection Legislation.
6.4 In the event that any provision of this Addendum contradicts, directly or indirectly, the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.
6.5 Save as specifically provided under this Addendum, you agree and acknowledge that you are solely responsible to comply with Data Protection Legislation in respect of: (a) your transfer of Data from one jurisdiction to another; and/or (b) your instructions to ClawCloud (as Your processor) to transfer Data from one jurisdiction to another. Without prejudice to the generality of the foregoing, you agree and acknowledge that you shall not instruct us nor cause us to transfer any personal data to any country or territory except in accordance with the requirements prescribed under Data Protection Legislation for such transfer, including without limitation in connection with Your obligation, as may be required under Data Protection Legislation, to ensure a standard of protection to Data so transferred that is comparable to the protection under Data Protection Legislation.
7. Miscellaneous
(a) For clarity, the total aggregate liability of ClawCloud and all its affiliates, employees, agents, affiliates, representatives or anyone acting on its behalf together, arising from or in connection with the Agreement and/or this Addendum and/or the Standard Contractual Clauses or any matter arising therefrom shall not exceed the maximum liability of ClawCloud as limited by the paragraph following Clause 11.6 of the ClawCloud Terms and Condition.
(b) ClawCloud may modify the terms of this Addendum, for example to comply with Data Protection Legislation or to implement any standard contractual clauses adopted by the Information Commissioner's Office, or the European Commission, or a supervisory authority or other competent supervisory authorities under Data Protection Legislation, but it will not do so in a way that would reduce the protections required to be afforded to You below the mandatory minimum required under Data Protection Legislation (as applicable). If ClawCloud modifies the terms of this Addendum, the Addendum will be an amended and restated version on the ClawCloud Platform, and ClawCloud will provide at least 15 days prior written notice of any material amendments to the Addendum to You (which may be posted on the ClawCloud Platform or displayed in Your ClawCloud account). By continuing to use the relevant products or services after the receipt of written notification of such changes by ClawCloud, You agree to be bound by the amended and restated Addendum.
Appendix 1
A. LIST OF PARTIES
Data exporter(s):
Name: The entity identified as “Customer” in the ClawCloud Terms and Condition.
Address: The address for Customer associated with its ClawCloud account or as otherwise specified in this Data Processing Addendum or the ClawCloud Terms and Conditions.
Contact person’s name, position and contact details: The contact details associated with Customer’s account, or as otherwise specified in this Data Processing Addendum or the ClawCloud Terms and Conditions.
Activities relevant to the data transferred under these Clauses: The activities specified in Sections 3 and 4 of this Data Processing Addendum.
Signature and date: Clicking “I Agree” button when you register for an Account constitutes an acknowledgement, signature and acceptance of the Terms and Condition and this Data Processing Addendum on the same day.
Role (controller/processor): Controller or processor, as set out in this Data Processing Addendum
Data importer(s):
Name: “ClawCloud” as identified in the ClawCloud Terms and Conditions.
Address: The address for ClawCloud specified in the ClawCloud Terms and Conditions.
Contact person’s name, position and contact details: The contact details for ClawCloud specified in the Addendum or the ClawCloud Terms and Conditions.
Activities relevant to the data transferred under these Clauses: The activities specified in Sections 3 and 4 of this Data Processing Addendum.
Signature and date: Clicking “I Agree” button when you register for an Account constitutes an acknowledgement, signature and acceptance of the Terms and Condition and this Data Processing Addendum on the same day.
Role (controller/processor): Processor
B. DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred: The data subjects may include Your customers, employees, supplier and end-users.
Categories of personal data transferred: Capitalised terms not defined herein will have the meaning given in Your ClawCloud Terms and Conditions with ClawCloud. The personal data includes any information, content, material and data in electronic format as may be contained in or generated in relation to Member Content.
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures: You may upload special categories of personal data to Your ClawCloud Services at Your sole choice, which could include (depending on Your choice) personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation, and/or personal data relating to criminal convictions and offences or related security measures. Before uploading any sensitive data, You are obliged to assess and confirm that the technical and organizational measures taken by ClawCloud are sufficient for the sensitive data that You choose to upload.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis): Data may be transferred on an occasional or continuous basis solely for the purposes of providing You with the ClawCloud Services and as otherwise set out in the Agreement.
Nature of the processing: The personal data will be processed and transferred for the purposes of providing You with the ClawCloud Services and as otherwise set out in the Agreement.
Purpose(s) of the data transfer and further processing: The personal data will be processed and transferred for the purposes of providing You with the ClawCloud Services and as otherwise set out in the Agreement.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: Data will be processed and transferred for the duration of the Agreement.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing: The above shall apply to such transfers to sub-processors.
C. COMPETENT SUPERVISORY AUTHORITY
Competent supervisory authority: For the purposes of the EU GDPR, the competent supervisory authority shall be construed in accordance with Clause 13 of the EU SCCs; for the purposes of the UK GDPR, the competent supervisory authority shall be the UK Information Commissioner's Office.