Data Processing Agreement (DPA) – Cloudorka

1. Purpose and Scope

1.1 This Agreement sets out the terms under which Cloudorka (“Processor”) processes Personal Data on behalf of the customer (“Controller”) in connection with the Services.

1.2 It supplements the Terms of Use and applies for as long as the Processor processes Personal Data for the Controller.

1.3 This Agreement is intended to meet the requirements of Article 28 GDPR and similar data protection laws, where applicable.

2. Definitions

• “Personal Data” means any information relating to an identified or identifiable natural person.
• “Processing” means any operation performed on Personal Data (e.g., collection, storage, use, disclosure, deletion).
• “Controller” means the entity determining the purposes and means of Processing Personal Data.
• “Processor” means the entity processing Personal Data on behalf of the Controller.
• “Sub-processor” means any third party engaged by the Processor to process Personal Data.

3. Processor Obligations

• Documented Instructions: Process Personal Data only on the Controller’s documented instructions, unless required by applicable law.
• Confidentiality: Ensure personnel authorized to process Personal Data are bound by confidentiality obligations.
• Security: Implement appropriate technical and organizational measures to protect Personal Data.
• Assistance: Assist the Controller in meeting obligations regarding security, breach notifications, impact assessments, and regulatory consultations, where relevant.
• Return/Deletion: Delete or return Personal Data upon termination of Services, unless retention is required by law (in which case it will be securely isolated and protected).

4. Controller Obligations

• Ensure a lawful basis to provide Personal Data to the Processor and that processing instructions comply with applicable laws.
• Be responsible for the accuracy, quality, and legality of Personal Data supplied to the Processor.
• Provide timely, lawful, and reasonable instructions for Processing.

5. Sub-processors

• The Controller authorizes the Processor to engage Sub-processors as reasonably necessary for delivering the Services.
• The Processor will ensure Sub-processors are bound by written terms imposing data protection obligations no less protective than those in this Agreement.
• A list of current Sub-processors is available upon request; the Processor will provide notice of material changes where required by law.

6. International Transfers

If Personal Data is transferred outside the country of origin, the Processor will ensure appropriate safeguards are in place (e.g., Standard Contractual Clauses or other legally recognized transfer mechanisms).

7. Security Measures

The Processor shall implement appropriate measures proportionate to risk, including where applicable:

• Encryption of data in transit and, where appropriate, at rest;
• Access controls, authentication, and least-privilege principles;
• Vulnerability management, logging/monitoring, and regular security testing.

8. Personal Data Breach Notification

In the event of a Personal Data Breach, the Processor shall notify the Controller without undue delay after becoming aware of the breach and provide information reasonably required for the Controller to meet any applicable reporting obligations.

9. Data Subject Rights

The Processor will, taking into account the nature of the Processing, assist the Controller by appropriate technical and organizational measures, insofar as possible, to fulfill the Controller’s obligations to respond to requests to exercise Data Subject rights.

10. Duration and Termination

This Agreement remains in effect while the Processor processes Personal Data for the Controller. Upon termination of Services, the Processor will delete or return Personal Data as directed by the Controller, unless retention is required by law.

11. Governing Law

This Agreement is governed by the same law that governs the primary agreement (e.g., Terms of Use) between the parties, without regard to conflict-of-laws principles, unless otherwise required by applicable data protection law.

12. Acceptance of Terms

By accessing or using the Cloudorka website, products, or Services, you acknowledge that you have read, understood, and agree to be bound by this Data Processing Agreement. If you do not agree to these terms, please do not use our website, products, or Services.