Oriental Cloud Data Processing Addendum

The following Data Processing Addendum (hereinafter the “addendum”) complements the End-User license found at the Oriental Cloud site, or any other online or written agreement between users/customers and Oriental Cloud governing customers’/users’ use of services (hereinafter the “agreement”) between Oriental Cloud and all its affiliates and the user (“you”). This addendum applies whenever Oriental Cloud processes customer’s personal data in the course of offering services to the customers. Any terms not otherwise defined here shall have the meaning assigned to them within the agreement. Except as modified below, the agreement’s terms must remain legal, in effect, and applicable.

1. Definitions

1.1 Within the addendum, the given terms signify the stated meaning:

1.1.1 By “Applicable Law” we mean a) European Union or Member State laws with regard to any customer personal data where the customer is subject to the EU’s data protection law; and/or b) any additional law with regard to the personal data of customers where the customer is subject to any other data protection law;

1.1.2 By “Customer Personal Data” we mean any personal information/data processed by Oriental Cloud’s processors for the customers pursuant to or in connection with the agreement.

1.1.3 By “Data Protection Law” we mean EU’s data protection law and to the applicable extent, any privacy or data protection law of any country;

1.1.4 By “EFA” we mean the European Economic Area;

1.1.5 By “EU’s data protection law” we mean EU’s Directive 95-45-EC, as imposed within the domestic authority of every Member State and as replaced, superseded, or amended timely, including by GDPR or/and any law supplementing or implementing GDPR;

1.1.6 By “GDPR” we mean EU’s General Data Protection Regulation 2016-679;

1.1.7 By “Restricted Transfer” we mean:

1.1.7.1 Any transfer of customer’s personal data from the customers to Oriental Cloud; or/and

1.1.7.2 Any further transfer of customer’s personal data from Oriental Cloud to any subprocessor, in every situation, where any such transfer is restricted by the data protection laws (or data transfer agreement’s terms imposed for addressing the data sharing restrictions of data protection laws) in absence of any recognized obedience standards for a legal transfer of personal information/data as stated within the relevant data protection law;

1.1.8 By “services” we mean activities and services carried out or supplied to on Oriental Cloud’s behalf for the customer’s pursuant towards the agreement;

1.1.9 By “Subprocessor” we mean any individual (including 3rd parties and Oriental Cloud affiliates, excluding Oriental Cloud employee or/and its subcontractors) on behalf of or appointed by Oriental Cloud for processing personal data for customers in relation to agreement; and

1.2 Every term like Controller, Commission, Data Subject, Personal Data/Information, Processing, Supervisory Authority, Process, Member State, and Personal Data Breach shall possess a meaning akin to the mention in GDPR, and the terms cognate to them should be accordingly constructed.

2. Processing Customer Personal Data

2.1 Oriental Cloud should not process the customer’s personal information/data other than on the user’s specified instructions unless the processing is needed by the applicable laws to which Oriental Cloud is subject, in which scenario Oriental Cloud may, to the lawful extent, process the data after the customer is informed. Oriental Cloud immediately informs the customers if, in the company’s opinion, the customers’ instructions hinder any applicable law.

2.2 The customers instruct Oriental Cloud (and also authorize them for instructing every subprocessor) for: Processing the customer personal information/data, and particularly, transferring the customer personal information/data to any territory or country as reasonably required for provision of consistency and services within agreement, and warranting and representing that it’s and it’ll at every relevant time stay effectively and duly authorized for giving the instructions set in the section 2.2 on behalf of every reasonably relevant user/customer affiliate.

2.3 Processing Details:

2.3.1 Subject Matter: Subject matter of the processing of the personal data is the fulfillment/performance of services pursuant to agreement.

2.3.2 Processing Duration: Subject to Section 9 of the addendum, Oriental Cloud will process the personal information/data only during the agreement’s duration, except if otherwise agreed upon in writing.

2.3.3 Purpose and Nature: The purpose and nature of processing is for allowing Oriental Cloud to undertake services pursuant to agreement, as additionally specified within the document, and also as specified by customers while they use the services.

2.3.4 Data Subject Categories: Customer subcontractors, customer employees authorized by users for using services, and any user/customer end user authorized by the customers for using services.

2.3.5 Personal Data Types: Full name with first and last initials, contact information (email, company, phone, business address), job department and/or title, geographical data (IP address and/or), billing information.

3. Oriental Cloud Personnel
Oriental Cloud takes reasonable measures to ensure the reliability of any agent, contractor, or employee who is appointed by Oriental Cloud and has access to customer’s personal data, making sure that access is at all times restricted to personnel who need to know or/and access the customer’s personal data, as required for the agreement’s purpose and for complying with the applicable laws relevant to the personnel’s duties/responsibilities, and ensuring that every such individual is subject to confidentiality undertakings or statutory or professional confidentiality obligations.

4. Security

4.1 Considering the implementation costs, the state of the art, and the scope, nature, purpose, and context of processing, as well as the risk of differing severity and likelihood for the freedoms and rights of natural persons, Oriental Cloud should, in relation to customer’s personal data, implement apt organizational and technical measures for ensuring a security level adequate to the risks. With regard to personal information/data processed on the customer’s behalf under the agreement, Oriental Cloud has implemented and maintained, and is going to maintain, a written data/information security program including apt technical, organizational, and physical measures aimed at protecting such personal information/data against any unauthorized use, access, alteration, destruction, or disclosure, a summary of which is set out in Exhibit A. The involved parties might modify the Appendix 2 from time to time as per any change in the applicable laws.

4.2 While assessing the apt security level, Oriental Cloud will consider every specific risk faced while processing, in particular from a personal information/data breach.

5. Subprocessing

5.1 The user allows Oriental Cloud to appoint (and to permit every subprocessor appointed as per this section to appoint) subprocessors as per this section and any prohibitions in the agreement.

5.2 Oriental Cloud might continue using subprocessors already engaged before this addendum, subject to Oriental Cloud in every case meeting, whenever practicable, the obligations set out in section 5.4.

5.3 Oriental Cloud will provide prior notice in writing to users in case any new subprocessor is appointed, including every detail of the processing undertaken by the subprocessor. In case, within ten days of the notice’s receipt, the user notifies Oriental Cloud in writing of any reasonable objection to the said appointment:

5.3.1 Oriental Cloud will work with the user in good faith to make available every monetarily reasonable modification within the service’s provision for avoiding the said subprocessor’s usage; and

5.3.2 In case any such modification is not viable within ninety days from Oriental Cloud’s receiving the notice, notwithstanding anything in the agreement, the user can, via a notice in writing to Oriental Cloud, with instant effect end the agreement to a reasonable extent in relation to the services requiring the utilization of the said subprocessor.

5.4 In regard to every subprocessor, Oriental Cloud will:

5.4.1 Before the said subprocessor processes any customer personal information/data (or, wherever relevant, as per section 5.2), carry out apt diligence to ensure that the said subprocessor is competent to offer the security for the customer’s personal information/data as needed by the agreement;

5.4.2 Ensure that the arrangement between Oriental Cloud and the subprocessor is governed by a written contract with terms at least as strict as the security for the customer’s personal information/data as set out in the current addendum;

5.4.3 In case the arrangement involves a restricted transfer, make sure that a) every basic contractual clause is at every relevant time incorporated within the agreement between the subprocessor and Oriental Cloud or b) an additional recognized obedience standard for the legal transfer of personal information/data as mentioned in the applicable data protection law is in place; and

5.4.4 Allow the customers to review every copy of the agreement with the subprocessors (which might be redacted to remove every piece of commercial information irrelevant to the addendum’s requirements) as users may request from time to time.

5.5 Oriental Cloud must make sure that every subprocessor fulfills the responsibilities under sections 3, 6.1, 4, 2.1, 10, 8, and 7.2, as they each apply to the processing of the customer’s personal information/data carried out by the said subprocessor, as if it were a party to the addendum in Oriental Cloud’s place.

6. Data Subject Rights

6.1 Considering the processing’s nature, Oriental Cloud shall aid the users and, whenever applicable, the end users by offering apt organizational and technical measures, and whenever it’s possible, for the user or end-user’s fulfillment, to satisfy requests for exercising data subject rights under data protection law.

6.2 Oriental Cloud will:

6.2.1 Readily inform users in case Oriental Cloud or any subprocessor gets any request from a data subject under Data Protection Law in regard to the customer’s personal information/data; and

6.2.2 Make sure that Oriental Cloud and each of its subprocessors do not respond to such requests except on written request of the users or as needed by the applicable laws to which Oriental Cloud and its subprocessors are subject, where Oriental Cloud may, to the extent permitted by the relevant law, inform the customers about the legal need before Oriental Cloud or its subprocessors respond to the request.

7. Personal Data Breach

7.1 Oriental Cloud should promptly inform the users whenever Oriental Cloud or its subprocessors become aware of any personal data/information breach affecting the customer’s personal information/data, providing the users apt information for allowing the users, and when applicable, relevant end-user, to meet every obligation for informing or reporting the data subjects of the said personal information/data breach under data protection law.

7.2 Oriental Cloud should cooperate with the users and, wherever applicable, end-users, and undertake reasonable monetary measures directed by the users for assistance in mitigation, remediation, and investigation of every personal information/data breach.

8. Data Protection Impact’s Evaluation and Any Prior Consultation
When the user or, wherever relevant, the end-user, reasonably decides the way of Oriental Cloud processing the customer’s personal information/data, considering the scope, nature, purpose, and context of Oriental Cloud’s processing, may end up being highly risky to freedom and right of individuals, the users or end-users can request, and Oriental Cloud should offer, only on reasonable information and notification to Oriental Cloud more than ten business days, in Oriental Cloud’s operational hours, rational assistance, to users or end-users, with the data/information protection impact’s evaluation, and prior consultations with capable data security authorities or supervising authorities if merely in relation to the processing of the user’s personal information/data.

9. Return or deletion of User’s Personal Information/Data

9.1 Subject to the sections 9.2 and 9.1, Oriental Cloud should quickly on the services cessation date regarding the processing of the user’s personal information/data (hereby called cessation date) delete or return, at the user’s choice, every copy of the user’s personal information/data.

9.2 Oriental Cloud can retain the user’s personal information/data to an extent necessary by the applicable law and for a period as needed by law, or under circumstances where the information/data is needed for fulfilling Oriental Cloud’s obligatory and legal obligations, and given that Oriental Cloud shall make sure the secrecy and confidentiality of the user’s personal information/data and will make sure that the user’s personal information/data is merely processed as required for purposes mentioned in applicable laws or needed by regulatory and legal obligations needing its storage and nothing else.

9.3 Oriental Cloud will provide certification in writing to the users, on request, that it is in compliance with section 9.

10. Audit Rights

10.1 The user acknowledges that Oriental Cloud utilizes independent 3rd party auditors for verifying the aptness of its security measures and is routinely modified and audited against SOC 2 type 2 standards. Upon the user’s request in writing, Oriental Cloud will offer a copy of the SOC II type II report to the users to allow them to verify Oriental Cloud’s obedience with its responsibilities under the Addendum. Oriental Cloud will also respond to written audit questions reasonably submitted by users from time to time. The report and written audit questions are subject to confidentiality agreement provisions.

10.2 The user agrees to exercise any rights they might have to conduct an inspection or audit, including under the standard contractual clauses in case they apply, by requesting that Oriental Cloud carry out the audit mentioned in Section 10. In case the user wants to change the audit’s instruction, they have the right to change it after sending Oriental Cloud a notice in writing as provided in the agreement. If Oriental Cloud doesn’t follow the requests, the user can end the addendum, agreement, applicable services, schedules, or orders. If the standard contractual clauses apply, this section remains the same, and does not modify or affect the standard contractual clauses or their authority or data subject rights under the standard contractual clauses.

10.3 Oriental Cloud will cooperate, on a request, with supervisory authority in task performance.

11. Restricted Transfer
In case Oriental Cloud processes any personal information/data pursuant to a restricted transfer, the involved parties agree that the provisions in the EU Commission Standard Contractual Clauses for personal information/data transfer to processors situated in 3rd countries (2010/87/EU) (the standard contractual clauses) will apply and are integrated by reference. As per the standard contractual clauses, the users will be the data exporter and Oriental Cloud shall be the data importer. Within Appendix 1 to the standard contractual clauses, a) the data subjects will be the user’s employees, user subcontractors authorized by the user for using services, and every end-user authorized by the user for using services; b) the data categories will be first and last name, contact data (email, company, business data, phone), job title or/and department, geolocation data (IP address or/and country), and billing information; c) special data categories will not be available; and d) the processing operation will allow Oriental Cloud to perform services as per the agreement, as mentioned in documents, and as instructed by users while using services. The data security steps in Appendix 2 to the standard contractual clauses are identified in addendum exhibit A.

12. General Terms
Governing Jurisdiction and Law

12.1 Without prejudice to clauses 7 (mediation & jurisdiction) and 9 (governing law) of the standard contractual clauses:

12.1.1 The parties to the addendum submit to the jurisdiction choice in the agreement for claims or disputes arising under the addendum, which includes disputes about its validity, termination, consequences of nullity, and existence; and

12.1.2 The addendum and any non-contractual or additional responsibility arising out of or connected with it are governed by the laws of the territory or country stipulated for that purpose in the agreement.

Order of Precedence

12.2 Nothing in the addendum decreases Oriental Cloud’s responsibility under the agreement in regard to the security of the user’s personal information/data or allows Oriental Cloud to process (or permit processing of) the user’s personal information/data in a way restricted by the agreement. In case of inconsistency or conflict between the standard contractual clauses and the addendum, the standard contractual clauses prevail.

12.3 As per 12.2, in regard to the subject matter of the addendum, in case of inconsistencies between the addendum’s provisions and any other agreement between the parties, including the agreement and including (except where agreed and signed in writing) any agreement entered into or purported to be entered into after the addendum date, the addendum’s provisions prevail.

Changes in Data Protection Laws

12.4 The parties might quickly implement a supplemental agreement for processing the data in the agreement or may take reasonable steps for addressing restricted transfer if it is concluded that those steps are required for addressing the privacy or data protection laws regarding personal information/data.

Severance

12.5 In case a provision of the addendum is unenforceable or invalid, the remainder of the addendum will remain valid and enforceable. The unenforceable or invalid provision should be either a) amended as required to ensure its enforceability and validity, as far as possible, or b) modified as if the unenforceable or invalid part had never been there.

Exhibit A
Appendix II to Standard Contractual Clauses
Description of organizational and technical security steps implemented by data importer as per Clauses 5(c) and 4(d) (or legislation/document attached):

Oriental Cloud’s organizational and technical security steps are as mentioned in Oriental Cloud’s confidential SOC II Type II report, which is made available by Oriental Cloud upon the user’s request.