Cloud Services Data Processing Agreement

This Data Processing Agreement, including its annexes, ("DPA") supplements and forms part of the Cloud Inventory Master Service Agreement ("Agreement"). This DPA applies where and to the extent that Data Systems International, Inc. dba Cloud Inventory a Nextworld Company ("Cloud Inventory") processes Personal Data on behalf of Customer in the course of providing the Services pursuant to the applicable Agreement. Customer enters into this DPA on behalf of itself and, to the extent required under Data Protection Laws, in the name and on behalf of its Affiliates, if and to the extent Cloud Inventory processes Personal Data on behalf of such Affiliates.

  1. Definitions. For purposes of this DPA, the terms below have the meanings set forth below. Capitalized terms not otherwise defined herein shall have the meaning given to them in the Agreement.
    1. “Affiliate” means an entity that owns or controls, is owned or controlled by or is under common control or ownership with either Customer or Cloud Inventory respectively, where control is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract or otherwise.
    2. “CCPA” means the California Consumer Privacy Act of 2018 and any regulations promulgated thereunder, in each case, as amended from time to time.
    3. "Data Protection Laws" means with respect to a party, all privacy, data protection and information security-related laws and regulations applicable to such party’s Processing of Personal Data, including, where applicable, European Data Protection Laws, California Consumer Privacy Act (CCPA), Safeguard Rule under the Gramm-Leach-Bliley Act and any other national, state, provincial, or local privacy and data protection laws, rules, and regulations in effect on or after the effective date of the Agreement.
    4. “Data Subject” means the identified or identifiable natural person who is the subject of Personal Data.
    5. "EEA" means the European Economic Area as well as any country for which the European Commission has published an adequacy decision.
    6. “European Data Protection Laws” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, as amended from time to time, (“GDPR”) and any other data protection laws of the European Union, its Member States, Switzerland, Iceland, Liechtenstein, Norway and the United Kingdom, in each case, to the extent it applies to Cloud Inventory’s Processing of Personal Data under the Agreement.
    7. “Personal Data” means any information provided to Cloud Inventory by or on behalf of Customer for the provision of the Services that constitutes “personal data,” “personal information,” “personally identifiable information” or similar information defined in and governed by Data Protection Laws. For purposes of this DPA, Personal Data does not include personal data of representatives of Customer with whom Cloud Inventory has business relationships independent of the Services.
    8. “Security Incident” means an actual or suspected breach of Cloud Inventory’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data in Cloud Inventory’s possession, custody or control. Security Incidents do not include unsuccessful attempts or activities that do not compromise the security of Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, or other network attacks on firewalls or networked systems.
    9. “Services” means the services that Cloud Inventory has agreed to provide to Customer under the Agreement.
    10. “Standard Contractual Clauses” or "SCCs" means the mandatory provisions of the standard contractual clauses for the transfer of personal data to processors established in third countries in the form set out by European Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
    11. "SCCs (Controller-to-Processor)" means the terms at https://www.cloudinventory.com/controller-processor-standard-contractual-clauses.
    12. "SCCs (Processor-to-Processor)" means the terms at https://www.cloudinventory.com/processor-processor-standard-contractual-clauses.
    13. “Subprocessor” means any third party or Cloud Inventory Affiliate appointed by Cloud Inventory to Process Personal Data on behalf of Customer.
    14. “Usage Data” means technical logs, account and login data, data, and learnings about Customer’s use of the Services.
  2. Duration and Scope of DPA.
    1. This DPA will, notwithstanding the expiration or termination of the Agreement, remain in effect, and automatically expire, once Cloud Inventory ceases Processing Personal Data.
    2. Annex 1 (EU Annex) to this DPA applies solely to Personal Data or the Processing thereof subject to European Data Protection Laws. Annex 2 (California Annex) to this DPA applies solely to Personal Data or the Processing thereof subject to the CCPA.
  3. Processing of Personal Data. Cloud Inventory will Process Personal Data only in accordance with Customer’s documented instructions. By entering into this DPA, Customer instructs Cloud Inventory to process Personal Data to provide the Services. Customer acknowledges and agrees that such instruction authorizes Cloud Inventory to process Personal Data (a) to perform its obligations and exercise its rights under the Agreement; (b) to perform its legal obligations and to establish, exercise or defend legal claims in respect of the Agreement; (c) pursuant to any other written instructions given by Customer and acknowledged in writing by Cloud Inventory as constituting instructions for purposes of this DPA; and (d) as reasonably necessary for the proper management and administration of Cloud Inventory’s business.
  4. Confidentiality. Cloud Inventory shall take reasonable steps to ensure that personnel that Process Personal Data are subject to obligations of confidentiality or are under an appropriate statutory obligation of confidentiality.
  5. Security.
    1. Cloud Inventory will implement and maintain technical and organizational measures designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, damage, unauthorized disclosure of, or access to Personal Data. These technical and organizational measures are described in Annex 3 of this DPA.
    2. If Cloud Inventory becomes aware of a confirmed Security Incident, Cloud Inventory will (a) notify Customer of the Security Incident within forty-eight (48) hours of confirmation of the Security Incident and (b) take reasonable steps to identify the cause of such Security Incident, minimize harm and prevent a recurrence. Notifications made pursuant to this Section 5.2 will describe, to the extent possible, details of the Security Incident, including steps taken to mitigate the potential risks and steps Cloud Inventory recommends Customer take to address the Security Incident. Cloud Inventory’s notification of or response to a Security Incident under this Section 5.2 will not be construed as an acknowledgement by Cloud Inventory of any fault or liability with respect to the Security Incident.
  6. Subprocessing
    1. Customer specifically authorizes Cloud Inventory to use its Affiliates as Subprocessors and generally authorizes Cloud Inventory to engage Subprocessors to Process Personal Data. Cloud Inventory will (a) enter into a written agreement with each Subprocessor, imposing data protection obligations substantially similar to this DPA, and (b) remain liable for compliance with the obligations of this DPA and for any acts or omissions of the Subprocessor that cause Cloud Inventory to breach any of its obligations under this DPA.
    2. A list of Cloud Inventory’s Subprocessors, including their functions and locations, is available at https://www.cloudinventory.com/subprocessor-list or such other website as Cloud Inventory may designate (“Subprocessor Page”), and may be updated by Cloud Inventory from time to time in accordance with this DPA.
    3. When any new Subprocessor is engaged, Cloud Inventory will, at least ten (10) calendar days before the new Subprocessor Processes any Personal Data, notify Customer of the engagement, which notice may be given by updating the Subprocessor Page. Notwithstanding the foregoing, Cloud Inventory may engage a new Subprocessor without prior notice to Customer if Cloud Inventory reasonably believes such engagement is necessary to protect the confidentiality, integrity or availability of the Personal Data or avoid material disruption to the Services, provided that Cloud Inventory will notify Customer of such engagement as soon as reasonably practicable. If, within five (5) calendar days of such notice, Customer notifies Cloud Inventory in writing that Customer objects to Cloud Inventory’s appointment of a new Subprocessor based on reasonable data protection concerns, the parties will discuss such concerns in good faith and whether they can be resolved.
  7. Data Subject Rights
    1. Taking into account the nature of the Processing, Cloud Inventory shall provide such assistance as Customer reasonably requests, insofar as this is possible, to help Customer comply with its obligations under Data Protection Laws to effectively respond to requests from individuals to exercise their rights under Data Protection Laws relating to Personal Data.
    2. Cloud Inventory shall promptly notify Customer if it receives a request from a Data Subject under any Data Protection Laws in respect of Personal Data. As between Cloud Inventory and Customer, Customer shall be responsible for responding to any such request.
  8. Customer Responsibilities
    1. Customer agrees that, without limitation of Cloud Inventory’s obligations under Section 5 of this DPA (Security), Customer is solely responsible for its use of the Services, including (a) making appropriate use of the Services to ensure a level of security appropriate to the risk in respect of the Personal Data; (b) securing the account authentication credentials, systems and devices Customer uses to access the Services; (c) securing Customer’s systems and devices that Cloud Inventory uses to provide the Services; and (d) backing up Personal Data. Customer is solely responsible for evaluating for itself whether the Services and Cloud Inventory’s commitments under this DPA will meet Customer’s needs, including with respect to any security obligations of Customer under Data Protection Laws or other laws.
    2. Customer represents and warrants to Cloud Inventory that (a) Customer has established or ensured that another party has established a legal basis for Cloud Inventory’s Processing of Personal Data contemplated by this DPA; (b) all notices have been given to, and consents and rights have been obtained from, the relevant Data Subjects and any other party as may be required by Data Protection Laws and any other laws for such Processing; and (c) Personal Data does not and will not contain any protected health information subject to the Health Insurance Portability and Accountability Act (HIPAA), any biometric information, any special categories of personal data (as defined under GDPR), or any payment card information subject to the Payment Card Industry Data Security Standard (other than any Customer payment card information used to pay for the Services).
  9. Deletion or Return of Personal Data. Subject to this Section 9, Cloud Inventory shall promptly upon Customer’s request or in any event as soon as practicable after the effective date of termination or expiration of the Agreement delete all Personal Data from Cloud Inventory’s systems. Cloud Inventory may retain Personal Data to the extent required by applicable law, which data will remain subject to the requirements of this DPA.
  10. General Terms. Should any provision of this DPA be invalid or unenforceable, then the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall be either: (1) amended as necessary to ensure its validity and enforceability, while preserving the intent of the provision as closely as possible; or, if this is not possible, (2) construed in a manner as if the invalid or unenforceable part had never been contained therein. Except as expressly modified by this DPA, the terms of the Agreement remain in full force and effect. To the extent of any conflict or inconsistency between this DPA and the other terms of the Agreement, this DPA will govern. Any liabilities arising in respect of this DPA are subject to the limitations of liability under the Agreement.

Annex 1 - EU Annex

  1. Definitions; Processing of Personal Data.
    1. Definitions. As used in this Annex 1, the terms “controller,” “processor,” and “supervisory authority” shall have the meanings given in the GDPR and “Personal Data” shall mean any Personal Data (as defined in the DPA) that constitutes “personal data” under the GDPR.
    2. Roles and Regulatory Compliance of the Parties; Authorization. The parties acknowledge and agree that with regard to the Processing of Personal Data under the Agreement: (a) Customer is a controller and Cloud Inventory is a processor of that Personal Data under European Data Protection Laws; or (b) Customer is a processor of that Personal Data under European Data Protection Laws, in which case Customer appoints Cloud Inventory as Customer’s sub-processor, which shall not change the obligations of either Customer or Cloud Inventory under this DPA, as Cloud Inventory will remain a processor with respect to the Customer in such event. Each party will comply with the obligations applicable to it in such role under the European Data Protection Laws with respect to the Processing of that Personal Data. To the extent that Usage Data contains information that constitutes “personal data” under the GDPR, Cloud Inventory is the controller with respect to such data and will process Usage Data in accordance with its Privacy Policy, currently available at www.cloudinventory.com/privacy-policy.
    3. Cloud Inventory’s Compliance with Instructions. Cloud Inventory will only Process Personal Data in accordance with Customer’s instructions described in Section 3 of the DPA (Processing of Personal Data) unless Processing is required by European Data Protection Laws, in which case Cloud Inventory shall to the extent permitted by European Data Protection Laws inform Customer in writing of that legal requirement before Processing Personal Data.
    4. Subject Matter and Details of Processing. The parties acknowledge and agree that: (a) the subject matter of the Processing under the Agreement is Cloud Inventory’s provision of the Services; (b) the duration of the Processing is from Cloud Inventory’s receipt of Personal Data until deletion of all Personal Data by Cloud Inventory in accordance with the Agreement and the DPA; (c) the nature and purpose of the Processing is to provide the Services as described in the Agreement; (d) the Data Subjects to whom the Processing pertains are Customer’s personnel, clients, suppliers, vendors, business partners, and other third parties; and (e) the categories of Personal Data are as is contemplated or related to the Processing described in the Agreement.
  2. Security. Cloud Inventory will (taking into account the nature of the processing of Personal Data and the information available to Cloud Inventory) provide Customer with reasonable assistance necessary for Customer to comply with its obligations in respect of Personal Data under European Data Protection Laws, including Articles 32 to 34 (inclusive) of the GDPR, by: (a) implementing and maintaining appropriate technical and organizational measures to ensure a level of security appropriate to the risk; (b) complying with the terms of Section 5 of the DPA (Security); and (c) complying with this Annex 1.
  3. Data Protection Impact Assessment and Prior Consultation. Cloud Inventory will (taking into account the nature of the processing and the information available to Cloud Inventory) reasonably assist Customer in complying with its obligations under Articles 35 and 36 of the GDPR, by: (a) making available documentation describing relevant aspects of Cloud Inventory’s information security program and the security measures applied in connection therewith; and (b) providing the other information contained in the Agreement including this DPA.
  4. International Data Transfer.
    1. Data Processing Locations. Subject to Section 4.b of this Annex 1 (Transfers From the EEA or UK), Customer authorizes Cloud Inventory and its Subprocessors to transfer Personal Data to the United States or anywhere Cloud Inventory or its Subprocessors operate. Additionally, for purposes of providing Services including technical support, updates, upgrades and fixes, Customer Data may be accessed from any location where Cloud Inventory and Affiliates are located.
    2. Transfers From the EEA or UK. If Personal Data is to be transferred out of the EEA or the United Kingdom to provide Services from a country not deemed by the European Commission to have adequate data protection, the transfer will be governed by the SCCs (Controller-to-Processor) and/or SCCs (Processor-to-Processor), and the IDTA for transfers from the UK to the US. The IDTA terms are incorporated in the SCCs.
  5. Relevant Records and Audit Rights.
    1. Upon Customer's request, Cloud Inventory shall promptly make available to Customer all information reasonably necessary to demonstrate compliance with this DPA. In addition to any audit rights granted pursuant to the Agreement, Cloud Inventory shall allow for and contribute to audits, including inspections, by Customer or an auditor mandated by Customer (“Mandated Auditor”) of any premises where the Processing of Personal Data takes place in order to assess compliance with this DPA, and shall provide reasonable access to the Mandated Auditor to inspect, audit, and copy any relevant records, processes, and systems documents in order that Customer may satisfy itself that the provisions of this DPA are being complied with.
    2. To request an audit, Customer must submit a detailed proposed audit plan to Cloud Inventory at least two weeks in advance of the proposed audit date and any Mandated Auditor must sign a customary non-disclosure agreement mutually acceptable to the parties (such acceptance not to be unreasonably withheld) providing for the confidential treatment of all information exchanged in connection with the audit and any reports regarding the results or findings thereof.
    3. If the controls or measures to be assessed in the requested audit are addressed in an SOC 2 Type 2, ISO, NIST or similar audit report performed by a qualified third party auditor within twelve (12) months of Customer’s audit request and Cloud Inventory has confirmed there are no known material changes in the controls audited, Customer agrees to accept such report in lieu of requesting an audit of such controls or measures. Any information provided by Cloud Inventory under this Section 5 constitutes Cloud Inventory’s confidential information under the Agreement.
    4. The audit must be conducted during regular business hours, subject to the agreed final audit plan and Cloud Inventory’s safety, security or other relevant policies, and may not unreasonably interfere with Cloud Inventory’s business activities.
    5. Customer will promptly notify Cloud Inventory of any non-compliance discovered during the course of an audit and provide Cloud Inventory any audit reports generated in connection with any audit under this Section 5, unless prohibited by Data Protection Laws or otherwise instructed by a supervisory authority. Customer may use the audit reports only for the purposes of meeting Customer’s regulatory audit requirements and/or confirming compliance with the requirements of this DPA.
    6. Any audits are at Customer’s expense. Customer shall reimburse Cloud Inventory for any time expended by Cloud Inventory or its Subprocessors in connection with any audits or inspections under this Section 5, at Cloud Inventory’s then-current professional services rates, which shall be made available to Customer upon request. Customer will be responsible for any fees charged by any Mandated Auditor to execute any such audit. Nothing in this DPA shall be construed to require Cloud Inventory to furnish more information about its Subprocessors in connection with such audits than such Subprocessors make generally available to their customers.

Annex 2 - California Annex

  1. Definitions; Processing of Personal Data.
    1. Definitions. As used in this Annex 2, the terms “business,” “service provider,” and “sell” shall have the meanings given in the CCPA and “Personal Data” shall mean any Personal Data (as defined in the DPA) that constitutes “personal information” under the CCPA.
    2. Roles and Regulatory Compliance of the Parties. The parties acknowledge and agree that with regard to the Processing of Personal Data under the Agreement Cloud Inventory is a service provider. To the extent that Usage Data contains information that constitutes “personal information” under the CCPA, Cloud Inventory is the business with respect to such data and will process Usage Data in accordance with its Privacy Policy, currently available at https://www.cloudinventory.com/privacy-policy.
  2. Processing by Service Provider. Cloud Inventory will not (a) retain, use, or disclose any Personal Data for any purpose other than for the specific purpose of providing the Services, or as otherwise permitted by CCPA, including retaining, using, or disclosing the Personal Data for a commercial purpose other than providing the Services; (b) sell any Personal Data; or (c) retain, use or disclose the Personal Data outside of the direct business relationship between Cloud Inventory and Customer. Cloud Inventory hereby certifies that it understands its obligations under this Section 2 and will comply with them. The parties acknowledge and agree that the Processing of Personal Data authorized by Customer’s instructions described in Section 3 of the DPA (Processing of Personal Data) is integral to and encompassed by Cloud Inventory’s provision of the Services and the direct business relationship between the parties.
  3. No Consideration. The parties acknowledge and agree that Cloud Inventory’s access to Personal Data does not constitute part of the consideration exchanged by the parties in respect of the Agreement.

Annex 3 - Data Protection and Security Measures

As of the Agreement Effective Date, Cloud Inventory will implement and maintain these data protection and security measures.

  1. Asset Management
    1. Cloud Inventory maintains asset management policies and procedures to maintain accurate inventory and establishes ownership of assets.
    2. Cloud Inventory maintains an acceptable use policy for all information and physical assets that must be acknowledged by personnel.
  2. Business Continuity and Disaster Recovery
    1. Cloud Inventory maintains business continuity plans and system resiliency policies to enable adequate response to and recovery from business interruptions impacting services provided to the Customer.
    2. Cloud Inventory tests the business continuity and disaster recovery plan at least annually.
    3. Cloud Inventory replicates data across multiple locations to assist in recovery operations.
  3. Data Protection
    1. Cloud Inventory maintains policies and procedures for the classification, protection, and handling of data in accordance with applicable laws, regulations, standards and risk level. These policies are reviewed at least annually.
    2. Cloud Inventory has implemented practices that encrypt Customer Data in transit and at rest when stored in Cloud Inventory systems.
    3. Cloud Inventory limits access to infrastructure that stores and processes Customer Data to personnel with job duties that require access. Customers control and grant access to their tenant.
    4. Cloud Inventory maintains measures to segregate Customer Data from other data.
    5. Cloud Inventory personnel have been trained on data protection policies and procedures.
    6. Cloud Inventory maintains policies and procedures to permanently delete, destroy, and render unrecoverable all Customer Data upon termination of the Agreement. Cloud Inventory ensures third-party infrastructure and data center provider adheres to NIST 800-88.
  4. Identity and Access Management
    1. Cloud Inventory maintains identity and access management policies and procedures that implement the principles of least privilege. These policies are reviewed at least annually.
    2. Cloud Inventory maintains authentication and authorization procedures that ensure unique user IDs, complex passwords, and multi-factor authentication. Personnel are assigned roles in systems that process Customer Data using defined roles based on authorized personnel’s job responsibilities and a need-to-know basis.
    3. Cloud Inventory maintains a policy for personnel to maintain exclusive control of their user ID and password. User IDs and passwords must not be shared with other personnel or stored in a clear text format in a location where unauthorized persons might discover user IDs and passwords.
    4. Cloud Inventory requires personnel to immediately change any passwords that provide access to Cloud Inventory systems if the credentials are suspected or known to have been compromised by disclosure to unauthorized persons.
    5. Cloud Inventory conducts quarterly reviews of personnel access to systems that store and process Customer Data.
    6. Cloud Inventory maintains procedures to terminate personnel access to systems within one (1) business day of termination of employment.
  5. Incident Response
    1. Cloud Inventory maintains incident response policies and plans to detect and respond to suspected or confirmed breach of security.
    2. Cloud Inventory maintains procedures for notifying Customer of a confirmed breach of Customer Data within 48 hours. Customers will be informed of, to the extent possible, the details of the incident, steps taken to mitigate the risks and the steps we recommend the Customer to take to address the incident.
    3. Cloud Inventory conducts exercises of the incident response plan at least once a year.
  6. Personnel Management
    1. Cloud Inventory maintains policies and procedures for ensuring the integrity and reliability of personnel hired who have access to Customer Data. Cloud Inventory’s hiring process includes pre-employment criminal background checks on personnel.
    2. Cloud Inventory personnel are required to complete security training upon hire and annually thereafter.
    3. Cloud Inventory personnel are required to sign a Confidentiality Agreement to protect Customer Data upon hire.
  7. Security Operations
    1. Cloud Inventory maintains information security policies and procedures to implement security measures that comply with appropriate legislation and industry best practices.
    2. Cloud Inventory has implemented firewalls to monitor and restrict inbound and outbound traffic.
    3. Cloud Inventory maintains policies and procedures to identify and remediate vulnerabilities in systems that store and process Customer Data.
    4. Cloud Inventory contracts a third party to conduct an annual penetration test of Cloud Inventory systems that store and process Customer Data.
    5. Cloud Inventory has implemented procedures and tools to continuously scan systems for vulnerabilities and remediate findings based on the risk they pose to Customer Data. Cloud Inventory follows industry standards (such as CVSS, OWASP, SANS, etc.) to prioritize vulnerabilities based on risk criticality.
    6. Cloud Inventory maintains procedures to provide, maintain, and support the Licensed Products with updates, upgrades, and fixes so that the Licensed Products remain secure and deliver the agreed upon functionality.
  8. Third-Party Management
    1. Cloud Inventory maintains policies and procedures to evaluate third parties with access to Customer Data. Cloud Inventory assesses the security and data protection practices of these third parties to ensure they provide a level of security and protection appropriate to their access to Customer Data and scope of services they provide.
    2. Cloud Inventory requires confidentiality or non-disclosure agreements to be in place with third parties with access to Customer Data.