Data Processing Agreement

Data Protection

Cloudteam Data Processing Agreement

This Data Processing Agreement ("DPA") forms part of the Master Service Agreement or other written agreement between Cloudteam and the Client for the provision of services. This DPA sets out the terms that apply when personal data is processed by Cloudteam on behalf of the Client.

12 sections covered in this agreement
01

Definitions

In this DPA, the following terms shall have the meanings set out below. Capitalized terms not otherwise defined herein shall have the meaning given to them in the Agreement.

  • "Controller" means the entity which determines the purposes and means of the Processing of Personal Data.
  • "Data Subject" means an identified or identifiable natural person to whom the Personal Data relates.
  • "Personal Data" means any information relating to a Data Subject that is processed by Cloudteam on behalf of the Client under the Agreement.
  • "Processing" means any operation performed on Personal Data, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure, dissemination, restriction, erasure, or destruction.
  • "Processor" means the entity which processes Personal Data on behalf of the Controller.
  • "Sub-processor" means any third party appointed by Cloudteam to process Personal Data on behalf of the Client.
  • "Data Protection Laws" means all applicable legislation relating to data protection and privacy including, where applicable, the EU General Data Protection Regulation (GDPR), Thailand Personal Data Protection Act (PDPA), and Vietnam Decree 13/2023/ND-CP on personal data protection.
02

Scope and Roles

The Client (Controller) appoints Cloudteam (Processor) to process Personal Data on its behalf as necessary to perform services under the Agreement. Cloudteam shall process Personal Data only in accordance with the Client's documented instructions.

  • Categories of Data Subjects: Client employees, end-users, customers, contractors, and other individuals whose data is submitted to Cloudteam services.
  • Types of Personal Data: Contact information, identification data, professional information, technical data (IP addresses, device identifiers), and any other personal data submitted through the services.
  • Processing activities: Storage, hosting, backup, technical support, software development, testing, and maintenance as described in the Agreement.
  • Duration: Personal Data will be processed for the duration of the Agreement unless otherwise required by applicable law.
03

Obligations of Cloudteam

Cloudteam shall comply with the following obligations when processing Personal Data on behalf of the Client:

  • Process Personal Data only on documented instructions from the Client, unless required by applicable law.
  • Ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
  • Implement appropriate technical and organizational security measures to protect Personal Data against unauthorized or unlawful processing, accidental loss, destruction, or damage.
  • Not engage another Processor (Sub-processor) without prior specific or general written authorization of the Client.
  • Assist the Client in ensuring compliance with data security, breach notification, impact assessments, and prior consultation obligations under Data Protection Laws.
  • At the Client's choice, delete or return all Personal Data after the end of the provision of services, and delete existing copies unless applicable law requires storage.
  • Make available to the Client all information necessary to demonstrate compliance with obligations and allow for audits and inspections.
04

Security Measures

Cloudteam maintains comprehensive technical and organizational measures to protect Personal Data, including but not limited to:

  • Encryption of Personal Data in transit (TLS 1.2+) and at rest (AES-256).
  • Access controls with role-based permissions and multi-factor authentication.
  • Regular security assessments, penetration testing, and vulnerability scanning.
  • Physical security measures for data centers and office premises.
  • Business continuity and disaster recovery planning with regular testing.
  • Employee security awareness training conducted at least annually.
  • Logging and monitoring of access to systems containing Personal Data.
  • ISO 27001 and SOC 2 Type II certified information security management.
05

Sub-processors

Cloudteam may engage Sub-processors to assist in providing services. Cloudteam shall maintain an up-to-date list of Sub-processors and notify the Client of any intended changes.

  • Cloudteam will provide the Client with prior written notice before engaging a new Sub-processor, allowing the Client a reasonable period to object.
  • Where the Client objects to a new Sub-processor on reasonable grounds, Cloudteam shall use commercially reasonable efforts to make available an alternative arrangement.
  • Cloudteam shall impose contractual obligations on each Sub-processor that are no less protective than those set out in this DPA.
  • Cloudteam remains fully liable for the acts and omissions of its Sub-processors.
06

Data Subject Rights

Cloudteam shall assist the Client in fulfilling its obligations to respond to Data Subject requests exercising their rights under applicable Data Protection Laws.

  • Right of access — Data Subjects may request confirmation of processing and access to their Personal Data.
  • Right to rectification — Data Subjects may request correction of inaccurate or incomplete Personal Data.
  • Right to erasure — Data Subjects may request deletion of their Personal Data where legally applicable.
  • Right to restriction — Data Subjects may request limitation of processing in certain circumstances.
  • Right to data portability — Data Subjects may request their Personal Data in a structured, machine-readable format.
  • Right to object — Data Subjects may object to processing based on legitimate interests or direct marketing.
  • Cloudteam will promptly notify the Client of any request received directly from a Data Subject and will not respond without the Client's authorization unless legally required.
07

Data Breach Notification

In the event of a Personal Data breach, Cloudteam shall comply with the following notification obligations:

  • Notify the Client without undue delay and no later than 48 hours after becoming aware of a Personal Data breach.
  • Provide sufficient information to allow the Client to meet its obligations to report the breach to supervisory authorities and affected Data Subjects.
  • Notification shall include: nature of the breach, categories and approximate number of Data Subjects affected, likely consequences, and measures taken or proposed to address the breach.
  • Cooperate with the Client and take reasonable commercial steps to assist in the investigation, mitigation, and remediation of the breach.
  • Document all Personal Data breaches, including facts, effects, and remedial actions taken.
08

International Data Transfers

Where Personal Data is transferred to a country outside the jurisdiction of the Client, Cloudteam shall ensure appropriate safeguards are in place:

  • Standard Contractual Clauses (SCCs) approved by the European Commission, where applicable.
  • Binding Corporate Rules or other legally recognized transfer mechanisms.
  • Assessment of the data protection laws of the recipient country to ensure adequate protection.
  • Additional technical measures (encryption, pseudonymization) where necessary to supplement transfer safeguards.
  • Cloudteam will inform the Client of any legally binding request for disclosure of Personal Data by a law enforcement authority unless otherwise prohibited.
09

Audits and Inspections

Cloudteam shall make available to the Client all information necessary to demonstrate compliance with this DPA and shall allow for and contribute to audits.

  • The Client may conduct audits, including inspections, no more than once per year with at least 30 days prior written notice.
  • Cloudteam shall provide reasonable assistance during audits, including access to relevant facilities, systems, and personnel.
  • Audit findings shall be treated as Confidential Information of Cloudteam.
  • Cloudteam may satisfy audit requests by providing copies of relevant certifications (ISO 27001, SOC 2 Type II) and third-party audit reports.
  • If an audit reveals material non-compliance, Cloudteam shall promptly remediate identified issues at its own expense.
10

Term and Termination

This DPA shall remain in effect for the duration of the Agreement. Upon termination or expiry:

  • Cloudteam shall, at the Client's election, return or securely delete all Personal Data within 30 days of the termination date.
  • Cloudteam may retain Personal Data to the extent required by applicable law, provided that such data is protected in accordance with this DPA.
  • Upon request, Cloudteam shall provide written certification of the deletion of Personal Data.
  • Obligations under this DPA that by their nature should survive termination shall continue to apply, including confidentiality and data breach notification obligations.
11

Liability and Indemnification

Liability arising under this DPA shall be subject to the limitations and exclusions of liability set out in the Agreement, except where prohibited by applicable Data Protection Laws.

  • Each party shall be liable for damages caused by processing that infringes applicable Data Protection Laws.
  • Cloudteam shall indemnify the Client for any losses arising from Cloudteam's breach of this DPA or applicable Data Protection Laws.
  • The total aggregate liability of either party under this DPA shall be subject to the liability cap in the Agreement.
12

Governing Law

This DPA shall be governed by and construed in accordance with the laws specified in the Agreement. Where the Agreement is silent, this DPA shall be governed by the laws of the Socialist Republic of Vietnam.

Any disputes arising under this DPA shall be resolved in accordance with the dispute resolution provisions of the Agreement.