GDPR & Data Processing Agreement
1. Applicability
This Jetserver Cloud Data Processing Agreement (“DPA”) shall apply to all of your (“User’s”) agreements (“Agreements”) with Jetserver Cloud and its affiliates and/or subsidiaries (“Jetserver Cloud”) and you and/or the entity you represent (“Customer”) supplements the Jetserver Cloud terms of use available at: https://www.jetserver.co.il/tos/, as updated from time to time (“TOU”), or any agreement between Customer and Jetserver Cloud, governing Customer’s use of the Services (“Agreements”) to the extent that Jetserver Cloud processes data.
2. Definitions.
2.1. Terms used in this DPA but not defined herein (whether or not capitalized) shall have the meanings assigned to such terms in the Agreements, or in the Applicable Data Protection Laws, as applicable.
2.2 ”Applicable Data Protection Laws“ shall mean, to the extent applicable to Jetserver Cloud’’s processing of Personal Data hereunder (with respect to each data subject): (i) General Data Protection Regulations (European Parliament and Council of European Union (2016) Regulation (EU) 2016/679) (EU GDPR); (ii) EU GDPR as it forms part of the law of England and Wales by virtue of section 3 of the European Union (Withdrawal) Act 2018 and UK Data Protection Act 2018 (UK GDPR) ; (iii) California Consumer Privacy Act of 2018 (CCPA) and the California Privacy Rights Act of 2020 (CPRA); (iv) Protection of Privacy Law (Israel); and (v) any rules or regulations that amend and/or replace any of the aforementioned Data Protection Laws. In the event of any conflict between the Applicable Data Protection Laws, the most restrictive law applicable to the Customer shall govern.
2.3 “Customer Data” shall mean the Personal Data (as defined below) that is uploaded to the Jetserver Cloud Services which may include software, data, text, audio, video, or images that Customer or any of its end customers transfers to Jetserver Cloud for processing, storage, or hosting by the Services. Customer Data does not include account information about Customer relating to and/or in connection with Customer account (e.g., Customer name and surname, phone numbers, email addresses, payment information or other information related to the management of Jetserver Cloud resources such as access permissions, service usage, etc.) which is governed by the Privacy Notice (“PN”).
2.4 Personal Data“ refers to the definition of that term or any other similar term defined under the Applicable Data Protection Laws.
2.5 “Standard Contractual Clauses or SCCs” shall mean: where the EU GDPR applies, the standard contractual clauses pursuant to the EU Commission’s Implementing Decision 2021/914 of 4 June 2021 currently set out at: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj (“EU SCCs”); (ii) where the UK GDPR applies, the EU SCCs together with the UK Information Commissioner’s Office addendum, under S119A(1) of the Data Protection Act 2018 (“UK Addendum”); or any other Standard Contractual Clauses which amended and/or replace such Standard Contractual Clauses in accordance with Applicable Data Protection Law.
2.6.“Services” means the services and products provided to Customer by Jetserver Cloud in accordance with the Agreements.
3. Processing of Personal Data on behalf of a Customer.
The Parties acknowledge and agree that with regard to the Processing of Personal Data performed solely on behalf of Customer: (i) Customer is the Controller or Business (to the extent the CCPA is applicable) of Personal Data; (ii) Jetserver Cloud acts as a Processor or Service Provider (to the extent the CCPA is applicable) for Customer, and upon the instructions of Customer, as set forth herein, and in the Agreements, as may be amended from time to time by Jetserver Cloud (collectively, the “Terms“), pursuant to which personal data may be disclosed to Jetserver Cloud and Jetserver Cloud may process such personal data (the “Contracted Business Purpose”).
4. Customer Representations.
Customer sets forth the details, including the purpose, the means and the ways in which Jetserver Cloud shall process the Customer Data, as required by Applicable Data Protection Laws in Appendix A (Details of Processing of Processed Personal Data), attached hereto, and Customer represents and warrants that:
4.1. It complies with personal data security and other obligations prescribed by Applicable Data Protection Laws for controller/businesses, and that the provision of Customer Data to Jetserver Cloud complies with Applicable Data Protection Laws;
4.2. It only processes personal data/personal information that has been collected in accordance with the Applicable Data Protection Laws;
4.3. It has in place procedures in case individuals/consumers whose personal data is collected, wish to exercise their rights in accordance with the Applicable Data Protection Laws;
4.4. It provides Customer Data to Jetserver Cloud for a business purpose in accordance with the representations Customer makes to consumers in Customer’s privacy policy, and Customer does not sell Customer Data to Jetserver Cloud;
4.5. It shall provide to Jetserver Cloud as a processor/service provider, or otherwise have Jetserver Cloud (oranyone on its behalf) process such Customer Data which is explicitly permitted under Jetserver Cloud’s PN (“Permitted Personal Data“). Solely Customer shall be liable for any data which is made available to Jetserver Cloud in excess of the Permitted Personal Data (“Non-Permitted Data”).Jetserver Cloud’s obligations under the Terms shall not apply to any suchNon-Permitted Data;
4.6. It is and will remain duly and effectively authorized to give the instruction set out herein and any additional instructions as provided pursuant to the Terms, at all relevant times and at least for as long as the Terms are in effect and for any additional period during which Jetserver Cloud is lawfully processing personal data/personal information;
4.7. Notwithstanding anything to the contrary herein, Customer acknowledges that Jetserver Cloud is able to access Customer Data, and might do so when required for operational and maintenance purposes and if required to provide the Services.
5. Jetserver Cloud Obligations.
5.1. Jetserver Cloud carries out the processing of Customer Data on Customer’’s behalf;
5.2. Pursuant to the provisions of Article 28 of the GDPR, Jetserver Cloud represents and warrants that it will:
5.2.1. Process Customer Data solely on Customer’s behalf and in compliance with User’s instructions (including relating to international data transfers ), including instructions in this DPA and all Terms, unless required to do so by EU or applicable Member State law;
5.2.2. Implement appropriate technical and organizational measures to provide an appropriate level of security, including, as appropriate and applicable, the measures referred to in Article 32(1) of the GDPR;
5.2.3. Take reasonable steps to ensure that access to the processed Customer Data is limited on a need to know/access basis, and that all Jetserver Cloud personnel receiving such access are subject to confidentiality undertakings or professional or statutory obligations of confidentiality in connection with their access/use of Customer Data.
5.2.4. It shall provide reasonable assistance to Customer with any data protection impact assessments or prior consultations with supervising authorities in relation to processing of Customer Data by the processor/service provider, as required under any Applicable Data Protection Laws, at the written request of the Customer, and at Customer’s sole expense.
5.3. Pursuant to the CCPA, to the extent applicable with respect to each data subject, Jetserver Cloud agrees that:
5.3.1.Jetserver Cloud is acting solely as a service provider with respect to Customer Data for the purposes of the Contracted Business Purpose;
5.3.2.Jetserver Cloud shall not retain, use or disclose Customer Data for any purpose other than for theContracted Business Purpose
5.3.3.Jetserver Cloud may de-identify or aggregate Customer Data as part of performing the servicesspecified in the Terms.
5.3.4.Jetserver Cloud will limit personal information collection, use, retention, and disclosure to activities reasonably necessary and proportionate to achieve the Contracted Business Purposes or another compatible operational purpose.
6. Sub-Processing
6.1. Customer authorizes Jetserver Cloud to appoint sub-processors in accordance with the provision of the Terms. Any subcontractor used must qualify as a service provider under the Applicable Data Protection Laws.Jetserver Cloud cannot make any disclosures to the subcontractor that the CCPA would treat as a sale.
6.2. Jetserver Cloud may continue to use those sub-processors already engaged by Jetserver Cloud as of the date of this DPA. Customer acknowledges and agrees that as of the date of this DPA Jetserver Cloud uses certain subprocessors; a list of such sub-processors will be provided upon request.
6.3. Jetserver Cloud may appoint new sub-processors and shall give reasonable notice of the appointment of any new sub-processor. Customer’s continued use of the applicable services after such notification constitutes Customer’s acceptance of the new sub-processor.
7. Data Subjects’ Rights
7.1. Customer shall be solely responsible for compliance with any statutory obligations concerning requests to exercise data subject rights under Applicable Data Protection Laws (e.g., for access, rectification, deletion of processed Customer Data, etc.). Jetserver Cloud shall reasonably endeavor to assist Customer insofar as feasible, to fulfil Customer’s said obligations with respect to such data subject requests, as applicable, at Cutseomr’s sole reasonable expense.
7.2. Jetserver Cloud shall (i) without undue delay notify customer if it receives a request from a data subject under any Applicable Data Protection Laws in respect of Processed Personal Data; and (ii) not respond to that request, except on the written instructions of Customer or as required by Applicable Data Protection Laws, in which case Jetserver Cloud shall, to the extent permitted by Applicable Data Protection Laws, inform controller/business of that legal requirement before it responds to the request.
8. Personal Data Breach
8.1. Jetserver Cloud shall notify Customer without undue delay upon Jetserver Cloud becoming aware of any personal data breach within the meaning of Applicable Data Protection Laws relating to Customer Data which may require a notification to be made to a supervisory authority or data subject under Applicable Data Protection Laws “Personal Data Breach“.
8.2. At the written request of the Customer and at Customer’s sole expense, Jetserver Cloud shall provide reasonable co-operation and assistance to Customer in respect of Customer’s obligations regarding the investigation of any Personal Data Breach and the notification to the supervisory authority and data subjects in respect of such a Personal Data Breach; provided, however, that Jetserver Cloud shall, at its own expense, use reasonable efforts to contain and remedy any Personal Data Breach caused by Jetserver Cloud (or its agents, representatives, or subcontractors) without undue delay and prevent any further Personal Data Breach, including, but not limited to taking any and all reasonable action necessary to comply with Applicable Data Protection Laws.
9. Deletion or Return of Processed Personal Data
9.1. Subject to the terms hereof, Jetserver Cloud shall within up to sixty (60) days, unless a sooner time period is required by Applicable Data Protection Laws, return and then destroy the Customer Data, except such copies as authorized including under this DPA or required to be retained in accordance with Applicable Data Protection Laws.
9.2. Jetserver Cloud may retain Customer Data only to the extent authorized or required by Applicable Data Protection Laws, provided that Jetserver Cloud shall ensure the confidentiality of such Customer Data and shall ensure that it is only processed for such legal purpose(s). The provisions of this DPA shall govern any such retained Customer Data.
9.3. Upon Customer’s prior written request, Jetserver Cloud shall provide written certification to Customer that it has complied with this Section 9.
10. Audit Rights
10.1. Subject to the terms hereof, and not more than once in each calendar year, Jetserver Cloud shall make available to a reputable auditor mandated by Customer in coordination with Jetserver Cloud, at the reasonable cost of the Customer upon prior written request, within normal business hours at Jetserver Cloud premises, such information necessary and relevant to reasonably demonstrate compliance with this DPA, and shall allow for audits by such reputable auditor mandated by the Customer in relation to the processing of the Customer Data by Jetserver Cloud, provided that such third-party auditor shall be subject to confidentiality obligations.
10.2. Customer shall use (and ensure that each of its mandated auditors use) its best efforts to avoid causing (or, if it cannot avoid, to minimize) any damage, injury or disruption to Jetserver Cloud’s premises, equipment, personnel and business while its personnel are on those premises in the course of such an audit or inspection.
11. International Data Transfers
11.1. Customer may select the datacenters locations as offered by Jetserver Cloud where Customer Data will be processed. Once Customer has made its choice, Jetserver Cloud will not transfer Customer Data from Customer’s selected locations, except as necessary to provide the Services initiated by Customer, or as specifically required by the Customer, or as necessary to comply with applicable law.
11.2. Subject to Section 11.1, Personal Data may be transferred from the European Economic Area and the United Kingdom (“UK”) to countries that offer an adequate level of data protection under or pursuant to the adequacy decisions, as determined by the European Commission pursuant to Article 45 of GDPR, and by the Secretary of State, pursuant to Section 17A of the United Kingdom Data Protection Act 2018, respectively, or other adequate authority, as determined by the EU and the UK (“Adequacy Decisions”), as applicable, without any further safeguard being necessary.
11.3. To the extent that Jetserver Cloud transfers (either directly or via onward transfer) Personal Data to countries outside of the European Economic Area and/or outside of the UK, which have not been subject to a relevant Adequacy Decision, or such transfers are not performed through an alternative recognized compliance mechanism as may be adopted by Jetserver Cloud for the lawful transfer of Personal Data (as set out under the GDPR), and to the extent applicable with respect to each data subject, such transfer of Customer’s Personal Data to other countries, shall be subject, where the application of such SCCs, as between the parties, is required under Applicable Data Protection Laws, to the Standard Contractual Clauses, as such are incorporated into this DPA by reference, and shall be implemented as follows:
11.3.1.In the case of transfer of Personal Data between Customer to Jetserver Cloud, the parties shall implement Module II – “Controller to Processor”, of the Standard Contractual Clauses, with modifications detailed under this Section 11.3.2. However, when Customer is acting as a processor Module III (“Processor-to-Processor”) shall apply, provided that, taking into account the nature of the processing, Customer agrees that it is unlikely that Jetserver Cloud will know the identity of Customer’s controllers, as Jetserver Cloud has no direct relationship with Customer’s controllers and therefore, Customer will fulfil Jetserver Cloud’s obligations to Customer’s controllers under the Processor-to-Processor SCCs.
11.3.2.The parties are deemed to have accepted and executed the SCCs, including the associated annexes. The contents of Annex I of the SCCs are included within Appendix A to this DPA. The contents of Annex II of the SCCs are included within Appendix B to this DPA. The parties further agree to the following implementation choices under the SCCs:
11.3.2.1. Clause 7: shall not be applicable.
11.3.2.2. Clause 9(a): The parties choose Option 2, “General Written Authorization” and specify a time period of thirty (30) days.
11.3.2.3. Clause 11: The parties choose not to include the optional language relating to the use of an independent dispute resolution body.
11.3.2.4. Clause 17: The parties select Option 1 and specify the law of Ireland.
11.3.2.5. Clause 18(b): The parties specify the courts of Ireland.
11.3.3.In the case of transfer of Personal Data between Jetserver Cloud and its Sub-Processors for the purposes of carrying out specific Processing activities (on behalf of Customer) the Partis will enter into Module III (“Processor-to-Processor”) of the Standard Contractual Clauses.
11.3.4.If applicable, when transferring Personal Data governed by the UK GDPR, the parties agree to implement the applicable SCCs, as modified by the UK Addendum. The information required by Table 1 of the UK Transfer Addendum appears within Appendix A to this DPA. In addition, the parties adopt the SCCs, as modified by the UK Transfer Addendum, as to applicable international transfers of UK Personal Data in exactly the same manner set forth in Section 11.1 above, subject to the following:
11.3.4.1. Clause 13: The UK Information Commissioner’s Office (“ICO”) shall be the competent supervisory authority.
11.3.4.2. Clause 17: The SCCs, as modified by the UK Transfer Addendum, shall be governed by the laws of England and Wales.
11.3.4.3. Clause 18: The parties agree that any dispute arising from the SCCs, as modified by the UK Transfer Addendum, shall be resolved by the courts of England and Wales. A UK Data Subject may also bring legal proceedings against the Data Exporter and/or Data Importer before the courts of any country in the UK. The parties agree to submit themselves to the jurisdiction of such courts.
11.4. Appendixes A and B, attached to this DPA shall also apply in connection with the processing of Personal Data, subject to Applicable Data Protection Law.
11.5. Jetserver Cloud reserves the right to adopt an alternative compliance standard to the SCCs for the lawful transfer of Personal Data, provided it is recognized under Data Protection Law. Jetserver Cloud will provide 30 days’ advance notice of its adoption of an alternative compliance standard.
12. General Terms
12.1. Governing Law and Jurisdiction. All disputes with respect to this DPA shall be determined in accordance with the laws of the State of Israel and shall be handled at a competent court in Tel Aviv-Yafo.
12.2. Conflict. In the event of any conflict or inconsistency between this DPA and any other agreements between the parties, including agreements entered into after the date of this DPA, the provisions of this DPA shall prevail.
12.3. Changes in Applicable Data Protection Laws. Jetserver Cloud may by at least forty-five (45) calendar days’ prior written notice to Customer, request in writing any changes to this DPA, if they are required, as a result of any change in any Applicable Data Protection Law, regarding the lawfulness of the processing of Customer Data. If Customer provides its modification request, Jetserver Cloud shall make commercially reasonable efforts to accommodate such modification request, and Customer shall not unreasonably withhold or delay agreement to any consequential changes to this DPA to protect Jetserver Cloud against any additional risks, and/or to indemnify and compensate Jetserver Cloud for any further costs associated with the changes made hereunder.
12.4. Severance. Should any provision of this DPA be invalid or unenforceable, then the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall either be (i) amended as necessary to ensure its validity and enforceability, while preserving the parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.