This Data Processing Addendum (“DPA”) forms part of the agreement between Cloack (“Processor”) and the customer (“Controller”) and governs the processing of personal data that Cloack carries out on the Controller’s behalf under the GDPR and equivalent laws. It applies where Cloack processes personal data as a processor.
1. Roles of the parties
The Controller determines the purposes and means of processing end-user/lead personal data. Cloack acts as Processor and processes that data only on documented instructions from the Controller, including as set out in the agreement and the Privacy Policy.
2. Subject matter and scope
The subject matter is the provision of the Service. The nature and purpose of processing, categories of data subjects, and types of personal data are described in the Privacy Policy and an appendix to be attached. [Placeholder — attach a processing-details appendix.]
3. Processor obligations (GDPR Article 28)
- Process personal data only on the Controller’s documented instructions.
- Ensure persons authorised to process data are bound by confidentiality.
- Implement appropriate technical and organisational security measures (Art. 32).
- Respect the conditions for engaging sub-processors (Section 4).
- Assist the Controller in responding to data-subject requests and in meeting its obligations under Articles 32–36.
- Delete or return personal data at the end of the services, subject to legal retention.
- Make available information necessary to demonstrate compliance and allow for audits.
[Placeholder — expand each clause with counsel.]
4. Sub-processors
The Controller authorises Cloack to engage the sub-processors listed on our Sub-processors page. Cloack imposes data-protection obligations on each sub-processor consistent with this DPA and remains responsible for their performance.
5. International transfers
Where processing involves transfers of personal data outside the EEA/UK, the parties rely on appropriate safeguards such as the EU Standard Contractual Clauses. [SCC module selection and appendices — placeholder to be completed with counsel.]
6. Security and breach notification
Cloack maintains security measures appropriate to the risk and will notify the Controller without undue delay after becoming aware of a personal-data breach affecting the Controller’s data.
7. Return and deletion
On termination, Cloack will delete or return personal data as instructed by the Controller, save for copies required to be retained by law.