Data processing agreement

Data Processing Agreement
This Data Processing Agreement ("DPA")specifies the data protection rights and obligations of the parties inconnection with the processing of personal data processed by Iron Eagle CapitalGmbH (hereinafter "Processor") on behalf of "Customer"under the contract based on the General Terms and Conditions, the applicableService Specific Terms and (if applicable) the Third Party Provider Terms (hereinafter"Main Agreement") concluded between the parties.
1
Scope of application
When providing the services in accordance with the MainAgreement, Processor processes personal data which Customer has made availablefor purpose of providing the services and in respect of which Customer acts as controller in the sense of dataprotection law ("Customer Data"). In the event of contradictions between this DPAand provisions from other agreements, in particular from the Main Agreement,the provisions of this DPA shall take precedence.
2
Subject matter and scope of the processing / Customer’s authority to issue instructions
2.1
When providing the services in accordance with the MainAgreement, Processor processes personal data which Customer has made availablefor purpose of providing the services and in respect of which Customer acts as controller in the sense of dataprotection law ("Customer Data"). In the event of contradictions between this DPAand provisions from other agreements, in particular from the Main Agreement,the provisions of this DPA shall take precedence.
2.2
The processing of Customer Data by Processor shall be carried out exclusively in the nature, to the extent, and for the purposes specified in Annex 1 to this DPA; the processing shall only concern the types of personal data and categories of data subjects specified therein.
2.3
The duration of the processing corresponds to the term of the Main Agreement.
2.4
Processor is allowed to process Customer Data or have Customer Data processed by sub-processors outside the European Economic Area ("EEA") in accordance with Section 5 of this DPA if the requirements of Articles 44 to 48 GDPR are fulfilled, if an exception under Art. 49 GDPR applies or if the transfer outside the EEA is expressly requested or initiated by Customer.
2.5
The instructions are set out in the Main Agreement. Customer is entitled to issue further instructions regarding the nature, scope, purposes and means of processing Customer Data only where such instructions are required by the laws of the European Union or a Member State, or by court or administrative order.]
2.6
Instructions shall be in writing (e-mail sufficient). Customer will confirm oral instructions in writing or by e-mail.
2.7
Processor shall inform Customer immediately if, in its opinion, an instruction infringes this DPA, the GDPR or other data protection provisions of the European Union or the Member States. Processor is entitled to suspend the execution of such an instruction until Customer confirms the instruction in writing (e-mail sufficient). If Customer insists on the execution of an instruction despite the concerns expressed by Processor, Customer shall indemnify and hold harmless Processor from and against any and all damages and costs incurred by Processor as a result of the execution of Customer's instruction. Processor shall inform Customer of any damages and costs asserted against Processor, shall not acknowledge any claims of third parties without the consent of Customer and shall, in Processor's discretion, either conduct the defense in co-ordination with Customer or leave it to Customer.
3
Requirements for personnel
3.1
Processor shall obligate all personnel processing Customer Data to maintain confidentiality, unless they are subject to appropriate statutory confidentiality obligations.
3.2
Processor shall ensure that all personnel under his authority who have access to Customer Data only process this data in accordance with this DPA and Customer's instructions, unless they are required to process Customer Data under the law of the European Union or the Member States.
4
Security of processing
4.1
Taking into account the state of the art, the costs of implementation and – as far as known to Processor – the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of data subjects, Processor shall implement appropriate technical and organisational measures to ensure a level of security for Customer Data appropriate to the risk.
4.2
Prior to the beginning of the processing of Customer Data, Processor shall in particular implement the technical and organisational measures specified in Annex 2 to this DPA and maintain them for the duration of the Main Agreement and ensure that the processing of Customer Data is carried out in accordance with these measures.
4.3
Customer shall verify the technical and organisational measures implemented by Processor, in particular whether they are also sufficient with regard to circumstances of data processing not known to Processor.
4.4
Since the technical and organisational measures are subject to technical progress, Processor is entitled and obligated to implement alternative, adequate measures in order not to fall below the security level of the measures specified in Annex 2. If Processor makes significant changes to the measures set out in Annex 2, it shall inform Customer thereof in advance.
5
Use of sub-processors
5.1
Processor uses the sub-processors listed in Annex 3 for the processing of Customer Data. These are deemed to be authorised upon conclusion of this DPA.
5.2
Processor may use further sub-processors to process Customer Data subject to the following conditions: Processor shall inform Customer at least 30 days before making use of the further sub-processor in written form (e-mail sufficient) to a contact address specified by Customer for this purpose. Unless Customer raises an objection within 14 days, the use of the further sub-processor shall be deemed to have been authorised.
5.3
If Customer objects to the use of a further sub-processor Processor shall be entitled, at its discretion, to continue to provide the services without the rejected sub-processor or to terminate the Main Agreement and this DPA.
5.4
Processor must obligate each sub-processor by means of a written agreement which imposes on the sub-processor, in substance, the same data protection obligations as the ones imposed on Processor in accordance with this DPA.
5.4
Processor shall be obligated to select and use only those sub-processors who offer sufficient guarantees that the appropriate technical and organisational measures are implemented in such a way that the processing of Customer Data is carried out in accordance with the requirements of the GDPR and this DPA.
6
Rights of data subjects
6.1
Processor shall take all reasonable technical and organisational measures to assist Customer in fulfilling its obligation to respond to requests from data subjects to exercise their rights.
6.2
Processor will in particular, within the scope of his possibilities:
a)
inform Customer without undue delay if a data subject should contact Processor directly with a request to exercise his rights in relation to Customer Data;
b)
provide Customer, upon request, with all information in its possession concerning the processing of Customer Data which Customer requires in order to respond to the request of a data subject and which is not available to Customer himself;
c)
correct, delete or limit the processing of Customer Data without undue delay at Customer's instruction, insofar as Customer cannot do this himself and this is technically possible for Processor;
d)
to assist Customer, if necessary, to receive Customer Data processed in Processor's sphere of responsibility – as far as technically possible – in a structured, commonly used and machine-readable format, provided that the data subject has a right to data portability with regard to Customer Data.
7
Other obligations of Processor to assist Customer
7.1
Processor shall take all reasonable technical and organisational measures to assist Customer in fulfilling its obligation to respond to requests from data subjects to exercise their rights.
a)
the nature of the Customer Data breach, specifying, where possible, the data categories and approximate number of data subjects concerned;
b)
the likely consequences of the Customer Data breach;
c)
the measures taken or proposed by Processor to remedy the Customer Data breach and, where appropriate, measures to mitigate its possible adverse effects.
7.2
In the event of any Customer Data breach, Processor shall, without delay, take all necessary and reasonable measures to remedy Customer Data breach and, if necessary, to mitigate its possible adverse effects.
7.3
If Customer is obligated to provide information about the processing of Customer Data to a government agency or a third party or to otherwise cooperate with such entity, Processor shall be obligated to support Customer in providing such information or in fulfilling other obligations to cooperate.
7.4
Processor shall assist Customer in complying with its obligations under Art. 32 GDPR, to the extent possible considering the information Processor has with respect to Customer’s use of Processor’s services.
7.5
In the event that Customer is obligated to inform supervisory authorities and/or data subjects in accordance with Art. 33, 34 GDPR, Processor shall, insofar as this is possible, assist Customer in complying with these obligations at the latter's request. In particular, Processor is obligated to document all Customer Data breaches, including all related facts, in a manner that enables Customer to prove compliance with any relevant statutory reporting obligations.
7.6
Processor shall support Customer with the information available to him and assist, within reason, in any data protection impact assessment to be carried out by Customer and, if necessary, subsequent consultations with the supervisory authorities in accordance with Art. 35, 36 GDPR.
8
Data deletion and return
8.1
Upon termination of the Main Agreement , Processor shall, upon Customer's instruction, either completely delete all Customer Data or return it to Customer and delete existing copies, unless the law of the European Union or a Member State requires the continued storage of Customer Data.
8.2
However, Processor is entitled to keep backup copies of Customer Data for a period of 30 days, insofar as deletion of Customer Data from these backup copies is not required for technical reasons or with regard to Art. 32 GDPR. For this period, the rights and obligations of the parties under this DPA with regard to the backup copies shall continue to apply in deviation from Section 2.3
8.3
Documentation which serves as proof of the orderly and proper processing of Customer Data is to be kept by Processor in accordance with the statutory retention periods beyond the term of this DPA.
9
Audit rights
9.1
Processor shall ensure and regularly evaluate that the processing of Customer Data is carried out in accordance with this DPA, the Main Agreement and Customer's instructions.
9.2
Processor shall document the implementation of the obligations under this DPA in a suitable manner and shall provide Customer with all necessary evidence of Processor's compliance with its obligations under the GDPR and this DPA at Customer's request.
9.3
Customer shall be entitled to audit Processor regularly during the term of the Main Agreement with regard to compliance with the provisions of this DPA, in particular the implementation of the technical and organisational measures in accordance with Annex 2, either itself or through a qualified auditor subject to appropriate confidentiality obligations; this shall include inspections. Processor shall allow and shall contribute to such audits by taking all reasonable and appropriate measures; inter alia by granting the necessary access rights and by providing all necessary information.
9.4
The audits and inspections shall not, as far as possible, obstruct or unduly burden Processor in his normal business operations. In particular, inspections at Processor's premises without any specific reason should not take place more than once per calendar year and only during Processor's normal business hours. Customer shall notify Processor of inspections in good time in advance and in writing (e-mail sufficient).
9.5
In accordance with the provisions of the GDPR, Customer and Processor are subject to public controls by the competent supervisory authority. At the request of Customer, Processor shall provide the supervisory authority with the desired information and shall give the supervisory authority or the persons appointed by it the opportunity to carry out audits, including inspections of Processor. In this context, Processor shall grant the competent supervisory authority the necessary rights of access, information and inspection.
10
Liability
The limitations of liability agreed in the Main Agreement apply accordingly.
11
Miscellaneous
11.1
Amendments and subsidiary agreements to this DPA must be made in writing. This also applies to this written form clause.
11.2
Agreements on the choice of law and place of jurisdiction from the Main Agreement shall apply accordingly to this DPA.]
Annex 1 - Purpose, nature andextent of data processing, type of data and categories of data subjects
Purpose of the data processingAccess to the Nuco.cloud web application and provision of the Services set out in the Main Agreement.
Nature and scope of data processing Automated processing of Customer Data to provide the Services set out in the Main Agreement. Provision of the Nuco.cloud web application.
Type of dataAll data uploaded, downloaded or generated by Customer when using the Services. Name, email address, password and billing information of Customer and/or its employees.
Categories of data subjectsAll data subjects concerned by the data uploaded, downloaded or generated by Customer when using the services. Employees of Customer
Annex 2 – Technical andorganisational measures
Dependingon the third-party providers supplying the Services the following additionaltechnical and organisational measures apply to the respective Services:
Hetzner Online GmbH: https://www.hetzner.com/AV/TOM.pdf
Vultr: https://www.vultr.com/legal/eea-gdpr-privacy/
Cudo VenturesLimited: https://www.cudocompute.com/privacy
Annex 3 – Sub-processors
NameNature of the service
Hetzner Online GmbHThird-party provider (if applicable)
The Constant Company, LLC.Third-party provider (if applicable)
Cudo Ventures LimitedThird-party provider (if applicable)

Data Processing Agreement

This Data Processing Agreement ("DPA") specifies the data protection rights and obligations of the parties in connection with the processing of personal data processed by Iron Eagle Capital GmbH (hereinafter "Processor") on behalf of "Customer" under the contract based on the General Terms and Conditions, the applicable Service Specific Terms and (if applicable) the Third Party Provider Terms (hereinafter "Main Agreement") concluded between the parties. 

1. Scope of application

When providing the services in accordance with the Main Agreement, Processor processes personal data which Customer has made available for purpose of providing the services and in respect of which Customer acts as controller in the sense of data protection law ("Customer Data"). In the event of contradictions between this DPA and provisions from other agreements, in particular from the Main Agreement, the provisions of this DPA shall take precedence.

2. Subject matter and scope of the processing / Customer’s authority to issue instructions

  1. Processor will process the Customer Data exclusively on behalf of Customer and in accordance with Customer's instructions, unless Processor is legally required to process such data under the law of the European Union or a Member State. In such a case, Processor shall inform Customer of these legal requirements prior to processing, unless the law in question prohibits such information on important grounds of public interest. 
  2. The processing of Customer Data by Processor shall be carried out exclusively in the nature, to the extent, and for the purposes specified in Annex 1 to this DPA; the processing shall only concern the types of personal data and categories of data subjects specified therein. 
  3. The duration of the processing corresponds to the term of the Main Agreement. 
  4. Processor is allowed to process Customer Data or have Customer Data processed by sub-processors outside the European Economic Area ("EEA") in accordance with Section 5 of this DPA if the requirements of Articles 44 to 48 GDPR are fulfilled, if an exception under Art. 49 GDPR applies or if the transfer outside the EEA is expressly requested or initiated by Customer. 
  5. The instructions are set out in the Main Agreement. Customer is entitled to issue further instructions regarding the nature, scope, purposes and means of processing Customer Data only where such instructions are required by the laws of the European Union or a Member State, or by court or administrative order.]
  6. Instructions shall be in writing (e-mail sufficient). Customer will confirm oral instructions in writing or by e-mail.
  7. Processor shall inform Customer immediately if, in its opinion, an instruction infringes this DPA, the GDPR or other data protection provisions of the European Union or the Member States. Processor is entitled to suspend the execution of such an instruction until Customer confirms the instruction in writing (e-mail sufficient). If Customer insists on the execution of an instruction despite the concerns expressed by Processor, Customer shall indemnify and hold harmless Processor from and against any and all damages and costs incurred by Processor as a result of the execution of Customer's instruction. Processor shall inform Customer of any damages and costs asserted against Processor, shall not acknowledge any claims of third parties without the consent of Customer and shall, in Processor's discretion, either conduct the defense in co-ordination with Customer or leave it to Customer.  

3. Requirements for personnel

  1. Processor shall obligate all personnel processing Customer Data to maintain confidentiality, unless they are subject to appropriate statutory confidentiality obligations. 
  2. Processor shall ensure that all personnel under his authority who have access to Customer Data only process this data in accordance with this DPA and Customer's instructions, unless they are required to process Customer Data under the law of the European Union or the Member States.

4. Security of processing

  1. Taking into account the state of the art, the costs of implementation and – as far as known to Processor – the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of data subjects, Processor shall implement appropriate technical and organisational measures to ensure a level of security for Customer Data appropriate to the risk. 
  2. Prior to the beginning of the processing of Customer Data, Processor shall in particular implement the technical and organisational measures specified in Annex 2 to this DPA and maintain them for the duration of the Main Agreement and ensure that the processing of Customer Data is carried out in accordance with these measures.
  3. Customer shall verify the technical and organisational measures implemented by Processor, in particular whether they are also sufficient with regard to circumstances of data processing not known to Processor.
  4. Since the technical and organisational measures are subject to technical progress, Processor is entitled and obligated to implement alternative, adequate measures in order not to fall below the security level of the measures specified in Annex 2. If Processor makes significant changes to the measures set out in Annex 2, it shall inform Customer thereof in advance.

5. Use of sub-processors

  1. Processor uses the sub-processors listed in Annex 3 for the processing of Customer Data. These are deemed to be authorised upon conclusion of this DPA.
  2. Processor may use further sub-processors to process Customer Data subject to the following conditions: 

Processor shall inform Customer at least 30 days before making use of the further sub-processor in written form (e-mail sufficient) to a contact address specified by Customer for this purpose. Unless Customer raises an objection within 14 days, the use of the further sub-processor shall be deemed to have been authorised.

  1. If Customer objects to the use of a further sub-processor Processor shall be entitled, at its discretion, to continue to provide the services without the rejected sub-processor or to terminate the Main Agreement and this DPA.
  2. Processormust obligate each sub-processor by means of a written agreement which imposes on thesub-processor, in substance, the same data protection obligations as the onesimposed on Processor in accordance with this DPA.
  3. Processor shall be obligated to select and use onlythose sub-processors who offer sufficient guarantees that the appropriatetechnical and organisational measures are implemented in such a way that theprocessing of Customer Data is carried out in accordance with the requirementsof the GDPR and this DPA.

6. Rights of data subjects

  1. Processor shall take all reasonable technical and organisational measures to assist Customer in fulfilling its obligation to respond to requests from data subjects to exercise their rights. 
  2. Processor will in particular, within the scope of his possibilities: 
    1. inform Customer without undue delay if a data subject should contact Processor directly with a request to exercise his rights in relation to Customer Data;
    2. provide Customer, upon request, with all information in its possession concerning the processing of Customer Data which Customer requires in order to respond to the request of a data subject and which is not available to Customer himself; 
    3. correct, delete or limit the processing of Customer Data without undue delay at Customer's instruction, insofar as Customer cannot do this himself and this is technically possible for Processor; 
    4. to assist Customer, if necessary, to receive Customer Data processed in Processor's sphere of responsibility – as far as technically possible – in a structured, commonly used and machine-readable format, provided that the data subject has a right to data portability with regard to Customer Data. 

7. Other obligations of Processor to assist Customer

  1. Processor shall notify Customer immediately after becoming aware of any Customer Data breach, in particular incidents which lead to the actual destruction, loss, alteration or unauthorised disclosure of or access to Customer Data. Such notification shall contain a description, if possible, of: 
    1. the nature of the Customer Data breach, specifying, where possible, the data categories and approximate number of data subjects concerned;
    2. the likely consequences of the Customer Data breach; 
    3. the measures taken or proposed by Processor to remedy the Customer Data breach and, where appropriate, measures to mitigate its possible adverse effects.
  2. In the event of any Customer Data breach, Processor shall, without delay, take all necessary and reasonable measures to remedy Customer Data breach and, if necessary, to mitigate its possible adverse effects.
  3. If Customer is obligated to provide information about the processing of Customer Data to a government agency or a third party or to otherwise cooperate with such entity, Processor shall be obligated to support Customer in providing such information or in fulfilling other obligations to cooperate.
  4. Processor shall assist Customer in complying with its obligations under Art. 32 GDPR, to the extent possible considering the information Processor has with respect to Customer’s use of Processor’s services.
  5. In the event that Customer is obligated to inform supervisory authorities and/or data subjects in accordance with Art. 33, 34 GDPR, Processor shall, insofar as this is possible, assist Customer in complying with these obligations at the latter's request. In particular, Processor is obligated to document all Customer Data breaches, including all related facts, in a manner that enables Customer to prove compliance with any relevant statutory reporting obligations.
  6. Processor shall support Customer with the information available to him and assist, within reason, in any data protection impact assessment to be carried out by Customer and, if necessary, subsequent consultations with the supervisory authorities in accordance with Art. 35, 36 GDPR.

8. Data deletion and return

  1. Upon termination of the Main Agreement , Processor shall, upon Customer's instruction, either completely delete all Customer Data or return it to Customer and delete existing copies, unless the law of the European Union or a Member State requires the continued storage of Customer Data. 
  2. However, Processor is entitled to keep backup copies of Customer Data for a period of 30 days, insofar as deletion of Customer Data from these backup copies is not required for technical reasons or with regard to Art. 32 GDPR. For this period, the rights and obligations of the parties under this DPA with regard to the backup copies shall continue to apply in deviation from Section 2.3
  3. Documentation which serves as proof of the orderly and proper processing of Customer Data is to be kept by Processor in accordance with the statutory retention periods beyond the term of this DPA.

9. Audit rights

  1. Processor shall ensure and regularly evaluate that the processing of Customer Data is carried out in accordance with this DPA, the Main Agreement and Customer's instructions.
  2. Processor shall document the implementation of the obligations under this DPA in a suitable manner and shall provide Customer with all necessary evidence of Processor's compliance with its obligations under the GDPR and this DPA at Customer's request.
  3. Customer shall be entitled to audit Processor regularly during the term of the Main Agreement with regard to compliance with the provisions of this DPA, in particular the implementation of the technical and organisational measures in accordance with Annex 2, either itself or through a qualified auditor subject to appropriate confidentiality obligations; this shall include inspections. Processor shall allow and shall contribute to such audits by taking all reasonable and appropriate measures; inter alia by granting the necessary access rights and by providing all necessary information. 
  4. The audits and inspections shall not, as far as possible, obstruct or unduly burden Processor in his normal business operations. In particular, inspections at Processor's premises without any specific reason should not take place more than once per calendar year and only during Processor's normal business hours. Customer shall notify Processor of inspections in good time in advance and in writing (e-mail sufficient).
  5. In accordance with the provisions of the GDPR, Customer and Processor are subject to public controls by the competent supervisory authority. At the request of Customer, Processor shall provide the supervisory authority with the desired information and shall give the supervisory authority or the persons appointed by it the opportunity to carry out audits, including inspections of Processor. In this context, Processor shall grant the competent supervisory authority the necessary rights of access, information and inspection.

10. Liability

The limitations of liability agreed in the Main Agreement apply accordingly.

11. Miscellaneous

  1. Amendments and subsidiary agreements to this DPA must be made in writing. This also applies to this written form clause.
  2. Agreements on the choice of law and place of jurisdiction from the Main Agreement shall apply accordingly to this DPA.]

Annex 1 - Purpose, nature and extent of data processing, type of data and categories of data subjects

Purpose of the data processing

Access to the Nuco.cloud web application and provision of the Services set out in the Main Agreement.

Nature and scope of data processing 

Automated processing of Customer Data to provide the Services set out in the Main Agreement.

Provision of the Nuco.cloud web application.

Type of data

All data uploaded, downloaded or generated by Customer when using the Services.

Name, email address, password and billing information of Customer and/or its employees.

Categories of data subjects

All data subjects concerned by the data uploaded, downloaded or generated by Customer when using the services.

Employees of Customer

Annex 2 – Technical and organisational measures

Depending on the third-party providers supplying the Services the following additional technical and organisational measures apply to the respective Services:

Hetzner Online GmbH: https://www.hetzner.com/AV/TOM.pdf

Vultr: https://www.vultr.com/legal/eea-gdpr-privacy/

Cudo Ventures Limited: https://www.cudocompute.com/privacy

Data Processing Agreement

This Data Processing Agreement ("DPA") specifies the data protection rights and obligations of the parties in connection with the processing of personal data processed by Iron Eagle Capital GmbH (hereinafter "Processor") on behalf of "Customer" under the contract based on the General Terms and Conditions, the applicable Service Specific Terms and (if applicable) the Third Party Provider Terms (hereinafter "Main Agreement") concluded between the parties. 

  1. Scope of application

When providing the services in accordance with the Main Agreement, Processor processes personal data which Customer has made available for purpose of providing the services and in respect of which Customer acts as controller in the sense of data protection law ("Customer Data"). In the event of contradictions between this DPA and provisions from other agreements, in particular from the Main Agreement, the provisions of this DPA shall take precedence.

Subject matter and scope of the processing / Customer’s authority to issue instructions

  1. Processor will process the Customer Data exclusively on behalf of Customer and in accordance with Customer's instructions, unless Processor is legally required to process such data under the law of the European Union or a Member State. In such a case, Processor shall inform Customer of these legal requirements prior to processing, unless the law in question prohibits such information on important grounds of public interest. 
  2. The processing of Customer Data by Processor shall be carried out exclusively in the nature, to the extent, and for the purposes specified in Annex 1 to this DPA; the processing shall only concern the types of personal data and categories of data subjects specified therein. 
  3. The duration of the processing corresponds to the term of the Main Agreement. 
  4. Processor is allowed to process Customer Data or have Customer Data processed by sub-processors outside the European Economic Area ("EEA") in accordance with Section 5 of this DPA if the requirements of Articles 44 to 48 GDPR are fulfilled, if an exception under Art. 49 GDPR applies or if the transfer outside the EEA is expressly requested or initiated by Customer. 
  5. The instructions are set out in the Main Agreement. Customer is entitled to issue further instructions regarding the nature, scope, purposes and means of processing Customer Data only where such instructions are required by the laws of the European Union or a Member State, or by court or administrative order.]
  6. Instructions shall be in writing (e-mail sufficient). Customer will confirm oral instructions in writing or by e-mail.
  7. Processor shall inform Customer immediately if, in its opinion, an instruction infringes this DPA, the GDPR or other data protection provisions of the European Union or the Member States. Processor is entitled to suspend the execution of such an instruction until Customer confirms the instruction in writing (e-mail sufficient). If Customer insists on the execution of an instruction despite the concerns expressed by Processor, Customer shall indemnify and hold harmless Processor from and against any and all damages and costs incurred by Processor as a result of the execution of Customer's instruction. Processor shall inform Customer of any damages and costs asserted against Processor, shall not acknowledge any claims of third parties without the consent of Customer and shall, in Processor's discretion, either conduct the defense in co-ordination with Customer or leave it to Customer.  
  8. Requirements for personnel
    1. Processor shall obligate all personnel processing Customer Data to maintain confidentiality, unless they are subject to appropriate statutory confidentiality obligations. 
    2. Processor shall ensure that all personnel under his authority who have access to Customer Data only process this data in accordance with this DPA and Customer's instructions, unless they are required to process Customer Data under the law of the European Union or the Member States.
  9. Security of processing
    1. Taking into account the state of the art, the costs of implementation and – as far as known to Processor – the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of data subjects, Processor shall implement appropriate technical and organisational measures to ensure a level of security for Customer Data appropriate to the risk. 
    2. Prior to the beginning of the processing of Customer Data, Processor shall in particular implement the technical and organisational measures specified in Annex 2 to this DPA and maintain them for the duration of the Main Agreement and ensure that the processing of Customer Data is carried out in accordance with these measures.
    3. Customer shall verify the technical and organisational measures implemented by Processor, in particular whether they are also sufficient with regard to circumstances of data processing not known to Processor.
    4. Since the technical and organisational measures are subject to technical progress, Processor is entitled and obligated to implement alternative, adequate measures in order not to fall below the security level of the measures specified in Annex 2. If Processor makes significant changes to the measures set out in Annex 2, it shall inform Customer thereof in advance.
  10. Use of sub-processors
    1. Processor uses the sub-processors listed in Annex 3 for the processing of Customer Data. These are deemed to be authorised upon conclusion of this DPA.
    2. Processor may use further sub-processors to process Customer Data subject to the following conditions: 

Processor shall inform Customer at least 30 days before making use of the further sub-processor in written form (e-mail sufficient) to a contact address specified by Customer for this purpose. Unless Customer raises an objection within 14 days, the use of the further sub-processor shall be deemed to have been authorised.

  1. If Customer objects to the use of a further sub-processor Processor shall be entitled, at its discretion, to continue to provide the services without the rejected sub-processor or to terminate the Main Agreement and this DPA.
  2. Processor must obligate each sub-processor by means of a written agreement which imposes on the sub-processor, in substance, the same data protection obligations as the ones imposed on Processor in accordance with this DPA.
  3. Processor shall be obligated to select and use only those sub-processors who offer sufficient guarantees that the appropriate technical and organisational measures are implemented in such a way that the processing of Customer Data is carried out in accordance with the requirements of the GDPR and this DPA.
  1. Rights of data subjectssome text
    1. Processor shall take all reasonable technical and organisational measures to assist Customer in fulfilling its obligation to respond to requests from data subjects to exercise their rights. 
    2. Processor will in particular, within the scope of his possibilities: 
  1. inform Customer without undue delay if a data subject should contact Processor directly with a request to exercise his rights in relation to Customer Data;
  2. provide Customer, upon request, with all information in its possession concerning the processing of Customer Data which Customer requires in order to respond to the request of a data subject and which is not available to Customer himself; 
  3. correct, delete or limit the processing of Customer Data without undue delay at Customer's instruction, insofar as Customer cannot do this himself and this is technically possible for Processor; 
  4. to assist Customer, if necessary, to receive Customer Data processed in Processor's sphere of responsibility – as far as technically possible – in a structured, commonly used and machine-readable format, provided that the data subject has a right to data portability with regard to Customer Data. 
  1. Other obligations of Processor to assist Customersome text
    1. Processor shall notify Customer immediately after becoming aware of any Customer Data breach, in particular incidents which lead to the actual destruction, loss, alteration or unauthorised disclosure of or access to Customer Data. Such notification shall contain a description, if possible, of: 
  1. the nature of the Customer Data breach, specifying, where possible, the data categories and approximate number of data subjects concerned;
  2. the likely consequences of the Customer Data breach; 
  3. the measures taken or proposed by Processor to remedy the Customer Data breach and, where appropriate, measures to mitigate its possible adverse effects.
  1. In the event of any Customer Data breach, Processor shall, without delay, take all necessary and reasonable measures to remedy Customer Data breach and, if necessary, to mitigate its possible adverse effects.
  2. If Customer is obligated to provide information about the processing of Customer Data to a government agency or a third party or to otherwise cooperate with such entity, Processor shall be obligated to support Customer in providing such information or in fulfilling other obligations to cooperate.
  3. Processor shall assist Customer in complying with its obligations under Art. 32 GDPR, to the extent possible considering the information Processor has with respect to Customer’s use of Processor’s services.
  4. In the event that Customer is obligated to inform supervisory authorities and/or data subjects in accordance with Art. 33, 34 GDPR, Processor shall, insofar as this is possible, assist Customer in complying with these obligations at the latter's request. In particular, Processor is obligated to document all Customer Data breaches, including all related facts, in a manner that enables Customer to prove compliance with any relevant statutory reporting obligations.
  5. Processor shall support Customer with the information available to him and assist, within reason, in any data protection impact assessment to be carried out by Customer and, if necessary, subsequent consultations with the supervisory authorities in accordance with Art. 35, 36 GDPR.
  1. Data deletion and returnsome text
    1. Upon termination of the Main Agreement , Processor shall, upon Customer's instruction, either completely delete all Customer Data or return it to Customer and delete existing copies, unless the law of the European Union or a Member State requires the continued storage of Customer Data. 
    2. However, Processor is entitled to keep backup copies of Customer Data for a period of 30 days, insofar as deletion of Customer Data from these backup copies is not required for technical reasons or with regard to Art. 32 GDPR. For this period, the rights and obligations of the parties under this DPA with regard to the backup copies shall continue to apply in deviation from Section 2.3
    3. Documentation which serves as proof of the orderly and proper processing of Customer Data is to be kept by Processor in accordance with the statutory retention periods beyond the term of this DPA.
  2. Audit rights some text
    1. Processor shall ensure and regularly evaluate that the processing of Customer Data is carried out in accordance with this DPA, the Main Agreement and Customer's instructions.
    2. Processor shall document the implementation of the obligations under this DPA in a suitable manner and shall provide Customer with all necessary evidence of Processor's compliance with its obligations under the GDPR and this DPA at Customer's request.
    3. Customer shall be entitled to audit Processor regularly during the term of the Main Agreement with regard to compliance with the provisions of this DPA, in particular the implementation of the technical and organisational measures in accordance with Annex 2, either itself or through a qualified auditor subject to appropriate confidentiality obligations; this shall include inspections. Processor shall allow and shall contribute to such audits by taking all reasonable and appropriate measures; inter alia by granting the necessary access rights and by providing all necessary information. 
    4. The audits and inspections shall not, as far as possible, obstruct or unduly burden Processor in his normal business operations. In particular, inspections at Processor's premises without any specific reason should not take place more than once per calendar year and only during Processor's normal business hours. Customer shall notify Processor of inspections in good time in advance and in writing (e-mail sufficient).
    5. In accordance with the provisions of the GDPR, Customer and Processor are subject to public controls by the competent supervisory authority. At the request of Customer, Processor shall provide the supervisory authority with the desired information and shall give the supervisory authority or the persons appointed by it the opportunity to carry out audits, including inspections of Processor. In this context, Processor shall grant the competent supervisory authority the necessary rights of access, information and inspection.
  3. Liability

The limitations of liability agreed in the Main Agreement apply accordingly.

  1. Miscellaneoussome text
    1. Amendments and subsidiary agreements to this DPA must be made in writing. This also applies to this written form clause.
    2. Agreements on the choice of law and place of jurisdiction from the Main Agreement shall apply accordingly to this DPA.]
  1. Annex 1 - Purpose, nature and extent of data processing, type of data and categories of data subjects

Purpose of the data processing

Access to the Nuco.cloud web application and provision of the Services set out in the Main Agreement.

Nature and scope of data processing 

Automated processing of Customer Data to provide the Services set out in the Main Agreement.

Provision of the Nuco.cloud web application.

Type of data

All data uploaded, downloaded or generated by Customer when using the Services.

Name, email address, password and billing information of Customer and/or its employees.

Categories of data subjects

All data subjects concerned by the data uploaded, downloaded or generated by Customer when using the services.

Employees of Customer

  1. Annex 2 – Technical and organisational measures

Depending on the third-party providers supplying the Services the following additional technical and organisational measures apply to the respective Services:

Hetzner Online GmbH: https://www.hetzner.com/AV/TOM.pdf

Vultr: https://www.vultr.com/legal/eea-gdpr-privacy/

Cudo Ventures Limited: https://www.cudocompute.com/privacy

Data Processing Agreement

This Data Processing Agreement ("DPA") specifies the data protection rights and obligations of the parties in connection with the processing of personal data processed by Iron Eagle Capital GmbH (hereinafter "Processor") on behalf of "Customer" under the contract based on the General Terms and Conditions, the applicable Service Specific Terms and (if applicable) the Third Party Provider Terms (hereinafter "Main Agreement") concluded between the parties. 

  1. Scope of application

When providing the services in accordance with the Main Agreement, Processor processes personal data which Customer has made available for purpose of providing the services and in respect of which Customer acts as controller in the sense of data protection law ("Customer Data"). In the event of contradictions between this DPA and provisions from other agreements, in particular from the Main Agreement, the provisions of this DPA shall take precedence.

Subject matter and scope of the processing / Customer’s authority to issue instructions

  1. Processor will process the Customer Data exclusively on behalf of Customer and in accordance with Customer's instructions, unless Processor is legally required to process such data under the law of the European Union or a Member State. In such a case, Processor shall inform Customer of these legal requirements prior to processing, unless the law in question prohibits such information on important grounds of public interest. 
  2. The processing of Customer Data by Processor shall be carried out exclusively in the nature, to the extent, and for the purposes specified in Annex 1 to this DPA; the processing shall only concern the types of personal data and categories of data subjects specified therein. 
  3. The duration of the processing corresponds to the term of the Main Agreement. 
  4. Processor is allowed to process Customer Data or have Customer Data processed by sub-processors outside the European Economic Area ("EEA") in accordance with Section 5 of this DPA if the requirements of Articles 44 to 48 GDPR are fulfilled, if an exception under Art. 49 GDPR applies or if the transfer outside the EEA is expressly requested or initiated by Customer. 
  5. The instructions are set out in the Main Agreement. Customer is entitled to issue further instructions regarding the nature, scope, purposes and means of processing Customer Data only where such instructions are required by the laws of the European Union or a Member State, or by court or administrative order.]
  6. Instructions shall be in writing (e-mail sufficient). Customer will confirm oral instructions in writing or by e-mail.
  7. Processor shall inform Customer immediately if, in its opinion, an instruction infringes this DPA, the GDPR or other data protection provisions of the European Union or the Member States. Processor is entitled to suspend the execution of such an instruction until Customer confirms the instruction in writing (e-mail sufficient). If Customer insists on the execution of an instruction despite the concerns expressed by Processor, Customer shall indemnify and hold harmless Processor from and against any and all damages and costs incurred by Processor as a result of the execution of Customer's instruction. Processor shall inform Customer of any damages and costs asserted against Processor, shall not acknowledge any claims of third parties without the consent of Customer and shall, in Processor's discretion, either conduct the defense in co-ordination with Customer or leave it to Customer.  
  8. Requirements for personnel
    1. Processor shall obligate all personnel processing Customer Data to maintain confidentiality, unless they are subject to appropriate statutory confidentiality obligations. 
    2. Processor shall ensure that all personnel under his authority who have access to Customer Data only process this data in accordance with this DPA and Customer's instructions, unless they are required to process Customer Data under the law of the European Union or the Member States.
  9. Security of processing
    1. Taking into account the state of the art, the costs of implementation and – as far as known to Processor – the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of data subjects, Processor shall implement appropriate technical and organisational measures to ensure a level of security for Customer Data appropriate to the risk. 
    2. Prior to the beginning of the processing of Customer Data, Processor shall in particular implement the technical and organisational measures specified in Annex 2 to this DPA and maintain them for the duration of the Main Agreement and ensure that the processing of Customer Data is carried out in accordance with these measures.
    3. Customer shall verify the technical and organisational measures implemented by Processor, in particular whether they are also sufficient with regard to circumstances of data processing not known to Processor.
    4. Since the technical and organisational measures are subject to technical progress, Processor is entitled and obligated to implement alternative, adequate measures in order not to fall below the security level of the measures specified in Annex 2. If Processor makes significant changes to the measures set out in Annex 2, it shall inform Customer thereof in advance.
  10. Use of sub-processors
    1. Processor uses the sub-processors listed in Annex 3 for the processing of Customer Data. These are deemed to be authorised upon conclusion of this DPA.
    2. Processor may use further sub-processors to process Customer Data subject to the following conditions: 

Processor shall inform Customer at least 30 days before making use of the further sub-processor in written form (e-mail sufficient) to a contact address specified by Customer for this purpose. Unless Customer raises an objection within 14 days, the use of the further sub-processor shall be deemed to have been authorised.

  1. If Customer objects to the use of a further sub-processor Processor shall be entitled, at its discretion, to continue to provide the services without the rejected sub-processor or to terminate the Main Agreement and this DPA.
  2. Processor must obligate each sub-processor by means of a written agreement which imposes on the sub-processor, in substance, the same data protection obligations as the ones imposed on Processor in accordance with this DPA.
  3. Processor shall be obligated to select and use only those sub-processors who offer sufficient guarantees that the appropriate technical and organisational measures are implemented in such a way that the processing of Customer Data is carried out in accordance with the requirements of the GDPR and this DPA.
  1. Rights of data subjectssome text
    1. Processor shall take all reasonable technical and organisational measures to assist Customer in fulfilling its obligation to respond to requests from data subjects to exercise their rights. 
    2. Processor will in particular, within the scope of his possibilities: 
  1. inform Customer without undue delay if a data subject should contact Processor directly with a request to exercise his rights in relation to Customer Data;
  2. provide Customer, upon request, with all information in its possession concerning the processing of Customer Data which Customer requires in order to respond to the request of a data subject and which is not available to Customer himself; 
  3. correct, delete or limit the processing of Customer Data without undue delay at Customer's instruction, insofar as Customer cannot do this himself and this is technically possible for Processor; 
  4. to assist Customer, if necessary, to receive Customer Data processed in Processor's sphere of responsibility – as far as technically possible – in a structured, commonly used and machine-readable format, provided that the data subject has a right to data portability with regard to Customer Data. 
  1. Other obligations of Processor to assist Customersome text
    1. Processor shall notify Customer immediately after becoming aware of any Customer Data breach, in particular incidents which lead to the actual destruction, loss, alteration or unauthorised disclosure of or access to Customer Data. Such notification shall contain a description, if possible, of: 
  1. the nature of the Customer Data breach, specifying, where possible, the data categories and approximate number of data subjects concerned;
  2. the likely consequences of the Customer Data breach; 
  3. the measures taken or proposed by Processor to remedy the Customer Data breach and, where appropriate, measures to mitigate its possible adverse effects.
  1. In the event of any Customer Data breach, Processor shall, without delay, take all necessary and reasonable measures to remedy Customer Data breach and, if necessary, to mitigate its possible adverse effects.
  2. If Customer is obligated to provide information about the processing of Customer Data to a government agency or a third party or to otherwise cooperate with such entity, Processor shall be obligated to support Customer in providing such information or in fulfilling other obligations to cooperate.
  3. Processor shall assist Customer in complying with its obligations under Art. 32 GDPR, to the extent possible considering the information Processor has with respect to Customer’s use of Processor’s services.
  4. In the event that Customer is obligated to inform supervisory authorities and/or data subjects in accordance with Art. 33, 34 GDPR, Processor shall, insofar as this is possible, assist Customer in complying with these obligations at the latter's request. In particular, Processor is obligated to document all Customer Data breaches, including all related facts, in a manner that enables Customer to prove compliance with any relevant statutory reporting obligations.
  5. Processor shall support Customer with the information available to him and assist, within reason, in any data protection impact assessment to be carried out by Customer and, if necessary, subsequent consultations with the supervisory authorities in accordance with Art. 35, 36 GDPR.
  1. Data deletion and returnsome text
    1. Upon termination of the Main Agreement , Processor shall, upon Customer's instruction, either completely delete all Customer Data or return it to Customer and delete existing copies, unless the law of the European Union or a Member State requires the continued storage of Customer Data. 
    2. However, Processor is entitled to keep backup copies of Customer Data for a period of 30 days, insofar as deletion of Customer Data from these backup copies is not required for technical reasons or with regard to Art. 32 GDPR. For this period, the rights and obligations of the parties under this DPA with regard to the backup copies shall continue to apply in deviation from Section 2.3
    3. Documentation which serves as proof of the orderly and proper processing of Customer Data is to be kept by Processor in accordance with the statutory retention periods beyond the term of this DPA.
  2. Audit rights some text
    1. Processor shall ensure and regularly evaluate that the processing of Customer Data is carried out in accordance with this DPA, the Main Agreement and Customer's instructions.
    2. Processor shall document the implementation of the obligations under this DPA in a suitable manner and shall provide Customer with all necessary evidence of Processor's compliance with its obligations under the GDPR and this DPA at Customer's request.
    3. Customer shall be entitled to audit Processor regularly during the term of the Main Agreement with regard to compliance with the provisions of this DPA, in particular the implementation of the technical and organisational measures in accordance with Annex 2, either itself or through a qualified auditor subject to appropriate confidentiality obligations; this shall include inspections. Processor shall allow and shall contribute to such audits by taking all reasonable and appropriate measures; inter alia by granting the necessary access rights and by providing all necessary information. 
    4. The audits and inspections shall not, as far as possible, obstruct or unduly burden Processor in his normal business operations. In particular, inspections at Processor's premises without any specific reason should not take place more than once per calendar year and only during Processor's normal business hours. Customer shall notify Processor of inspections in good time in advance and in writing (e-mail sufficient).
    5. In accordance with the provisions of the GDPR, Customer and Processor are subject to public controls by the competent supervisory authority. At the request of Customer, Processor shall provide the supervisory authority with the desired information and shall give the supervisory authority or the persons appointed by it the opportunity to carry out audits, including inspections of Processor. In this context, Processor shall grant the competent supervisory authority the necessary rights of access, information and inspection.
  3. Liability

The limitations of liability agreed in the Main Agreement apply accordingly.

  1. Miscellaneoussome text
    1. Amendments and subsidiary agreements to this DPA must be made in writing. This also applies to this written form clause.
    2. Agreements on the choice of law and place of jurisdiction from the Main Agreement shall apply accordingly to this DPA.]
  1. Annex 1 - Purpose, nature and extent of data processing, type of data and categories of data subjects

Purpose of the data processing

Access to the Nuco.cloud web application and provision of the Services set out in the Main Agreement.

Nature and scope of data processing 

Automated processing of Customer Data to provide the Services set out in the Main Agreement.

Provision of the Nuco.cloud web application.

Type of data

All data uploaded, downloaded or generated by Customer when using the Services.

Name, email address, password and billing information of Customer and/or its employees.

Categories of data subjects

All data subjects concerned by the data uploaded, downloaded or generated by Customer when using the services.

Employees of Customer

  1. Annex 2 – Technical and organisational measures

Depending on the third-party providers supplying the Services the following additional technical and organisational measures apply to the respective Services:

Hetzner Online GmbH: https://www.hetzner.com/AV/TOM.pdf

Vultr: https://www.vultr.com/legal/eea-gdpr-privacy/

Cudo Ventures Limited: https://www.cudocompute.com/privacy

This Data Processing Agreement ("DPA") specifies the data protection rights and obligations of the parties in connection with the processing of personal data processed by Iron Eagle Capital GmbH (hereinafter "Processor") on behalf of "Customer" under the contract based on the General Terms and Conditions, the applicable Service Specific Terms and (if applicable) the Third Party Provider Terms (hereinafter "Main Agreement") concluded between the parties.

  1. Scope of application

When providing the services in accordance with the Main Agreement, Processor processes personal data which Customer has made available for purpose of providing the services and in respect of which Customer acts as controller in the sense of data protection law ("Customer Data"). In the event of contradictions between this DPA and provisions from other agreements, in particular from the Main Agreement, the provisions of this DPA shall take precedence.

  1. Subject matter and scope of the processing / Customer’s authority to issue instructionssome text
    1. Processor will process the Customer Data exclusively on behalf of Customer and in accordance with Customer's instructions, unless Processor is legally required to process such data under the law of the European Union or a Member State. In such a case, Processor shall inform Customer of these legal requirements prior to processing, unless the law in question prohibits such information on important grounds of public interest.
    2. The processing of Customer Data by Processor shall be carried out exclusively in the nature, to the extent, and for the purposes specified in Annex 1 to this DPA; the processing shall only concern the types of personal data and categories of data subjects specified therein.
    3. The duration of the processing corresponds to the term of the Main Agreement.
    4. Processor is allowed to process Customer Data or have Customer Data processed by sub-processors outside the European Economic Area ("EEA") in accordance with Section 5 of this DPA if the requirements of Articles 44 to 48 GDPR are fulfilled, if an exception under Art. 49 GDPR applies or if the transfer outside the EEA is expressly requested or initiated by Customer.
    5. The instructions are set out in the Main Agreement. Customer is entitled to issue further instructions regarding the nature, scope, purposes and means of processing Customer Data only where such instructions are required by the laws of the European Union or a Member State, or by court or administrative order.]
    6. Instructions shall be in writing (e-mail sufficient). Customer will confirm oral instructions in writing or by e-mail.
    7. Processor shall inform Customer immediately if, in its opinion, an instruction infringes this DPA, the GDPR or other data protection provisions of the European Union or the Member States. Processor is entitled to suspend the execution of such an instruction until Customer confirms the instruction in writing (e-mail sufficient). If Customer insists on the execution of an instruction despite the concerns expressed by Processor, Customer shall indemnify and hold harmless Processor from and against any and all damages and costs incurred by Processor as a result of the execution of Customer's instruction. Processor shall inform Customer of any damages and costs asserted against Processor, shall not acknowledge any claims of third parties without the consent of Customer and shall, in Processor's discretion, either conduct the defense in co-ordination with Customer or leave it to Customer.  
  2. Requirements for personnelsome text
    1. Processor shall obligate all personnel processing Customer Data to maintain confidentiality, unless they are subject to appropriate statutory confidentiality obligations.
    2. Processor shall ensure that all personnel under his authority who have access to Customer Data only process this data in accordance with this DPA and Customer's instructions, unless they are required to process Customer Data under the law of the European Union or the Member States.
  3. Security of processingsome text
    1. Taking into account the state of the art, the costs of implementation and – as far as known to Processor – the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of data subjects, Processor shall implement appropriate technical and organisational measures to ensure a level of security for Customer Data appropriate to the risk.
    2. Prior to the beginning of the processing of Customer Data, Processor shall in particular implement the technical and organisational measures specified in Annex 2 to this DPA and maintain them for the duration of the Main Agreement and ensure that the processing of Customer Data is carried out in accordance with these measures.
    3. Customer shall verify the technical and organisational measures implemented by Processor, in particular whether they are also sufficient with regard to circumstances of data processing not known to Processor.
    4. Since the technical and organisational measures are subject to technical progress, Processor is entitled and obligated to implement alternative, adequate measures in order not to fall below the security level of the measures specified in Annex 2. If Processor makes significant changes to the measures set out in Annex 2, it shall inform Customer thereof in advance.
  4. Use of sub-processorssome text
    1. Processor uses the sub-processors listed in Annex 3 for the processing of Customer Data. These are deemed to be authorised upon conclusion of this DPA.
    2. Processor may use further sub-processors to process Customer Data subject to the following conditions:

Processor shall inform Customer at least 30 days before making use of the further sub-processor in written form (e-mail sufficient) to a contact address specified by Customer for this purpose. Unless Customer raises an objection within 14 days, the use of the further sub-processor shall be deemed to have been authorised.

  1. If Customer objects to the use of a further sub-processor Processor shall be entitled, at its discretion, to continue to provide the services without the rejected sub-processor or to terminate the Main Agreement and this DPA.
  2. Processor must obligate each sub-processor by means of a written agreement which imposes on the sub-processor, in substance, the same data protection obligations as the ones imposed on Processor in accordance with this DPA.
  3. Processor shall be obligated to select and use only those sub-processors who offer sufficient guarantees that the appropriate technical and organisational measures are implemented in such a way that the processing of Customer Data is carried out in accordance with the requirements of the GDPR and this DPA.
  1. Rights of data subjectssome text
    1. Processor shall take all reasonable technical and organisational measures to assist Customer in fulfilling its obligation to respond to requests from data subjects to exercise their rights.
    2. Processor will in particular, within the scope of his possibilities:
  1. inform Customer without undue delay if a data subject should contact Processor directly with a request to exercise his rights in relation to Customer Data;
  2. provide Customer, upon request, with all information in its possession concerning the processing of Customer Data which Customer requires in order to respond to the request of a data subject and which is not available to Customer himself;
  3. correct, delete or limit the processing of Customer Data without undue delay at Customer's instruction, insofar as Customer cannot do this himself and this is technically possible for Processor;
  4. to assist Customer, if necessary, to receive Customer Data processed in Processor's sphere of responsibility – as far as technically possible – in a structured, commonly used and machine-readable format, provided that the data subject has a right to data portability with regard to Customer Data.
  1. Other obligations of Processor to assist Customersome text
    1. Processor shall notify Customer immediately after becoming aware of any Customer Data breach, in particular incidents which lead to the actual destruction, loss, alteration or unauthorised disclosure of or access to Customer Data. Such notification shall contain a description, if possible, of:
  1. the nature of the Customer Data breach, specifying, where possible, the data categories and approximate number of data subjects concerned;
  2. the likely consequences of the Customer Data breach;
  3. the measures taken or proposed by Processor to remedy the Customer Data breach and, where appropriate, measures to mitigate its possible adverse effects.
  1. In the event of any Customer Data breach, Processor shall, without delay, take all necessary and reasonable measures to remedy Customer Data breach and, if necessary, to mitigate its possible adverse effects.
  2. If Customer is obligated to provide information about the processing of Customer Data to a government agency or a third party or to otherwise cooperate with such entity, Processor shall be obligated to support Customer in providing such information or in fulfilling other obligations to cooperate.
  3. Processor shall assist Customer in complying with its obligations under Art. 32 GDPR, to the extent possible considering the information Processor has with respect to Customer’s use of Processor’s services.
  4. In the event that Customer is obligated to inform supervisory authorities and/or data subjects in accordance with Art. 33, 34 GDPR, Processor shall, insofar as this is possible, assist Customer in complying with these obligations at the latter's request. In particular, Processor is obligated to document all Customer Data breaches, including all related facts, in a manner that enables Customer to prove compliance with any relevant statutory reporting obligations.
  5. Processor shall support Customer with the information available to him and assist, within reason, in any data protection impact assessment to be carried out by Customer and, if necessary, subsequent consultations with the supervisory authorities in accordance with Art. 35, 36 GDPR.
  1. Data deletion and returnsome text
    1. Upon termination of the Main Agreement , Processor shall, upon Customer's instruction, either completely delete all Customer Data or return it to Customer and delete existing copies, unless the law of the European Union or a Member State requires the continued storage of Customer Data.
    2. However, Processor is entitled to keep backup copies of Customer Data for a period of 30 days, insofar as deletion of Customer Data from these backup copies is not required for technical reasons or with regard to Art. 32 GDPR. For this period, the rights and obligations of the parties under this DPA with regard to the backup copies shall continue to apply in deviation from Section 2.3
    3. Documentation which serves as proof of the orderly and proper processing of Customer Data is to be kept by Processor in accordance with the statutory retention periods beyond the term of this DPA.
  2. Audit rights some text
    1. Processor shall ensure and regularly evaluate that the processing of Customer Data is carried out in accordance with this DPA, the Main Agreement and Customer's instructions.
    2. Processor shall document the implementation of the obligations under this DPA in a suitable manner and shall provide Customer with all necessary evidence of Processor's compliance with its obligations under the GDPR and this DPA at Customer's request.
    3. Customer shall be entitled to audit Processor regularly during the term of the Main Agreement with regard to compliance with the provisions of this DPA, in particular the implementation of the technical and organisational measures in accordance with Annex 2, either itself or through a qualified auditor subject to appropriate confidentiality obligations; this shall include inspections. Processor shall allow and shall contribute to such audits by taking all reasonable and appropriate measures; inter alia by granting the necessary access rights and by providing all necessary information.
    4. The audits and inspections shall not, as far as possible, obstruct or unduly burden Processor in his normal business operations. In particular, inspections at Processor's premises without any specific reason should not take place more than once per calendar year and only during Processor's normal business hours. Customer shall notify Processor of inspections in good time in advance and in writing (e-mail sufficient).
    5. In accordance with the provisions of the GDPR, Customer and Processor are subject to public controls by the competent supervisory authority. At the request of Customer, Processor shall provide the supervisory authority with the desired information and shall give the supervisory authority or the persons appointed by it the opportunity to carry out audits, including inspections of Processor. In this context, Processor shall grant the competent supervisory authority the necessary rights of access, information and inspection.
  3. Liability

The limitations of liability agreed in the Main Agreement apply accordingly.

  1. Miscellaneoussome text
    1. Amendments and subsidiary agreements to this DPA must be made in writing. This also applies to this written form clause.
    2. Agreements on the choice of law and place of jurisdiction from the Main Agreement shall apply accordingly to this DPA.]

Annex 1 - Purpose, nature and extent of data processing, type of data and categories of data subjects

Purpose of the data processing

Access to the Nuco.cloud web application and provision of the Services set out in the Main Agreement.

Nature and scope of data processing

Automated processing of Customer Data to provide the Services set out in the Main Agreement.

Provision of the Nuco.cloud web application.

Type of data

All data uploaded, downloaded or generated by Customer when using the Services.

Name, email address, password and billing information of Customer and/or its employees.

Categories of data subjects

All data subjects concerned by the data uploaded, downloaded or generated by Customer when using the services.

Employees of Customer

Annex 2 – Technical and organisational measures

Depending on the third-party providers supplying the Services the following additional technical and organisational measures apply to the respective Services:

Hetzner Online GmbH: https://www.hetzner.com/AV/TOM.pdf

Vultr: https://www.vultr.com/legal/eea-gdpr-privacy/

Cudo Ventures Limited: https://www.cudocompute.com/privacy

Annex 3 – Sub-processors

Name

Nature of the service

Hetzner Online GmbH

Third-party provider (if applicable)

The Constant Company, LLC.

Third-party provider (if applicable)

Cudo Ventures Limited

Third-party provider (if applicable)

Join our community for the latest updates

Summarize nuco.cloud’s unique position, the growing demand for cloud computing, and how nuco.cloud is poised to meet this demand on a global scale.

Join our Telegram GroupFollow us on X

info@nuco.cloud

nuco.cloud SKYNET
nuco.cloud PRO
nuco.cloud GO
What sets us apart
Whitepaper
Roadmap
News
Tokenomics
Exchanges
Team
Contact
Discord
Telegram Group
Telegram Channel
X
LinkedIn
Youtube
Whitepaper
Risk Warnings
Privacy Policy
Legal Notice