Data Processor Addendum
This Data Processor Addendum (the “Addendum”) is a general contractual module incorporated into the CarbonCloud General Terms of Service (“T&C”). It applies where CarbonCloud processes Personal Data on behalf of an Account Holder acting as Controller. In case of conflict between this Addendum and the T&C regarding the Processing of Personal Data, this Addendum shall prevail.
1. Definitions
1.1 Capitalised terms inherited from the T&C shall have the same meaning herein.
1.2 The terms “Commission”, “Controller”, “Data Subject”, “Member State”, “Personal Data”, “Personal Data Breach”, “Processing”, and “Supervisory Authority” shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly.
1.3 Additionally, for the purpose of this Addendum, the following definitions shall apply:
“Account Holder Personal Data” shall mean any Personal Data Processed on behalf of Account Holder pursuant to or in connection with the Agreement.
“Data Protection Laws” shall mean EU Data Protection Laws and, to the extent applicable, the data protection or privacy laws of any other country.
“Data Transfer” shall mean (i) a transfer of Account Holder Personal Data from the Account Holder to a Sub-Processor; or (ii) an onward transfer of Account Holder Personal Data from a Sub-Processor to a Sub-Sub-Processor, or between two establishments of a Sub-Processor, in each case, where such transfer would be prohibited by Data Protection Laws (or by the terms of data transfer agreements put in place to address the data transfer restrictions of Data Protection Laws).
“EEA” shall mean the European Economic Area.
“EU Data Protection Laws” shall mean EU Directive 95/46/EC, as transposed into domestic legislation of each Member State and as amended, replaced or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR.
2. Processing of Account Holder Personal Data
2.1 The Account Holder hereby instructs CarbonCloud to process Account Holder Personal Data solely for the purpose of providing the Services, in accordance with the Agreement, this Addendum, and the documented processing instructions set out in Appendix A.
2.2 CarbonCloud shall:
- comply with all applicable Data Protection Laws in the Processing of Account Holder Personal Data; and
- not Process Account Holder Personal Data other than on the relevant Account Holder’s documented instructions.
2.3 Each party acknowledges that it acts as an independent data controller for Personal Data it processes for its own purposes (e.g. billing, user administration, or contractual records). This Addendum only governs Processing where CarbonCloud acts as a processor on behalf of the Account Holder.
3. CarbonCloud Personnel
3.1 CarbonCloud shall take reasonable steps to ensure the reliability of any employee, agent or contractor of any Sub-Processor who may have access to the Account Holder Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know or access the relevant Account Holder Personal Data, as strictly necessary for the purposes of the Agreement and to comply with Applicable Laws in the context of that individual’s duties to the Sub-Processor, and ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.
4. Security
4.1 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, CarbonCloud shall in relation to the Account Holder Personal Data implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR.
4.2 In assessing the appropriate level of security, CarbonCloud shall take account in particular of the risks that are presented by Processing, in particular from a Personal Data Breach.
5. Subprocessing
5.1 CarbonCloud is entitled to hire the Sub-Processor(s) listed in Appendix B.
5.2 CarbonCloud is entitled to hire new Sub-Processors and to replace existing Sub-Processors.
5.3 When CarbonCloud intends to hire a new Sub-Processor or replace an existing one, CarbonCloud shall verify the Sub-Processor’s capacity and ability to meet its obligations in accordance with the Data Protection Legislation. CarbonCloud shall notify the Controller in writing of:
- the Sub-Processor’s name, corporate identity number and head office (address and country),
- which type of data and categories of Data Subjects are being processed, and
- where the Personal Data will be processed.
6. Data Subject Rights
6.1 Taking into account the nature of the Processing, CarbonCloud shall assist the Account Holder by implementing appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Account Holder’s obligations, as reasonably understood by the Account Holder, to respond to requests to exercise Data Subject rights under the Data Protection Laws. CarbonCloud is entitled to reasonable compensation for such work.
6.2 CarbonCloud shall:
- as soon as possible notify Account Holder if it receives a request from a Data Subject under any Data Protection Law in respect of Account Holder Personal Data; and
- ensure that it does not respond to that request except on the documented instructions of Account Holder or as required by Applicable Laws to which CarbonCloud is subject, in which case CarbonCloud shall to the extent permitted by Applicable Laws inform Account Holder of that legal requirement before the Sub-Processor responds to the request.
7. Personal Data Breach
7.1 CarbonCloud shall notify Account Holder without undue delay upon CarbonCloud becoming aware of a Personal Data Breach affecting Account Holder Personal Data, providing Account Holder with sufficient information to allow the Account Holder to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Data Protection Laws.
7.2 CarbonCloud shall co-operate with the Account Holder and take such reasonable commercial steps as are directed by the Account Holder to assist in the investigation, mitigation and remediation of each such Personal Data Breach.
8. Impact Assessment and Prior Consultation
8.1 CarbonCloud shall provide reasonable assistance to the Account Holder with any data protection impact assessments, and prior consultations with Supervisory Authorities or other competent data privacy authorities, which the Account Holder reasonably considers to be required by Article 35 or 36 of the GDPR or equivalent provisions of any other Data Protection Law, in each case solely in relation to Processing of Account Holder Personal Data by, and taking into account the nature of the Processing and information available to, the Sub-Processors. CarbonCloud is entitled to reasonable compensation for such work.
9. Deletion or Return of Account Holder Personal Data
9.1 In the event that the Account Holder has requested a correction or deletion as a result of incorrect Processing by CarbonCloud, CarbonCloud shall take appropriate measures without undue delay, and no later than thirty (30) days from the date on which CarbonCloud received the required information from the Account Holder. When the Account Holder has requested deletion, CarbonCloud may only perform Processing of the Personal Data in question as a part of the correction or deletion process.
9.2 CarbonCloud shall promptly, and in any event within 90 days of the date of termination of the Agreement involving the Processing of Account Holder Personal Data (the “Termination Date”), delete and procure the deletion of all copies of that Account Holder Personal Data.
10. Audit Rights
10.1 Subject to this section 10, CarbonCloud shall make available to the Account Holder on request all information necessary to demonstrate compliance with this Addendum, and shall allow for and contribute to audits, including inspections, by the Account Holder or an auditor mandated by the Account Holder in relation to the Processing of the Account Holder Personal Data by the Sub-Processors.
10.2 Information and audit rights of the Account Holder only arise under section 10.1 to the extent that this Addendum does not otherwise give it information and audit rights meeting the relevant requirements of Data Protection Law. CarbonCloud is entitled to reasonable compensation for work related to an audit.
11. Data Transfer
11.1 CarbonCloud may not transfer or authorize the transfer of Data to countries outside the EU and/or the EEA without the prior written consent of the Account Holder. If Personal Data processed under this Addendum is transferred from a country within the EEA to a country outside the EEA, the Parties shall ensure that the Personal Data are adequately protected. To achieve this, the Parties shall, unless agreed otherwise, rely on EU-approved standard contractual clauses for the transfer of Personal Data.
12. Liability for Damages in Connection with the Processing
12.1 In the event that compensation for damages in relation to Processing is payable to the Data Subject, through a legally binding judgement or settlement, due to a violation of this Addendum, the Instructions and/or applicable provisions of the Data Protection Legislation, Article 82 of the GDPR is applicable.
12.2 Fines in accordance with Article 83 of the GDPR shall be paid by the party to this Addendum on which such a fine has been levied.
12.3 If either party becomes aware of circumstances that could be detrimental to the other party, the first party shall immediately inform the other party of this and work actively with the other party to prevent and minimise the damage or loss.
12.4 Notwithstanding any of the provisions of the Agreement, sections 12.1 and 12.2 of this Addendum take precedence over other rules regarding the allocation between the parties of claims regarding the Processing.
13. General Terms
13.1 Confidentiality. Each Party must keep this Addendum and information it receives about the other Party and its business in connection with this Addendum (“Confidential Information”) confidential and must not use or disclose that Confidential Information without the prior written consent of the other Party except to the extent that:
- disclosure is required by law; or
- the relevant information is already in the public domain.
13.2 Notices shall follow the provisions of the Agreement.
13.3 Additions and amendments to this Addendum must be made in writing and signed by both parties.
13.4 If either party becomes aware that the other party is acting in violation of this Addendum and/or the Instructions, the first party shall inform the other party without delay of the actions in question. The first party is then entitled to suspend the performance of its obligations pursuant to this Addendum until such time as the other party has declared that the actions have ceased, and the explanation has been accepted by the party that made the complaint.
14. Governing Law and Jurisdiction
14.1 This Addendum shall be governed by the same law and subject to the same dispute resolution mechanism as set out in the General Terms of Service (T&C).
Appendix A: Account Holder’s Processing Instructions
This Appendix forms part of the Data Processor Addendum (the “Addendum”) and sets out the Account Holder’s documented instructions for the Processing of Personal Data by CarbonCloud in its capacity as data processor.
1. Purpose and Scope of the Processing
1.1 CarbonCloud shall process Account Holder Personal Data solely for the purpose of enabling access to and use of the Services, including:
- Creating user accounts for authorized users of the Account Holder;
- Inviting suppliers or third-party users to create accounts where such access is configured by the Account Holder;
- Providing technical support, routine platform maintenance, backups, and ensuring service availability.
2. Categories of Personal Data Processed
2.1 The Personal Data processed under the Agreement may include the following:
- Name
- Email address
2.2 Such data may be input manually by the Account Holder or transferred by technical integration between the Account Holder’s systems and the Services.
3. Categories of Data Subjects
3.1 The Processing may involve Personal Data relating to:
- Employees of the Account Holder
- Consultants or authorized representatives of the Account Holder
- Employees or consultants of supplier organizations onboarded via the Account Holder
4. Special Processing Requirements
4.1 Account Holder Personal Data shall be deleted or anonymized within ninety (90) days following termination of the Agreement, unless a longer retention period is required under applicable law.
4.2 Backups and log files containing such data must be purged in accordance with CarbonCloud’s retention policy unless otherwise instructed by the Account Holder.
5. Security Measures
5.1 CarbonCloud shall implement the technical and organizational security measures described in Section 4 of the Addendum.
6. Logging Requirements
6.1 CarbonCloud shall maintain audit logs of all access, and changes made, to Account Holder Personal Data.
6.2 Such logs shall record the identity of the user or system, timestamp, type of change, and the affected data.
6.3 Logs shall be retained for no longer than fourteen (14) days, unless otherwise required for security or legal compliance purposes.
7. Data Transfers to Third Countries
7.1 Transfers of Personal Data to third countries (outside the EU/EEA) may occur in accordance with Section 11 of the Addendum and shall be subject to appropriate safeguards under Chapter V of the GDPR (e.g. Standard Contractual Clauses).
Appendix B: Approved Sub-Processors
This Appendix forms part of the Data Processor Addendum (the “Addendum”) and lists the third-party Sub-Processors authorized by CarbonCloud to process Account Holder Personal Data in connection with the delivery of the Services. Each Sub-Processor is contractually bound to meet data protection and security obligations equivalent to those set out in the Addendum.
1. Approved Sub-Processors
| Sub-Processor | Country of Establishment / Processing | Purpose of Processing |
|---|---|---|
| Auth0 (part of Okta, Inc.) | United Kingdom | Identity and authentication services, including login, user session handling, and technical support related to user access. |
2. Processing Scope and Restrictions
2.1 The above Sub-Processor is authorized to process Account Holder Personal Data only to the extent necessary for the provision of the Services and only in accordance with the Addendum.
3. Notice and Updates
3.1 CarbonCloud shall provide prior written notice of any intended addition or replacement of Sub-Processors, in accordance with Section 5 of the Addendum. The Account Holder may object to such changes on reasonable data protection grounds.