Changes

Date: 14th April 2025

Change Type: Amendment

Summary of changes

Change in Clause 7(b)(iii) – Sub-processors

• Removed specific due diligence on sub-processors' data retention and deletion practices and clarified the application of third-party provider data retention policies.

Change in Clause 15(b) – General Terms

• Clarified that only the Processor can assign, transfer, or subcontract obligations under the DPA, removing the ability for either party to propose updates or modifications.
• Clarified that while no separate consent from the Customer shall be required, the Customer retains the right to object and terminate the affected Services in accordance with Clause 16.b.

Deleted Clause 15(c) – General Terms

• No variation of the DPA will be valid or binding unless it is recorded in writing and signed by or on behalf of both parties.

Change in Clause 15(g) - General Terms

• 'email or public notice' changed to 'email and public notice'.

Change in Clause 16(d) - Modification of this DPA

• Clarified that continued use of the Services after the effective date of any update constitutes acceptance of the updated DPA, unless there is an ongoing dispute or active negotiations under Clause 16.b, in which case such continued use shall not be deemed acceptance until the dispute or negotiations are resolved.

Clause Removed: Section 4.2.ii

• As agreements for SaaS, IaaS, and PaaS environments are entered into directly between the Customer and the third-party provider, Critical Cloud is not responsible for data retention in those environments. Clause 4.2.ii, which previously stated "Data stored in third-party SaaS and PaaS environments shall be deleted according to the respective provider’s data retention policies," has been removed.

Date: 4th April 2025

Change Type: Amendment

Summary of changes

1. Section 7 (Sub-processors) updated for clarity, consistency, and precision. Confirmed flow-down of DPA obligations, clarified liability for Sub-processors, and aligned notification process with Clause 16. Language restructured into consistent sub-clauses.

2. Section 11 (Return and Deletion of Personal Data) revised for clarity and structure. Clarifies that both Critical Cloud and its Sub-processors must comply, refines retention conditions to cover legal requirements only, and confirms the Customer’s right to request written certification of compliance.

3. Clause 15.b changed to allow either party to propose updates and require customer notification (not consent) for assignments or subcontracting.

4. Clause 15.c removed to eliminate conflict with Clause 17, which governs the DPA modification process.

5. New clause added for Modification of this DPA and inserted as Clause 16. The previous Clause 16 (Governing Law and Jurisdiction) has been renumbered to Clause 17 for structural consistency.

6. Clause 16 (Modification of this DPA) sets out a 30-day notice period and rationale for material changes, includes a process for Customer objections and good faith discussions, and clarifies termination, data handling, and refund terms. Restructured into sub-clauses for clarity.

7. Clause 14 (Liability). Updated to refer to the “MSA” instead of “the Agreement” for clarity.

8. Notices clause updated to reflect that all notices under the DPA must be sent by email. Postal delivery is no longer supported. Deemed receipt clarified, and alignment with Clause 16 and Clause 7 confirmed.

9. Section 12 (Audits) updated to require 30 days’ written notice and justification for audits. Clarified that audit rights are limited to once every 12 months, unless required by a Supervisory Authority or triggered by a suspected material Personal Data Breach.

10. Clause 8 (Data Subject Rights) updated to clarify that Critical Cloud and its Sub-processors will only assist with or respond to Data Subject requests based on the Customer’s documented instructions.