Data Processing Agreement
DPA

RESTRICTED
This Data Processing Agreement (DPA) forms part of the Master Services Agreement (MSA) between Critical Cloud Limited ("Critical Cloud", "we", "us", "our") and the entity identified in the applicable Order Form ("Customer", "you", "your").
This DPA applies automatically to any Customer upon execution of an Order Form, without the need for additional signatures. The processing of Personal Data under this DPA shall be carried out in accordance with the terms of the MSA and this DPA.
- 1.Background
- a.Critical Cloud provides cloud support and related services (the “Services”) to the Customer under the MSA and associated Order Forms.
- b.This DPA governs the processing of Personal Data by Critical Cloud on behalf of the Customer in connection with the Services.
- c.In the event of a conflict between this DPA and the MSA or Order Forms, the terms of this DPA shall prevail with respect to data protection and processing obligations.
- 2.Definitions
- a.In this DPA, the following words are defined as follows:
- b."Addendum"
- i.the International Data Transfer Addendum to the EU Standard Contractual Clauses available at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf (as amended or updated from time to time).
- c."Affiliate"
- i.any entity that directly or indirectly controls, or is controlled by, or is under common control with the subject entity. 'Control' for the purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.
- d."Data Protection Law"
- i.all laws and regulations, including laws and regulations of the European Union, the European Economic Area and their member states, Switzerland and the United Kingdom applicable to the Processing of Personal Data under the Agreement, including, but not limited to EU Directive 95/46/EC, as transposed into domestic legislation of each Member State and as amended, replaced or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR; and
- ii.to the extent applicable, the data protection or privacy laws of any other country.
- e."EU Standard Contractual Clauses"
- i.Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (Text with EEA relevance), as may be replaced or superseded by the European Commission.
- f."GDPR"
- i.Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (the EU GDPR); and
- ii.the EU GDPR as implemented or adopted under the laws of the United Kingdom (UK GDPR) (General Data Protection Regulation).
- g."Personnel"
- i.in relation to a party, those of its employees, workers, agents, consultants, contractors, sub-contractors, representatives or other persons employed or engaged by that party on whatever terms.
- h."Sub-processor"
- i.any entity (whether or not an Affiliate of Critical Cloud, but excluding Critical Cloud's Personnel) appointed by or on behalf of Critical Cloud to process Personal Data on behalf of the Customer under this DPA.
- i."Working Day"
- i.any day, other than a Saturday, Sunday, or public holiday in England and Wales.
- 3.Terms such as "Data Subject", "Processing", "Personal Data", "Controller", "Processor", "Supervisory Authority" and "Personal Data Breach" shall have the same meaning as ascribed to them in the Data Protection Law.
- 4.In this DPA, unless the context requires a different interpretation:
- a.the singular includes the plural and vice versa;
- b.references to sub-clauses, clauses, schedules or appendices are to sub-clauses, clauses, schedules or appendices of this DPA;
- c.a reference to a person includes firms, companies, government entities, trusts and partnerships;
- d.'including' is understood to mean 'including without limitation';
- e.reference to any statutory provision includes any modification or amendment of it;
- f.the headings and sub-headings do not form part of this DPA; and
- g.'writing' or 'written' will include fax and email unless otherwise stated.
- 5.Processing Customer Personal Data
- a.For the purpose of Data Protection Law, the Customer shall be the Controller and Critical Cloud shall be the Processor.
- b.Critical Cloud and each Critical Cloud Affiliate shall:
- i.comply with all applicable Data Protection Law in the Processing of Customer Personal Data; and
- ii.only Process Personal Data on the Customer's documented instructions, unless Processing is required by any applicable law to which Critical Cloud is subject (in which case, Critical Cloud shall, to the extent permitted by applicable law, inform the Customer of such legal requirement before undertaking the Processing).
- c.Critical Cloud and each Critical Cloud Affiliate shall take reasonable steps to ensure the reliability of Personnel who have access to the Personal Data, ensuring in each case that such Personnel are subject to a strict duty of confidentiality (whether a contractual or statutory duty) and that they Process the Personal Data in compliance with all applicable law and only for the purpose of delivering the Services under the Agreement.
- 6.Security
- a.Critical Cloud will establish data security in relation to the Processing of Personal Data under this DPA. The measures to be taken must guarantee a protection level appropriate to the risk concerning confidentiality, integrity, availability and resilience of the systems. The state of the art, implementation costs, the nature, scope and purposes of the Processing, as well as the probability of occurrence and the severity of the risk to the rights and freedoms of natural persons must be taken into account. Such measures may include, as appropriate:
- i.the pseudonymisation and encryption of Personal Data;
- ii.the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- iii.the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; and
- iv.a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the Processing.
- b.In assessing the appropriate level of security, Critical Cloud shall take into account any risks that are presented by the Processing, in particular, from a Personal Data Breach.
- c.Critical Cloud has laid down the technical and organisational measures in Schedule 2 of this DPA. Technical and organisational measures are subject to technical progress and further development. In this respect, Critical Cloud may implement alternative adequate measures from time to time, provided they do not reduce the overall level of protection afforded to the Customer. Where such measures are implemented, Critical Cloud will notify the Customer in writing.
- 7.Sub-Processors
- a.The Customer authorises Critical Cloud and its Affiliates to engage the Sub-processors listed in Schedule 3 (if any), as well as any new Sub-processors, in accordance with the provisions of this Section 7.
- b.For each Sub-processor, Critical Cloud or its Affiliate shall:
- i.conduct appropriate due diligence prior to engaging the Sub-processor to ensure it can provide the level of protection required under this DPA and the Agreement;
- ii.enter into a written agreement with the Sub-processor that imposes obligations substantially similar to those in this DPA and meets the requirements of Article 28(3) of the UK GDPR;
- iii.conduct appropriate due diligence to ensure that sub-processors adhere to relevant data retention and deletion obligations as outlined in this DPA;
- iv.remain fully liable to the Customer for the performance of the Sub-processor’s obligations as if performed by Critical Cloud itself.
- c.Critical Cloud and its Affiliates may continue using Sub-processors already engaged as of the Effective Date of this DPA, provided they meet the obligations set out in Section 7(b) as soon as reasonably practicable.
- d.The Processor shall maintain an up-to-date list of Sub-processors in Schedule 3 and shall provide Customers with at least thirty (30) days’ prior notice of any intended addition via email and public notice on its website, in accordance with Clause 16. If a Customer reasonably believes that the engagement of a new Sub-processor would materially impact its compliance with applicable Data Protection Laws, it may terminate the affected Services by providing written notice within the 30-day period. Such termination will apply only to the relevant Services. Continued use of the Services after the notice period will constitute acceptance of the new Sub-processor.
- 8.Data Subject Rights
- a.Taking into account the nature of the Processing, Critical Cloud and each Critical Cloud Affiliate shall assist the Customer in implementing appropriate technical and organisational measures, insofar as possible and only on the Customer’s documented instructions, to support the Customer’s obligation to respond to requests for exercising Data Subjects’ rights under the Data Protection Law.
- b.Critical Cloud shall:
- i.promptly (and in any event, within 24 hours) notify the Customer if it (or any of its Sub-processors) receives a request from a Data Subject in relation to Personal Data Processed under this DPA; and
- ii.not respond to any such request directly, except as required by applicable law or expressly authorised in the Customer’s documented instructions; and
- iii.fully cooperate with and assist the Customer, on documented instruction only, in responding to such requests in accordance with Data Protection Law.
- 9.Personal Data Breaches
- a.Critical Cloud shall:
- i.notify the Customer without undue delay (in any event, no later than 72 hours) upon becoming aware of any Personal Data Breach affecting the Personal Data Processed by Critical Cloud under this DPA;
- ii.provide sufficient information to enable the Customer to evaluate the impact of such Personal Data Breach and to meet any obligations on the Customer to report the Personal Data Breach to a Supervisory Authority and/or notify the affected Data Subjects in accordance with the Data Protection Law;
- iii.provide the Customer with such assistance as the Customer may reasonably request; and
- iv.cooperate with the Customer and take such reasonable commercial steps (as directed by the Customer) to assist in the evaluation, investigation, mitigation and remediation of each such Personal Data Breach.
- 10.Data Protection Impact Assessment and Prior Consultation
- a.Critical Cloud and each Critical Cloud Affiliate shall provide reasonable assistance to the Customer with any data protection impact assessments and prior consultations with Supervisory Authorities or other competent authorities which the Customer considers necessary pursuant to Articles 35 and 36 of the UK GDPR.
- b.Such assistance from Critical Cloud shall be limited, in each case, to the Processing of Personal Data under this DPA.
- 11.Return and Deletion of Personal Data
- a.If the Customer terminates the Agreement due to changes in this DPA, Critical Cloud and its Sub-processors shall retain Customer Personal Data only for the period necessary to comply with applicable legal or contractual obligations. Upon termination, the Processor shall delete or return Customer Personal Data in accordance with Schedule 4. Customers must request data retrieval within thirty (30) days of termination; otherwise, the data will be securely deleted.
- b.Critical Cloud and its Sub-processors may retain Customer Personal Data only to the extent required by applicable law and solely for the duration and purpose mandated by such law. Where permitted, Critical Cloud shall notify the Customer of the legal basis for such retention and shall maintain the confidentiality of the retained data. Retained data must not be processed for any purpose other than compliance with the applicable legal requirement.
- c.Upon request, the Customer may require Critical Cloud and its Sub-processors to provide written certification confirming compliance with their obligations under this section, including the secure return or deletion of Customer Personal Data.
- 12.Audits
- a.Critical Cloud and each Critical Cloud Affiliate shall make available to the Customer, upon written request, all information reasonably necessary to demonstrate compliance with this DPA.
- b.Critical Cloud shall allow for and contribute to audits, including inspections, by the Customer (or any auditor mandated by the Customer), solely for the purpose of verifying Critical Cloud’s compliance with its obligations under this DPA.
- c.The Customer (or its mandated auditor) must provide at least thirty (30) days’ prior written notice of any audit and include a reasonable description of the scope, objectives, and justification for the audit request, including any specific compliance concerns being investigated. Audits shall be conducted during normal business hours, in a manner that minimises disruption to Critical Cloud’s operations, and subject to reasonable confidentiality and security measures.
- d.Audit rights may be exercised no more than once in any twelve (12) month period during the term of the Agreement and for a period of three (3) years following its termination or expiry, unless:
- i.required by a Supervisory Authority; or
- ii.the Customer reasonably believes a material Personal Data Breach has occurred.
- 13.Restricted Transfers
- a.For the purposes of this section entitled 'Restricted Transfers', a 'Restricted Transfer' is an onward transfer of Personal Data from Critical Cloud (or a Sub-processor) to a Sub-processor, in each case, where such transfer would be prohibited by Data Protection Law in the absence of a defined appropriate safeguard (e.g. the EU Standard Contractual Clauses and the Addendum). Personal Data may be processed in the following jurisdictions: United Kingdom (UK), European Economic Area (EEA), United States, Australia and Canada, and any other jurisdictions explicitly agreed upon. The Processor shall maintain an up-to-date record of data storage locations and provide this information upon request.
- b.Subject to the subsequent clause, Critical Cloud (the 'data exporter') and/or each Sub-processor as appropriate (the 'data importer'), will enter into module 3 of the EU Standard Contractual Clauses and the Addendum in respect of any Restricted Transfer.
- c.The preceding clause shall not apply to a Restricted Transfer unless its effect, together with other reasonably practical compliance steps (which do not include obtaining consent from Data Subjects) is to allow the Restricted Transfer to take place without breach of applicable Data Protection Law.
- 14.Liability
- a.Nothing in this DPA limits or excludes either party's liability for death or personal injury caused by its negligence, or for fraud or fraudulent misrepresentation.
- b.Subject to the preceding clause, the total liability of either party to the other for any non-compliance with this DPA shall be subject to any limitation regarding monetary damages set forth in the Agreement.
- 15.General Terms
- a.Except in respect of any provision of this DPA that expressly or by implication is intended to come into or continue in force on or after the expiry or termination of the Agreement, this DPA shall be coterminous with the Agreement.
- b.The Processor may assign, transfer, or subcontract its obligations under this DPA, provided that (i) the Customer is notified of such assignment, transfer, or subcontracting in a timely manner, and (ii) the level of data protection required under this DPA is maintained. While no separate consent from the Customer shall be required, the Customer retains the right to object and terminate the affected Services in accordance with Clause 16.b.
- c.The Contracts (Rights of Third Parties) Act 1999 does not apply to the DPA and no third party has any right to enforce or rely on any provision of the DPA.
- d.Unless otherwise agreed, no delay, act or omission by a party in exercising any right or remedy will be deemed a waiver of that, or any other, right or remedy.
- e.If any court or competent authority finds that any provision (or part) of the DPA is invalid, illegal or unenforceable, that provision or part-provision will, to the extent required, be deemed to be deleted, and the validity and enforceability of the other provisions of the DPA will not be affected.
- f.Any notice to be delivered under this DPA must be in writing and delivered by email to the email address last notified by the receiving party. A notice sent by email will be deemed received at the time of transmission, provided that no bounceback or error message is received.
- g.Notices sent in connection with Clause 16 (Modification of this DPA) or Clause 7 (Sub-processors) may be delivered via email and public notice on Critical Cloud’s website, as specified in those clauses.
- 16.Modification of this DPA
- a.The Processor may update this DPA from time to time, provided that it notifies Customers at least thirty (30) days in advance of any material changes via email and public notice on its website. Material changes include, but are not limited to, changes to sub-processing arrangements, security measures, or data transfer mechanisms, along with a brief explanation of the rationale for such changes.
- b.If a Customer reasonably believes a material change adversely affects its rights under applicable Data Protection Laws, it may raise written objections within the 30-day notice period. The parties will engage in good faith discussions to address the concern. If no resolution is reached, the Customer may terminate the affected Services by providing written notice before the effective date of the change.
- c.Upon termination under this clause, the Processor will ensure the secure return or deletion of Customer Personal Data in accordance with Schedule 4. The Processor is entitled to payment for Services rendered up to the termination date and will refund any prepaid fees for Services not provided due to termination.
- d.Continued use of the Services after the effective date of any update constitutes acceptance of the updated DPA, unless there is an ongoing dispute or active negotiations under Clause 16.b, in which case such continued use shall not be deemed acceptance until the dispute or negotiations are resolved.
- 17.Governing Law and Jurisdiction
- a.This DPA will be governed by and interpreted according to the law of England and Wales and all disputes arising under the DPA (including non-contractual disputes or claims) shall be subject to the exclusive jurisdiction of the English and Welsh courts.
Schedule 1: Processing Activities
This Schedule 1 includes certain details of the Processing of Personal Data as required by Article 28(3) UK GDPR. The subject matter and duration of the Processing of the Personal Data are set out in the Agreement and this DPA.
1. Subject Matter of Processing
Critical Cloud processes Personal Data in connection with providing cloud support and automation services under the MSA and associated Order Forms.
2. Nature and Purpose of Processing
Critical Cloud processes Personal Data for the purpose of:
- Delivering, maintaining, and optimising cloud-based services.
- Providing customer support, troubleshooting, and incident management.
- Facilitating service-related communications and notifications.
- Improving system performance through monitoring and analytics.
- Ensuring security and compliance of hosted data.
3. Categories of Data Subjects
The Personal Data processed relates to the following categories of Data Subjects:
- Employees and contractors of the Customer.
- End users of the Customer’s services.
- Business contacts provided by the Customer.
4. Types of Personal Data Processed
Critical Cloud processes the following types of Personal Data:
- Name, job title, and contact details (email, phone number).
- Authentication and security credentials (e.g., usernames, access logs).
- System usage data (logs, IP addresses, and device identifiers).
- Communications with support teams (e.g., chat transcripts, emails).
- Any additional data provided by the Customer as part of service interactions.
Note: Critical Cloud does not process special categories of Personal Data (e.g., health, biometric, or financial data) unless explicitly agreed upon in writing.
5. Duration of Processing
- Critical Cloud shall retain and process Personal Data for the duration of the MSA and active Order Forms.
- Upon termination, Personal Data shall be deleted or returned as per Schedule 4 unless retention is required by applicable law.
6. Processing Operations
Critical Cloud will perform the following processing operations:
- Collection: Receiving Personal Data from the Customer to provide the agreed services.
- Storage: Securely hosting Personal Data in SaaS and PaaS environments.
- Use: Accessing Personal Data for service delivery, analysis, and monitoring.
- Sharing: Transmitting Personal Data to authorised sub-processors listed in Schedule 3.
- Deletion: Removing Personal Data upon termination of services or upon Customer request.
Schedule 2: Technical and Organisational Measures
1. Information Security Program
Critical Cloud shall implement and maintain an Information Security Management System (ISMS) aligned with industry best practices and ISO 27001 principles, ensuring the confidentiality, integrity, and availability of Personal Data. This includes, but is not limited to:
- Regular security risk assessments.
- Defined security policies reviewed annually.
- A formal incident response plan.
2. Access Control and Authentication
Critical Cloud shall enforce access control policies to ensure that only authorised personnel have access to Personal Data:
- Role-based access control (RBAC) and least privilege principles.
- Multi-factor authentication (MFA) for system access.
- Regular reviews and audits of access permissions.
3. Encryption and Data Protection
Critical Cloud shall ensure the encryption of Personal Data both in transit and at rest using industry-standard encryption protocols:
- AES-256 encryption for data storage.
- TLS 1.2 or higher for data transmission.
- Encrypted backups stored securely.
4. Network and System Security
Critical Cloud shall maintain robust security measures to protect against unauthorised access and cyber threats:
- Firewalls and intrusion detection/prevention systems (IDS/IPS) where applicable.
- Regular penetration testing and vulnerability scanning.
- Cloud-native security tools to monitor and enforce security policies.
5. Data Integrity and Availability in SaaS and PaaS Environments
To ensure the availability and integrity of Personal Data across SaaS and PaaS platforms, Critical Cloud shall:
- Rely on built-in redundancy and disaster recovery capabilities of cloud providers.
- Use automated backups and versioning provided by SaaS/PaaS platforms.
- Implement cloud-based monitoring tools to detect anomalies and ensure service uptime.
- Ensure data portability and secure API integrations to prevent vendor lock-in.
6. Cloud-Based Security Measures
Since Critical Cloud exclusively uses SaaS and PaaS solutions, physical security is managed by third-party cloud service providers. To ensure compliance, Critical Cloud shall:
- Select SaaS and PaaS providers with industry-leading security certifications (e.g., ISO 27001, SOC 2, GDPR compliance).
- Conduct vendor security reviews to assess compliance with data protection standards.
- Enforce secure identity management through Single Sign-On (SSO) and privileged access controls.
- Ensure that data is processed and stored in compliant jurisdictions per applicable regulations.
7. Security Training and Awareness
Critical Cloud shall ensure that all employees handling Personal Data:
- Undergo annual security training.
- Are informed of their obligations under applicable Data Protection Laws.
- Adhere to a formal confidentiality agreement.
8. Incident Response and Breach Notification
Critical Cloud shall maintain an incident response plan and notify the Customer of security incidents without undue delay:
- Immediate investigation of any suspected data breach.
- Notification within 24 hours if Personal Data is compromised.
- Collaboration with the Customer on remedial actions.
9. Sub-Processor Security
Critical Cloud shall ensure that any sub-processors processing Personal Data:
- Comply with equivalent security standards.
- Sign a Data Processing Agreement (DPA) with appropriate safeguards.
- Undergo regular security audits.
Commitment to Continuous Improvement
Critical Cloud acknowledges that security threats evolve continuously and commits to ongoing review and enhancement of security measures to ensure compliance with the latest industry standards and legal requirements.
Schedule 3: Sub-Processors
The Customer agrees that Critical Cloud may sub-contract certain obligations under this DPA to the following Sub-processors:
| Sub-Processor name | Country | Description |
| --- | --- | --- |
| Datadog, Inc. | Germany | Cloud-based monitoring |
| HubSpot, Inc. | United States, Ireland | Customer relationship management (CRM) and marketing automation |
| Softr | United States | No-code platform for internal tools and customer portals |
| Typeform S.L. | Spain | Online form and survey data collection |
Schedule 4: Data Retention and Deletion
1. Retention Period
- Personal Data will be retained for the duration of the MSA and any active Order Forms.
- Upon termination of services, Critical Cloud shall retain Personal Data only as long as required by applicable laws and regulatory obligations.
2. Deletion and Return of Data
- Upon written request by the Customer, Critical Cloud shall delete or return all Personal Data within 30 days of service termination.
- Critical Cloud shall certify the completion of data deletion upon request.
3. Exceptions for Legal Compliance
- If any applicable laws or regulations require the retention of certain data, Critical Cloud shall retain only the minimum necessary Personal Data for the required period.
- Personal Data retained for compliance purposes shall not be further processed for any other reason.
4. Secure Data Disposal
- Personal Data shall be permanently deleted from all systems, including backups, using secure erasure methods.
- Critical Cloud shall ensure that any sub-processors handling Personal Data comply with the same deletion and retention standards.