CLOUDFLARE DATA PROCESSING ADDENDUM

Version 6.2, effective Nov 9, 2023

Cloudflare, Inc. (“Cloudflare”) and the counterparty agreeing to these terms (“Customer”) have entered into an Enterprise Subscription Agreement, Self-Serve Subscription Agreement or other written or electronic agreement for the Services provided by Cloudflare (the “Main Agreement”). This Data Processing Addendum, including the addenda (the “DPA”), forms part of the Main Agreement.

This DPA will be effective, and will replace and supersede any previously applicable terms relating to its subject matter (including any data processing amendment, agreement or addendum relating to the Services), from the date on which Customer signs or the parties otherwise agree to this DPA (“DPA Effective Date”).

If you are accepting this DPA on behalf of Customer, you warrant that: (a) you have full legal authority to bind Customer to this DPA; (b) you have read and understand this DPA; and (c) you agree, on behalf of Customer, to this DPA. If you do not have the legal authority to bind Customer, please do not accept this DPA.


DATA PROCESSING TERMS

This DPA applies where Cloudflare processes Personal Data as a Processor (or sub-Processor as applicable) on behalf of Customer to provide the Services and such Personal Data is subject to Applicable Data Protection Laws (as defined below).

The parties have agreed to enter into this DPA in order to ensure that appropriate safeguards are in place to protect such Personal Data in accordance with Applicable Data Protection Laws. Accordingly, Cloudflare agrees to comply with the following provisions with respect to any Personal Data that it processes as a Processor (or sub-Processor as applicable) on behalf of Customer.


1. Definitions

1.1 The following definitions are used in this DPA:

a) “Adequate Country” means a country or territory that is recognized under European Data Protection Laws as providing adequate protection for Personal Data.

b) “Affiliate” means, with respect to a party, any corporate entity that, directly or indirectly, Controls, is Controlled by, or is under Common Control with such party (but only for so long as such Control exists).

c) “Applicable Data Protection Laws” means all laws and regulations that are applicable to the processing of Personal Data under the Main Agreement, including European Data Protection Laws and the United States Data Protection Laws.

d) “Cloudflare Group” means Cloudflare and any of its Affiliates.

e) “Controller” means an entity that determines the purposes and means of the processing of Personal Data, and includes “controller,” “business,” or analogous term as defined under the Applicable Data Protection Laws.

f) “Customer Group” means Customer and any of its Affiliates.

g) “EU SCCs” means the contractual clauses annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council.

h) “Data Privacy Framework” means the EU-U.S. Data Privacy Framework, the UK-U.S. extension to the EU-U.S. Data Privacy Framework and the Swiss-US Data Privacy Framework as set forth by the U.S. Department of Commerce.

i) “European Data Protection Laws” means all laws and regulations of the European Union, the European Economic Area, their member states, Switzerland, and the United Kingdom applicable to the processing of Personal Data under the Main Agreement (including, where applicable, (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data (General Data Protection Regulation) (the "EU GDPR"); (ii) the EU GDPR as saved into United Kingdom law by virtue of section 3 of the United Kingdom's European Union (Withdrawal) Act 2018 and the UK Data Protection Act 2018 (the "UK GDPR"); (iii) the Swiss Federal Act on Data Protection of 1 October 2023 and its corresponding ordinances (“Swiss FADP”); (iv) the EU e-Privacy Directive (Directive 2002/58/EC); and (v) any and all applicable national data protection laws made under, pursuant to or that apply in conjunction with any of (i), (ii), (iii), (iv)).

j) “Personal Data” means all data which is defined as ‘personal data’, ‘personal information’, or ‘personally identifiable information’ (or analogous term) under Applicable Data Protection Laws.

k) “processing”, “data subject”, and “supervisory authority” shall have the meanings ascribed to them in European Data Protection Laws.

l) “Processor” means an entity which processes Personal Data on behalf of the Controller, including an entity to which another business discloses a natural individual’s personal information for a business purpose pursuant to a written contract that requires the entity receiving the information to only retain, use, or disclose Personal Data for the purpose of providing the Services, and includes “processor,” “service provider,” or analogous term as defined under the Applicable Data Protection Laws.

m) “Services” shall refer to any of the cloud-based solutions offered, marketed or sold by Cloudflare or its authorized partners which are designed to increase the performance, security and availability of Internet properties, applications and networks, along with any software, software development kits and application programming interfaces (“APIs”) made available in connection with the foregoing.

n) “Restricted Transfer” means: (i) where the EU GDPR or Swiss FADP applies, a transfer of Personal Data from the European Economic Area or Switzerland (as applicable) to a country outside of the European Economic Area or Switzerland (as applicable) which is not subject to an adequacy determination by the European Commission or Swiss Federal Data Protection and Information Commissioner (as applicable); and (ii) where the UK GDPR applies, a transfer of Personal Data from the United Kingdom to any other country which is not based on adequacy regulations pursuant to Section 17A of the United Kingdom Data Protection Act 2018. For the avoidance of doubt, a transfer of Personal Data to the United States pursuant to the Data Privacy Framework shall not be a Restricted Transfer.

o) “UK Addendum” means the International Data Transfer Addendum (Version B1.0) issued by the Information Commissioner's Office under s.119(A) of the UK Data Protection Act 2018, as updated or amended from time to time.

p) “United States Data Protection Laws” means all laws and regulations of the United States applicable to the processing of Personal Data under the Main Agreement, including (a) the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (Cal. Civ. Code § 1798.100 - 1798.199, 2022) and its implementing regulations (collectively, the “CCPA”), (b) the Virginia Consumer Data Protection Act, when effective, (c) the Colorado Privacy Act and its implementing regulations, when effective, (d) the Utah Consumer Privacy Act, when effective; and (e) Connecticut SB6, An Act Concerning Personal Data Privacy and Online Monitoring, when effective.

1.2 An entity “Controls” another entity if it: (a) holds a majority of the voting rights in it; (b) is a member or shareholder of it and has the right to remove a majority of its board of directors or equivalent managing body; (c) is a member or shareholder of it and controls alone or pursuant to an agreement with other shareholders or members, a majority of the voting rights in it; or (d) has the right to exercise a dominant influence over it pursuant to its constitutional documents or pursuant to a contract; and two entities are treated as being in “Common Control” if either controls the other (directly or indirectly) or both are controlled (directly or indirectly) by the same entity.

1.3 For the purposes of this DPA, “to provide” or “providing” the Services means delivery of Services as specified in the Main Agreement.

2. Status of the parties

2.1 The type of Personal Data processed pursuant to this DPA and the subject matter, duration, nature and purpose of the processing, and the categories of data subjects, are as described in Annex 1.

2.2 Each party warrants in relation to Personal Data that it will comply with and provide the same level of privacy protection as required by the Applicable Data Protection Laws. As between the parties, the Customer shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which the Customer acquired Personal Data.

2.3 In respect of the parties' rights and obligations under this DPA regarding the Personal Data, the parties acknowledge and agree that the Customer is the Controller (or a Processor processing Personal Data on behalf of a third-party Controller), and Cloudflare is a Processor (or sub-Processor, as applicable).

2.4 If Customer is a Processor, Customer warrants to Cloudflare that Customer’s instructions and actions with respect to the Personal Data, including its appointment of Cloudflare as another Processor and, where applicable, concluding the EU SCCs (including as they may be amended in clause 6.2 below), have been (and will, for the duration of this DPA, continue to be) authorized by the relevant third-party Controller.

3. Cloudflare obligations

3.1 With respect to all Personal Data it processes in its role as a Processor or sub-Processor, Cloudflare warrants that it shall:

(a) only process Personal Data for the limited and specified business purpose of providing the Services and in accordance with: (i) the Customer's written instructions as set out in the Main Agreement and this DPA, unless required to do so by applicable Union or Member State law to which Cloudflare is subject, and (ii) the requirements of Applicable Data Protection Laws. In the event Cloudflare is required to process Personal Data under Applicable Data Protection Laws, Cloudflare shall inform the Customer of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest;

(b) not use the Personal Data for the purposes of marketing or advertising;

(c) implement appropriate technical and organizational measures to ensure a level of security appropriate to the risks that are presented by the processing of Personal Data, in particular protection against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data. Such measures include, without limitation, the security measures set out in Annex 2 (“Security Measures”). Customer acknowledges that the Security Measures are subject to technical progress and development and that Cloudflare may update or modify the Security Measures from time to time, provided that such updates and modifications do not degrade or diminish the overall security of the Services;

(d) ensure that only authorized personnel have access to such Personal Data and that any persons whom it authorizes to have access to the Personal Data are under contractual or statutory obligations of confidentiality;

(e) without undue delay notify the Customer upon becoming aware of any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed for the purpose of providing the Services to Customer by Cloudflare, its sub-Processors, or any other identified or unidentified third party (a “Personal Data Breach”) and provide the Customer with reasonable cooperation and assistance in respect of that Personal Data Breach, including all reasonable information in Cloudflare’s possession concerning such Personal Data Breach insofar as it affects the Personal Data;

(f) not make any public announcement about a Personal Data Breach (a “Breach Notice”) without the prior written consent of the Customer, unless required by applicable law;

(g) to the extent Cloudflare is able to verify that a data subject is associated with the Customer, promptly notify the Customer if it receives a request from a data subject to exercise any data protection rights (including rights of access, rectification or erasure) in respect of that data subject’s Personal Data (a “Data Subject Request”). Cloudflare shall not respond to a Data Subject Request without the Customer’s prior written consent except to confirm that such request relates to the Customer, to which the Customer hereby agrees;

(h) to the extent Cloudflare is able, and in line with applicable law, provide reasonable assistance to Customer in responding to a data subject request to exercise any data protection right under Applicable Data Protection Laws (including rights of access, rectification or erasure) in respect of that data subject’s Personal Data if the Customer does not have the ability to address a Data Subject Request without Cloudflare’s assistance. The Customer is responsible for verifying that the requestor is the data subject in respect of whose Personal Data the request is made. Cloudflare bears no responsibility for information provided in good faith to Customer in reliance on this subsection. Customer shall cover all costs incurred by Cloudflare in connection with its provision of such assistance;

(i) other than to the extent required to comply with applicable law, following termination or expiry of the Main Agreement or completion of the Services, at the choice of Customer, delete or return all Personal Data (including copies thereof) processed pursuant to this DPA;

(j) taking into account the nature of processing and the information available to Cloudflare, provide such assistance to the Customer as the Customer reasonably requests in relation to Cloudflare’s obligations under Applicable Data Protection Laws with respect to:

(i) data protection impact assessments and prior consultations (as such terms are defined in Applicable Data Protection Laws);

(ii) notifications to the supervisory authority under Applicable Data Protection Laws and/or communications to data subjects by the Customer in response to any Personal Data Breach; and

(iii) the Customer’s compliance with its obligations under Applicable Data Protection Laws with respect to the security of processing;

provided that the Customer shall cover all costs incurred by Cloudflare in connection with its provision of such assistance; and

(k) notify Customer if, in Cloudflare’s opinion, any instructions provided by the Customer under clause 3.1(a) infringe Applicable Data Protection Laws, or if Cloudflare otherwise makes a determination that it can no longer meet its obligations under Applicable Data Protection Laws.

3.2 To the extent that Cloudflare is processing Personal Data on behalf of the Customer within the scope of the CCPA, Cloudflare makes the following additional commitments to Customer: Cloudflare will not retain, use, or disclose that Personal Data for any purposes other than the purposes set out in the Main Agreement and this DPA and as permitted under the CCPA, including under any “sale” exemption. Cloudflare will not “sell” or “share” such Personal Data, as those terms are defined in the CCPA. This clause 3.2 does not limit or reduce any data protection commitments Cloudflare makes to Customer in the Main Agreement or this DPA.

3.3 Cloudflare certifies that it understands and will comply with the obligations and restrictions in clauses 2 and 3, and the Applicable Data Protection Laws.

4. Sub-processing

4.1 Cloudflare will disclose Personal Data to sub-Processors only for the specific purpose of providing the Services.

4.2 Cloudflare will ensure that any sub-Processor it engages to provide an aspect of the Services on its behalf in connection with this DPA does so only on the basis of a written contract which imposes on such sub-Processor terms (i.e., data protection obligations) that are no less protective of Personal Data than those imposed on Cloudflare in this DPA (the “Relevant Terms”). Cloudflare shall procure the performance by such sub-Processor of the Relevant Terms and shall be liable to the Customer for any breach by such sub-Processor of any of the Relevant Terms.

4.3 The Customer grants a general written authorization: (a) to Cloudflare to appoint other members of the Cloudflare Group as sub-Processors, and (b) to Cloudflare and other members of the Cloudflare Group to appoint third party data center operators, and business, project and customer support providers as sub-Processors to support the performance of the Services.

4.4 Cloudflare will maintain a list of sub-Processors at https://hendrickheat.com/gdpr/subprocessors/ and will add the names of new and replacement sub-Processors to the list at least thirty (30) days prior to the date on which those sub-Processors commence processing of Personal Data. If Customer objects to any new or replacement sub-Processor on reasonable grounds related to data protection, it shall notify Cloudflare of such objections in writing within ten (10) days of the notification and the parties will seek to resolve the matter in good faith. If Cloudflare is reasonably able to provide the Services to the Customer in accordance with the Main Agreement without using the sub-Processor and decides in its discretion to do so, then Customer will have no further rights under this clause 4.4 in respect of the proposed use of the sub-Processor. If Cloudflare, in its discretion, requires use of the sub-Processor and is unable to satisfy Customer’s objection regarding the proposed use of the new or replacement sub-Processor, then Customer may terminate the applicable Order Form effective upon the date Cloudflare begins use of such new or replacement sub-Processor solely with respect to the Service(s) that will use the proposed new sub-Processor for the processing of Personal Data. If Customer does not provide a timely objection to any new or replacement sub-Processor in accordance with this clause 4.4, Customer will be deemed to have consented to the sub-Processor and waived its right to object.

5. Audit and data

5.1 Cloudflare shall, in accordance with Applicable Data Protection Laws, make available to Customer such information in Cloudflare’s possession or control as Customer may reasonably request with a view to demonstrating Cloudflare’s compliance with the obligations of Processors under Applicable Data Protection Laws in relation to its processing of Personal Data.

5.2 Cloudflare may fulfill Customer’s right of audit under Applicable Data Protection Laws in relation to Personal Data, by providing:

(a) an audit report not older than thirteen (13) months, prepared by an independent external auditor demonstrating that Cloudflare’s technical and organizational measures are sufficient and in accordance with an accepted industry audit standard;

(b) additional information in Cloudflare’s possession or control to a data protection supervisory authority when it requests or requires additional information in relation to the processing of Personal Data carried out by Cloudflare under this DPA; and

(c) to the extent that Customer’s Personal Data is subject to the EU SCCs and the information made available pursuant to this clause 5.2 is insufficient, in Customer’s reasonable judgment, to confirm Cloudflare’s compliance with its obligations under this DPA or Applicable Data Protection Laws, then Cloudflare shall enable Customer to request one onsite audit per annual period during the Term (as defined in the Main Agreement) to verify Cloudflare’s compliance with its obligations under this DPA in accordance with clause 5.3.

5.3 The following additional terms shall apply to audits the Customer requests:

(a) Customer must send any requests for reviews of Cloudflare’s audit reports to [email protected].

(b) Following receipt by Cloudflare of a request for audit under clause 5.2(c), Cloudflare and Customer will discuss and agree in advance on the reasonable start date, scope, duration of, and security and confidentiality controls applicable to any audit under clause 5.2(c). Where possible, evidence for such an audit will be limited to the evidence collected for Cloudflare’s most recent third-party audit.

(c) Cloudflare may charge a fee (based on Cloudflare’s reasonable costs) for any audit under clause 5.2(c). Cloudflare will provide Customer with further details of any applicable fee, and the basis of its calculation, in advance of any such audit. Customer will be responsible for any fees charged by any auditor appointed by Customer to execute any such audit.

(d) Cloudflare may object in writing to an auditor appointed by Customer to conduct any audit under clause 5.2(c) if the auditor is, in Cloudflare’s reasonable opinion, not suitably qualified or independent, a competitor of Cloudflare, or otherwise manifestly unsuitable (i.e., an auditor whose engagement may have a harmful impact on Cloudflare’s business comparable to the aforementioned aspects). Any such objection by Cloudflare will require Customer to appoint another auditor or conduct the audit itself. If the EU SCCs (including as they may be amended in clause 6.2 below) apply, nothing in this clause 5.3 varies or modifies the EU SCCs nor affects any supervisory authority’s or data subject’s rights under the EU SCCs.

6. Data transfers from the EEA, Switzerland, and the UK

6.1 In connection with the Services, the parties anticipate that Cloudflare (and its sub-Processors) may process outside of the European Economic Area (“EEA”), Switzerland, and the United Kingdom, certain Personal Data protected by European Data Protection Laws in respect of which Customer or a member of the Customer Group may be a Controller (or Processor on behalf of a third-party Controller, as applicable).

6.2 The parties agree that when the transfer of Personal Data protected by European Data Protection Laws from Customer or any member of the Customer Group to Cloudflare is a Restricted Transfer, then the appropriate standard contractual clauses and other safeguards shall apply as follows:

(a) EU Transfers: in relation to Personal Data that is protected by the EU GDPR, the EU SCCs will apply completed as follows:

(i) Module Two will apply where Customer (or the relevant member of the Customer Group) is a Controller and Module Three will apply where Customer (or the relevant member of the Customer Group) is a Processor;

(ii) in Clause 7, the optional docking clause will apply;

(iii) in Clause 9, Option 2 will apply, and the time period for prior notice of sub-Processor changes shall be as set out in clause 4.4 of this DPA;

(iv) in Clause 11, the optional language will not apply;

(v) in Clause 17, Option 2 will apply, and if the data exporter’s Member State does not allow for third-party beneficiary rights, then the law of Germany applies;

(vi) in Clause 18(b), disputes shall be resolved before the courts of the jurisdiction governing the Main Agreement between the parties or, if that jurisdiction is not an EU Member State, then the courts in Munich, Germany. In any event, Clause 17 and 18(b) shall be consistent in that the choice of forum and jurisdiction shall fall on the country of the governing law;

(vii) Annex I of the EU SCCs shall be deemed completed with the information set out in Annex 1 to this DPA; and

(viii) Annex II of the EU SCCs shall be deemed completed with the information set out in Annex 2 to this DPA.

(b) UK Transfers: in relation to Personal Data that is protected by the UK GDPR, the EU SCCs, completed as set out above in clause 6.2(a) of this DPA, shall apply to transfers of such Personal Data, except that:

(i) The EU SCCs shall be deemed amended as specified by the UK Addendum, which shall be deemed executed between the transferring Customer (or the relevant member of the Customer Group) and Cloudflare;

(ii) Any conflict between the terms of the EU SCCs and the UK Addendum shall be resolved in accordance with Section 10 and Section 11 of the UK Addendum;

(iii) For the purposes of the UK Addendum, Tables 1 to 3 in Part 1 of the UK Addendum shall be deemed completed using the information contained in the Annexes of this DPA; and

(iv) Table 4 in Part 1 of the UK Addendum shall be deemed completed by selecting “neither party.”

(c) Swiss Transfers: in relation to Personal Data that is protected by the Swiss FADP (as amended or replaced), the EU SCCs, completed as set out above in clause 6.2(a) of this DPA, shall apply to transfers of such Personal Data, except that:

(i) the competent supervisory authority in respect of such Personal Data shall be the Swiss Federal Data Protection and Information Commissioner;

(ii) in Clause 17, the governing law shall be the laws of Switzerland;

(iii) references to “Member State(s)” in the EU SCCs shall be interpreted to refer to Switzerland, and data subjects located in Switzerland shall be entitled to exercise and enforce their rights under the EU SCCs in Switzerland; and

(iv) references to the “General Data Protection Regulation”, “Regulation 2016/679” or “GDPR” in the EU SCCs shall be understood to be references to the Swiss FADP (as amended or replaced).

(d) The following terms shall apply to the EU SCCs (including as they may be amended under clauses 6.2(b)(ii) and 6.2(b)(iii) above):

(i) Customer may exercise its right of audit under the EU SCCs as set out in, and subject to the requirements of, clause 5 of this DPA; and

(ii) Cloudflare may appoint sub-Processors as set out in, and subject to the requirements of, clauses 4 and 6.3 of this DPA, and Customer may exercise its right to object to sub-Processors under the EU SCCs in the manner set out in clause 4.4 of this DPA.

(e) In the event that any provision of this DPA contradicts, directly or indirectly, the EU SCCs (and the UK Addendum, as appropriate), the latter shall prevail.

6.3 In respect of Restricted Transfers made to Cloudflare under clause 6.2, Cloudflare shall not participate in (nor permit any sub-Processor to participate in) any further Restricted Transfers of Personal Data (whether as an “exporter” or an “importer” of the Personal Data) unless such further Restricted Transfer is made in full compliance with Applicable Data Protection Laws and, if applicable, any EU SCCs and/or UK Addendum implemented between Customer and Cloudflare.

6.4 Customer acknowledges that Cloudflare complies with the Data Privacy Framework and that transfers of Customer Data to Cloudflare made under the Data Privacy Framework shall not be a Restricted Transfer. Cloudflare will notify Customer if its Data Privacy Framework certification lapses or is otherwise invalidated, in which case any transfers of Personal Data from Customer to Cloudflare will immediately be deemed a Restricted Transfer and the provisions of Section 6.2 shall apply.

6.5 In the event Customer seeks to conduct any assessment of the adequacy of Cloudflare’s transfers to any particular countries or regions, Cloudflare shall, to the extent it is able, provide reasonable assistance to Customer for the purpose of any such assessment, provided Customer shall cover all costs incurred by Cloudflare in connection with its provision of such assistance.

7. Third Party Data Access Requests

7.1 If Cloudflare becomes aware of any third party legal process requesting Personal Data that Cloudflare processes on behalf of Customer in its role as Processor or sub-Processor (as applicable) then Cloudflare will:

(a) immediately notify Customer of the request unless such notification is legally prohibited;

(b) inform the third party that it is a Processor or sub-Processor (as applicable) of the Personal Data and is not authorized to disclose the Personal Data without Customer’s consent;

(c) disclose to the third party the minimum necessary Customer contact details to allow the third party to contact the Customer and instruct the third party to direct its data request to Customer; and

(d) to the extent Cloudflare provides access to or discloses Personal Data in response to third party legal process either with Customer authorization or due to a mandatory legal compulsion, then Cloudflare will disclose the minimum amount of Personal Data to the extent it is legally required to do so and in accordance with the applicable legal process.

7.2 In Cloudflare’s role as a Processor or sub-Processor, as applicable, it may be subject to third party legal process issued by a government authority (including a judicial authority) and requesting access to or disclosure of Personal Data. If Cloudflare becomes aware of any third party legal process issued by a government authority (including a judicial authority) requesting Personal Data that Cloudflare processes on behalf of Customer in its role as Processor or sub-Processor (as applicable) then, to the extent that Cloudflare reviews the request with reasonable efforts and as a result is able to identify that such third party legal process requesting Personal Data raises a conflict of law, Cloudflare will:

(a) take all action identified in clause 7.1 above;

(b) pursue legal therapeutic prior to producing Personal Data up to with appellate court level; real

(c) not disclose Personal File until (and then available to the extent) required toward do so under applicable procedural rules.

7.3 Clauses 7.1 and 7.2 shall not applying in the event that Cloudflare has a good-faith faith the government request is necessary due to einer emergency involving the threat of death or serious physical injury go an individuality. In such event, Cloudflare are notify Customer of the information disclosure as soon as possible following who disclosure and provide Customer with full get in the same, unless create disclosure is legally prohibits. Keypoint: Starting in 2023, organizations such are subject to one or more of the laws will need to enter within contracts with recipients of individual

7.4 Cloudflare will provide Customer with regular updates about third party legal process requesting Personal Data in the form of Cloudflare’s semiannual Transparency Report, which is available at https://hendrickheat.com/transparency/.

7.5 As of the date Customer entered into this DPA with Cloudflare, Cloudflare makes the commitments listed below. Cloudflare will update these commitments as may be required at https://hendrickheat.com/transparency/:

(a) Cloudflare has never turned over our encryption or authentication keys or our customers' encryption or authentication keys to anyone.

(b) Cloudflare has never installed any law enforcement software or equipment anywhere on our network.

(c) Cloudflare has never provided any law enforcement organization a feed of our customers' content transiting our network.

(d) Cloudflare has never weakened, compromised, or subverted any of its encryption at the request of law enforcement or another third party.

8. General

8.1 This DPA is without prejudice to the rights and obligations of the parties under the Main Agreement which shall continue to have full force and effect. In the event of any conflict between the terms of this DPA and the terms of the Main Agreement, the terms of this DPA shall prevail so far as the subject matter concerns the processing of Personal Data.

8.2 Cloudflare’s liability under or in connection with this DPA, including under the EU SCCs, is subject to the exclusions and limitations on liability contained in the Main Agreement. In no event does Cloudflare limit or exclude its liability towards data subjects or competent data protection authorities.

8.3 Except where and to the extent expressly provided in the EU SCCs or required as a matter of Applicable Data Protection Laws, this DPA does not confer any third-party beneficiary rights; it is intended for the benefit of the parties hereto and their respective permitted successors and assigns only, and is not for the benefit of, nor may any provision hereof be enforced by, any other person.

8.4 This DPA and any action related thereto shall be governed by and construed in accordance with the laws as specified in the Main Agreement, without giving effect to any conflicts of laws principles. The parties consent to the personal jurisdiction of, and venue in, the courts specified in the Main Agreement.

8.5 If any provision of this DPA is, for any reason, held to be invalid or unenforceable, the other terms of this DPA will remain binding. Without limiting the generality of the foregoing, Customer agrees that clause 8.2 (Limitation of Liability) will remain in effect notwithstanding the unenforceability of any provision of this DPA.

8.6 This DPA is the final, complete and exclusive agreement of the parties with respect to the subject matter hereof and supersedes and merges all prior discussions and agreements between the parties with respect to such subject matter.

Annex 1

Data Processing Description

This Annex 1 forms part of the DPA and describes the processing that Cloudflare will perform on behalf of Customer.

A. LIST OF PARTIES

Data exporter(s): Customer to complete the right-hand column.

Name:
Customer or any Customer Affiliates described in the Main Agreement.
As stated in the Main Agreement
Address:
Addresses for Customer and any Customer Affiliates described in the Main Agreement (or otherwise notified by Customer to Cloudflare)
As stated in the Main Agreement
Contact person’s name, position and contact details:
As stated in the Main Agreement
Activities relevant to the data transferred under this DPA and the EU SCCs:
Use of the Service pursuant to the Main Agreement.
Signature and date:
This Annex 1 shall be deemed executed upon execution of the DPA.
Role (controller/processor):
Controller (or Processor on behalf of a third-party Controller).

Data importer(s):

Name:
Cloudflare, Inc.
Address:
101 Townsend Street
San Juan, CA 94107
USA
Contact person’s name, position and contact details:
Emily Hancock
Data Protection Officer
[email protected]
Activities relevant to the data transferred under this DPA and the EU SCCs:
Processing necessary to provide the Service to Customer, pursuant to the Main Agreement.
Signature and date:
This Annex 1 shall be deemed executed upon execution of the DPA.
Role (controller/processor):
Processor (or sub-Processor)

B. DESCRIPTION OF DATA PROCESSING AND TRANSFER

Categories of data subjects whose Personal Data is transferred:
Natural persons that (i) access or use Customer’s domains, networks, websites, application programming interfaces (“APIs”), and applications, or (ii) Customers’ employees, agents, or contractors who access or use the Services, such as Cloudflare Zero Trust end users, (together, “End Users”).
Natural persons with login credentials for a Cloudflare account and/or those who administer any of the Services for a Customer (“Administrators”).
Categories of Personal Data transferred:
In relation to End Users:
Any Personal Data processed in Customer Logs, such as IP addresses, and in the case of Cloudflare Zero Trust, Cloudflare Zero Trust end user names and email addresses. “Customer Logs” means any logs of End Users’ interactions with Customer’s Internet Properties and the Service that are made available to Customer via the Service dashboard or other online interface during the Term by Cloudflare.
Any Personal Data processed in Customer Content, the extent of which is determined and controlled by the Customer in its sole discretion. “Customer Content” means any files, software, scripts, multimedia images, graphics, audio, video, text, data, or other objects originating or transmitted from or processed by any Internet Properties owned, controlled or operated by Customer or uploaded by Customer through the Service, and routed to, passed through, processed and/or cached on or within, Cloudflare’s network or otherwise transmitted or routed using the Service by Customer.
In relation to Administrators:
Any Personal Data processed in Administrator audit logs, such as IP addresses and email addresses.
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures:
Customer, its End Users, Administrators, and/or other partners may upload content to Customer's online properties that may include special categories of data, the extent of which is determined and controlled by the Customer in its sole discretion.
Such special categories of data include, but may not be limited to, information revealing racial or ethnic origins, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of data concerning an individual’s health or sex life.
Any such special categories of data shall be protected by applying the security measures described in Annex 2.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis):
Continuous for the duration of the Main Agreement.
Nature of the processing:
Processing necessary to provide the Services to Customer in accordance with the documented instructions provided in the Main Agreement and this DPA.
Purpose(s) of the data transfer and further processing:
Processing necessary to provide the Services to Customer in accordance with the documented instructions provided in the Main Agreement and this DPA.
The period for which the Personal Data will be retained, or, if that is not possible, the criteria used to determine that period:
Until the earlier of (i) expiry/termination of the Main Agreement, or (ii) the date upon which processing is no longer necessary for the purposes of either party performing its obligations under the Main Agreement (to the extent applicable).
For transfers to (sub-) Processors, also specify subject matter, nature and duration of the processing:
The subject matter, nature and duration of the processing shall be as specified in the Main Agreement.

C. COMPETENT SUPERVISORY AUTHORITY

Identify the competent supervisory authority/ies in accordance (e.g. in accordance with Clause 13 of the EU SCCs)
In respect of the EU SCCs, means the competent supervisory authority determined in accordance with Clause 13 of the EU SCCs.
In respect of the UK Addendum, means the UK Information Commissioner's Office.

Annex 2

Technical and Organizational Security Measures

Cloudflare has implemented and shall maintain an information security program in accordance with ISO/IEC 27000 standards. Cloudflare’s security program shall include:

Measures of encryption of Personal Data

Cloudflare implements encryption to adequately protect Personal Data using:

  • state-of-the-art encryption protocols designed to provide effective protection against active and passive attacks with resources known to be available to public authorities;

  • trustworthy public-key certification authorities and infrastructure;

  • effective encryption algorithms and parameterization, such as a minimum of 128-bit key lengths for symmetric encryption, and at least 2048-bit RSA or 256-bit ECC key lengths for asymmetric algorithms.

Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services

Cloudflare enhances the security of processing systems and services in production environments by:

  • employing a code review process to increase the security of the code used to provide the Services; and testing code and systems for vulnerabilities before and during use;

  • maintaining an external bug bounty program;

  • using checks to validate the integrity of encrypted data; and

  • employing preventative and reactive intrusion detection.

Cloudflare deploys high-availability systems across geographically-distributed data centers.

Cloudflare implements input control measures to protect and maintain the confidentiality of Personal Data including:

  • an authorization policy for the input, reading, alteration and deletion of data;

  • authenticating authorized personnel using unique authentication credentials (passwords) and hard tokens;

  • automatically signing-out user IDs after a period of inactivity;

  • protecting the input of data, as well as the reading, alteration and deletion of stored data; and

  • requiring that data processing facilities (the rooms housing the computer hardware and related equipment) are kept locked and secure.

Measures for ensuring the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident

Cloudflare implements measures to ensure that Personal Data is protected from accidental destruction or loss, including by maintaining:

  • disaster-recovery and business continuity plans and procedures;

  • geographically-distributed data centers;

  • redundant infrastructure, including power supplies and internet connectivity;

  • backups stored at alternative sites and available for restore in case of failure of primary systems; and

  • incident management procedures that are regularly tested.

Processes for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the processing

Cloudflare’s technical and organizational measures are regularly tested and evaluated by external third-party auditors as part of Cloudflare’s Security & Privacy Compliance Program. These may include annual ISO/IEC 27001 audits; AICPA SOC 2 Type II; PCI DSS Level 1; and other external audits. Measures are also regularly tested by internal audits, as well as annual and targeted risk assessments.

Measures for user identification and authorization

Cloudflare implements effective measures for user authentication and privilege management by:

  • applying a mandatory access control and authentication policy;

  • applying a zero-trust model of identification and authorization;

  • authenticating authorized personnel using unique authentication credentials and strong multi-factor authentication, including requiring the use of physical hard tokens;

  • allocating and managing appropriate privileges according to role, approvals, and exception management; and

  • applying the principle of least privilege access.

Measures for the protection of data during transmission

Cloudflare implements effective measures to protect Personal Data from being read, copied, altered or deleted by unauthorized parties during transmission, including by:

  • using state-of-the-art transport encryption protocols designed to provide effective protection against active and passive attacks with resources known to be available to public authorities;

  • using trustworthy public-key certification authorities and infrastructure;

  • implementing protective measures against active and passive attacks on the sending and receiving systems providing transport encryption, such as adequate firewalls, mutual TLS encryption, API authentication, and encryption to protect the gateways and pipelines through which data travels, as well as testing for software vulnerabilities and possible backdoors;

  • employing effective encryption algorithms and parameterization, such as a minimum of 128-bit key lengths for symmetric encryption, and at least 2048-bit RSA or 256-bit ECC key lengths for asymmetric algorithms;

  • using correctly implemented and properly maintained software, covered under a vulnerability management program, and tested for conformity by auditing;

  • enforcing secure measures to reliably generate, manage, store and protect encryption keys; and

  • audit logging, monitoring, and tracking data transmissions.

Measures for the protection of data during storage

Cloudflare implements effective measures to protect Personal Data during storage, controlling and limiting access to data processing systems, and by:

  • using state-of-the-art encryption protocols designed to provide effective protection against active and passive attacks with resources known to be available to public authorities;

  • using trustworthy public-key certification authorities and infrastructure;

  • testing systems storing data for software vulnerabilities and possible backdoors;

  • employing effective encryption algorithms and parameterization, such as requiring all disks storing Personal Data to be encrypted with AES-XTS using a key length of 128-bits or longer;

  • using correctly implemented and properly maintained software, covered under a vulnerability management program, and tested for conformity by auditing;

  • enforcing secure measures to reliably generate, manage, store and protect encryption keys;

  • identifying and authorizing systems and users with access to data processing systems;

  • automatically signing-out users after a period of inactivity; and

  • audit logging, monitoring, and tracking access to data processing and storage systems.

Cloudflare implements access controls to specific areas of data processing systems to ensure only authorized users are able to access Personal Data within the scope and to the extent covered by their respective access permission (authorization) and that Personal Data cannot be read, copied or modified or removed without authorization. This shall be accomplished by various measures including:

  • employee policies and training in respect of each employee’s access rights to the Personal Data;

  • applying a zero-trust model of user identification and authorization;

  • authenticating authorized personnel using unique authentication credentials and strong multi-factor authentication, including requiring the use of physical hard tokens;

  • monitoring actions of those authorized to delete, add or modify Personal Data;

  • release of data only to authorized persons, including the allocation of differentiated access rights and roles; and

  • auditing access to data, with controlled and documented destruction of data.

Measures for ensuring physical security of locations at which Personal Data are processed

Cloudflare maintains and implements effective physical access control policies and measures in order to prevent unauthorized persons from gaining access to the data processing equipment (namely database and application servers, and related hardware) where the Personal Data are processed or used, including by:

  • establishing secure areas;

  • protecting and restricting access paths;

  • establishing access authorizations for employees and third parties, including the respective documentation;

  • all access to data centers where Personal Data are hosted is logged, monitored, and tracked; and

  • data centers where Personal Data are hosted are secured by security alarm systems, and other appropriate security measures.

Measures for ensuring events logging

Cloudflare has implemented a logging and monitoring program to log, monitor and track access to personal data, including by system administrators and to ensure data is processed in accordance with instructions received. This is accomplished by various measures, including:

  • authenticating authorized personnel using unique authentication credentials and strong multi-factor authentication, including requiring the use of physical hard tokens;

  • applying a zero-trust model of user identification and authorization;

  • maintaining updated lists of system administrators’ identification details;

  • adopting measures to detect, assess, and respond to high-risk anomalies;

  • keeping secure, accurate, and unmodified access logs to the processing infrastructure for twelve hours; and

  • testing the logging configuration, monitoring system, alerting and incident response process at least once annually.

Measures for ensuring system configuration, including default configuration

Cloudflare maintains configuration baselines for all systems supporting the production data processing environment, including third-party systems. Configuration baselines should align with industry best practices such as the Center for Internet Security (CIS) Level 1 benchmarks. Automated mechanisms must be used to enforce baseline configurations on production systems, and to prevent unauthorized changes. Changes to baselines are limited to a small number of authorized Cloudflare personnel, and must follow change control processes. Changes must be auditable, and checked regularly to detect deviations from baseline configurations.

Cloudflare configures baselines for the information system using the principle of least privilege. By default, access configurations are set to “deny-all,” and default passwords must be changed to meet Cloudflare’s policies prior to device installation on the Cloudflare network, or immediately after software or operating system installation. Systems are configured to synchronize system time clocks based on International Atomic Time or Coordinated Universal Time (UTC), and access to modify time data is restricted to authorized personnel.

Measures for internal IT and IT security governance and management

Cloudflare maintains internal policies on the acceptable use of IT systems and general information security. Cloudflare requires all employees to undertake general security and privacy awareness training at least every year. Cloudflare restricts and protects the processing of Personal Data, and has documented and implemented:

  • a formal Information Security Management System (ISMS) in order to protect the confidentiality, integrity, authenticity, and availability of Cloudflare’s data and information systems, and to ensure the effectiveness of security controls over data and information systems that support operations; and

  • a formal Privacy Information Management System (PIMS) in order to protect the confidentiality, integrity, authenticity, and availability of the policies and procedures supporting Cloudflare’s global managed network, as both a processor and a controller of customer information.

Cloudflare will keep documentation of technical and organizational measures in case of audits and for the conservation of evidence. Cloudflare shall take reasonable steps to ensure that persons employed by it, and other persons at the place of work concerned, are aware of and comply with the technical and organizational measures set forth in this Annex 2.

Measures for certification/assurance of processes and products

The implementation of Cloudflare’s ISMS and related security risk management processes has been externally certified to the industry-standard ISO/IEC 27001. The implementation of Cloudflare’s comprehensive PIMS has been externally certified to the industry-standard ISO/IEC 27701, as both a processor and controller of customer information.

Cloudflare maintains PCI DSS Level 1 compliance for which Cloudflare is audited annually by a third-party Qualified Security Assessor. Cloudflare has undertaken other certifications such as the AICPA SOC 2 Type II certification in accordance with the AICPA Trust Service Criteria, and details of these and other certifications that Cloudflare may undertake from time to time will be made available on Cloudflare’s website.

For transfers to (sub-) Processors, also describe the specific technical and organizational measures to be taken by the (sub-) Processor to be able to provide assistance to the controller (and, for transfers from a Processor to a sub-Processor, to the data exporter).

Measure | Description
Self-service access to hit data issue authorization of access, erasure, bereinigen etc.
Ability to log in to review and edit Personal Data via the Cloudflare dashboard.
