Terms of Use

Legal

Acceptable Use Policy

Digital Millennium Copyright Act Policy

Terms of Use

Law Enforcement Request

Ethics and Compliance Helpline

Terms of Use

Download Document
Privacy Statement
 
At cloudfortress®, we are committed to protecting your privacy and complying with applicable data privacy laws.
Personal Data We Collect:
We collect personal data to provide you with our services. This includes:
  • Contact Information: Your name, email address, and phone number.
  • Account Information: Username, password, and security questions.
  • Transaction Data: Payment details necessary for processing orders.
  • Usage Data: Information on how you use our services, including IP addresses, browser types, and interaction logs.
How We Use Your Data:
We use your data to:
  • Provide and manage our services.
  • Communicate with you about your account or services.
  • Improve our services and develop new features.
  • Ensure the security of our systems and detect/prevent fraud.
Data Sharing:
We do not share your personal data with third parties except:
  • When required by law or in response to legal processes.
  • With service providers who assist us in delivering our services, under strict confidentiality agreements.
  • If necessary, to protect the rights, property, or safety of cloudfortress, our users, or the public.
Data Retention:
We retain your personal data only as long as necessary to fulfill the purposes outlined in this statement, or as required by law. Once the data is no longer needed, we securely delete or anonymize it.
Your Rights:
You have the right to:
  • Access the personal data we hold about you.
  • Correct any inaccuracies in your data.
  • Request deletion of your data, subject to legal obligations.
  • Object to or restrict the processing of your data.
  • Withdraw consent for data processing at any time.
To exercise these rights, please contact us at [email protected].
Cookies:
We use cookies to enhance your experience and gather data on how our services are used. You can control your cookie preferences through your browser settings. For more information on our cookie usage, please visit our Cookie Policy.
International Data Transfers:
If you are accessing our services from outside the United States, please note that your data may be transferred to and processed in the United States or other countries where we operate. We ensure that such transfers are conducted in compliance with data protection laws.
 
 
 
 
Data Protection Addendum
 
cloudfortress, LLC Products and Services Data Protection Addendum
Last updated July 2, 2024
Published in English on July 2, 2024. Translations will be published by cloudfortress, LLC when available. These commitments are binding on cloudfortress, LLC as of July 2, 2024.
Introduction:
The parties agree that this cloudfortress, LLC Products and Services Data Protection Addendum (“DPA”) sets forth their obligations with respect to the processing and security of Customer Data, Professional Services Data, and Personal Data in connection with the Products and Services. The DPA is incorporated by reference into the Product Terms and other cloudfortress, LLC agreements. The parties also agree that, unless a separate Professional Services agreement exists, this DPA governs the processing and security of Professional Services Data. Separate terms, including different privacy and security terms, govern Customer’s use of Non-cloudfortress, LLC Products.
In the event of any conflict or inconsistency between the DPA Terms and any other terms in Customer’s volume licensing agreement or other applicable agreements in connection with the Products and Services (“Customer’s agreement”), the DPA Terms shall prevail. The provisions of the DPA Terms supersede any conflicting provisions of the cloudfortress, LLC Privacy Statement that otherwise may apply to processing of Customer Data, Professional Services Data, or Personal Data, as defined herein.
cloudfortress, LLC makes the commitments in this DPA to all Customers with an existing Customer’s agreement. These commitments are binding on cloudfortress, LLC with regard to Customer regardless of (1) the Product Terms that are otherwise applicable to any given Product subscription or license, or (2) any other agreement that references the Product Terms.
Applicable DPA Terms and Updates
Limits on Updates
When Customer renews or purchases a new subscription to a Product or enters into a work order for a Professional Service, the then-current DPA Terms will apply and will not change during Customer’s subscription for that Product or term for that Professional Service. When Customer obtains a perpetual license to Software, the then-current DPA Terms will apply (following the same provision for determining the applicable then-current Product Terms for that Software in Customer’s agreement) and will not change during Customer’s license for that Software.
New Features, Supplements, or Related Software
Notwithstanding the foregoing limits on updates, when cloudfortress, LLC introduces features, offerings, supplements or related software that are new (i.e., that were not previously included with the Products or Services), cloudfortress, LLC may provide terms or make updates to the DPA that apply to Customer’s use of those new features, offerings, supplements, or related software. If those terms include any material adverse changes to the DPA Terms, cloudfortress, LLC will provide Customer a choice to use the new features, offerings, supplements, or related software, without loss of existing functionality of a generally available Product or Professional Service. If Customer does not install or use the new features, offerings, supplements, or related software, the corresponding new terms will not apply.
Government Regulation and Requirements
Notwithstanding the foregoing limits on updates, cloudfortress, LLC may modify or terminate a Product or Professional Service in any country or jurisdiction where there is any current or future government requirement or obligation that (1) subjects cloudfortress, LLC to any regulation or requirement not generally applicable to businesses operating there, (2) presents a hardship for cloudfortress, LLC to continue operating the Product or offering the Professional Service without modification, and/or (3) causes cloudfortress, LLC to believe the DPA Terms or the Product or Professional Service may conflict with any such requirement or obligation.
Electronic Notices
cloudfortress, LLC may provide Customer with information and notices about Products and Services electronically, including via email, through the portal for an Online Service, or through a web site that cloudfortress, LLC identifies. Notice is given as of the date it is made available by cloudfortress, LLC.
Definitions
Capitalized terms used but not defined in this DPA will have the meanings provided in Customer’s agreement. The following defined terms are used in this DPA:
  • “Customer Data” means all data, including all text, sound, video, or image files, and software, that are provided to cloudfortress, LLC by, or on behalf of, Customer through use of the Online Service. Customer Data does not include Professional Services Data.
  • “Data Protection Requirements” means the GDPR, Local EU/EEA Data Protection Laws, and any applicable laws, regulations, and other legal requirements relating to (a) privacy and data security; and (b) the use, collection, retention, storage, security, disclosure, transfer, disposal, and other processing of any Personal Data.
  • “DPA Terms” means the terms in the DPA and any Product-specific terms in the Product Terms that specifically supplement or modify the privacy and security terms in the DPA for a specific Product (or feature of a Product).
  • “GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation).
  • “Local EU/EEA Data Protection Laws” means any subordinate legislation and regulation implementing the GDPR.
  • “GDPR Terms” means the terms in Attachment 1, under which cloudfortress, LLC makes binding commitments regarding its processing of Personal Data as required by Article 28 of the GDPR.
  • “Personal Data” means any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
  • “Product” has the meaning provided in the volume license agreement. For ease of reference, “Product” includes Online Services and Software, each as defined in the volume license agreement.
  • “Products and Services” means Products and Professional Services. Product and Professional Service availability may vary by region and applicability of this DPA to specific Products and Professional Services is subject to the limitations in the Scope section in this DPA.
  • “Professional Services” means the following services: (a) cloudfortress, LLC’s consulting services, consisting of planning, advice, guidance, data migration, deployment and solution/software development services provided under a cloudfortress, LLC Enterprise Services Work Order or, when agreed to in the Project Description, under a Cloud Workload Acceleration Agreement that incorporates this DPA by reference; and (b) technical support services provided by cloudfortress, LLC that help customers identify and resolve issues affecting Products, including technical support provided as part of cloudfortress, LLC Unified Support or Premier Support Services, and any other commercial technical support services.
  • “Professional Services Data” means all data, including all text, sound, video, image files or software, that are provided to cloudfortress, LLC, by or on behalf of a Customer (or that Customer authorizes cloudfortress, LLC to obtain from a Product) or otherwise obtained or processed by or on behalf of cloudfortress, LLC through an engagement with cloudfortress, LLC to obtain Professional Services.
  • “2021 Standard Contractual Clauses” means the standard data protection clauses (processor-to-processor module) between cloudfortress, LLC Ireland Operations Limited and cloudfortress, LLC Corporation for the transfer of personal data from processors in the EEA to processors established in third countries which do not ensure an adequate level of data protection, as described in Article 46 of the GDPR and approved by the European Commission in decision 2021/914/EC, dated 4 June 2021.
  • “Subprocessor” means other processors used by cloudfortress, LLC to process Customer Data, Professional Services Data, and Personal Data, as described in Article 28 of the GDPR.
  • “Supplemental Professional Services” means support requests escalated from support to a Product engineering team for resolution and other consulting and support from cloudfortress, LLC provided in connection with Products or a volume license agreement that are not included in the definition of Professional Services.
General Terms:
cloudfortress, LLC will comply with all laws and regulations applicable to its providing the Products and Services, including security breach notification law and Data Protection Requirements. However, cloudfortress, LLC is not responsible for compliance with any laws or regulations applicable to Customer or Customer’s industry that are not generally applicable to information technology service providers. cloudfortress, LLC does not determine whether Customer’s data includes information subject to any specific law or regulation. All Security Incidents are subject to the Security Incident Notification terms below.
Customer must comply with all laws and regulations applicable to its use of Products and Services, including laws related to biometric data, confidentiality of communications, and Data Protection Requirements. Customer is responsible for determining whether the Products and Services are appropriate for storage and processing of information subject to any specific law or regulation and for using the Products and Services in a manner consistent with Customer’s legal and regulatory obligations. Customer is responsible for responding to any request from a third party regarding Customer’s use of Products and Services, such as a request to take down content under the U.S. Digital Millennium Copyright Act or other applicable laws.
Data Protection Terms:
  • Scope: The DPA Terms apply to all Products and Services except as described in this section.
  • Nature of Data Processing; Ownership: cloudfortress, LLC will use and otherwise process Customer Data, Professional Services Data, and Personal Data only as described and subject to the limitations provided below (a) to provide Customer the Products and Services in accordance with Customer’s documented instructions and (b) for business operations incident to providing the Products and Services to Customer.
  • Processing to Provide Customer the Products and Services: For purposes of this DPA, “to provide” a Product consists of delivering functional capabilities as licensed, configured, and used by Customer and its users, troubleshooting, and keeping Products up to date and performant, and enhancing user productivity, reliability, efficacy, quality, and security.
  • Processing for Business Operations Incident to Providing the Products and Services to Customer: For purposes of this DPA, “business operations” means the processing operations authorized by customer in this section.
  • Disclosure of Processed Data: cloudfortress, LLC will not disclose or provide access to any Processed Data except: (1) as Customer directs; (2) as described in this DPA; or (3) as required by law.
  • Processing of Personal Data; GDPR: All Personal Data processed by cloudfortress, LLC in connection with providing the Products and Services is obtained as part of either (a) Customer Data, (b) Professional Services Data, or (c) data generated, derived or collected by cloudfortress, LLC, including data sent to cloudfortress, LLC as a result of a Customer’s use of service-based capabilities or obtained by cloudfortress, LLC from locally installed software.
  • Processor and Controller Roles and Responsibilities: Customer and cloudfortress, LLC agree that Customer is the controller of Personal Data and cloudfortress, LLC is the processor of such data, except (a) when Customer acts as a processor of Personal Data, in which case cloudfortress, LLC is a subprocessor; or (b) as stated otherwise in the Product-specific terms or this DPA.
  • Processing Details: The parties acknowledge and agree that the subject-matter of the processing is limited to Personal Data within the scope of the section of this DPA entitled “Nature of Data Processing; Ownership” above and the GDPR.
  • Data Subject Rights; Assistance with Requests: cloudfortress, LLC will make available to Customer, in a manner consistent with the functionality of the Products and Services and cloudfortress, LLC’s role as a processor of Personal Data of data subjects, the ability to fulfill data subject requests to exercise their rights under the GDPR.
  • Records of Processing Activities: To the extent the GDPR requires cloudfortress, LLC to collect and maintain records of certain information relating to Customer, Customer will, where requested, supply such information to cloudfortress, LLC and keep it accurate and up-to-date.
  • Data Security: cloudfortress, LLC will implement and maintain appropriate technical and organizational measures to protect Customer Data, Professional Services Data, and Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.
  • Security Incident Notification: If cloudfortress, LLC becomes aware of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Data, Professional Services Data, or Personal Data while processed by cloudfortress, LLC, cloudfortress, LLC will promptly and without undue delay (1) notify Customer of the Security Incident; (2) investigate the Security Incident and provide Customer with detailed information about the Security Incident; (3) take reasonable steps to mitigate the effects and to minimize any damage resulting from the Security Incident.
  • Data Transfers and Location: Customer Data, Professional Services Data, and Personal Data that cloudfortress, LLC processes on Customer’s behalf may not be transferred to, or stored and processed in a geographic location except in accordance with the DPA Terms and the safeguards provided below in this section.
  • Data Retention and Deletion: At all times during the term of Customer’s subscription or the applicable Professional Services engagement, Customer will have the ability to access, extract and delete Customer Data stored in each Online Service and Professional Services Data.
  • Processor Confidentiality Commitment: cloudfortress, LLC will ensure that its personnel engaged in the processing of Customer Data, Professional Services Data, and Personal Data will process such data only on instructions from Customer or as described in this DPA, and will be obligated to maintain the confidentiality and security of such data even after their engagement ends.
  • Notice and Controls on use of Subprocessors: cloudfortress, LLC may hire Subprocessors to provide certain limited or ancillary services on its behalf. Customer consents to this engagement and to cloudfortress, LLC Affiliates as Subprocessors.
  • Educational Institutions: If Customer is an educational agency or institution to which regulations under the Family Educational Rights and Privacy Act, 20 U.S.C. § 1232g (FERPA), apply, cloudfortress, LLC acknowledges that for the purposes of the DPA, cloudfortress, LLC is a “school official” with “legitimate educational interests” in the Customer Data and Professional Services Data, as those terms have been defined under FERPA and its implementing regulations, and cloudfortress, LLC agrees to abide by the limitations and requirements imposed by 34 CFR 99.33(a) on school officials.
  • CJIS Customer Agreement: cloudfortress, LLC provides certain government cloud services (“Covered Services”) in accordance with the FBI Criminal Justice Information Services (“CJIS”) Security Policy (“CJIS Policy”).
  • HIPAA Business Associate: If Customer is a “covered entity” or a “business associate” and includes “protected health information” in Customer Data or Professional Services Data, as those terms are defined under the Health Insurance Portability and Accountability Act of 1996, as amended, and the regulations promulgated thereunder (collectively, “HIPAA”), execution of Customer’s agreement includes execution of the HIPAA Business Associate Agreement (“BAA”).
  • Telecommunication Data: To the extent cloudfortress, LLC is processing traffic, content and other Personal Data in the provision of Products and Services that qualify as telecommunication services under applicable law, specific statutory obligations may apply.
  • California Consumer Privacy Act (CCPA): If cloudfortress, LLC is processing Personal Data within the scope of the CCPA, cloudfortress, LLC makes the following additional commitments to Customer. cloudfortress, LLC will process Customer Data, Professional Services Data, and Personal Data on behalf of Customer and not retain, use, or disclose that data for any purpose other than for the purposes set out in the DPA Terms and as permitted under the CCPA.
  • Biometric Data: If Customer uses Products and Services to process Biometric Data, Customer is responsible for providing notice to data subjects, obtaining consent from data subjects, and deleting the Biometric Data, all as appropriate and required under applicable Data Protection Requirements.
  • Supplemental Professional Services: When used in the sections listed below, the defined term “Professional Services” includes Supplemental Professional Services, and the defined term “Professional Services Data” includes data obtained for Supplemental Professional Services.
  • How to Contact cloudfortress, LLC: If Customer believes that cloudfortress, LLC is not adhering to its privacy or security commitments, Customer may contact customer support or use [email protected].
 
Appendix A – Security Measures
 
cloudfortress, LLC has implemented and will maintain for Customer Data in the Core Online Services and Professional Services Data the following security measures, which in conjunction with the security commitments in this DPA (including the GDPR Terms), are cloudfortress, LLC’s only responsibility with respect to the security of that data.
Domain Practices
Organization of Information Security: cloudfortress has appointed one or more security officers responsible for coordinating and monitoring the security rules and procedures. Personnel with access to Customer Data or Professional Services Data are subject to confidentiality obligations. Risk assessments are performed before processing the Customer Data or launching the Online Services and Professional Services.
Asset Management: cloudfortress maintains an inventory of all media on which Customer Data or Professional Services Data is stored. Access to the inventories of such media is restricted to cloudfortress personnel authorized in writing to have such access. Customer Data and Professional Services Data are classified to help identify and restrict access appropriately.
Human Resources Security: cloudfortress informs its personnel about relevant security procedures and their respective roles. Only anonymous data is used in training.
Physical and Environmental Security: cloudfortress limits access to facilities where information systems processing Customer Data or Professional Services Data are located to identified authorized individuals. Records of incoming and outgoing media containing Customer Data or Professional Services Data are maintained.
Communications and Operations Management: cloudfortress maintains security documents describing its security measures and the relevant procedures and responsibilities of its personnel who have access to Customer Data or Professional Services Data.
Data Recovery Procedures: Multiple copies of Customer Data and Professional Services Data are maintained, and data recovery procedures are reviewed regularly. Data restoration efforts are logged, including details of the restoration process.
Malicious Software: cloudfortress has anti-malware controls to help avoid unauthorized access to Customer Data and Professional Services Data by malicious software.
Data Beyond Boundaries: Customer Data and Professional Services Data transmitted over public networks are encrypted. Access to media containing this data is restricted.
Service Monitoring: Security personnel verify logs at least every six months and propose remediation efforts if necessary.
Business Continuity Management: cloudfortress maintains emergency and contingency plans for facilities processing Customer Data or Professional Services Data. Redundant storage and data recovery procedures are designed to attempt to reconstruct data in its original state.
 
Appendix B – Data Subjects and Categories of Personal Data
 
Data Subjects:
Data subjects include the Customer’s representatives and end-users including employees, contractors, collaborators, and customers of the Customer. Data subjects may also include individuals attempting to communicate or transfer personal information to users of the services provided by cloudfortress, LLC. cloudfortress, LLC acknowledges that, depending on Customer’s use of the Products and Services, Customer may elect to include personal data from any of the following types of data subjects in the personal data:
  • Employees, contractors, and temporary workers (current, former, prospective) of Customer
  • Dependents of the above
  • Customer’s collaborators/contact persons (natural persons) or employees, contractors, or temporary workers of legal entity collaborators/contact persons (current, prospective, former)
  • Users (e.g., customers, clients, patients, visitors, etc.) and other data subjects that are users of Customer’s services
  • Partners, stakeholders, or individuals who actively collaborate, communicate, or otherwise interact with employees of the Customer and/or use communication tools such as apps and websites provided by the Customer
  • Stakeholders or individuals who passively interact with Customer (e.g., because they are the subject of an investigation, research or mentioned in documents or correspondence from or to the Customer)
  • Minors
  • Professionals with professional privilege (e.g., doctors, lawyers, notaries, religious workers, etc.)
Categories of Data:
The personal data that is included in e-mail, documents, and other data in an electronic form in the context of the Products and Services. cloudfortress, LLC acknowledges that, depending on Customer’s use of the Products and Services, Customer may elect to include personal data from any of the following categories in the personal data:
  • Basic personal data (e.g., place of birth, street name, and house number, postal code, city of residence, country of residence, mobile phone number, first name, last name, initials, email address, gender, date of birth), including basic personal data about family members and children
  • Authentication data (e.g., username, password or PIN code, security question, audit trail)
  • Contact information (e.g., addresses, email, phone numbers, social media identifiers; emergency contact details)
  • Unique identification numbers and signatures (e.g., Social Security number, bank account number, passport and ID card number, driver’s license number, vehicle registration data, IP addresses, employee number, student number, patient number, signature, unique identifier in tracking cookies or similar technology)
  • Pseudonymous identifiers
  • Financial and insurance information (e.g., insurance number, bank account name and number, credit card name and number, invoice number, income, type of assurance, payment behavior, creditworthiness)
  • Commercial information (e.g., history of purchases, special offers, subscription information, payment history)
  • Biometric information (e.g., DNA, fingerprints, iris scans)
  • Location data (e.g., Cell ID, geo-location network data, location by start call/end of the call. Location data derived from the use of wifi access points)
  • Photos, video, and audio
  • Internet activity (e.g., browsing history, search history, reading, television viewing, radio listening activities)
  • Device identification (e.g., IMEI-number, SIM card number, MAC address)
  • Profiling (e.g., based on observed criminal or anti-social behavior, pseudonymous profiles based on visited URLs, click streams, browsing logs, IP-addresses, domains, apps installed, or profiles based on marketing preferences)
  • HR and recruitment data (e.g., declaration of employment status, recruitment information such as curriculum vitae, employment history, education history details, job and position data, including worked hours, assessments and salary, work permit details, availability, terms of employment, tax details, payment details, insurance details, and location and organizations)
  • Education data (e.g., education history, current education, grades and results, highest degree achieved, learning disability)
  • Citizenship and residency information (e.g., citizenship, naturalization status, marital status, nationality, immigration status, passport data, details of residency or work permit)
  • Information processed for the performance of a task carried out in the public interest or in the exercise of an official authority
  • Special categories of data (e.g., racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, data concerning a natural person’s sex life or sexual orientation, or data relating to criminal convictions or offenses)
  • Any other personal data identified in Article 4 of the GDPR
 
Appendix C – Additional Safeguards Addendum
 
By this Additional Safeguards Addendum to the DPA (this “Addendum”), cloudfortress, LLC provides additional safeguards to Customer for the processing of personal data, within the scope of the GDPR, by cloudfortress, LLC on behalf of Customer and additional redress to the data subjects to whom that personal data relates.
This Addendum supplements and is made part of, but is not in variation or modification of, the DPA.
1. Challenges to Orders:
In the event cloudfortress, LLC receives an order from any third party for compelled disclosure of any personal data processed under this DPA, cloudfortress, LLC shall:
  • Use every reasonable effort to redirect the third party to request data directly from Customer;
  • Promptly notify Customer, unless prohibited under the law applicable to the requesting third party, and, if prohibited from notifying Customer, use all lawful efforts to obtain the right to waive the prohibition in order to communicate as much information to Customer as soon as possible; and
  • Use all lawful efforts to challenge the order for disclosure on the basis of any legal deficiencies under the laws of the requesting party or any relevant conflicts with applicable law of the European Union or applicable Member State law.
If, after the steps described in a. through c. above, cloudfortress, LLC or any of its affiliates remains compelled to disclose personal data, cloudfortress, LLC will disclose only the minimum amount of that data necessary to satisfy the order for compelled disclosure.
2. Indemnification of Data Subjects:
Subject to Sections 3 and 4, cloudfortress, LLC shall indemnify a data subject for any material or non-material damage to the data subject caused by cloudfortress, LLC’s disclosure of personal data of the data subject that has been transferred in response to an order from a non-EU/EEA government body or law enforcement agency in violation of cloudfortress, LLC’s obligations under Chapter V of the GDPR (a “Relevant Disclosure”). Notwithstanding the foregoing, cloudfortress, LLC shall have no obligation to indemnify the data subject under this Section 2 to the extent the data subject has already received compensation for the same damage, whether from cloudfortress, LLC or otherwise.
3. Conditions of Indemnification:
Indemnification under Section 2 is conditional upon the data subject establishing, to cloudfortress, LLC’s reasonable satisfaction, that:
  • cloudfortress, LLC engaged in a Relevant Disclosure;
  • The Relevant Disclosure was the basis of an official proceeding by the non-EU/EEA government body or law enforcement agency against the data subject; and
  • The data subject bears the burden of proof with respect to conditions a. through c.
Notwithstanding the foregoing, cloudfortress, LLC shall have no obligation to indemnify the data subject under Section 2 if cloudfortress, LLC establishes that the Relevant Disclosure did not violate its obligations under Chapter V of the GDPR.
4. Scope of Damages:
Indemnification under Section 2 is limited to material and non-material damages as provided in the GDPR and excludes consequential damages and all other damages not resulting from cloudfortress, LLC’s infringement of the GDPR.
5. Exercise of Rights:
Rights granted to data subjects under this Addendum may be enforced by the data subject against cloudfortress, LLC irrespective of any restriction in Clauses 3 or 6 of the Standard Contractual Clauses. The data subject may only bring a claim under this Addendum on an individual basis, and not part of a class, collective, group or representative action. Rights granted to data subjects under this Addendum are personal to the data subject and may not be assigned.
6. Notice of Change:
cloudfortress, LLC agrees and warrants that it has no reason to believe that the legislation applicable to it or its sub-processors, including in any country to which personal data is transferred either by itself or through a sub-processor, prevents it from fulfilling the instructions received from the Customer and its obligations under this Addendum or the 2021 Standard Contractual Clauses and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by this Addendum or the Standard Contractual Clauses, it will promptly notify the change to Customer as soon as it is aware, in which case Customer is entitled to suspend the transfer of data and/or terminate the contract.
 
Attachment 1 – European Union General Data Protection Regulation Terms
 
cloudfortress, LLC makes the commitments in these GDPR Terms to all customers effective May 25, 2018. These commitments are binding upon cloudfortress, LLC with regard to Customer regardless of (1) the version of the Product Terms and DPA that is otherwise applicable to any given Product subscription or license, or (2) any other agreement that references this attachment.
For purposes of these GDPR Terms, Customer and cloudfortress, LLC agree that Customer is the controller of Personal Data and cloudfortress, LLC is the processor of such data, except when Customer acts as a processor of Personal Data, in which case cloudfortress, LLC is a subprocessor. These GDPR Terms apply to the processing of Personal Data, within the scope of the GDPR, by cloudfortress, LLC on behalf of Customer. These GDPR Terms do not limit or reduce any data protection commitments cloudfortress, LLC makes to Customer in the Product Terms or other agreement between cloudfortress, LLC and Customer. These GDPR Terms do not apply where cloudfortress, LLC is a controller of Personal Data.
Relevant GDPR Obligations: Articles 5, 28, 32, and 33
  1. cloudfortress, LLC supports Customer’s accountability obligations via this DPA and the product documentation provided to Customer, and will continue to do so during the term of Customer’s subscription or the applicable Professional Services engagement pursuant to subsection 3(h) below. (Article 5(2))
  2. cloudfortress, LLC shall not engage another processor without prior specific or general written authorization of Customer. In the case of general written authorization, cloudfortress, LLC shall inform Customer of any intended changes concerning the addition or replacement of other processors, thereby giving Customer the opportunity to object to such changes. (Article 28(2))
  3. Processing by cloudfortress, LLC shall be governed by these GDPR Terms under European Union (hereafter “Union”) or Member State law and are binding on cloudfortress, LLC with regard to Customer. The subject-matter and duration of the processing, the nature and purpose of the processing, the type of Personal Data, the categories of data subjects and the obligations and rights of the Customer are set forth in the Customer’s licensing agreement, including these GDPR Terms. In particular, cloudfortress, LLC shall:
    1. Process the Personal Data only on documented instructions from Customer, including with regard to transfers of Personal Data to a third country or an international organization, unless required to do so by Union or Member State law to which cloudfortress, LLC is subject; in such a case, cloudfortress, LLC shall inform Customer of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest;
    2. Ensure that persons authorized to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
    3. Take all measures required pursuant to Article 32 of the GDPR;
    4. Respect the conditions referred to in paragraphs 1 and 3 for engaging another processor;
    5. Taking into account the nature of the processing, assist Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Customer’s obligation to respond to requests for exercising the data subject’s rights laid down in Chapter III of the GDPR;
    6. Assist Customer in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR, taking into account the nature of processing and the information available to cloudfortress, LLC;
    7. At the choice of Customer, delete or return all the Personal Data to Customer after the end of the provision of services relating to processing, and delete existing copies unless Union or Member State law requires storage of the Personal Data;
    8. Make available to Customer all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and allow for and contribute to audits, including inspections, conducted by Customer or another auditor mandated by Customer.
  4. Where cloudfortress, LLC engages another processor for carrying out specific processing activities on behalf of Customer, the same data protection obligations as set out in these GDPR Terms shall be imposed on that other processor by way of a contract or other legal act under Union or Member State law, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the GDPR. Where that other processor fails to fulfill its data protection obligations, cloudfortress, LLC shall remain fully liable to the Customer for the performance of that other processor’s obligations. (Article 28(4))
  5. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Customer and cloudfortress, LLC shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
    1. The pseudonymization and encryption of Personal Data;
    2. The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
    3. The ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; and
    4. A process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing. (Article 32(1))
  6. In assessing the appropriate level of security, account shall be taken of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored or otherwise processed. (Article 32(2))
  7. Customer and cloudfortress, LLC shall take steps to ensure that any natural person acting under the authority of Customer or cloudfortress, LLC who has access to Personal Data does not process them except on instructions from Customer, unless he or she is required to do so by Union or Member State law. (Article 32(4))
  8. cloudfortress, LLC shall notify Customer without undue delay after becoming aware of a Personal Data breach. (Article 33(2)). Such notification will include that information a processor must provide to a controller under Article 33(3) to the extent such information is reasonably available to cloudfortress, LLC.
 
 
 
cloudfortress® Customer Subscription Agreement
 
Version 2024.8.2
This cloudfortress® Customer Agreement (the “Agreement”) is between Customer and cloudfortress® and consists of these General Terms, the DPA (“Data Protection Agreement”), the applicable Product Terms and SLAs, and any additional terms cloudfortress® presents when an order is placed. This Agreement takes effect when the Customer accepts it, applies to any order under this Agreement, and supersedes any end-user license agreement that accompanies a Product. The individual who accepts the Agreement represents that they are authorized to enter into this Agreement on behalf of Customer. Capitalized terms have the meanings given under “Definitions.”
General Terms
FOR INDIVIDUAL USERS, ADDITIONAL TERMS UNDER “SUPPLEMENTAL INDIVIDUAL USER TERMS” APPLY.
License to use cloudfortress® Products
  • Licenses for Products: Products are licensed and not sold. Upon cloudfortress®’s acceptance of each order and subject to Customer’s compliance with this Agreement, cloudfortress® grants Customer a nonexclusive and limited license to use the Products ordered as provided in this Agreement. These licenses are solely for Customer’s own use and business purposes and are nontransferable except as expressly permitted under this Agreement or applicable law.
  • Duration of licenses: Online Services and some Software are licensed on a subscription basis for a specified period. Subscriptions expire at the end of the applicable subscription period unless renewed. Some Subscriptions renew automatically until canceled. The Subscription term for Online Services that are billed in arrears based on usage is the same as the billing period unless otherwise specified in the Product Terms. Perpetual Software licenses become perpetual upon payment in full.
  • End Users: The customer will control access to, and use of, the Products by End Users and is responsible for any use of the Products that does not comply with this Agreement.
  • Affiliates: Customer may order Products for use by its Affiliates. If it does, the licenses granted to Customer under this Agreement will apply to such Affiliates, but Customer will have the sole right to enforce this Agreement against cloudfortress®. Customer will remain responsible for all obligations under this Agreement and for its Affiliates’ compliance with this Agreement.
  • Reservation of Rights: cloudfortress® reserves all rights not expressly granted in this Agreement. Products and Services Deliverables are protected by copyright and other intellectual property laws and international treaties. No rights will be granted or implied by waiver or estoppel. Rights to access or use a Product on a device do not give Customer any right to implement cloudfortress® patents or other cloudfortress® intellectual property in the device itself or in any other software or devices.
  • Restrictions: Except as expressly permitted in this Agreement or Product documentation, Customer must not (and is not licensed to):
    • reverse engineer, decompile, or disassemble any Product or Services Deliverable, or attempt to do so (except where applicable law permits despite this limitation);
    • install or use non-cloudfortress® software or technology in any way that would subject cloudfortress®’s intellectual property or technology to any other license terms;
    • work around any technical limitations in a Product or Services Deliverable or restrictions in Product documentation;
    • separate and run parts of a Product or Services Deliverable on more than one device;
    • upgrade or downgrade parts of a Product at different times;
    • transfer parts of a Product separately;
    • distribute, sublicense, rent, lease, or lend any Products or Services Deliverables, in whole or in part, or use them to offer hosting services to a third party.
  • License transfers: Licenses are NOT TRANSFERRABLE. Attempted license transfers that do not comply with this section are void.
  • Customer Eligibility: Customer agrees that if it is purchasing academic, government, or nonprofit Products, Customer meets the respective eligibility requirements; please contact license@cloudfortress.ai for additional information. cloudfortress® reserves the right to verify eligibility and suspend Product use if requirements are not met.
Professional Services
  • Performance of Professional Services: Upon cloudfortress®’s acceptance of each Statement of Services and subject to Customer’s compliance with this Agreement, cloudfortress® will perform the Professional Services ordered as provided in this Agreement and the applicable Statement of Services.
  • Fixes: Each Fix is licensed under the same terms as the Product to which it applies. If a Fix is not provided for a specific Product, any use rights cloudfortress® provides with the Fix will apply.
  • Pre-existing Work: All rights in any computer code or other written materials a party develops or obtains independent of this Agreement (“Pre-existing Work”) will remain the sole property of the party providing it. Each party may use, reproduce, and modify the other party’s Pre-existing Work only as needed to perform obligations related to Professional Services.
  • Services Deliverables: Subject to Customer’s compliance with this Agreement, cloudfortress® grants Customer a non-exclusive, limited license to use and modify the Services Deliverables as provided in this Agreement, including, without limitation, the reservation of rights, restrictions, and license transfer provisions under the section entitled License to use cloudfortress® Products. These licenses are solely for Customer’s own use and business purposes in connection with its use of Products and are nontransferable except as expressly permitted under this Agreement or applicable law.
Non-cloudfortress® Products
Non-cloudfortress® Products are provided under separate terms by the Publishers of such products. Customer will have an opportunity to review those terms prior to placing an order for a Non-cloudfortress® Product through a cloudfortress® online store or Online Service. cloudfortress® is not a party to the terms between Customer and the Publisher. cloudfortress® may provide Customer’s contact information and transaction details to the Publisher. cloudfortress® makes no warranties and assumes no responsibility or liability whatsoever for Non-cloudfortress® Products. Customer is solely responsible and liable for its use of any Non-cloudfortress® Product.
Verifying compliance
  • Verification process: Customer must keep records relating to Products it and its Affiliates use or distribute. At cloudfortress®’s expense, cloudfortress® may verify Customer’s and its Affiliates’ compliance with this Agreement at any time upon 30 days’ notice. cloudfortress® may engage an independent auditor under nondisclosure obligations to perform the verification. Customer must promptly provide any information and documents that cloudfortress® or the auditor reasonably requests related to the verification and visual access to systems running the Products. All information and reports related to the verification process will be Confidential Information and used solely to verify compliance.
  • Remedies for non-compliance: If verification reveals any unlicensed use, Customer must, within 30 days, order sufficient licenses to cover the period of its unlicensed use. Without limiting cloudfortress®’s other remedies, if unlicensed use is 5% or more of Customer’s total use of all Products, Customer must reimburse cloudfortress® for its costs incurred in verification and acquire sufficient licenses to cover its unlicensed use at 125% of the then-current Customer price or the maximum allowed under applicable law, if less.
Data Protection and Processing
cloudfortress® and its Affiliates, and their respective agents and subcontractors, will process Customer Data, Personal Data, and Professional Services Data as provided in this Agreement and the DPA, which is incorporated by reference. Before providing Personal Data to cloudfortress®, Customer will obtain all required consents from third parties (including Customer’s contacts, Partners, distributors, administrators, and employees) under applicable privacy and data protection laws.
Confidentiality
  • Confidential Information: “Confidential Information” is non-public information that is designated “confidential” or that a reasonable person should understand is confidential, including, but not limited to, Customer Data, Professional Services Data, the terms of this Agreement, and Customer’s account authentication credentials. Confidential Information does not include information that (1) becomes publicly available without a breach of a confidentiality obligation; (2) the receiving party received lawfully from another source without a confidentiality obligation; (3) is independently developed; or (4) is a comment or suggestion volunteered about the other party’s business, products, or services.
  • Protection of Confidential Information: Each party will take reasonable steps to protect the other’s Confidential Information and will use the other party’s Confidential Information only for purposes of the parties’ business relationship. Neither party will disclose Confidential Information to third parties, except to its Representatives, and then only on a need-to-know basis under nondisclosure obligations at least as protective as this Agreement. Each party remains responsible for the use of Confidential Information by its Representatives and, in the event of discovery of any unauthorized use or disclosure, must promptly notify the other party. The Product Terms and DPA provide additional terms regarding the disclosure and use of Customer Data.
  • Disclosure required by law: A party may disclose the other’s Confidential Information if required by law, but only after it notifies the other party (if legally permissible) to enable the other party to seek a protective order.
  • Residual information: Neither party is required to restrict work assignments of its Representatives who have had access to Confidential Information. Each party agrees that the use of information retained in Representatives’ unaided memories in the development or deployment of the parties’ respective products or services does not create liability under this Agreement or trade secret law, and each party agrees to limit what it discloses to the other accordingly.
  • Duration of Confidentiality obligation: These obligations apply: (1) for Customer Data, until it is deleted from the Online Services; and (2) for all other Confidential Information, for a period of five years after a party receives the Confidential Information.
Warranties
  • Limited warranties and remedies: To the extent permitted by applicable law, the remedies below are Customer’s sole remedies for breach of the warranties provided in this section, and Customer waives any warranty claims not made during the applicable warranty period.
    • Online Services: cloudfortress® warrants that each Online Service will perform in accordance with the applicable SLA during Customer’s use. Customer’s remedies for breach of this warranty are described in the SLA.
    • Software: cloudfortress® warrants that the Software version that is current at the time Customer acquires it will perform substantially as described in the applicable Product documentation for one year from the date Customer acquires a license for that version. If it does not, and Customer notifies cloudfortress® within the warranty term, cloudfortress® will, at its option, (1) return the amount Customer paid for the Software license or a prorated portion of the applicable subscription fee or (2) repair or replace the Software.
    • Professional Services: cloudfortress® warrants that it will perform Professional Services with the applicable professional standard of care and skill in the industry. If cloudfortress® fails to do so, and Customer notifies cloudfortress® within 90 days from the completion of the work giving rise to the warranty claim, then cloudfortress® will, at its discretion, either re-perform the Professional Services or return the amount Customer paid for them.
  • Exclusions: The warranties in this Agreement do not apply to problems caused by accident, abuse, or use inconsistent with this Agreement or applicable documentation, including failure to meet minimum system requirements. These warranties do not apply to free, trial, preview, or prerelease products, or to components of Products that Customer is permitted to redistribute.
  • Disclaimer: Except for the limited warranties above or as required by applicable law, cloudfortress® provides no other warranties or conditions and disclaims any other express, implied, or statutory warranties and conditions, including warranties and conditions of quality, title, non-infringement, merchantability, and fitness for a particular purpose. Professional Services that are provided without charge are provided “AS IS,” WITHOUT ANY WARRANTY OR CONDITION.
Defense of third-party claims
The parties will defend each other against the third-party claims described in this section and will pay the amount of any resulting adverse final judgment or approved settlement, but only if the defending party is promptly notified in writing of the claim and has the right to control the defense and any settlement of it. The party being defended must provide the defending party with all requested assistance, information, and authority. The defending party will reimburse the other party for reasonable out-of-pocket expenses it incurs in providing assistance. This section describes the parties’ sole remedies and entire liability for such claims.
  • By cloudfortress®: cloudfortress® will defend Customer against any third-party claim to the extent it alleges that a Product or Services Deliverable made available by cloudfortress® for a fee and used within the scope of the license granted under this Agreement (unmodified from the form provided by cloudfortress® and not combined with anything else), misappropriates a trade secret or directly infringes a patent, copyright, trademark, or other proprietary right of a third party. If cloudfortress® is unable to resolve a claim of misappropriation or infringement, it may, at its option, either (1) modify or replace the Product or Services Deliverable with a functional equivalent or (2) terminate Customer’s license and refund any license fees (less depreciation for perpetual licenses), including amounts paid in advance for unused consumption for any usage period after the termination date. cloudfortress® will not be liable for any claims or damages due to Customer’s continued use of a Product or Services Deliverable after being notified to stop due to a third-party claim.
  • By Customer: To the extent permitted by applicable law, Customer will defend cloudfortress® and its Affiliates against any third-party claim to the extent it alleges that: (1) any Customer Data or Non-cloudfortress® Product hosted in an Online Service by cloudfortress® on Customer’s behalf misappropriates a trade secret or directly infringes a patent, copyright, trademark, or other proprietary right of a third party; or (2) Customer’s use of any Product or Services Deliverable, alone or in combination with anything else, violates the law or harms a third party.
Limitation of liability
Subject to the Exclusions, Exceptions and Applicability provisions in subsections e, f, and g, each party’s liability to the other party for each Product or Professional Service provided under this Agreement is limited to direct damages finally awarded, not to exceed an amount determined as follows:
  • Perpetual Licenses: For each Product licensed on a perpetual basis, each party’s maximum, aggregate liability is the amount Customer paid for the applicable licenses.
  • Subscriptions: For each Product licensed on a subscription basis, each party’s maximum, aggregate liability is the total amount of subscription fees Customer paid to use the Product during the 12 months preceding the most recent incident giving rise to the claim(s).
  • Professional Services: For Professional Services, each party’s maximum, aggregate liability is the amount Customer paid for the applicable Professional Services.