Data Processing Agreement

QUIC.cloud Data Processing Agreement

 

Last Updated: April 09, 2024

Valid From: May 10, 2024

 

QUIC Cloud Inc (“QUIC.cloud”, or the “Company”) and the counterparty, herein referred to as the “Customer”, acknowledge their mutual understanding and agreement. The parties confirm that they have entered into a Service Agreement (also referred to as the “Main Agreement”), and this Data Processing Agreement (“DPA”) is an integral component of the aforementioned Main Agreement. By accepting the terms of the Main Agreement, the Customer also accepts the stipulations contained within this DPA. Both documents shall be binding upon the parties in conjunction.

The DPA and the Main Agreement are interdependent and cannot be terminated separately. However, the DPA may be replaced with another valid Data Processing Agreement without terminating the Main Agreement.

 

Definitions

“Personal Data” means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, phone number, email address, an ID number, location data, etc.

“Controller” means a natural or legal person which, alone or jointly with others, determines the purposes and means of the processing of Personal Data.

“Processor” means a natural or legal person which processes Personal Data on behalf of the Controller.

“European Data” means Personal Data that is subject to the protection of European Data Protection Laws, including data originating from individuals who are in the European Economic Area (EEA).

“California Personal Data” means Personal Data that is subject to the protection of California privacy laws, such as the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), pertaining to residents of the State of California.

“Customer Data” means all information and materials provided by or on behalf of the Customer, including Personal Data.

“European Data Protection Laws” means all laws and regulations of the European Union, the European Economic Area, and their member states, applicable to the processing of Personal Data under the DPA, including the General Data Protection Regulation (GDPR).

“Data Protection Legislation” means all applicable privacy and data protection laws and regulations as may be amended or superseded from time to time.

“Data Subject” means the identified or identifiable person to whom Personal Data relates.

“Personal Data Breach” means a security incident that results in unauthorized access, disclosure, alteration, loss, or destruction of Personal Data.

“Partners” means any third-party companies, such as server providers and network partners, that the Company may engage with at its sole discretion and which may change over time.

“Module Two” and “Module Three” mean, respectively, the part of the Standard Contractual Clauses for data transfers from an EU data controller to a non-EU data processor (Module Two), and from an EU data processor to a non-EU data processor (Module Three).

“Services” means the services provided by QUIC.cloud to the Customer, including but not limited to, services such as content delivery network (CDN), WordPress optimization services, general support, and troubleshooting.

“Sub-Processor” means a third-party data processor engaged by a Processor who has or will have access to or process personal data from a Controller.

“Standard Contractual Clauses” means legal terms approved by the European Commission to ensure adequate data protection in cross-border data transfers.

 

1. Processing of Personal Data

QUIC.cloud is only to carry out the Services, and only to process the Personal Data received from the Customer:

  • for the purposes of those Services and not for any other purpose;
  • to the extent and in such a manner as is necessary for those purposes; and
  • strictly in accordance with the express written authorization and instructions of the Customer.

The Customer shall retain control of the Personal Data and shall remain responsible for its compliance obligations under the Data Protection Legislation including, but not limited to, providing the required notices and obtaining any required consents, and for any and all processing instructions it gives to QUIC.cloud.

2. Customer Obligations

The Customer acknowledges that the Main Agreement, including this DPA, represents their comprehensive instructions for the processing of Personal Data. This understanding is based on their use of the Services in alignment with the Main Agreement. However, the Customer retains the right to issue supplementary instructions during the term of the Main Agreement, provided these are in line with the Agreement and are consistent with the lawful and intended use of the Services.

All supplementary instructions given by the Customer to QUIC.cloud shall be made in writing and shall at all times be in compliance with the Data Protection Legislation and other applicable laws. QUIC.cloud shall act only on written instructions from the Customer unless QUIC.cloud is required by law to do otherwise.

The Customer acknowledges and agrees to be solely responsible for: (i) the accuracy, quality, legality of Customer Data and the method of acquiring Personal Data; (ii) adhering to all transparency and lawfulness requirements under applicable Data Protection Legislation for collecting and using Personal Data, including obtaining necessary consents for marketing; (iii) having the right to transfer or provide Personal Data to the Company for processing as per the Main Agreement (including this DPA); (iv) ensuring that instructions to the Company regarding Personal Data processing are legally compliant; (v) adhering to all relevant laws, including applicable Data Protection Legislation, in relation to email content and practices, and obtaining required consents for email communication. The Customer must promptly inform the Company if it is unable to meet these responsibilities under any applicable Data Protection Legislation.

The Customer must independently evaluate if the data security measures implemented in the Services provided by QUIC.cloud sufficiently fulfill their obligations under relevant Data Protection Legislation. Additionally, the Customer is accountable for securely using the Services, which includes safeguarding the security of Personal Data during its transmission to and from the Services.

3. QUIC.cloud Obligations

QUIC.cloud will process Personal Data only for the purposes outlined in this DPA or as mutually agreed upon within the bounds of the Customer’s lawful instructions, except when and to the extent required by applicable law. QUIC.cloud is not liable for compliance with any Data Protection Legislation specifically applicable to the Customer or the Customer’s industry that does not generally apply to QUIC.cloud.

QUIC.cloud shall promptly comply with any request from the Customer requiring it to amend, transfer, delete, or otherwise dispose of the Personal Data, or to cease, mitigate, or remedy any authorized processing. Furthermore, it shall transfer all Personal Data to the Customer on the Customer’s request in the formats, at the times, and in compliance with the Customer’s written instructions.

If the Company becomes aware that it cannot process Personal Data following the Customer’s instructions due to a legal requirement under any applicable law, it will (i) promptly inform the Customer of that legal requirement when allowed by the applicable law; and (ii) if necessary, stop all processing activities (except for storing and maintaining the security of the affected Personal Data) until the Customer provides new instructions that QUIC.cloud can comply with. If this clause is triggered, the Company will not be held liable to the Customer under the Agreement for any failure to perform the relevant Services until the Customer issues new lawful instructions regarding the Processing.

The Company hereby warrants, represents, and undertakes that all of its personnel (including, but not limited to, its employees, agents, and sub-contractors) that will access the Personal Data are reliable, trustworthy, and are subject to appropriate confidentiality obligations (whether a contractual or statutory duty).

QUIC.cloud will implement and maintain suitable technical and organizational measures to safeguard Personal Data against Personal Data Breaches, as outlined in Annex 2 to this DPA (“Security Measures”). Despite any contrary provisions, QUIC.cloud may alter or update the Security Measures at its discretion, ensuring that such changes do not lead to a significant reduction in the level of protection provided by the Security Measures.

QUIC.cloud will inform the Customer promptly upon becoming aware of any Personal Data Breach. Additionally, QUIC.cloud will provide relevant information about the Personal Data Breach as it becomes available or as reasonably requested by the Customer. Upon the Customer’s request, QUIC.cloud will offer necessary assistance promptly to facilitate the Customer’s notification of relevant Personal Data Breaches to appropriate authorities and/or affected Data Subjects, in accordance with requirements under relevant Data Protection Legislation.

The Company commits to providing the Customer with all reasonably necessary information to prove compliance with this DPA. Additionally, QUIC.cloud will facilitate and support audits, including inspections by the Customer or their designated auditor. This is to ensure adherence to the obligations under this DPA, in accordance with applicable legal requirements. Additionally, upon receiving a written request from the Customer, the Company will supply written replies, treated confidentially, to all reasonable inquiries made by the Customer. These inquiries are aimed at verifying QUIC.cloud’s adherence to this DPA. The Customer may exercise this right once per calendar year, unless there are justifiable reasons to believe that there has been non-compliance with the DPA, in which case the Customer may make further inquiries.

4. Deletion of Personal Data

Upon the termination or expiration of the Services, QUIC.cloud will either delete or return all Customer Data, including Personal Data and its copies, processed under this DPA, unless legally required to retain it. This exclusion also applies to Customer Data archived in our back-up systems, which QUIC.cloud will securely isolate, prevent from any further processing, and delete according to our deletion protocols. The Customer may request to delete their customer account after the subscription ends by contacting info@QUIC.cloud.

QUIC.cloud advises the Customer to retrieve their Customer Data before their subscription concludes. For guidance on this process, the Customer can contact info@QUIC.cloud. QUIC.cloud will offer reasonable assistance in this regard, with the cost to be borne by the Customer.

5. Data Subject Requests

QUIC.cloud offers the Customer various tools to access, amend, erase, or limit Personal Data, aiding in compliance with Data Protection Legislation, including obligations related to fulfilling Data Subject Requests under applicable Data Protection Legislation.

Should the Customer be unable to independently handle a Data Subject Request using the Services, QUIC.cloud will, upon receiving a written request from the Customer, provide reasonable assistance in responding to Data Subject Requests or inquiries from data protection authorities concerning Personal Data Processing under this Agreement. The Customer will cover the commercially reasonable costs incurred by QUIC.cloud for this assistance.

In cases where QUIC.cloud receives a Data Subject Request or communication related to Personal Data processing under this Agreement directly from a Data Subject, it will promptly notify the Customer and direct the Data Subject to address their request to the Customer. The Customer will bear sole responsibility for substantively addressing such Data Subject Requests or communications involving Personal Data.

6. Cross-Border Transfers of Personal Data

The Customer understands and consents that QUIC.cloud may access and process Personal Data globally as needed to deliver the Services in line with the Main Agreement. Specifically, Personal Data may be transferred to and processed by QUIC.cloud in the United States and in other regions where its Partners and Sub-Processors operate. 

In cases where Personal Data is transferred internationally, including to the United States, QUIC.cloud and the Customer will ensure these transfers comply with Data Protection Legislation. This includes taking appropriate safeguards for data protection, such as implementing Standard Contractual Clauses or equivalent measures, to ensure the security and confidentiality of Personal Data, regardless of the location where it is processed or stored.

7. Engagement of Sub-Processors

QUIC.cloud reserves the right to engage sub-processors for various functions, including but not limited to hosting and infrastructure services, as well as customer support and service delivery. The current list of sub-processors is detailed in Annex 3 of this DPA, subject to periodic updates. In the event of the introduction of a new Sub-Processor, the Customer will be notified as soon as practical, and the Customer will have the right to object to any such Sub-Processor within a five (5) day period. 

Upon receiving such an objection, QUIC.cloud and the Customer will engage in a constructive dialogue to address the Customer’s concerns with the aim of finding a mutually agreeable solution. If a satisfactory resolution is not achieved, QUIC.cloud may, at its discretion, choose not to appoint the new Sub-Processor. Alternatively, QUIC.cloud may allow the Customer to either suspend or terminate the Services. This decision will incur no liability to either party, though it does not affect any fees already incurred by the Customer up to the point of suspension or termination.

Furthermore, QUIC.cloud enforces stringent obligations on its Sub-Processors to ensure compliance with this DPA. QUIC.cloud remains accountable for any breach of this DPA by its Sub-Processors, ensuring that the protection and integrity of the Customer’s data is maintained at all times.

8. Severability

Should any provision of this DPA between the Customer and QUIC.cloud be deemed invalid, illegal, or unenforceable by a court of competent jurisdiction, the validity, legality, and enforceability of the remaining provisions shall not in any way be affected or impaired thereby. In such an event, the parties agree to replace the invalid, illegal, or unenforceable provision with a valid, legal, and enforceable provision that most closely achieves the original intent and economic effect of the invalid, illegal, or unenforceable provision.

9. Amendments

Any amendments or modifications to this DPA must be made in writing and must be mutually agreed upon by both the Customer and QUIC.cloud. No amendment or modification shall be effective unless it is in writing and signed by duly authorized representatives of both parties.

10. Governing Law and Jurisdiction

Any claim or dispute arising from or in connection with this DPA must be settled by a competent court of the first instance in the same jurisdiction and with the same choice of law as stated in the Main Agreement.

11. Supplementary Provisions for European Data

In the course of processing European Data following the Customer’s instructions, it is acknowledged and agreed that the Customer serves as the Controller (whether directly as the Controller or as a Processor on behalf of another Controller) of European Data, while QUIC.cloud assumes the role of a Processor under the terms of the Agreement.

Data Transfers: QUIC.cloud commits to not transferring European Data to any country or entity that is not acknowledged as offering a sufficient degree of protection for Personal Data, as defined by the European Data Protection Laws. Before any such transfer, QUIC.cloud will ensure compliance with these laws by adopting necessary measures. These measures might include, but are not limited to: (i) transferring the data to an entity that falls under a recognized and suitable framework or other legal transfer mechanism deemed adequate by relevant authorities or courts; (ii) transferring the data to an entity that has obtained authorization for binding corporate rules in line with European Data Protection Laws; or (iii) transferring the data to an entity that has agreed to the Standard Contractual Clauses as established or sanctioned under the applicable European Data Protection Laws.

The Customer recognizes that as part of delivering the Services, QUIC.cloud in the United States is a recipient of European Data. Whenever QUIC.cloud processes European Data within the United States, it commits to adhering to the following: 

(a) Standard Contractual Clauses

In accordance with European Data Protection Laws the Standard Contractual Clauses will be incorporated by reference and form part of the Agreement as follows:

  1. The Customer is identified as the “data exporter” and QUIC Cloud Inc. as the “data importer.”
  2. Module Two terms apply when the Customer is a Controller of European Data, and Module Three terms when the Customer is a Processor of European Data.
  3. The optional docking clause is included in Clause 7.
  4. In Clause 9, Option 2 is selected, and updates about Sub-Processors will be communicated as outlined in the “Engagement of Sub-Processors” section of this DPA.
  5. The optional language in Clause 11 is removed.
  6. For Clauses 17 and 18, the governing law and dispute resolution forum for the Standard Contractual Clauses will follow the “Governing Law and Jurisdiction” section of this DPA, or default to the Republic of Ireland, excluding conflict of laws principles, if the section is not specific.
  7. The Annexes of the Standard Contractual Clauses are completed with the information from the Annexes of this DPA.
  8. The competent supervisory authority will be determined in accordance with GDPR.
  9. If there’s a conflict between the Standard Contractual Clauses and any part of this DPA, the Standard Contractual Clauses will prevail to the extent of the conflict.

By adhering to the responsibilities outlined in the “Engagement of Sub-Processors” segment of this DPA, QUIC.cloud acknowledges that it fulfills its commitments as defined in Section 9 of the Standard Contractual Clauses. In reference to Clause 9(c) of the Standard Contractual Clauses, QUIC.cloud recognizes that there may be constraints on its ability to disclose Sub-Processor agreements. Nevertheless, QUIC.cloud will make reasonable efforts to ensure that any appointed Sub-Processor allows for the disclosure of the Sub-Processor agreement to QUIC.cloud and will provide all feasible information on a confidential basis. The Customer also affirms its understanding and consent to exercise its audit rights in accordance with Clause 8.9 of the Standard Contractual Clauses by instructing QUIC.cloud to comply with the measures detailed in the relevant section of this DPA. QUIC.cloud shall not have any obligation to disclose any information about its Partners as this information is treated as a business secret and is protected under applicable intellectual property laws. 

(b) Alternative Transfer Mechanisms

Should the need arise for QUIC.cloud to implement an alternative data transfer method for European Data, distinct from or in addition to the previously mentioned mechanisms, the said alternative transfer method will be automatically enforced in lieu of the mechanisms delineated within this DPA. This transition will occur provided that the alternative transfer method aligns with the requirements of European Data Protection Laws. Furthermore, QUIC.cloud commits to undertaking any reasonable measures or executing necessary documents to legally endorse the implementation of the aforementioned alternative transfer mechanism.

12. Supplementary Provisions for California Personal Data

When processing California Personal Data as per the instructions of the Customer, the parties mutually acknowledge and consent that the Customer assumes the role of a Business (as defined under the CCPA), while QUIC.cloud acts as a Service Provider (as defined under the CCPA) for the CCPA/CPRA’s intended purposes.

QUIC.cloud certifies that it will Process California Personal Data exclusively as a Service Provider, with the sole objective of fulfilling the Services stipulated in the Main Agreement (referred to as the “Business Purpose”), or as otherwise allowed by the CCPA/CPRA, in accordance with our Privacy Policy.

Furthermore, QUIC.cloud certifies that:

(i) It will refrain from Selling or Sharing California Personal Data.

(ii) It will not Process California Personal Data beyond the direct business relationship between the parties, except when compelled by applicable law.

(iii) It will not merge the California Personal Data contained within Customer Data with personal information obtained from any other source, except for information acquired from another source in connection with its duties as a Service Provider under the Agreement.

The Customer retains the right to implement reasonable and suitable measures to ensure that QUIC.cloud utilizes California Personal Data in alignment with its responsibilities under the CCPA/CPRA. Upon notification, the Customer has the authority to initiate reasonable and suitable actions, as stipulated in the DPA, to halt and address any unauthorized usage of California Personal Data.

The Parties recognize and agree that the transmission of California Personal Data from the Customer to QUIC.cloud does not constitute any form of monetary or other valuable compensation exchanged between them.

 

Annex 1 – Details of Processing

A. List of Parties

Data exporter:

Name: The Customer, as specified by the Customer in any agreement, order form or any other legal document, or in the Customer account. 

Address: The Customer’s address, as specified by the Customer in any agreement, order form or any other legal document, or in the Customer account.

Contact person’s name, position and contact details: The Customer’s contact details, as specified by the Customer in any agreement, order form or any other legal document, or in the customer account.

Activities relevant to the data transferred under these Clauses: Processing of Personal Data in connection with Customer’s use of the Services under the QUIC.cloud Service Agreement.

Role (controller/processor): Controller (either as the Controller; or acting in the capacity of a Controller, as a Processor, on behalf of another Controller).

Data importer:

Name: QUIC Cloud Inc.

Address: 233 Mt. Airy Road 1st Floor, Basking Ridge, New Jersey 07920, United States of America 

Contact person’s name, position and contact details: Lauren Song, Vice-President, lsong@quic.cloud.

Activities relevant to the data transferred under these Clauses: Processing of Personal Data in connection with Customer’s use of the Services under the QUIC.cloud Service Agreement.

Role (controller/processor): Processor

B. Description of Transfer

Categories of Data Subjects whose Personal Data is Transferred

The Customer has the discretion to provide Personal Data while utilizing the Services. This may encompass a variety of data, not limited to, but potentially including information about different groups such as contacts, end users, employees, contractors, collaborators, customers, potential clients, suppliers, and subcontractors.

Categories of Personal Data Transferred

The Customer has the discretion to provide Personal Data to the Services, which may include, but is not limited to, various categories of such data as determined by the Customer: 

  1. Contact Information (such as names, addresses, email addresses, phone numbers, etc.).
  2. Tax information.
  3. Profile information including preferences, interests and browsing history.
  4. Technical information including IP address, usernames, browser type, operating system and version, a list of URLs starting with a referring site, activity on QUIC.cloud platforms, cookies for the web site of QUIC.cloud.
  5. Any other Personal Data submitted by, sent to, or received by the Customer, or its end users, via the Services.

Sensitive Data transferred and applied restrictions or safeguards

The parties do not anticipate the transfer of sensitive data.

Frequency of the transfer

Continuous

Nature of the Processing

Personal Data will be Processed in accordance with the Main Agreement (including this DPA) and may be subject to the following Processing activities: 

  1. Storage and other processing necessary to provide, maintain and improve the Services provided to the Customer; and/or
  2. Disclosure in accordance with the Main Agreement (including this DPA) and/or as compelled by applicable laws.

Purpose of the transfer and further processing

QUIC.cloud will process Personal Data as required to deliver the Services in accordance with the Agreement, and in response to the Customer’s specific instructions during their utilization of the Services.

Period for which Personal Data will be retained

Subject to the “Deletion of Personal Data” section of this DPA, QUIC.cloud will process Personal Data for the duration of the Main Agreement, unless otherwise agreed in writing.

 

Annex 2 – Security Measures

QUIC.cloud implements the following security measures:

(a) Access Control at QUIC.cloud

1. Preventing Unauthorized Access:
  • QUIC.cloud uses cloud infrastructure providers for hosting its services and has agreements with vendors to ensure service quality and data protection.
  • The physical security of QUIC.cloud’s product infrastructure is managed by these providers, with stringent security and compliance measures (like SOC 2 Type II and ISO 27001).
  • Users must authenticate themselves before accessing non-public data through QUIC.cloud’s products.
  • QUIC.cloud’s authorization model ensures only authorized users can access specific features and data, with user permissions strictly checked.
2. Preventing Unauthorized Use:
  • QUIC.cloud employs standard network access controls and detection systems for its internal networks.
  • Network access is controlled to prevent unauthorized traffic, using methods like VPCs, security groups, and firewalls.
  • A Web Application Firewall (WAF) is in place to protect customer sites and applications from attacks.
  • QUIC.cloud uses automated tools for static code analysis to check for best practices and flaws.
  • Regular penetration testing is conducted by external experts to identify and address security vulnerabilities.
3. Limitations of Privilege & Authorization Requirements:
  • Only certain QUIC.cloud employees can access products and customer data, primarily for customer support, development, and security purposes.
  • Access is provided on a need basis and is closely monitored.
  • Employees’ access rights are regularly reviewed, especially for high-risk permissions.

(b) Transmission Control

In-Transit: QUIC.cloud uses HTTPS encryption, also known as SSL or TLS, on all login pages and on every customer site hosted on QUIC.cloud products. This ensures secure data transfer using standard industry practices.

At-Rest: QUIC.cloud safeguards user passwords by adhering to industry-standard security practices. Technologies have been implemented to encrypt stored data, ensuring its security even when not being actively accessed.

(c) Input Control

Detection: QUIC.cloud has a system that keeps detailed records of how its system behaves, the traffic it receives, who logs in, and other requests it gets. This system gathers all this information and lets QUIC.cloud’s team know if there’s anything suspicious or out of the ordinary. The team, which includes security, operations, and support staff, is always ready to respond to any issues.

Response and Tracking: QUIC.cloud keeps a detailed record of all security issues, including what happened, when it happened, and how it was resolved. If there’s a suspected or confirmed security problem, the security, operations, or support teams will look into it. They’ll figure out what to do and keep track of their actions. If there’s a confirmed issue, QUIC.cloud will take steps to reduce any harm to the product or risk of information getting out. QUIC.cloud will let customers know about these incidents as per the terms of the agreement.

(d) Availability Management

Infrastructure Uptime: QUIC.cloud aims for at least 99.95% uptime by using reliable methods. They ensure backup for essential services like power, network, and HVAC.

Fault Tolerance: QUIC.cloud has backup and replication plans to protect against major processing failures. They store customer data securely across multiple locations.

Data Replication and Backups: QUIC.cloud ensures data is copied between at least one primary and one secondary database, where possible. They follow standard practices to backup all databases.

Disaster Recovery: QUIC.cloud has disaster recovery plans in place and tests them regularly to keep information safe and available even after major disruptions.

 

Annex 3 – Subprocessors

QUIC.cloud employs sub-processors, including our network partners and other sub-processors, to support the provision of services.


Network Partners:

As this information constitutes a business secret, we are not able to provide a list of our server/networking providers.

We use our server/networking providers to store the data you give us, which is then served via our CDN Network, which you can control via the my.quic.cloud panel, by turning off locations outside of the EU. All traffic would then go through our EU PoPs.

Such Client’s optional management via my.quic.cloud panel shall be deemed as documented instruction from the Client with regard to transfers of data to a third country or an international organization.

We have contracts with each provider to make sure they adhere to GDPR and all data is maintained with us with strict access policies. All providers are obliged to protect personal data and act in accordance with GDPR. We maintain all our own infrastructure according to standard industry security practices.

Other Sub Processors:

Detailed information about other Sub-Processors can be found on the QUIC.cloud Sub-Processors Page at https://www.quic.cloud/gdpr-subprocessors. This page is a part of this Data Processing Agreement (DPA).