As a online service provider Cloud Tree will act as Data Processor of its customers hosted website data, databases and emails under their direct control as Data Controller.
This policy sets out CloudTrees Obligations and limitations in terms of data processing.
This policy came into effect on 30th May 2018, or the date the Customer joined CloudTree, which ever is the later.
“The Customer”, as the registered holder of the account with CloudTree, who is the Data Controller
“CloudTree” (CT) who is the Data Processor
- Customer Data means any information relating to an identified or identifiable individual that is provided to the Processor for storage on the hosted environment via websites, emails, scripts set up by the The Customer.
- Data Subject, means the person whose data is, or is to be, processed.
- GDPR means regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
- The Customer will use the services provided by CT to host their website, databases and email which may contain personal data of the Data Subject, CT shall have access to the Customer Data in the course of rendering the Services to The Customer.
- Use of the Customer Data by CT shall only be for the purpose of providing Services to The Customer.
- The Customer remains the sole responsible party for the validity of the Customer Data, CT does not act in any way other than to provide the hosting environment for The Customer to operate what ever software, coding, database or otherwise in the day to day storage and processing of the Customer Data.
- The Customer can request the support of CT to correct, amend, delete or block any data under The Customers account. CT shall charge for this service at the current prevailing day rate.
- The Customer can request to review the Security measures taken by CT in relation to the services by giving written notice. As the services are provided “in the cloud” the information on any such measures shall be provided in written form by CT back to The Customer in a reasonable time frame.
- CT shall not amend, view, copy, delete The Customer Data other than to conform with its obligation to provide the Services as set out in the Acceptable Use Policy or by that issued by a valid lawful authority of England and Wales.
- CT shall take all reasonable security steps technical and organisational, to keep confidential The Customer Data and protect against unauthorised or unlawful processing via CT systems.
- The Customer shall remain solely liable for security steps both technical and organisation, to keep confidential The Customer Data via software, websites, database access installed and maintained by The Customer in the provided hosting Environment.
- The Customer remains solely responsible for the provision of adequate back up protection of The Customer Data
- All employees of CT shall be bound by and CT shall ensure adequate training of, to ensure this policy is upheld.
- CT shall inform The Customer within 4 hours of identifying any security breach with relation to The Customer Services.
- In the event that a security breach is identified which has been cause via the customer supplied software, database, website, script hosted by CT reserves the right to immediately suspend The Customers account to protect the Services and hosting environment. CT will work with The Customer to identify the source, but the sole responsibility of plugging the security hole resides with The Customer. CT will assist The Customer on best efforts basis, but any remedial work carried out by CT shall be charged to The Customer. CT shall reserve the right to not unsuspend The Customer account until CT is satisfied no further security risks are present.
- In the event a data breach is identified where the cause is in CT supplied hosting environment CT shall take immediate steps to stop the breach and shall provide full report to The Customer within 24hrs. This report shall include description of the breach, so long as it does not provide information on how to circumvent further security policies, the date and time the breach was identified, steps taken by CT, the information that has been compromised.
- CT shall not back up, export, or copy any of The Customers Data outside of the European Economic Area without prior written approval from The Customer.
- This Data Processing Policy shall remain in force for the term The Customer remains a customer of CT.
- All Customer Data will be erased upon termination of The Customer Account with CT, it is the sole responsibility of The Customer as Data Controller to take any backups prior to termination of their Services from CT.
- This agreement will be governed by the laws of England and Wales.