Data Protection
This Data Protection Policy is incorporated into the Terms and Conditions and Terms of Supply between the Fluidstack entity listed in your Order (or FLUIDSTACK LIMITED, a company incorporated and registered in England with company number 10985545 and registered address at Third Floor, 20 Old Bailey, London, EC4M 7AN, United Kingdom) (Fluidstack) and the individual or entity named in the Order with Fluidstack (Customer or Third-Party Provider).
1. Definitions
Defined terms in the Terms and Conditions or Terms of Supply apply to this Policy. In addition, in this Data Protection Addendum the following definitions have the meanings given below:
Applicable Law means applicable laws of the European Union (EU), the European Economic Area (EEA) or any of the EU or EEA's member states from time to time together with applicable laws in the United Kingdom from time to time;
Appropriate Safeguards means such legally enforceable mechanism(s) for transfers of Personal Data as may be permitted under Data Protection Laws from time to time;
Business Contact Information means the names, mailing addresses, email addresses, and phone numbers regarding the other party's employees or consultants including such information regarding the other party's suppliers and customers, used as part of maintaining its business relationships.
Controller, Data Controller and Data Processor have the meanings given to such terms in Data Protection Laws.
Data Protection Laws means (a) in the United Kingdom: (i) the Data Protection Act 2018; and (ii) the GDPR, and/or any corresponding or equivalent national laws or regulations; (b) in member states of the European Union (EU) and/or European Economic Area (EEA): the GDPR and all relevant EU and EEA member state laws or regulations giving effect to or corresponding with any of the GDPR; and (c) any Applicable Laws replacing, amending, extending, re-enacting or consolidating any of the above Data Protection Laws from time to time.
Data Protection Losses means all liabilities, including all: (a) costs (including legal costs), claims, demands, actions, settlements, interest, charges, procedures, expenses, losses and damages (including relating to material or non-material damage); and (b) to the extent permitted by Applicable Law: (i) administrative fines, penalties, sanctions, liabilities or other remedies imposed by a Supervisory Authority; (ii) compensation which is ordered by a Supervisory Authority to be paid to a Data Subject; and (iii) the reasonable costs of compliance with investigations by a Supervisory Authority.
Data Subject has the meaning given to that term in Data Protection Laws.
Data Subject Request means a request made by a Data Subject to exercise any rights of Data Subjects under Data Protection Laws.
GDPR means the General Data Protection Regulation, Regulation (EU) 2016/679.
International Organisation means an organisation and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries.
International Recipient means (a) any countries outside the United Kingdom and/or the European Economic Area; or (b) any International Organisation(s).
List of Sub-Processors means the latest version of the list of Sub-Processors used by Data Processor, as updated and notified to Data Controller by Data Processor from time-to-time, including on its website.
Personal Data has the meaning given to that term in Data Protection Laws.
Personal Data Breach means any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, any Protected Data.
Processing has the meanings given to that term in Data Protection Laws (and related terms such as 'process' have corresponding meanings).
Processing Instructions has the meaning given to that term in paragraph 4.1(a).
Processor has the meaning given to that term in Data Protection Laws.
Protected Data means Personal Data in the Customer Data.
Sub-Processor means another Processor engaged by Data Processor for carrying out processing activities in respect of the Protected Data on behalf of Data Controller.
Supervisory Authority means any local, national or multinational agency, department, official, parliament, public or statutory person or any government or professional body, regulatory or supervisory authority, board or other body responsible for administering Data Protection Laws.
2. Processor and Controller
- The parties agree that:
- for the Protected Data, the Customer will be the Controller and the Third-Party Provider will be the Processor. Nothing in this Data Protection Policy relieves the Customer of any responsibilities or liabilities under any Data Protection Laws; and
- to the extent that Customer or Third-Party Provider provides Business Contact Information to Fluidstack, Customer or Third-Party Provider (as applicable) will be the Controller and Fluidstack will be the Processor of that Business Contact Information. Fluidstack may use that Business Contact Information for contract management, payment processing, service offering, and business development purposes related to the Agreement and such other purposes as set out in Fluidstack's Privacy Policy (available at https://www.fluidstack.io/).
- In this Data Protection Policy, where Fluidstack, Customer or Third-Party Provider is acting in its capacity as a:
- Controller, the obligations and responsibilities of Data Controller will apply to that party (as relevant); or
- Processor, the obligations and responsibilities of Data Processor will apply to that party (as relevant).
- To the extent the Customer is not sole Controller of any Protected Data it warrants that it has full authority and authorisation of all relevant Controllers to instruct the Data Processor to process the Protected Data in accordance with the Terms and Conditions or Terms of Supply as applicable.
- The Data Processor will process Protected Data in compliance with: (a) the obligations of Processors under Data Protection Laws in respect of the performance of its and their obligations under the Terms and Conditions or Terms of Supply; and (b) the Terms and Conditions or Terms of Supply (as applicable).
3. Instructions and details of processing
- Insofar as Data Processor processes Protected Data on behalf of Data Controller, Data Processor:
- unless required to do otherwise by Applicable Law, will (and will take steps to ensure each person acting under its authority will) process the Protected Data only on and in accordance with Data Controller's documented instructions as set out in this paragraph 3.1 and paragraphs 3.2 and 3.3 (including when making a transfer of Protected Data to any International Recipient), as updated from time to time (Processing Instructions);
- if Applicable Law requires it to process Protected Data other than in accordance with the Processing Instructions, will notify Data Controller of any such requirement before processing the Protected Data (unless Applicable Law prohibits such information on important grounds of public interest); and
- will promptly inform Data Controller if Data Processor becomes aware of a Processing Instruction that, in Data Processor's opinion, infringes Data Protection Laws, provided that to the maximum extent permitted by mandatory law, Data Processor will have no liability howsoever arising (whether in contract, tort (including negligence) or otherwise) for any losses, costs, expenses or liabilities (including any Data Protection Losses) arising from or in connection with any processing in accordance with Data Controller's Processing Instructions following Data Controller's receipt of that information.
- Data Controller acknowledges and agrees that the execution of any computer command to process (including deletion of) any Protected Data made in the use of any of the Services by a customer of Customer will be a Processing Instruction (other than to the extent such command is not fulfilled due to technical, operational or other reasons). Data Controller will ensure that customers of Customer do not execute any such command unless authorised by Data Controller (and by all other relevant Controller(s)) and acknowledge that if any Protected Data is deleted pursuant to any such command Data Processor is under no obligation to seek to restore it.
- Subject to where the contrary appears in Terms and Conditions or Terms of Supply, the processing of the Protected Data by Data Processor under the Terms and Conditions or Terms of Supply will be for the subject-matter, duration, nature and purposes and involve the types of Personal Data and categories of Data Subjects set out in Appendix 1.
4. Technical and organisational measures
Taking into account the nature of the processing, Data Processor will implement and maintain, at its cost and expense, the technical and organisational measures:
- in relation to the processing of Protected Data by Data Processor; and
- to assist Data Controller insofar as is possible in the fulfilment of Data Controller's obligations to respond to Data Subject Requests relating to Protected Data, in each case at Data Controller's cost on a time and materials basis in accordance with Data Processor's standard pricing terms, as notified to Data Controller by Data Processor from time-to-time.
5. Using staff and other processors
- Data Processor will not engage any Sub-Processor for carrying out any processing activities in respect of the Protected Data except in accordance with the Terms and Conditions or Terms of Supply without Data Controller's written authorisation of that specific Sub-Processor (such authorisation not to be unreasonably withheld, conditioned or delayed).
- Data Controller authorises the appointment of each of the Sub-Processors identified on the List of Sub-Processors as updated from time to time.
- Data Processor will:
- prior to the relevant Sub-Processor carrying out any processing activities in respect of the Protected Data, appoint each Sub-Processor under a written contract containing materially the same obligations as under paragraphs 2 to 14 (inclusive) that is enforceable by Data Processor (including those relating to sufficient guarantees to implement appropriate technical and organisational measures);
- ensure each such Sub-Processor complies with all such obligations; and
- remain fully liable for all the acts and omissions of each Sub-Processor as if they were its own.
- Data Processor will ensure that all persons authorised by it (or by any Sub-Processor) to process Protected Data are subject to a binding written contractual obligation to keep the Protected Data confidential (except where disclosure is required in accordance with Applicable Law, in which case Data Processor will, where practicable and not prohibited by Applicable Law, notify Data Controller of any such requirement before such disclosure).
6. Assistance with compliance and Data Subject rights
- Data Processor will refer all Data Subject Requests it receives to Data Controller without undue delay. Data Controller will pay Data Processor for all work, time, costs and expenses incurred in connection with such activity, calculated on a time and materials basis at the Data Processor's standard pricing terms, as notified to Data Controller by Data Processor from time-to-time.
- Data Processor will provide such reasonable assistance as Data Controller reasonably requires (taking into account the nature of processing and the information available to Data Processor) to Data Controller in ensuring compliance with Data Controller's obligations under Data Protection Laws with respect to:
- security of processing;
- data protection impact assessments (as such term is defined in Data Protection Laws);
- prior consultation with a Supervisory Authority regarding high risk processing; and
- notifications to the Supervisory Authority and/or communications to Data Subjects by Data Controller in response to any Personal Data Breach,
- provided Data Controller will pay Data Processor for all work, time, costs and expenses incurred in connection with providing the assistance in this paragraph 6.2, calculated on a time and materials basis at the Data Processor's standard pricing terms, as notified to Data Controller by Data Processor from time-to-time.
7. International data transfers
- Subject to paragraph 7.2, Data Processor will not transfer, or otherwise directly or indirectly disclose, any Protected Data to any International Recipient without the prior written consent of Data Controller except where Data Processor is required to transfer the Protected Data by Applicable Law (and will inform Data Controller of that legal requirement before the transfer, unless those laws prevent it doing so).
- Data Controller agrees that Data Processor may transfer any Protected Data for the purposes referred to in paragraph 3.3 to any International Recipient, provided all transfers by Data Processor of Protected Data to an International Recipient (and any onward transfer) will (to the extent required under Data Protection Laws) be effected by way of Appropriate Safeguards and in accordance with Data Protection Laws. The provisions of the Terms and Conditions or Terms of Supply will constitute Data Controller's instructions with respect to transfers in accordance with paragraph 3.1(a).
- Data Controller acknowledges that due to the nature of cloud services, the Protected Data may also be transferred to other geographical locations in connection with use of the Services further to access and/or computerised instructions initiated by customers of Customer. Data Controller acknowledges that Data Processor does not control such processing and Data Controller will ensure that customers of Customer (and all others acting on its behalf) only initiate the transfer of Protected Data to other geographical locations if Appropriate Safeguards are in place and that such transfer is in compliance with all Applicable Laws.
8. Information and audit
- Data Processor will maintain, in accordance with Data Protection Laws binding on Data Processor, written records of all categories of processing activities carried out on behalf of Data Controller.
- Data Controller may by written notice to Data Processor request information regarding Data Processor's compliance with the obligations placed on it under this Data Protection Addendum. On receipt of such request Data Processor will provide Data Controller (or auditors mandated by Data Controller) with a copy of the latest third-party certifications and audits to the extent made generally available to its customers. Such copies are confidential to the Data Processor and will be Data Processor's Confidential Information for the purposes of the Terms and Conditions or Terms of Supply.
- Data Processor will, on request by Data Controller, in accordance with Data Protection Laws, make available to Data Controller such information as is reasonably necessary to demonstrate Data Processor's compliance with its obligations under this Data Protection Addendum and Article 28 of the GDPR (and under any Data Protection Laws equivalent to that Article 28), and allow for and contribute to audits, including inspections, by Data Controller (or another auditor mandated by Data Controller) for this purpose provided:
- such audit, inspection or information request is reasonable, limited to information in Data Processor's (or any Sub-Processor's) possession or control and is subject to Data Controller giving Data Processor reasonable prior notice of such audit, inspection or information request;
- the parties (each acting reasonably and consent not to be unreasonably withheld or delayed) will agree the timing, scope and duration of the audit, inspection or information release together with any specific policies or other steps with which Data Controller or third party auditor will comply (including to protect the security and confidentiality of other customers, to ensure Data Processor is not placed in breach of any other arrangement with any other customer and so as to comply with the remainder of this paragraph 8.3);
- all costs of such audit or inspection or responding to such information request will be borne by Data Controller, and Data Processor's costs, expenses, work and time incurred in connection with such audit or inspection will be reimbursed by Data Controller on a time and materials basis in accordance with Data Processor's standard pricing terms, as notified to Data Controller by Data Processor from time to time;
- Data Controller's rights under this paragraph 8.3 may only be exercised once in any consecutive 12-month period, unless otherwise required by a Supervisory Authority or if Data Controller (acting reasonably) believes Data Processor is in breach of this Data Protection Addendum;
- Data Controller will promptly (and in any event within three Business Days) report any non-compliance identified by the audit, inspection or release of information to Data Processor;
- Data Controller will ensure that all information obtained or generated by Data Controller or its auditor(s) in connection with such information requests, inspections and audits is kept strictly confidential (save for disclosure required by Applicable Law);
- Data Controller will ensure that any such audit or inspection is undertaken during normal business hours, with minimal disruption to the businesses of Data Processor and each Sub-Processor; and
- Data Controller will ensure that each person acting on its behalf in connection with such audit or inspection (including the personnel of any third party auditor) will not by any act or omission cause or contribute to any damage, destruction, loss or corruption of or to any systems, equipment or data in the control or possession of Data Processor or any Sub-Processor whilst conducting any such audit or inspection.
9. Breach notification
- In respect of any Personal Data Breach involving Protected Data, Data Processor will, without undue delay:
- notify Data Controller of the Personal Data Breach; and
- provide the Data Controller with details of the Personal Data Breach.
10. Deletion of Protected Data and copies
Following the end of the provision of the Services (or part) (as applicable) relating to the processing of Protected Data, Data Processor will dispose of Protected Data in accordance with its obligations under Terms and Conditions or Terms of Supply. Data Processor will have no liability (howsoever arising, including in negligence) for any deletion or destruction of any such Protected Data undertaken in accordance with the Terms and Conditions or Terms of Supply.
11. Compensation and claims
- Subject to the Terms and Conditions or Terms of Supply, Data Processor will be liable for Data Protection Losses (howsoever arising, whether in contract, tort (including negligence) or otherwise) under or in connection with the Terms and Conditions or Terms of Supply:
- only to the extent caused by the processing of Protected Data under the Terms and Conditions or Terms of Supply and directly resulting from Data Processor's breach of the Terms and Conditions or Terms of Supply; and
- in no circumstances to the extent that any Data Protection Losses (or the circumstances giving rise to them) are contributed to or caused by any breach of the Terms and Conditions or Terms of Supply by Data Controller (including in accordance with paragraph 3.1(c)).
- If a party receives a compensation claim from a person relating to processing of Protected Data in connection with the Terms and Conditions or Terms of Supply or the Services, it will promptly provide the other party with notice and full details of such claim. The party with conduct of the action will:
- make no admission of liability nor agree to any settlement or compromise of the relevant claim without the prior written consent of the other party (which will not be unreasonably withheld or delayed); and
- consult fully with the other party in relation to any such action but the terms of any settlement or compromise of the claim will be exclusively the decision of the party that is responsible under the Terms and Conditions or Terms of Supply for paying the compensation.
- The parties agree that Data Controller will not be entitled to claim back from Data Processor any part of any compensation paid by Data Controller in respect of such damage to the extent that Data Controller is liable to indemnify or otherwise compensate Data Processor in accordance with the Terms and Conditions or Terms of Supply.
- This paragraph 11 is intended to apply to the allocation of liability for Data Protection Losses as between the parties, including with respect to compensation to Data Subjects, notwithstanding any provisions under Data Protection Laws to the contrary, except:
- to the extent not permitted by Applicable Law (including Data Protection Laws); and
- that it does not affect the liability of either party to any Data Subject.
12. Data Controller obligations
- Data Controller will ensure that it, its Affiliates and, where applicable, its customers will at all times comply with:
- all Data Protection Laws in connection with the processing of Protected Data, the use of the Cloud Services (and each part) and the exercise and performance of its respective rights and obligations under the Terms and Conditions or Terms of Supply, including maintaining all relevant regulatory registrations and notifications as required under Data Protection Laws; and
- the terms of the Terms and Conditions or Terms of Supply.
- Data Controller warrants, represents and undertakes, that at all times:
- all Protected Data (if processed in accordance with the Agreement) will comply in all respects, including in terms of its collection, storage and processing, with Data Protection Laws;
- the Protected Data is accurate and up to date;
- it will establish and maintain adequate security measures to safeguard Protected Data in its possession or control from unauthorised access and copying and maintain complete and accurate backups of all Protected Data provided to Data Processor (or anyone acting on its behalf) so as to be able to immediately recover and reconstitute such Protected Data in the event of loss, damage or corruption of such Protected Data by Data Processor or any other person; and
- all instructions given by it to the Data Processor in respect of Personal Data will at all times be in accordance with Data Protection Laws.
13. Survival
- This Data Protection Addendum (as updated from time to time) will survive termination (for any reason) or expiry of the Terms and Conditions or Terms of Supply and continue until no Protected Data remains in the possession or control of Data Processor or any Sub-Processor, except that paragraphs 10 to 13 (inclusive) will continue indefinitely.
Appendix 1 - Data processing details
Subject-matter of processing:
Performance of respective rights and obligations under the Terms and Conditions or Terms of Supply and delivery and receipt of the Services under the Terms and Conditions or Terms of Supply.
Duration of the processing:
Until the earlier of final termination or final expiry of the Terms and Conditions or Terms of Supply, except as otherwise expressly stated in the Terms and Conditions or Terms of Supply.
Nature and purpose of the processing:
Processing in accordance with the rights and obligations of the parties under the Terms and Conditions or Terms of Supply; processing as reasonably required to provide the Services; and/or processing as initiated, requested or instructed by Customer in a manner consistent with the Terms and Conditions or Terms of Supply.
Type of Personal Data:
Includes any types of Protected Data uploaded to the cloud infrastructure.
Categories of Data Subjects:
Includes any Data Subject about whom Protected Data is uploaded to the cloud infrastructure.
Special categories of Personal Data:
Not applicable.