Effective Date: ____ 2022
This Data Processing Agreement (the “DPA”) forms part of the Terms and Conditions
(the “Agreement”) between the Customer and Nimbus and governs processing of personal data by Nimbus in the course of use of the Website and the Product by the Customer. The purpose of this DPA is to ensure compliance with Article 28(3) and (4) of GDPR and art. 59(5) and (6) of UK Data Protection Act 2018.
1. PARTIES’ RELATIONSHIP AND ROLES
1.2. The Customer will act as a controller, and Nimbus will act as a processor with respect to processing of the Data Provided in the Customer Content and, to the extent such data are processed by Nimbus on behalf of the Customer, the personal data referred to in section 220.127.116.11.
1.3. Sections 4, 5, and 7 of this DPA apply only with regard to the processing of the data in which Nimbus acts as a data processor.
1.4. Nimbus undertakes to:
a) implement appropriate technical and organizational measures, including the measures referred to in art. 32 GDPR and art. 66 UK Data Protection Act 2018, in such a manner that processing will meet the requirements of Data Protection Laws, and
b) ensure the protection of the rights of the data subjects.
This DPA becomes effective upon the Customer’s acceptance of the Agreement and continue in effect until the Agreement is terminated.
3. DETAILS OF PROCESSING
3.1. Subject matter and nature of the processing. The Customer Personal Data are processed by Nimbus in the course of provision of the Website and the Product for use by the Customer.
3.2. Types of Personal Data Processed and Transferred. Frequency of the transfer. The types of Customer Personal Data include:
3.2.1. Submitted Data, i.e. information provided by the Customer and the users:
18.104.22.168. name, email address, password, country, name of the user’s team or enterprise, the user’s role in team or enterprise, and an optional profile photo. Such information may be received by Nimbus directly from the Customer, the user or upon the user’s consent when a user registers and logs in using his/her Google, Facebook, or Apple account;
22.214.171.124. when users fill in the fields on the Website or in the Product or communicate with Nimbus in other forms, the users may provide us with information such as email address, phone number, information in their messengers (statuses, etc.) or mailing address. Nimbus may also collect the information contained in messages or attachments that the users may send to us, as well as other information the users choose to provide, and that may be associated with such communications;
126.96.36.199. when a Customer purchases a subscription to the Website or the Product, Nimbus may collect payment information, which allows the Customers to pay for the subscription. Nimbus may engage business partners, service providers, contractors or agents processing payments.
3.2.2. Usage Data that Nimbus automatically collects when a user visits, uses or navigates the Website or the Product. The Usage Data may include:
188.8.131.52. the information about a user’s computer or mobile device. The examples of such information are device information, user settings, MAC address, internet protocol (IP) address, the information about the software (browser type and version, operating system), language settings, mobile network information, mobile carrier, mobile advertising and other unique identifiers, device location, location information (including inferred location based off of your IP address), mobile operating system, type and version of mobile browser, URL-links;
184.108.40.206. pages that a user visits before, during and after using the Website or the Product, information about how a user uses the Website and Product, such as the time the user enters and exits the Website or start to use the Product, the search queries in the search tools on the Website; information about the links you click; date, time and URL addresses of the web pages you access and other similar, technical information, such as Internet speed. Information Nimbus collects may be associated with accounts and other devices;
220.127.116.11. the data (including the cookie files, pixel tags, web beacons) we collect via the internet statistics services such as Google Analytics, AppMetrica, etc.
3.2.3. Personal Data received from other sources, including third parties and publicly available sources which help Nimbus to update, expand, and analyze the Website and the Product; prevent or detect fraud; process payments; or analyze how the Website and Services are used (the “Third-Party Data”). The Third-Party Data may include without limitation the data from analytics providers (e.g., Google).
3.2.4.The content uploaded or created by the Customer or through the Customer Accounts on the Website or in the Product may include other types of personal data as may be defined by the Customer or users of the Customer Accounts (“Data Provided in the Customer Content”).
Submitted Data, Usage Data and Third-Party Data together are the Customer Account Data.
The categories of the data transferred include data comprising the Submitted Data, Usage Data, and the Data Provided in the Customer Content.
The Submitted Data are transferred upon registration of the Customer Accounts, and may be updated by the users, or when a user communicates with Nimbus. The Usage Data are collected upon each user’s session. The Customer determines the frequency of the transfer of the Data Provided in the Customer Content.
The Customer shall ensure that the Customer Personal Data do not contain:
3.2.5. any information that falls under special categories of data under the Data Protection Laws, including information regarding racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data or data concerning health of a natural person, or data concerning a natural person’s sex life or sexual orientation, personal data relating to criminal convictions and offences or related security measures or treated as such.
3.2.6. financial information (e.g. credentials to any financial accounts or tax return data);
3.2.7. national identification number or any other identifier of general application (e.g. social security numbers);
3.2.8. passwords for online accounts (other than passwords necessary to access the Website and the Product);
3.2.9. any payment card information or cardholder data subject to the Payment Card Industry Data Security Standard;
3.2.10. personal data of children, including, without limitation, all information about children under 14 years of age.
3.3. Data Subjects. Data subjects to whom the Customer Personal Data relate may include the Customer, actual or prospective officers, employees, suppliers, clients, consultants, and contractors of the Customer. Customer Account Data relate to the Customer, the natural persons using the Website or the Product on behalf of the Customer whom the Customer invited to use the Website or the Product.
3.4. Duration and the period for which the personal data will be retained. The duration of the data processing under this DPA is until termination of the Agreement. The Customer Personal Data shall be retained longer than as follows:
|Data category ||Retention period
|Submitted Data ||until termination of the Agreement, unless and to the extent applicable law requires us to keep some of the data for a longer period; back-up copies are deleted upon expiration of 7 days after account termination
|Usage Data: ||
|IP-address ||until the end of the web session of the user
|other data||60 days
|Third-Party Data||5 years
|Data Provided in the Customer Content ||until termination of the Agreement; back-up copies are deleted upon expiration of 7 days after account termination
3.5. Purpose of the data transfer and further processing.
3.5.1. The purpose of the Customer Personal Data transfer and further processing under this DPA is provision of the Website and the Product for use by the Customer.
4.1. Customer hereby gives a general authorization to Nimbus to engage other processors (the “sub-processor”) for processing of the Customer Personal Data under this DPA, provided:
4.1.1. Each of the sub-processors enters into a written agreement with Nimbus regarding processing of the Customer Personal Data that imposes on such sub-processor the same data protection obligations as this DPA imposes on Nimbus; and
4.1.2. Nimbus remains liable to the Customer for the performance of each of the sub-processor’s obligations regarding the Customer Personal Data.
4.2. The list of the sub-processors currently engaged by Nimbus is available at [URL]. Nimbus shall inform the Customer of any intended changes concerning the addition or replacement of sub-processors by updating the list of the sub-processers at the URL indicated above 10 days before addition or replacement of any sub-processor (unless maintaining the usual level of service or data security considerations require an urgent replacement of a sub-processor, in which case notification shall be made as soon as practicable). Within 10 days after publication of changes to the list of the sub-processors the Customer may submit a legitimate objection, accompanied by the explanation of its reasonable grounds. The Customer may request the information necessary to exercise the right to object, and Nimbus shall promptly provide such information. The parties shall work in good faith to resolve objections of the Customer, and if no solution is found within 30 days after the objection is submitted, either of the parties may terminate the Agreement by an immediate notice to the other party.
5.1. Nimbus shall process the personal data as agreed in the Agreement, this DPA, or according to the documented instructions from the Customer acknowledged by Nimbus, including with regard to transfers of personal data to a third country or an international organization.
5.2. Nimbus shall inform the Customer if, in the opinion of Nimbus, instructions given by the Customer with respect to processing of the Customer Personal Data infringe the Data Protection Laws or if Nimbus otherwise seeks to process Customer Personal Data in a manner that is inconsistent with Customer’s instructions. The parties shall work in good faith in resolving the issue, and unless otherwise instructed by the Customer, Nimbus may cease all or some processing of the Customer Personal Data pursuant to the instruction in question.
6. SECURITY OF THE PROCESSING
6.1. Nimbus shall implement technical and security measures listed in Annex I to this DPA to ensure the security of the Customer Personal Data. In assessing the appropriate level of security, the parties shall take due account of the state of the art, the costs of implementation, the nature, scope, context and purposes of processing and the risks involved for the data subjects.
6.2. Nimbus shall grant access to the Customer Personal Data to members of its personnel only to the extent strictly necessary for implementing, managing and monitoring of Agreement. Nimbus shall ensure that persons authorized to process the Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
6.3. Upon termination or expiration of this DPA Nimbus shall delete the Customer Personal Data (except for back-up or archival copies) unless applicable law requires storage of the Customer Account Data. Prior to such deletion, Nimbus may provide the Customer with a possibility to export the Customer Personal Data.
7.1. The Parties shall be able to demonstrate compliance with this DPA.
7.2. Nimbus shall deal promptly and adequately with inquiries from the Customer about the processing of data in accordance with this DPA.
7.3. Nimbus shall make available to the Customer all information necessary to demonstrate compliance with the obligations that are set out in these Clauses and stem directly from the Data Protection Laws. If Nimbus is precluded from disclosure by applicable law, a duty of confidentiality, or any other obligation owed to a third party, then Nimbus may redact the information before its disclosure to the Customer.
7.4. At the Customer’s request, Nimbus shall also permit and contribute to audits of the processing activities covered by this DPA, at reasonable intervals or if there are indications of non-compliance. In deciding on a review or an audit, the Customer may take into account relevant certifications held by Nimbus. The Customer may choose to conduct the audit by itself or mandate an independent auditor. Audits may also include inspections at the premises or physical facilities of Nimbus and shall be carried out with a 20-days prior notice, which shall specify the scope, timing, and duration of the audit.
7.5. The Customer shall reimburse Nimbus for the costs and expenses incurred by Nimbus in connection with such audit, including for any time spent at a reasonable reimbursement rate that shall be agreed by the Customer and Nimbus before the commencement of the audit.
7.6. Any audit must be: (i) conducted during regular business hours; (ii) carried out in a manner that does not interfere with normal operation of business; and (iii) subject to reasonable confidentiality procedures. In addition, any audit shall be limited to once per year, unless an audit is carried out at the direction of the data protection authority. The Customer shall promptly notify Nimbus of any non-compliance with this DPA discovered during the course of an audit, and Nimbus shall use commercially reasonable efforts to address it.
7.7. The Parties shall make the information referred to in this Clause, including the results of any audits, available to the competent supervisory authority/ies on request.
8. DATA SUBJECTS REQUESTS
8.1. Nimbus shall, upon Customer’s request and taking into account the nature of the processing of the Customer Personal Data, use commercially reasonable efforts to assist Customer in responding to requests from data subjects exercising their rights under Data Protection Laws. If a data subject sends a request relating to Customer Personal Data directly to Nimbus, then Nimbus shall notify the Customer of such request within 10 days of receiving such request. Nimbus shall not respond to the request itself, unless authorized to do so by the Customer.
8.2. The Customer shall reimburse Nimbus for the costs and expenses incurred by Nimbus in connection with assistance in connection with data subject requests, including for any time spent at a reasonable reimbursement rate.
8.3. Nimbus will not be liable under the Agreement for any claim brought by a data subject arising from any action or omission by Nimbus, to the extent that such action or omission resulted from Customer’s instructions or from Customer’s failure to comply with its obligations under applicable law.
9. DATA BREACH
9.1. In the event of a Data Breach, Nimbus shall cooperate with and assist the Customer in compliance with the Customer’s obligations under Data Protection Laws regarding communication of the Data Breach to the competent authorities and the data subject, where applicable, taking into account the nature of processing and the information available to Nimbus.
9.2. In the event of a Data Breach concerning Customer Personal Data, Nimbus shall notify the Customer without undue delay after having become aware of the Data Breach. Such notification shall contain, at least:
9.2.1. a description of the nature of the Data Breach (including, where possible, the categories and approximate number of data subjects and data records concerned);
9.2.2. the details of a contact point where more information concerning the Data Breach can be obtained;
9.2.3. likely consequences of the Data Breach and the measures taken or proposed to be taken to address the breach, including to mitigate its possible adverse effects.
Any such notification is not an acknowledgement of fault or responsibility.
9.3. In the event of a Data Breach, Nimbus shall assist the Customer in collection of information that shall be included in such a notification, including:
9.3.1. the nature of the personal data including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
9.3.2. the likely consequences of the Data Breach;
9.3.3. the measures taken or proposed to be taken to address the Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.
9.4. Where, and insofar as, it is not possible to provide all information described in sections 9.2 and 9.3 at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay.
10. IMPACT ASSESSMENT AND ASSISTANCE TO THE CUSTOMER
Nimbus shall, at the Customer’s expense, assist the Customer in ensuring compliance with the following obligations, taking into account the nature of processing under this DPA and the information available to Nimbus:
a) the obligation to carry out an assessment of the impact of the envisaged processing operations on the protection of personal data (a “data protection impact assessment”) where a type of processing is likely to result in a high risk to the rights and freedoms of natural persons;
b) the obligation to consult the competent supervisory authority prior to processing where a data protection impact assessment indicates that the processing would result in a high risk in the absence of measures taken by the Customer to mitigate the risk;
c) the obligation to ensure that the Customer Personal Data is accurate and up to date, by informing the Customer without delay if Nimbus becomes aware that the personal data it is processing is inaccurate or has become outdated;
d) the obligations regarding security of processing and assessment of the appropriate level of security.
11. CROSS-BORDER TRANSFER OF DATA
11.1. The Customer authorized Nimbus to transfer the Customer Personal Data to any country.
11.2. When the transfer of Customer Personal Data from Customer to Nimbus or from Nimbus to any of its sub-processors is a EU Restricted Transfer, it shall be subject to EU SCC which are incorporated herein by reference completed as follows:
11.2.3. in Clause 7, the optional docking clause will apply;
11.2.4. in Clause 9, Option 2 will apply, and the time period for prior notice of subprocessor changes shall be as set out in section 4.2 of this DPA;
11.2.5. in Clause 11, the Option will not apply;
11.2.6. in Clause 17, Option 1 will apply, and the EU SCC will be governed by the laws of Ireland;
11.2.7. in Clause 18(b), disputes shall be resolved before the courts of Ireland;
11.2.8. Annex I of the EU SCC shall be deemed completed with the information set out in Annex II to this DPA and in section 3 of this DPA; and
11.2.9. Annex II of the EU SCC shall be deemed completed with the information set out in Annex I to this DPA.
11.3. When the transfer of Customer Personal Data from Customer to Nimbus or from Nimbus to any of its sub-processors is a UK Restricted Transfer, it shall be subject to EU SCC completed as provided for in clause 11.2 above, modified by IDT Addendum completed as follows:
11.3.1. Table 1 shall be deemed completed with the information set out in Annex II to this DPA;
11.3.2. Table 2 shall be deemed completed with the information set out in section 14.1 h) and section 11.2;
11.3.3. Table 3, section Annex 1A: List of Parties shall be deemed completed with the information set out in Annex II to this DPA;
11.3.4. Table 3, Annex 1B: Description of Transfer shall be deemed completed with the information set out in section 3 of this DPA;
11.3.5. Table 3, Annex II: Technical and organisational measures including technical and organisational measures to ensure the security of the data shall be deemed completed with the information set out in Annex I to this DPA;
11.3.6. Annex III: List of Sub processors (Modules 2 and 3 only) shall be deemed completed with the list of sub-processors referred to in section 4.2 of this DPA;
11.3.7. In Table 4, the options “Importer” and “Exporter” shall be deemed chosen by the parties.
12.1. If and to the extent this DPA conflicts with the Agreement, this DPA shall prevail.
12.2. The EU SCC shall prevail over this DPA in connection with EU Restricted Transfers.
12.3. The EU SCC amended by the IDT Addendum shall prevail over this DPA in connection with the UK Restricted Transfers.
13. GOVERNING LAW AND JURISDICTION
13.1. The choice of law and jurisdiction contained in the Agreement shall apply to this DPA with the exceptions provided for the EU SCC and IDT Addendum as they are incorporated into this DPA.
14.1. The terms in this DPA have the following meaning:
a) “Customer” means a Customer as defined in the Agreement that uses the Website and the Product for processing personal data otherwise than in the course of a purely personal or household activity.
b) “Customer Accounts” means user accounts managed by the Customer
c) “Customer Account Data” means the Customer Personal Data relating to Customer Accounts. The types of data the Customer Account Data may include are described in clause 3.2 of this DPA.
d) “Customer Personal Data” means any personal data processed by Nimbus in the course of use of the Website and the Product by the Customer and Customer Accounts, whether relating to the Customer itself, its employees, contractors or other data subjects and whether provided to Nimbus by the Customer or other parties.
e) “Data Protection Laws” mean all laws, regulations and court orders which apply to the processing of personal data in the European Economic Area (EEA), the United Kingdom (UK), and the United States (US), including GDPR and UK Data Protection Act 2018.
f) “Data Breach” means a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access to the Customer Personal Data.
g) “EU Restricted Transfer” means, where and to the extent processing of the Customer Personal Data is subject to GDPR, a transfer of the Customer Personal Data from the EEA to a country outside of the EEA which is not subject to an adequacy determination by the European Commission, whether such transfer is a direct or an onward transfer.
h) “EU SCC” means Standard Contractual Clauses approved by the European Commission Implementing Decision 2021/914 of 4 June 2021 (as amended from time to time).
i) “GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
j) “IDT Addendum” means the International Data Transfer Addendum issued by the Information Commissioner’s Office under Section 119A of the Data Protection Act 2018, effective from 21 March 2022
k) “UK Restricted Transfer” means where and to the extent processing of the Customer Personal Data is subject to UK Data Protection laws, a transfer of the Customer Personal Data from the United Kingdom to any other country which is not subject based on adequacy regulations pursuant to Section 17A of the United Kingdom Data Protection Act 2018, whether such transfer is direct or an onward transfer.
14.2. All other terms, capitalized or not, are used in the meanings ascribed to them in the Agreement and in the Data Protection Laws.
14.3. This DPA shall not be interpreted in a way that runs counter to the rights and obligations provided for in the Data Protection Laws or in a way that prejudices the fundamental rights or freedoms of the data subjects.
ANNEX I – TECHNICAL AND ORGANIZATIONAL MEASURES
Description of the technical and organisational measures implemented by the Processor(s) / Data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons:
1. Measures of pseudonymisation and encryption of personal data
Nimbus encrypts data in transit via TLS 1.2, and at rest using the AES-256 algorithm.
2. Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services
Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services include:
a) Access to production systems is through VPN and using unique accounts and role-based access within operational and corporate environments. Authorization requests for access are regularly tracked and logged on. Access for employees is disabled upon termination of employment or change of role. Access to critical and production resources requires multi-factor authentication (MFA). Strong passwords are required. The passwords are encrypted in transit and at rest and are never stored in clear text.
b) All members of Nimbus team undergo mandatory security training, covering data protection, confidentiality, social engineering, password policies and overall security responsibilities. Each member Nimbus personnel is legally bound by industry-standard confidentiality provisions. NDAs with third parties are required. Networks are separated based on trust levels.
3. Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
Nimbus has processes in place to ensure detection of and timely response to security incidents, as well as data recovery procedures to help restore timely access to personal data following an incident.
4. Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing
Nimbus performs annual penetration tests for all components of the Website and the Product.
Nimbus maintains security incident management policies and procedures. In case of any unauthorized disclosure of the Customer Personal Data by Nimbus or its sub-processors Nimbus notifies the impacted Customers without undue delay.
5. Measures for user identification and authorisation
Access to the Website and the Product by Nimbus personnel is uniquely identifiable, logged and monitored. Access to back-end infrastructure is protected by multiple layers of authentication including requiring unique identifiers, strong passwords, and multi-factor authentication.
6. Measures for the protection of data during transmission
Nimbus employs TLS 1.2 encryption for Customer Personal Data in transit from the user’s browser to the Website and/or the Product.
7. Measures for the protection of data during storage
All Customer instances are logically separated. Any attempt to access data outside allowed domain boundaries are prevented and logged. Nimbus implements measures to ensure that executable uploads, code, or unauthorized actors are not permitted to access unauthorized data, including one Customer accessing data of another Customer.
8. Measures for ensuring physical security of locations at which personal data are processed
Sub-processors are responsible for physical security of the data centers and are under contractual obligation to implement adequate physical security measures. Only authorized personnel have access to secure areas. Physical facilities are designed to withstand adverse weather and other natural conditions reasonably predictable in the area; are secured by 24/7 guards and controlled access on a time-bound basis. All data centers are equipped with back-up power supply to ensure power is available to maintain operations in the event of an electrical failure for critical and essential loads in the facility. Further information about security provided by AWS is available from the AWS Cloud Trail.
9. Measures for ensuring events logging
Nimbus logs authorization requests by personnel to privileged spaces. The Website and the Product log user activities including logins, configuration changes, deletions and updates. They are automatically written to audit logs in internal systems. Internal logs capture timestamps, IP addresses, login/logouts, and errors. These logs are only internally available and available for security investigations upon request.
10. Measures for ensuring system configuration, including default configuration
Nimbus monitors changes to the Website and the Product to ensure they comply with Nimbus Change Management Policy and follow privacy by default principle. Nimbus tracks all changes to the Website and the Product in a change management system to mitigate the risk of undetected changes.
11. Measures for internal IT and IT security governance and management
Nimbus has internal information security policies and procedures which are communicated to Nimbus personnel. Nimbus conducts information security training upon hire and thereafter on a regular basis. The information security specialist reports to the senior leadership and is authorised to take necessary actions to establish, implement and manage information security measures.
12. Measures for certification/assurance of processes and products
Nimbus conducts penetration testing by a reputable third party on a regular basis to ensure that any vulnerabilities are timely detected and adequate security measures and controls are in place.
13. Measures for ensuring data minimisation
Data is collected and processed in accordance with stated purposes, access is restricted in accordance with roles and requirements for job responsibilities.
14. Measures for ensuring data quality
Nimbus has procedures in place that allow data subjects to exercise their privacy rights (including a right to amend and update information).
15. Measures for ensuring limited data retention
Compliance with data retention limitations is ensured by automatic deletion of data. Nimbus will immediately delete a Customer account upon its termination, and backup data is deleted within 7 days of account termination.
16. Measures for ensuring accountability
Nimbus maintains records of processing activities and performs privacy impact assessments, when applicable, in connection with the Website and the Product.
17. Measures for allowing data portability and ensuring erasure
Nimbus provides the Customers with possibility to export all Customer Personal Data from their workspace in either HTML, markdown or PDF format. Nimbus has a process which allows data subjects to exercise their privacy rights (e.g., right of erasure or right to data portability).
ANNEX II – DESCRIPTION OF THE PROCESSING
Controller(s) / Data exporter(s): [Identity and contact details of the controller(s) /data exporter(s) and, where applicable, of its/their data protection officer and/or representative in the European Union]
Name: Customer as specified at subscription to the Website and/or the Product and set out in the Customer account.
Address: Address of the Customer as specified at subscription to the Website and/or the Product and set out in the Customer account.
Official registration number (if any) (company number or similar identifier): as specified at subscription to the Website and/or the Product and set out in the Customer account.
Contact person’s name, position and contact details including email: Contact person as specified at subscription to the Website and/or the Product and set out in the Customer account.
Activities relevant to the data transferred under these Clauses: Processing to carry out the Services pursuant to the Agreement entered into between Customer and Nimbus.
Signature and date: This DPA, EU SCC and IDT Addendum shall automatically be deemed executed when the Customer agrees to the Agreement. If this DPA is introduced after the Customer agrees to the Agreement, then this DPA, EU SCC and IDT Addendum shall be deemed executed when the Customer [accepts this DPA].
Role (controller/processor): Controller
Processor(s) / Data importer(s): [Identity and contact details of the processor(s) /data importer(s), including any contact person with responsibility for data protection]
Name: Nimbus Web Inc
Address: 6815 Euclid Ave, Cleveland OH 44103
Official registration number (if any) (company number or similar identifier): Delaware Division of Corporations file No. 5605425; Ohio license (foreign for profit corporation) No. 202112400386
Contact person’s name, position and contact details including email:
Name: Pavel Sher
General inquires: firstname.lastname@example.org
Legal inquires: email@example.com
Contact Phone: (216) 438-1917 (Note: any promotional phone calls won’t be responded)”
Activities relevant to the data transferred under these Clauses: Processing to carry out the Services pursuant to the Agreement entered into between Customer and Nimbus.
Signature and date: This DPA, EU SCC and IDT Addendum shall automatically be deemed executed when Customer agrees to the Agreement.
controller with respect to processing of Customer Account Data for the purposes described in section 3.5.2 of this DPA;
processor with respect to other processing of the Customer Personal Data under this DPA.
Competent Supervisory authority: [Identify the competent supervisory authority/ies in accordance (e.g. in accordance with Clause 13 SCCs)]
Where GDPR applies, the Irish Data Protection Commissioner’s Office.
Where the UK data protection laws apply, the UK Information Commissioner’s Office.