DAI CloudPH Data Processing Addendum

 

This Data Processing Addendum (“DPA”) is incorporated into and forms part of the applicable End-User License Agreement or DAI CloudPH Subscription SaaS Agreement (the “Agreement”) between the Subscriber and Doña Alejandra Incorporated CloudPH (“DAI CloudPH”). This DPA reflects the parties’ agreement with respect to the Processing of Personal Data (as defined below) to ensure compliance with the requirements of Data Protection Laws. This DPA will control with respect to the subject matter herein in the event of any conflict with the Agreement. This DPA includes the Standard Contractual Clauses, which are incorporated by reference below.

 

Definitions. Capitalized terms used herein and not otherwise defined in this DPA shall have the meaning set forth in the Agreement:

 

“Data Controller” means the entity that determines the purposes and means of Processing Personal Data (in this case, Subscriber).

 

“Data Exporter” means Subscriber or its Affiliate who transfers the Personal Data out of the Republic of the Philippines;

 

“Data Importer” means DAI CloudPH or its Affiliate who receives Personal Data from other countries;

 

“Data Processor” means the entity that Processes Personal Data on behalf of the Data Controller (in this case, DAI CloudPH).

 

“Data Protection Laws” means any data protection laws and regulations applicable to a party and its respective Processing of Personal Data under the Republic Act No. 10173 otherwise known as Data Privacy Act of the Philippines.

 

“Data Subject” means the individual to whom Personal Data relates.

 

“Personal Data” means any Subscriber Data that is protected as “personal data”, “personal information”, or the like under Data Protection Laws that is processed by DAI CloudPH as a Data Processor in connection with the Service.

 

“Processing”, “Processes”, or “Process” means any operation or set of operations performed upon Personal Data, whether or not by automated means, such as collection, recording, organization, storage, adaptation, or alteration, retrieval, consultation, use, disclosure, dissemination, erasure, or destruction.

 

“Sub-processor” means any third-party Data Processor that Processes Personal Data for DAI CloudPH.

 

“Subscriber” means the entity procuring the Hosting, Cloud Server, SaaS, VPS, and/or Cloud Storage Services under the Agreement.

 

“Subscriber Data Incident” means a confirmed breach of security leading to any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data Processed in environments controlled by DAI CloudPH or its Sub-processors.

 

Processing of Personal Data. Subscriber controls the categories of Data Subjects and any Personal Data Processed under this Agreement, the details of which are set out in Annex I. DAI CloudPH has no knowledge of, or control over, the specific Personal Data that Subscriber provides for Processing in the course of the Services. Subscriber is solely responsible for: (a) the accuracy, quality, and legality of the Subscriber Data and the means by which it acquired the Subscriber Data; and (b) ensuring that its submission of Personal Data to DAI CloudPH and instructions for the Processing of Personal Data comply with Data Protection Laws. DAI CloudPH is not responsible for determining if Subscriber’s Processing instructions are compliant with applicable law; however, DAI CloudPH will inform Subscriber without delay if, in DAI CloudPH’s opinion, Subscriber’s instructions violate Data Protection Laws, and DAI CloudPH shall not be required to comply with such instructions. Taking into account the nature of the Processing, Subscriber agrees that it is unlikely that DAI CloudPH would become aware that Personal Data Processed by DAI CloudPH is inaccurate or outdated. To the extent DAI CloudPH becomes aware of such inaccurate or outdated data, DAI CloudPH will inform the Subscriber.

 

Processing Instructions. DAI CloudPH will Process Personal Data on behalf of and in accordance with Subscriber’s lawful documented instructions. For these purposes, Subscriber instructs DAI CloudPH to Process Personal Data to (i) perform the Services in accordance with the Agreement (including this DPA and all documents incorporated into the Agreement) and (ii) to comply with Subscriber’s other reasonable instructions communicated to DAI CloudPH to the extent those instructions are consistent with the Agreement (“Permitted Purposes”). The parties agree that the Agreement (including this DPA) sets out Subscriber’s complete and final instructions to DAI CloudPH in relation to the Processing of Personal Data and Processing outside the scope of these instructions (if any) shall require prior written agreement between the parties. Apart from such Processing, DAI CloudPH will not Process Personal Data to or for third parties unless required to do so by applicable law; if such a requirement arises DAI CloudPH will make reasonable efforts to inform Subscriber in advance of the required Processing, unless such notice is prohibited by law.

 

Data Subject Requests. DAI CloudPH shall, to the extent legally permitted and where the Subscriber is identified or identifiable from the request, promptly notify Subscriber if DAI CloudPH receives a request from a Data Subject seeking to exercise any of its rights under Data Protection Law in connection with the Processing of Personal Data, including rights of access, rectification, restriction, erasure, data portability, objection (“Data Subject Request”). In addition, to the extent Subscriber does not have the ability to address a Data Subject Request because it does not have custody or control of the necessary information technology systems (and DAI CloudPH does) and taking into account the nature of the Processing, DAI CloudPH shall provide Subscriber with commercially reasonable assistance (including by appropriate technical and organizational measures, in so far as is possible) to enable Subscriber to respond to a Data Subject Request. To the extent Subscriber requires any additional assistance, Subscriber shall be responsible and will indemnify DAI CloudPH for any costs arising from DAI CloudPH providing such assistance.

 

DAI CloudPH Personnel. DAI CloudPH shall ensure its personnel engaged in the Processing of Personal Data are informed of the confidential nature of the Personal Data, have received appropriate training on their responsibilities, are subject to a duty of confidentiality (whether contractual or statutory) and that they will only Process Personal Data for the Permitted Purposes. DAI CloudPH shall ensure that access to Personal Data is limited to those personnel who require access to perform services or Process Personal Data in accordance with the Agreement.

 

Sub-processors. Subject to compliance with this paragraph, Subscriber expressly authorizes DAI CloudPH to use Sub-processors, including the following Sub-processors (the “Sub-processor List”):

• Amazon Web Services
• Google Cloud
• Microsoft Azure
• Any other DAI CloudPH Affiliates

 

DAI CloudPH shall ensure that:

(a) Sub-processors shall be bound by a written agreement, including data protection and security measures, no less protective of Personal Data than the Agreement and this DPA; (b) DAI CloudPH shall be liable for any breach of this DPA caused by an act, error or omission of its Sub-processors to the extent DAI CloudPH would have been liable had such breach been caused by DAI CloudPH; and (c) DAI CloudPH will notify Subscriber in writing if it adds a new Sub-processor to the Sub-processor List at least thirty (30) days in advance. If within thirty (30) days of receipt of such notice, Subscriber objects, in writing, to DAI CloudPH’s appointment of a new Sub-processor on reasonable grounds relating to data protection, the parties will discuss such concerns in good faith with a goal of achieving resolution, failing which Subscriber may terminate the Agreement and this DPA without further liability upon written notice to DAI CloudPH. Upon request, DAI CloudPH will provide an up-to-date Sub-processor List.

 

Security. DAI CloudPH shall implement and maintain appropriate technical and organizational safeguards designed to protect the confidentiality, integrity, and security of Subscriber Data, including protection from Subscriber Data Incidents, as further described in Annex II of this DPA (“Security Measures”). DAI CloudPH may update the Security Measures from time to time, provided that any updates shall not materially diminish the overall security of Subscriber Data. DAI CloudPH shall notify Subscriber without undue delay after becoming aware of a Subscriber Data Incident. DAI CloudPH shall make reasonable efforts to identify the cause of such Subscriber Data Incidents and take steps it deems necessary and reasonable to remediate the cause of such incidents to the extent doing so is within DAI CloudPH’s control. To the extent that a Subscriber Data Incident is caused by Subscriber, its affiliates, or users, the Subscriber will be responsible for any costs DAI CloudPH incurred while meeting these Security obligations.

 

Data Protection Impact Assessments. Upon Subscriber’s request, DAI CloudPH shall provide Subscriber with reasonable cooperation and assistance to the extent needed for Subscriber to fulfil its obligations to conduct a data protection impact assessment related to Subscriber’s use of the Service, but only where Subscriber does not have access to relevant information that is only available from DAI CloudPH. To the extent required by applicable law, in connection with the tasks in this section, DAI CloudPH will provide reasonable assistance to Subscriber in cooperation, or prior to consultation, with any Supervisory Authority.

 

Return or deletion of Subscriber Data: Upon termination or expiry of the Agreement, on Subscriber’s written request DAI CloudPH shall delete all Personal Data in its possession or control in accordance with the Agreement, save that this requirement shall not apply to the extent DAI CloudPH is required by applicable law to retain some or all of the Personal Data, or to Personal Data it has archived on back-up systems, which data DAI CloudPH shall securely isolate and protect from any further processing and delete in accordance with its deletion practices, except to the extent required by applicable law.

 

Data Transfers. Where Subscriber makes a Restricted Transfer of Personal Data to DAI CloudPH, then the Standard Contractual Clauses shall be deemed incorporated into and form an integral part of this DPA as follows:

• Personal Data protected by the Republic Act No. 10173 otherwise known as Data Privacy Act of the Philippines.
• If there is any conflict between the body of this DPA and the Standard Contractual Clauses, the Standard Contractual Clauses will prevail.
• The Standard Contractual Clauses shall be governed by the laws of the Republic of the Philippines and disputes shall be resolved before the competent Philippine courts in Quezon City, Metro Manila.

Audit. DAI CloudPH shall permit Subscriber (or its appointed third party auditors) to audit DAI CloudPH’s compliance with this DPA, and shall make available to Subscriber all information reasonably necessary for Subscriber (or its third-party auditors) to conduct such audit. Subscriber will not exercise its audit rights more than once in any twelve (12) calendar month period, except (i) if and when required by instruction of a competent data protection authority; or (ii) Subscriber believes a further audit is necessary due to a Subscriber Data Incident suffered by DAI CloudPH. In the event that DAI CloudPH is regularly audited against ISO 27001, SSAE 18 SOC 1, 2 and 3, and/or PCI standards, as applicable, by independent third party auditors, DAI CloudPH shall supply a summary copy of its audit report(s) to Subscriber upon request, which reports shall be subject to the confidentiality provisions of the Agreement.

 

 


 

 

ANNEX 1 – DATA PROCESSING DESCRIPTION

 

This Annex forms part of the DPA and describes the processing that DAI CloudPH will perform on behalf of the Subscriber.

 

A.    LIST OF PARTIES

Controller(s) / Data exporter(s):

 

Name:

Subscriber, as defined in the Subscription Hosting, Cloud Server, SaaS, VPS, and/or Cloud Storage Services Agreement (“Agreement”)

Address:

As set out in the Agreement and applicable Order Forms.

Contact person’s name, position and contact details:

The administrator contacts registered by the Subscriber when creating an account with DAI CloudPH.

Activities relevant to the data transferred under these Clauses:

Subscriber (data exporter) will use DAI CloudPH’s (data importer’s) Hosting, Cloud Server, SaaS, VPS, and/or Cloud Storage platform for personnel management purposes.

Signature and date:

This Annex 1 shall be deemed executed upon execution of the Agreement.

Role (controller/processor):

Controller

 

 

Processor(s) / Data importer(s): [Identity and contact details of the processor(s) /data importer(s), including any contact person with responsibility for data protection]

 

Name:

DAI CloudPH

Address:

#30 Timog Avenue

Ground Floor ESNA Building, Quezon City, Metro Manila, 1103

Contact person’s name, position and contact details:

DAI CloudPH’s legal counsel with the responsibility for privacy can be contacted at [email protected].

Activities relevant to the data transferred under these Clauses:

DAI CloudPH (data importer) is a provider of a cloud-based Hosting, Cloud Server, SaaS, VPS, and/or Cloud Storage platform.

Signature and date:

This Annex 1 shall be deemed executed upon execution of the Agreement.

Role (controller/processor):

Processor

 

 

 

 

 

B.    DESCRIPTION OF TRANSFER

 

Categories of data subjects whose personal data is transferred:

The Data Exporter may submit Personal Data to the Service, the extent of which is determined and controlled by the Data Exporter in its sole discretion.
The Personal Data may include but is not limited to Personal Data concerning the Data Exporter’s end users including employees, contractors and the personnel of the Subscriber and its suppliers, collaborators, and subcontractors. Data Subjects also includes individuals attempting to communicate with or transfer Personal Data to the Data Exporter’s end users.

Categories of personal data transferred:

The Data Exporter may submit Personal Data to the DAI CloudPH Service, the extent of which is determined and controlled by the Data Exporter in its sole discretion, and which may include, but is not limited to the following categories of Personal Data:

• First and last name
• Title
• Position
• Employer
• Contact information (company, email, phone, physical business address)
• ID data
• Professional life data
• Professional skills information
• Personal life data
• Employee compensation information
• Connection data
• Localisation data
• Website usage information
• Email data
• System usage data
• Application integration data
• Other electronic data submitted, stored, sent, or received by end users via the DAI CloudPH Service

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures:

The Data Exporter may submit special categories of Personal Data to the DAI CloudPH Service, the extent of which is determined and controlled by the Data Exporter in its sole discretion, and which may include, but is not limited to the following categories of sensitive Personal Data:


• Health and medical information
• Other electronic sensitive data submitted, stored, sent, or received by end users via the DAI CloudPH Service

Any such special categories of data will be protected in accordance with the measures set out in Annex II.

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis):

Continuous for the duration of the DAI CloudPH Service.

Nature of the processing:

The provision of the DAI CloudPH Service to Subscriber in accordance with the Agreement.

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period:

Data processing will be for the term specified in the Agreement. For the term of the Agreement, and for a reasonable period of time after the expiry or termination of the Agreement, the Data Importer will provide the Data Exporter with access to, and the ability to export, the Data Exporter’s Personal Data Processed pursuant to the Agreement, following which the Personal Data will be deleted.

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing:

The nature and duration of the processing are as set out above and in the Agreement.


The subject matter of the processing concerns the processing of the Personal Data about the categories of Data Subjects, each as set out in this Annex I.

 

 

C. COMPETENT SUPERVISORY AUTHORITY

 

Identify the competent supervisory authority in accordance with the applicable law:

The competent supervisory authority will be determined in accordance with the applicable law.

 

 

 

 

 

 

Annex II – TECHNICAL AND ORGANISATIONAL SECURITY MEASURES

 

Description of the technical and organisational measures implemented by the processor(s) / data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.

 

1. As a Hosting, Cloud Server, Software as a Service (SaaS), VPS, and/or Cloud Storage Service provider, DAI CloudPH’s approach to information security is a risk management imperative we share with our customers.

 

2. Our information security program is designed to be consistent with internationally accepted standards and involves a layered, defense-in-depth approach to protecting the confidentiality, integrity, and availability of systems and data, deploying administrative, technical, and physical controls.

 

3. Our System/Software Solutions are designed and developed pursuant to secure software development lifecycle processes, for example, strict control over access to source code, rigorous code review and testing, and securely segregated development, test, and production environments.

 

4. We require our entire team to review and certify compliance with a comprehensive set of information security policies, which we then monitor and enforce.

 

5. We provide regular training to raise awareness regarding cyber security and data privacy issues and strive to maintain a corporate culture where employees are vigilant for cyber-threats and prepared for cyber security incidents.

 

6. We provide our customers with the security benefits that come with the most advanced cloud computing infrastructure. Aside from the formidable infrastructure security, DAI CloudPH has architected its services so that customer environments are securely segregated. Administrative access to DAI CloudPH’s services is strictly limited to a small number of DAI CloudPH personnel on the basis of “need to know” and “least privilege” and requires the use of Multi-Factor Authentication.

 

7. These DAI CloudPH employees, as well as those who support customers and may need to access customer databases for support purposes, can only do so through encrypted channels via a DAI CloudPH IP address. This means that DAI CloudPH’s access to a customer database for support purposes requires a connection through either a DAI CloudPH physical facility or office or the DAI CloudPH VPN, which uses TLS 1.2 or IPSEC. The data associated with such activity is logged by our security personnel.  

 

8. Availability of customer data is ensured through a system of backups, daily, weekly, monthly, and quarterly. The backups are encrypted as well as regularly tested. Retention of the various backups is scheduled to provide recovery under multiple different scenarios and varying historical timing implications.

 

9. DAI CloudPH uses leading-edge technology to ensure that the person who is trying to access your company’s data is exactly who they say they are. For example, user logins can be limited to specific IP addresses, which means that no one without a recognizable IP address will be able to access the system. A variety of password protection measures can be put in place as well. You can decide how often users are prompted to change their passwords. Password complexity requirements can help ensure only difficult-to-crack passwords are chosen. Even one-time password and single-sign-on solutions can be installed, which means a unique multi-factor method of access is required to gain access at every log-in attempt.

 

10. DAI CloudPH allows customers to control user access to their data, functions, and features that are necessary to the user’s role using a role-based access control approach.

 

11. DAI CloudPH offers data encryption as the main feature. DAI CloudPH uses the same encryption technology that protects financial institutions as well as the United States military. Sensitive fields such as credit card and social security numbers within your SQL databases are encrypted. Internal systems use Advanced Encryption Standard (AES) 128, 192, or 256-bit encryption. External access to the DAI CloudPH portal is via TLS 1.2.

 

12. DAI CloudPH has a fully staffed, highly trained, 24/7 security operations centre already. It’s their responsibility to monitor and protect your data.

DAI CloudPH Data Processing Addendum

 

This Data Processing Addendum (“DPA”) is incorporated into and forms part of the applicable End-User License Agreement or DAI CloudPH Subscription SaaS Agreement (the “Agreement”) between the Subscriber and Doña Alejandra Incorporated CloudPH (“DAI CloudPH”). This DPA reflects the parties’ agreement with respect to the Processing of Personal Data (as defined below) to ensure compliance with the requirements of Data Protection Laws. This DPA will control with respect to the subject matter herein in the event of any conflict with the Agreement. This DPA includes the Standard Contractual Clauses, which are incorporated by reference below.

 

Definitions. Capitalized terms used herein and not otherwise defined in this DPA shall have the meaning set forth in the Agreement:

 

“Data Controller” means the entity that determines the purposes and means of Processing Personal Data (in this case, Subscriber).

 

Data Exporter” means Subscriber or its Affiliate who transfers the Personal Data out of the Republic of the Philippines;

 

Data Importer” means DAI CloudPH or its Affiliate who receives Personal Data from other countries;

 

“Data Processor” means the entity that Processes Personal Data on behalf of the Data Controller (in this case, DAI CloudPH).

 

“Data Protection Laws” means any data protection laws and regulations applicable to a party and its respective Processing of Personal Data under the Republic Act No. 10173 otherwise known as Data Privacy Act of the Philippines.

 

“Data Subject” means the individual to whom Personal Data relates.

 

“Personal Data” means any Subscriber Data that is protected as “personal data”, “personal information”, or the like under Data Protection Laws that is processed by DAI CloudPH as a Data Processor in connection with the Service.

 

“Processing”, “Processes”, or “Process” means any operation or set of operations performed upon Personal Data, whether or not by automated means, such as collection, recording, organization, storage, adaptation, or alteration, retrieval, consultation, use, disclosure, dissemination, erasure, or destruction.

 

“Sub-processor” means any third-party Data Processor that Processes Personal Data for DAI CloudPH.

 

Subscriber” means the entity procuring the Hosting, Cloud Server, SaaS, VPS, and/or Cloud Storage Services under the Agreement.

 

Subscriber Data Incident” means a confirmed breach of security leading to any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data Processed in environments controlled by DAI CloudPH or its Sub-processors.

 

Processing of Personal Data. Subscriber controls the categories of Data Subjects and any Personal Data Processed under this Agreement, the details of which are set out in Annex I. DAI CloudPH has no knowledge of, or control over, the specific Personal Data that Subscriber provides for Processing in the course of the Services. Subscriber is solely responsible for: (a) the accuracy, quality, and legality of the Subscriber Data and the means by which it acquired the Subscriber Data; and (b) ensuring that its submission of Personal Data to DAI CloudPH and instructions for the Processing of Personal Data comply with Data Protection Laws. DAI CloudPH is not responsible determining if Subscriber’s Processing instructions are compliant with applicable law; however DAI CloudPH will inform Subscriber without delay if, in DAI CloudPH’s opinion, Subscriber’s instructions violate Data Protection Laws, and DAI CloudPH shall not be required to comply with such instructions. Taking into account the nature of the Processing, Subscriber agrees that it is unlikely that DAI CloudPH would become aware of Personal Data Processed by DAI CloudPH is inaccurate or outdated. To the extent DAI CloudPH becomes aware of such inaccurate or outdated data, DAI CloudPH will inform the Subscriber.

 

Processing Instructions. DAI CloudPH will Process Personal Data on behalf of and in accordance with Subscriber’s lawful documented instructions. For these purposes, Subscriber instructs DAI CloudPH to Process Personal Data to (i) perform the Services in accordance with the Agreement (including this DPA and all documents incorporated into the Agreement) and (ii) to comply with Subscriber’s other reasonable instructions communicated to DAI CloudPH to the extent those instructions are consistent with the Agreement (“Permitted Purposes“). The parties agree that the Agreement (including this DPA) sets out Subscriber’s complete and final instructions to DAI CloudPH in relation to the Processing of Personal Data and Processing outside the scope of these instructions (if any) shall require prior written agreement between the parties. Apart from such Processing, DAI CloudPH will not Process Personal Data to or for third parties unless required to do so by applicable law; if such a requirement arises DAI CloudPH will make reasonable efforts to inform Subscriber in advance of the required Processing, unless such notice is prohibited by law.

 

Data Subject Requests. DAI CloudPH shall, to the extent legally permitted and where the Subscriber is identified or identifiable from the request, promptly notify Subscriber if DAI CloudPH receives a request from a Data Subject seeking to exercise any of its rights under Data Protection Law in connection with the Processing of Personal Data, including rights of access, rectification, restriction, erasure, data portability, objection (“Data Subject Request”). In addition, to the extent Subscriber does not have the ability to address a Data Subject Request because it does not have custody or control of the necessary information technology systems (and DAI CloudPH does) and taking into account the nature of the Processing, DAI CloudPH shall provide Subscriber with commercially reasonable assistance (including by appropriate technical and organizational measures, in so far as is possible) to enable Subscriber to respond to a Data Subject Request. To the extent Subscriber requires any additional assistance, Subscriber shall be responsible and will indemnify DAI CloudPH for any costs arising from DAI CloudPH providing such assistance.

 

DAI CloudPH Personnel. DAI CloudPH shall ensure its personnel engaged in the Processing of Personal Data are informed of the confidential nature of the Personal Data, have received appropriate training on their responsibilities, are subject to a duty of confidentiality (whether contractual or statutory) and that they will only Process Personal Data for the Permitted Purposes. DAI CloudPH shall ensure that access to Personal Data is limited to those personnel who require access to perform services or Process Personal Data in accordance with the Agreement.

 

Sub-processors. Subject to compliance with this paragraph, Subscriber expressly authorizes DAI CloudPH to use Sub-processors, including the following Sub-processors (the “Sub-processor List”):

  •        Amazon Web Services
  •        Google Cloud
  •        Microsoft Azure
  •        Any other DAI CloudPH Affiliates

 

DAI CloudPH shall ensure that:

(a) Sub-processors shall be bound by a written agreement, including data protection and security measures, no less protective of Personal Data than the Agreement and this DPA; (b) DAI CloudPH shall be liable for any breach of this DPA caused by an act, error or omission of its Sub-processors to the extent DAI CloudPH would have been liable had such breach been caused by DAI CloudPH; and (c) DAI CloudPH will notify Subscriber in writing if it adds a new Sub-processor to the Sub-processor List at least thirty (30) days in advance. If within thirty (30) days of receipt of such notice, Subscriber objects, in writing, to DAI CloudPH’s appointment of a new Sub-processor on reasonable grounds relating to data protection, the parties will discuss such concerns in good faith with a goal of achieving resolution, failing which Subscriber may terminate the Agreement and this DPA without further liability upon written notice to DAI CloudPH. Upon request, DAI CloudPH will provide an up-to-date Sub-processor List.

 

Security. DAI CloudPH shall implement and maintain appropriate technical and organizational safeguards designed to protect the confidentiality, integrity, and security of Subscriber Data, including protection from Subscriber Data Incidents, as further described in Annex II of this DPA (“Security Measures“). DAI CloudPH may update the Security Measures from time to time, provided that any updates shall not materially diminish the overall security of Subscriber Data. DAI CloudPH shall notify Subscriber without undue delay after becoming aware of Subscriber Data Incident. DAI CloudPH shall make reasonable efforts to identify the cause of such Subscriber Data Incidents and take steps it deems necessary and reasonable to remediate the cause of such incidents to the extent doing so is within DAI CloudPH’s control. To the extent that a Subscriber Data Incident is caused by Subscriber, its affiliates, or users, the Subscriber will be responsible for any costs DAI CloudPH incurred while meeting these Security obligations.

 

Data Protection Impact Assessments. Upon Subscriber’s request, DAI CloudPH shall provide Subscriber with reasonable cooperation and assistance to the extent needed for Subscriber to fulfil its obligations to conduct a data protection impact assessment related to Subscriber’s use of the Service, but only where Subscriber does not have access to relevant information that is only available from DAI CloudPH. To the extent required by applicable law, in connection with the tasks in this section, DAI CloudPH will provide reasonable assistance to Subscriber in cooperation, or prior to consultation, with any Supervisory Authority.

 

Return or deletion of Subscriber Data: Upon termination or expiry of the Agreement, on Subscriber’s written request DAI CloudPH shall delete all Personal Data in its possession or control in accordance with the Agreement, save that this requirement shall not apply to the extent DAI CloudPH is required by applicable law to retain some or all of the Personal Data, or to Personal Data it has archived on back-up systems, which data DAI CloudPH shall securely isolate and protect from any further processing and delete in accordance with its deletion practices, except to the extent required by applicable law.

 

Data Transfers. Where Subscriber makes a Restricted Transfer of Personal Data to DAI CloudPH, then the Standard Contractual Clauses shall be deemed incorporated into and form an integral part of this DPA as follows:

• Personal Data protected by the Republic Act No. 10173 otherwise known as Data Privacy Act of the Philippines.
• If there is any conflict between the body of this DPA and the Standard Contractual Clauses, the Standard Contractual Clauses will prevail.
• The Standard Contractual Clauses shall be governed by the laws of the Republic of the Philippines and disputes shall be resolved before the competent Philippine courts in Quezon City, Metro Manila.

Audit. DAI CloudPH shall permit Subscriber (or its appointed third-party auditors) to audit DAI CloudPH’s compliance with this DPA, and shall make available to Subscriber all information reasonably necessary for Subscriber (or its third-party auditors) to conduct such audit. Subscriber will not exercise its audit rights more than once in any twelve (12) calendar month period, except (i) if and when required by instruction of a competent data protection authority; or (ii) if Subscriber believes a further audit is necessary due to a Subscriber Data Incident suffered by DAI CloudPH. In the event that DAI CloudPH is regularly audited against ISO 27001, SSAE 18 SOC 1, 2 and 3, and/or PCI standards, as applicable, by independent third-party auditors, DAI CloudPH shall supply a summary copy of its audit report(s) to Subscriber upon request, which reports shall be subject to the confidentiality provisions of the Agreement.

 

 

Annexes on the following pages…

 

 

ANNEX 1 – DATA PROCESSING DESCRIPTION

 

This Annex forms part of the DPA and describes the processing that DAI CloudPH will perform on behalf of the Subscriber.

 

A.    LIST OF PARTIES

Controller(s) / Data exporter(s):

 

Name:

Subscriber, as defined in the Subscription Hosting, Cloud Server, SaaS, VPS, and/or Cloud Storage Services Agreement (“Agreement”)

Address:

As set out in the Agreement and applicable Order Forms.

Contact person’s name, position and contact details:

The administrator contacts registered by the Subscriber when creating an account with DAI CloudPH.

Activities relevant to the data transferred under these Clauses:

Subscriber (data exporter) will use DAI CloudPH’s (data importer’s) Hosting, Cloud Server, SaaS, VPS, and/or Cloud Storage platform for personnel management purposes.

Signature and date:

This Annex 1 shall be deemed executed upon execution of the Agreement.

Role (controller/processor):

Controller

 

 

Processor(s) / Data importer(s): [Identity and contact details of the processor(s) /data importer(s), including any contact person with responsibility for data protection]

 

Name:

DAI CloudPH

Address:

#30 Timog Avenue

Ground Floor ESNA Building, Quezon City, Metro Manila, 1103

Contact person’s name, position and contact details:

DAI CloudPH’s legal counsel with the responsibility for privacy can be contacted at [email protected].

Activities relevant to the data transferred under these Clauses:

DAI CloudPH (data importer) is a provider of a cloud-based Hosting, Cloud Server, SaaS, VPS, and/or Cloud Storage platform.

Signature and date:

This Annex 1 shall be deemed executed upon execution of the Agreement.

Role (controller/processor):

Processor

 

 

 

 

 

B.    DESCRIPTION OF TRANSFER

 

Categories of data subjects whose personal data is transferred:

The Data Exporter may submit Personal Data to the Service, the extent of which is determined and controlled by the Data Exporter in its sole discretion.
The Personal Data may include but is not limited to Personal Data concerning the Data Exporter’s end users including employees, contractors and the personnel of the Subscriber and its suppliers, collaborators, and subcontractors. Data Subjects also include individuals attempting to communicate with or transfer Personal Data to the Data Exporter’s end users.

Categories of personal data transferred:

The Data Exporter may submit Personal Data to the DAI CloudPH Service, the extent of which is determined and controlled by the Data Exporter in its sole discretion, and which may include, but is not limited to the following categories of Personal Data:

• First and last name
• Title
• Position
• Employer
• Contact information (company, email, phone, physical business address)
• ID data
• Professional life data
• Professional skills information
• Personal life data
• Employee compensation information
• Connection data
• Localisation data
• Website usage information
• Email data
• System usage data
• Application integration data
• Other electronic data submitted, stored, sent, or received by end users via the DAI CloudPH Service

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures:

The Data Exporter may submit special categories of Personal Data to the DAI CloudPH Service, the extent of which is determined and controlled by the Data Exporter in its sole discretion, and which may include, but is not limited to the following categories of sensitive Personal Data:


• Health and medical information
• Other electronic sensitive data submitted, stored, sent, or received by end users via the DAI CloudPH Service

Any such special categories of data will be protected in accordance with the measures set out in Annex II.

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis):

Continuous for the duration of the DAI CloudPH Service.

Nature of the processing:

The provision of the DAI CloudPH Service to Subscriber in accordance with the Agreement.

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period:

Data processing will be for the term specified in the Agreement. For the term of the Agreement, and for a reasonable period of time after the expiry or termination of the Agreement, the Data Importer will provide the Data Exporter with access to, and the ability to export, the Data Exporter’s Personal Data Processed pursuant to the Agreement, following which the Personal Data will be deleted.

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing:

The nature and duration of the processing are as set out above and in the Agreement.


The subject matter of the processing concerns the processing of the Personal Data about the categories of Data Subjects, each as set out in this Annex I.

 

 

C. COMPETENT SUPERVISORY AUTHORITY

 

Identify the competent supervisory authority in accordance with the applicable law:

The competent supervisory authority will be determined in accordance with the applicable law.

 

 

 

 

 

 

Annex II – TECHNICAL AND ORGANISATIONAL SECURITY MEASURES

 

Description of the technical and organisational measures implemented by the processor(s) / data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.

 

1. As a Hosting, Cloud Server, Software as a Service (SaaS), VPS, and/or Cloud Storage Service provider, DAI CloudPH’s approach to information security is a risk management imperative we share with our customers.

 

2. Our information security program is designed to be consistent with internationally accepted standards and involves a layered, defense-in-depth approach to protecting the confidentiality, integrity, and availability of systems and data, deploying administrative, technical, and physical controls.

 

3. Our System/Software Solutions are designed and developed pursuant to secure software development lifecycle processes, for example, strict control over access to source code, rigorous code review and testing, and securely segregated development, test, and production environments.

 

4. We require our entire team to review and certify compliance with a comprehensive set of information security policies, which we then monitor and enforce.

 

5. We provide regular training to raise awareness regarding cyber security and data privacy issues and strive to maintain a corporate culture where employees are vigilant for cyber-threats and prepared for cyber security incidents.

 

6. We provide our customers with the security benefits that come with the most advanced cloud computing infrastructure. Aside from the formidable infrastructure security, DAI CloudPH has architected its services so that customer environments are securely segregated. Administrative access to DAI CloudPH’s services is strictly limited to a small number of DAI CloudPH personnel on the basis of “need to know” and “least privilege” and requires the use of Multi-Factor Authentication.

 

7. These DAI CloudPH employees, as well as those who support customers and may need to access customer databases for support purposes, can only do so through encrypted channels via a DAI CloudPH IP address. This means that DAI CloudPH’s access to a customer database for support purposes requires a connection through either a DAI CloudPH physical facility or office or the DAI CloudPH VPN, which uses TLS 1.2 or IPSEC. The data associated with such activity is logged by our security personnel.  

 

8. Availability of customer data is ensured through a system of daily, weekly, monthly, and quarterly backups. The backups are encrypted as well as regularly tested. Retention of the various backups is scheduled to provide recovery under multiple different scenarios and varying historical timing implications.

 

9. DAI CloudPH uses leading-edge technology to ensure that the person who is trying to access your company’s data is exactly who they say they are. For example, user logins can be limited to specific IP addresses, which means that no one without a recognizable IP address will be able to access the system. A variety of password protection measures can be put in place as well. You can decide how often users are prompted to change their passwords. Password complexity requirements can help ensure only difficult-to-crack passwords are chosen. Even one-time password and single-sign-on solutions can be installed, which means a unique multi-factor method of access is required to gain access at every log-in attempt.

 

10. DAI CloudPH allows customers to control user access to their data, functions, and features that are necessary to the user’s role using a role-based access control approach.

 

11. DAI CloudPH offers data encryption as the main feature. DAI CloudPH uses the same encryption technology that protects financial institutions as well as the United States military. Sensitive fields such as credit card and social security numbers within your SQL databases are encrypted. Internal systems use Advanced Encryption Standard (AES) 128-, 192-, or 256-bit encryption. External access to the DAI CloudPH portal is via TLS 1.2.

 

12. DAI CloudPH already has a fully staffed, highly trained, 24/7 security operations centre. It is their responsibility to monitor and protect your data.
