With the introduction of new European Union (EU) legislation, due in May 2018, regarding the collection, storage and processing of personal data, Cloud9 Software (C9S) has been working to ensure that the Intelligentcontract.com service is compliant in advance of its introduction. The General Data Protection Regulation (GDPR) is due for introduction across the EU in May 2018 and places additional obligations on Data Processors of personal data.
At Cloud9 Software we take these obligations very seriously. We have produced this short summary paper to outline how we will fulfil our GDPR (as Data Processor) Obligations. Below are the key GDPR obligations for data processors and how C9S fulfils each.
Establish a representative in the EU, if the organisation is not located within the EU (in accordance with Article 27)
Cloud9 Software Limited is a business registered and located in the United Kingdom. Cloud9 Software is wholly owned subsidiary of Datix (Holdings) Limited As of January 1st 2021, the United Kingdom is located outside the EU.
Datix ( Holdings ) Limited hereby designates and appoints Data Priva Limited T/A GDPREP.ORG (‘GDPREP.ORG’) as its duly authorised EU Representative pursuant to Article 27 of the General Data Protection Regulation (the ‘GDPR ‘) (EU) 2016/679 of the European Parliament and of the Council dated 27th April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
Each of our customers that reside outside the EU must nominate a representative that resides within the EU. This can be done by any administrator (including the key user) of the Intelligentcontract account navigating to the Configuration menu. There is a section named "Data Protection". In this section, you are able to nominate the name and contact details of your EU Representative.
Only Act on the written instructions of the controller (Article 29)
We commit to only complete any data related actions with the written instructions from the nominated key user for each customer account. This instruction will be accepted either electronically (email, helpdesk ticket response) or in written form. If the key user is no longer available at the customer organisation, we provide an offline process for the nomination of a new key user. Please contact support for more information about this process.
Implement and Comply with an Adequate Data Processing Agreement (DPA)
C9S has re-worked the terms of service and privacy policy associated with the service and introduced a GDPR compliant data processing agreement (DPA) associated to the terms of service and privacy policy. We explicitly name our sub-data processors. All versions of our terms of service are GDPR compliant from September 2017 onwards. The latest versions can be found here:
Our terms of service: https://www.intelligentcontract.com/en-gb/terms-and-conditions/
Our Privacy Policy: https://www.intelligentcontract.com/en-gb/privacy-policy/
Our data processing agreement: https://www.intelligentcontract.com/en-gb/data-processing-agreement/
Our list of data processors: https://www.intelligentcontract.com/en-gb/sub-processors/
Nominate a data protection officer in accordance with Article 37
Cloud9 Software Limited has nominated Paul Darlow (Director) as our Data Protection Officer. He can be contacted by email ([email protected]).
Each of our customers must nominate a data protection officer. The data protection officer will be notified if there is an incident. This can be done by any administrator (including the key user) of the Intelligentcontract account navigating to the Configuration menu. There is a section named "Data Protection". In this section you are able to nominate the name and contact details of your data protection officer.
Restrict the appointment of sub-data processors (Article 28.2)
We maintain a list of Sub-data processors that support the intelligentcontract.com service. As part of the terms of service, the data processing agreement details the current list of sub-processes. The current list of data sub-processors can be found here: https://www.intelligentcontract.com/en-gb/sub-processors/
If C9S add a new data sub-processor we will notify the key user and the nominated data protection officer (which may be the same person) of each account by email of the details (country of operation, purpose and name of service/organisation) of the new data sub-processor. Each customer has the right to not accept any new data processor and they will be able to terminate their use of the service.
Keep a Record of Processing activities in accordance with Article 30.2
Cloud9 Software is obligated to keep records relating to the processing of data as part of the intelligentcontract.com service. Specifically, we maintain:
- the name and contact details of the key user and the data protection officer for each customer; and
- A list of third countries (i.e. our sub-processors' locations) that personal data may be transferred to
Co-operate with the Supervisory Authorities (such as the ICO) in accordance with Article 31
We are committed to fulfilling our data processing obligations under the GDPR rules. As such we commit to cooperate and comply with all instructions issued by a GDPR supervisory authority.
Implement Adequate Data Security in accordance with Article 32
In addition to security processes (both physical and electronic) offered by our hosting partner (Amazon Web Services), Cloud9 Software has active Data Security Policies and Procedures. This includes our Business Continuity Plan. On an annual basis, all key staff are required to undertake Data Security training. As part of this annual session we also take the Opportunity to review the policies and procedures and update them if required. A summary of the current security policies and procedures can be found here: https://support.intelligentcontract.com/solution/articles/22000180240-data-security
Notify personal data Breaches to the Data Controller
For each of our customers we maintain the name of the Key user. In addition, we ask our customers to nominate a data protection officer. This may be the same person. In the event that we become aware of a data breach, we will inform both the nominated key user and data protection officer for each customer. We will communicate by email detailing the nature of the data breach and, if we are aware, detail the scope of the breach. We will communicate as soon as practically possible. It is the responsibility of our customers to update C9S if the key user or the data protection officer details we hold (including incorrect email addresses) change.
User Access and Choice
Upon request Cloud9 Software will provide you with information about whether we hold any of your personal information. You may access, correct, request deletion of your personal information, or withdraw provided consent by logging in to your account or by contacting us at [email protected]
Some rights such as rectification or correction of your data can be exercised through your account’s self-service portal.
We will also send you service related email announcements on rare occasions when it is necessary to do so. For instance, if our service is temporarily suspended for maintenance, we might send you an email. You do not have an option to opt out of these emails, which are not promotional in nature.
You may also contact us to confirm if we are processing any information relating to you. We will respond to your request within a reasonable timeframe.
Data Retention
We will retain your information as needed to provide you services. Once your relationship with Cloud9 Software is terminated, we will delete any personal information we hold within a period of 60 days from the date of termination. Even if you close your account with Cloud9 Software, we will still retain and use your information as necessary to comply with our legal obligations, financial or audit requirements, to resolve disputes, and enforce our agreements. However, we will identify your account in our database as “Suspended” or “Cancelled”.
Opt-out Preferences
When you register for an account, we will use your name and email address which you have opted-in to send periodic emails to you of both promotional and transactional in nature. Out of respect for your privacy, you may choose to stop receiving promotional emails by following the unsubscribe instructions included in these emails or you can contact us at [email protected]
Data Portability
Upon request, we will endeavour to provide you with a complete copy of your personal data held or processed by us in a structured, commonly accepted, and machine-readable format. We have provided this as a part of service to download required data whenever needed by the customer themselves.
Third party links
Occasionally, at our discretion, we may include links to our merchant partners (third party products or services) on our website. These third party sites have separate and independent privacy policies. We therefore have no responsibility or liability for the content and activities of these linked sites. Nonetheless, we seek to protect the integrity of our site and welcome any feedback about these sites.
Testimonials
We display personal testimonials of satisfied customers on our website in addition to other endorsements. With your consent, we may post your testimonial along with your name. If you wish to update or delete your testimonial, you can contact us at [email protected]
Single Sign-On
You can log in to our website using sign-in services such as Google and office365. These services will authenticate your identity, provide you the option to share certain personal information (such as your name and email address) with us, and to pre-populate our sign up form. Services like sign in with Google and Office365 give you the option to post information about your activities on this website to your profile page to share with others within your network.