Data Processing Agreement
Document Version: 1.0 — Last Updated: March 9, 2026
Between:
- Data Controller: [Customer Name] ("Controller")
- Data Processor: ChenPo LLC, d/b/a CloudRepo ("Processor")
1. Definitions
For the purposes of this Data Processing Agreement ("DPA"), the following terms shall have the meanings set forth below:
- "Personal Data" means any information relating to an identified or identifiable natural person ("Data Subject"), as defined in Article 4(1) of the GDPR.
- "Processing" means any operation or set of operations performed on Personal Data, whether or not by automated means.
- "Data Subject" means an identified or identifiable natural person whose Personal Data is processed under this DPA.
- "Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
- "Data Breach" (also "Personal Data Breach") means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed, as defined in Article 4(12) of the GDPR.
- "GDPR" means Regulation (EU) 2016/679 (General Data Protection Regulation).
- "Service Agreement" means the underlying agreement between Controller and Processor for the provision of CloudRepo services.
- "Standard Contractual Clauses" (SCCs) means the standard contractual clauses for the transfer of personal data to processors established in third countries, as adopted by the European Commission.
2. Scope and Purpose of Processing
2.1. The Processor provides cloud-based software artifact and package repository services to the Controller under the Service Agreement. This DPA governs the Processing of Personal Data by the Processor on behalf of the Controller in connection with those services.
2.2. Nature and purpose of Processing: The Processing includes storage, retrieval, and management of software artifacts; user account management; billing and payment processing; and customer support.
2.3. Categories of Data Subjects: Controller's employees, contractors, and other authorized users of the services.
2.4. Types of Personal Data processed:
- Account information (name, email address, company affiliation)
- Usage data (access logs, feature usage, session metadata)
- Billing information (billing contact details, payment method identifiers)
- Support communications (support tickets, chat transcripts, email correspondence)
2.5. Duration of Processing: Processing shall continue for the term of the Service Agreement, unless otherwise specified in this DPA.
3. Obligations of the Data Controller
3.1. The Controller determines the purposes and means of Processing of Personal Data and shall ensure that the Processing of Personal Data under this DPA is lawful under applicable data protection law.
3.2. The Controller is responsible for ensuring that a lawful basis exists for the Processing of Personal Data, including obtaining and managing Data Subject consent where required.
3.3. The Controller shall provide documented instructions to the Processor regarding the Processing of Personal Data. The Service Agreement and this DPA constitute the Controller's initial instructions.
3.4. The Processor shall immediately inform the Controller if, in the Processor's opinion, an instruction infringes applicable data protection law. The Controller shall then review and, where necessary, amend or withdraw the instruction without undue delay.
4. Obligations of the Data Processor
4.1. Processing on instructions. The Processor shall process Personal Data only on documented instructions from the Controller, unless required to do so by applicable law.
4.2. Confidentiality. The Processor shall ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
4.3. Security measures. The Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
- AES-256 encryption at rest for all stored data
- TLS 1.2+ encryption for all data in transit
- Password hashing with PBKDF2 using HMAC-BLAKE2b-512 as the pseudorandom function, at 50,000 iterations
- Multi-factor authentication (MFA) required for all production system access
- Principle of least privilege for all access controls
- Automated backups with point-in-time recovery
- DDoS protection via AWS Shield Standard
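The password-hashing control listed above, shown as a worked example written for this edit rather than code from CloudRepo: PBKDF2 (RFC 8018) with HMAC-BLAKE2b-512 as the PRF at 50,000 iterations, a constant-time verifier, and a check that flags records hashed under an older, weaker policy. The 16-byte per-user random salt, the `scheme$iterations$salt$hash` storage format and the `needs_rehash` helper are assumptions for illustration; the DPA states only the algorithm and iteration count. The generic `pbkdf2` function is written so it can be cross-checked against `hashlib.pbkdf2_hmac` with SHA-256.

```python
import hashlib
import hmac
import os
import struct
from typing import Optional

ITERATIONS = 50_000            # iteration count stated in Section 4.3
SALT_LEN = 16                  # per-user random salt; length is an assumption, not stated in the DPA
SCHEME = "pbkdf2-blake2b512"   # record tag; storage format is an assumption for this example


def pbkdf2(hash_ctor, password: bytes, salt: bytes, iterations: int, dk_len: int) -> bytes:
    """PBKDF2 (RFC 8018 section 5.2) using HMAC over hash_ctor as the PRF."""
    if iterations < 1 or dk_len < 1:
        raise ValueError("iterations and dk_len must be positive")
    out = b""
    block_index = 1
    while len(out) < dk_len:
        # U_1 = PRF(P, S || INT(i)); U_j = PRF(P, U_{j-1}); T_i = U_1 xor ... xor U_c
        u = hmac.new(password, salt + struct.pack(">I", block_index), hash_ctor).digest()
        t = int.from_bytes(u, "big")
        for _ in range(iterations - 1):
            u = hmac.new(password, u, hash_ctor).digest()
            t ^= int.from_bytes(u, "big")
        out += t.to_bytes(len(u), "big")
        block_index += 1
    return out[:dk_len]


def hash_password(password: str, salt: Optional[bytes] = None, iterations: int = ITERATIONS) -> str:
    """Derive a 64-byte key with HMAC-BLAKE2b-512 and encode it with its parameters."""
    salt = os.urandom(SALT_LEN) if salt is None else salt
    dk = pbkdf2(hashlib.blake2b, password.encode("utf-8"), salt, iterations, 64)
    return f"{SCHEME}${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute from the stored parameters and compare in constant time."""
    try:
        scheme, iters, salt_hex, dk_hex = stored.split("$")
        iterations = int(iters)
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(dk_hex)
    except ValueError:
        return False
    if scheme != SCHEME or iterations < 1 or len(expected) != 64:
        return False
    actual = pbkdf2(hashlib.blake2b, password.encode("utf-8"), salt, iterations, 64)
    return hmac.compare_digest(actual, expected)


def needs_rehash(stored: str) -> bool:
    """True when a record was produced under a weaker policy than the current ITERATIONS."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != SCHEME:
        return True
    try:
        return int(parts[1]) < ITERATIONS
    except ValueError:
        return True
```

The iteration count is stored with each record, so raising `ITERATIONS` later does not invalidate existing hashes; `needs_rehash` lets a login path transparently re-hash a verified password under the new policy, which is the usual way to ratchet the work factor up over time.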
4.4. Sub-processors. The Processor shall not engage another processor without the Controller's prior specific or general written authorization, as provided in Section 5.
4.5. Data Subject requests. The Processor shall assist the Controller in fulfilling the Controller's obligations to respond to requests from Data Subjects exercising their rights under applicable data protection law.
4.6. Assistance with compliance. The Processor shall assist the Controller in ensuring compliance with obligations related to security of Processing, notification of Data Breaches, data protection impact assessments, and prior consultation with Supervisory Authorities.
4.7. Deletion or return. Upon termination of the Service Agreement, the Processor shall, at the Controller's election, delete or return all Personal Data to the Controller within 30 days.
4.8. Demonstration of compliance. The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this DPA and allow for and contribute to audits.
5. Sub-processors
5.1. The Controller provides general written authorization for the Processor to engage Sub-processors for the purposes described in this DPA. The current list of Sub-processors is set forth in Annex B and maintained at cloudrepo.io/subprocessors.
5.2. The Processor shall notify the Controller at least 30 days before adding or replacing a Sub-processor.
5.3. The Controller may object to a new or replacement Sub-processor within 14 days of receiving notification.
5.4. If the Controller raises a reasonable objection, the Processor shall use commercially reasonable efforts to make available an alternative solution. If no alternative is available within 30 days, the Controller may terminate the Service Agreement without penalty.
5.5. The Processor shall impose data protection obligations no less protective than those set out in this DPA on each Sub-processor. The Processor remains fully liable for the performance of each Sub-processor's obligations.
6. Data Subject Rights
6.1. The Processor shall assist the Controller in responding to requests from Data Subjects exercising their rights under the GDPR, including:
- Right of access (Article 15)
- Right to rectification (Article 16)
- Right to erasure (Article 17)
- Right to restriction of processing (Article 18)
- Right to data portability (Article 20)
- Right to object (Article 21)
6.2. If the Processor receives a request directly from a Data Subject, the Processor shall promptly notify the Controller.
6.3. The Processor shall provide reasonable assistance within 10 business days of receiving a request.
7. Data Breach Notification
7.1. The Processor shall notify the Controller without undue delay, and in any event no later than 72 hours, after becoming aware of a Personal Data Breach.
7.2. The notification shall include, to the extent available:
- A description of the nature of the Personal Data Breach including, where possible, the categories and approximate number of Data Subjects and Personal Data records concerned
- The name and contact details of the Processor's data protection point of contact
- A description of the likely consequences of the breach
- A description of the measures taken or proposed to address the breach
7.3. Where it is not possible to provide all information at the same time, the Processor shall provide the information in phases without undue further delay.
7.4. The Processor shall cooperate in the investigation and remediation of any Personal Data Breach.
8. Data Deletion/Return
8.1. Upon termination or expiration of the Service Agreement, the Processor shall, at the Controller's written election:
- (a) Return all Personal Data to the Controller in a commonly used, machine-readable format; or
- (b) Delete all Personal Data, including all copies thereof.
8.2. The Processor shall complete the deletion or return within 30 days of termination.
8.3. Deletion shall include all copies of Personal Data, except where retention is required by applicable law.
8.4. The Processor shall certify deletion in writing upon the Controller's request.
9. Audit Rights
9.1. The Controller has the right to audit the Processor's compliance with this DPA. Audits may be conducted by the Controller or by an independent third-party auditor.
9.2. The Processor shall cooperate with reasonable audit requests.
9.3. The Controller shall provide at least 30 days' written notice before conducting an audit.
9.4. Audits shall be limited to once per 12-month period, unless a Personal Data Breach has occurred.
9.5. Audits shall be conducted during normal business hours and in a manner that minimizes disruption.
9.6. The Controller shall bear the costs of the audit, unless the audit reveals material non-compliance.
10. International Data Transfers
10.1. Except as set out in Section 10.2, customer data is stored and processed in the United States, in the AWS US West (N. California) region (us-west-1).
10.2. The Processor does not itself transfer Personal Data outside the United States. Certain Sub-processors listed in Annex B process limited data categories in the European Union; those Sub-processors and the data categories involved are disclosed in Annex B.
10.3. For transfers from the EU/EEA to the United States, the parties agree to the Standard Contractual Clauses (Module Two: Controller to Processor) as adopted by the European Commission Decision (EU) 2021/914.
10.4. The Processor shall ensure that any Sub-processor located outside the EU/EEA provides adequate safeguards for the protection of Personal Data.
11. Term and Termination
11.1. This DPA shall become effective on the Effective Date and shall remain in force for the duration of the Service Agreement.
11.2. Upon termination, the data deletion and return provisions set forth in Section 8 shall apply.
11.3. The following provisions shall survive termination:
- Confidentiality obligations (indefinitely)
- Audit rights (for 12 months following termination)
- Data deletion/return obligations (Section 8)
- Liability provisions (Section 12)
- Any obligations required by applicable law
12. Liability
12.1. Each party's liability under this DPA is subject to the limitations set forth in the Service Agreement.
12.2. The Processor's total aggregate liability shall not exceed the total fees paid by the Controller in the 12 months immediately preceding the event giving rise to the claim.
12.3. Neither party excludes or limits liability for:
- Fraud or fraudulent misrepresentation
- Gross negligence or willful misconduct
- Any liability that cannot be excluded or limited under applicable law
Annex A: Details of Processing
| Detail | Description |
|---|---|
| Subject matter | Software artifact and package repository services |
| Duration | Term of the Service Agreement |
| Nature and purpose | Storage, management, and delivery of software artifacts; user account management; billing and payment processing; customer support |
| Types of Personal Data | Account information, billing information, usage data, support communications |
| Categories of Data Subjects | Controller's employees, contractors, and authorized users |
| Data location | United States, AWS US West (N. California), us-west-1; EU-located Sub-processors per Annex B |
Annex B: Sub-processors
The current list is maintained at cloudrepo.io/subprocessors.
| Sub-processor | Purpose | Location | Compliance |
|---|---|---|---|
| Amazon Web Services (AWS) | Infrastructure, storage, compute | United States | SOC 2, ISO 27001, FedRAMP |
| Braintree/PayPal | Payment processing | United States | PCI DSS Level 1, SOC 2 |
| GitHub | Source code management | United States | SOC 2, ISO 27001 |
| Postmark | Transactional email | United States | SOC 2 |
| Grafana Cloud | Monitoring and observability | United States | SOC 2 |
| Amplitude | Product analytics | United States | SOC 2 |
| Intercom | Customer support | United States | SOC 2 |
| Sentry | Error tracking and monitoring | United States | SOC 2 |
| Google Tag Manager | Marketing analytics | United States | SOC 2 |
| n8n (Cloud) | Workflow automation | Germany (EU) | SOC 2 |
| Supabase | Billing and operational systems | United States | SOC 2 |
| Baserow (Cloud) | Billing and operational systems | Netherlands (EU) | SOC 2 |
A downloadable version of this document is available at data-processing-agreement.md. For a countersigned copy, contact security@cloudrepo.io.