Last Updated: June 9th, 2020
Download a word version here.
This Data Processing Agreement (“DPA”) is made and entered into as of the date of last signature below (“Effective Date”) by and between you, our Customer (hereinafter referred to as “ Customer”, or “Controller”), and us Cloud4WI (referred to as “Processor”). This Data Processing Agreement is a supplement to and made a part of the Customer Terms of Service (“Agreement”).
If you are accepting these Data Processing Agreement on behalf of Customer, you warrant that: (a) you have full legal authority to bind Customer to these Data Processing Agreement; (b) you have read and understand these Data Processing Agreement; and (c) you agree, on behalf of Customer, to this Data Processing Agreement. If you do not have the legal authority to bind Customer, please do not accept these Data Processing Terms.
All capitalized terms used in this DPA shall have the meanings given to them below:
"Applicable Data Protection Law": means all applicable international, federal, national and state privacy and data protection laws that apply to the processing of Personal Data that is the subject matter of the DPA (including, where applicable, European Data Protection Law).
"Controller": means the entity that determines the purposes and means of the processing of Personal Data, and for the purposes of this DPA means Customer.
“Customer” means in the case of an individual accepting this Agreement on his or her own behalf, such individual, or in the case of an individual accepting the Master Service Agreement on behalf of a company or other legal entity, the company or other legal entity for which such individual is accepting this Agreement, and Affiliates of that company or entity (for so long as they remain Affiliates) which have entered into Order Forms with the intention of making use of Cloud4Wi Services at one or more of its venues.
"Data Subject": means the identified or identifiable person to whom Personal Data related.
“Documentation” means the applicable documentation at https://support.cloud4wi.com which includes Cloud4Wi’s Policies and Agreements, as updated from time to time.
"European Data Protection Law": means: (i) prior to 25 May 2018, the EU Data Protection Directive 95/46/EC, and any applicable national implementation of it; and (ii) on and after 25 May 2018, the EU General Data Protection Regulation 2016/679 ("GDPR") and any applicable national laws made under the GDPR.
"Personal Data" (“Data”): means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
"Processor": means an entity that processes Personal Data on behalf of the Controller, and for the purposes of this DPA means Cloud4Wi.
"Service" (“Services”): means any product or service provided by the Processor to the Customer pursuant to the DPA and the Agreement.
The definitions not present have the same meaning as in the General Data Protection Regulation of 2016/679.
- GENERAL DATA PROTECTION OBLIGATIONS
2.1 Relationship of the Parties: As between the Parties, Customer is the Controller and appoints Cloud4WI as a Processor to process the Personal Data described in section 1.4.
2.2 Purpose limitation: Processor shall process the Data as a Processor only for the purposes described in Annex 1 and strictly in accordance with the documented instructions of the Customer (the "Permitted Purpose") and processing outside the scope of these instructions (if any) shall require prior written agreement between Customer and Cloud4Wi.
Notwithstanding anything to the contrary in the Agreement (including this DPA), Customer acknowledges that Cloud4Wi shall have a right to use and disclose data relating to the operation, support and/or use of the Services for its legitimate business purposes, such as billing, account management, technical support, product development and sales and marketing.
2.3 International transfers of Data: Processor shall, at all times provide, an adequate level of protection for the Data, wherever processed, in accordance with the requirements of Applicable Data Protection Law. Processor shall not process or transfer any Data originating from the European Economic Area (EEA) in or to a territory which has not been designated by the European Commission as providing an adequate level of data protection unless it has first obtained Customer's prior written consent.
2.4 Confidentiality of processing: The Processor shall keep strictly confidential all Personal Data that it processes on behalf of Customer. The Processor shall ensure that any person that it authorises to process the Data (including the Processor's staff, agents and subcontractors) (each an "Authorised Person") shall be subject to a strict duty of confidentiality (whether a contractual duty or a statutory duty), and shall not permit any person to process the Data who is not under such a duty of confidentiality. Processor shall ensure that only Authorised Persons will have access to, and process, the Data, and that such access and processing shall be limited to the extent strictly necessary to achieve the Permitted Purpose. Processor accepts responsibility for any breach of this DPA caused by the act, error or omission of an Authorised Person.
2.5 Security: Processor shall implement appropriate technical and organisational measures to protect the Data from (i) accidental or unlawful destruction, and (ii) loss, unauthorized alteration, unauthorised disclosure of, or unauthorized access to the Data. At a minimum, such measures shall include the security measures identified in Annex 2 to this DPA.
Customer acknowledges that the Service is not intended or designed for the Processing of Sensitive Information, and the Customer agrees not to provide any Sensitive Information through the Service.
2.6 Subcontracting: Controller consents to Processor engaging third party sub-Processors, including Certified Partners of Processor, to process the Data provided that:
- Processor will provide to Customer an up-to-date list of its then-current sub-Processors upon request; the list is also published online at https://cloud4wi.zendesk.com/hc/en-us/articles/360003452492
- Processor provides at least thirty (30) days' prior written notice of the addition or removal of any sub-Processor (including the categories of Data processed, details of the processing it performs or will perform, and the location of such processing).
In all cases, Processor shall impose the data protection terms on any sub-Processor it appoints that at a minimum meets the requirements provided for by this DPA and Processor shall remain fully liable for any breach of this DPA that is caused by an act, error or omission of its sub-Processor.
2.7 Cooperation and individuals' rights: To the extent permitted by Applicable Law, Processor shall provide reasonable and timely assistance to Customer to enable Customer to respond to: (i) any request from an individual to exercise any of its rights under Applicable Data Protection Law; and (ii) any other correspondence, enquiry or complaint received from an individual, regulator, court or other third party in connection with the processing of the Data. In the event that any such communication is made directly to Processor, Processor shall instruct such individual to contact Customer directly.
2.8 Data Protection Impact Assessment: If Processor believes or becomes aware that its processing of the Data is likely to result in a high risk to the data protection rights and freedoms of individuals, it shall promptly inform Customer of the same. Processor shall provide Customer with all such reasonable and timely assistance as Customer may require in order to conduct a data protection impact assessment and, if necessary, consult with its relevant data protection authority.
2.9 Security incidents: Upon becoming aware of a Security Incident, Processor shall inform Customer without undue delay (and, in any event, within 32 hours) and shall provide such timely information and cooperation as Customer may require in order for Customer to fulfil its data breach reporting obligations under (and in accordance with the timeliness required by) Applicable Data Protection Law and relevant contractual obligations owed by Customer to its subscribers. Processor shall cooperate with Customer in taking all appropriate measures and actions as are necessary to remedy or mitigate the effects of the Security Incident, shall manage and modify its systems to remedy or mitigate such Security Incident and the likelihood of future similar Security Incidents, and shall keep Customer informed of all developments in connection with the Security Incident. Processor shall not notify any third parties of a Security Incident affecting the Data unless and to the extent that: (a) Customer has agreed to such notification, and/or (b) notification is required to be made by Processor under Applicable Data Protection Laws.
2.10 Deletion or return of Data: Upon termination or expiry of the DPA, Processor shall (at Customer's request) destroy all Data (including all copies of the Data) in its possession or control (including any Data subcontracted to a third party for processing); provided, however, that customer data (including Data) may be retained on backup for a period of up to eighteen (18) months for legal and compliance purposes. Notwithstanding the foregoing, Processor shall not reduce the security measures at any time until such Data is permanently deleted.
2.11 Audit: Processor shall permit Customer (or its appointed third-party auditors) to audit Processor's compliance with this DPA, and shall make available to Customer all information, systems and staff necessary for Customer (or its third-party auditors) to conduct such audit. Processor acknowledges that Customer (or its third-party auditors) may enter its premises for the purposes of conducting this audit, provided that Customer gives it reasonable prior notice of its intention to audit, conducts its audit during normal business hours, and takes all reasonable measures to prevent unnecessary disruption to Processor's operations. Customer will not exercise its audit rights more than once in any twelve (12) calendar month period, except (i) if and when required by instruction of a competent data protection authority; or (ii) Customer believes a further audit is necessary due to a Security Incident suffered by Processor. Processor shall also respond to any written audit questions submitted to it by Customer.
2.12 Indemnity: Processor (the "Indemnifying Party") shall defend and fully indemnify Customer from and against all loss, harm, cost (including reasonable attorney's fees), fines, expense, and liability that Customer may suffer or incur arising as a result of Processor's breach or non-compliance with this DPA. The foregoing shall be subject to the indemnification procedures set forth in the Agreement.
2.13 General cooperation to remediate: In the event that Applicable Data Protection Law, or a data protection authority or regulator, provides that the transfer or processing of Personal Data under this DPA is no longer lawful or otherwise permitted, then the Parties shall agree to remediate the processing (by amendment to this DPA or otherwise) to the extent practical in order to meet the necessary standards or requirements. If Processor is unable to remediate the processing, then Customer will be entitled to terminate the DPA (and any other agreement between the Parties relating to the provision of services by Processor to Customer) without penalty.
3.1 The obligations placed upon the Processor under this DPA shall survive so long as Processor and/or its sub-Processors Process Personal Data on behalf of Customer.
DETAILS OF PROCESSING OF CONTROLLER PERSONAL DATA
This Annex 1 includes certain details of the Processing of Controller Personal Data as required by Article 28(3) GDPR.
Subject matter and duration of the Processing of Controller Personal Data
The subject matter and duration of the Processing of the Controller Personal Data are set out in the Agreement and this DPA.
The nature and purpose of the Processing of Controller Personal Data
Cloud4Wi will Process Personal Data as necessary to perform the Services pursuant to the Agreement, as further specified in the Service Documentation, and as further instructed by Customer in its use of the Services.
The categories of Data Subject to whom the Controller Personal Data relates
The Customer may collect Personal Data with the Service, the extent of which is determined and controlled by Customer, and which may include, but is not limited to Personal Data relating to the following categories of data subjects:
- Prospects, customers, visitors, subscribers of the Customer (who are natural persons)
- Employees, agents, advisors or business partners of the Customer
- Customer's users authorized by the Customer to use the Service
The types of Personal Data to be Processed
The Customer may collect and submit Personal Data of Users and Subscribers to the Processor, the extent of which is determined and controlled by Customer on its sole discretion, depending also on services products, licenses, and subscriptions purchased by the Customer, and which may include, but is not limited to, the following categories of Personal Data:
- Demographic and contact data (including but not limited to name, title, email address, phone number) as well as other identification data (ex. passport number, identifiers of other services)
- Details of devices used to connect to WiFi service (including device identifier, device model, device operating system)
- WiFi usage and activity data (such as location and duration of each WiFi connection)
- Location data (such as the history of visited locations)
The Customer may also submit content to Service which may include other Personal Data and special categories of data, the extent of which is determined and controlled by the Customer in its sole discretion.
DESCRIPTION OF THE TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES
This Annex 2 includes the description of the technical and organizational security measures implemented by the Data Processor.
Cloud4Wi currently observes the security practices described in this Annex 2. Notwithstanding any provision to the contrary otherwise agreed to by data exporter, Cloud4Wi may modify or update these practices at its discretion provided that such modification and update does not result in a material degradation in the protection offered by these practices. All capitalized terms not otherwise defined herein shall have the meanings as set forth in this DPA.
- a) Access Control
- i) Preventing Unauthorized Product Access
Outsourced processing: Cloud4Wi hosts its Service with outsourced cloud infrastructure providers. Additionally, Cloud4Wi maintains contractual relationships with vendors in order to provide the Service in accordance with this DPA. Cloud4Wi relies on contractual agreements, privacy policies, and vendor compliance programs in order to protect data processed or stored by these vendors.
Physical and environmental security: Cloud4Wi hosts its product infrastructure with multi-tenant, outsourced infrastructure providers. The physical and environmental security controls are audited for SOC 2 Type II and ISO 27001 compliance, among other certifications.
Authentication: Cloud4Wi implemented a uniform password policy for its customer products. Customers who interact with the products via the user interface must authenticate before accessing non-public customer data.
Authorization: Customer data is stored in multi-tenant storage systems accessible to Customers via only application user interfaces and application programming interfaces. Customers are not allowed direct access to the underlying application infrastructure. The authorization model in each of Cloud4Wi’s products is designed to ensure that only the appropriately assigned individuals can access relevant features, views, and customization options. Authorization to data sets is performed through validating the user’s permissions against the attributes associated with each data set.
Application Programming Interface (API) access: Public product APIs may be accessed using an API key
- ii) Preventing Unauthorized Product Use
Cloud4wi implements industry standard access controls and detection capabilities for the internal networks that support its products.
Access controls: Network access control mechanisms are designed to prevent network traffic using unauthorized protocols from reaching the product infrastructure. The technical measures implemented differ between infrastructure providers and include Virtual Private Cloud (VPC) implementations, security group assignment, and traditional firewall rules.
Intrusion detection and prevention: Cloud4Wi implemented a Web Application Firewall (WAF) solution to protect hosted customer websites and other internet-accessible applications. The WAF is designed to identify and prevent attacks against publicly available network services.
Static code analysis: Security reviews of code stored in Cloud4Wi’s source code repositories is performed, checking for coding best practices and identifiable software flaws.
Penetration testing: Cloud4wi maintains relationships with industry recognized penetration testing service providers for four annual penetration tests. The intent of the penetration tests is to identify and resolve foreseeable attack vectors and potential abuse scenarios.
iii) Limitations of Privilege & Authorization Requirements
Product access: A subset of Cloud4Wi’s employees have access to the products and to customer data via controlled interfaces. The intent of providing access to a subset of employees is to provide effective customer support, to troubleshoot potential problems, to detect and respond to security incidents and implement data security. Access is enabled through “just in time” requests for access; all such requests are logged. Employees are granted access by role, and reviews of high risk privilege grants are performed periodically. Employee roles are reviewed at least once every six months.
Background checks: All Cloud4Wi employees undergo a background check prior to being extended an employment offer, in accordance with the applicable laws. All employees are required to conduct themselves in a manner consistent with company guidelines, non-disclosure requirements, and ethical standards.
- b) Transmission Control
In-transit: Cloud4Wi makes HTTPS encryption (also referred to as SSL or TLS) available on every one of its login interfaces and for every Splash Page hosted on the Cloud4Wi products. Cloud4Wi HTTPS implementation uses industry standard algorithms and certificates.
At-rest: Cloud4Wi stores user passwords following policies that follow industry standard practices for security. With effect 25 May 2018, Cloud4Wi has implemented technologies to ensure that stored data is encrypted at rest.
- c) Input Control
Detection: Cloud4Wi designed its infrastructure to log extensive information about the system behavior, traffic received, system authentication, and other application requests. Internal systems aggregated log data and alert appropriate employees of malicious, unintended, or anomalous activities.Cloud4Wi personnel, including security, operations, and support personnel, are responsive to known incidents.
Response and tracking: Cloud4Wi maintains a record of known security incidents that includes description, dates and times of relevant activities, and incident disposition. Suspected and confirmed security incidents are investigated by security, operations, or support personnel; and appropriate resolution steps are identified and documented. For any confirmed incidents, Cloud4Wi will take appropriate steps to minimize product and Customer damage or unauthorized disclosure.
Communication: If Cloud4Wi becomes aware of unlawful access to Customer data stored within its products, Cloud4Wi will: 1) notify the affected Customers of the incident; 2) provide a description of the steps Cloud4Wi is taking to resolve the incident; and 3) provide status updates to the Customer contact, as Cloud4Wi deems necessary. Notification(s) of incidents, if any, will be delivered to one or more of the Customer’s contacts in a form Cloud4Wi selects, which may include via email or telephone.
- d) Availability Control
Infrastructure availability: The infrastructure providers use commercially reasonable efforts to ensure a minimum of 99.95% uptime. The providers maintain a minimum of N+1 redundancy to power and network.
Fault tolerance: Backup and replication strategies are designed to ensure redundancy and fail-over protections during a significant processing failure. Customer data is backed up to multiple durable data stores and replicated across multiple availability zones.
Online replicas and backups: Where feasible, production databases are designed to replicate data between no less than 1 primary and 1 secondary database. All databases are backed up and maintained using at least industry standard methods.
Cloud4Wi’s products are designed to ensure redundancy and seamless failover. The server instances that support the products are also architected with a goal to prevent single points of failure. This design assists Cloud4Wi operations in maintaining and updating the product applications and backend while limiting downtime.