
Data Processing Addendum

Personal Data Processing Addendum

 

Effective Date: January 1, 2025

 

This Personal Data Processing Addendum (“DPA”) forms an integral part of any contract, service order, or terms of service (the “Agreement”) entered into between the Client (the “Data Controller”) and Cloud Sited Solutions S.A. de C.V. (the “Data Processor”).

 

1. Definitions

“Applicable Data Protection Law” means all data protection and privacy laws and regulations that are applicable to the processing of Personal Data under this DPA, including the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and the Mexican Federal Law on the Protection of Personal Data Held by Private Parties.

 

“Personal Data” means any information relating to an identified or identifiable natural person that is processed by the Processor on behalf of the Controller.

 

“Subprocessor” means any third party engaged by the Processor to carry out Personal Data processing activities.

2. Scope and Functions

 

The Controller determines the purposes and means of processing Personal Data.

 

The Processor will process Personal Data exclusively in accordance with documented instructions from the Controller.

 

 

3. Obligations of the Processor

 

The Processor undertakes to:

Process Personal Data only to provide the Services established in the Contract.

Implement appropriate technical and organizational measures to protect Personal Data.

Ensure that persons authorized to process Personal Data are subject to confidentiality obligations.

Assist the Controller in responding to requests from data subjects.

 

Assist the Controller in fulfilling the obligations set forth in Articles 32 to 36 of the GDPR (security, breach notification, impact assessments).

 

Delete or return Personal Data upon termination of the Contract, unless there is a legal obligation to retain it.

 

Provide the Controller with the information necessary to demonstrate compliance with this DPA and enable audits in accordance with Clause 9.

4. Subprocessors

 

The Processor may engage Subprocessors. The Processor undertakes to:

 

Maintain an updated list of Subprocessors, available upon request.

 

Inform the Controller of any planned changes to the engagement or replacement of Subprocessors.

 

Require Subprocessors to have contractual obligations equivalent to those set forth in this DPA.

 

 

5. International Transfers

 

The Processor will not transfer Personal Data outside the European Economic Area or Mexico unless:

 

Appropriate safeguards are implemented (e.g., Standard Contractual Clauses), and

Such transfers comply with Applicable Data Protection Law.

 

 

 

6. Security Measures

 

The Processor has implemented and maintains security measures that include, but are not limited to:

 

Encryption of Personal Data in transit and at rest.

 

Access controls and authentication mechanisms.

 

Security monitoring and periodic vulnerability testing.

 

Backups and disaster recovery plans.

7. Data Subject Rights

 

The Processor will promptly notify the Controller if it receives a request to exercise rights from a data subject and will cooperate with the Controller to address such request.

 

8. Data Breaches

 

The Processor will notify the Controller without undue delay after becoming aware of a Personal Data Breach.

 

9. Audit Rights

 

The Controller may, with reasonable notice and no more than once every twelve (12) months (unless required by a Supervisory Authority or Applicable Law), audit the Processor's compliance with this DPA.

 

 

10. Liability

 

Liability arising from this DPA will be subject to the limitations and exclusions of liability set forth in the Agreement.

11. Applicable Law

 

This DPA shall be governed by the same law and jurisdiction applicable to the Agreement.

 

 

 

Annex 1 – Processing Details

 

Subject Matter: Provision of Services under the Agreement

Duration of Processing: During the term of the Agreement plus the retention period required by applicable law

Nature and Purpose: Hosting, support, maintenance, and related services

Types of Personal Data: Names, email addresses, user IDs, telephone numbers, and other data provided by the Controller

Categories of Data Subjects: Employees, customers, and end users of the Controller

 

Annex 2 – Subprocessors

 

The updated list of Subprocessors is available upon request by emailing: admin@cloudsitedsolutions.com

Formalization

This DPA is incorporated by reference into any Agreement entered into between the parties.

 

To be valid, it must be executed and signed by both parties.

 

If you are a current customer and would like to sign this DPA, please contact us at: admin@cloudsitedsolutions.com

 

Contact Information

Cloud Sited Solutions S.A. de C.V.

CIRCUITO VALLE DORADO MANZANA A 6 1 LOTE 5 LOMA DE VALLE ESCONDIDO 52937, ATIZAPÁN DE ZARAGOZA, State of Mexico, Mexico

Email: admin@cloudsitedsolutions.com

Website: www.cloudsitedsolutions.com
