1. Introduction and Scope
- This Data Processing Addendum (“DPA”) is an addendum to the Terms of Service (“Terms”). All provisions of the Terms apply to and are incorporated into this DPA, but if there is a conflict between this DPA and any provisions in the Terms, then the provisions of this DPA shall control.
- This DPA only applies to Customers if and to the extent (a) Closrr Processes Customer Personal Data (defined below) for or on behalf of the Customer pursuant to the Agreement (b) and the Data Protection Laws apply to such Customer Personal Data.
- Updates to the DPA. We reserve the right to amend to this DPA at any time at our sole discretion. If we modify this DPA, we will provide notice of such changes by revising the date at the top of this DPA. Your continued use of our Services following notification of changes will constitute your acceptance of such changes. Please periodically review this DPA and check for any updates.
2. Definitions
Capitalized terms which are not defined in this DPA shall have the meaning provided elsewhere in the Agreement. In addition, the following defined terms apply solely with respect to this DPA.
- “Controller”, “Processor”, “Data Subject”, “Processing”, “Personal Data”, and “Personal Data Breach” shall have the meanings ascribed to them in Data Protection Laws.
- “Customer Personal Data” means any End User Personal Data subject to the Data Protection Laws that Customer provides, transfers, or makes accessible to Closrr in connection with the Services.
- “Data Protection Laws” means the EU General Data Protection Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 (“GDPR”), the UK Data Protection Act 2018 and the UK GDPR, the Swiss Data Protection Act, any applicable national implementing legislation of such laws, and in each case, as amended, replaced, or superseded from time to time.
3. Roles of the Parties
- The Customer is the Controller and Closrr is the Processor with respect to Customer Personal Data. Closrr shall only Process Customer Personal Data in accordance with the Customer’s documented instructions, which include the provisions of the Agreement, unless otherwise required to comply with any Data Protection Laws. We will inform you if, in our opinion, your instructions violate the Data Protection Laws.
- Customers and Closrr shall comply with the Data Protection Laws. The Customer shall obtain any required authorizations, consents, releases, or permissions, and provide all required privacy notices, regarding the Customer’s Personal Data. For the avoidance of doubt, the Customer shall have sole responsibility for the accuracy, quality, and legality of all Customer Personal Data and the bases on which it is collected from the Data Subject.
4. Nature, Purpose, and Duration of Processing
- Closrr will Process Customer Personal Data as necessary to perform the Services – which is generally limited to passive hosting of Customer Applications and related support – or to protect Closrr’s legal rights, for the duration of the Agreement, unless otherwise agreed upon in writing.
- Customer’s transfer of Customer Personal Data to Closrr in connection with the Services is determined and controlled by the Customer in its sole discretion.
- Closrr may Process the following categories of Customer Personal Data: any Personal Data collected, used, or otherwise Processed from End Users of Customer Applications.
- Closrr may Process Customer Personal Data from the following categories of Data Subjects: End Users of Customer Applications.
5. Cross-border Transfers
- You choose the Amazon Web Services (AWS) data center(s) where your Customer Applications will be hosted. You acknowledge, agree, and understand that (a) all of your Customer Personal Data will be automatically transferred and stored in the Google data center you choose, and (b) Customer Personal Data may be transferred from the European Economic Area (“EEA”), the United Kingdom, or Switzerland to the country where the Google data center is located, depending on your choice.
- Closrr and AWS have agreed to the https://aws.amazon.com/blogs/security/aws-and-eu-data-transfers-strengthened-commitments-to-protect-customer-data/. For additional information, see AWS’ commitments regarding cross-border transfers in the “International Data Transfer” section here: https://aws.amazon.com/compliance/gdpr-center/.
- The Customer authorizes the transfer of Customer Personal Data to any jurisdiction outside the EEA, including the United States, for the purpose of providing the Services. As the controller and/or exporter of Customer Personal Data, the Customer is responsible for ensuring that any such transfers comply with the Data Protection Laws.
6. Sub-processors
- Closrr engages third-party subcontractors that Process Customer Personal Data (“Sub-processors“) for the purposes of providing the Services. A current list of Sub-processors is available in Appendix A of Closrr’s online DPA, located here: https://closrr.com/legal/data-processing-addendum/ (the “Sub-processor List”). The customer authorizes Closrr to engage these Sub-processors for the purpose of providing the Services.
- Closrr may update the Sub-processor List from time to time, and such updates shall be the sole means of providing notice of Sub-processor changes to the Customer. The customer is responsible for regularly checking and reviewing the Sub-processor List. Customer’s failure to object in writing to a new Sub-processor within fourteen (14) days of Closrr’s posting of the new Sub-processor on the Sub-processor List shall constitute Customer’s authorization of the new Sub-processor.
- If Closrr determines in its sole discretion that it cannot reasonably accommodate Customer timely objection to a Sub-processor, upon notice from Closrr, Customer may choose to terminate the Agreement pursuant to the termination provisions in the Terms of Service, which shall be Customer’s sole and exclusive remedy.
- Closrr shall impose obligations on its Sub-processors that are the same as or substantially equivalent to those set out in this DPA by way of written contract. Closrr shall not be liable to the Customer for the Sub-processors’ performance of its data protection obligations with respect to Customer Personal Data.
7. Security and Impact Assessments
- Closrr shall ensure that its personnel are subject to binding obligations of confidentiality with respect to Customer Personal Data.
- Taking into account the state of the art, the costs of implementation and the nature, scope, context, and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of Data Subjects, Closrr shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.
- Taking into account the nature of Processing and the information available to Closrr, Closrr shall assist the Customer in ensuring compliance with Customer’s obligations under the Data Protection Laws with respect to security, impact assessments, and consultations with supervisory authorities or regulators.
8. Personal Data Breach
- Taking into account the nature of Processing and the information available to Closrr, Closrr shall assist the Customer in ensuring compliance with Customer’s obligations under the Data Protection Laws with respect to a Personal Data Breach.
- In the event of a discovered Personal Data Breach, Closrr shall provide prompt notice to Customer’s technical and account contacts using those means established for routine account-related communications.
- Our notice shall include the following information to the extent it is reasonably available to Closrr at the time of the notice, and Closrr shall update its notice as additional information becomes reasonably available: (a) the dates and times of the Personal Data Breach; (b) the basic facts that underlie the discovery of the Personal Data Breach, or the decision to begin an investigation into a suspected Personal Data Breach, as applicable; (c) a description of the Customer Personal Data involved in the Personal Data Breach, either specifically, or by reference to the data set(s), and (d) the measures planned or underway to remedy or mitigate the vulnerability giving rise to the Personal Data Breach.
9. Data Subject Requests
- Taking into account the nature of the Processing, Closrr shall assist the Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Customer’s obligation to respond to requests for exercising the Data Subject’s rights under the Data Protection Laws.
- Closrr will promptly notify Customer if we receive a request from a Data Subject to invoke their rights with respect to Customer Personal Data, unless otherwise prohibited by applicable law; and, except to the extent required by applicable law, we will not independently take any action in response to a request from a Data Subject without Customer’s prior written instruction.
10. Audit and Inspection
- Subject to and conditioned on a written confidentiality and non-disclosure agreement, Closrr shall provide Customer with information reasonably necessary to demonstrate compliance with the obligations set forth in this DPA.
- Any audits shall be (i) subject to and conditioned on reasonable advance written notice, not less than sixty (60) days, to Closrr; (ii) subject to and conditioned on a written confidentiality and non-disclosure agreement and a detailed written audit plan reviewed and pre-approved by Closrr; (iii) limited to once every three (3) calendar years; (iv) at Customer’s sole cost and expense; (v) limited in scope and purpose to evaluate a specifically identified suspected failure by Closrr to comply with the provisions of this DPA and only after Customer has exhausted all other reasonable means as determined by Closrr; and (vi) in the virtual or physical presence of a Closrr representative without unreasonably disrupting Closrr’s business operations.
11. Deletion or Return of Customer Personal Data
Upon proper termination of the Agreement and at the written direction of the Customer, Closrr shall take reasonable measures to delete Customer Personal Data or return Customer Personal Data and copies thereof to the Customer, subject to applicable laws or other Closrr obligations requiring the continued storage of the Customer Personal Data by Closrr.
Appendix A
List of Sub-processors
- Cloudflare: We use Cloudflare to secure and improve the performance of the Services.
- Amazon Web Services: We use Amazon Web Services to host and secure Customer Applications and store data related to Customer Applications.
- Google Workspace: We use Google Workspace applications to process email communication and manage online documents.
- Freshworks: We use Freshworks to communicate with our customers and provide support.
- AWS SES: AWS SES is an SMTP provider that sends transactional emails from Customer Applications.
- Migrate Guru: Our Migrations team may use Migrate Guru to migrate Customer Applications for Customer subscribed to managed WordPress hosting plans, with Customer permission.