This document (“the Data Processing Agreement”) sets out the terms and conditions of the Processing of Cloud Happy Personal Data by us.

In this Data Processing Agreement, “we”, “us”and “our” refers to CLOUD HAPPY PTY LTD ABN 26 603 035 972 (Cloud Happy), and “you” and “your” refers to a Cloud Happy client, being a user of Cloud Happy.

By using Cloud Happy or by otherwise indicating your assent, you accept and agree to this Data Processing Agreement.

The terms used in this Data Processing Agreement are defined below or the GDPR.

Cloud Happy Personal Data is any personal data regarding an identified or identifiable natural person, which are or will be Processed by us in any way whatsoever in the context of the use of Cloud Happy by you, any of your organisations, employees, agents or contractors authorised or deemed to be authorised by you to use Cloud Happy.

Contracted Processor means us or a Subprocessor.

Data Breach is a security breach within the meaning of Article 4.12 of the GDPR.

Data Protection Laws means any applicable data protection or privacy laws of any country, and includes EU Data Protection Laws.

Data Subject is the person to whom Cloud Happy Personal Data pertains.

EU Data Protection Laws means EU Directive 95/46/EC, as transposed into domestic legislation of each Member State and as amended, replaced or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR.

Terms of Service means our terms of service into which this Data Processing Agreement is incorporated.

GDPR means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.

Parties means us and you.

Processing is any activity or combination of activities involving personal data, in any event including the collecting, recording, organising, storing, updating, amending, accessing, consulting, using, providing by way of forwarding, distributing or any other form of supplying, compiling, linking, as well as safeguarding, deleting or destroying of data (“Process”, “Processes” and “Processed” shall have the same meaning).

Subprocessor means any person (including any third party, but excluding our employees, contractors or advisors) appointed by us or on our behalf to Process Cloud Happy Personal Data.

Supervisory Authority means an independent public authority which is established by a European Union member state pursuant to Article 51 of the General Data Protection Regulation.

2.1 Role of the parties

The parties agree that in relation to the Processing of Cloud Happy Personal Data:

• a. you are the controller;
• b. we are the Processor;
• c. we may engage Subprocessors in accordance with clause 3 of this Data Processing Agreement; and
• d. users, your organisations, employees, agents or contractors using Cloud Happy and providing Cloud Happy Personal Data are Data Subjects.

2.2 Our obligations

• a. We will comply with the applicable Data Protection Laws in the Processing of Cloud Happy Personal Data.
• b. We will not Process Cloud Happy Personal Data other than on your documented instructions unless Processing is required by the Data Protection Laws to which the relevant Contracted Processor is subject, in which case to the extent permitted by law, we will inform you of that legal requirement before the relevant Processing of that Cloud Happy Personal Data.
• c. We will only Process Cloud Happy Personal Data to the extent necessary to provide Cloud Happy and any related services to you, organisations, employees, agents or contractors in accordance with the Agreement.
• d. We will only Process Cloud Happy Personal Data on and in accordance with your instructions. We will not Process Cloud Happy Personal Data for our own benefit, for the benefit of any third party, or for our own purposes or advertising purposes or other purposes, unless required by any Data Protection Laws.
• e. We will immediately inform you regarding any changes to Cloud Happy or the performance of our services, so that you may monitor compliance between these new arrangements and Data Protection Laws.
• f. Annexure 1 to this Data Processing Agreement sets out certain information regarding our Processing of the Cloud Happy Personal Data as required by article 28(3) of the GDPR (and, possibly, equivalent requirements of other Data Protection Laws).  Nothing in Annexure 1 (including as amended pursuant to this clause 2.2) confers any right or imposes any obligation on any party to this Data Processing Agreement.

2.3 Your obligations

• a. You, as a Cloud Happy client and on behalf of each of your organisations, employees, agents or contractors authorised or deemed to be authorised by you to use Cloud Happy, instruct us (and authorise us to instruct each Subprocessor) to Process Cloud Happy Personal Data.
• b. You warrant and represent that you are and will at all relevant times remain duly and effectively authorised to give the instruction set out in clause 2.3(a) on behalf of each of organisations, employees, agents or contractors authorised or deemed to be authorised by you to use Cloud Happy.
• c. You must, in your use of Cloud Happy, Process and otherwise deal with Cloud Happy Personal Data in accordance with the requirements of Data Protection Laws. For the avoidance of doubt, your instructions for the Processing of Cloud Happy Personal Data must comply with Data Protection Laws.
• d. You have sole responsibility for the accuracy, quality, and legality of Cloud Happy Personal Data and the means by which Cloud Happy Personal Data are collected.

3.1 You authorise us to appoint (and permit each Subprocessor appointed in accordance with this clause 3 to appoint) Subprocessors in accordance with this clause 3.
3.2 We may continue to use those Subprocessors already engaged by us as at the date of this Agreement, subject to us in each case as soon as practicable meeting the obligations set out in clause 3.4.

3.3 We will give you prior written notice of the appointment of any new Subprocessor, including full details of the Processing to be undertaken by the Subprocessor. If, within 5 days of receipt of that notice, you notify us in writing of any objections (on reasonable grounds) to the proposed appointment, we will not appoint (or disclose any Cloud Happy Personal Data to) that proposed Subprocessor until reasonable steps have been taken to address the objections raised by you and you have been provided with a reasonable written explanation of the steps taken.

3.4 With respect to each Subprocessor, we will:

• a. before the Subprocessor first Processes Cloud Happy Personal Data (or, where relevant, in accordance with clause 3.3), carry out adequate due diligence to ensure that the Subprocessor is capable of providing the level of protection for Cloud Happy Personal Data required by the Terms of Service;
• b. ensure that the arrangement between on the one hand us and the Subprocessor, is governed by a written contract including terms which offer at least the same level of protection for Cloud Happy Personal Data as those set out in this Data Processing Agreement and meet the requirements of Article 28(3) of the GDPR; and
• c. provide you for review such copies of the Contracted Processors’ agreements with Subprocessors (which may be redacted to remove confidential commercial information not relevant to the requirements of this Data Processing Agreement) as you may request from time to time.

3.5 We will ensure that each Subprocessor performs the obligations under clause 2.2, as they apply to Processing of Cloud Happy Personal Data carried out by that Subprocessor, as if it were party to this Data Processing Agreement in our place.

4.1 We will implement appropriate technical and organisational measures to secure Cloud Happy Personal Data against loss or any form of unlawful Processing.

4.2 Taking into account the state of the art and the costs of their implementation, these measures guarantee an appropriate security level given the risks associated with Processing and the nature of the Cloud Happy Personal Data to be protected. The measures are, in part, aimed at preventing unnecessary collection and further Processing.

4.3 We will record the measures in writing and will ensure that the security as referred to in this clause meet the security requirements under the GDPR.

4.4 On request, we shall immediately provide you with all reasonable information relating to the security of Cloud Happy Personal Data.

5.1 We will notify you (and any other party if required by law) without undue delay upon us or any Subprocessor becoming aware of a personal Data Breach affecting Cloud Happy Personal Data, providing you with sufficient information to allow you to meet any obligations to report or inform Data Subjects of the personal Data Breach under the Data Protection Laws.

5.2 We will co-operate with you and take such reasonable commercial steps as are directed by you to assist in the investigation, mitigation and remediation of each such personal Data Breach.

6.1 We will, to the extent permitted by the Data Protection Laws, promptly notify you if we receive a request from a Data Subject under any Data Protection Laws in respect of Cloud Happy Personal Data, including any request to exercise the Data Subject’s right of access, right to rectification, restriction of Processing, erasure (“right to be forgotten”), data portability, object to the Processing, or its right not to be subject to an automated individual decision making (“Data Subject Request”).

6.2 Taking into account the nature of the Processing, we will assist you by taking appropriate technical and organisational measures, insofar as this is possible, to assist you to perform your obligation to respond to a Data Subject Request under any Data Protection Laws.

6.3 To the extent that you do not have the ability to address a Data Subject Request, we will, upon you request, provide commercially reasonable efforts to assist you in responding to such Data Subject Request, to the extent we are permitted to do so under the Data Protection Laws and the response to such Data Subject Request is required under the Data Protection Laws.

6.4 To the extent permitted by law, you will be responsible for any costs arising from our assistance.

We will provide you with commercially reasonable assistance with any data protection impact assessments, and prior consultations with Supervising Authorities or other competent data privacy authorities, which you reasonably consider to be required of you by article 35 or 36 of the GDPR or equivalent provisions of any other Data Protection Laws, in each case solely in relation to Processing of Cloud Happy Personal Data by, and taking into account the nature of the Processing and information available to the Contracted Processors.

8.1 We will retain Cloud Happy Personal Data to the extent required by law and only to the extent and for such period as required by law and always provided that we will use our reasonable endeavours to ensure the confidentiality of all such Cloud Happy Personal Data and to ensure that such Cloud Happy Personal Data is only retained as necessary for the purpose(s) specified in the laws requiring its storage and for no other purpose.

8.2 We will not retain Cloud Happy Personal Data made available to us any longer than is necessary:

• a. for the performance of the Agreement; or
• b. to comply with any of our obligations at law.

9.1 Subject to clause 9.2, we will allow for and contribute to audits, including inspections, by you or an auditor mandated by you relation to the Processing of the Cloud Happy Personal Data by the Contracted Processors.

9.2 You must give us reasonable notice of any audit or inspection to be conducted under clause 9.1 and you must make (and ensure that each of its mandated auditors makes) reasonable endeavours to avoid causing (or, if it cannot avoid, to minimise) any damage, injury or disruption to the Contracted Processors’ premises, equipment, personnel and business while its personnel are on those premises in the course of such an audit or inspection. A Contracted Processor need not give access to its premises for the purposes of such an audit or inspection:

a. to any individual unless he or she produces reasonable evidence of identity and authority;

b. outside normal business hours at those premises, unless the audit or inspection needs to be conducted on an emergency basis and you have given notice to us that this is the case before attendance outside those hours begins; or

c. for the purposes of more than one audit or inspection, in respect of each Contracted Processor, in any calendar year, except for any additional audits or inspections which:

i. you reasonably consider necessary because of genuine concerns as to our compliance with this Agreement; or

ii. you are required or requested to carry out by Data Protection Laws, a Supervisory Authority or any similar regulatory authority responsible for the enforcement of Data Protection Laws in any country or territory,

where you have identified its concerns or the relevant requirement or request in its notice to us of the audit or inspection.

9.3 The costs of the audit upon request under clause 9.1 will be borne by you.

9.4 If it is established during an audit that we have failed to comply with this Data Processing Agreement, we will take all reasonably necessary measures to ensure compliance in the future.

All Processing of personal data in connection with Cloud Happy or any related services performed by us or on our behalf, including any Third Parties engaged by us, will take place within Singapore, Australia and (if required) the European Union (EU) or in countries that guarantee an appropriate level of protection in accordance with the Data Protection Laws

11.1 If we receive a request or order from a Supervisory Authority, government agency or investigation, prosecution or national security agency to provide (access to) personal data, we will immediately notify you.

11.2 When handling the request or order, we will (to extent permitted by the Data Protection Laws) comply with your instructions and cooperate with you, as reasonably required.

12.1 We will fully cooperate, in so far as possible, so that you may comply with your legal obligations in the event that a Data Subject exercises its rights under the GDPR or other applicable Data Protection Laws.

12.2 If a Data Subject contacts us directly in relation to any matter under any Data Protection Laws, we will advise them to address any such request to you, with a request for further instructions.

12.3 Our privacy policy, available at here and to all Data Subjects upon request, is incorporated into this Agreement. It includes the following information:

• a. our name and contact details;
• b. the purposes for which personal data are Processed by us;
• c. the categories of personal data Processed by us;
• d. any third party to whom personal data are made accessible;
• e. the countries where personal data are collected and Processed; and
• f. the Data Subject’s rights to access, correct and delete personal data.

To the extent permitted by law, our Liability under this Data Processing Agreement is subject to the ‘limitation of liability’ provisions of the Agreement, and any reference in such provisions to our liability means our aggregate liability under the Agreement and the Data Processing Agreement together.

14.1 If a change in Cloud Happy Personal Data to be Processed or a risk analysis of the Processing of Cloud Happy Personal Data gives reason to do so, upon your first request, we will consult with you on amending the arrangements made in the Data Processing Agreement.

14.2 The arrangements to be newly made must be recorded in writing and form part of the Data Processing Agreement prior to their application.

14.3The changes can never have the effect that you cannot comply with the Data Protection Laws.

15.1 Subject to any surviving rights and obligations, this Data Processing Agreement will automatically terminate upon termination of the Terms of Service.

15.2 In the event of termination of the Terms of Service for any reason, we will assist you (at your cost, which shall not exceed the reasonable cost incurred by us) to ensure that all or part of the Cloud Happy Personal Data made available for you, by you or on your behalf in the context of Cloud Happy (as determined by you), is either destroyed, returned to you or the Data Subjects, or made available to another service provider, as required by you and to the extent permitted by law.

15.3 Provisions which, by their nature, are intended to continue to apply after termination of this Data Processing Agreement, will continue to apply after termination of this Data Processing Agreement. These include but are not limited to provisions concerning confidentiality, indemnity and limitation of liability, and applicable law.

You may contact us in relation to any privacy or data processing concerns using the contact details set out below:
Email: hello@cloudhappy.io

This Annexure 1 includes certain details of the Processing of Cloud Happy Personal Data as required by Article 28(3) GDPR.

Subject matter, nature, purpose and duration of the Processing of Cloud Happy Personal Data

The subject matter, nature, purpose and duration of the Processing of the Cloud Happy Personal Data are set out in the Agreement.

The types of Cloud Happy Personal Data to be Processed

You may submit Cloud Happy Personal Data to Cloud Happy, the extent of which is determined and controlled by the you in your sole discretion, and which may include, but may not be limited to, the following categories of personal data:

• First and last name;
• Title;
• Date of birth;
• Contact information;
• Residence and mailing information;
• Other types of information as set out in our Privacy Policy; and
• Any other personal data collected by you and provided to us.

The categories of Data Subject to whom the Cloud Happy Personal Data relates

You may submit Cloud Happy Personal Data to Cloud Happy, the extent of which is determined and controlled by you in your sole discretion, and which may include, but is not limited to personal data relating to the following categories of Data Subjects:

• Cloud Happy clients;
• employees of a Cloud Happy client;
• consultants of a Cloud Happy client;
• contractors of a Cloud Happy client;
• agents of a Cloud Happy client; and/or
• third parties with whom a Cloud Happy client conducts business, or about whom a Cloud Happy client obtains information in the course of and for the purpose of conducting business

The obligations and rights of a Cloud Happy client

The obligations and rights of a Cloud Happy client are set out in the body of the Data Processing Agreement.