Announcing: new features every week.

Legal

Data Processing Addendum

Effective

Acme Cloud Data Processing Addendum

Last updated: 4 March 2026

This Data Processing Addendum ("DPA") forms part of the Acme Cloud Terms of Service or other written agreement (the "Agreement") between Acme Cloud, Inc. ("Acme Cloud", "we", "us") and the customer entity that has accepted the Agreement ("Customer", "you"). This DPA reflects the parties' agreement on the Processing of Personal Data in connection with the Acme Cloud services (the "Services). Where there is any conflict between this DPA and the Agreement on the subject of data protection, this DPA prevails.

1. Introduction and Scope

Acme Cloud provides cloud collaboration and workflow automation Services that involve the Processing of Personal Data on behalf of Customer. This DPA applies whenever Acme Cloud Processes Personal Data that is subject to the Data Protection Laws and that Customer or its Authorized Users submit to, store in, or generate through the Services.

This DPA is intended to allocate the parties' respective responsibilities for such Processing, to document the technical and organizational measures Acme Cloud maintains, and to set out the terms on which Acme Cloud engages Subprocessors. It applies to all Acme Cloud environments, including production, staging, and sandbox tenants, unless a separate written arrangement states otherwise.

By entering into the Agreement, Customer enters into this DPA on behalf of itself and, to the extent required under applicable Data Protection Laws, in the name and on behalf of its Authorized Affiliates. For the purposes of this DPA only, the term "Customer" includes such Authorized Affiliates.

2. Definitions

Capitalized terms not defined in this DPA have the meaning given in the Agreement. For the purposes of this DPA:

  • "Controller", "Processor", "Data Subject", "Personal Data", "Processing", and "Supervisory Authority" have the meanings given in the applicable Data Protection Laws.
  • "Data Protection Laws" means all laws and regulations applicable to the Processing of Personal Data under the Agreement, including the EU General Data Protection Regulation, the UK GDPR, and applicable U.S. state privacy laws.
  • "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored, or otherwise Processed.
  • "Subprocessor" means any third party engaged by Acme Cloud to Process Personal Data on behalf of Customer.
  • "Standard Contractual Clauses" or "SCCs" means the clauses annexed to European Commission Implementing Decision (EU) 2021/914.

3. Roles of the Parties

The parties acknowledge and agree that with respect to the Processing of Customer Personal Data, Customer acts as Controller, Acme Cloud acts as Processor, and Acme Cloud may engage Subprocessors in accordance with Section 8. Where Customer itself acts as a Processor on behalf of a third-party Controller, Acme Cloud acts as a Subprocessor.

Party Role Primary responsibility
Customer Controller (or Processor) Determines the purposes and means of Processing; ensures a lawful basis exists
Acme Cloud Processor (or Subprocessor) Processes Personal Data only on documented instructions
Acme Cloud Subprocessors Sub-processor Processes Personal Data under flow-down obligations

Each party is responsible for complying with the obligations applicable to it under the Data Protection Laws in respect of its role.

4. Details of the Processing

The subject matter, duration, nature, and purpose of the Processing, together with the categories of Personal Data and Data Subjects, are described below and, where more detail is required, in Annex I to this DPA.

Element Description
Subject matter Provision of the Acme Cloud Services to Customer
Duration The term of the Agreement plus any retention period described in Section 13
Nature and purpose Hosting, storage, collaboration, workflow automation, and support
Categories of Data Subjects Customer's Authorized Users, employees, contractors, and end contacts
Categories of Personal Data Identification and contact data, account credentials, content submitted to the Services, usage and log data

Acme Cloud does not intentionally collect Special Categories of Personal Data through the Services, and Customer agrees not to submit such data except where expressly supported under the Agreement.

5. Customer Instructions

Acme Cloud will Process Customer Personal Data only on documented instructions from Customer, including with regard to transfers of Personal Data to a third country, unless required to do so by applicable law. The Agreement, this DPA, and Customer's use and configuration of the Services constitute Customer's complete and final documented instructions to Acme Cloud.

If Acme Cloud is required by applicable law to Process Customer Personal Data other than on Customer's instructions, Acme Cloud will inform Customer of that legal requirement before Processing, unless the law prohibits such notice on important grounds of public interest. Acme Cloud will notify Customer if, in its opinion, an instruction infringes the Data Protection Laws, although Acme Cloud is not obligated to conduct a legal review of the adequacy of Customer's instructions.

6. Confidentiality

Acme Cloud will ensure that any person it authorizes to Process Customer Personal Data is subject to an appropriate duty of confidentiality, whether a contractual or statutory obligation. Acme Cloud restricts access to Customer Personal Data to personnel who require access to provide the Services and support, and grants such access on a least-privilege, need-to-know basis.

7. Security Measures

Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of Processing, Acme Cloud implements and maintains appropriate technical and organizational measures designed to ensure a level of security appropriate to the risk. These measures include:

  • Encryption of Personal Data in transit over public networks and at rest in production storage;
  • Logical access controls, role-based permissions, and multi-factor authentication for administrative access;
  • Network segmentation, firewalling, and intrusion detection across production environments;
  • Regular vulnerability scanning, patch management, and independent penetration testing;
  • Secure software development practices, including code review and dependency monitoring;
  • Business continuity and disaster recovery procedures with defined recovery objectives;
  • Logging and monitoring of access to Personal Data and periodic review of those logs.

Acme Cloud may update its security measures from time to time, provided that such updates do not materially reduce the overall level of protection afforded to Customer Personal Data during the term of the Agreement.

8. Subprocessing

Customer provides a general authorization for Acme Cloud to engage Subprocessors to Process Customer Personal Data in connection with the provision of the Services. Acme Cloud maintains a current list of Subprocessors, including their name, location, and the Processing activity performed, and makes that list available through its subprocessor page or on request.

Acme Cloud imposes data protection obligations on each Subprocessor that are no less protective than those in this DPA, and remains liable to Customer for the performance of each Subprocessor's obligations. Acme Cloud will give Customer prior notice of the addition or replacement of any Subprocessor, and Customer may object on reasonable data-protection grounds within the notice period described on the subprocessor page.

9. Assistance with Data Subject Rights

Taking into account the nature of the Processing, Acme Cloud will assist Customer by appropriate technical and organizational measures, insofar as this is possible, in fulfilling Customer's obligations to respond to requests to exercise Data Subject rights under the Data Protection Laws. Where the Services provide self-service functionality that allows Customer to retrieve, correct, restrict, or delete Personal Data, Customer will use that functionality in the first instance. If a Data Subject contacts Acme Cloud directly regarding Personal Data Processed on Customer's behalf, Acme Cloud will, where legally permitted, promptly forward the request to Customer and will not respond to the request itself except on Customer's instructions.

10. Personal Data Breach Notification

Acme Cloud will notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data. Such notification will describe, to the extent then known and reasonably available, the nature of the breach, the likely consequences, and the measures taken or proposed to address it. Acme Cloud will make reasonable efforts to provide this notification within seventy-two (72) hours of confirming the breach.

Acme Cloud's notification of, or response to, a Personal Data Breach will not be construed as an acknowledgment by Acme Cloud of any fault or liability with respect to the breach.

11. Data Protection Impact Assessments

Taking into account the nature of the Processing and the information available to Acme Cloud, Acme Cloud will provide reasonable assistance to Customer with any data protection impact assessments and prior consultations with Supervisory Authorities that Customer is required to carry out under the Data Protection Laws, solely in relation to the Processing of Customer Personal Data by Acme Cloud.

12. International Data Transfers

Customer authorizes Acme Cloud to transfer Customer Personal Data to, and Process it in, countries other than the country in which it was collected, including the United States, subject to appropriate safeguards. Where such transfers are subject to the Data Protection Laws of the European Economic Area, the United Kingdom, or Switzerland, the parties agree that the Standard Contractual Clauses are incorporated into this DPA by reference and apply to such transfers, with the modules and options selected in Annex II.

Where the SCCs apply, in the event of any conflict between the SCCs and this DPA, the SCCs prevail.

13. Return and Deletion of Personal Data

Upon termination or expiry of the Agreement, Acme Cloud will, at Customer's election, delete or return Customer Personal Data, and delete existing copies unless applicable law requires continued storage. Customer may export its Personal Data using the Services' export functionality during the term and for a period of thirty (30) days following termination, after which Acme Cloud will delete Customer Personal Data from production systems within the timeframe described in its retention documentation, excluding copies retained in routine backups which are deleted in the ordinary course.

14. Audits and Inspections

Acme Cloud will make available to Customer information reasonably necessary to demonstrate compliance with this DPA, and will allow for and contribute to audits, including inspections, conducted by Customer or an auditor mandated by Customer. To satisfy this obligation, Acme Cloud may make available third-party certifications and audit reports, such as SOC 2 Type II reports, and will respond to reasonable security questionnaires. Any on-site audit will be conducted no more than once per year, on reasonable prior notice, during business hours, and subject to confidentiality obligations, unless a Supervisory Authority or Data Protection Law requires otherwise.

15. Liability, Term, and General

Each party's liability arising out of or related to this DPA is subject to the limitations and exclusions of liability set out in the Agreement. This DPA takes effect on the date Customer accepts the Agreement and continues until Acme Cloud has ceased all Processing of Customer Personal Data. If any provision of this DPA is held invalid or unenforceable, the remaining provisions continue in full force and effect.

Product updates in your inbox

Monthly changelog. No spam.