Acme Cloud Data Processing Addendum
Version 2.0 — effective 15 June 2026
This Data Processing Addendum ("DPA") supplements and forms part of the Acme Cloud Terms of Service or other master agreement (the "Agreement") between Acme Cloud, Inc. ("Acme Cloud") and the customer that has accepted the Agreement ("Customer"). This Version 2.0 replaces and supersedes any prior version of the DPA as of its effective date. It governs Acme Cloud's Processing of Personal Data on Customer's behalf when Customer uses the Acme Cloud services (the "Services"). In the event of a conflict between this DPA and the Agreement regarding data protection, this DPA controls.
Part A — Framework
A.1 How this DPA is organized
This DPA is arranged in three parts. Part A sets out the framework, defined terms, and the roles of the parties. Part B describes Acme Cloud's operational commitments as a Processor, including security, subprocessing, and assistance obligations. Part C addresses the lifecycle of Personal Data, covering breach handling, international transfers, retention, deletion, and audits. Annexes referenced in this DPA are incorporated by reference.
A.2 Defined terms
Capitalized terms not defined here carry the meaning given in the Agreement or in the applicable Data Protection Laws. In this DPA:
- "Data Protection Laws" means all privacy and data protection laws applicable to a party's Processing under the Agreement, including the EU General Data Protection Regulation (GDPR), the UK GDPR, the Swiss Federal Act on Data Protection, and applicable U.S. state privacy statutes.
- "Customer Personal Data" means Personal Data that Acme Cloud Processes on Customer's behalf under the Agreement.
- "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data.
- "Subprocessor" means a third party engaged by Acme Cloud to Process Customer Personal Data.
- "Data Privacy Framework" or "DPF" means the EU-U.S. Data Privacy Framework and its UK Extension and Swiss-U.S. counterpart, as administered by the U.S. Department of Commerce.
A.3 Roles and allocation of responsibility
For Customer Personal Data, Customer is the Controller and Acme Cloud is the Processor; where Customer is itself a Processor, Acme Cloud is a Subprocessor. The following table summarizes the allocation.
| Party | Role | Core obligation |
|---|---|---|
| Customer | Controller / Processor | Establishes purposes, means, and lawful basis; issues instructions |
| Acme Cloud | Processor / Subprocessor | Processes only on documented instructions; safeguards the data |
| Engaged Subprocessors | Subprocessor | Bound by flow-down terms at least as protective as this DPA |
Each party is independently responsible for compliance with the obligations that the Data Protection Laws impose on its role.
A.4 Documented instructions
Acme Cloud Processes Customer Personal Data only on Customer's documented instructions, which comprise the Agreement, this DPA, and Customer's configuration and use of the Services. Acme Cloud will inform Customer if it believes an instruction violates the Data Protection Laws, and will notify Customer before Processing on any basis required by law that departs from Customer's instructions, unless legally prohibited from doing so.
Part B — Operational commitments
B.1 Confidentiality of personnel
Acme Cloud ensures that personnel authorized to Process Customer Personal Data are bound by appropriate confidentiality obligations and receive data protection training relevant to their role. Access is provisioned on a least-privilege basis and revoked promptly when no longer required.
B.2 Security program
Acme Cloud maintains a documented information security program with technical and organizational measures appropriate to the risk. The program includes at least the following controls:
- Encryption of Customer Personal Data in transit and at rest using industry-standard algorithms;
- Identity and access management with role-based permissions and enforced multi-factor authentication for privileged accounts;
- Segregation of production networks, perimeter and host-based protection, and continuous intrusion monitoring;
- A vulnerability management program covering scanning, risk-based remediation, and at least annual independent penetration testing;
- A secure development lifecycle incorporating peer code review, dependency and secrets scanning, and change management;
- Resilience measures including redundant infrastructure, backups, and a tested disaster recovery plan with defined recovery objectives;
- Centralized logging, alerting, and periodic review of access to Customer Personal Data.
Acme Cloud may evolve these controls over time but will not materially degrade the overall level of security during the term.
B.3 Subprocessors
Customer grants Acme Cloud a general authorization to engage Subprocessors. Acme Cloud publishes a current list of Subprocessors identifying each one's name, location, and Processing role, and provides a mechanism for Customer to subscribe to change notifications. Before adding or replacing a Subprocessor, Acme Cloud will give Customer at least thirty (30) days' prior notice. Customer may object on reasonable data-protection grounds within that notice period; if the parties cannot resolve the objection, Customer may terminate the affected Service as its sole remedy. Acme Cloud imposes data protection terms on each Subprocessor that are at least as protective as this DPA and remains responsible for its Subprocessors' performance.
B.4 Assistance to Customer
Taking into account the nature of the Processing, Acme Cloud will assist Customer, by appropriate technical and organizational measures and insofar as reasonably possible, with: (a) responding to requests from Data Subjects to exercise their rights; and (b) Customer's obligations to carry out data protection impact assessments and prior consultations with Supervisory Authorities. Where the Services offer self-service tools to access, correct, restrict, export, or delete Customer Personal Data, Customer will use them first. If a Data Subject approaches Acme Cloud directly, Acme Cloud will forward the request to Customer where legally permitted and will act only on Customer's instructions.
Part C — Data lifecycle
C.1 Personal Data Breach notification
Acme Cloud will notify Customer without undue delay, and in any event within forty-eight (48) hours, after confirming a Personal Data Breach affecting Customer Personal Data. The notification will describe, to the extent known, the nature of the breach, the categories and approximate volume of data and Data Subjects affected, the likely consequences, and the remedial measures taken or planned. Acme Cloud will provide reasonable updates as further information becomes available. A notification is not, and will not be construed as, an admission of fault or liability by Acme Cloud.
C.2 International transfers
Customer authorizes Acme Cloud to transfer and Process Customer Personal Data in countries other than the country of collection, including the United States. Acme Cloud self-certifies under, and commits to comply with, the EU-U.S. Data Privacy Framework, together with its UK Extension and the Swiss-U.S. Data Privacy Framework, in respect of Customer Personal Data received in reliance on the DPF. To the extent the DPF does not apply to a given transfer, the parties rely on the Standard Contractual Clauses, which are incorporated into this DPA by reference with the modules and options set out in the transfers Annex. Where both mechanisms could apply, the DPF governs unless it is invalidated or suspended, in which case the Standard Contractual Clauses apply automatically.
C.3 Retention, return, and deletion
During the term, Customer may access and export Customer Personal Data at any time using the Services' export tools. Following termination or expiry of the Agreement, Customer may continue to export Customer Personal Data for a period of sixty (60) days. After that period, Acme Cloud will, at Customer's written election, delete or return Customer Personal Data and delete remaining copies, except where retention is required by applicable law. Personal Data residing in routine, time-limited backups is deleted on the standard backup expiry cycle rather than on demand.
| Stage | Availability of data |
|---|---|
| During term | Full self-service access and export |
| 0–60 days after termination | Export remains available |
| After 60 days | Deleted or returned at Customer's election, subject to legal holds |
| Backups | Purged on the ordinary backup rotation |
C.4 Audits
Acme Cloud will make available information reasonably necessary to demonstrate compliance with this DPA and will allow for and contribute to audits mandated by Customer. Acme Cloud satisfies this obligation primarily through third-party certifications and audit reports (such as SOC 2 Type II) and by responding to reasonable security questionnaires. On-site audits are limited to once per twelve-month period on reasonable prior notice during business hours, except where a Supervisory Authority or Data Protection Law requires greater frequency or scope.
C.5 General
Liability under this DPA is subject to the limitations and exclusions in the Agreement. This DPA remains in effect until Acme Cloud has ceased all Processing of Customer Personal Data. If any provision is found unenforceable, the remainder continues in effect, and the parties will replace the affected provision with a valid one that achieves its intent as closely as possible.