Data Processing Agreement

SECTION 1

Clause 1: Purpose and Scope

a) These Standard Contractual Clauses (the Clauses) aim to ensure compliance with Article 28(3) and (4) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (the General Data Protection Regulation, GDPR).

b) The controllers and processors listed in Annex I have agreed to these Clauses to comply with Article 28(3) and (4) of GDPR.

c) These Clauses apply to the processing of personal data as detailed in Annex II.

d) Annexes I to IV form an integral part of these Clauses.

e) These Clauses do not exempt the controller from other obligations under GDPR.

f) These Clauses alone do not ensure compliance with international transfer obligations as per Chapter V of GDPR.

Clause 2: Invariability of the Clauses

a) The Parties commit not to alter these Clauses except for adding or updating information in the Annexes.

b) This does not prevent the inclusion of these standard contractual clauses in a broader contract or the addition of other clauses or safeguards, provided they do not contradict or undermine these Clauses or the fundamental rights of data subjects.

Clause 3: Interpretation

a) Terms used in these Clauses that are defined in GDPR will have the same meaning as in the Regulation.

b) These Clauses must be interpreted in the context of GDPR provisions.

c) These Clauses shall not be construed in a manner that conflicts with GDPR rights and obligations or compromises data subjects' fundamental rights.

Clause 4: Hierarchy

If there is a conflict between these Clauses and other agreements between the Parties, these Clauses shall prevail.

Clause 5: Docking Clause

a) Any entity not initially part of these Clauses may, with all Parties' consent, join as a controller or processor by completing and signing Annex I.

b) Once Annex I is completed and signed, the new entity becomes a Party to these Clauses with corresponding rights and obligations.

c) The new entity will not have rights or obligations from the Clauses for periods before it became a Party.

SECTION 2

OBLIGATIONS OF THE PARTIES

Clause 6: Description of Processing

Details of processing operations, including categories of personal data and processing purposes, are specified in Annex II.

Clause 7: Obligations of the Parties

7.1. Instructions

a) The processor will process personal data only on documented instructions from the controller, unless required to do so by EU or Member State law to which the processor is subject. In that case the processor will inform the controller of the legal requirement before processing, unless the law prohibits this on important grounds of public interest. The controller may give further instructions throughout the duration of the processing; all instructions must be documented.

b) The processor will inform the controller if it believes an instruction infringes GDPR or other data protection laws.

7.2. Purpose Limitation

The processor will only process personal data for the purposes specified in Annex II, unless further instructions are received from the controller.

7.3. Duration of Processing

Processing will only occur for the duration specified in Annex II.

7.4. Security of Processing

a) The processor will implement at least the technical and organizational measures specified in Annex III to ensure the security of the personal data. This includes protecting the data against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, the data (a personal data breach). In assessing the appropriate level of security, the Parties take account of the state of the art, the costs of implementation, the nature, scope, context and purposes of the processing, and the risks to the rights and freedoms of data subjects.

b) Access to personal data will be limited to personnel necessary for the contract's implementation, management, and monitoring. Personnel authorized to process the data must commit to confidentiality.

7.5. Sensitive Data

If processing involves special categories of personal data (data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership; genetic data; biometric data used to uniquely identify a natural person; data concerning health, sex life or sexual orientation) or data relating to criminal convictions and offences, the processor will apply specific restrictions and additional safeguards.

7.6. Documentation and Compliance

a) The Parties must demonstrate compliance with these Clauses.

b) The processor must promptly and adequately respond to the controller's inquiries regarding data processing compliance.

c) The processor will provide the controller with all information necessary to demonstrate compliance with these Clauses and GDPR. At the controller's request, the processor will also permit and contribute to audits of the processing activities covered by these Clauses, at reasonable intervals or where there are indications of non-compliance.

d) The controller may choose to conduct the audit or mandate an independent auditor. Audits may include inspections at the processor’s premises and must be conducted with reasonable notice.

e) The Parties will make information related to compliance, including audit results, available to competent supervisory authorities upon request.

7.7. Use of Sub-Processors

a) The processor has the controller’s general authorization to engage sub-processors from an agreed list. The processor must inform the controller in writing of any changes to this list at least one month in advance, allowing time for objections.

b) The processor must ensure sub-processors are bound by the same data protection obligations.

c) Upon request, the processor must provide the controller with a copy of the sub-processor agreement, redacted to protect business secrets or confidential information.

d) The processor remains fully responsible for sub-processor performance.

e) The processor must agree a third-party beneficiary clause with the sub-processor whereby, if the processor has factually disappeared, ceased to exist in law or become insolvent, the controller has the right to terminate the sub-processor contract and to instruct the sub-processor to erase or return the personal data.

7.8. International Transfers

a) Data transfers to third countries or international organizations by the processor will only occur on documented instructions from the controller and in compliance with Chapter V of GDPR.

b) The controller agrees that, where the processor engages a sub-processor for processing that involves a transfer of personal data under Chapter V of GDPR, compliance with Chapter V may be ensured by using the standard contractual clauses adopted by the Commission under Article 46(2) of GDPR, provided the conditions for the use of those clauses are met.

Clause 8: Assistance to the Controller

a) The processor will notify the controller of any data subject requests without responding to them unless authorized.

b) The processor will assist the controller in responding to data subject requests and complying with obligations under GDPR, including data protection impact assessments and consultations with supervisory authorities.

c) The processor will assist the controller in ensuring that personal data is accurate and up to date, by informing the controller without delay if it becomes aware that data it is processing is inaccurate or outdated, and in complying with the security obligations of Article 32 of GDPR.

d) Appropriate technical and organizational measures for assistance are specified in Annex III.

Clause 9: Notification of Personal Data Breach

In the event of a data breach, the processor will assist the controller in complying with GDPR obligations regarding breach notification.

9.1. Data Breach by the Controller

The processor will assist the controller in notifying the supervisory authority without undue delay and, where feasible, within 72 hours of the controller becoming aware of the breach, in communicating the breach to affected data subjects where required, and in gathering the information needed for the notification: the nature of the breach (including, where possible, the categories and approximate number of data subjects and records concerned), its likely consequences, and the measures taken or proposed to address it.

9.2. Data Breach by the Processor

The processor will notify the controller without undue delay after becoming aware of a personal data breach affecting data processed under these Clauses. The notification will include, where available: a description of the nature of the breach (including, where possible, the categories and approximate number of data subjects and records concerned); a contact point where more information can be obtained; the likely consequences of the breach; and the measures taken or proposed to address it, including measures to mitigate its possible adverse effects. Where not all of this information can be provided at once, it may be provided in phases without undue further delay.

Additional elements for breach notification are set out in Annex III.

SECTION 3

FINAL PROVISIONS

Clause 10: Non-Compliance and Termination

a) If the processor breaches these Clauses, the controller may suspend data processing until compliance is restored or terminate the contract.

b) The controller may terminate the contract if processing is suspended for over a month, if the processor is in substantial or persistent breach, or fails to comply with binding decisions from competent authorities.

c) The processor may terminate the contract if the controller insists on instructions that infringe legal requirements.

d) Upon termination, at the choice of the controller, the processor will either delete all personal data processed on the controller's behalf and certify to the controller that it has done so, or return all personal data to the controller and delete existing copies, unless EU or Member State law requires the data to be stored.

ANNEX 1

List of Parties

Controller(s):

The party to the Terms of Service with Trantor Ventures or its Affiliate.

Address: The Data Controller's address, as provided by the Data Controller.

Name: As provided by the Data Controller.

Signature and Accession Date: By using the Services to transfer personal data to the Data Processor, the Data Controller is deemed to have signed this Annex 1.

Processor(s):

Address: Tallinn, Kesklinna linnaosa, Tornimäe tn 3 // 5 // 7, 10145, Estonia

Name: Trantor Ventures OÜ

Contact: help@cleon1.com

Signature and Accession Date: The Data Processor is deemed to have signed this Annex 1 on the transfer of personal data by the Data Controller.

ANNEX 2

Description of the Processing

Section 1: Non-Personal Information

The first type of data collected is general and non-specific, referred to as "Non-personal Information." This data, which does not reveal your identity, is gathered through your interaction with the Services and may include:

a) Technical details from your device, such as browser type, operating system, language preference, time of access, and referring domain, to improve Services and user experience.

b) Data on how you use the Services, including log files, timestamps, and alerts, for troubleshooting, research, and analytics.

c) Information from which personal identifiers have been removed. Data that is genuinely anonymized, meaning it can no longer be attributed to an identifiable person, alone or in combination with other data, falls outside GDPR and may be handled and shared without restriction for any purpose. Data that is merely de-identified or pseudonymized, and could still be re-linked to a person (for example through an internal identifier), remains personal data and is processed under Section 2.

Section 2: Personal Information

The second type of information is personal and identifiable, collected through specific interactions with the Services:

a) Data on activities, such as pages visited and general location information (excluding precise geographic locations).

b) Personal details like full name, email address, and phone number when registering for Services. Payment information is handled by trusted third-party providers.

c) Basic information from your social network profile when connected with our Site or Services, including name, address, email, and contacts, in compliance with platform policies.

d) Voluntary information provided through communications, transactions, or sharing additional details through our Services.

ANNEX 3

Technical and Organizational Measures

To ensure data security as per Article 32 of GDPR, our organization implements a comprehensive set of technical and organizational measures, considering the nature, scope, context, and purposes of processing activities, and the risks to data subjects.

Measures of Pseudonymisation and Encryption

Password storage using bcrypt with a work factor (cost) of 14. bcrypt is a salted, deliberately slow one-way password hash rather than an encryption scheme: the original password cannot be recovered from the stored value, and each verification performs 2^14 iterations of the key setup, which limits offline guessing if the password database is exposed.

Pseudonymisation techniques, such as application logging that records an opaque internal user ID instead of directly identifying fields (name, email address), so that log entries can be attributed to a person only by someone with access to the separately held ID mapping.

Measures for Confidentiality, Integrity, Availability, and Resilience

Databases reachable only over a Virtual Private Cloud (VPC) private network and not exposed to the public internet, to safeguard against unauthorized access and to support the availability and integrity of the data.

Regular Testing, Assessment, and Evaluation

Regular unit and integration testing and continuous evaluation of technical measures to ensure ongoing security effectiveness.

User Identification and Authorization

Secure user identification and authorization using session tokens (JSON Web Tokens, JWT) carried in cookies and signed with HMAC-SHA256 (JWS algorithm HS256).

Role-Based Access Control (RBAC) for appropriate access management.
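As an added illustration of the two measures above, not code from this agreement or from Cleon1/Trantor Ventures, the following Python (standard library only; the signing key, user ID, role and timestamps are constructed for the example) mints an HS256-signed JWT and verifies it the way a server must: the accepted algorithm is fixed in the verifier rather than read from the token header, the HMAC is compared in constant time, expiry is checked, and the role-based access check runs only on a payload that has already passed verification. The demo shows a tampered payload, an unsigned "alg: none" token and an expired token all being rejected.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time
from typing import Optional, Set


class InvalidToken(Exception):
    """Raised when a session token fails any verification step."""


def _b64url(data: bytes) -> str:
    # JWT segments use unpadded base64url (RFC 7515, section 2).
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json_segment(obj: dict) -> str:
    return _b64url(json.dumps(obj, separators=(",", ":"), sort_keys=True).encode("utf-8"))


def mint_session_token(key: bytes, user_id: str, role: str, ttl_seconds: int,
                       now: Optional[int] = None) -> str:
    """Create an HS256-signed JWT carrying the subject, its RBAC role and an expiry."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": user_id, "role": role, "iat": now, "exp": now + ttl_seconds}
    signing_input = _json_segment(header) + "." + _json_segment(payload)
    signature = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(signature)


def verify_session_token(key: bytes, token: str, now: Optional[int] = None) -> dict:
    """Check structure, algorithm, signature and expiry; return the payload or raise."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise InvalidToken("malformed token")
    header_b64, payload_b64, signature_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        signature = _b64url_decode(signature_b64)
    except (ValueError, binascii.Error) as exc:
        raise InvalidToken("undecodable token") from exc
    # The accepted algorithm is pinned here and never taken from the token; this is
    # what defeats "alg: none" and RS256/HS256 confusion attacks on JWT verifiers.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise InvalidToken("unexpected algorithm")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):  # constant-time comparison
        raise InvalidToken("bad signature")
    try:
        payload = json.loads(_b64url_decode(payload_b64))
    except (ValueError, binascii.Error) as exc:
        raise InvalidToken("undecodable payload") from exc
    if not isinstance(payload, dict) or not isinstance(payload.get("exp"), int) or now >= payload["exp"]:
        raise InvalidToken("expired or missing exp")
    return payload


def require_role(payload: dict, allowed_roles: Set[str]) -> None:
    """RBAC check, applied only to a payload returned by verify_session_token."""
    if payload.get("role") not in allowed_roles:
        raise PermissionError(f"role {payload.get('role')!r} not permitted")


def _forge_payload(token: str, **changes) -> str:
    # An attacker can edit the payload but cannot recompute the HMAC without the key.
    header_b64, payload_b64, signature_b64 = token.split(".")
    payload = json.loads(_b64url_decode(payload_b64))
    payload.update(changes)
    return f"{header_b64}.{_json_segment(payload)}.{signature_b64}"


def demo() -> dict:
    """Run the verifier on a valid token and three attack cases (all inputs constructed)."""
    key = b"constructed-demo-key-do-not-reuse-32b"  # production: 32+ random bytes from os.urandom
    now = 1_700_000_000
    token = mint_session_token(key, "user-123", "member", ttl_seconds=3600, now=now)
    results = {}
    payload = verify_session_token(key, token, now=now + 10)
    results["valid"] = payload["sub"] == "user-123" and payload["role"] == "member"
    none_header = _json_segment({"alg": "none", "typ": "JWT"})
    cases = [
        ("tampered_rejected", _forge_payload(token, role="admin"), now + 10),
        ("alg_none_rejected", f"{none_header}.{token.split('.')[1]}.", now + 10),
        ("expired_rejected", token, now + 3600),
    ]
    for name, bad_token, when in cases:
        try:
            verify_session_token(key, bad_token, now=when)
            results[name] = False
        except InvalidToken:
            results[name] = True
    return results


if __name__ == "__main__":
    print(demo())
```

When the token is stored in a cookie, set it with the Secure, HttpOnly and SameSite attributes so it is sent only over HTTPS and is not readable by page scripts; the HMAC key must be random, at least 32 bytes, kept out of source control, and rotated with an overlap period so tokens signed under the previous key can still be verified until they expire.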

Data Transmission Protection

Data in transit protected with HTTPS (TLS) to ensure confidentiality and integrity.

Data Storage Protection

Data at rest protected with AES encryption.

Physical Security of Processing Locations

Data hosting provider DigitalOcean complies with SOC 2 and ISO 27001 standards for physical security.

Event Logging

Comprehensive access logs, including IP addresses, user IDs, actions taken, and roles, encrypted at rest and retained for one year.

Data Minimization

A maintained data inventory ensuring that collection and processing are limited to what is necessary for the purposes set out in Annex II (data minimization).

Limited Data Retention

Data retention policies that record a creation date and an expiry date for each data set, so that data is deleted when it is no longer needed unless legal or regulatory requirements require longer storage.

Technical and Organizational Measures for Sub-Processors

Sub-processors required to implement technical and organizational measures, including encryption and adherence to data minimization and retention policies.

ANNEX 4

Cleon1 collaborates with third-party entities to perform specific activities in relation to Cleon1 Services.

Under GDPR, third-party service providers engaged by Cleon1 to process personal data on behalf of Cleon1 Users are considered sub-processors.

We mandate these service providers to commit contractually to safeguard the security and confidentiality of the personal data they process for us.

Name: fly.io
Data: Cleon1 Users' data
Purpose of Processing: Cloud service provider
Country: USA

Name: Hotjar
Data: Cleon1 Users' names, location data (country, region, city), product usage information (page views, clicks, browsing behavior), browser and device details
Purpose of Processing: Website and product analytics
Country: EU

Name: Google
Data: Cleon1 Users' data
Purpose of Processing: Website and product analytics
Country: USA

Name: Slack
Data: Cleon1 Users' data
Purpose of Processing: Internal communication platform
Country: USA

Name: Stripe
Data: Cleon1 Users' payment data
Purpose of Processing: Payment processor
Country: USA

Name: Make
Data: Cleon1 Users' data
Purpose of Processing: Workflow automations
Country: EU