Data Processing Terms
(v25.02.1)
These terms (the “Data Processing Terms”) are incorporated in full into each Order between Vorboss Limited, a company incorporated in England and Wales (company number 05678571), with Registered Office 10 Exchange Square, London, United Kingdom, EC2A 2BR (“Vorboss”) and the counterparty detailed in the Order (the “Customer”) (each a “Party” and together “Parties”). Capitalised terms not defined in these Data Processing Terms shall have the meaning set out in the General Terms where applicable.
1. SCOPE OF THESE DATA PROCESSING TERMS
1.1 A Customer or its end users may provide data to Vorboss under or through the Services (“Customer Data”). That Customer Data may include Personal Data (“Customer Personal Data”).
1.2 These Data Processing Terms apply to the Processing of Customer Personal Data that is subject to Data Protection Law under any Agreements between the Parties.
1.3 The following definitions shall apply in these Data Processing Terms:
(A) Commissioner: the Information Commissioner (see Article 4(A3), UK GDPR and section 114, DPA 2018 (as defined below));
(B) Data Protection Law: all applicable data protection and privacy legislation in force from time to time in the UK including without limitation the UK GDPR; the Data Protection Act 2018 (and regulations made thereunder) (“DPA 2018”); the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426) as amended; and all other legislation and regulatory requirements in force from time to time which apply to a Party relating to the use of Personal Data (including the privacy of electronic communications); and
(C) UK GDPR: has the meaning given to it in section 3(10) (as supplemented by section 205(4)) of the DPA 2018.
1.4 Terms such as “Process”, “Processing”, “Personal Data”, “Personal Data Breach”, “Data Subject”, “Data Controller” and “Data Processor” shall have the meaning ascribed to them in the Data Protection Law.
1.5 Vorboss may act as Data Controller in respect of certain Personal Data provided by Customer to Vorboss. This includes, for example, account information (such as usernames, email addresses and billing information) that Customer provides to Vorboss in connection with the creation and administration of Customer’s account. These Data Processing Terms do not apply where Vorboss Processes such data as Data Controller.
1.6 Schedule 1 describes the subject matter, duration, nature and purpose of the Processing and the Personal Data categories and Data Subject types in respect of which Vorboss may Process the Customer Personal Data.
2. ROLES AND RESPONSIBILITIES
2.1 Customer is the Data Controller of the Customer Personal Data covered by these Data Processing Terms. The Customer will determine the scope, purposes and manner by which the Customer Personal Data may be accessed or Processed by Vorboss.
2.2 Vorboss provides many of its customers with computing infrastructure as a service (“IaaS”). In such cases, Customer has the flexibility to choose how to use the IaaS and, for example, what data to Process on the infrastructure. In such cases, Vorboss will be unaware whether the IaaS is being used to Process Personal Data. In such cases, Vorboss will not be able to ascertain the basis for any Processing or how the IaaS is used.
2.3 Customer will:
(A) comply with its obligations as a Data Controller under Data Protection Law in how it Processes Customer Personal Data and when giving instructions to Vorboss;
(B) provide notice and/or obtain all consents and rights necessary for Vorboss to Process Customer Personal Data under the Agreements and provide the Services, and will ensure it keeps a record of these; and
(C) immediately give notice to Vorboss of any revocation of consent or similar related to Customer Personal Data covered by these Data Processing Terms.
2.4 Vorboss is the Data Processor. Vorboss shall only Process Client Personal Data for the Authorised Purposes (as defined below) and on the documented instructions of Customer, unless Vorboss is required by applicable laws to otherwise Process that Client Personal Data. Where Vorboss relies on applicable laws as the basis for Processing Client Personal Data, Vorboss shall notify Customer of this before performing the relevant Processing unless those applicable laws prohibit Vorboss from so notifying Customer on important grounds of public interest.
2.5 Vorboss will Process the Customer Personal Data only for the following purposes (“Authorised Purposes”):
(A) to perform Services in accordance with the Agreements;
(B) to perform any of the steps necessary for the Services; and
(C) to comply with any other lawful and reasonable written instructions from Customer that are consistent with the Agreements.
2.6 Where Vorboss is unable to Process Customer Personal Data under clause 2.4 because of a legal obligation (including under Data Protection Law), Vorboss shall inform Customer unless the law prohibits this.
3. CONFIDENTIALITY
3.1 Without prejudice to the existing contractual confidentiality arrangements between the Parties, Vorboss shall ensure any person authorised by Vorboss to Process Customer Personal Data has signed an appropriate confidentiality agreement, is otherwise bound to a duty of confidentiality, or is under an appropriate statutory obligation of confidentiality.
4. SECURITY
4.1 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, without prejudice to any other security standards agreed upon by the Parties, Vorboss and Customer shall implement appropriate technical and organisational measures to ensure a level of security of the processing of Customer Personal Data appropriate to the risk. These measures shall include as appropriate: (a) the measures referred to in Article 32(1) of the UK GDPR; and (b) the measures further detailed in Schedule 2.
4.2 In assessing the appropriate level of security, account shall be taken in particular of all the risks that are presented by Processing, for example from accidental or unlawful destruction, loss, or alteration, unauthorised or unlawful storage, Processing, access or disclosure of Customer Personal Data.
4.3 Where Vorboss provides IaaS to Customer, Customer will be responsible for the requirements set out in clause 4.1 within the IaaS provided.
4.4 Vorboss will maintain records of its security standards and certifications. Upon Customer’s written request, Vorboss will provide (on a confidential basis) copies of relevant external certifications, audit report summaries and/or other documentation as reasonably required by Customer to satisfy it of compliance with these Data Processing Terms. Vorboss shall in addition provide responses to Customer’s reasonable written questions relating to information security as necessary to confirm compliance with these Data Processing Terms.
4.5 Customer acknowledges that security measures are constantly being improved and Vorboss may update these measures and the related policies, provided that these do not reduce the overall security of Customer’s Services.
5. TRANSFER
5.1 Vorboss will not transfer any Customer Personal Data outside the European Economic Area without Customer’s written authorisation.
5.2 Where such consent is granted, Vorboss may only Process, or permit the Processing, of the Customer Personal Data outside the European Economic Area under the following conditions:
(A) Vorboss is Processing the Personal Data in a territory which is subject to adequacy regulations under Data Protection Law that the territory provides adequate protection for the privacy rights of individuals; or
(B) Vorboss participates in a valid cross-border transfer mechanism under Data Protection Law, so that Vorboss (and, where appropriate, Customer) can ensure that appropriate safeguards are in place to ensure an adequate level of protection with respect to the privacy rights of individuals as required by Article 46 of the UK GDPR; or
(C) the transfer otherwise complies with Data Protection Law (for example, where Customer has consented to it or there is a specific exception which applies under Data Protection Law).
5.3 If any Personal Data transfer between Customer and Vorboss requires execution of standard contractual clauses (“SCCs”) in order to comply with Data Protection Law, the Parties will complete all relevant details in, and execute, the SCCs adopted by the Commissioner (or other relevant supervisory authorities or regulators) from time to time, and take all other actions required to legitimise the transfer.
6. INCIDENT MANAGEMENT
6.1 Where Vorboss provides IaaS to Customer, Vorboss will not review the Customer Data to determine whether any Customer Data affected by any Personal Data Breach has any particular legal requirements. Customer will be solely responsible for reviewing the affected Customer Data and fulfilling any notification or other requirements.
6.2 Vorboss shall, upon becoming aware of a Personal Data Breach affecting Customer’s Services:
(A) without undue delay notify Customer about the Personal Data Breach; and
(B) at all times cooperate with Customer, and shall follow Customer’s reasonable instructions relating to the Personal Data Breach, to enable Customer to perform a thorough investigation into the Personal Data Breach, to formulate a correct response, and to take suitable further steps in respect of the Personal Data Breach.
7. SUB-PROCESSORS
7.1 Vorboss will not subcontract any of its Service-related activities consisting (partly) of the Processing of Personal Data or requiring Customer Personal Data to be Processed by any third party without the prior written authorisation of Customer.
7.2 Vorboss will ensure that any sub-processor is bound by materially the same data protection obligations contained in these Data Processing Terms and must, in particular, ensure that the sub-processor meets the requirements of Data Protection Law.
7.3 Even if authorised under clause 7.1, Vorboss shall remain responsible for ensuring that the sub-processor’s Processing of Customer Personal Data meets these Data Processing Terms.
8. RETURN OR DESTRUCTION OF PERSONAL DATA
8.1 This clause 8 shall apply where Customer Personal Data no longer needs to be Processed by Vorboss because: (a) the Agreements or any Order has been terminated; and/or (b) all purposes for the Processing of Customer Personal Data in relation to the Services have been fulfilled.
8.2 Customer may make a written request for Vorboss to delete, destroy or (at Customer’s request) return all Customer Personal Data to Customer and delete, destroy or return any existing copies, unless the law requires storage. Vorboss shall in such cases notify within 25 Business Days that this clause has been complied with.
8.3 Where Customer does not make a request under clause 8.2 within 30 days, Vorboss will delete or destroy all Customer Data in accordance with applicable law. Vorboss will complete this as soon as reasonably practicable and within a maximum period of 180 days, unless the law requires storage.
8.4 Where Vorboss provides IaaS to Customer, Customer shall be solely responsible for deleting Customer Personal Data from within the IaaS provided, or alternatively instructing Vorboss to delete or destroy the entire relevant IaaS Service (e.g. the virtual machine containing any Customer Personal Data).
8.5 Customer shall be responsible for exporting any Customer Data that it wishes to retain before clause 8.1 applies.
9. ASSISTANCE TO DATA CONTROLLER
9.1 Vorboss shall, taking into account the nature of processing and the information available, assist Customer by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of Customer’s obligation to respond to requests for exercising the data subject’s rights under Data Protection Law.
9.2 Vorboss shall assist Customer in meeting Customer’s compliance obligations under Data Protection Law, taking into account the nature of Vorboss’ Processing and the information available to Vorboss, including in relation to security, breach notifications, impact assessments and consultations with the Commissioner (or other relevant supervisory authorities or regulators) under Data Protection Law.
9.3 Vorboss shall make available to Customer all information necessary to demonstrate compliance with Customer’s obligations under Data Protection Law and allow for reasonable audits by Customer, or by Customer’s designated auditor, for this purpose on reasonable written notice.
10. LIABILITY AND INDEMNITY
10.1 Vorboss indemnifies Customer and holds Customer harmless against all claims arising in connection with a breach of these Data Processing Terms by Vorboss.
10.2 Customer indemnifies Vorboss and holds Vorboss harmless against all claims arising in connection with a breach of these Data Processing Terms by Customer.
11. DURATION AND TERMINATION
11.1 These Data Processing Terms shall come into effect on the Commencement Date of the Order into which the Data Processing Terms are incorporated, and shall remain in force for the duration of that Order.
11.2 Termination or expiry of these Data Processing Terms shall not discharge Vorboss from its confidentiality obligations under clause 3.
12. MISCELLANEOUS
12.1 In the event of any inconsistency between these Data Processing Terms and any other terms in the Agreements in relation to those matters covered by clause 1.2, these Data Processing Terms shall prevail.
12.2 As set out in the General Terms, the Agreements shall be governed by and interpreted in accordance with the laws of England, the courts of England shall have exclusive jurisdiction to settle any disputes (including non-contractual disputes) arising out of or in connection with the Agreements, and the Parties hereby submit to the exclusive jurisdiction of the English courts.
13. SCHEDULE 1: SUBJECT MATTER AND DETAILS OF PROCESSING
13.1 Subject matter: Vorboss Services provided to Customer, including compute, storage and content delivery on the Vorboss network.
13.2 Duration of Processing: As per clause 11.
13.3 Purpose of Processing: For the Authorised Purposes (as defined above).
13.4 Categories of Personal Data: As per clauses 1.1 and 1.2.
13.5 Data Subjects: Data Subjects include individuals about whom Customer Personal Data is provided to Vorboss.
14. SCHEDULE 2: SECURITY MEASURES
14.1 Vorboss takes security extremely seriously and maintains security policies and procedures that are assessed and regularly audited against ISO 27001 and that cover all areas related to Processing Customer Data.
14.2 Physical Access Control: All Customer Data storage locations are monitored with CCTV and physical access controlled through a restricted list of named individuals.
14.3 Data and Administrative Access: Authentication, credential management, and privilege control systems restrict administrative access to systems to a limited number of authorised personnel.
14.4 Vorboss further has specific policies, within scope of its ISO 27001 certification, addressing the following areas:
(A) Removable Devices Policy defining requirements, encryption standards and limitations on use.
(B) Disposal of Media and Equipment Policy detailing the process for securely wiping, degaussing and physically destroying (as applicable) media and equipment after use.
(C) Use of Cryptographic Controls Policy setting out encryption usage, PKI, and transport encryption.
(D) Password Policy governing the generation, strength, storage and rotation of passwords, PINs and cryptographic private keys.
(E) Backup and Antivirus Policy dictating the usage of antivirus and anti-malware protection and detailing backup policy.
(F) Information Security Events, Reporting and Investigation Procedure detailing the process to be followed upon discovery of any actual or perceived system weaknesses or breaches.