Data Processing Addendum

Last updated: February 2, 2026

1. Introduction and Scope

This Data Processing Addendum ("DPA") supplements and forms part of the Terms of Service between Cloud Path Strategies, LLC ("Processor," "we," "us," or "our") and the customer ("Controller," "you," or "your") who uses our services.

This DPA applies to the extent that we process Personal Data on your behalf in connection with the services we provide to you. This DPA is intended to ensure compliance with applicable data protection laws, including the General Data Protection Regulation (EU) 2016/679 ("GDPR") and other applicable privacy laws.

This DPA may be updated from time to time as our services evolve. We will notify you of material changes to this DPA.

2. Definitions

For purposes of this DPA, the following terms have the meanings set forth below:

  • "Controller" means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data.
  • "Processor" means a natural or legal person, public authority, agency, or other body which processes Personal Data on behalf of the Controller.
  • "Personal Data" means any information relating to an identified or identifiable natural person ("Data Subject").
  • "Processing" means any operation or set of operations performed on Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure, transmission, dissemination, or otherwise making available, alignment, combination, restriction, erasure, or destruction.
  • "Data Subject" means the natural person to whom Personal Data relates.
  • "Data Protection Laws" means all applicable laws and regulations relating to the processing, privacy, and use of Personal Data, including GDPR and other applicable privacy laws.
  • "Subprocessor" means any third party engaged by Processor to process Personal Data on behalf of Controller in connection with the services.

3. Roles of the Parties

The parties acknowledge and agree that with regard to the processing of Personal Data:

  • You are the Controller of Personal Data that you provide to us or that we process on your behalf in connection with the services.
  • We are the Processor of such Personal Data, processing it only on your documented instructions and in accordance with this DPA and applicable Data Protection Laws.
  • Each party will comply with its respective obligations under applicable Data Protection Laws.

We will process Personal Data only in accordance with your documented instructions, this DPA, and applicable Data Protection Laws. We will not process Personal Data for any purpose other than as necessary to provide the services to you, unless required by applicable law.

4. Processing Details

The details of processing are as follows:

  • Subject Matter: The processing of Personal Data in connection with the services provided by Processor to Controller.
  • Duration: The term of this DPA shall be coterminous with the term of the Terms of Service, unless earlier terminated in accordance with the terms herein.
  • Nature of Processing: Processing operations may include collection, storage, retrieval, use, transmission, and deletion of Personal Data as necessary to provide the services.
  • Purpose of Processing: Processing is performed for the purpose of providing, operating, and maintaining the services in accordance with the Terms of Service.

The specific categories of Personal Data and Data Subjects are determined by Controller based on Controller's use of the services. We process Personal Data only as necessary to provide the services and in accordance with Controller's instructions.

5. Data Types and Data Subjects

The types of Personal Data and categories of Data Subjects processed under this DPA depend on how Controller uses our services. Personal Data may include, but is not limited to:

  • Contact information (e.g., names, email addresses)
  • Account information and credentials
  • Content and data that Controller submits or processes through the services
  • Usage data and metadata related to Controller's use of the services

Data Subjects may include Controller's employees, customers, end users, or other individuals whose Personal Data Controller processes through the services.

6. Security Measures

We implement commercially reasonable technical and organizational measures designed to protect Personal Data against unauthorized access, alteration, disclosure, or destruction. These measures include, but are not limited to:

Technical Measures

  • Encryption of data in transit and at rest, where commercially reasonable
  • Access controls and authentication mechanisms
  • Regular security assessments and monitoring
  • Network security and firewall protection
  • Secure data backup and recovery procedures

Organizational Measures

  • Employee training on data protection and security
  • Confidentiality obligations for personnel with access to Personal Data
  • Incident response and breach notification procedures
  • Regular review and update of security policies and procedures

We reserve the right to update our security measures from time to time as our services evolve and as commercially reasonable security practices develop. We do not guarantee that our security measures will prevent all security incidents.

7. Subprocessors

We may engage Subprocessors to assist in providing the services. We will:

  • Ensure that Subprocessors are bound by data protection obligations that are substantially similar to those set forth in this DPA
  • Remain responsible for Subprocessors' compliance with this DPA
  • Notify you of any intended changes concerning the addition or replacement of Subprocessors

You may object to the appointment of a new Subprocessor by notifying us in writing within thirty (30) days of our notice. If you object, we will work with you in good faith to address your concerns. If we are unable to resolve your concerns, you may terminate the affected services in accordance with the Terms of Service.

A current list of Subprocessors, if any, may be provided upon request. This list may be updated from time to time as our services evolve.

8. International Data Transfers

Personal Data may be transferred to and processed in countries outside the European Economic Area ("EEA") or other jurisdictions where Data Protection Laws may differ from those in your jurisdiction.

Where such transfers occur, we will ensure that appropriate safeguards are in place, such as:

  • Standard Contractual Clauses ("SCCs") approved by the European Commission or other competent authority
  • Other transfer mechanisms recognized under applicable Data Protection Laws

By using our services, you consent to such transfers and the use of appropriate safeguards as described herein. We will provide details of specific transfer mechanisms upon request.

9. Assistance with Data Subject Rights

We will assist you in responding to requests from Data Subjects to exercise their rights under applicable Data Protection Laws, including:

  • Right of access
  • Right to rectification
  • Right to erasure ("right to be forgotten")
  • Right to restrict processing
  • Right to data portability
  • Right to object to processing

We will provide commercially reasonable assistance to enable you to respond to such requests. You are responsible for verifying the identity of Data Subjects making requests and for determining the appropriate response to such requests in accordance with applicable Data Protection Laws.

If we receive a request directly from a Data Subject, we will forward the request to you and will not respond directly to the Data Subject unless required by applicable law.

10. Breach Notification

We will notify you without undue delay after becoming aware of a Personal Data breach that affects Personal Data processed under this DPA. Our notification will include, to the extent known:

  • A description of the nature of the breach
  • The categories and approximate number of Data Subjects and Personal Data records concerned
  • The likely consequences of the breach
  • The measures we have taken or propose to take to address the breach

We will provide reasonable assistance to you in connection with any breach notification obligations you may have under applicable Data Protection Laws.

You are responsible for notifying relevant supervisory authorities and Data Subjects of any breach, as required by applicable Data Protection Laws.

11. Audits and Compliance

Upon reasonable written request, we will provide you with information reasonably necessary to demonstrate our compliance with this DPA, subject to appropriate confidentiality obligations.

You may request an audit of our compliance with this DPA, subject to the following conditions:

  • Audits must be conducted during normal business hours and with reasonable advance notice
  • Audits must not unreasonably interfere with our business operations
  • You are responsible for the costs of any audit
  • Audits must be conducted in accordance with appropriate confidentiality obligations

We may satisfy audit requests by providing certifications, attestations, or other documentation from qualified third parties, where commercially reasonable.

12. Term and Termination

This DPA shall remain in effect for as long as we process Personal Data on your behalf in connection with the services, unless earlier terminated in accordance with the Terms of Service.

Upon termination of the services, we will, at your option, either:

  • Return all Personal Data to you in a commonly used, machine-readable format, or
  • Delete all Personal Data, unless we are required by applicable law to retain it

This obligation does not apply to Personal Data that we are required to retain by applicable law or that we have archived on backup systems, which we will securely isolate and protect from further processing, except as required by applicable law.

13. Governing Law

This DPA shall be governed by and construed in accordance with the laws specified in the Terms of Service, without regard to its conflict of law provisions.

To the extent that this DPA addresses matters subject to GDPR or other EU data protection laws, those laws shall apply. Any disputes arising out of or relating to this DPA shall be resolved in accordance with the dispute resolution provisions of the Terms of Service.

14. Contact Information

If you have any questions about this Data Processing Addendum or our data processing practices, please contact us at:

Cloud Path Strategies, LLC

Email: support@CloudPathStrategies.com