Data Processing Agreement
Last updated: January 15, 2026
Document owner: Chief Privacy Officer (CPO) and General Counsel
Version: 3.0
Effective date: January 1, 2026
Last updated: January 15, 2026
Classification: Public — Trust Center
Review cadence: Annual, and upon changes to data protection law or processing activities
Company: Acme Cloud, Inc.
Address: 1200 Market Street, Suite 400, San Francisco, CA 94103, USA
Primary contacts: trust@acmecloud.com | security@acmecloud.com | privacy@acmecloud.com
Definitions
| Term | Definition |
|---|---|
| Applicable Data Protection Law | All laws and regulations relating to the processing of Personal Data applicable to the parties, including GDPR, UK GDPR, LGPD, CCPA/CPRA, and other jurisdictional requirements |
| Controller | The party that determines the purposes and means of Processing Personal Data |
| Customer Personal Data | Personal Data Processed by Acme Cloud on behalf of Customer pursuant to the Agreement |
| Data Exporter | The party transferring Personal Data to a third country |
| Data Importer | The party receiving Personal Data from a Data Exporter |
| Data Subject | The identified or identifiable natural person to whom Personal Data relates |
| DPIA | Data Protection Impact Assessment as required by GDPR Article 35 |
| DPO | Data Protection Officer appointed pursuant to GDPR Articles 37-39 |
| EEA | European Economic Area (EU member states plus Iceland, Liechtenstein, Norway) |
| GDPR | Regulation (EU) 2016/679 (General Data Protection Regulation) |
| Instructions | Customer's documented instructions regarding Processing of Customer Personal Data |
| Personal Data | Any information relating to an identified or identifiable natural person |
| Personal Data Breach | A breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data |
| Processing | Any operation performed on Personal Data (collection, storage, use, disclosure, deletion, etc.) |
| Processor | The party that Processes Personal Data on behalf of the Controller |
| SCCs | Standard Contractual Clauses for international data transfers adopted by the European Commission |
| Security Measures | Technical and organizational measures to protect Personal Data |
| Sensitive Personal Data | Special categories of Personal Data under GDPR Article 9, including health data, biometric data, racial/ethnic origin, religious beliefs, and similar categories under other laws |
| Subprocessor | A third party engaged by Acme Cloud to Process Customer Personal Data |
| Supervisory Authority | The data protection authority with jurisdiction over a party's Processing activities |
| UK GDPR | The retained EU law version of the GDPR as incorporated into UK law |
| UK IDTA | UK International Data Transfer Agreement |
Scope and Applicability
1.1 Agreement Incorporation
This Data Processing Agreement ("DPA") forms part of the Terms of Service or other agreement between Acme Cloud, Inc. ("Acme Cloud") and Customer governing Customer's use of Acme Cloud services (the "Agreement"). This DPA applies to all Processing of Customer Personal Data by Acme Cloud in connection with the Agreement.
1.2 Order of Precedence
In the event of conflict, the following order of precedence applies:
| Precedence Level | Document | Purpose |
|---|---|---|
| 1 (Highest) | SCCs/UK IDTA Appendices | Mandatory data transfer terms |
| 2 | This DPA | Data protection terms |
| 3 | Agreement | General service terms |
| 4 | Privacy Policy | Acme Cloud controller processing |
1.3 Scope of Processing
This DPA applies when Acme Cloud Processes Customer Personal Data:
| Processing Activity | Covered by DPA | Acme Cloud Role |
|---|---|---|
| Platform data storage and processing | Yes | Processor |
| Customer support with data access | Yes | Processor |
| Analytics on customer usage (aggregated) | No (anonymized) | Controller |
| Account management and billing | No | Controller |
| Security monitoring | Yes | Processor |
| Backup and disaster recovery | Yes | Processor |
1.4 Data Processing Details
| Category | Details |
|---|---|
| Subject matter | Providing the Acme Cloud SaaS platform services |
| Duration | Term of the Agreement plus data retention period |
| Nature of Processing | Collection, storage, organization, retrieval, use, transmission, deletion |
| Purpose | Performing services under the Agreement |
| Types of Personal Data | As determined by Customer (see Annex I) |
| Categories of Data Subjects | As determined by Customer (see Annex I) |
Controller and Processor Roles
2.1 Role Determination
| Processing Context | Customer Role | Acme Cloud Role | Governing Terms |
|---|---|---|---|
| Customer Personal Data in platform | Controller | Processor | This DPA |
| Customer employee/user data | Controller | Processor | This DPA |
| Acme Cloud account data | Data Subject | Controller | Privacy Policy |
| Marketing interactions | Data Subject | Controller | Privacy Policy |
| Aggregated/anonymized analytics | N/A | Controller | Privacy Policy |
2.2 Joint Controller Scenarios
Where Acme Cloud and Customer are Joint Controllers for specific Processing activities:
| Activity | Respective Responsibilities | Documentation |
|---|---|---|
| Customer support (with PII access) | Customer: data accuracy; Acme Cloud: secure handling | Support terms |
| Collaborative troubleshooting | Customer: authorization; Acme Cloud: limited use | Support ticket |
| Shared analytics for improvement | Customer: consent; Acme Cloud: anonymization | Analytics addendum |
2.3 Processor Obligations Matrix
| GDPR Article | Requirement | Acme Cloud Implementation |
|---|---|---|
| Art. 28(3)(a) | Process only on documented instructions | Section 3.1 |
| Art. 28(3)(b) | Personnel confidentiality | Section 3.3 |
| Art. 28(3)(c) | Security measures | Section 4 |
| Art. 28(3)(d) | Subprocessor conditions | Section 5 |
| Art. 28(3)(e) | Data subject rights assistance | Section 6 |
| Art. 28(3)(f) | Breach notification assistance | Section 7 |
| Art. 28(3)(g) | DPIA and prior consultation assistance | Section 6.4 |
| Art. 28(3)(h) | Deletion or return | Section 8 |
| Art. 28(3)(h) | Audit and inspection | Section 9 |
Processing Instructions and Restrictions
3.1 Customer Instructions
Acme Cloud shall Process Customer Personal Data only in accordance with:
3.1.1. The documented instructions set forth in this DPA and the Agreement
3.1.2. Additional written instructions provided by Customer through authorized channels
3.1.3. As required by Applicable Data Protection Law (with notice to Customer where permitted)
| Instruction Type | Communication Method | Authorization Level |
|---|---|---|
| Standard processing | Agreement and DPA | Incorporated |
| Configuration changes | Platform settings | Account administrator |
| Additional instructions | Signed addendum | Authorized signatory |
| Urgent instructions | Email to designated contact | Verified administrator |
3.2 Instruction Conflicts
If Acme Cloud believes an instruction violates Applicable Data Protection Law:
Step 1: Notification
1.1. Acme Cloud promptly notifies Customer of the concern
1.2. Notification includes specific legal basis for concern
1.3. Acme Cloud may suspend execution pending resolution
Step 2: Resolution
2.1. Parties discuss and attempt to resolve concern
2.2. Customer may modify instruction
2.3. If unresolved, parties may escalate to counsel
Step 3: Documentation
3.1. Resolution documented in writing
3.2. Modified instructions incorporated
3.3. Acme Cloud resumes processing per resolution
3.3 Personnel Confidentiality
Acme Cloud ensures that personnel authorized to Process Customer Personal Data:
| Requirement | Implementation | Verification |
|---|---|---|
| Confidentiality commitment | Employment agreements with confidentiality | HR records |
| Security training | Annual security awareness training | Training records |
| Need-to-know access | Role-based access controls | Access reviews |
| Background checks | Pre-employment screening (where permitted) | HR records |
| Ongoing obligations | Confidentiality survives termination | Employment terms |
3.4 Processing Restrictions
Acme Cloud shall not:
| Prohibition | Exception |
|---|---|
| Sell Customer Personal Data | None |
| Share for cross-context behavioral advertising | None |
| Use for Acme Cloud's own commercial purposes | Aggregated/anonymized analytics |
| Retain longer than necessary | Legal obligation, dispute resolution |
| Process Sensitive Personal Data without authorization | BAA for PHI, explicit customer instruction |
| Transfer to third countries without safeguards | Approved transfer mechanisms |
Security Measures
4.1 Technical and Organizational Measures
Acme Cloud implements Security Measures appropriate to the risk, including:
| Security Domain | Measures | Verification |
|---|---|---|
| Access control | Role-based access, MFA, JIT provisioning | Access reviews, audit logs |
| Encryption | AES-256 at rest, TLS 1.2+ in transit | Technical configuration |
| Network security | VPC isolation, WAF, DDoS protection | Architecture review |
| Monitoring | SIEM, 24/7 SOC, anomaly detection | SOC 2 report |
| Incident response | Documented IR plan, tabletop exercises | IR records |
| Business continuity | Backup, replication, DR procedures | DR test results |
| Vulnerability management | Scanning, patching, penetration testing | Scan reports |
| Physical security | AWS data center controls | AWS SOC 2 |
4.2 Security Measures by Data Sensitivity
| Data Classification | Security Measures Applied |
|---|---|
| Standard Personal Data | Base security measures (Section 4.1) |
| Sensitive Personal Data | Enhanced access controls, field-level encryption |
| Protected Health Information | BAA controls, HIPAA safeguards, audit logging |
| Payment Card Data | PCI DSS controls, tokenization |
| Children's Data | Parental consent verification, enhanced deletion |
4.3 Security Documentation
Acme Cloud maintains documentation of Security Measures:
| Document | Availability | Update Frequency |
|---|---|---|
| Security Overview | Public (Trust Center) | Quarterly |
| Encryption Standards | Public (Trust Center) | Annual |
| SOC 2 Type II Report | Under NDA | Annual |
| Penetration Test Summary | Under NDA | Annual |
| Technical Security Whitepaper | Upon request | Annual |
4.4 Security Certifications
| Certification | Scope | Status | Renewal |
|---|---|---|---|
| SOC 2 Type II | Security, Availability, Confidentiality | Active | Annual |
| ISO 27001 | ISMS | In progress | Annual surveillance |
| CSA STAR | Cloud security | Planned | Annual |
Subprocessors
5.1 General Authorization
Customer provides general authorization for Acme Cloud to engage Subprocessors, subject to the conditions in this Section 5. The current list of Subprocessors is available at /subprocessor-list.
5.2 Subprocessor Requirements
Acme Cloud ensures each Subprocessor:
| Requirement | Verification | Ongoing |
|---|---|---|
| Contractual obligations equivalent to this DPA | Contract review | Contract monitoring |
| Appropriate Security Measures | Security assessment | Annual reassessment |
| Compliance with Applicable Data Protection Law | Due diligence | Compliance monitoring |
| Personnel confidentiality | Contract terms | Contract monitoring |
| Audit rights | Contract terms | As needed |
5.3 Subprocessor Notification Process
Step 1: Advance Notice
1.1. Acme Cloud provides thirty (30) days' advance notice of new Subprocessors
1.2. Notice includes Subprocessor name, location, and processing description
1.3. Notice sent via email to designated privacy contact
Step 2: Customer Review
2.1. Customer reviews proposed Subprocessor
2.2. Customer may request additional information
2.3. Acme Cloud provides reasonable information for assessment
Step 3: Objection Process
3.1. Customer may object in writing within notice period
3.2. Objection must state reasonable grounds related to data protection
3.3. Parties negotiate in good faith to resolve objection
Step 4: Resolution
4.1. Acme Cloud may: address concerns, offer alternative, or proceed
4.2. If unresolved, Customer may terminate affected services without penalty
4.3. Termination right is Customer's exclusive remedy
5.4 Subprocessor Categories
| Category | Examples | Processing Activity | Location |
|---|---|---|---|
| Infrastructure | AWS, Cloudflare | Hosting, CDN, security | US, EU |
| Support tools | Intercom, Zendesk | Customer support | US |
| Analytics | PostHog, Mixpanel | Product analytics | US, EU |
| Communication | SendGrid, Twilio | Transactional messaging | US |
| Security | CrowdStrike, Datadog | Security monitoring | US |
5.5 Subprocessor Liability
Acme Cloud remains liable to Customer for Subprocessor performance. If a Subprocessor fails to fulfill data protection obligations, Acme Cloud shall be liable as if Acme Cloud had failed to fulfill such obligations directly.
Data Subject Rights
6.1 Rights Assistance
Acme Cloud assists Customer in responding to Data Subject requests:
| Right | GDPR Article | Acme Cloud Assistance | Response Timeline |
|---|---|---|---|
| Access | Art. 15 | Provide data export, search capability | 5 business days |
| Rectification | Art. 16 | Self-service correction, API access | 5 business days |
| Erasure | Art. 17 | Deletion tools, confirmation | 10 business days |
| Restriction | Art. 18 | Processing restriction flags | 5 business days |
| Portability | Art. 20 | Machine-readable export | 5 business days |
| Objection | Art. 21 | Processing cessation tools | 5 business days |
| Automated decisions | Art. 22 | Human review capability | 5 business days |
6.2 Request Handling Process
Step 1: Request Receipt
1.1. Customer receives Data Subject request
1.2. Customer verifies Data Subject identity
1.3. Customer determines request validity and scope
Step 2: Acme Cloud Notification
2.1. If request relates to Customer Personal Data in Acme Cloud platform, Customer notifies Acme Cloud
2.2. Notification includes verified request details
2.3. Acme Cloud acknowledges within one (1) business day
Step 3: Acme Cloud Assistance
3.1. Acme Cloud provides requested assistance per Section 6.1
3.2. Customer compiles and provides response to Data Subject
3.3. Acme Cloud documents assistance provided
6.3 Direct Requests to Acme Cloud
If Acme Cloud receives a Data Subject request directly:
| Action | Timeline | Documentation |
|---|---|---|
| Redirect to Customer (if identifiable) | 3 business days | Request log |
| Inform Data Subject of redirect | 3 business days | Response record |
| Notify Customer (if identifiable) | 3 business days | Notification record |
| Respond if Customer unidentifiable | Per GDPR timelines | Response record |
6.4 DPIA and Consultation Assistance
Where Customer is required to conduct a DPIA or consult with a Supervisory Authority, Acme Cloud provides:
| Assistance Type | Scope | Timeline |
|---|---|---|
| Processing description | Nature, scope, context, purposes | 10 business days |
| Security documentation | Technical and organizational measures | 5 business days |
| Risk assessment input | Acme Cloud's risk analysis | 10 business days |
| Supervisory consultation | Participation as reasonably requested | Reasonable cooperation |
Personal Data Breach Notification
7.1 Breach Detection and Response
Acme Cloud maintains breach detection and response capabilities:
| Capability | Implementation | Coverage |
|---|---|---|
| Real-time monitoring | SIEM, anomaly detection | 24/7 |
| Incident response team | Trained IR personnel | 24/7 on-call |
| Forensic capability | Internal + external forensics | As needed |
| Communication procedures | Documented notification procedures | Tested annually |
7.2 Customer Notification
Upon becoming aware of a Personal Data Breach affecting Customer Personal Data, Acme Cloud shall:
Step 1: Initial Notification (within 48 hours)
1.1. Notify Customer of the breach
1.2. Provide initial information available at time of notification
1.3. Designate communication contact
Step 2: Detailed Information (as available)
2.1. Nature of the breach
2.2. Categories and approximate number of Data Subjects affected
2.3. Categories and approximate number of records affected
2.4. Likely consequences of the breach
2.5. Measures taken or proposed to address the breach
Step 3: Ongoing Updates
3.1. Provide updates as investigation proceeds
3.2. Respond to reasonable Customer inquiries
3.3. Coordinate on regulatory communications
7.3 Breach Notification Content
| Information Element | Initial Notification | Subsequent Updates |
|---|---|---|
| Date/time of breach discovery | Required | If refined |
| Nature of breach | High-level description | Detailed description |
| Data categories affected | If known | Confirmed list |
| Data subjects affected | Approximate number | Refined number |
| Containment actions | Immediate steps | Comprehensive steps |
| Root cause | Preliminary | Confirmed |
| Remediation plan | Initial plan | Updated plan |
| Acme Cloud contact | Name and contact info | Updates if changed |
7.4 Customer Obligations
Customer remains responsible for:
| Obligation | Acme Cloud Support |
|---|---|
| Supervisory Authority notification | Information for notification |
| Data Subject notification | Information for notification |
| Regulatory response | Cooperation, documentation |
| Determining notification necessity | Legal assessment input |
Data Retention and Deletion
8.1 Retention During Agreement
During the Agreement term, Acme Cloud retains Customer Personal Data:
| Data Type | Retention Period | Deletion Trigger |
|---|---|---|
| Active account data | Account lifetime | Account termination |
| Deleted data (soft delete) | 30 days | Automatic permanent deletion |
| Backup data | 90 days rolling | Automatic rotation |
| Audit logs | 7 years | Automatic deletion |
| Support tickets with PII | 3 years | Automatic deletion |
8.2 Post-Termination Handling
Upon Agreement termination or expiration:
Step 1: Data Export Period (30 days)
1.1. Customer may export Customer Personal Data via platform tools
1.2. Acme Cloud provides reasonable export assistance
1.3. Data remains accessible in read-only mode
Step 2: Deletion (after export period)
2.1. Acme Cloud deletes Customer Personal Data from production systems
2.2. Deletion completed within 30 days of export period end
2.3. Customer notified of deletion completion
Step 3: Backup Purge (90 days after deletion)
3.1. Customer Personal Data purged from backups
3.2. Purge occurs through normal backup rotation
3.3. Accelerated purge available upon request (additional fee may apply)
8.3 Deletion Exceptions
Acme Cloud may retain Customer Personal Data beyond standard periods:
| Exception | Duration | Customer Notification |
|---|---|---|
| Legal hold | Duration of hold | Where legally permitted |
| Dispute resolution | Duration of dispute | Upon dispute initiation |
| Regulatory requirement | Per regulation | Where legally permitted |
| Anonymized for analytics | Indefinite | N/A (no longer Personal Data) |
8.4 Deletion Certification
Upon Customer request, Acme Cloud provides written certification of deletion:
| Certificate Element | Content |
|---|---|
| Deletion scope | Customer Personal Data deleted |
| Deletion date | Date of final deletion |
| Deletion method | Cryptographic erasure, physical destruction |
| Exceptions | Any data retained per Section 8.3 |
| Authorized signature | Acme Cloud privacy officer |
Audit Rights
9.1 Audit Methods
Customer may verify Acme Cloud's compliance through:
| Method | Availability | Cost |
|---|---|---|
| SOC 2 Type II report | Upon request (under NDA) | No charge |
| Security questionnaire completion | Annual | No charge |
| Penetration test executive summary | Upon request (under NDA) | No charge |
| Additional certifications | Upon availability | No charge |
| Customer-conducted audit | Per Section 9.2 | Customer's cost |
9.2 On-Site Audit Procedures
If Customer requires an on-site audit:
Step 1: Audit Request
1.1. Customer provides thirty (30) days' written notice
1.2. Notice includes proposed scope, timing, and auditors
1.3. Acme Cloud confirms or proposes alternatives within ten (10) days
Step 2: Audit Planning
2.1. Parties agree on audit plan
2.2. Auditors execute confidentiality agreements
2.3. Acme Cloud prepares relevant documentation
Step 3: Audit Execution
3.1. Audit conducted during normal business hours
3.2. Acme Cloud personnel available for interviews
3.3. Access to relevant systems and documentation provided
Step 4: Audit Completion
4.1. Auditor provides draft findings to Acme Cloud
4.2. Acme Cloud may provide factual corrections
4.3. Final report shared with Customer and Acme Cloud
9.3 Audit Limitations
| Limitation | Rationale |
|---|---|
| One audit per year (absent breach) | Operational efficiency |
| 30 days' advance notice | Preparation time |
| Business hours only | Minimize disruption |
| No access to other customer data | Confidentiality |
| Acme Cloud confidential information protected | Trade secrets |
| Auditor confidentiality required | Information protection |
International Data Transfers
10.1 Transfer Mechanisms
For transfers of Customer Personal Data outside the EEA, UK, or Switzerland:
| Transfer Route | Primary Mechanism | Supplementary Measures |
|---|---|---|
| EEA to US | EU-US Data Privacy Framework | TIA completed |
| EEA to other third countries | SCCs (2021) | TIA, encryption |
| UK to US | UK Extension to DPF | TIA completed |
| UK to other third countries | UK IDTA | TIA, encryption |
| Switzerland to US | Swiss-US DPF | TIA completed |
10.2 Standard Contractual Clauses
The EU SCCs (Commission Decision 2021/914) are incorporated by reference:
| SCC Module | Application | Parties |
|---|---|---|
| Module 2 (Controller to Processor) | Customer Personal Data | Customer (exporter), Acme Cloud (importer) |
| Module 3 (Processor to Processor) | Subprocessor transfers | Acme Cloud (exporter), Subprocessor (importer) |
SCC configuration:
| Clause | Selection |
|---|---|
| Clause 7 (Docking) | Included |
| Clause 9 (Subprocessors) | Option 2 (general authorization) |
| Clause 11 (Redress) | Option (independent dispute resolution) not selected |
| Clause 17 (Governing Law) | Ireland |
| Clause 18 (Forum) | Ireland |
10.3 Transfer Impact Assessment
Acme Cloud maintains Transfer Impact Assessments for US transfers:
| Assessment Element | Acme Cloud Position |
|---|---|
| US legal framework | EO 14086, FISA 702, law enforcement access |
| Acme Cloud's experience | No national security orders to date |
| Technical measures | Encryption at rest and in transit, access controls |
| Contractual measures | SCCs, DPA commitments |
| Organizational measures | Data minimization, access limitation |
| Overall assessment | Effective level of protection maintained |
10.4 Customer Cooperation on Transfers
Where Customer requires additional transfer documentation:
| Document Type | Acme Cloud Provision | Timeline |
|---|---|---|
| SCC annexes completion | Pre-populated, Customer review | 5 business days |
| TIA supporting documentation | Available upon request | 10 business days |
| Subprocessor transfer details | Subprocessor list with locations | Current list |
| UK IDTA tables | Pre-populated for UK customers | 5 business days |
CCPA/CPRA Addendum
11.1 Applicability
This section applies where Customer is a "Business" and Acme Cloud is a "Service Provider" under the California Consumer Privacy Act, as amended by the CPRA.
11.2 Service Provider Certification
Acme Cloud certifies that it:
| Requirement | Acme Cloud Compliance |
|---|---|
| Processes Personal Information only for documented business purposes | Yes - per Agreement |
| Does not sell or share Personal Information | Certified |
| Does not retain, use, or disclose for purposes other than Agreement | Certified |
| Does not combine with data from other sources (except as permitted) | Certified |
| Will notify if unable to comply | Committed |
11.3 CPRA-Specific Obligations
| CPRA Requirement | Acme Cloud Implementation |
|---|---|
| Right to Delete assistance | Deletion tools, assistance per Section 6 |
| Right to Correct assistance | Correction tools, assistance per Section 6 |
| Right to Know assistance | Export tools, assistance per Section 6 |
| Opt-out of sale/sharing | N/A (not selling/sharing) |
| Limit sensitive PI use | Process only per instructions |
| Security measures | Section 4 measures |
| Subcontractor obligations | Flow-down requirements to subcontractors |
Framework Mapping Appendix
GDPR Article 28 Compliance Matrix
| Art. 28 Requirement | DPA Section | Implementation |
|---|---|---|
| 28(1) - Sufficient guarantees | Section 4 | Security measures, certifications |
| 28(2) - Subprocessor engagement | Section 5 | Prior authorization, equivalent terms |
| 28(3)(a) - Documented instructions | Section 3.1 | Instruction framework |
| 28(3)(b) - Confidentiality | Section 3.3 | Personnel obligations |
| 28(3)(c) - Security measures | Section 4 | Technical and organizational measures |
| 28(3)(d) - Subprocessor conditions | Section 5 | Contract requirements |
| 28(3)(e) - Data subject rights | Section 6 | Assistance procedures |
| 28(3)(f) - Breach assistance | Section 7 | Notification and cooperation |
| 28(3)(g) - DPIA assistance | Section 6.4 | Information provision |
| 28(3)(h) - Deletion/return | Section 8 | Post-termination procedures |
| 28(3)(h) - Audit cooperation | Section 9 | Audit rights |
ISO 27701 Control Mapping
| ISO 27701 Control | DPA Section | Implementation |
|---|---|---|
| 7.2.1 - Purpose identification | Section 1.4 | Processing details |
| 7.2.2 - Lawful basis | Agreement | Customer's responsibility |
| 7.4.1 - Collection limitation | Section 3.4 | Processing restrictions |
| 7.4.5 - Retention | Section 8 | Retention and deletion |
| 7.5 - Sharing | Section 5 | Subprocessor management |
| 8.2 - Controller conditions | Section 2 | Role determination |
| 8.3 - Joint determination | Section 2.2 | Joint controller scenarios |
| 8.4 - Subprocessor conditions | Section 5 | Subprocessor requirements |
| 8.5 - International transfers | Section 10 | Transfer mechanisms |
Annexes
Annex I: Processing Description
| Element | Description |
|---|---|
| Subject matter | Provision of Acme Cloud SaaS platform services |
| Duration | Term of Agreement plus data retention period |
| Nature of Processing | Storage, organization, retrieval, transmission, deletion |
| Purpose | Delivering compliance management services |
| Categories of Data Subjects | Customer employees, customer customers, partners (as determined by Customer) |
| Types of Personal Data | Name, email, employment information, compliance data (as determined by Customer) |
| Sensitive Data | As uploaded by Customer (BAA required for PHI) |
Annex II: Technical and Organizational Measures
Detailed security measures are documented in /security-overview and /encryption-standards.
Annex III: Subprocessor List
Current subprocessor list is maintained at /subprocessor-list.
Related Trust Center documents
privacy policy, subprocessor list, security overview, encryption standards, data retention, terms of service
Document revision history
| Version | Date | Author | Summary of changes |
|---|---|---|---|
| 1.0 | 2024-06-01 | Legal & Compliance | Initial Trust Center publication |
| 2.0 | 2025-03-15 | GRC Program | SOC 2 Type II alignment refresh; expanded subprocessors |
| 2.5 | 2025-09-01 | Security Engineering | Encryption standards update; ISO 27001 mapping |
| 3.0 | 2026-01-15 | Trust Center Program | Full procurement-grade expansion; 34-document set |
Contact
Acme Cloud, Inc., 1200 Market Street, Suite 400, San Francisco, CA 94103, USA
| Channel | Email | Use case |
|---|---|---|
| Trust & procurement | trust@acmecloud.com | Security questionnaires, trust reviews |
| Security | security@acmecloud.com | Incidents, vulnerabilities, control questions |
| Privacy | privacy@acmecloud.com | DSRs, privacy assessments |
| Legal | legal@acmecloud.com | Contractual, DPA, legal notices |