This Data Processing Agreement (“DPA”) between Customer (the Controller”) and ABC Commerce Ltd. t/a Cloda (Company Registration No. 681244) (“the Processor”) reflects the parties’ agreement with regard to the Processing of Personal Data for the provision of services within this Agreement.

  1. Definitions

In this Agreement, the following terms shall have the meanings set out below and cognate terms shall be construed accordingly: 

“Sub-processor” means any Data Processor (including any third party) appointed by the Processor to process Controller Personal Data.

“Process/Processing/Processed”, “Data Controller”, “Data Processor”, “Data Subject”, “Personal Data”, “Special Categories of Personal Data” and any further definition not included under this Agreement or the Contracts shall have the same meaning as in EU General Data Protection Regulation 2016/679 of the European Parliament and of the Council (“GDPR”).

“Data Protection Laws” means EU General Data Protection Regulation 2016/679 of the European Parliament and of the Council (“GDPR”), The Data Protection Acts 1988 – 2018 and any further applicable data protection laws.

“Erasure” means the removal or destruction of Personal Data such that it cannot be recovered or reconstructed.

“EEA” means the European Economic Area.

“Third country” means any country outside EU/EEA, except where that country is the subject of a valid adequacy decision by the European Commission on the protection of Personal Data in Third Countries.

“Controller Personal Data” means the data described in Section 2 and any other Personal Data processed by Processor on behalf of the Controller pursuant to or in connection with the provision of the Services.

“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Controller Personal Data transmitted, stored or otherwise processed.

“Services” means the services to be supplied by the Processor to the Controller.

  1. Background


  • This Agreement governs the provision of services related to Cloda, the conversational sales platform provided by the Processor, and any related services
  • The Data Subjects whose Personal Data is being Processed as part of this Agreement includes the Controller’s customers.
  • The Personal Data processed within the Services provided by the Data Processor includes name, email address, postal address, postcode and phone number.


  1. Obligations and Rights of the Controller


  • Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the Controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with the GDPR.
  • The above measures shall be reviewed and updated where necessary. Where proportionate in relation to processing activities, the measures referred to in 3.1 shall include the implementation of appropriate data protection policies by the Controller.


  1. Data Processing


  • The Processor may, in line with the Services included within this Agreement, process Controller Personal Data on behalf of the Controller as per the terms of this Agreement. The Processor agrees to comply with provisions below in respect of all Controller Personal Data.
  • The Processor shall maintain all the technical and organisational measures necessary to comply with the requirements set forth in this Agreement.


  1. Processing of Controller Personal Data


  • The Processor shall only process personal data received from the Controller on documented instructions of the Controller (unless required by law to process personal data without such instructions) including in respect of international data transfers.
  • The Processor shall adhere to technical and organisational measures to ensure a level of security appropriate to the risk to the Data Subject represented by the processing.
  • The Processor shall ensure that all Controller Personal Data available to the Processor during the processing remains confidential at all times.
  • The Data Processor shall assist the Data Controller in the compliance of its obligations pursuant to Article 32 (Security of Data Processing), Articles 33 and 34 (Notification of Data Breaches) and Articles 35 and 36 (Data Protection Impact Assessments) of the GDPR.
  • Upon termination of the provision of the Services, the Data Processor shall return to the Controller in a commonly used machine-readable format, and securely delete existing copies of Controller Personal Data unless copies of the Personal Data need to be retained for compliance with the Data Processor’s statutory obligations. In cases where the Processor is required to securely delete Personal Data, the Processor should make available proof of same if requested to do so by the Controller.
  • The Processor shall make available to the Controller all information necessary to demonstrate compliance with Article 28 of the GDPR and the Processor shall allow for and contributes to audits conducted by the Controller or a third party on the Controller’s behalf.
  • The Processor shall notify the Controller in writing via email to the Customer’s email as soon as possible but no later than 24 hours after becoming aware of any accidental, unauthorised, or unlawful destruction, loss, alteration, or disclosure of, or access to, Controller Personal Data (“Security Breach”).  Such notification shall include
  • a detailed description of the Security Breach,
  • the type of data that was the subject of the Security Breach and
  • the identity of each affected person (or, where not possible, the approximate number of data subjects and of Personal Data records concerned).

The Processor shall communicate to the Controller in such notification

  • the name and contact details of the Processor’s Data Protection Officer or other point of contact where more information can be obtained;
  • a description of the likely consequences of the Security Breach;
  • a description of the measures taken or proposed to be taken by the Processor to address the Security Breach, including, where appropriate, measures to mitigate its possible adverse effects; and additionally in such notification or thereafter,
  • as soon as such information can be collected or otherwise becomes available, any other information the Controller may reasonably request relating to the Security Breach.
    • Transfers of Controller Personal Data to a third country or an international organisation shall only be undertaken on the direct instruction of the Data Controller save where the Data Processor is required to do so by law; in which case, the Data Processor shall inform the Data Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.
    • The Processor shall not sub-contract or outsource any Processing of Personal Data to any other person or entity, (“Sub-Processor”) unless and until the proposed sub-processor has been notified to the Data Controller in writing and the Data Controller has been afforded the opportunity to object to such processing prior to the processing taking place. Any sub-processors engaged by the Processor shall be governed by an Agreement with the Processor subject to the same data protection obligations as the Processor as set out in this Agreement. The Processor at all times remains directly liable to the Controller for the performance of a sub-processor’s data protection obligations.
    • The Processor shall be directly liable for any damage caused by the Processing of Personal Data under this Agreement in circumstances where the Processor has not complied with obligations in the GDPR specifically directed to Processors, or where it has acted outside, or contrary to lawful instructions of the Controller.

This Agreement shall be governed by the laws of Ireland and the parties hereby submit to the exclusive jurisdiction of the Irish Courts.