Legal

Data Transfer Addendum

Last updated:

This Data Transfers Addendum ("DTA") is incorporated by reference into the data processing agreement between the User and Kamasi, Inc. ("VCloud"). Any capitalized terms not defined here have the meanings given to them in your DPA or Agreement.

Order of Precedence

If more than one Data Transfer Mechanism could apply to a transfer of Personal Data, VCloud and the User agree that the transfer will be subject to one Data Transfer Mechanism only, according to the following order of precedence:

  1. The Data Privacy Framework
  2. The EEA Standard Contractual Clauses (SCCs) or the UK IDTA, as applicable

Data Privacy Framework

VCloud is self-certified under the EU–US Data Privacy Framework. When User transfers Personal Data originating from the EEA, the UK, or Switzerland to VCloud in the United States, VCloud will receive the Personal Data under the Data Privacy Framework.

VCloud will notify User without undue delay if its self-certification is withdrawn, terminated, revoked, or otherwise invalidated, in which case an alternative Data Transfer Mechanism will apply.

EU Standard Contractual Clauses

Module 1 (Controller to Controller), Module 2 (Controller to Processor), and Module 3 (Processor to Processor) of the EEA SCCs apply to transfers by User to VCloud of Personal Data subject to DP Law in the EEA and processed under User's DPA.

Module 1 — Controller to Controller

Applies when User acts as a Data Controller transferring Personal Data to VCloud acting as an independent Data Controller.

Module 2 — Controller to Processor

Applies when User acts as a Data Controller and VCloud processes Personal Data solely on User's behalf and instructions.

Module 3 — Processor to Processor

Applies when User itself acts as a Data Processor on behalf of its own Data Controllers, and VCloud acts as a Sub-Processor.

UK International Data Transfer Addendum

The UK IDTA applies to transfers by User to VCloud of Personal Data subject to DP Law in the United Kingdom. The IDTA supplements the EEA SCCs as adapted in this DTA.

Personal Data Transfers from Switzerland

The EEA SCCs, adapted as follows, apply to transfers subject to the Swiss Federal Act on Data Protection (FADP):

  • References to "Member State" will not exclude data subjects in Switzerland from suing for their rights in Switzerland.
  • The Swiss Federal Data Protection and Information Commissioner acts as the competent supervisory authority to the extent Swiss FADP governs the transfer.

Supplemental Security Clauses

  • Encryption — Personal Data is encrypted in transit (TLS 1.3) and at rest (AES-256).
  • FISA 702 — VCloud will resist, to the extent permitted by law, any request under Section 702 of the Foreign Intelligence Surveillance Act.
  • Legal challenges — VCloud will use reasonably available legal mechanisms to challenge any demands for data access through national security processes.
  • Notification — VCloud will notify User of any binding legal demand for Personal Data, unless prohibited by law.
  • DPO oversight — VCloud's Data Protection Officer maintains oversight of all international data transfer practices.

Operation of the EEA SCCs

Instructions

The DPA and the Agreement constitute User's complete and final instructions for Processing of Personal Data. Additional instructions must be agreed separately in writing.

Audit Rights

User exercises its audit right under Clause 8.9 of the SCCs by instructing VCloud to comply with the audit measures described in the DPA.

Sub-processor Agreements

Upon request, VCloud will provide copies of Sub-processor agreements, with commercial information redacted, as required under Clause 9(c) of the applicable SCCs module.

Limitation of Liability

To the greatest extent permitted by law, the limitations and exclusions of liability in the Agreement apply to the EEA SCCs.

Personal Data Transfers from Brazil

The Brazilian Standard Contractual Clauses (Brazilian SCCs) apply to the transfer of Personal Data subject to the Brazilian General Data Protection Law (LGPD) from Brazil to a third country without an adequacy decision from the Brazilian National Data Protection Authority (ANPD).

Contact

For questions about this Data Transfer Addendum, contact privacy@vcloud.app.