Media Management
Broadcast Management
Support
Resources
About
DPA - Header image

AGREEMENT ON COMMISSIONED DATA PROCESSING

September 2020 (Last updated: September 11, 2020)


Contractual Parties

This Agreement on Commissioned Data Processing (hereinafter referred to as "DP Agreement") is entered into between Vidispine AB, Kista Alléväg 3, 164 55 Kista, Sweden (hereinafter referred to as the “Contractor” or “Vidispine”) and the client, who has registered for the Vidinet Portal under https://www.vidinet.net/register by accepting the Terms of Service for Vidinet SaaS, available under https://www.vidinet.net/terms (hereinafter referred to as the „Client”).


1. PREAMBLE

This DP Agreement regulates the obligations of the contracting parties in connection with the processing of personal data on behalf of the Client by the Contractor within the framework of the Main Contract. This DP Agreement replaces previous data protection agreements between the parties.


2. DEFINITIONS

The terms used in this DP Agreement correspond to the definitions of the GDPR, unless otherwise specified. Client’s Data shall exclusively mean personal data which, in connection with the Main Contract, has either been provided to the Contractor by the Client or collected by the Contractor exclusively for the Client on the Client's behalf. Main Contract means the agreement for access to the Vidinet Portal, a cloud based platform which provides various software-as-a-service products and the usage of such software-as-a-service products, for which Client has registered under https://www.vidinet.net/register and has accepted the Terms of Service for Vidinet SaaS, available under https://www.vidinet.net/terms. TOM are technical and organizational measures listed at the URL specified in Appendix TOM (as amended from time to time). Processing category means the categorization of processing operations carried out by the Contractor on behalf of the Client, the definition of which is given in the Appendix TOM.


3. OBJECT AND DURATION OF PROCESSING; NATURE, PURPOSE AND MEANS OF PROCESSING; NATURE OF PERSONAL DATA AND CATEGORIES OF DATA SUBJECTS

3.1 The respective civil law assignment by the Client is regulated in the Main Contract itself. Modalities (e.g. object, duration, type, purpose, means, categories of data) of order processing in the context of the Main Contract are set out in the Appendix Concretization of Processing (as amended from time to time). The present DP Agreement including its Appendix TOM forms a concrete DP Agreement together with the (respective) Appendix Concretization of Processing and forms a contractual unit with the underlying Main Con-tract. For the sake of clarification, the parties note that the 'Concretization of Processing' may summarize similar operations (e.g. similar processing).

3.2 Within the scope of the performance of the Main Contract and in compliance with the provisions of these General Terms and Conditions and this DP Agreement, the Contractor shall be entitled to carry out all necessary processing steps with regard to the Client's Data (e.g. duplication of data for loss protection, creation of log files, intermediate files and work areas) insofar as this does not lead to a content modification of the Client's Data.


4. OBLIGATION OF THE CONTRACTOR TO FOLLOW INSTRUCTIONS

4.1 The Contractor is a Processor as defined by Article 4 No. 8 GDPR and may only process the Client's Data within this DP Agreement and for the purposes of the Main Contract, including these General Contract Terms and Conditions and the Client's instructions, unless he is legally obliged to process them. In this case, the Contractor shall notify the Client of these legal requirements in writing or by e-mail (writing), unless the law in question prohibits such notification because of an important public interest.

4.2 Instructions are documented instructions of the Client directed at a specific processing of the Client's Data by the Contractor. They are initially determined by the Main Contract and the DP Agreement and can then be changed, supplemented or replaced by the Client by a single instruction (single instruction). The instructions of the Client must always be given in writing or by Client’s use of the Services (including the admin dashboard and other functionality of the Service); in exceptional cases verbal instructions given must be confirmed by the Client immediately in writing. The Contractor's activities on the basis of instructions that go beyond the contractually agreed scope of services of the Main Contract shall be treated as requests for changes. 

4.3  Persons authorized to issue instructions on the part of the Client and persons authorized to receive instructions on the part of the Contractor shall be notified to the other party. The respective party shall immediately inform the other party of any change of this person in writing.

4.4 The Contractor shall not be obliged under substantive law to inspect instructions issued by the Client. However, if the Contractor is of the opinion that an instruction of the Client violates data protection provisions, he shall inform the Client without delay. In this respect, the Contractor shall be entitled to suspend the execution of the relevant instruction until the Client has confirmed or amended it (at least in writing). If the Client adheres to the instructions given and if the Contractor considers that the implementation of such instructions continues to require the Contractor to act unlawfully, the Contractor shall be entitled not to carry out the processing.


5. DUTIES OF THE CONTRACTOR

5.1 Within his area of responsibility, the Contractor shall meet TOM to adequately protect the Client's Data, which ensure the confidentiality, integrity, availability and resilience of the systems and services in connection with this order processing in the long term and have the ability to quickly restore the availability of the Client's Data and access to them in the event of a physical or technical incident. The data protection concept described in Appendix TOM (published at www.arvato-systems.com/TOM-en) represents the selection of the technical and organizational measures by the Contractor in accordance with the risk determined by him, taking into account the data protection objectives in accordance with the state of the art and in particular taking into account his own IT systems and processing methods. The Client has checked these data security measures offered by the Contractor in the Appendix TOM and assumes responsibility for ensuring that they are sufficient for Client's Data at the time of conclusion of the contract.

5.2 The Contractor reserves the right to change the TOM agreed upon, unless the level of protection laid down therein is undershot.

5.3 The Contractor has established a procedure to regularly review the effectiveness of the TOM and to ensure the security of the processing.

5.4 The Contractor guarantees that the employees involved in processing the Client's Data and other persons working for the Contractor shall only process these data in accordance with the instructions of the Client, unless they are legally obliged to process them. The Contractor further guarantees that the persons employed by him to process the Client's Data have committed themselves to confidentiality or are subject to an appropriate statutory duty of confidentiality. This obligation continues to exist even after termination of the contract.

5.5 The Contractor shall inform the Client without delay if he becomes aware of any violations of the protection of Client's Data. In this case, the Contractor may temporarily and at his own discretion take appropriate measures within his area of responsibility to protect the Client's Data and to mitigate possible adverse consequences. The Contractor shall inform the Client as soon as possible of any measures taken by him.

5.6 The contact person of the Contractor for any data protection questions that may arise is named in the Appendix Concretization of Processing.

5.7 The Contractor shall keep a list of processing activities in accordance with Article 30 para. 2 GDPR. He is authorized to make the list concerning this DP Agreement available to a supervisory authority at its request or the contracting authority can request this list from the Contractor if a supervisory authority so requests or if the contracting authority carries out audits or certifications.

5.8 The Contractor shall assist the Client, taking into account the nature of the processing and the information available to it, in complying with the obligations of the Client set out in Articles 32 to 36 GDPR.

5.9 Should the Client’s Data be endangered by seizure or confiscation, by insolvency or composition proceedings or by other events or measures of third parties, the Client shall be informed immediately by the Contractor, unless the law in question prohibits such notification due to an important public interest. The Contractor shall immediately inform the third party that the sovereignty and "ownership of the data" lies solely with the Client.


6. DUTIES OF THE CLIENT

6.1 The Client is the controller in the sense of the GDPR. Within the framework of these General Terms and Conditions, he shall bear undivided responsibility for compliance with the statutory provisions of the data protection laws, in particular for the legality of the transfer of data to the Contractor and for the legality of data processing. The Client is responsible for fulfilling the obligations set out in Articles 32 to 36 of the GDPR.

6.2 The Client shall inform the Contractor immediately and completely if he detects errors or irregularities with regard to data protection regulations during the examination of the order results.

6.3 The contact person of the Client for data protection issues is named in the Appendix Con-cretization of the Processing. 

6.4 The Client shall provide the Contractor with all information required by the Contractor for the maintenance of the record of categories of processing activities in accordance with Article 30 para. 2 GDPR.

6.5 The Client shall be responsible for evaluating and assessment of the effectiveness of the TOM agreed in order to guarantee the security of the processing. Insofar as the Client does not consider the TOM to be sufficient to guarantee the security of the processing (e.g. new risk assessment of the Client), the parties shall agree on corresponding changes and their commercial effects and implement them on the basis of a corresponding written change agreement (if the parties have agreed on a change procedure in the Main Contract, this shall apply). 

6.6 In the event of a claim against the Contractor by a data subject or a body named in Article 80 GDPR with regard to any claims pursuant to Articles 79 or 82 GDPR, the Client undertakes to support the Contractor in defending the claims. In this context, the Contractor shall be entitled to disclose details of the General Contract Terms, data processing and instructions of the Client to third parties for the purpose of defending these claims or for exculpation pursuant to Article 82 para. 3 GDPR.


7. PROTECTION OF RIGHTS OF DATA SUBJECTS

7.1 With regard to this DP Agreement, the Client is responsible for safeguarding the rights of the data subjects provided for in Chapter III of the GDPR. 
Insofar as the Contractor's cooperation is necessary for the protection of the rights of the data subjects (in particular with regard to information request, correction, blocking or erasure) by the Client, the Contractor shall support the Client upon request. The same applies to the provision of information.

7.2 If a data subject contacts the Contractor with the assertion of data protection rights regu-lated in the GDPR, the Contractor shall refer the data subject to the Client if it is possible to assign the inquiry of the data subject to the Client according to the information provided by the data subject.


8. SUBCONTRACTORS

8.1 The Client agrees that the Contractor may involve third parties ("subcontractors") in the performance of its contractually agreed services for the Client and the related processing of data, insofar as the requirements of Paragraph 8.2 and 8.3 are guaranteed.
Approval will be granted for the involvement of a company affiliated with the Contractor pursuant to §§ 15ff. AktG within the Arvato Systems Group (listed at www.arvato-systems.com/Subprocessors).
The subcontractors used for the Client at the time of the conclusion of the contract are named in the (respective) Appendix "Concretization of Processing". 
The Contractor shall inform the Client of any further subcontractors and any intended commissions of further subcontractors. Information on subcontractors appointed by the Contractor shall be sent to the person authorized to issue instructions (see Appendix "Concretization of Processing") of the Client or via publication on the website listed in the Appendix "Concretization of Processing".
The Client may object to changes of subcontractors for important data protection reasons to the person authorized to receive instructions (at least in writing). If no objection is made within a reasonable period of time, consent to the amendment shall be deemed to have been given. If there is an important data protection reason and an amicable solution between the parties is not possible, the Contractor may terminate the Main Contract and the DP Agreement for an important reason.

8.2 The Contractor shall subject the subcontractors commissioned by him to the same contractual data protection obligations to which he himself is subject in accordance with this DP Agreement.

8.3 If necessary, the Contractor shall conclude contracts with subcontractors on the basis of EU Standard Contractual Clauses, taking into account Article 44 et seq. GDPR. If and to the extent that data is collected and/or used by the subcontractor outside the EU, or of the EEA, the Client hereby authorizes the Contractor to conclude the EU Standard Contractual Clauses Controller to Processor on behalf of the Client with the subcontractor in such a way that either (i) the Client joins EU Standard Contractual Clauses existing between the subcontractor (as Processor) and the Contractor (as Controller) and acquires the same rights as the Contractor under the EU Standard Contractual Clauses, or (ii) the contracting authority concludes EU Standard Contractual Clauses directly with the subcontractor and the Contractor enters into it, so that the latter acquires the same rights in this respect as the Client under the EU Standard Contractual Clauses.

8.4 If the subcontractor does not comply with his data protection obligations, the Contractor shall be liable to the Client for compliance with the obligations of that subcontractor as for his own fault.


9. EVIDENCE FROM THE CONTRACTOR, INSPECTIONS

9.1 The Contractor shall prove to the Client compliance with the obligations laid down in this DP Agreement by submitting appropriate certificates (e.g. ISO 27001) or by submit-ting/performing a self-audit or a self-assessment.

9.2 If, in individual cases, further inspections or checks required under data protection law should be necessary by the Client or an independent external auditor commissioned by the Client, whose name is communicated to the Contractor in good time in advance, (e.g. if the Client has reasonable doubts about a self-audit submitted by the Contractor or in case of a personal data breach), these will be carried out in the presence of an employee of the Contractor during normal business hours and without disrupting the course of business at the Contractor's premises after registration, taking into account an appropriate lead time (which is usually 4 weeks; unless faster execution is required for data protection reasons). The Contractor may make these inspections or checks dependent on the signing of an appropriate nondisclosure agreement with regard to the data of other Clients and the technical and organizational measures set up. If the inspector commissioned by the Client is in a competitive relationship with the Contractor or its subcontractors, the Contractor can re-fuse an inspection by the inspector. 
The Client may demand an audit to be carried out in accordance with this clause even without a concrete data protection reason. The Client may audit once within a 12-month period, unless mandatory data protection law requires more frequent audits. If more far-reaching regulations for carrying out audits between the parties have been agreed (audit guideline), these must also be taken into account.

9.3 The Client shall provide the Contractor with a copy of the complete audit report in digital form. In particular, the Contractor may also provide the audit report to its subcontractors.


10. RETURN AND DELETION OF DATA UPON TERMINATION OF THE MAIN CONTRACT

10.1 After termination of the Main Contract, the Contractor shall, if technically possible and commissioned by the Client, surrender the Client’s Data. Electronically stored data are to be released on request and instruction in a format customary in the market on data carriers, whereby the Client bears the shipping risk, or are to be transmitted in encrypted form online to the Client, whereby the Client bears the transmission risk.

10.2 The Contractor shall delete all electronically stored data of the Client or, in the case of backups or log files, shall ensure that data processing is restricted until the time of deletion. The Contractor shall confirm the deletion in writing to the Client at Client's request.

10.3 Data of the Client which are not stored in electronic form (e.g. data on CDs, paper documents) and which the Client does not wish to be surrendered will be destroyed by the Con-tractor in accordance with data protection regulations. 

10.4 The obligation to surrender or delete does not exist if the Contractor is legally obliged to store or otherwise obliged to store this data.

10.5 The Client must inform the Contractor of the request to delete or surrender the Client’s Data in writing at the latest by the time of completion. If this does not occur, the Contractor will delete all data of the Client after termination of the contract, as far as there are no legal obligations of the Contractor for the storage of this data.

10.6 If the Client wishes the Client’s Data to be stored beyond the end of the contract, this re-quires a separate agreement between the parties. The parties will agree on the respective services and commercial implications and will specify them in a corresponding written amendment agreement (if the parties have agreed on an amendment procedure in the Main Contract, this shall apply).


11. CONTROL RIGHTS OF SUPERVISORY AUTHORITIES OR OTHER SOVEREIGN SUPERVISORY AUTHORITIES OF THE CLIENT; COOPERATION WITH SUPERVISORY AUTHORITIES; LEGAL DISPUTES

11.1 Should a data protection supervisory authority or any other sovereign supervisory authority of the Client carry out an inspection of the Contractor, the provision of Clause 9.2 of the DP Agreement shall apply mutatis mutandis. In this case, it is not necessary to sign a confidentiality agreement.

11.2 The contracting parties shall inform each other immediately of all official enquiries/rulings and procedures, all measures taken by one of the bodies mentioned in Article 80 GDPR (such as complaints, warnings, assertion of claims) and all threatened or ongoing court proceedings relating to the cooperation regulated in this DP Agreement, shall cooperate closely in connection with these enquiries, orders, measures or procedures and shall make all necessary documents and information available to each other. In this context, each party shall be entitled to disclose all information and documents relating to this DP Agreement, including details of data processing, to the supervisory authority responsible for them or to other third parties involved in the case to the extent required from the party's point of view.


12. FINAL PROVISIONS

12.1 If, according to this DP Agreement, the Contractor has to carry out support actions or incur expenses which are not attributable to a misconduct of the Contractor (e.g. individual instructions, expenses within the scope of rights of affected parties, audits), these shall be treated as requests for changes in accordance with the provisions of the Main Contract.

12.2 If no deviating agreements have been made in this DP Agreement, the agreements made between the parties in the Main Contract shall apply. Should individual parts of this DP Agreement be invalid, this shall not affect the validity of the remaining DP Agreement. 

12.3 Amendments and supplements to this DP Agreement and its components must be made in writing (in accordance with eIDAS). This also applies to the waiver of this formal requirement.


13. APPENDICES

The following Appendices constitute components of this DP Agreement

Appendix          TOM published at www.arvato-systems.com/TOM-en

Appendix          Concretization of Processing

Appendix          Specific Terms for Public Cloud Services


APPENDIX CONCRETIZATION OF PROCESSING

1. SUBJECT MATTER, MAIN CONTRACT

This Appendix specifies the modalities of order processing in connection with the Main Contract and is integral part of the DP Agreement. 
The subject matter of processing is to provide the service Vidinet (the Service), available at www.vidinet.net. Vidinet is Contractor’s cloud-based platform and marketplace for providing software-as-a-service products to business clients.
Vidinet is managed via a self-service dashboard (Portal) by the Client to buy and manage all services offered on the Vidinet marketplace and to check his current usage spending at any given time. The Portal enables the Client to subscribe to software applications provided by the Contractor (Software Applications) such as 

  • Vidispine-as-a-Service (VaaS), an API-based media management platform to manage metadata and storage locations about Client’s essence data (e.g. videos, images, etc.) 
  • Vidispine Media or Cognitive Services, services to process essence data like transcoding or analyzing videos without intermediate storage

as fully managed services running on Client’s request on different Public Cloud platforms (Amazon Web Services, Microsoft Azure or Google Cloud Platform) in several physical locations (“regions”) around the globe. Client’s essence data like videos or images remain stored in Client’s storage locations (whether on prem or in the cloud). In order to connect Client’s storage to VaaS Client can subscribe to Vidispine Server Agent (VSA), a downloadable locally to install software. 
Additionally Client may order services provided by third parties at the Vidinet marketplace (Third Par-ty Service) for which different term & conditions (including a different DPA) may apply and which are not covered by this DPA.
 

2. DURATION OF PROCESSING

This DP Agreement shall enter into force with the Main Contract and shall end upon termination of the Main Contract, provided that no obligations beyond this period arise from the provisions of this specification. In view of these obligations, this DP Agreement shall continue to exist until they expire. This provision does not modify the termination rights agreed in the Main Contract.


3. TYPE, PURPOSE AND MEANS OF PROCESSING

The type and means of processing are specified in the Main Contract. Contractor will process Client’s Data for the purpose of providing the Service and giving support to the Client in accordance with the Main Contract and this DP Agreement. 
This includes

  • providing the Portal and Software Applications as a SaaS (including basic processing activities required such as cloud infrastructure, platform services, application management as well as troubleshooting and creating backups for availability), 
  • fulfillment of Client’s support requests,  
  • providing service announcements and personalization of user experience
  • protection, detection and reaction against fraudulent, harmful, unauthorized, or illegal activity. 

4. TYPE OF PERSONAL DATA, CATEGORIES OF DATA SUBJECTS

The Client shall decide exclusively and under his own responsibility which personal data from which data subjects he will have processed by the Contractor. 
The following types of personal data are processed:

  • Administrator account information: information that identifies an Administrator to the Portal such as user name, email address, password, access rights
  •  VaaS User account information: information that identifies Users of the VaaS service such as user name, password and access rights 
  • Log data: information related to transactions (API requests) conducted on the Service by Ad-ministrators or Users such as IP addresses and user name in audit, job, transfer and change logs 
  • Client’s content: to the extent that Client chooses to input personal data as part of Client’s es-sence data like images or videos or metadata of his essence data such as comments or other content or information that Client or Client’s Administrators or Users post to or through the Service.

The following categories of natural persons are affected by this order processing: 
Data subjects include the individuals about whom data is provided to the Contractor via the Service by Client or Client’s Administrators or Users.

5. CONTRACTOR’S PERSON AUTHORIZED TO RECEIVE INSTRUCTIONS (“CONTRACTOR’S AUTHORIZED PERSON”)

The person authorized to receive instructions (role sufficient) on the part of the Contractor is:
Support Manager, CTO, Head of Platform Delivery, Head of R&D and COO.
 

6. CONTACT FOR DATA PROTECTION ISSUES ARISING WITHIN THE SCOPE OF THE CONTRACT ON THE PART OF THE CLIENT 
The contact person for data protection enquiries arising within the scope of the contract on the part of the Client is not named when the contract is concluded. The Client will inform the Contractor of the contact person as soon as possible.

7. CONTACT FOR DATA PROTECTION ISSUES ARISING WITHIN THE SCOPE OF THE CONTRACT ON THE PART OF THE CONTRACTOR
The contact person for data protection enquiries arising within the scope of the contract on the part of the Contractor can be reached via the e-mail address Datenschutz@arvato-systems.de or by calling +49 5241 80-70785.

8. ENGAGEMENT OF SUBCONTRACTORS

At the time of the conclusion of the contract, the Client gives his consent that the partial services de-scribed below are carried out with the involvement of the following subcontractors:

8.1 Amazon Web Services EMEA S.A.R.L., Luxembourg
Description of the partial performance: 
AWS cloud based infrastructure

8.2 Microsoft Ireland Operations Limited, Ireland
Description of the partial performance: 
Microsoft Azure cloud based infrastructure

8.3 Bitmovin Inc., United States
Description of the partial performance: 
Transcoding of media through Bitmovin cloud service

8.4 Further subcontractors that can be used by the Contractor to provide standard services are listed at www.arvato-systems.com/Subprocessors.


9. DETERMINATION OF THE PROCESSING CATEGORY

This DP Agreement is based on the following Processing Categories (multiple answers possible; definitions are given in appendix TOM):

☐    Data Center Arvato Systems          
☐    Business Process Services
☒    Data Center Public Cloud            
☒    Application Management & Services
☐    Data Center Customer            
☒    Platform Services
☐    Workplace Services
☐    Security Operations Center


10. OTHER PROVISIONS FOR PUBLIC CLOUD SERVICES
The Service includes using services of Public Cloud Service Providers commissioned directly by the Contractor. The provisions set out in the appendix "Special Terms and Conditions for Public Cloud Services" shall apply in addition.


APPENDIX SPECIFIC TERMS FOR PUBLIC CLOUD SERVICES

The Contractor provides services to the Client that include the provision of Public Cloud Services (the "Cloud Services") by third party vendors as further subprocessors (the "Cloud Service Provider"). 
This Appendix amends and alters certain provisions of the Data Processing Agreement (DP Agreement) between the Client and the Contractor in respect to the Cloud Services. These changes shall apply to the processing of the Client’s Data by the Cloud Service Provider only in its role as subprocessor. 
In the event of any conflict between the DP Agreement and this Appendix, this Appendix shall prevail.

The following terms apply for services by the subcontractors and Cloud Service Providers AWS EMEA S.A.R.L. or Microsoft Ireland Operations Limited:

1. In addition to Section 4(1) of the DP Agreement (Binding instructions for the Contractor) and Section 6(6) of the DP Agreement (Duties of the Client), the Contractor may allow the Cloud Service Provider to access, use or disclose to any third party the Client's Data as necessary to maintain or provide the Cloud Services or as necessary to comply with the law or a valid and binding order of a governmental, administrative or judicial body (such as a subpoena or court order). If such a governmental, administrative or judicial authority requests the Cloud Service Provider to provide Client’s Data, the Contractor will procure that the Cloud Service Provider will attempt to redirect the governmental, administrative or judicial authority to request such data directly from the Client. As part of this effort, the Cloud Service Provider may provide the Client’s basic contact information to the governmental, administrative or judicial body. If the Contractor is compelled to disclose the Client's Data to a governmental, administrative or judicial authority, then the Cloud Ser-vice Provider will give the Contractor reasonable notice of the demand and the Contractor will for-ward such notice without undue delay unless the Cloud Service Provider or the Contractor are legally prohibited from doing so. If the Standard Contractual Clauses apply, nothing in this Section 2 will change or modify the Standard Contractual Clauses.

2.The Parties agree that, in relation to the Cloud Service Provider, the obligation of the Contractor to impose the same data protection obligations as set out in the DP Agreement on subcontractors pursuant to Section 8(2) of the DP Agreement (Subcontractors) is limited to the obligations as modified in this Appendix. 

3. In respect of the processing of Client’s Personal Data in connection with the Cloud Services only, Section 7 (2) of the DP Agreement shall be replaced by the following:  
“If a Data Subject contacts the Cloud Service Provider in connection with the exercise of any of its rights it may have pursuant to Chapter III of the GDPR (for example, correction, erasure and blocking of data, right to data portability), the Cloud Service Provider shall use commercially reasonable efforts to forward such request or to refer the Data Subject to the Contractor and the Contractor will forward such request to the Client, if, based on the information provided by the Da-ta Subject, the Contractor is able to identify the Client as the person being responsible for responding to such Data Subject’s request.”

4. Section 9 of the DP Agreement (Evidence of Compliance, Audits) and Section 11 (1) of the DP Agreement (Control rights of Supervisory Authorities) shall not apply to the Cloud Services and the processing of Client’s Data by the Cloud Service Provider. The Client is aware that the Cloud Service Provider regularly uses external auditors to verify the security of the physical data centers and other computing environment that it uses in providing the Cloud Services and the processing of the Client's Data. Each audit will result in the generation of an audit report ("Cloud Service Audit Report"), which will be Cloud Service Provider’s confidential information. The Client may request a copy of such a Cloud Service Audit Report so that Client can reasonable verify Cloud Service Provider’s compliance with its obligations under this Appendix. The Client acknowledges that such disclosure of the Cloud Service Audit Report is subject to the prior written approval of the Cloud Service Provider, which may be subject to further conditions, like the Client entering into a NDA with the Cloud Service Provider. If the Standard Contractual Clauses apply, nothing in Section 6 varies or modifies the Standard Contractual Clauses or affects any data exporter’s or supervisory authority’s right under the Standard Contractual Clauses.

5. Section 10 of the DP Agreement (Return and Deletion of Data upon Termination of Contract) shall not apply to the Cloud Services and the processing of the Client's Data by the Cloud Service Provider. For 85 days following the termination date, Client may request from the Contractor on Client's cost to retrieve or delete any remaining Client’s Data from the Cloud Services in line with the terms of the DP Agreement and the Main Contract, unless such retrieval or deletion is prohibited by law, order of a governmental, administrative and judicial or regulatory body or it could subject Cloud Service Provider or the Cloud Service Provider's affiliates to liability under law. After this 85-day period ends, the Cloud Service Provider will initiate the deletion of the Client’s Data, unless such deletion is prohibited by law, order of governmental, administrative, judicial or regulatory authority or it could subject Cloud Service Provider or Cloud Service Provider's affiliates to liability under law. Electronically stored data shall, upon Client’s requests and costs either be returned in a commonly used machine-readable format on an electronic data storage medium or be transferred online to the Client in encrypted form. The risk of loss of and damage to the Client's Data and/or electronic data storage mediums during transport shall be solely borne by the Client. 

6. Section 8(1) of the DP Agreement shall be supplemented as follows: 
"If the Client objects to such engagement/replacement of a Cloud Service Provider or any third party hired by a Cloud Service Provider to provide certain limited or ancillary services for important data protection reasons, and if the parties are not able to reach an amicable solution, the Contrac-tor may terminate the affected Cloud Service of the Main Contract and this DP Agreement for good cause by giving written notice to the Client.”

7. With respect to Appendix TOM of the DP Agreement (Technical and Organizational Measures), the Client acknowledges and agrees that the security measures of the Cloud Service Provider can be found under the following link and that those measures will be updated from time to time:
AWS EMEA S.A.R.L.
https://d1.awsstatic.com/legal/aws-gdpr/AWS_GDPR_DPA.pdf
Microsoft Ireland Operations Limited
https://www.microsoft.com/en-us/licensing/product-licensing/products