This Data Processing Agreement governs the processing of personal data that LenoIT, operating the Cloud-PBS service, carries out on behalf of its customers. It complements the General Terms and Conditions of Sale and the Privacy Policy, and implements Article 28 of the GDPR.
1. Roles of the parties
For the data that the customer backs up through the service:
- the customer is the data controller: they determine the purposes and means of the processing;
- LenoIT is the data processor: it processes that data on behalf of the customer and on their instructions.
This agreement does not cover the data for which LenoIT is itself the data controller (account data, billing), which is covered by the Privacy Policy.
2. Purpose and duration
LenoIT processes personal data solely to provide the subscribed Cloud-PBS service: hosting, retention and restoration of the customer’s backups. The processing lasts for the duration of the service contract.
3. Description of the processing
- Nature of the processing: storage, retention and restoration of backups.
- Categories of data: any personal data contained in the backups transmitted by the customer. Their nature is determined by the customer alone.
- Categories of data subjects: determined by the customer alone.
When client-side encryption is enabled, LenoIT has no access to the content of the backups.
4. Customer instructions
LenoIT processes the data only on the documented instructions of the customer. The service contract and this agreement constitute those instructions. LenoIT informs the customer if, in its opinion, an instruction infringes the GDPR.
5. Confidentiality
LenoIT ensures that the persons authorized to process the data commit to keeping it confidential.
6. Security
LenoIT implements the appropriate technical and organizational measures set out in Article 32 of the GDPR: access control, logging, and hosting in professional data centers. Client-side backup encryption is offered so that the customer retains sole control over the content of their data.
7. Sub-processors
The customer authorizes LenoIT to use sub-processors to perform the service. Their list is kept up to date on the GDPR page. LenoIT informs the customer of any change to that list and imposes on those sub-processors the same data protection obligations as in this agreement.
8. Assistance to the customer
As far as possible, LenoIT assists the customer in responding to requests from data subjects exercising their rights, and in meeting the customer's security, breach notification and impact assessment obligations.
9. Data breach
LenoIT notifies the customer of any personal data breach concerning them without undue delay after becoming aware of it, so as to allow the customer to meet its own obligations.
10. Fate of the data at the end of the contract
At the end of the contract, the customer can retrieve their backups for a period of 30 days, under the conditions set out in the General Terms and Conditions of Sale. After that period, LenoIT deletes the data, unless a legal retention obligation applies.
11. Audit
LenoIT makes available to the customer the information needed to demonstrate compliance with Article 28 of the GDPR, and allows audits to be carried out under reasonable conditions agreed between the parties.
12. Data location
The data of customers established in the European Union is processed and stored exclusively within the European Union. See the GDPR page.
13. Contact
For any question regarding this agreement, contact us at .