Data Processing Addendum

Last updated on 11th March 2025

This Data Processing Addendum (DPA) sets out the terms that apply when Your Personal Data is processed by ScreenCloud under the Terms of Service (the “Agreement”). Capitalised terms not defined in this DPA can be found in the Agreement. The DPAs purpose is to ensure such processing is conducted in accordance with Data Protection Laws and respects Your rights where Your Personal Data is processed under the Agreement. A list of ScreenCloud’s Sub-processors can be found at the end of this DPA.

DEFINITIONS

“CCPA” means the California Consumer Privacy Act, as amended by the California Privacy Rights Act, and its implementing regulations.

“Data Controller” means the entity that determines the purposes and means of the Processing of Personal Data, as defined in the GDPR, the UK GDPR, and has the same meaning as “business,” as that term is defined by the CCPA;

“Data Processor” means the entity which Processes Personal Data on behalf of the Data Controller, as defined in the GDPR, the UK GDPR, and has the same meaning as “service provider,” as that term is defined by the CCPA;

“Data Protection Laws” means all laws and regulations applicable to the processing of Personal Data as part of or in connection to with the Services, including, but not limited to (a) the UK GDPR (b) the GDPR, (c) the CCPA, all as may be amended and are in force from time to time.

“Data Subject” means the individual to whom Personal Data relates, as defined in the GDPR, the UK GDPR, and has the same meaning as “consumer” as that term is defined under the CCPA;

“GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), as may be amended from time to time;

“Personal Data” means data about a natural person processed by Data Processor in relation to the provision of the Services under the Agreement, from which that person is identified or identifiable, as defined in the GDPR and the UK GDPR, and has the same meaning as “personal information” as that term is defined under the CCPA;

“Special Category Data” means those categories of data as defined in the GDPR, the UK GDPR and the CCPA as needing extra protection. 

“UK GDPR” means the GDPR as retained in UK Law after UK’s withdrawal from the EU, and as amended and in force from time to time.

1. Roles of the Parties

1.1 The Parties accept and agree that the Services shall include processing of Personal Data. In respect of Customer Personal Data processed by ScreenCloud on Your behalf as part of the Services, the Parties acknowledge that ScreenCloud shall act as Data Processor and You shall act as Data Controller of such Personal Data. The duration of the processing, nature, purpose, as well as types of Personal Data and categories of Data Subjects processed under this DPA are specified in Attachment 1 of this DPA. 

2. Your Obligations

2.1 You shall comply (and shall require that Your personnel comply) with the Data Protection Laws. You warrant and represent that You have an appropriate registration or notification with all and any relevant data protection authorities

2.2 You shall ensure that no data which constitutes “Special Category Data” as defined under Applicable Data Protection Law, is submitted to the Service.

2.3 You shall obtain all necessary consents required to allow ScreenCloud to process Personal Data in accordance with this Agreement. 

3. ScreenCloud Obligations

3.1 ScreenCloud shall comply (and shall require that its personnel comply) with the Data Protection Laws.

3.2 ScreenCloud, as Data Processor of Personal Data under this Agreement on Your behalf, shall in relation to the Personal Data provided by You:

1. act only on Your instructions as set out in this Agreement or as documented elsewhere in writing;
2. process such Personal Data only to the extent, and in such manner, as is necessary for the purposes of this Agreement;
3. ensure that appropriate technical and organisational measures are taken against unauthorised or unlawful processing of such Personal Data and against accidental loss, destruction or alteration to, such Personal Data, taking into account the nature of the Personal Data;
4. operate appropriate technical and organisational security controls under continuous audit in compliance with SOC2 Type 2 Trust Service Criteria for security, confidentiality, privacy and availability to ensure that unauthorised persons do not have access to any equipment used to process such Personal Data or to the Personal Data itself;
5. use reasonable endeavours to ensure the reliability of its staff with access to such Personal Data and ensure that all such staff are under obligations of confidentiality in relation to such Personal Data;
6. provide a response within 30 days of You requesting reasonable assistance to respond to a request or complaint made by a Data Subject in respect of such Personal Data;
7. notify You of a personal data breach of which it is aware without undue delay, but within 72 hours, and shall provide You with reasonable assistance in responding to a personal data breach;
8. notify You if, in its opinion, an instruction given by You breaches the Data Protection Laws; and
9. on termination of this Agreement or the end of the carrying out of data processing, delete or return all such Personal Data to You and delete existing copies unless required to retain a copy to meet its legal or regulatory obligations.

3.3 ScreenCloud shall, if requested, provide You with information necessary to demonstrate Your compliance with obligations under Data Protection Laws and this Data Processing Addendum. ScreenCloud shall allow for audits at Your reasonable request, provided that audits are limited to once a year and during business hours, except in the event of a security incident.

4. Sub-processing

4.1 You consent to ScreenCloud using the sub-processors set out in the ScreenCloud Sub-processors table in Attachment 2 to this DPA when processing Personal Data under this Agreement.

4.2 ScreenCloud shall ensure that any sub-processor it engages in relation to this Agreement is engaged on a written agreement giving commitments in relation to the processing of such Personal Data no less onerous than those set out in this Agreement. ScreenCloud shall remain liable to You for the acts of any such sub-processor in relation to such Personal Data.

4.3 ScreenCloud may appoint new sub-processors provided that it notifies You in advance via email and/or other announcement on the Platform and an updated ScreenCloud Sub-processors table. 

4.4 You have thirty (30) days from the notification of the addition of a Sub-processor to reasonably object. Continued use of the Services after this time will be taken as You having agreed to the addition.

5. International Personal Data Transfers

5.1 ScreenCloud shall only transfer the Personal Data provided by You outside the US, the EU or a country with an adequacy agreement, with Your prior authorisation and where a suitable transfer mechanism is in place in accordance with Data Protection Laws.

Attachment 1

Categories of Data Subjects
The categories of data subjects whose personal data is transferred are determined solely by the Data Controller. In the normal course of the Data Processor’s service, the categories of data subject might include (but are not limited to): the data controller's personnel, customers, business partners, affiliates, and users.

Categories of Personal Data
The categories of personal data transferred are determined solely by the Data Controller. In the normal course of the Data Processor’s service, the categories of Personal Data transferred might include (but are not limited to): name, email address, telephone, title, free text projects, task lists, personal media items and personal digital signage entered by the Data Controller.

Special Category Data transferred (if applicable)
At its sole discretion, Customer determines all categories and types of Customer Personal Data it may submit and transfer to the Data Processor through the Services. Customer agrees it will not upload Special Category Data to the Services. 

The frequency of the transfer
Continuous with use of the Service.

Nature of the processing
The provision of the Service to Customer in accordance with the Agreement.

Purpose(s) of the data transfer
To provide the Service to Customer as described in the Agreement.

The period of data retention
For as long as necessary to provide the Service as described in the Agreement, as legally or contractually required, or upon receipt of Customer’s written request for deletion.

Attachment 2

ScreenCloud Sub-processors