Effective date: 2025-10-11
Parties:
Controller (Customer): The organization that uses the Credentium Issuer app to issue credentials.
Processor: CloudTeam spółka z ograniczoną odpowiedzialnością, Plac Konesera 9, 03‑736 Warszawa, Poland, KRS: 0000276018, NIP: 5252388265 ("CloudTeam").
TL;DR (≈1 minute): This DPA (art. 28 GDPR) governs CloudTeam’s processing of Issuer workspace data on the Controller’s documented instructions. CloudTeam hosts in EU Azure regions, uses Auth0 (EU) for authentication, applies encryption, access control, logging, and deletion routines, and engages vetted sub‑processors (see Annex III / live list). The Controller is responsible for lawful collection and issuance bases. Breach notifications are provided without undue delay; data are returned or deleted at end of Services. This DPA prevails over the ToS if they conflict on processing matters.
1.1. This DPA forms part of and is incorporated into the Credentium Terms of Service ("ToS") and any Order/MSA for the Issuer app. Capitalized terms not defined here have the meanings in the ToS.
1.2. Subject‑matter: processing of personal data uploaded or generated in the Issuer workspace (e.g., recipients and issuance metadata) to issue, manage, and revoke digital credentials.
1.3. Duration: for the term of the ToS/Order and until deletion/return under §12.
1.4. Nature & purpose: provisioning, operation, securing, support, and improvement of the Issuer app; automated sealing of credentials; logs/telemetry for security and operations.
2.1. Roles: For Issuer workspace data, the Controller is the controller and CloudTeam is the processor.
2.2. Instructions: CloudTeam shall process personal data only on documented instructions from the Controller, including with respect to transfers to a third country, save where required by Union/Member State law; in that case CloudTeam shall inform the Controller unless the law prohibits such notice.
2.3. The ToS, this DPA, in‑app configuration, and any documented API usage constitute the Controller’s instructions.
3.1. The Controller warrants that it has a lawful basis and has provided the required notices to data subjects (Art. 13/14), including for any data of minors, and will not instruct CloudTeam to process special categories (Art. 9) unless lawfully justified.
3.2. The Controller shall not upload data that are unnecessary for the issuance purpose and will configure revocation/retention settings appropriate to its needs.
3.3. The Controller remains responsible for managing data subject requests that concern Controller‑owned records; CloudTeam will assist per §8.
4.1. CloudTeam ensures persons authorized to process personal data are bound by confidentiality and receive appropriate data protection and security training.
5.1. CloudTeam implements technical and organizational measures (TOMs) appropriate to the risk (Art. 32), as described in Annex II.
5.2. CloudTeam will maintain policies and controls to preserve confidentiality, integrity, availability, and resilience of processing, including encryption in transit and at rest, RBAC/least privilege, logging/monitoring, multi‑tenant isolation, backup/restore, and secure software development practices.
6.1. General authorization. The Controller authorizes CloudTeam to engage sub‑processors to support the Issuer app. CloudTeam shall impose data‑protection terms on sub‑processors no less protective than this DPA (Art. 28(4)).
6.2. Listing & notice. CloudTeam maintains a live list of sub‑processors with name, purpose, and location (see Annex III / live page). CloudTeam will notify the Controller of material changes and provide a reasonable opportunity to object on justified grounds. If the parties cannot resolve an objection, the Controller may suspend the affected feature or terminate the Order for that feature as its sole remedy.
6.3. CloudTeam remains responsible for each sub‑processor’s performance.
7.1. CloudTeam primarily processes in the EU/EEA. Where processing involves a restricted transfer to a third country (including onward transfers by sub‑processors), CloudTeam will ensure an appropriate transfer mechanism under Chapter V GDPR, such as:
(a) EU Commission Standard Contractual Clauses (SCCs 2021/914), Module 2 (Controller → Processor) and/or Module 3 (Processor → Sub‑processor), with the Docking Clause enabled; and/or
(b) an adequacy decision, or other recognized safeguard.
7.2. Where SCCs apply between Controller and CloudTeam, they are incorporated by reference and prevail for the transferred data; Annex I/II/III to this DPA populate the SCC Appendices. CloudTeam will conduct Transfer Impact Assessments and apply supplementary measures where appropriate.
8.1. Data subject requests: Taking into account the nature of processing, CloudTeam shall assist the Controller by appropriate technical and organizational measures to respond to requests under Chapter III GDPR.
8.2. Security, DPIAs & consultations: CloudTeam shall provide information necessary to demonstrate compliance and assist with DPIAs and prior consultations (Art. 35–36), considering the nature of processing and information available to CloudTeam.
8.3. Records: CloudTeam keeps records of categories of processing activities as required by Art. 30(2).
9.1. CloudTeam shall notify the Controller without undue delay after becoming aware of a personal data breach. The notification will include, where available: (i) nature of the breach; (ii) categories/approximate number of data subjects and records; (iii) likely consequences; (iv) measures taken or proposed to address the breach. CloudTeam will cooperate in good faith to enable the Controller to meet its notification obligations.
10.1. On termination of Services relating to processing, CloudTeam shall, at the Controller’s choice and subject to legal obligations, delete or return personal data, and delete existing copies within the timelines in Annex I and the Privacy Policy. Backups and logs are deleted on rolling schedules as described in Annex I.
10.2. CloudTeam may retain data as required by EU or Member State law and only for such period and purpose.
11.1. CloudTeam shall make available all information necessary to demonstrate compliance and allow for and contribute to audits, including inspections by the Controller or an auditor mandated by the Controller.
11.2. Layered approach: The parties agree to a proportionate audit model—firstly review of independent reports/certifications (if available) and security questionnaires; on‑site audits only where strictly necessary, with ≥14 days’ notice, at reasonable times, no more than once per 12 months, limited to scope relevant to the Issuer app, under confidentiality, and without access to other customers’ data. Controller bears its own audit costs; CloudTeam may charge reasonable support fees for excessive or repeated requests.
12.1. Precedence: If this DPA conflicts with the ToS regarding personal data processing, this DPA prevails. Otherwise the ToS/Order govern, including limitations of liability to the maximum extent permitted by law.
12.2. Contact: privacy@cloudteam.pl (Processor); the Controller shall designate a contact for data protection matters.
Annex I
A. Subject‑matter and purpose: Operation of the Credentium Issuer app to create, seal, manage, revoke, and deliver digital credentials, plus related security, support, and operational logging.
B. Duration: Term of the ToS/Order; after termination, return or deletion per §10.1; typical rolling retention for logs/backups per Annex I(E).
C. Categories of data subjects: (i) Credential recipients (students, learners, employees, etc.); (ii) Issuer users/admins (staff of Controller); (iii) Technical viewers/verifiers where logs are generated.
D. Types of personal data: Identification and contact data (name, email, organization, role); credential metadata needed for EDC and qualified e‑seal (program/course, achievement, dates, identifiers, status, revocation); audit/security logs (IP, device/browser, event timestamps); support ticket contents. The Controller shall avoid special categories unless strictly necessary and lawfully justified.
E. Retention (typical): Controller account data: life of account + up to 24 months for records; credential issuance records: while credential is valid or until revoked/deleted; Validator uploads (outside Issuer workspace): auto‑deleted ~24h; security/operational logs: ~12 months; support tickets/files: ~24 months; invoices per tax law.
F. Processing operations: collection, storage, organization, structuring, adaptation, retrieval, transmission, restriction, deletion; cryptographic sealing; generating/verifying revocation status; responding to DSARs; logging and monitoring; backup/restore.
Annex II
Governance & policies: documented security/privacy policies; least‑privilege access; periodic reviews.
Encryption: TLS (HTTPS/HSTS) in transit; encryption at rest for databases/storage; managed key services; secrets managed via secure vaults; hashing for credentials where appropriate.
Access control & authentication: RBAC; SSO/OIDC; MFA for privileged access; separation of duties; session management and secure cookies (Secure/HttpOnly/SameSite where applicable).
Application security: secure SDLC; code reviews; dependency/vulnerability management; environment segregation; configuration hardening; rate‑limiting and anti‑abuse; input validation; regular penetration testing (results available under NDA).
Operations & resilience: monitoring/alerting; logging/audit trails; backups with periodic restore tests; multi‑tenant isolation; capacity and availability management.
Data minimization & deletion: lifecycle policies; automated deletion of temporary files (e.g., Validator ~24h); revocation workflows; secure deletion procedures.
Incident response: documented playbooks; breach detection and notification; post‑incident review and remediation.
Supplier management: due diligence for sub‑processors; contractual safeguards; ongoing monitoring.
Training & awareness: regular privacy/security training for personnel with access to personal data.
Annex III
Live list: https://legal.cloudteam.global/credentium/sub-processors (or available on request via privacy@cloudteam.pl).
Processor: CloudTeam sp. z o.o., Plac Konesera 9, 03‑736 Warszawa, Poland — privacy@cloudteam.pl.
Controller: As designated in the Order/MSA or in‑app admin settings.
Order of documents: ToS → DPA → Privacy Policy.
Governing law & venue: Polish law; courts of Warsaw, Poland (without prejudice to mandatory law).
References: Privacy Policy: https://legal.cloudteam.global/credentium/privacy-policy • ToS: https://legal.cloudteam.global/credentium/terms-of-service