rsync.net - Data Processing Addendum
Summary
This rsync.net Data Processing Addendum forms part of, and is subject to the provisions of, the rsync.net Terms of Service. Capitalized terms that are not defined in this Data Processing Addendum have the meanings set forth in the Terms of Service.
Some Initial Comments ...
Personal data at rsync.net takes two forms - the very limited contact and payment information that is associated with your account and how you pay us and your actual stored, or backed up, data itself that you hold in your account.
It is important to note that nobody in the world except for full time employees of rsync.net have any access whatsoever to the first category of data - your contact and payment information - and that we never share any piece of that with any party for any reason whatsoever (other than charging you). We have no "partners" or "affiliates" or "marketing associates" or parent company relationships. This data is used only for the purposes of serving you as a customer and charging you for our services.
rsync.net does not use cookies, third party analytics or trackers and rsync.net does not examine the specific or the aggregate file uploads of any of our customers.
Except for authorizing payments or fulfilling legal warrants within proper jurisdiction rsync.net does not share your personal information with any party for any purpose whatsoever.
Further, only full time employees of rsync.net have any access of any kind to the storage arrays where your saved, or backed up, data is kept.
Finally, your backed up data never leaves the geographic location that you have chosen - if you have chosen Zurich as your rsync.net location, not one bit of backed up data will ever leave Switzerland (unless you have chosen the geo-redundant service option which implies a secondary copy of your data will be transferred to, and stored within, the United States of America).
So, while the following Data Processing Addendum to our Terms of Service will cover a broad range of uses of personal data, in reality, almost none of these are applicable to rsync.net - we have very little personal data from you, possibly zero personal data from your customers and partners, and whatever we do have is used only within rsync.net for the purposes of administration and billing.
1. Additional Definitions
The following definitions apply solely to this Data Processing Addendum:
a. the terms "controller", "data subject", "personal data", "process", "processing" and "processor" have the meanings given to these terms in EU Data Protection Law.
b. "Breach" means a breach of the Security Measures resulting in access to rsync.net's equipment or facilities storing Your Controlled Data and the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Your Controlled Data transmitted, stored or processed by rsync.net on your behalf and instructions through the Services.
c. "Content" means your User Content and any content provided to us from your End Users, including without limitation text, photos, images, audio, video, code, and any other materials.
d. "EU Data Protection Law" means any data protection or data privacy law or regulation of Switzerland or any European Economic Area (EEA country applicable to Your Controlled Data, including, as applicable, the GDPR and the e-Privacy Directive 2002/58/EC.
e. "GDPR" means the EU General Data Protection Regulation 2016/679.
f. "Security Measures" means the technical and organizational security measures set out here.
g. "Sub-Processor" means an entity engaged by rsync.net to process Your Controlled Data. Note: at the time of this writing, rsync.net, Inc., employs no sub-processors.
h. "Your Controlled Data" means the personal data in the Content rsync.net processes on your behalf and instructions as part of the Services, but only to the extent that you are subject to EU Data Protection Law in respect of such personal data. Your Controlled Data does not include personal data when controlled by us, including without limitation data we collect (including IP address, device/browser details and web pages visited prior to coming to a website) with respect to your End Users' interactions with a website through their browser and technologies like cookies.
i. ""Standard Contractual Clauses" or "SCCs" means (i) where the GDPR applies, the standard contractual clauses annexed to the European Commission's Implementing Decision (EU) 2021/914 of 4 June 2021 standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, available at https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32021D0914&from=EN ("EU SCCs"); (ii) where the UK GDPR applies, the applicable standard data protection clauses adopted pursuant to Article 46(2)(c), or (d) where the UK GDPR means the International Data Transfer Addendum to the EU Standard Contractual Clauses issued by the Information Commissioner's Office under s.119A(1) of the Data Protection Act 2018, as such Addendum may be revised under Section 18 therein ("UK SCCs") and (iii) where the Swiss DPA applies, the applicable standard data protection clauses issued, approved or recognized by the Swiss Federal Data Protection and Information Commissioner (the "Swiss SCCs") (in each case, as updated, amended or superseded from time to time).
2. Applicability
This Data Processing Addendum only applies to you if you or your End Users are data subjects located within the EEA or Switzerland and only applies in respect of Your Controlled Data. You agree that rsync.net, Inc. is not responsible for personal data that you have elected to process through Third Party Services or outside of the Services, including the systems of any other third-party cloud services, offline or on-premises storage.
3. Details of Data Processing
3.1 Subject Matter. The subject matter of the data processing under this Data Processing Addendum is Your Controlled Data.
3.2 Duration. As between you and us, the duration of the data processing under this Data Processing Addendum is determined by you.
3.3 Purpose. The purpose of the data processing under this Data Processing Addendum is the provision of the Services initiated by you from time to time.
3.4 Nature of the Processing. The Services as described in the Agreement and initiated by you from time to time.
3.5 Type of Personal Data. Your Controlled Data relating to you, your End Users or other individuals whose personal data is included in Content which is processed as part of the Services in accordance with instructions given through your Account.
3.6 Categories of Data Subjects. You, Your End Users and any other individuals whose personal data is included in Content.
4. Processing Roles and Activities
4.1 rsync.net as Processor and You as Controller. You are the controller and rsync.net is the processor of Your Controlled Data.
4.2 rsync.net as Controller. rsync.net may also be an independent controller for some personal data relating to you or your End Users. Please see our Privacy Policy and Terms of Service for details about this personal data which we control. We decide how to use and process that personal data independently and use it for our own purposes. When we process personal data as a controller, you acknowledge and confirm that the Agreement does not create a joint-controller relationship between you and us. If we provide you with personal data controlled by us, such as in any access to data regarding your End Users' interactions with Your Site, you receive that as an independent data controller and are responsible for compliance with EU Data Protection Law in that regard.
4.3 Description of Processing Activities. We will process Your Controlled Data for the purpose of providing you with the Services, as may be used, configured or modified from within your Account (the "Purpose" For example, depending on how you use the Services, we may process Your Controlled Data in order to: (a) enable you to integrate content or features from a social media platform on Your Site; or (b) email your End Users on your behalf.
4.4 Compliance with Laws. You will ensure that your instructions comply with all laws, regulations and rules applicable in relation to Your Controlled Data and that Your Controlled Data is collected lawfully by you or on your behalf and provided to us by you in accordance with such laws, rules and regulations. You will also ensure that the processing of Your Controlled Data in accordance with your instructions will not cause or result in us or you breaching any laws, rules or regulations (including EU Data Protection Law). You are responsible for reviewing the information available from us relating to data security pursuant to the Agreement and making an independent determination as to whether the Services meet your requirements and legal obligations as well as your obligations under this Data Processing Addendum. rsync.net will not access or use Your Controlled Data except as provided in the Agreement, as necessary to maintain or provide the Services or as necessary to comply with the law or binding order of a governmental, law enforcement or regulatory body.
5. Our Processing Responsibilities
5.1 How We Process. We will process Your Controlled Data for the Purpose and in accordance with the Agreement or instructions you give us through your Account. You agree that the Agreement and the instructions given through your Account are your complete and final documented instructions to us in relation to your Controlled Data. Additional instructions outside the scope of this Data Processing Addendum require prior written agreement between you and us, including agreement on any additional fees payable by you to us for carrying out such instructions. We will promptly inform you if, in our opinion, your instructions infringe applicable EU Data Protection Law, or if we are unable to comply with your instructions. We will notify you when applicable laws prevent us from complying with your instructions, except if such disclosure is prohibited by applicable law on important grounds of public interest, such as a prohibition under law to preserve the confidentiality of a law enforcement investigation or request.
5.2 Notification of Breach. We will provide you notice without undue delay after becoming aware of and confirming the occurrence of a Breach for which notification to you is required under applicable EU Data Protection Laws. We will, to assist you in complying with your notification obligations under Articles 33 and 34 of the GDPR, provide you with such information about the Breach as we are reasonably able to disclose to you, taking into account the nature of the Services, the information available to us and any restrictions on disclosing the information such as for confidentiality. Our obligation to report or respond to a Breach under this Section is not and will not be construed as an acknowledgement by rsync.net of any fault or liability of rsync.net with respect to the Breach. Despite the foregoing, rsync.net’s obligations under this Section do not apply to incidents that are caused by you, any activity on your Account and/or Third-Party Services.
5.3 Notification of Inquiry or Complaint. We will provide you notice, if permitted by applicable law, upon receiving an inquiry or complaint from an End User, or other individual whose personal data is included in your Content, or a binding demand (such as a court order or subpoena) from a government, law enforcement, regulatory or other body in respect of Your Controlled Data that we process on your behalf and instructions.
5.4 Reasonable Assistance with Compliance. We will, to the extent that you cannot reasonably do so through the Services, your Account or otherwise, provide reasonable assistance to you in respect of your fulfillment of your obligation as controller to respond to requests by data subjects under Chapter 3 of the GDPR, taking into account the nature of the Services and information available to us. You will be responsible for our reasonable costs arising from our provision of such assistance.
5.5 Security Measures. We will maintain the Security Measures. We may change these Security Measures but will not do so in a way that adversely affects the security of Your Controlled Data. We will take steps to ensure that any natural person acting under our authority who has access to Your Controlled Data does not process it except on our instructions, unless such person is required to do so under applicable law, and that personnel authorized by us to process Your Controlled Data have committed themselves to relevant confidentiality obligations or are under an appropriate statutory obligation of confidentiality.
5.6 Sub-Processors. You agree that we can share Your Controlled Data with Sub-Processors in order to provide you the Services. We will impose contractual obligations on our Sub-Processors, and contractually obligate our Sub-Processors to impose contractual obligations on any further sub-contractors which they engage to process Your Controlled Data, which provide the same level of data protection for Your Controlled Data in all material respects as the contractual obligations imposed in this Data Processing Addendum, to the extent applicable to the nature of the Services provided by such Sub-Processor. A list of our current Sub-Processors is available upon request by sending an email to info@rsync.net Provided that your objection is reasonable and related to data protection concerns, you may object to any Sub-Processor by sending an email to info@rsync.net If you object to any Sub-Processor and your objection is reasonable and related to data protection concerns, we will use commercially reasonable efforts to make available to you a means of avoiding the processing of Your Controlled Data by the objected-to Sub-Processor. If we are unable to make available such suggested change within a reasonable period of time, we will notify you and if you still object to our use of such Sub-Processor, you may cancel or terminate your Account or, if possible, the portions of the Services that involve use of such Sub-Processor. Except as set forth in this Section 5.6, if you object to any Sub-Processors, you may not use or access the Services. You consent to our use of Sub-Processors as described in this Section 5.6. Except as set forth in this Section 5.6 or as you may otherwise authorize, we will not permit any Sub-Processor to access Your Controlled Data. rsync.net will remain responsible for its compliance with the obligations of this Data Processing Addendum and for any acts or omissions of any Sub-Processor or their further sub-contractors that process Your Controlled Data and cause rsync.net to breach any of rsync.net’s obligations under this Data Processing Addendum, solely to the extent that rsync.net would be liable under the Agreement if the act or omission was rsync.net’s own.
At the time of this writing (April 21, 2023) rsync.net, Inc., employs no sub-processors of any kind. You will be alerted by email, at least 30 days in advance, if there is a change and we engage with a sub-processor for any purpose. If you object to the introduction of a sub-processor, rsync.net, Inc. will work in good faith with you to find an alternative solution or will allow you to terminate your service without penalties.
5.7 rsync.net Audits. rsync.net may (but is not obliged to) use external or internal auditors to verify the adequacy of our Security Measures.
5.8 Customer Audits and Information Requests. You agree to exercise any right you may have to conduct an audit or inspection by instructing rsync.net to carry out the audit described in Section 5.7. You agree that you may be required to agree to a non-disclosure agreement with rsync.net before we share any such report or outcome from such audit with you and that we may redact any such reports as we consider appropriate. If rsync.net does not follow such instruction or if it is legally mandatory for you to demonstrate compliance with EU Data Protection Law by means other than reviewing a report from such an audit, you may only request a change in the following way:
a. First, submit a request for additional information in writing to rsync.net, specifying all details required to enable rsync.net to review this request effectively, including without limitation the information being requested, what form you need to obtain it in and the underlying legal requirement for the request (the “Request”). You agree that the Request will be limited to information regarding our Security Measures.
b. Within a reasonable time after we have received and reviewed the Request, you and we will discuss and work in good faith towards agreeing on a plan to determine the details of how the Request can be addressed. You and we agree to use the least intrusive means for rsync.net to verify rsync.net’s compliance with the Security Measures in order to address the Request, taking into account applicable legal requirements, information available to or that may be provided to you, the urgency of the matter and the need for rsync.net to maintain uninterrupted business operations and the security of its facilities and protect itself and its customers from risk and to prevent disclosure of information that could jeopardize the confidentiality of rsync.net or our users’ information.
You will pay our costs in considering and addressing any Request. Any information and documentation provided by rsync.net or its auditors pursuant to this Section 5.8 will be provided at your cost. If we decline to follow any instruction requested by you regarding audits or inspections, you may cancel any affected Paid Services.
5.9 Questions. Upon your reasonable requests to us for information regarding our compliance with the obligations set forth in this Data Processing Addendum, we shall, where such information is not otherwise available to you, provide you with written responses, provided that you agree not to exercise this right more than one (1) time per calendar year (unless it is necessary for you to do so to comply with EU Data Protection Law). The information to be made available by rsync.net under this Section 5.9 is limited to solely that information necessary, taking into account the nature of the Services and the information available to rsync.net, to assist you in complying with your obligations under the GDPR in respect of data protection impact assessments and prior consultation. You agree that you may be required to agree to a non-disclosure agreement with rsync.net before we share any such information with you.
5.10 Requests. You can delete or access a copy of some of Your Controlled Data through your Account. For any of Your Controlled Data which may not be deleted or accessed through your Account, upon your written request, we will, with respect to any of Your Controlled Data in our or our Sub-Processor’s possession that we can associate with a data subject, subject to the limitations described in the Agreement and unless prohibited by applicable law or the order of a governmental, law enforcement or regulatory body: (a) return such data and copies of such data to you provided that you make such request within no more than ninety (90) days after the cancellation of the applicable Paid Services; or (b) delete, and request that our Sub-Processors delete, such data (excluding in the case of (a) or (b) any of such data which is archived on back-up systems, which we shall securely isolate and protect from any further processing, except to the extent required by applicable law). Otherwise, we will delete Your Controlled Data in accordance with our data retention policy. This Section 5.10 does not apply to personal data held by Third Party Services.
6. Data Transfers
6.1 Customer acknowledges that their signup and billing data - the information used to maintain, and bill for, rsync.net service - is transferred to and from the United States of America where rsync.net (a California Corporation) is located. This signup and billing data is NOT their stored data or their "backups".
As put forth in our Terms of Service, your stored data (your "backups") exist only in a specific location you have chosen. Your stored data (your "backups") will not be transferred from that location for any reason without your explicit instruction. If you commence "geo-redundant" service you are explicitly instructing us to store the secondary copy of your stored data (your "backups") in the United States of America.
6.2 Transfer Mechanism: The parties agree that when the transfer of personal data from Customer (as "data exporter") to rsync.net (as "data importer") is a Restricted Transfer and Applicable Data Protection Legislation require that appropriate safeguards are put in place, such transfer shall be subject to the appropriate Standard Contractual Clauses, which shall be deemed incorporated into and form part of this DPA, as follows:
a. In relation to transfers of Account Data and Customer Data that is protected by the GDPR, the EU SCCs shall apply, completed as follows:
1. Module Two or Module Three will apply (as applicable);
2. In Clause 9, Module 2 will apply.
3. In Clause 11, the optional language will not apply;
4. In Clause 17, Module 2 (controller to processor) will apply, and the EU SCCs will be governed by by the law of the EU Member State in which the data exporter is established and if no such law by Irish law.
5. In Clause 18(b), disputes shall be resolved before the courts of the EU Member State in which the data exporter is established and otherwise Ireland.
6. Annex I of the EU SCCs shall be deemed completed with the information set out in Schedule 1 to this DPA.
7. Annex II of the EU SCCs shall be deemed completed with the information set out in Schedule 2 to this DPA.
b. In relation to transfers of personal data protected by the UK GDPR or Swiss DPA, the EU SCCs as implemented above will apply with the following modifications:
1. references to "Regulation (EU) 2016/679" shall be interpreted as references to UK Privacy Laws or the Swiss DPA (as applicable);
2. references to specific Articles of "Regulation (EU) 2016/679" shall be replaced with the equivalent article or section of UK Privacy Laws or the Swiss DPA (as applicable);
3. references to "EU", "Union", "Member State" and "Member State law" shall be replaced with references to "UK" or "Switzerland", or "UK law" or "Swiss law" (as applicable);
4. the term "member state" shall not be interpreted in such a way as to exclude data subjects in the UK or Switzerland from the possibility of suing for their rights in their place of habitual residence (i.e., the UK or Switzerland);
5. Clause 13(a) and Part C of Annex I are not used and the "competent supervisory authority" is the UK Information Commissioner or Swiss Federal Data Protection Information Commissioner (as applicable);
6. references to the "competent supervisory authority" and "competent courts" shall be replaced with references to the "Information Commissioner" and the "courts of England and Wales" or the "Swiss Federal Data Protection Information Commissioner" and "applicable courts of Switzerland" (as applicable);
7. in Clause 17, the Standard Contractual Clauses shall be governed by the laws of England and Wales or Switzerland (as applicable); and
8. with respect to transfers to which UK Privacy Laws apply, Clause 18 shall be amended to state "Any dispute arising from these Clauses shall be resolved by the courts of England and Wales. A data subject may bring legal proceeding against the data exporter and/or data importer before the courts of any country in the UK. The Parties agree to submit themselves to the jurisdiction of such courts", and with respect to transfers to which the Swiss DPA applies, Clause 18(b) shall state that disputes shall be resolved before the applicable courts of Switzerland.
c. It is not the intention of either party to contradict or restrict any of the provisions set forth in the Standard Contractual Clauses and, accordingly, if and to the extent the Standard Contractual Clauses conflict with any provision of the Agreement (including this DPA) the Standard Contractual Clauses shall prevail to the extent of such conflict.
d. Geo-Redundant service class: Customers of rsync.net (the "controller") are hereby notified that choosing the upgraded "Geo-Redundant" service class will result in the customer data that they control to be exported in a secure fashion from the primary rsync.net location they have specified to a secondary location that is in the United States of America. Choosing the "Geo-Redundant" service class and confirming that service upgrade with associated additional charges shall be taken as confirmation that such data export to the United States of America is consistent with the legal duties of the controller and supercedes all other contractual clauses specified in any contract document between rsync.net and the customer.
7. Liability
The liability of each party under this Data Processing Addendum is subject to the exclusions and limitations of liability set out in the Agreement. You agree that any regulatory penalties or claims by data subjects or others incurred by rsync.net in relation to Your Controlled Data that arise as a result of, or in connection with, your failure to comply with your obligations under this Data Processing Addendum or EU Data Protection Law shall reduce rsync.net’s maximum aggregate liability to you under the Agreement in the same amount as the fine and/or liability incurred by us as a result.
8. Miscellaneous
a. Except as amended by this DPA, the Terms of Service will remain in full force and effect.
b. If there is a conflict between the Terms of Service and this DPA, the terms of this DPA will prevail.
c. In no event does this DPA restrict or limit the rights of any data subject or of any competent supervisory authority.
d. Notwithstanding anything to the contrary in this DPA or in the Agreement (including, without limitation, either party’s indemnification obligations), neither party will be responsible for any GDPR fines issued or levied under Article 83 of the GDPR against the other party by a regulatory authority or governmental body in connection with such other party’s violation of the GDPR.
e. Notwithstanding anything to the contrary in this DPA or in the Agreement (including, without limitation, either party’s indemnification obligations), neither party will be responsible for any UK GDPR fines issued or levied under Article 83 of the UK GDPR against the other party by a regulatory authority or governmental body in connection with such other party’s violation of the UK GDPR.
f. You are responsible for any costs and expenses arising from rsync.net’s compliance with your instructions or requests pursuant to the Agreement (including this Data Processing Addendum) which fall outside the standard functionality made available by rsync.net generally through the Services. For instance, if you choose the "Geo-Redundant" storage class but then further request physical delivery from the United States to an EU or UK location because of processing requirements.
g. The parties (You, the Controller and rsync.net, the processor) cause this DPA to be executed by their authorized representatives, and this DPA, including its annexes and the Standard Contractual Clauses, will be effective on the date both parties have signed and dated a signable copy of the DPA which will be provided by the Processor (rsync.net) to the Controller (you).
9. ANNEX I TO THE STANDARD CONTRACTUAL CLAUSES
DETAILS OF THE PROCESSING
A. LIST OF PARTIES
1. Data Exporter: The data exporter is the legal entity specified as “Customer” in the DPA. Customers that are an organization are a controller. Customers who are individuals are joint controllers with rsync.net, Inc.
2. Data Importer: The data importer is rsync.net, Inc. which functions as a joint controller with Customers that are individuals and a processor with Customers that are organizations.
B. DESCRIPTION OF TRANSFER
The categories of data subjects, the transfer of special categories of data, and the types of personal data processed in the context of the Services provided by rsync.net, Inc., depend on the content uploaded to servers by or on behalf of the Customer. The frequency and nature of the transfers between the Customer and rsync.net, Inc. depends upon the Services requested and used by Customer. The purpose of the data transfer and further processing by rsync.net, Inc. is for rsync.net, Inc. to provide Services to Customer which are requested by the Customer.
Processing operations
Personal data will be processed in accordance with the rsync.net Terms of Service and may be subject to the following processing activities:
a. Storage and processing necessary to provide, maintain and improve the Services provided pursuant to the Term of Service; and/or
b. Disclosure in accordance with the Terms of Service (including this DPA) and/or as compelled by applicable laws.
rsync.net processes Files for the duration it provides the Services to the Customer. When the Customer cancels its rsync.net subscription and deletes its rsync.net account, rsync.net will delete the Files stored in accordance with the rsync.net Terms of Service and will cease to be a processor or joint controller of the Files.
C. COMPETENT SUPERVISORY AUTHORITY
Where the EU GDPR applies, the competent supervisory authority shall be (i) the supervisory authority applicable to the data exporter in its EEA country of establishment or, (ii) where the data exporter is not established in the EEA, the supervisory authority applicable in the EEA country where the data exporter's EU representative has been appointed pursuant to Article 27(1) GDPR, or (iii) where the data exporter is not obliged to appoint a representative, the supervisory authority applicable to the EEA country where the data subjects relevant to the transfer are located.. Where the UK GDPR applies, the UK Information Commissioner's Office.
9. ANNEX II TO THE STANDARD CONTRACTUAL CLAUSES
TECHNICAL AND ORGANISATIONAL MEASURES
Systems and services security, Risk Management, Access Controls, Encryption, Physical Security, Event Logging, and System Configuration are performed as described in the following document:
rsync.net Systems and Data Security
