Data Protection and Privacy | Roles and Responsibilities | Security | Sub-Processors | FAQ
At CloudBlue, customer trust is our top priority. CloudBlue continually monitors the evolving privacy regulatory and legislative landscape to identify changes. Maintaining customer trust is an ongoing commitment. We strive to inform you of the privacy and data security policies, practices, and technologies we have put in place. In this page, you can find more information on how CloudBlue handles and protects your data.
Data Protection and Privacy
CloudBlue is committed to protect the personal data which our partners and customers entrust to us, and we treat all personal data you share with us in accordance with the requirements of the applicable laws, such as the European Union’s General Data Protection Regulation 2016/679 (“GDPR”).
Roles and Responsibilities
In the Cloud industry, companies can take different roles. It is essential for organizations involved in the processing of personal data to be able to determine whether they are acting as a data controller or as a data processor in respect of such processing. This is particularly important in situations such as a data breach where it will be necessary to determine which organization has what responsibility.
Under the applicable laws, Businesses are responsible for determining and implementing appropriate organizational and security measures for the protection of the personal data they process. CloudBlue as a cloud service provider has implemented organizational and security measures taking into account factors such as state of the art of technology, costs of implementation, the nature, scope, context and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.
CloudBlue may need to use third-party sub-contractors or other affiliates for the provision of the services. However, when using subcontractors, CloudBlue (i) carefully selects its service providers in order to perform the service we commit to our clients at best. (ii) executes necessary agreements with such sub-contractors, and (iii) requests from its sub-contractors to comply with all applicable laws and requirements for the processing of personal data.
The Sub-processors can be of 3 different types:
- CloudBlue Affiliates,
- Infrastructure Providers,
- Other Third Parties.
All of them are carefully selected in order to perform the service we commit to our clients. Our list of Affiliates is continually growing to more locations all over the world to serve more clients located across the globe.
A full list of the CloudBlue Affiliates which may be involved in the delivery of CloudBlue services is provided here below. Such Affiliates are not necessarily applicable to all our clients, but it’s always comforting for the client to know that its data is close to his or her location.
You can find here more information on some of the most frequently asked questions or concerns:
Answer: The General Data Protection Regulation (GDPR) is a European privacy law that became enforceable on May 25, 2018. The GDPR replaced the EU Data Protection Directive, also known as Directive 95/46/EC, and intended to harmonize data protection laws throughout the European Union (EU) by applying a single data protection law that is binding throughout each member state.
Answer: Personal data means any information relating to an identified or identifiable natural person, such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Bear in mind that under some local legislations the definition of personal data could cover as well other types of information. Please note that “personal data” is not equal to “customer data”. Customer data is a broader notion that typically includes transactional data and any other data processed through CloudBlue’s products.
Answer: Cookies can be personal data. The GDPR explicitly states that online identifiers, even if they are pseudonymized or if they do not directly identify an individual, will be considered personal data if there is potential for an individual to be identified or singled out. In addition, cookies can also be regulated by other European or local laws and regulations.
Answer: Data subject is any identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to any personal data. Bear in mind that under some local legislations the definition of data subject could cover legal persons as well.
Answer: Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Answer: Data transfer is the act of transferring any personal data from one location to another through some communication method. Please bear in mind that under some legal frameworks, is considered a data transfer also the simple access to personal data hosted on a server in one location such as within the territory of the European Economic Area, from another location for example outside the European Economic Area. Personal data transfer may be subject to specific legal requirements depending on the jurisdiction.
Answer: Transfers of personal from the European Union to a location outside the European Economic Area are allowed under the European legal framework if the specific legal conditions for such transfers are complied with. For more information about the locations where CloudBlue transfers data, please refer to our dedicated page
Answer: A data processing agreement (DPA) is a legally binding document to be entered into between the controller and the processor or between the processor and its sub-processor. It regulates the scope of the data processing – such as the purpose, types of data, types of data subjects etc. – as well as the relationship between the controller and the processor and their rights and obligation with regards to the processing of personal data. Essentially, a DPA is a form of assurance that the processor or sub- processor performs their obligations and shall ensure the protection of personal data. In some jurisdictions the execution of a DPA between controllers and their processor or between the processor and its sub-processors, is a legal requirement. We offer a GDPR-compliant and industry standard Data Processing Agreement.
Answer: As a customer, you maintain ownership of the personal data you upload into CloudBlue products. Therefore, you select which personal data can be processed, stored, and hosted through CloudBlue products. We do not access or use your personal data for any purpose other then what is agreed with you in advance, except in each case as necessary to comply with the applicable laws or a binding order of a governmental body.
Answer: As a customer, you control your data. As long as it is technically feasible, you determine where your data will be stored, including the type of storage and geographic region of that storage in accordance with the options offered by CloudBlue. We offer industry standard security features to protect and encrypt your data in transit and at rest which are appropriate to the risks presented by the processing of your data, taking into account the state of the art, the costs of implementation, the nature, scope, context and purposes of the processing of your data, the nature of the data as well as the risk and severity for the rights and freedoms of natural persons. You manage your data and the access to your data, and access to CloudBlue services and resources through identity and access policy based on users, groups, permissions, and credentials that you control.
Answer: CloudBlue Connect data is hosted on our Cloud Service Provider’s infrastructure with highly reliable servers that guarantees optimal uptime, and data security for all our customers and data (including order, asset, and tiers information within the platform). Depending on the engaged services, the customer can leverage the same infrastructure for Commerce data or determine where those data will be stored. For more information about the locations where CloudBlue stores data, please refer to our dedicated page
Answer: When evaluating the security of a cloud solution, it is important for you to understand and distinguish between the security of the cloud, and your security in the cloud. Security of the cloud encompasses the security measures that CloudBlue implements and operates. CloudBlue is responsible for security of the cloud. Security in the cloud encompasses the security measures that you, as a data controller, implement and operate, related to the CloudBlue products you use. You are responsible for your security in the cloud and responsible to receive awareness education and training with regular updates as relevant for your business role. For more information, see the CloudBlue responsibility scheme.
Answer: Security and data protection compliance is a shared responsibility between CloudBlue and each customer. The shared responsibility model is a useful approach to illustrate the different responsibilities of CloudBlue (as a data processor or sub-processor) and customers (as either data controllers or data processors) under the applicable data protection laws. Under the shared responsibility model, CloudBlue is responsible for the security of the cloud, while the customer is responsible for security in the cloud. Shared model configuration depends on the CloudBlue services that customers elect to use and how those services are integrated into customers’ IT environments. Depending on this configuration, the responsibility of the provider (processor or sub-processor) or the customer (controller), may vary. For more information, see the CloudBlue responsibility scheme.
Answer: At CloudBlue, our highest priority is securing our customers’ data, and we implement rigorous contractual, technical and organizational measures to protect the confidentiality, integrity, and availability of the information regardless of the region where the customer is located and the origin of the data. More information on the specific contractual, technical and organizational measures implemented by CloudBlue are available at our dedicated data privacy page.
Answer: CloudBlue has a security incident monitoring and data breach notification process in place and will notify customers of breaches of CloudBlue’s security shield without undue delay and in accordance with the CloudBlue DPA in place with the customer.
Answer: We recommend that customers with questions regarding CloudBlue’s data protection and security practices contact their account manager or the following dedicated contacts: firstname.lastname@example.org
In case of questions regarding CloudBlue’s data protection and security practices customers should contact their account manager or the following dedicated contacts: email@example.com and firstname.lastname@example.org.