CloudBlue Cloud Marketplace Guide 2025 | Download Now

Cloud Marketplace Guide | Download Now

Get Pricing
REQUEST A DEMO

Overview

Responsibility Schema​

Processing of Personal Data

Responsibility

Roles of Companies in the Processing of Personal Data In the industry, companies can take different roles. It is essential for organizations involved in the processing of personal data to be able to determine whether they are acting as a data controller or as a data processor in respect of such processing. This is particularly important in situations such to prevent a data breach where it will be necessary to determine which organization has what responsibility.

Responsibility Schema

Security and data protection compliance is a shared responsibility between CloudBlue and each customer. The shared responsibility model is a useful approach to illustrate the different responsibilities of CloudBlue (as a data processor or sub-processor) and customers (as either data controllers or data processors) under the applicable data protection laws. Under the shared responsibility model, CloudBlue is responsible for the security of the cloud, while the customer is responsible for security in the cloud. Shared model configuration depends on the CloudBlue services that customers elect to use and how those services are integrated into customers’ IT environments. Depending on this configuration, the responsibility of the provider (processor or sub-processor) or the customer (controller), may vary.

The services provided by CloudBlue will typically fall under one or more of these categories, as explained further under section “What is a data processor”:

  • Software as a Service (“SaaS”)
  • Platform as a Service (“PaaS”)
The following diagram reflects the distribution of responsibilities in the case of a SaaS Configuration:
In case of using a PaaS or IaaS, the data controller could have additional responsibilities, which is represented in the following diagram:

At CloudBlue, our highest priority is securing our customers’ data, and we implement rigorous contractual, technical, and organizational measures to protect the confidentiality, integrity, and availability of the information regardless of the region where the customer is located and the origin of the data.

Considering the above, to ensure compliance with its own obligations as a processor, CloudBlue has implemented appropriate measures to cover the risk associated with the processing of personal data as part of the provision of the cloud services to its customers. Further to that, CloudBlue data protection program is a global one, applicable to all its operations world wide and built based on the requirements of the GDPR. All security and data protection standards and practices required to be respected in the European Union are also implemented and respected by CloudBlue in non-European Union locations.

CloudBlue offers to its customers a GDPR-compliant and industry standard Data Processing Agreement which provides the necessary commitments and assurance regarding the processing and handling of customer’s personal data by CloudBlue through the provision of CloudBlue business offerings.

Our partners and customers have trusted CloudBlue for more than 20 years as their cloud technology partner of choice. We take security and privacy seriously and have established an extensive vendor review and onboarding process which includes the Cyber Security Agreement. Our Information Security, Legal, Privacy, and Compliance teams conduct due diligence reviews for each vendor based on numerous factors, some of which include:

  • the type of data being hosted or shared. 
  • the confidentiality and sensitivity of the data. 
  • the vendor’s privacy and data handling practices. 
  • the vendor’s incident management and business continuity practices.

Roles in the Processing of Personal Data

In the Cloud industry, companies can take on different roles. It is essential for organizations involved in the processing of personal data to be able to determine whether they are acting as a data controller or as a data processor in respect of such processing. This is particularly important in situations such as preventing a data breach where it will be necessary to determine which organization has what responsibility. Sometimes, the same company could act as a data processor and as a data controller.

What is a data controller?

The data controller determines the purposes and the means of the processing of personal data. So, if your company decides ‘why’ and ‘how’, you are the controller of the personal data processing activities.

What is a data processor?

The data processor is a company processing the personal data on behalf of the data controller pursuant to the performance of a particular service or business offering.

However, the fact that one organization provides a service to another organization does not necessarily mean that it is acting as a data processor. It could be a data controller, depending on the degree of control it exercises over the processing operation.

The services provided by CloudBlue will typically fall under one or more of these categories:

  • Software as a Service (“SaaS”): CloudBlue provides software applications over the Internet and represents “Connect” and “Commerce as a Service” (or “Marketplace as a Service”) offerings.
  • Platform as a Service (“PaaS”): CloudBlue provides and/or manages infrastructure required to run the “CloudBlue software”
In accordance with the regulatory guidance and industry practices, CloudBlue, as a cloud service provider, will be acting as a data processor of its customers.

Responsibilities Arising Out of the Processing of Personal Data

Under the applicable data protection laws, the controller is responsible for the processing of personal data, where the processor acts on controller’s instructions. However, in some jurisdictions such as in the European Union, both controllers and processors have their own separate legal obligations with regards to the handling and protection of personal data, for example: security of the data and data transfers.

In such regard, each company bears its own legal responsibility for its compliance with its own legal obligations. It is also important to understand that company’s liability towards the regulators or the responsible administrative authority for breaches by a company of the applicable laws, cannot be limited or excluded by law.

Taking into consideration the nature of the service provided by CloudBlue, multiple parties will play a role in in the security and protection of the personal data stored in and processed through CloudBlue’s platforms and cloud services.

  • CloudBlue’s customer and such customer’s multiple business partners such as vendors, distributors and resellers all play a role. The acts and omissions of any party, other than CloudBlue authorized sub-processors, however, are fully outside of the control or the visibility of the Cloud services provider. 
  • Customer as the controller of the data maintains ownership of the personal data it uploads into CloudBlue products. Therefore, the customer selects which personal data can be processed, stored, and hosted through CloudBlue products. CloudBlue does not access or use the customer’s personal data for any purpose other than what is agreed with the customer in advance, except in each case as necessary to comply with the applicable laws or a binding order of a governmental body. 
  • The customer controls its data. CloudBlue offers industry standard security features to protect and encrypt customer’s data in transit and at rest which are appropriate to the risks presented by the processing of the data, taking into account the state of the art, the costs of implementation, the nature, scope, context and purposes of the processing of the data, the nature of the data as well as the risk and severity for the rights and freedoms of natural persons.
  • When evaluating the security of a cloud solution, it is important to understand and distinguish between the security of the cloud, and security in the cloud. Security of the cloud encompasses the security measures that CloudBlue implements and operates. CloudBlue is responsible for the security of the cloud. Security in the cloud, however, encompasses the security measures that the customer, as a data controller, implements and operates related to the CloudBlue products the customer uses. The customer is responsible for the security in the cloud and is responsible to receive awareness education and training with regular updates as relevant for the business role.

Subscribe and stay updated
on the latest at CloudBlue.

By providing my Personal Data to CloudBlue and its affiliates, I agree to be contacted for marketing purposes and I acknowledge and agree to the collection and processing of my Personal Data in accordance with the Privacy Statement.

Let's talk

CloudBlue

THE MONETIZATION PLATFORM

INTEGRATIONS

SERVICES

BY OBJECTIVE

BY INDUSTRY

BY USE CASE

SUCCESS STORIES

SUPPORT

PARTNER TYPES

PARTNER MODELS

JOIN OUR NETWORK

RESOURCE CENTER

ESSENTIAL REFERENCES

Get Pricing
REQUEST A DEMO