1. Definitions
“Controller”, “Processor”, “Processing”, “Personal data”, and “Personal data breach” have the meanings in the GDPR or UK GDPR as applicable. “Customer” means the legal entity or sole trader with the Cloak Proxy account. “We” / “us” means the Processor (the operator of Cloak Proxy as identified from time to time in your dashboard or in a written agreement).
2. Roles and details of processing
2.1 Subject matter and duration. The subject matter is the provision of residential proxy routing and related account, metering, and security processing. Processing continues for the term of your use of the Service and until deletion in accordance with this DPA and our Privacy policy.
2.2 Nature and purpose. We process personal data you route through the Service solely to transmit, meter, secure, and troubleshoot the Service, and to comply with law.
2.3 Categories of data subjects. Determined by your use case (for example your employees, customers, or visitors). We do not control which data subjects you choose to involve.
2.4 Categories of personal data. May include IP addresses, device or application identifiers, HTTP headers, timestamps, and any personal data embedded in traffic payloads you send. You must not send special-category data through the Service unless strictly necessary, lawful, and expressly agreed in writing.
3. Instructions
We process personal data only on documented instructions from the Customer, including these terms, this DPA, the Acceptable use policy, and configuration you set in the dashboard (including targeting and session options). If we believe an instruction infringes the GDPR or UK GDPR, we will inform you promptly unless prohibited by law.
4. Customer representations
You warrant that (a) you have a valid lawful basis and, where required, appropriate transparency notices and mechanisms for data-subject rights for any personal data you route through the Service; (b) your instructions will not require us to process data in a manner that would violate applicable law; and (c) you will not route special-category personal data through the Service except where strictly necessary, lawful, and expressly agreed in writing. You acknowledge that unlawful instructions or misuse may cause regulatory or reputational harm to us and that our remedies include suspension of processing and enforcement of the indemnity and release in our Terms of service.
5. Confidentiality and personnel
We ensure that persons authorised to process personal data are bound by appropriate confidentiality obligations.
6. Security
We implement appropriate technical and organisational measures taking into account the state of the art, implementation costs, and risks, including, as appropriate, pseudonymisation, encryption where suitable, resilience, the ability to restore availability, and processes to test and assess effectiveness. A summary is available on request; detailed security documentation may be provided under a reasonable confidentiality undertaking.
7. Sub-processors
You generally authorise us to engage sub-processors who provide hosting, communications, payments-related infrastructure where used, support, and security services. We remain responsible for their performance. We will publish or make available an up-to-date list of sub-processor categories and, where commercially practicable, names. You may object to a new sub-processor on reasonable data-protection grounds; if we cannot accommodate the objection, either party may terminate the affected Service component as your sole remedy.
8. Assistance and data subject rights
Taking into account the nature of processing, we assist you by appropriate technical and organisational measures, insofar as possible, for fulfilment of your obligation to respond to requests from data subjects and for your DPIA or prior consultation obligations, where those obligations arise specifically from our processing. You reimburse reasonable incremental costs for non-standard assistance.
9. Personal data breach
We notify you without undue delay after becoming aware of a Personal data breach affecting personal data we process on your behalf, and provide information reasonably available to allow you to meet any controller reporting obligations.
10. Return and deletion
On termination of the Service (or on your written request, where technically feasible), we delete or return personal data processed on your behalf, except where retention is required by EU or UK law, in which case we isolate and protect the data until deletion is permitted.
11. Audits
We make available information necessary to demonstrate compliance and allow for audits, including inspections, conducted by you or another auditor mandated by you, subject to: (a) reasonable notice; (b) not more than once per twelve months except following a substantiated breach concern; (c) execution of a confidentiality agreement; and (d) conduct during business hours without unreasonable disruption. You may substitute an ISO 27001 or SOC 2 report issued by us or our infrastructure provider where available.
12. International transfers
Where personal data protected by the GDPR or UK GDPR is transferred outside the EEA or UK, we implement appropriate safeguards such as Standard Contractual Clauses (including modules approved for processor-to-sub-processor flows where relevant) together with supplementary measures consistent with applicable guidance.
13. Liability under the DPA
Each party’s liability under this DPA is subject to the limitations in our Terms of service except that nothing in these documents purports to limit liability that cannot be limited under the GDPR or UK GDPR.