Data Processing Addendum
Updated: April 1, 2026
1. Scope and application
This Addendum will apply, if required by Data Protection Legislation (as defined below) and only to the extent that, in providing any Services to You, we process as a processor personal data contained in or generated in relation to Your Customer Content (the “Data”).
This Addendum forms part of Qwen Cloud Website Customer Agreement or other equivalent agreement between You and us in relation to Your use of Services (the “Agreement”), and capitalised terms not defined herein will have the meaning given in the Agreement. In the event and to the extent of a conflict between the other terms of the Agreement including its Addenda or any other agreements between You and us regarding the Data and this Addendum, this Addendum will prevail.
2. Definitions
In this Addendum:
“controller”, “data subject”, “process”, “processor” and “supervisory authority” each has the meaning given in GDPR, or the equivalent term under applicable Data Protection Legislation.
“Data Protection Legislation” means, as applicable: all laws and regulations applicable to and binding on the processing of Data by You and/or Qwen Cloud, including but not limited to (i) GDPR, (ii) the GDPR as saved into United Kingdom law by virtue of section 3 of the United Kingdom's European Union (Withdrawal) Act 2018 (the “UK GDPR”), and in each case, any related national laws, legislation, rules or regulations, related to privacy and data protection (including legislation made under or in relation to (i), (ii)). For clarity, a reference to Data Protection Legislation, includes a reference to Data Protection Legislation as amended, modified, extended, re-enacted, consolidated or replaced from time to time.
“GDPR” means Regulation (EU) 2016/679.
“personal data” means personal data, personal information, personally identifiable information or other equivalent term (each as defined in Data Protection Legislation).
“Restricted Transfer” means (i) where the GDPR applies, a transfer of personal data from the European Economic Area to a country, territory or organisation outside of the European Economic Area which is not subject to an adequacy determination by the European Commission; and (ii) where the UK GDPR applies, a transfer of personal data from the United Kingdom to any other country, territory or organisation which is not based on adequacy regulations pursuant to Section 17A of the United Kingdom Data Protection Act 2018.
“Standard Contractual Clauses” means (i) where the Data is protected by the GDPR, the standard contractual clauses annexed to the European Commission's Implementing Decision 2021/914/EU of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council(“EU SCCs”) and (ii) where the Data is protected by the UK GDPR, the “International Data Transfer Addendum to the EU Commission Standard Contractual Clauses” issued by the Information Commissioner under s.119A(1) of the Data Protection Act 2018 (“UK Addendum”).A copy of the Standard Contractual Clauses can be obtained at https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc,or by contacting us at DPO_Intl@alibabacloud.com .
3. Description of processing
For the purposes of this Addendum, You (the controller or processor) appoint us as Your processor to process the Data, for the duration of the Agreement, solely for the purpose of providing the Services to You (the “Permitted Purpose”).
4. Data processing
In processing the Data under the Agreement, we shall, to the extent such Data is in our possession or under our control and subject to your compliance with Clause 5 below:
(a) only process the Data on Your documented instructions unless required otherwise by applicable law;
(b) ensure that all personnel authorised by us to process the Data are subject to suitable confidentiality obligations;
(c) implement and maintain appropriate technical and organisational measures (including access control), or otherwise making reasonable security arrangements, as described at https://www.alibabacloud.com/trust-center, designed to: (i) protect the Data processed by us against unauthorized or accidental access, processing, erasure, loss or use of the Data arising from a breach of our security (a “Security Incident”); We may change those measures from time to time, but not so as to reduce the level of protection for Data below the mandatory minimum required under Data Protection Legislation (as applicable). In the event of a confirmed Security Incident, to the extent required under Data Protection Legislation: (1) we shall notify You and shall provide reasonable information and cooperation to You according to applicable Data Protection Legislation so that You can fulfil any data breach reporting obligations You may have under (and in accordance with the timelines required by) applicable Data Protection Legislation; and (2) we shall further take any reasonably necessary measures and reasonably necessary actions to remedy or mitigate the effects of the Security Incident, and shall keep You informed of all material developments in connection with the Security Incident. Security Incident shall be deemed to include a “personal data breach” or equivalent terms defined under the applicable Data Protection Legislation;
(d) hereby be granted Your general authorisation to engage third party subcontractors to process the Data for the Permitted Purpose, provided that we (i) (subject to Your compliance with Clause 5 below) shall remain liable for any of our subcontractors; (ii) shall maintain an up-to-date list of such subcontractors, which shall be made available to You upon request; and (iii) shall impose data protection terms on any subcontractor we appoint to process any Data, that require it to protect such Data to at least the standard required by applicable Data Protection Legislation, or the provisions of this Addendum, whichever is more protective. You may object to our appointment or replacement of such a subcontractor before its appointment or replacement, provided such objection is based on reasonable grounds relating to data protection. In such event, we will either not appoint or replace the relevant subcontractor or, if this is not possible, You may terminate the relevant Service and this Addendum to the extent it applies to that Service, but without prejudice to any fees or costs incurred by You for that Service before that termination and without prejudice to the Agreement, any other Services provided to You, and any fees or costs in relation to those other Services;
(e) assist You to respond to data subjects’ requests to exercise their rights regarding any Data under applicable Data Protection Legislation by providing You with technical measures to enable You, to the extent consistent with the functionality of the our Services and our role as a processor, to access, rectify, erase, restrict or export Data directly (and You agree that, taking into account the nature of the processing, this paragraph reflects the extent to which it is possible for us to provide You with such assistance). If a data subject, supervisory authority or any other party directly approaches us with any request, query or complaint regarding any Data, we shall, promptly notify You accordingly or notify that person that they should approach You instead, unless we are prohibited from doing so under applicable law or by an order of a supervisory authority;
(f) to the extent required by applicable Data Protection Legislation, if we believe or become aware that our processing of the Data is likely to result in a high risk to the data protection rights and freedoms of data subjects, promptly inform You and provide reasonable cooperation to You (at Your expense) in connection with any data protection impact assessment and/or prior consultation that You may be required under applicable Data Protection Legislation to undertake for Your use of our Services;
(g) at Your choice, delete or return all Data in our possession or control following the termination of the Agreement. This requirement shall not apply to the extent that we are required or permitted by applicable law to retain some or all of the Data, or Data archived on back-up systems, in which event we shall securely isolate and protect such Data from any further processing except: (i) to the extent required by such law until deletion is possible; or (ii) where such Data ceases to contain personal data; and
(h) use independent qualified third party security professionals and auditors, at our selection and expense, to (at appropriate regular intervals) verify the adequacy of our security measures, including the security of the data centers from which we provide the our Services, and generating audit reports and certifications thereof (“Report and Certification”). You agree and acknowledge that we are regularly audited against many industry-recognised standards by independent third-party auditors as described at https://www.alibabacloud.com/trust-center. Upon Your written request (to the extent such right is specifically provided under Data Protection Legislation), and subject to Your execution of a non-disclosure agreement covering the Report and Certification (and verification that You are not a competitor of Qwen Cloud), we will make available to You a summary copy of the Report and Certification demonstrating our compliance with the obligations set forth in this Addendum.
(i) abstain from implementing policies or taking actions that may diminish the protection of Data in a manner inconsistent with Data Protection Legislation.
If You were granted an audit right such as by Standard Contractual Clauses, or by applicable Data Protection Legislation, then You agree to exercise Your audit right by instructing us to execute the audit as described in this clause. If You desire to change this instruction, then You have the right to do so by requesting in writing, or as set forth in the Standard Contractual Clauses which change shall also be requested in writing (for clarity, nothing in the foregoing shall require us to make available any data, material or information of any of our other customers).
For the avoidance of doubt, nothing herein obliges us to disclose any information that is subject to any right, privilege or immunity conferred, or obligation (including without limitation in connection with our performance of any contractual obligation) or limitation imposed, by or under any law or rules of professional conduct in relation to the disclosure of such information.
5. Your responsibilities
You agree:
(a) to comply with your obligations under all applicable Data Protection Legislation in relation to Your: (i) use of our Services for processing of any personal data comprised within the Data; and (ii) appointment of us as Your processor to process the Data as contemplated under this Addendum;
(b) that this Addendum, the Agreement, Your other applicable agreements with us and Your configuration and use of the our Services will together comprise Your complete and final documented instructions to us on the processing of Data; and
(c) that You shall not give us as Your processor any instructions, nor shall You use the our Services in any way, that in any such case could infringe any applicable Data Protection Legislation or could cause us or any of our affiliates to infringe any applicable Data Protection Legislation. Without prejudice to the generality of the foregoing, you agree and acknowledge that where You disclose personal data to us, you shall have: (i) obtained or procured all necessary consents where required under applicable law from the relevant data subject(s) for the disclosure of such data subject(s)’s personal data to us for our collection, use and/or disclosure for the Permitted Purpose (without prejudice to any other lawful basis for such handling of personal data by us), and that such consents have not been withdrawn; or (ii) to the extent consent is not required under applicable law, you have secured all necessary legal bases under Data Protection Legislation for disclosing personal data to us for our handling of the personal data for the Permitted Purpose as contemplated under this Addendum.
(d) that You shall be responsible for the correctness of the Data and ensuring that it is kept up-to-date and shall handle any requests or complaints raised by data subjects.
6. International transfers
6.2 To the extent that the transfer of Data from You to us constitutes a Restricted Transfer, You agree that the Standard Contractual Clauses will be deemed entered into (and incorporated by reference into this Addendum) between You (as data exporter) and us (as data importer) as follows:
6.2.1 In relation to Data that is protected by the GDPR, the EU SCCs will apply completed as follows:
(a) If and to the extent You are a controller of such Data Module Two will apply, and if and to the extent You are a processor of such Data Module Three will apply, in each case as follows:
(i) in Clause 7, the optional docking clause will apply (provided that any new party to the EU SCCs shall be subject to our prior written agreement);
(ii) in Clause 9, Option 2 will apply, and the time period for prior notice of subcontractor changes shall be as set out in Clause 4(d) of this Addendum.
(iii) in Clause 11, the optional language will not apply;
(iv) in Clause 17, Option 1 will apply and the EU SCCs will be governed by Dutch law;
(v) in Clause 18(b) disputes shall be resolved before the courts of the Netherlands;
(vi) Annex I of the EU SCCs shall be deemed completed with the information set out in this Addendum and/or in the Appendix 1 to this Addendum, and the competent supervisory authority under Part C of Annex I shall be determined in accordance with Clause 13 of the EU SCCs;
(vii) Annex II of the EU SCCs shall be deemed completed with the information set out in the document linked to in Clause 4(c) of this Addendum;
(b) The following clarifications shall apply to the EU SCCs:
(i) You may exercise Your right of audit under the EU SCCs as set out in and subject to the requirements, of Clause 4(h) of this Addendum;
(ii) We may appoint subcontractors as set out in and subject to the requirements of Clause 4(d) of this Addendum and You may exercise Your right to reject to subcontractors under the EU SCCs in the manner set out in Clause 4(d) of this Addendum;
(iii) Clause 4(g) shall apply in relation to the deletion or return of transferred Data on any termination of the Agreement;
(iv) For the avoidance of doubt, in light of the nature of the Services You are solely responsible for the accuracy of the Data and the legality of its collection by You, and we are not obliged to check any transferred Data for accuracy;
(c) You will pay us fees at its then standard professional services rates and also reimburse us for its reasonable costs reasonably incurred in dealing with any inquiries from You relating to any transferred Data and/or for providing You with any assistance requested by You under the EU SCCs, including without limitation for notifying or otherwise assisting You with data subject requests or responses to data subjects, and cooperation with You to erase or rectify any transferred Data.
6.2.2 In relation to Data protected by the UK GDPR, the UK Addendum will apply completed as follows:
(a) the EU SCCs, completed as set above in clause 6.2.1 shall apply and shall be modified by the UK Addendum (completed as set out in sub-clause (b) below): and
(b) Tables 1 to 3 of the UK Addendum shall be deemed completed with the relevant information from the EU SCCs, completed as set out above, and the options “Exporter” and “Importer” shall be deemed checked in table 4. The start date of the UK Addendum (as set out in table 1) shall be the date of this Addendum.
6.2.3. In relation to Data that is subject to jurisdictions outside the scope of the GDPR and UK GDPR, to the extent that such jurisdiction permits the use of EU SCCs (subject to modifications to align with respective Data Protection Law) then the provisions under the EU SCCs shall apply with necessary modifications to align with the respective Data Protection Legislation of the relevant jurisdiction.
6.3 With respect to onward transfers with subcontractors, we shall only participate in such onward transfer (including a Restricted Transfer) of Data where the onward transfer is made in compliance with Data Protection Legislation.
6.4 In the event that any provision of this Addendum contradicts, directly or indirectly, the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.
6.5 Save as specifically provided under this Addendum, You agree and acknowledge that You are solely responsible to comply with Data Protection Legislation in respect of: (a) Your transfer of Data from one jurisdiction to another; and/or (b) your instructions to us (as Your processor) to transfer Data from one jurisdiction to another. Without prejudice to the generality of the foregoing, You agree and acknowledge that You shall not instruct us nor cause us to transfer any personal data to any country or territory except in accordance with the requirements prescribed under Data Protection Legislation for such transfer, including without limitation in connection with Your obligation, as may be required under Data Protection Legislation, to ensure a standard of protection to Data so transferred that is comparable to the protection under Data Protection Legislation.
7. Miscellaneous
(a) For clarity, the total aggregate liability of us and all our affiliates, employees, agents, affiliates, representatives or anyone acting on its behalf together, arising from or in connection with the Agreement and/or this Addendum and/or the Standard Contractual Clauses or any matter arising therefrom shall not exceed the maximum liability of Qwen Cloud as limited by the paragraph following Clause 11.5 of the Customer Agreement.
(b) We may modify the terms of this Addendum, for example to comply with Data Protection Legislation or to implement any standard contractual clauses adopted by the Information Commissioner's Office, or the European Commission, or a supervisory authority or other competent supervisory authorities under Data Protection Legislation, but it will not do so in a way that would reduce the protections required to be afforded to You below the mandatory minimum required under Data Protection Legislation (as applicable). If we modify the terms of this Addendum, the Addendum will be an amended and restated version on the Website, and we will provide at least 15 days prior written notice of any material amendments to the Addendum to You (which may be posted on the Website or displayed in Your Account). By continuing to use the relevant products or services after the receipt of written notification of such changes by us, You agree to be bound by the amended and restated Addendum.
Appendix 1
A. LIST OF PARTIES
Data exporter(s):
Name: | The entity identified as “Customer” in the Customer Agreement |
Address: | The address for Customer associated with its Account or as otherwise specified in this Data Processing Addendum or the Customer Agreement |
Contact person’s name, position and contact details: | The contact details associated with Customer’s account, or as otherwise specified in this Data Processing Addendum or the Customer Agreement |
Activities relevant to the data transferred under these Clauses: | The activities specified in Sections 3 and 4 of this Data Processing Addendum. |
Signature and date: | Please see signature and date to the Customer Agreement |
Role (controller/processor): | Controller or processor, as set out in this Data Processing Addendum |
Data importer(s):
Name: | “Qwen Cloud” as identified in the Customer Agreement |
Address: | The address for Qwen Cloud specified in the Customer Agreement |
Contact person’s name, position and contact details: | The contact details for Qwen Cloud specified in the Addendum or the Customer Agreement |
Activities relevant to the data transferred under these Clauses: | The activities specified in Sections 3 and 4 of this Data Processing Addendum. |
Signature and date: | Please see signature and date to the Customer Agreement |
Role (controller/processor): | Processor |
B. DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred: | The data subjects may include Your customers, employees, supplier and End Users. |
Categories of personal data transferred: | Capitalised terms not defined herein will have the meaning given in Your Customer Agreement with Qwen Cloud. The personal data includes any information, content, material and data in electronic format as may be contained in or generated in relation to Customer Content. |
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures: | Although we don’t intend to collect any special categories of personal data from You or Your End Users, You may, at your sole discretion and responsibility, cause special categories of personal data to be provided to the Services by You or by any of Your End Users through the products or services you build using our Services, including via our APIs. Such data could include (depending on the content submitted) personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation, and/or personal data relating to criminal convictions and offences or related security measures. Before uploading any sensitive data, You are obliged to assess and confirm that the technical and organizational measures taken by Qwen Cloud are sufficient for the sensitive data that You choose to upload. |
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis): | Data may be transferred on an occasional or continuous basis solely for the purposes of providing You with the Services and as otherwise set out in the Agreement. |
Nature of the processing: | The personal data will be processed and transferred for the purposes of providing You with the Services and as otherwise set out in the Agreement. |
Purpose(s) of the data transfer and further processing: | The personal data will be processed and transferred for the purposes of providing You with the Services and as otherwise set out in the Agreement. |
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: | Data will be processed and transferred for the duration of the Agreement. |
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing: | The above shall apply to such transfers to sub-processors. |
C. COMPETENT SUPERVISORY AUTHORITY
Competent supervisory authority: For the purposes of the EU GDPR, the competent supervisory authority shall be construed in accordance with Clause 13 of the EU SCCs; for the purposes of the UK GDPR, the competent supervisory authority shall be the UK Information Commissioner's Office.