1. Definitions
1.1. “Approved Jurisdiction” means a member state of the European Economic Area, or other jurisdiction as may be approved as having adequate legal protections for data by the European Commission currently found here: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en.
1.2. “Data Protection Laws” means, as applicable, any and/or all applicable domestic and foreign laws, rules, directives and regulations, on any local, provincial, state or deferral or national level, pertaining to data privacy, data security and/or the protection of Personal Data, including the Privacy and Electronic Communications Directive 2002/58/EC (and respective local implementing laws) concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications), including any amendments or replacements to them, including the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“GDPR”), and including the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq. (“CCPA“).
1.3. “Data Subject” means an individual to whom Personal Data relates. Where applicable, Data Subject shall be deemed as a “Consumer” as this term is defined under the CCPA.
1.4. “EEA” means those countries that are member of the European Economic Area.
1.5. “Permitted Purposes” mean any purposes in connection with Company performing its obligations under the Agreement.
1.6. “Security Incident” shall mean any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed. For the avoidance of doubt, any Personal Data Breach as defined under the GDPR will be considered a Security Incident.
1.7. “Security Measures” mean commercially reasonable security-related policies, standards, and practices commensurate with the size and complexity of Company’s business, the level of sensitivity of the data collected, handled and stored, and the nature of Company’s business activities.
1.8. “Standard Contractual Clauses” mean Module Two of the standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council from June 4th 2021.
1.9. “Sub-Processor(s)” mean any Affiliate, agent or assignee of Company that may process Personal Data pursuant to the terms of the Main Agreement, and any unaffiliated processor, vendors or service provider engaged by Company.
1.10. The terms “Business“, “Controller”, “Personal Data“, “Processor”, “Process”, “Processing” and “Service Provider” shall have the meanings ascribed to them in the Data Protection Laws, as applicable.
2. Application of this DPA
2.1. This DPA will only apply to the extent all of the following conditions are met:
(A) Company processes Personal Data that is made available by the Customer in connection with the Main Agreement (whether directly by the Customer or indirectly by a third party retained by and operating for the benefit of the Customer);
(B) The Data Protection Laws apply to the processing of Personal Data.
2.2. This DPA will only apply to the services for which the Parties agreed to in the Agreement (“Services“), which incorporates the DPA by reference.
3. Parties’ Roles
3.1. In respect of the Parties’ rights and obligations under this DPA regarding the Personal Data, the Parties hereby acknowledge and agree that the Customer is the Controller (as well as, as applicable, the Business, as this term is defined under the CCPA) and Company is a Processor (as well as, as applicable, the Service Provider, as this term is defined under the CCPA), and accordingly:
(A) Company agrees that it shall process all Personal Data in accordance with its obligations pursuant to this DPA;
(B) The Parties acknowledge that the Customer discloses Personal Data to Company only for the performance of the Services and that this constitutes a valid business purpose for the processing of such data.
4. Compliance with Laws
4.1. Each Party shall comply with its respective obligations under the Data Protection Laws.
4.2. Company shall provide reasonable cooperation and assistance to Customer in relation to Company’s processing of Personal Data in order to allow Customer to comply with its obligations as a Data Controller under the Data Protection Laws.
4.3. Company agrees to notify Customer promptly if it becomes unable to comply with the terms of this DPA and take reasonable and appropriate measures to remedy such non-compliance.
4.4. Throughout the duration of the DPA, Customer agrees and warrants that:
(A) Personal Data has been and will continue to be collected, processed and transferred by Customer in accordance with the relevant provisions of the Data Protection Laws;
(B) Customer is solely responsible for determining the lawfulness of the data processing instructions it provides to Company and shall provide Company only instructions that are lawful under Data Protection Laws;
(C) The processing of Personal Data by Company for the Permitted Purposes, as well as any instructions to Company in connection with the processing of the Personal Data (“Processing Instructions”), has been and will continue to be carried out in accordance with the relevant provisions of the Data Protection Laws; and that
(D) The Customer has informed Data Subjects of the processing and transfer of Personal Data pursuant to the DPA and obtained the relevant consents or lawful grounds thereto (including without limitation any consent required in order to comply with the Processing Instructions and the Permitted Purposes).
5. Processing Purpose and Instructions
5.1. The subject matter of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects, shall be as set out in the Agreement, including any appendices, which are incorporated herein by reference.
5.2. Company shall process Personal Data only for the Permitted Purposes and in accordance with Customer’s written Processing Instructions (unless waived in a written requirement), the Agreement and the Data Protection Laws, unless Company is otherwise required to do so by law to which it is subject (and in such a case, Company shall inform Customer of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest).
5.3. To the extent that any Processing Instructions may result in the Processing of any Personal Data outside the scope of the Agreement and/or the Permitted Purposes, then such Processing will require prior written agreement between Company and Customer, which may include any additional fees that may be payable by Customer to Company for carrying out such Processing Instructions. Company shall immediately inform Customer if, in Company’s opinion, an instruction is in violation of Data Protection Law.
5.4. Additional instructions of the Customer outside the scope of the Agreement require prior and separate agreement between Customer and Company, including agreement on additional fees (if any) payable to Company for executing such instructions.
5.5. Company shall not sell, retain, use or disclose the Personal Data for any purpose other than for the specific purpose of performing the Services or outside of the direct business relationship between the Parties, including for a commercial purpose other than providing the Services, except as required under applicable laws, or as otherwise permitted under the CCPA (if applicable) or as may otherwise be permitted for service providers or under a comparable exemption from “sale” in the CCPA (as applicable), as reasonably determined by Company. Company’s performance of the Services may include disclosing Personal Data to Sub-Processors where this is relevant in accordance with this DPA. The Company certifies that it, and any person receiving access to Personal Data on its behalf, understand the restrictions contained herein.
6. Reasonable Security and Safeguards
6.1. Company represents, warrants, and agrees to use Security Measures (i) to protect the availability, confidentiality, and integrity of any Personal Data collected, accessed or processed by Company in connection with this Agreement, and (ii) to protect such data from Security Incidents. Such Security Measures include, without limitation, the security measures set out in Appendix 1.
6.2. The Security Measures are subject to technical progress and development and Company may update or modify the Security Measures from time to time provided that such updates and modifications do not result in the degradation of the overall security of the services procured by Customer.
6.3. Company shall take reasonable steps to ensure the reliability of its staff and any other person acting under its supervision who has access to and processes Personal Data. Company shall ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
6.4. Company is responsible for performing its obligations under the Agreement in a manner which enables Company to comply with Data Protection Laws, including implementing appropriate technical and organizational measures to ensure a level of security appropriate to the risks that are presented by the processing of Personal Data, in particular protection against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.
7. Security Incidents
7.1. Upon becoming aware of a Security Incident, Company will notify Customer without undue delay and will provide information relating to the Security Incident as reasonably requested by Customer. Company will use reasonable endeavors to assist Customer in mitigating, where possible, the adverse effects of any Security Incident.
8. Security Assessments and Audits
8.1. Company audits its compliance with data protection and information security standards on a regular basis. Such audits are conducted by Company’s internal audit team or by third party auditors engaged by Company, and will result in the generation of an audit report (“Report”), which will be Company’s confidential information.
8.2. Company shall, upon reasonable and written notice and subject to obligations of confidentiality, allow its data processing procedures and documentation to be inspected, no more than once a year and in normal business hours, by Customer (or its designee), at Customer’s expense, in order to ascertain compliance with this DPA. Company shall cooperate in good faith with audit requests by providing access to relevant knowledgeable personnel and documentation.
8.3. At Customer’s written request, and subject to obligations of confidentiality, Company may satisfy the requirements set out in this section by providing Customer with a copy of the Report so that Customer can reasonably verify Company’s compliance with its obligations under this DPA. If Customer wishes to change this instruction regarding the audit, then Customer has the right to request a change to this instruction by sending Company written notice.
9. Cooperation and Assistance
9.1. If Company receives any requests from individuals or applicable data protection authorities relating to the processing of Personal Data under the Agreement, including requests from individuals seeking to exercise their rights under GDPR or CCPA, Company will promptly redirect the request to Customer. Company will not respond to such communication directly without Customer’s prior authorization, unless legally compelled to do so. If Company is required to respond to such a request, Company will promptly notify Customer and provide Customer with a copy of the request, unless legally prohibited from doing so. The Customer is responsible for verifying that the requestor is the data subject whose information is being sought. Company bears no responsibility for information provided in good faith to Customer in reliance on this subsection.
9.2. If Company receives a legally binding request for the disclosure of Personal Data which is subject to this DPA, Company shall (to the extent legally permitted) notify Customer upon receipt of such order, demand, or request. It is hereby clarified however that if no such response is received from Customer within three (3) business days (or otherwise any shorter period as dictated by the relevant law or authority), Company shall be entitled to provide such information.
9.3. Notwithstanding the foregoing, Company will cooperate with Customer with respect to any action taken by it pursuant to such order, demand or request, including ensuring that confidential treatment will be accorded to such disclosed Personal Data. Customer shall cover all costs incurred by Company in connection with its provision of such assistance.
9.4. Upon reasonable notice, Company shall:
(A) Taking into account the nature of the processing, provide reasonable assistance to the Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Customer’s obligation to respond to requests for exercising Data Subject’s rights, at Customer’s expense;
(B) Provide reasonable assistance to the Customer in ensuring Customer’s compliance with its obligation to carry out data protection impact assessments or prior consultations with data protection authorities with respect to the processing of Personal Data, provided, however, that if such assistance entails material costs or expenses to Company, the Parties shall first come to agreement on Customer reimbursing Company for such costs and expenses.
10. Use of Sub-Processors
10.1. Customer provides a general authorization to Company to appoint Sub Processors in accordance with this Clause.
10.2. Company may continue to use those Sub Processors already engaged by Company as at the date of this Agreement, subject to Company, in each case as soon as practicable, meeting the obligations set out in this Clause.
10.3. Company can at any time appoint a new Sub-Processor provided that Customer is given ten (10) days’ prior notice and the Customer does not legitimately object to such changes within that timeframe. In case of legitimate objections, Company shall either refrain from using such Sub-Processor in the context of the processing of Personal Data or shall notify Customer of its intention to continue to use the Sub-Processor. Where Company notifies Customer of its intention to continue to use the Sub-Processor in these circumstances, Customer may, by providing written notice to Company, terminate the Agreement immediately.
10.4. With respect to each Sub-processor, Company shall ensure that the arrangement between Company and the Sub Processor is governed by a written contract including terms which offer at least the same level of protection as those set out in this Agreement and meet the requirements of article 28(3) of the GDPR and/or of the CCPA (as applicable);
10.5. Company will be responsible for any acts, errors or omissions by its Sub-Processors, which may cause Company to breach any of its obligations under this DPA.
10.6. Company will only disclose Personal Data to Sub-Processors for the specific purposes of carrying out the Services on Company’s behalf. Company does not sell or disclose Personal Data to third parties for commercial purposes, except as required under applicable laws.
11. Transfer of EEA resident Personal Data outside the EEA
11.1. If Company processes Personal Data outside the EEA or an Approved Jurisdiction, then the Parties shall be deemed to enter into the Standard Contractual Clauses, in which event the Customer shall be deemed as the Data Exporter and the Company shall be deemed as the Data Importer (as these terms are defined therein):
11.2. To the extent that the Parties will rely on the Standard Contractual Clauses, the following amendments shall apply:
11.2.1. The Parties shall be deemed to enter into the Controller to Processor Standard Contractual Clauses (Module Two).
11.2.2. Clause 7 of the Standard Contractual Clauses shall not be applicable.
11.2.3. In Clause 9, option 2 shall apply.
11.2.4. In Clause 11, data subjects shall not be able to lodge a complaint with an independent dispute resolution body.
11.2.5. In Clause 17, option 1 shall apply. The Parties agree that the clauses shall be governed by the law of the Member State in which the Data Exporter is established.
11.2.6. In Clause 18(b) the Parties choose the courts of the state mentioned in section 11.2.5 above as their choice of forum.
11.2.7. The Parties shall complete Appendices 1–3, which are incorporated in the Standard Contractual Clauses by reference.
12. Data Retention and Destruction
12.1. Company will only retain Personal Data for the duration of the Agreement or as required to perform its obligations under the Agreement, or is otherwise required to do so under applicable laws or regulations. Following expiration or termination of the Agreement, Company will delete or return to Customer all Personal Data in its possession as provided in the Agreement, except to the extent Company is required under applicable laws to retain the Personal Data. The terms of this DPA will continue to apply to such Personal Data.
12.2. Notwithstanding the foregoing, Company shall be entitled to maintain Personal Data following the termination of this Agreement for statistical and/or financial purposes provided always that Company maintains such Personal Data on an aggregated basis or otherwise after having removed all personally identifiable attributes from such Personal data.
12.3. Notwithstanding the foregoing, Company shall be entitled to retain Personal Data solely for the establishment or exercise of legal claims, and/or in aggregated and anonymized form, for whatever purpose.
13. General
13.1. Any claims brought under this DPA will be subject to the terms and conditions of the Agreement, including the exclusions and limitations set forth in the Agreement.
13.2. In the event of a conflict between the Agreement (or any document referred to therein) and this DPA, the provisions of this DPA shall prevail.
13.3. Changes. Company may change this DPA if the change is required to comply with Data Protection Laws, a court order or guidance issued by a governmental regulator or agency, provided that such change does not: (i) seek to alter the categorization of the Company as the Data Processor; (ii) expand the scope of, or remove any restrictions on, either Party’s rights to use or otherwise process Personal Data; or (iii) have a material adverse impact on Customer, as reasonably determined by Company.
13.4. Notification of Changes. If Company intends to change this DPA under this section, and such change will have a material adverse impact on Customer, as reasonably determined by Company, then Company will use commercially reasonable efforts to inform Customer at least 30 days (or such shorter period as may be required to comply with applicable law, applicable regulation, a court order or guidance issued by a governmental regulator or agency) before the change will take effect.
APPENDIX 1
1. Identification of Parties
“Data Exporter“: Customer;
“Data Importer“: Company.
2. Description of Transfer
Data Subjects
The Personal Data transferred concern the following categories of Data Subjects:
- Customer’s end-users
- Customer’s employees
- Customer’s customers
- Other: Data Subjects whose Personal Data may be included within Customer’s logs and database queries, as part of using the service.
Categories of Personal Data
The Personal Data transferred concern the following categories of data:
- Any Personal Data imported or entered to any logs or database queries (e.g., emails, telephone number, etc.) as part of using the service.
Special Categories of Data (if appropriate)
The Personal Data transferred concern the following special categories of data:
- Any special categories of data imported or entered to any logs or database queries (e.g., health data, etc.) as part of using the service.
The frequency of the transfer:
- Continuous
- Other: query data are retrieved but are discarded after the query session end.
Nature of the processing
- Analysis
Purpose of the transfer and further processing
As defined in the Agreement.
Retention period
Personal Data will be retained for the term of the Agreement.
The competent supervisory authority shall be set in accordance with the provisions of Clause 13 of the Standard Contractual Clauses.
APPENDIX 2
This Appendix forms part of the DPA and describes the technical and organizational security measures implemented by the data importer.
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Company shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
- the pseudonymisation and encryption of personal data;
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
- a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
More specifically, Company’s security controls shall include the following:
- Testing and auditing: Regular tests, assessments, and audits are conducted for the effectiveness of Company’s security controls. To maintain the industry’s best practices with regard to security, Company undergoes third party audits regularly. Company maintains SOC 2 Type II compliance. System and Organizational Controls, commonly known as SOC 2, is designed Trust Service Criteria for security, availability, processing integrity, confidentiality, a privacy for managing customer data.
- Authentication and Authorization: Company enforces Multi Factor Authentication (MFA) to all systems where available. Company also enforces a Password Policy for all applications including access customer products. Company follows least privilege rule for system access. Elevated access must be requested and reviewed under Company’s Change Management Policy.
- Code Analysis: Company performs security reviews of code in our source code repository to check for coding best practices and identifiable flaws. Codes are pushed to production after it is reviewed and approved in accordance to the Company’s Change Management Policy.
- Data Encryption: Company enforces encryption for data transmission and communication with the use of HTTPS. Company encrypts data at rest, including but not limited to backups, database, and storage devices.
- Penetration Testing and Vulnerability Management: Company conducts an annual penetration test with and industry recognized penetration testing service. Exposed vulnerabilities are classified with priority as defined in Company’s Vulnerability Priority Definitions and SLAs and are remediated based on time defined by the SLAs in the document.
- Personnel: employees must undergo a third-party background check, in accordance with and as permitted by the applicable laws. Company employees are required to execute a confidentiality and privacy agreement. Company employees are required conduct themselves in a manner consistent with the Company’s Code of Conduct and systems Acceptable Use Policy.
APPENDIX 3
Below is the list of Company’s Sub-processors:
| # | Name | Details | |
| 1 | Google, Inc. | Address: | 1600 Amphitheatre Parkway, Mountain View, CA 94043 |
| Contact details: | https://support.google.com/policies/contact/general_privacy_form | ||
| Description of processing: | Infrastructure hosting provider | ||
| 2 | Amazon Web Services | Address: | 410 Terry Avenue North, Seattle, WA 98109 |
| Contact details: | [email protected] | ||
| Description of processing: | Infrastructure hosting provider | ||
| 3 | Auth0 | Address: | 10800 NE 8th St., Suite 700, Bellevue, WA 98004 |
| Contact details: | [email protected] | ||
| Description of processing: | Authentication infrastructure provider | ||
| 4 | MongoDB Atlas | Address: | 499 Hamilton Ave., Palo Alto, CA 94301 |
| Contact details: | [email protected] | ||
| Description of processing: | Database as a service | ||
| 5 | Honeycomb | Address: | 233 Sansome St 4th Floor, San Francisco, CA 94104 |
| Contact details: | [email protected] | ||
| Description of processing: | Distributed tracing analysis system (Observability infrastructure) | ||
| 6 | Sparkpost | Address: | 9160 Guilford Rd., Columbia, MD 21046 |
| Contact details: | [email protected] | ||
| Description of processing: | Email transaction | ||
| 7 | OpenAI | Address: | 3180 18th Street, San Francisco, CA 94110 |
| Contact details: | [email protected] | ||
| Description of processing: | AI hosting provider | ||
| 8 | Microsoft Corporation | Address: | One Microsoft Way, Redmond, WA 98052 |
| Contact details: | https://www.microsoft.com/en-us/concern/privacy | ||
| Description of processing: | Infrastructure hosting provider |
