This Data Processing Agreement (“DPA”) is hereby entered into by and between ScyllaDB Inc. or Scylla DB, Ltd., as applicable (collectively “Company” or “ScyllaDB”) and the Customer (each a “party” and collectively the “parties”), and is an integral part of the agreement executed between the parties (“Agreement”). Capitalized terms not defined herein shall have the respective meanings given to them in the Agreement. This DPA sets forth the parties’ responsibilities and obligations regarding the Processing of Personal Data during the course of the engagement between the parties.
1.1. “CCPA” means the California Consumer Privacy Act of 2018, Cal. Civ. Code §§ 1798.100 et seq.
1.2. “Data Protection Law” means any and all applicable privacy and data protection laws and regulations (including, where applicable, EU Data Protection Law and the CCPA) as may be amended or superseded from time to time.
1.3. “Controller”, “Processor”, “Data Subject”, “Personal Data”, “Processing” (and “Process”), “Personal Data Breach” and “Special Categories of Personal Data” shall all have the meanings given to them in EU Data Protection Law. The terms “Business”, “Business Purpose”, “Consumer”, “California Consumer”, “Service Provider” and “Sell” shall have the same meaning as ascribed to them in the CCPA. “Data Subject” shall also mean and refer to “Consumer”, as such term is defined in the CCPA. “Personal Data” shall also mean and refer to “Personal Information”, as such term is defined in the CCPA.
1.4. “EU Data Protection Law” means (i) the EU General Data Protection Regulation (Regulation 2016/679) (“GDPR”); (ii) Regulation 2018/1725; (iii) the EU e-Privacy Directive (Directive 2002/58/EC), as amended (“e-Privacy Law”); (iv) any national data protection laws made under, pursuant to, replacing or succeeding (i) and (ii); and (v) any legislation replacing or updating any of the foregoing.
1.5. “Security Incident” means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data of the other party. For the avoidance of doubt, any Personal Data Breach of the other party’s Personal Data will comprise a Security Incident.
1.6. “Customer Data” means any and all Personal Data uploaded by the Customer to the Services.
1.7. “Standard Contractual Clauses” means the standard contractual clauses for the transfer of Personal Data to third countries pursuant to the GDPR, adopted by European Commission Decision 2021/914 of 4 June 2021, which is attached herein by linked reference: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=
2. RELATIONSHIP OF THE PARTIES
2.1. The parties acknowledge that in relation to all Customer Data, as between the parties, Customer is the Controller of Customer Data, and that the Company, in providing the Services is acting as a Processor on behalf of the Customer. For the purpose of the CCPA (and to the extent applicable), Customer is the Business and the Company is the Service Provider.
2.3. The purpose, subject matter and duration of the Processing carried out by the Company on behalf of the Customer, the nature and purpose of the Processing, the type of Personal Data and categories of Data Subjects are described in Annex 1 attached hereto.
3. REPRESENTATIONS AND WARRANTIES
3.1. The Customer represents and warrants that: (i) its Processing instructions shall comply with applicable Data Protection Law; (ii) it will comply with Data Protection Law, specifically with regard to the lawful basis principle for Processing Personal Data, as well as the CCPA provisions; and (iii) due to the nature of the Services, the Company does not monitor or control the data uploaded by the Customer and thus the type of Personal Data or categories of Data Subjects processed by it is subject to the Customer’s sole discretion.
3.2. The Company represents and warrants that it: (i) shall process Personal Data, as set forth under Article 28(3) of the GDPR, on behalf of the Customer, solely for the purpose of providing the Service, and for the pursuit of a Business Purpose as set forth under the CCPA, all in accordance with the Customer’s written instructions including the Agreement and this DPA; (ii) in the event the Company is required under applicable laws, including the Data Protection Laws or any Union or Member State regulation, to Process Customer Data other than as instructed by the Customer, shall make its best efforts to inform the Customer of such requirement prior to Processing such Customer Data, unless prohibited under applicable law; and (iii) shall provide reasonable cooperation and assistance to the Customer in ensuring compliance with its obligation to carry out data protection impact assessments with respect to the processing of personal data, and with its obligation of prior consultation with the supervisory authority (as applicable).
4. PROCESSING OF PERSONAL DATA AND COMPLIANCE WITH DATA PROTECTION LAW
As between the parties, the Customer undertakes, accepts and agrees that the Company and the Data Subject do not have a direct relationship. The Customer shall ensure that it obtains a proper affirmative act of consent from Data Subjects where required in accordance with applicable Data Protection Law, and satisfies other relevant notice and privacy requirements, in order to Process Personal Data as set out herein and for the transfer of Personal Data, where applicable. Notwithstanding the above, in the event Special Categories of Personal Data or Sensitive Data will be processed by the Company on behalf of the Customer, the Customer shall notify the Company in writing and the Company shall implement specific restrictions.
5. RIGHTS OF DATA SUBJECT AND PARTIES COOPERATION OBLIGATIONS
5.1. It is agreed that where the Company receives a request from a Data Subject or an applicable authority in respect of Personal Data Processed by Company, where relevant, the Company will direct the Data Subject or the applicable authority to the Customer in order to enable the Customer to respond directly to the Data Subject’s or the applicable authority’s request, unless otherwise required under applicable laws. Both parties shall provide each other with commercially reasonable cooperation and assistance in relation to the handling of a Data Subject’s or applicable authority’s request, to the extent permitted under Data Protection Law.
5.2. Where applicable, Company shall assist the Customer to ensure that Personal Data Processed is accurate and up to date, by informing the Customer without delay if Company becomes aware that the Personal Data it is processing is inaccurate or has become outdated.
6. COMPANY’S PERSONNEL
Company shall take reasonable steps to ensure the reliability of its staff and any other person acting under its supervision who may come into contact with, or otherwise have access to and Process Personal Data; ensure persons authorized to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality; and ensure that such personnel are aware of their responsibilities under this DPA and any Data Protection Laws.
7. DO NOT SELL PERSONAL INFORMATION
It is hereby agreed that any sharing of Personal Data between the parties is made solely for fulfilling a Business Purpose and the Company does not receive or process any Personal Data as consideration for the Services. Thus, such Processing of Personal Data shall not be considered a Sell.
8.1. The Customer acknowledges that the Company may transfer Personal Data to and otherwise interact with third party data processors (“Sub-Processor”). The Customer hereby authorizes the Company to engage and appoint such Sub-Processors to Process Personal Data, and permits each Sub-Processor to appoint a Sub-Processor on its behalf. The Company may continue to use those Sub-Processors already engaged by the Company, as listed in Schedule III, and the Company may engage an additional or replace an existing Sub-Processor to process Personal Data subject to providing 30 days’ prior notice to the Customer. In case the Customer has not objected to the addition or replacement of a Sub-Processor, such Sub-Processor shall be considered approved by the Customer. In the event the Customer objects, its sole remedy is to terminate the Agreement.
8.2. The Company shall, where it engages any Sub-Processor, impose on the Sub-Processor, through a legally binding contract between the Company and the Sub-Processor, data protection obligations no less onerous than those set out in this DPA. The Company shall ensure that such contract will require the Sub-Processor to provide sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of Data Protection Law. Company shall, upon written request by the Customer, provide the Customer with such Sub-Processor’s agreement and any subsequent amendments. To the extent necessary to protect business secrets or other confidential information, including personal data, as shall be determined in Company’s sole discretion, Company may redact the text of the agreement prior to sharing the copy with the Customer.
8.3. The Company shall remain fully responsible to the Customer for the performance of the Sub-Processor’s obligations in accordance with its contract with the Company. The Company shall notify the Customer of any failure by the Sub-Processor to fulfil its contractual obligations.
9. TECHNICAL AND ORGANIZATIONAL MEASURES
9.1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, and without prejudice to any other security standards agreed upon by the parties, Company shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk and in accordance with best industry practices to protect data from a Security Incident. The parties acknowledge that security requirements are constantly changing and that effective security requires frequent evaluation and regular improvement of outdated security measures. The technical and organizational measures implemented by Company (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons, are according to the System and Organization Controls 2 (SOC 2) industry standard. Upon Customer request and subject to Customer’s confidentiality undertaking, Company shall provide the Customer with the Company’s SOC 2 reports. For more information regarding SOC 2, please see our SOC 2 webpage here.
9.2. The security measures are further detailed in Schedule II.
10. SECURITY INCIDENT
10.1. The Company will notify the Customer upon becoming aware of any confirmed Security Incident involving the Customer Data in the Company’s possession or control, as determined by the Company in its sole discretion. The Company will, in connection with any Security Incident affecting the Customer Data: (i) quickly and without delay, take such steps as are necessary to contain, remediate, minimize any effects of and investigate any Security Incident and to identify its cause; (ii) co-operate with the Customer and provide the Customer with such assistance and information as it may reasonably require in connection with the containment, investigation, remediation or mitigation of the Security Incident; (iii) notify the Customer in writing of any request, inspection, audit or investigation by a supervisory authority or other authority; (iv) keep the Customer informed of all material developments in connection with the Security Incident and execute a response plan to address the Security Incident; and (v) co-operate with the Customer and assist Customer with the Customer’s obligation to notify affected individuals in the case of Security Incident.
10.2. Company’s notification regarding or response to a Security Incident under this Section 10 shall not be construed as an acknowledgment by the Company of any fault or liability with respect to the Security Incident.
11. AUDIT RIGHTS
11.1. Company shall deal promptly and adequately with inquiries from the Customer about the processing of data in accordance with this DPA, and shall further make available to the Customer all information necessary to demonstrate compliance with the obligations under the EU Data Protection Laws.
11.2. The Company shall make available, solely upon prior written notice and no more than once per year, unless in the event of a Security Incident, to a reputable auditor nominated by the Customer, information necessary to reasonably demonstrate compliance with this DPA, and shall allow for audits, including inspections, by such reputable auditor solely in relation to the Processing of the Customer Data (“Audit”) in accordance with the terms and conditions hereunder. The Audit shall be subject to the terms of this DPA and standard confidentiality obligations (including towards third parties). The Company may object to an auditor appointed by the Customer in the event the Company reasonably believes the auditor is not suitably qualified or independent, is a competitor of the Company or otherwise unsuitable (“Objection Notice”). The Customer will appoint a different auditor or conduct the Audit itself upon its receipt of an Objection Notice from the Company. Customer shall bear all expenses related to the Audit and shall (and ensure that each of its auditors shall) over the course of such Audit, avoid causing any damage, injury or disruption to the Company’s premises, equipment, personnel and business. Any and all conclusions of such Audit shall be confidential and reported back to the Company immediately.
12. DATA TRANSFER
12.1. The Customer acknowledges and agrees that, in order to be provided with the Services, the parties shall transfer, and Company may access and Process, the Personal Data from territories which are not part of the EEA, including countries which the European Commission has not decided as providing adequate protection or which are not exempt under Article 49 of the GDPR (“Restricted Transfer”), in which case the following shall apply:
12.1.1. In order to maintain the integrity, security and confidentiality of the Personal Data, such transfer shall be subject, in addition to the terms of this DPA, to the terms and obligations of the Module II of the Standard Contractual Clauses (which may be found here) in which event Company shall be deemed as the Data Importer and the Customer shall be deemed as the Data Exporter.
12.1.2. The purpose and description of the transfer shall be detailed in ANNEX I.
12.2. The Customer further agrees that where Company engages a Sub-Processor, in accordance with Section 8 above for carrying out specific processing activities (on behalf of the Customer) and those processing activities involve a transfer of Personal Data within the meaning of Chapter V of the GDPR, Company and the Sub-Processor can ensure compliance with Chapter V of GDPR by using Standard Contractual Clauses in which event Company shall be deemed as the Data Exporter and the Sub-Processor shall be deemed as the Data Importer. For the purposes of such engagement, Company and the Sub-Processor will enter into Module III of the Standard Contractual Clauses.
12.3. The Company agrees to submit itself to the jurisdiction of and cooperate with the competent supervisory authority in any procedures aimed at ensuring compliance with these Standard Contractual Clauses. Subject to Clause 13 of the Standard Contractual Clauses the jurisdiction of the competent supervisory authority shall be either in the jurisdiction of the lead supervisory authority or the EU representative or an EU establishment. Further, subject to Clause 17 the Standard Contractual Clauses shall be governed by the law of the EU Member State in which the Customer is established. Notwithstanding the above, subject to Clause 18 the Data Subject may also bring legal proceedings against the parties before the courts of the Member State in which he/she has his/her habitual residence.
12.4. Specifically, EU-US Transfers: Following Schrems II, Case No. C-311/18, and related guidance from Supervisory Authorities, the parties acknowledge that supplemental measures may be needed with respect to EU-U.S. data transfers where Personal Data of the Customer may be Processed in the US. The Customer acknowledges and warrants that Customer’s EU operations involve merely ordinary commercial services, and that any EU-U.S. transfers of Personal Data contemplated by this DPA involve ordinary commercial information, which is not the type of data that is of interest to, or generally subject to, surveillance by U.S. intelligence agencies. Accordingly, the Company acknowledges that it will not provide access to Customer’s Personal Data to any US government or intelligence agency, except where, in Company’s sole discretion and on legal counsel’s advice, it is necessary under US law or a valid and binding order of a government authority (such as pursuant to a court order). In any such case, the Company will attempt to redirect the law enforcement agency to request the data directly from the Customer. Unless the Company is legally prohibited from doing so, in any such case the Company will: (1) give the Customer notice of the demand no later than five (7) days after such demand is received, to allow the Customer to seek recourse or other appropriate remedy to adequately protect the privacy of EEA Data Subjects; and (2) in any event, provide access only to such of the Customer’s Personal Data as is strictly required by the relevant law or binding order (having used reasonable efforts to minimize and limit the scope of any such access), as determined solely by Company’s legal advisors.
In the event of a conflict between the terms and conditions of this DPA and the Agreement, this DPA shall prevail. Except as set forth herein all of the terms and conditions of the Agreement shall remain in full force and effect.
14. TERM & TERMINATION
14.1. This DPA shall be effective as of the Effective Date and shall remain in force until the Agreement terminates. Notwithstanding anything to the contrary in this DPA, the Customer shall be entitled to terminate the DPA if: (i) the processing of the Customer’s Personal Data by Company has been suspended by the Customer in the event that Company is in breach of its obligations under this DPA, and compliance with this DPA is not restored within a reasonable time and in any event within one month following a written notice to Company; (ii) Company is in substantial or persistent breach of this DPA or its obligations under the GDPR; or (iii) Company fails to comply with a binding decision of a competent court or the competent supervisory authority/ies regarding its obligations pursuant to this DPA or the GDPR.
14.2. Company shall be entitled to terminate this DPA and the Agreement in case Company believes that the processing of personal data under this DPA infringes applicable legal requirements, after having informed the Customer that its instructions infringe such requirements.
14.3. Following termination of this DPA, Company shall, at the choice of the Customer, delete all of the Customer’s Personal Data processed on behalf of the Customer and certify to the Customer that it has done so, or return all of the Customer’s Personal Data to the Customer and delete existing copies, unless applicable law or regulation requires storage of the Customer’s Personal Data. Until the data is deleted or returned, Company shall continue to ensure compliance with this DPA.
DETAILS OF PROCESSING OF CONTROLLER PERSONAL DATA
This Schedule I includes certain details of the Processing of Personal Data as required by Article 28(3) GDPR and details of transferring Personal Data subject to the Standard Contractual Clauses.
Categories of data subjects whose personal data is processed or transferred:
Subject to Customer’s discretion; the Company as a cloud provider solely stores the data without knowledge of the data uploaded.
Categories of personal data processed and transferred:
Subject to Customer’s discretion; the Company as a cloud provider solely stores the data without knowledge of the data uploaded.
Sensitive data processed or transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measure:
Subject to Customer’s discretion; the Company as a cloud provider solely stores the data without knowledge of the data uploaded.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
Nature of the processing and transferring:
Storage and cloud management services, as applicable
Purpose(s) for which the personal data is processed or transferred on behalf of the controller:
Providing the data exporter with the services
Duration of the processing:
As determined by the data exporter or the data exporter’s customers (i.e., the controller)
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing
The sub-processors are hosting services and storage providers; all of the above is applicable to the sub-processors.
TECHNICAL AND ORGANISATIONAL MEASURES
Description of the technical and organisational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons:
Access to ScyllaDB’s database is highly restricted in order to ensure that only the relevant personnel who have received prior approval can access the database. ScyllaDB has also implemented appropriate safeguards related to remote access and wireless computing capabilities. Employees are assigned private passwords that allow access to or use of Personal Data strictly in accordance with such employee’s position, and solely to the extent such access or use is required. There is constant monitoring of access to the Personal Data and of the passwords used to gain access. ScyllaDB uses automated tools to identify non-human login attempts and rate-limits login attempts to minimize the risk of a brute force attack.
Data Access Control
User authentication measures have been put in place in order to ensure that access to Personal Data is restricted solely to those employees who have been given permission to access it, and to ensure that Personal Data is not accessed, modified, copied, used, transferred or deleted without specific authorization for such actions. Any access to Personal Data, as well as any action performed involving the use of Personal Data, requires a user name and password, which is routinely changed, as well as blocked when applicable. Each employee is able to perform actions solely in accordance with the permissions granted to them by ScyllaDB. Furthermore, ScyllaDB conducts ongoing reviews of the employees who have been given authorization to access Personal Data, in order to assess whether such access is still required. ScyllaDB revokes access to Personal Data immediately upon termination of employment. Authorized individuals can only access Personal Data located in their individual profiles.
Organizational and Operational Security
ScyllaDB puts significant effort and resources into ensuring that ScyllaDB’s security policies and practices are complied with, including by continuously providing employees with training with respect to such security policies and practices. ScyllaDB strives to raise awareness regarding the risks involved in the processing of Personal Data. In addition, ScyllaDB has implemented applicable safeguards for its hardware and software, including by installing firewalls and anti-virus software on applicable ScyllaDB hardware and software, in order to protect against malicious software.
ScyllaDB maintains backup policies and associated measures. Such backup policies include permanent monitoring of operational parameters relevant to the backup operations. Furthermore, ScyllaDB’s servers include an automated backup procedure. ScyllaDB also conducts regular controls of the condition and labelling of data storage devices for data security. ScyllaDB ensures that regular checks are carried out to determine whether the backup can be restored, as required and applicable.
Physical Access Control
ScyllaDB recognizes the significance of physical security controls as a key component in its overall security program. Physical access methods, procedures and controls have been implemented to help prevent unauthorized access to data, assets and restricted areas. Processes are in place to remove access to physical resources when an individual no longer requires access.
In addition, ScyllaDB does not hold any customer data or personal information on site. Physical access to the ScyllaDB office does not provide any privileges to the production environment.
External penetration tests are performed on an annual basis. The penetration tests include, among others, procedures to prevent customers, groups of individuals, or other entities from accessing confidential information other than their own. The penetration tests and security scans are performed by a reputable third-party vendor. In addition, ScyllaDB conducts vulnerability scans designed to identify potential vulnerabilities or misconfigurations on a periodic basis and after any significant change in the environment. Actions are taken to remediate identified deficiencies on a timely basis. Vulnerability scans are performed using external tools, in order to detect potential security breaches.
Scylla implements encryption at rest of customer data as well as encryption in transit of all communication between client and service, and of communication between elements within the services.
In some cases, encryption is based on the underlying cloud provider’s services; in some cases it is implemented as part of Scylla Enterprise. Encryption between ScyllaDB customers and the ScyllaDB application is enabled using an HTTPS authenticated tunnel with a minimum of TLS 1.2.
Compliance and Certification
Scylla operations, policies and procedures are audited regularly to ensure Scylla meets all standards expected of a cloud system provider. Compliance certifications and attestations are assessed by a third-party, independent auditor and result in a certification, audit report, or attestation of compliance. Scylla’s systems and Services have been audited and verified under such compliance certification. Scylla Cloud System and Organization Controls (SOC) reports may be provided upon customer request and subject to a confidentiality undertaking by the Customer.
Description of the processing