Data Processing Agreement

This Data Processing Agreement (“DPA”) executed by and between ScyllaDB Inc its parent company ScyllaDB Ltd., its subsidiaries and affiliates (collectively “Company” or “ScyllaDB”) and the Customer. Each a “party” and collectively, the “parties”, and is an integral part of the agreement executed between the parties (“Agreement”). Capitalized terms not defined herein shall have the respective meanings given to them in the Agreement. This DPA sets forth the parties’ responsibilities and obligations regarding the Processing of Personal Data during the course of the engagement between the parties.

WHEREAS, ScyllaDB, provides the Customer with a NoSQL solutions for organizations and cloud services for establishing the entire Customer’s database infrastructure (“Services”);

WHEREAS, the Services may require ScyllaDB to Process Personal Data (as such terms are defined below) on the Customer’s behalf subject to the terms and conditions of this DPA; and

WHEREAS, the parties desire to supplement this DPA to achieve compliance with the UK, EU, Swiss, United States and other data protection laws and agree on the following:

1. APPLICATION OF THE DPA

1.1. This DPA reflect the parties’ agreement on the processing of Personal Data in connection with the Services and the Agreement and in accordance with Data Protection Laws. This DPA will only apply to the extent: (i) ScyllaDB processes Personal Data that is made available, directly or indirectly, by Customer (or on its behalf) in connection with the Services and the Agreement; and (ii) Data Protection Laws apply to the processing of Personal Data.

1.2. In the event of a conflict between the terms and conditions of this DPA and the Agreement, this DPA shall prevail. For the avoidance of doubt, in the event Standard Contractual Clauses have been executed between the parties, the terms of the Standard Contractual Clauses shall prevail over those of this DPA.

The following description reviews the technical and organizational measures implemented by ScyllaDB as the data importer to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.

The security objectives of ScyllaDB are identified and managed to maintain a high level of security and consists of the following (concerning all data assets and systems):

Availability – information and associated assets should be accessible to authorized users when required. The computer network must be resilient. ScyllaDB will detect and respond rapidly to incidents (such as viruses and other malware) that threaten the continued availability of assets, systems, and information.

Confidentiality – ensuring that information is only accessible to those authorized to access it, on a need-to-know-basis.

Integrity – safeguarding the accuracy and completeness of information and processing methods and therefore requires preventing deliberate or accidental, partial or complete, destruction, or unauthorized modification, of electronic data.

Description of the technical and organizational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons:

System Control

Access to the ScyllaDB’s database is highly restricted in order to ensure that only the relevant personnel who have received prior approval can access the database. ScyllaDB’s has also implemented appropriate safeguards related to remote access and wireless computing capabilities. Employees are assigned private passwords that allow strict access or use to Personal Data, all in accordance with such employee’s position, and solely to the extent such access or use is required. There is constant monitoring of access to the Personal Data and the passwords used to gain access. ScyllaDB is using automated tools to identify non-human login attempts and rate-limiting login attempts to minimize the risk of a brute force attack.

Data Access Control

User authentication measures have been put in place in order to ensure that access to Personal Data is restricted solely to those employees who have been given permission to access it and to ensure that the Personal Data is not accessed, modified, copied, used, transferred or deleted without specific authorization for such actions to be done. Any access to Personal Data, as well as any action performed involving the use of Personal Data requires a password and user name, which is routinely changed, as well as blocked when applicable. Each employee is able to perform actions solely in accordance with the permissions granted to him by ScyllaDB. Furthermore, ScyllaDB conducts ongoing reviews of the employees who have been given authorization to access Personal Data, in order to assess whether such access is still required. ScyllaDB revokes access to Personal Data immediately upon termination of employment. Authorized individuals can only access Personal Data that are located in their individual profiles.

Organizational and Operational Security

ScyllaDB puts a lot of effort and invests a lot of resources into ensuring that ScyllaDB’s security policies and practices are being complied with, including by continuously providing employees with training with respect to such security policies and practices. ScyllaDB strives to raise awareness regarding the risks involved in the processing of Personal Data. In addition, ScyllaDB has implemented applicable safeguards for its hardware and software, including by installing firewalls and anti-virus software on applicable ScyllaDB hardware and software, in order to protect against malicious software.

Availability Control

ScyllaDB maintains backup policies and associated measures. Such backup policies include permanent monitoring of operational parameters as relevant to the backup operations. Furthermore, ScyllaDB’s servers include an automated backup procedure. ScyllaDB also conducts regular controls of the condition and labelling of data storage devices for data security. ScyllaDB ensures that regular checks are carried out to determine whether it is possible to undo the backup, as required and applicable.

Physical Access Control

ScyllaDB recognizes the significance of physical security controls as a key component in its overall security program. Physical access methods, procedures and controls have been implemented to help prevent unauthorized access to data, assets and restricted areas. Processes are in place to remove access to physical resources when an individual no longer requires access.

In addition, ScyllaDB does not hold any customer data or personal info on site. Physical Access to ScyllaDB office does not provide any privileges to the production environment.

Penetration Testing

External penetration test is performed on an annual basis. The penetration tests include, among others, procedures to prevent customers, groups of individuals, or other entities from accessing confidential information other than their own. The penetration tests and security scans are performed by a reputable Third-party vendor. In addition, ScyllaDB conducts vulnerability scans designed to identify potential vulnerabilities or misconfigurations on a periodic basis and after any significant change in the environment. Actions are taken to remediate identified deficiencies on a timely basis. Vulnerability scans is performed using external tools, in order to detect potential security breaches

Encryption

ScyllaDB Implements Encryption at rest of customer data as well as encryption in transit of all communication between client and service, as well as communication between elements in the services.

In some cases, encryption is based on underline cloud provider services, in some cases it is implemented as part of ScyllaDB Enterprise. Encryption between ScyllaDB customers and the ScyllaDB application is enabled using a minimum HTTPS TLS 1.2 authenticated tunnel.

Compliance and Certification

ScyllaDB operations, policies and procedures are audited regularly to ensure ScyllaDB meets all standards expected as a cloud system provider. Compliance certifications and attestations are assessed by a third-party, independent auditor and result in a certification, audit report, or attestation of compliance. ScyllaDB’s systems and Services were audited and verified by such compliance certification. ScyllaDB is SOC2 certified, as well as ISO 27001:2013, ISO 27017:2015 and ISO 27018:2019.

Such certifications and audits are meant to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons are according to the System and Organization Controls 2 (SOC2) industry standard as well as ISO 27001:2013, ISO 27017:2015 and ISO 27018:2019. Upon Customer request and subject to Customer’s confidentiality undertaking ScyllaDB shall provide with the Customer with the SOC2 reports or executive summary of the ISO 27001:2013, ISO 27017:2015 and ISO 27018:2019 audits.

For more information regarding the SOC2, please see our SOC2 webpage here.

Additional Safeguards

Measures and assurances regarding U.S. government surveillance (“Additional Safeguards”) have been implemented due to the EU Court of Justice Case C-311/18, Data Protection Commissioner Vs. Facebook Ireland Limited and Maximillian Schrems decision (“Schrems II”), these measures include the following:

• encryption both in transit and at rest;
• As of the date included in the “Last Updated” header above, ScyllaDB has not received any national security orders of the type described in Paragraphs 150-202 of the Schrems II decision.
• No court has found ScyllaDB to be the type of entity eligible to receive process issued under FISA Section 702: (i) an “electronic communication service provider” within the meaning of 50 U.S.C § 1881(b)(4) or (ii) a member of any of the categories of entities described within that definition.
• ScyllaDB will not comply with any request under FISA for bulk surveillance, i.e., a surveillance demand whereby a targeted account identifier is not identified via a specific “targeted selector” (an identifier that is unique to the targeted endpoint of communications subject to the surveillance).
• ScyllaDB will use all available legal mechanisms to challenge any demands for data access through any national security process that it receives, as well as any non-disclosure provisions attached thereto.
• ScyllaDB will notify the Customer (if required and as applicable) if it can no longer comply with the Standard Contractual Clauses or these Additional Safeguards, without being required to identify the specific provision with which it can no longer comply.

ANNEX III

LIST OF SUB-PROCESSORS

ANNEX IV

EU INTERNATIONAL TRANSFERS AND SCC

1. The parties agree that the terms of the Standard Contractual Clauses are hereby incorporated by reference and shall apply to transfer of Personal Data from the EEA to other countries that are not deemed as Adequate Countries.

2. Module Two (Controller to Processor) of the Standard Contractual Clauses shall apply where the transfer is effectuated by Customer as the data controller of the Personal Data and ScyllaDB is the data processor of the Personal Data.

3. The Parties agree that for the purpose of transfer of Personal Data between Customer (as Data Exporter) and the ScyllaDB (as Data Importer), the following shall apply:

a) Clause 7 of the Standard Contractual Clauses shall not be applicable.

b) In Clause 9, option 2 (general written authorization) shall apply and the method for appointing and time period for prior notice of Sub-processor changes shall be as set forth in the Sub-Processing Section of the DPA.

c) In Clause 11, the optional language will not apply, and data subjects shall not be able to lodge a complaint with an independent dispute resolution body.

d) In Clause 17, option 1 shall apply. The parties agree that the Standard Contractual Clauses shall be governed by the laws of the EU Member State in which the Customer is established (where applicable).

e) In Clause 18(b) the parties choose the courts of the Republic of Ireland, as their choice of forum and jurisdiction.

4. Annex I.A of the Standard Contractual Clauses shall be completed as follows:

4.a.1. “Data Exporter“: Customer

4.a.2. “Data Importer“: ScyllaDB

4.a.3. Roles: (A) With respect to Module Two: (i) Data Exporter is a data controller and (ii) the Data Importer is a data processor.

4.a.4. Data Exporter and Data Importer Contact details: As detailed in the Agreement.

4.a.5. Signature and Date: By entering into the Agreement and DPA, Data Exporter and Data Importer are deemed to have signed these Standard Contractual Clauses incorporated herein, including their Annexes, as of the Effective Date of the Agreement.

5. Annex I.B of the Standard Contractual Clauses shall be completed as follows:

a) The purpose of the processing, nature of the processing, categories of data subjects, categories of personal data and the parties’ intention with respect to the transfer of special categories are as described in Annex I (Details of Processing) of this DPA.

b) The frequency of the transfer and the retention period of the personal data is as described in Annex I (Details of Processing) of this DPA.

c) The sub-processor which personal data is transferred are listed in Annex III.

6. Annex I.C of the Standard Contractual Clauses shall be completed as follows: the competent supervisory authority in accordance with Clause 13 is the supervisory authority in the Member State stipulated in Section 3 above.

7. Annex II of this DPA (Technical and Organizational Measures) serves as Annex II of the Standard Contractual Clauses.

8. Annex III of this DPA (List of Sub-processors) serves as Annex III of the Standard Contractual Clauses.

9. Transfers to the US: Measures and assurances regarding US government surveillance (“Additional Safeguards”) are further detailed in Annex II, as well as:

ScyllaDB agrees and hereby represents it maintains, and will continue to maintain, the following additional safeguards in connection with any Personal Data transferred under this Annex IV:

a) ScyllaDB maintains industry standard measures to protect the Personal Data from interception (including in transit from Customer to ScyllaDB and between different systems and services). This includes maintaining encryption of Personal Data in transit and at rest.

b) ScyllaDB will make reasonable efforts to resist, subject to applicable laws, any request for bulk surveillance relating to the Personal Data protected under the GDPR or the UK GDPR, including (if applicable) under section 702 of the United States Foreign Intelligence Surveillance Court (“FISA”).

c) If ScyllaDB becomes aware of any law enforcement agency or other governmental authority (“Authority”) attempt or demand to gain access to or a copy of the Personal Data (or part thereof), whether on a voluntary or a mandatory basis, then, unless legally prohibited or under a mandatory legal compulsion that requires otherwise, ScyllaDB shall: inform the relevant Authority that ScyllaDB is a Processor of the Personal Data and that Customer, as the Controller has not authorized ScyllaDB to disclose the Personal Data to the Authority; inform the relevant Authority that any and all requests or demands for access to the Personal Data should be directed to or served upon Customer in writing; and use reasonable legal mechanisms to challenge any such demand for access to Personal Data which is under the ScyllaDB’s control.

d) Notwithstanding the above, if, taking into account the nature, scope, context and purposes of the related Authority’s intended access to Personal Data, ScyllaDB has a reasonable and good-faith belief that urgent access is necessary to prevent an imminent risk of serious harm to any individual or entity, these subsections shall not apply. In such event, ScyllaDB shall notify Customer, as soon as possible, following the access by the Authority, and provide Customer with relevant details, unless and to the extent legally prohibited to do so.

ScyllaDB will inform Customer, upon written request (and not more than once a year), of the types of binding legal demands for Personal Data ScyllaDB has received and complied with, including demands under national security orders and directives, specifically including any process under Section 702 of FISA.

ANNEX V

UK INTERNATIONAL TRANSFERS AND SCC

1. The parties agree that the terms of the Standard Contractual Clauses as amended by the UK Standard Contractual Clauses, and as amended in this Annex V, are hereby incorporated by reference and shall apply to transfer of Personal Data from the UK to other countries that are not deemed as Adequate Countries.

2. This Annex V is intended to provide appropriate safeguards for the purposes of transfers of Personal Data to a third country in reliance on Article 46 of the UK GDPR and with respect to data transfers from controllers to processors or from the processor to its sub-processors.

3. Terms used in this Annex V that are defined in the Standard Contractual Clauses, shall have the same meaning as in the Standard Contractual Clauses.

4. This Annex V shall (i) be read and interpreted in the light of the provisions of UK Data Protection Laws, and so that if fulfils the intention for it to provide the appropriate safeguards as required by Article 46 of the UK GDPR, and (ii) not be interpreted in a way that conflicts with rights and obligations provided for in UK Data Protection Laws.

5. Amendments to the UK Standard Contractual Clauses:

5.1. Part 1: Tables

5.1.1. Table 1 Parties: shall be completed as set forth in Section 4 within Annex IV above.

5.1.2. Table 2 Selected SCCs, Modules and Selected Clauses: shall be completed as set forth in Section 2 and 3 within Annex IV above.

5.1.3. Table 3 Appendix Information:

Annex 1A: List of Parties: shall be completed as set forth in Section 2 within Annex IV above.

Annex 1B: Description of Transfer: shall be completed as set forth in Annex I above.

Annex II: Technical and organizational measures including technical and organizational measures to ensure the security of the data: shall be completed as set forth in Annex II above.

Annex III: List of Sub processors: shall be completed as set forth in Annex III above.

5.1.4. Table 4 Ending this Addendum when the Approved Addendum Changes: shall be completed as “neither party”.

ANNEX VI

SUPPLEMENTARY TERMS FOR SWISS DATA PROTECTION LAW TRANSFERS ONLY

The following terms supplement the Clauses only if and to the extent the Clauses apply with respect to data transfers subject to Swiss Data Protection Law, and specifically the FDPA:

• • The term ’Member State’ will be interpreted in such a way as to allow data subjects in Switzerland to exercise their rights under the Clauses in their place of habitual residence (Switzerland) in accordance with Clause 18(c) of the Clauses.
  • The clauses in the DPA protect the Personal Data of legal entities until the entry into force of the Revised Swiss FDPA.
  • All references in this DPA to the GDPR should be understood as references to the FDPA insofar as the data transfers are subject to the FDPA.
  • References to the “competent supervisory authority”, “competent courts” and “governing law” shall be interpreted as Swiss Data Protection Laws and Swiss Information Commissioner, the competent courts in Switzerland, and the laws of Switzerland (for Restricted Transfers from Switzerland).
  • In respect of data transfers governed by Swiss Data Protection Laws and Regulations, the EU SCCs will also apply to the transfer of information relating to an identified or identifiable legal entity where such information is protected similarly as Personal Data under Swiss Data Protection Laws and Regulations until such laws are amended to no longer apply to a legal entity.
  • The competent supervisory authority is the Swiss Federal Data Protection Information Commissioner.

ANNEX VII

CCPA ADDENDUM

In addition to the requirements set forth under the DPA, which shall apply to the collection, processing, use, sharing, sale, and retention of California residents’ Personal Information, the obligations set forth under this addendum (“CCPA Addendum”) shall further apply. All terms used but not defined in this CCPA Addendum shall have the meaning set forth in the DPA.

1. For the purpose of the CCPA, Customer is the Business and ScyllaDB is the Service Provider.
2. ScyllaDB shall process Personal Information on behalf of the Customer as a Service Provider under the CCPA and shall not: (1) sell or share the Personal Information; (2) retain, use or disclose the Personal Information for any purpose other than for a Business Purpose as specified in the Agreement; or (3) combine the Personal Information that ScyllaDB receives from, or on behalf of, Customer with other Personal Information that it receives from, or on behalf of, another customer, or collects from its own interaction with California residents, expect as otherwise permitted by the CCPA.
3. ScyllaDB permits Customer to monitor its compliance with the terms of this CCPA Addendum subject to Section 8 in the DPA “Audit Rights”.
4. ScyllaDB agrees to notify the Customer if ScyllaDB makes a determination that it can no longer meet its obligations under this CCPA Addendum or the CCPA requirements.
5. ScyllaDB shall assist Customer in respect of Consumers’ request to limit the use of their Sensitive Personal Information (“SPI”), where and if applicable. ScyllaDB shall provide assistance and procures that its subcontractors will provide assistance as Customer may request, where applicable, in connection with any obligation by Customer to respond to requests for exercising the rights of a Consumer under the CCPA. ScyllaDB shall (a) promptly notify Customer; (b) only act upon the Consumer’s request with the prior written consent of the Customer; and (c) make available to Customer all needed information which is necessary to demonstrate compliance.
6. ScyllaDB acknowledges and confirms that it does not receive or process any Personal Information as consideration for any Services or other items that ScyllaDB provides to Customer under the Agreement.
7. ScyllaDB certifies that it understands the rules, requirements and definitions of the CCPA and agrees to refrain from selling (as such term is defined in the CCPA) any Personal Information under the Agreement.