Last modified: November 4, 2020
This Data Processing Agreement (“DPA”) is hereby entered into by and between ScyllaDB Inc. or Scylla DB, Ltd., as applicable (collectively, “Company”) and the Customer (each a “party” and collectively, the “parties”), and is an integral part of the agreement executed between the parties (“Agreement”). This DPA shall only apply to the extent that: (i) EU Data Protection Law (as defined below) applies to the Processing (as defined below) of Personal Data (as defined below) under the Agreement, including in the event that: (a) the Processing is in the context of the activities of an establishment of either party in the European Economic Area (“EEA”); or (b) the Personal Data relates to Data Subjects who are in the EEA and the Processing relates to the offering to them of goods or services or the monitoring of their behavior in the EEA by or on behalf of a party; or (ii) the Personal Data relates to California Consumers, as defined below. Furthermore, this DPA shall only apply to the Processing of Personal Data and shall not apply to information a party may collect or provide to the other party which does not constitute or contain Personal Data, such as anonymized, aggregated or statistical data. Capitalized terms used but not defined herein shall have the meaning ascribed to them in the Agreement.
1. DEFINITIONS
1.1. “CCPA” means the California Consumer Privacy Act of 2018, Cal. Civ. Code §§ 1798.100 et seq.
1.2. “Data Protection Law” means any and all applicable privacy and data protection laws and regulations (including, where applicable, EU Data Protection Law and the CCPA) as may be amended or superseded from time to time.
1.3. “Controller”, “Processor”, “Data Subject”, “Personal Data”, “Processing” (and “Process”), “Personal Data Breach” and “Special Categories of Personal Data” shall all have the meanings given to them in EU Data Protection Law. The terms “Business”, “Business Purpose”, “Consumer”, “California Consumer”, “Service Provider” and “Sell” shall have the same meaning as ascribed to them in the CCPA. “Data Subject” shall also mean and refer to “Consumer”, as such term is defined in the CCPA. “Personal Data” shall also mean and refer to “Personal Information”, as such term is defined in the CCPA.
1.4. “EU Data Protection Law” means (i) the EU General Data Protection Regulation (Regulation 2016/679) (“GDPR”); (ii) the EU e-Privacy Directive (Directive 2002/58/EC), as amended (“e-Privacy Law”); (iii) any national data protection laws made under, pursuant to, replacing or succeeding (i) and (ii); and (iv) any legislation replacing or updating any of the foregoing.
1.5. “Security Incident” means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data of the other party. For the avoidance of doubt, any Personal Data Breach of the other party’s Personal Data will comprise a Security Incident.
1.6. “Customer Data” means any and all Personal Data uploaded by the Customer to the Services, including Customer’s suppliers’ names, contact details, etc.
2. RELATIONSHIP OF THE PARTIES
The parties acknowledge that in relation to all Customer Data, as between the parties, Customer is the Controller of Customer Data, and that the Company, in providing the Services is acting as a Processor on behalf of the Customer. For the purpose of the CCPA (and to the extent applicable), Customer is the Business and the Company is the Service Provider.
3. REPRESENTATIONS AND WARRANTIES
The Customer represents and warrants that: (a) its Processing instructions shall comply with applicable Data Protection Law, and the Customer acknowledges that, taking into account the nature of the Processing, the Company is not in a position to determine whether the Customer’s instructions infringe applicable Data Protection Law; and (b) it will comply with EU Data Protection Law, specifically with regard to the lawful basis principle for Processing Personal Data, as well as the CCPA provisions. The Company represents and warrants that it shall Process Personal Data, as set forth under Article 28(3) of the GDPR, on behalf of the Customer, solely for the purpose of providing the Service, and for the pursuit of a Business Purpose as set forth under the CCPA, all in accordance with the Customer’s written instructions, including the Agreement and this DPA. Notwithstanding the above, in the event the Company is required under applicable laws to Process Customer Data other than as instructed by the Customer, the Company shall make its best efforts to inform the Customer of such requirement prior to Processing such Customer Data, unless prohibited under applicable law.
4. PROCESSING OF PERSONAL DATA AND COMPLIANCE WITH DATA PROTECTION LAW
As between the parties, the Customer undertakes, accepts and agrees that the Company and the Data Subject do not have a direct relationship. The Customer shall ensure that it obtains a proper affirmative act of consent from Data Subjects where required in accordance with applicable Data Protection Law, and provides any other relevant notices and satisfies any other privacy requirements, in order to Process Personal Data as set out herein and for the transfer of Personal Data, where applicable.
The subject-matter and duration of the Processing carried out by the Company on behalf of the Customer, the nature and purpose of the Processing, the type of Personal Data and categories of Data Subjects are described in Annex I attached hereto.
5. RIGHTS OF DATA SUBJECT AND PARTIES COOPERATION OBLIGATIONS
It is agreed that, where the Company receives a request from a Data Subject or an applicable authority in respect of Personal Data Processed by the Company, the Company will, where relevant, direct the Data Subject or the applicable authority to the Customer in order to enable the Customer to respond directly to the Data Subject’s or the applicable authority’s request, unless otherwise required under applicable laws. Both parties shall provide each other with commercially reasonable cooperation and assistance in relation to the handling of a Data Subject’s or applicable authority’s request, to the extent permitted under Data Protection Law.
6. NO SALE OF PERSONAL INFORMATION
It is hereby agreed that any sharing of Personal Data between the parties is made solely for fulfilling a Business Purpose and the Company does not receive or Process any Personal Data as consideration for the Services. Thus, such Processing of Personal Data shall not be considered a Sell.
7. SUB-PROCESSORS
The Customer acknowledges that the Company may transfer Personal Data to and otherwise interact with third party data processors (“Sub-Processor”). The Customer hereby authorizes the Company to engage and appoint such Sub-Processors to Process Personal Data, and permits each Sub-Processor to appoint a Sub-Processor on its behalf. The Company may continue to use those Sub-Processors already engaged by the Company, and the Company may engage an additional or replace an existing Sub-Processor to Process Personal Data provided that it notifies the Customer of its intention to do so. The Company shall, where it engages any Sub-Processor, impose, through a legally binding contract between the Company and the Sub-Processor, data protection obligations no less onerous than those set out in this DPA on the Sub-Processor. The Company shall ensure that such contract will require the Sub-Processor to provide sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the Processing will meet the requirements of the GDPR.
8. TECHNICAL AND ORGANIZATIONAL MEASURES
The Company hereby confirms that it has implemented and will maintain appropriate physical, technical and organizational measures to protect the Customer Data as required under Data Protection Law, and in any event the security measures shall be at least at the same level as those of the Customer, to ensure lawful Processing of Customer Data and to safeguard Customer Data from unauthorized, unlawful or accidental Processing, access, disclosure, loss, alteration or destruction.
9. SECURITY INCIDENT
The Company will notify the Customer upon becoming aware of any confirmed Security Incident involving the Customer Data in the Company’s possession or control, as determined by the Company in its sole discretion. The Company’s notification regarding or response to a Security Incident under this Section 9 shall not be construed as an acknowledgment by the Company of any fault or liability with respect to the Security Incident. The Company will, in connection with any Security Incident affecting the Customer Data: (i) promptly and without undue delay, take such steps as are necessary to contain, remediate, minimize any effects of and investigate any Security Incident and to identify its cause; (ii) cooperate with the Customer and provide the Customer with such assistance and information as it may reasonably require in connection with the containment, investigation, remediation or mitigation of the Security Incident; and (iii) notify the Customer in writing of any request, inspection, audit or investigation by a supervisory authority or other authority.
10. AUDIT RIGHTS
The Company shall make available, solely upon prior written notice and no more than once per year, to a reputable auditor nominated by the Customer, information necessary to reasonably demonstrate compliance with this DPA, and shall allow for audits, including inspections, by such reputable auditor solely in relation to the Processing of the Customer Data (“Audit”) in accordance with the terms and conditions hereunder. The Audit shall be subject to the terms of this DPA and standard confidentiality obligations (including towards third parties). The Company may object to an auditor appointed by the Customer in the event the Company reasonably believes the auditor is not suitably qualified or independent, is a competitor of the Company or is otherwise unsuitable (“Objection Notice”). The Customer will appoint a different auditor or conduct the Audit itself upon its receipt of an Objection Notice from the Company. The Customer shall bear all expenses related to the Audit and shall (and shall ensure that each of its auditors shall), over the course of such Audit, avoid causing any damage, injury or disruption to the Company’s premises, equipment, personnel and business. Any and all conclusions of such Audit shall be confidential and reported back to the Company immediately.
11. DATA TRANSFER
Where EU Data Protection Law applies, neither party shall transfer Personal Data to a territory outside of the EEA unless it has taken the following necessary measures to ensure the transfer is in compliance with EU Data Protection Law: (i) transferring the Personal Data to a recipient in a country that the European Commission has decided provides adequate protection for Personal Data; or (ii) transferring the Personal Data in accordance with the provisions of the EU standard contractual clauses, attached hereto as Annex II and available at https://www.scylladb.com/SCC/ (“SCC”).
12. CONFLICT
In the event of a conflict between the terms and conditions of this DPA and the Agreement, this DPA shall prevail. Except as set forth herein, all of the terms and conditions of the Agreement shall remain in full force and effect.
13. TERM & TERMINATION
This DPA shall be effective as of the Effective Date and shall remain in force until the Agreement terminates.
ANNEX I – Details of Processing of Controller Personal Data
This Annex I includes certain details of the Processing of Personal Data as required by Article 28(3) GDPR.
Subject matter and duration of the Processing of Personal Data:
Processing shall be carried out in connection with the provision of the Services. The duration shall be for the duration of the Term.
The nature and purpose of the Processing of Personal Data:
To provide the Services to the Customer.
The types of Personal Data and Special Categories of Personal Data Processed:
As provided by the Customer.
The categories of Data Subjects to whom the Personal Data or Special Categories of Personal Data relates:
Data Subjects whose Personal Data are being processed in connection with the Services.