Last Updated July, 2024
This Data Processing Agreement (“DPA”) forms part of and is governed by the Cloud Service Agreement or any other agreement (“Agreement”) executed by and between ScyllaDB Ltd. and its affiliates (collectively “ScyllaDB”) and the Customer (“Customer”). ScyllaDB and Customer shall each be referred to as “party” and collectively as “parties”.
All capitalized terms not defined herein shall have the meaning set forth in the Agreement or under the applicable Data Protection Laws (as defined below).
The parties have agreed to enter this DPA to address the compliance obligations imposed upon the parties pursuant to Data Protection Laws. Therefore, this DPA sets forth the parties’ responsibilities and obligations regarding the Processing of Personal Data through the course of the Services.
1.2. The terms “Business”, “Business Purpose”, “Consumer”, “Controller”, “Data Subject”, “Personal Data”, “Personal Information”, “Personal Data Breach”, “Processing” (and “Process”), “Processor”, “Sensitive Data”, “Service Provider”, “Sale” (or “Sell”) and “Share”, “Special Categories of Personal Data” and “Supervisory Authority” shall all have the same meanings as ascribed to them under applicable Data Protection Laws. Further, under this DPA: “Data Subject” shall also mean and refer to a “Consumer”, “Personal Data” shall also mean and refer to “Personal Information” and “Special Categories of Data” shall also mean and refer to “Sensitive Data”.
1.4. “Data Protection Law” means any and all applicable privacy and data protection laws and regulations (including, where applicable, European Data Protection Laws, the US Data Protection Laws and India Data Protection Laws) as may be amended or superseded from time to time.
1.5. “European Data Protection Law” means the (i) EU General Data Protection Regulation (Regulation 2016/679) (“EU GDPR”); (ii) Regulation 2018/1725; (iii) e-Privacy Directive (Directive 2002/58/EC), as amended (e-Privacy Law); (iv) any national data protection laws made under, pursuant to, replacing or succeeding (i) and (ii); (v) the Data Protection Act 2018 (DPA 2018), as amended, and the EU GDPR as it forms part of domestic law in the United Kingdom by virtue of section 3 of the European Union (Withdrawal) Act 2018 (“UK GDPR”); (vi) the Swiss Federal Data Protection Act (dated June 19, 1992, as of March 1, 2019) (“FDPA”) as well as the Ordinance on the Federal Act on Data Protection (“FODP”); and (vii) any legislation replacing or updating any of the foregoing; and binding judicial or administrative interpretation of any of the above, or approved certification mechanisms issued by any relevant Supervisory Authority.
1.6. “India Data Protection Laws” means any privacy law effective as of the Effective Date of the Agreement applicable to the Processing of Personal Data of individuals in India, and any legislation replacing or updating such laws, including the Digital Personal Data Protection Act, 2023, as may be amended from time to time.
1.7. “Instructions” means the written, documented instructions issued by the Customer to ScyllaDB directing ScyllaDB to perform a specific or general action with regard to Customer Data (including, but not limited to, instructions to provide the Services under the Agreement and instructions under this DPA).
1.8. “Security Incident” means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Data. Any Personal Data Breach will comprise a Security Incident.
1.9. “Standard Contractual Clauses” or “SCC” mean, collectively and as applicable, the: (i) standard contractual clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council adopted by the European Commission Decision 2021/914 of 4 June 2021, available HERE (“EU SCC”); (ii) the UK “International Data Transfer Addendum to The European Commission Standard Contractual Clauses” available HERE (“UK SCC”); and (iii) the applicable standard data protection clauses issued, approved or recognized by the Swiss Federal Data Protection and Information Commissioner (“Swiss SCC”).
1.10. “US Data Protection Laws” means any U.S. federal and state privacy laws effective as of the Effective Date of the Agreement that apply to ScyllaDB’s Processing of Customer Data, including without limitation the: (i) California Consumer Privacy Act of 2018, including as modified by the California Privacy Rights Act (collectively the “CCPA”); (ii) Colorado Privacy Act (“CPA”); (iii) Connecticut Data Privacy Act (“CDPA”); (iv) Florida Digital Bill of Rights (“FDBR”); (v) Montana Consumer Data Privacy Act (“MTCDPA”); (vi) the Oregon Consumer Data Privacy Act (“OCDPA”); (vii) Texas Data Privacy and Security Act (“TDPSA”); (viii) Utah Consumer Privacy Act (“UCPA”); and (ix) Virginia Consumer Data Protection Act (“VCDPA”), all as amended or superseded from time to time.
2. ROLES AND DETAILS OF PROCESSING
2.1. The parties agree and acknowledge that in the performance of their obligations set forth in the Agreement, and with respect to the Processing of Customer Data, ScyllaDB is acting as a Processor and Customer is acting as a Controller.
2.1.1. For the purpose of the CCPA, ScyllaDB shall Process Customer Data as the Service Provider on behalf of the Customer as the Business and shall not: (i) Sell or Share the Customer Data; (ii) retain, use or disclose the Customer Data for any purpose other than for a Business Purpose specified in the Agreement; or (iii) combine the Customer Data with other Personal Data that it receives from, or on behalf of another customer.
2.1.2. For the purpose of the India Data Protection Laws, ScyllaDB shall Process Customer Data as the Processor on behalf of the Customer as the Data Fiduciary.
2.2. Each party shall be individually and separately responsible for complying with the obligations that apply to such party under applicable Data Protection Law. Without derogating from the generality of the above, the Customer shall be exclusively responsible for ensuring that its Instructions enable the lawful collection and Processing of Customer Data, including obtaining any required consent and providing any required disclosures.
2.3. The subject matter and duration of the Processing carried out by ScyllaDB on behalf of the Customer, the nature and purpose of the Processing, the type of Personal Data and categories of Data Subjects are described in Annex I attached hereto.
3. REPRESENTATIONS AND WARRANTIES
3.1. ScyllaDB represents and warrants that it shall Process Customer Data, on behalf of the Customer, solely for the purpose of providing the Service, all in accordance with Customer’s Instructions. Notwithstanding the above, in the event ScyllaDB is required under applicable laws, including Data Protection Law, to Process Customer Data other than as instructed by Customer, ScyllaDB shall make reasonable efforts to inform the Customer of such requirement prior to Processing such Customer Data, unless prohibited under applicable law.
3.2. ScyllaDB hereby certifies it understands the rules, requirements and definitions under applicable Data Protection Laws.
3.3. ScyllaDB shall inform Customer without undue delay in the event that, according to ScyllaDB’s reasonable discretion, any of Customer’s Instructions infringes applicable laws, and ScyllaDB shall have the right to immediately cease and suspend any such Processing activity related to the infringing Instruction.
3.4. ScyllaDB shall provide reasonable cooperation and assistance to the Customer in ensuring compliance with its obligation to carry out data protection impact assessments and prior consultations with Supervisory Authorities or other competent data privacy authorities to the extent required under applicable Data Protection Laws, provided that ScyllaDB shall only be required to assist as for information which is reasonably available to Customer.
3.5. ScyllaDB shall ensure: (i) the reliability of its staff and any other person acting under its supervision who may come into contact with, or otherwise have access to and Process Customer Data; and (ii) that persons authorized to Process the Customer Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
4. DATA SUBJECTS RIGHTS AND LEGAL REQUEST
4.1. It is agreed that where ScyllaDB receives a request from a Data Subject or an applicable authority in respect of Customer Data, ScyllaDB will notify the Customer of such request promptly and direct the Data Subject or the applicable authority to the Customer in order to enable the Customer to respond directly to the Data Subject’s or the applicable authority’s request, unless otherwise required under applicable laws.
4.2. ScyllaDB shall provide Customer with commercially reasonable cooperation and assistance in relation to the handling of a Data Subject’s or applicable authority’s request, to the extent permitted under Data Protection Law and provided that Customer will reimburse ScyllaDB for such costs arising from the assistance, where the assistance exceeds reasonable commercial efforts and resources.
5. SUB-PROCESSING
5.1. The Customer acknowledges that ScyllaDB may transfer Customer Data to and otherwise interact with third party data Processors (“Sub-Processor”). The Customer hereby authorizes ScyllaDB to engage and appoint such Sub-Processors as listed in Annex III to Process Customer Data, and permits each Sub-Processor to appoint a Sub-Processor on its behalf. ScyllaDB may continue to use those Sub-Processors already engaged by ScyllaDB, as listed in Annex III, or engage an additional or replace an existing Sub-Processor to Process Customer Data, subject to the provision of ten (10) days’ prior notice of its intention to do so to the Customer. In case the Customer has not objected to the addition or replacement of a Sub-Processor within such notice period, such Sub-Processor shall be deemed approved by the Customer. In the event the Customer exercises its objection right within such notice period, ScyllaDB may, at ScyllaDB’s sole discretion, suggest the engagement of a different Sub-Processor for the same course of services, or otherwise terminate the Agreement where the Services cannot be reasonably provided under such circumstances, without liability to Customer.
5.2. ScyllaDB shall, where it engages any Sub-Processor, impose, through a legally binding contract between ScyllaDB and the Sub-Processor, data protection obligations that are no less onerous than, and provide at least the same level of protection as, those set out in this DPA. ScyllaDB shall ensure that such contract will require the Sub-Processor to provide sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the Processing will meet the requirements of Data Protection
5.3. ScyllaDB shall remain responsible to the Customer for the performance of the Sub-Processor’s obligations in accordance with this DPA.
6. TECHNICAL AND ORGANIZATIONAL MEASURES
6.1. Taking into account the state of the art, the costs of implementation and the nature, scope, context, and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, and without prejudice to any other security standards agreed upon by the parties, ScyllaDB hereby confirms that it has implemented and will maintain appropriate physical, technical and organizational measures to protect the Customer Data as required under Data Protection Laws to ensure lawful Processing of Customer Data and safeguard Customer Data from unauthorized, unlawful or accidental processing, access, disclosure, loss, alteration or destruction, as described under Annex II to this DPA, as updated from time to time (provided that any such amendments will not have a material negative effect on the level of protection provided to Customer Data).
7. SECURITY INCIDENT
7.1. ScyllaDB will notify the Customer without undue delay upon becoming aware of any Security Incident involving the Customer Data, and will take reasonably necessary steps to remediate, minimize any effects of and investigate the Security Incident and to identify its cause; co-operate with the Customer and provide the Customer with such reasonable assistance and information in connection with the containment, investigation, remediation or mitigation of the Security Incident and, if applicable, obligation to notify the affected individuals.
7.2. ScyllaDB’s notification or compliance with its obligations under this Section 7 shall not be construed as an acknowledgment by ScyllaDB of any fault or liability with respect to the Security Incident.
8. AUDIT RIGHTS
8.1. ScyllaDB shall maintain records of the Processing activities carried out under this DPA and of its compliance with its obligations under this DPA, and shall make such records available to the Customer, subject to a thirty (30) days’ prior written request, however no more than once per twelve (12) months of engagement. Such records shall be construed as ScyllaDB’s Confidential Information and shall be subject to the corresponding confidentiality obligations under the Agreement.
8.2. In the event the records and documentation provided subject to Section 8.1 above are reasonably determined as not sufficient for the purpose of demonstrating compliance with this DPA, ScyllaDB shall make available, subject to a thirty (30) days’ prior written request and no more than once per twelve (12) months of engagement, to a reputable auditor nominated by the Customer, information necessary to reasonably demonstrate compliance with this DPA, and shall allow for audits, including inspections, by such reputable auditor solely in relation to the Processing of the Customer Data (“Audit”) in accordance with the terms and conditions hereunder. The auditor shall be subject to standard confidentiality obligations (including towards third parties). ScyllaDB may object to an auditor appointed by the Customer in the event ScyllaDB reasonably determines the auditor is not suitably qualified or is a competitor of ScyllaDB. Customer shall bear all expenses related to the Audit and shall (and shall ensure that each of its auditors shall), over the course of such Audit, avoid causing any damage, injury or disruption to ScyllaDB, including its business operation and personnel. Audit documentation and results shall be kept confidential by the Customer.
8.3. Nothing in this DPA will require ScyllaDB to either disclose to Customer or its third-party auditor, or to allow Customer or its third-party auditor to access: (i) any data of any other ScyllaDB’s customer or ScyllaDB’s internal data including without limitation data processed in ScyllaDB’s role as a Controller, internal accounting or financial information; (ii) any trade secret of ScyllaDB or its affiliates; (iii) any information that, in ScyllaDB’s reasonable opinion, could compromise the security of any systems or cause any breach of its obligations under applicable law or its security, privacy or confidentiality obligations to any third party; or (iv) any information that Customer or its third-party auditor seeks to access for any reason other than the good faith fulfillment of Customer’s obligations under the Data Protection Laws. No access to any part of ScyllaDB’s IT systems or infrastructure (including, without limitation, any hands-on or intrusive testing) will be permitted.
9. CROSS BORDER PERSONAL DATA TRANSFERS
9.1. Customer acknowledges and agrees that for the provision of the Services, Scylla may Process, including transfer, Customer Data in various jurisdictions where Scylla’s affiliates and Sub-Processors operate. Scylla will ensure that transfers are made in compliance with the Data Protection Laws that apply to such Processing.
9.1.1. Where the GDPR, UK GDPR or the Swiss FADP applies: Scylla will not transfer Customer Data originating from the European Union, the UK or Switzerland, unless it takes all such measures as are necessary to ensure the transfer is in compliance with European Data Protection Laws. Such measures may include (without limitation): (i) transferring such Customer Data to a recipient that is covered by a suitable framework or other legally adequate transfer mechanism recognized by the relevant authorities or courts as providing an adequate level of protection for Personal Data, including to an Adequate Country or data privacy and transfer frameworks; (ii) to a recipient that has achieved binding corporate rules authorization in accordance with applicable Data Protection Law; or (iii) to a recipient that has executed the Standard Contractual Clauses.
9.1.2. When Customer and Scylla rely on the SCC to facilitate a transfer to a third country the following shall apply:
(i) For transfers of Customer Data from the EEA, the EU SCC shall apply and be completed as follows: (1) Module II (Controller to Processors) will apply; (2) in Clause 7 the optional docking clause will not apply; (3) in Clause 9, option 2 (general written authorization) shall apply and the method for appointing Sub-Processors shall be as set forth in the Sub-Processing Section of the DPA; (4) in Clause 11, the optional language will not apply, and Data Subjects shall not be able to lodge a complaint with an independent dispute resolution body; (5) in Clause 17, option 1 shall apply, and the EU SCC shall be governed by the law of Ireland; (6) in Clause 18(b) the parties choose the courts of Ireland as their choice of forum and jurisdiction; (7) Annex I(A) of the EU SCC is completed as follows: Customer is the Data Exporter, ScyllaDB is the Data Importer, and the parties’ contact details are as completed under the Agreement; (8) Annex I(B) of the EU SCC is completed as set out in Annex I of this DPA; (9) Annex I(C) of the EU SCC shall identify the competent supervisory authority/ies as the supervisory authority of Ireland; (10) Annex II of the EU SCC is deemed completed with the information set out in Annex II of this DPA; (11) Annex III of the EU SCC shall be completed with the list of sub-processors set out in Annex III of this DPA.
(ii) For transfers of Customer Data from the UK, the UK SCC shall apply and be completed as follows: (1) Table 1 shall be completed as set forth in Section (i)(7) above; (2) Table 2 shall be completed as set forth in Sections (i)(1) – (i)(4) above; (3) Table 3 shall be completed as follows: Annex 1A shall be completed with the relevant information as set out in Section (i)(7) above; Annex 1B shall be completed with the relevant information as set out in Annex I of this DPA; Annex II shall be completed with the relevant information as set out in Annex II of this DPA; Annex III shall be completed with the list of sub-processors set out in Annex III of this DPA; (4) Table 4 shall be completed with the “neither party” option; and (5) any conflict between the terms of the EU SCC and the UK SCC will be resolved in accordance with Section 10 and Section 11 of the UK SCC.
(iii) For transfers of Customer Data from Switzerland, the Swiss SCC shall apply in accordance with the terms under Annex IV, with the following modifications: (1) references to “Regulation (EU) 2016/679” will be interpreted as references to the Swiss DPA; (2) references to “EU”, “Union” and “Member State law” will be interpreted as references to Swiss law; and (3) references to the “competent supervisory authority” and “competent courts” will be replaced with the “Swiss Federal Data Protection and Information Commissioner” and the “relevant courts in Switzerland”.
9.1.3. Where the India Data Protection Laws apply, ScyllaDB will not transfer any Customer Data to blacklisted countries.
10. TERM, TERMINATION AND CONFLICT
10.1. This DPA shall be effective as of the Effective Date and shall remain in force until the Agreement terminates or as long as ScyllaDB Processes Customer Data.
10.2. ScyllaDB shall be entitled to terminate this DPA or cease the Processing of Customer Data in the event that Processing of Customer Data under the Customer’s Instructions infringes applicable legal requirements, provided Customer did not cure such infringement within ten (10) days from receiving applicable notice from ScyllaDB. Alternately, ScyllaDB may, in its sole discretion, suspend the Processing of the Customer Data until such infringement is cured without.
10.3. Following the termination of this DPA, ScyllaDB shall, at the choice of the Customer, delete all Customer Data Processed on behalf of the Customer and certify to the Customer that it has done so, or return all Customer Data to the Customer and delete existing copies, unless applicable law or regulatory requirements requires that ScyllaDB continue to store Customer Data. Until the Customer Data is deleted or returned, the parties shall continue to ensure compliance with this DPA. Customer’s choice shall be provided in writing to ScyllaDB, following effect of termination.
10.4. In the event of a conflict between the terms and conditions of this DPA and the Agreement, this DPA shall prevail. For the avoidance of doubt, in the event Standard Contractual Clauses have been executed between the parties, the terms of the Standard Contractual Clauses shall prevail over those of this DPA. Except as set forth herein, all of the terms and conditions of the Agreement shall remain in full force and effect.
ANNEX I
DETAILS OF PROCESSING
This Annex I includes certain details of the Processing of Customer Data as required under the Data Protection Laws.
Categories of Data Subjects:
Customer may submit Personal Data to the Service, the extent of which is determined and controlled by Customer in its sole discretion.
Categories of Personal Data:
Customer may submit Personal Data to the Service, the extent of which is determined and controlled by Customer in its sole discretion.
Special Categories of Personal Data:
Customer is specifically prohibited from providing ScyllaDB any Sensitive Data or Special Categories of Data, unless agreed in writing by ScyllaDB.
Nature of the Processing:
Storage, organization, communication, transfer, host and other types of Processing for the purpose of providing the Services as set out in the Agreement.
Purpose(s) of Processing:
To provide the Services.
Retention Period:
For as long as it is necessary for ScyllaDB to provide the Service; provided there is no legal obligation to retain the Customer Data post termination or unless otherwise requested by the Customer.
Process Frequency:
Continuous basis
ANNEX II
TECHNICAL AND ORGANIZATIONAL MEASURES
The following description reviews the technical and organizational measures implemented by ScyllaDB as a Processor of Customer Data, to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the Processing, and the risks for the rights and freedoms of natural persons.
The security objectives of ScyllaDB are identified and managed to maintain a high level of security and consist of the following (concerning all data assets and systems):
Description of the technical and organizational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the Processing, and the risks for the rights and freedoms of natural persons:
1. System Control
Access to ScyllaDB’s database is highly restricted in order to ensure that only the relevant personnel who have received prior approval can access the database. ScyllaDB has also implemented appropriate safeguards related to remote access and wireless computing capabilities. Employees are required to choose unique and complex passwords that allow strictly limited access to or use of Personal Data, all in accordance with such employee’s position, and solely to the extent such access or use is required. There is constant monitoring of access to the Personal Data and of the passwords used to gain access. ScyllaDB uses automated tools to identify non-human login attempts and rate-limits login attempts to minimize the risk of a brute force attack; in addition, multi-factor authentication is enforced.
2. Data Access Control
User authentication measures have been put in place in order to ensure that access to Customer Data is restricted solely to those employees who have been given permission to access it and to ensure that the Customer Data is not accessed, modified, copied, used, transferred or deleted without specific authorization for such actions. Any access to Customer Data, as well as any action performed involving the use of Customer Data, requires a password and a second authentication factor, and is blocked when applicable. Each employee is able to perform actions solely in accordance with the permissions granted to them by ScyllaDB. Furthermore, ScyllaDB conducts ongoing reviews of the employees who have been given authorization to access Customer Data, in order to assess whether such access is still required. ScyllaDB revokes access to Customer Data immediately upon termination of employment.
3. Physical Access Control
ScyllaDB recognizes the significance of physical security controls as a key component in its overall security program. Physical access methods, procedures and controls have been implemented to help prevent unauthorized access to data, assets and restricted areas. Processes are in place to remove access to physical resources when an individual no longer requires access. Physical Access to ScyllaDB office does not provide any privileges to the production environment.
4. Organizational and Operational Security
ScyllaDB puts a lot of effort and invests a lot of resources into ensuring that ScyllaDB’s security policies and practices are being complied with, including by continuously providing employees with training with respect to such security policies and practices. ScyllaDB strives to raise awareness regarding the risks involved in the processing of Customer Data. In addition, ScyllaDB has implemented applicable safeguards for its hardware and software, including by installing firewalls and anti-virus software on its applicable ScyllaDB hardware and software, in order to protect against malicious software.
5. Availability Control
ScyllaDB maintains backup policies and associated measures. Such backup policies include permanent monitoring of operational parameters as relevant to the backup operations. Furthermore, ScyllaDB’s servers include an automated backup procedure. ScyllaDB also conducts regular controls of the condition and labelling of data storage devices for data security. ScyllaDB ensures that regular checks are carried out to determine whether it is possible to restore from the backup, as required and applicable.
6. Penetration Testing
An external penetration test is performed on an annual basis. The penetration tests include, among others, procedures to prevent customers, groups of individuals, or other entities from accessing confidential information other than their own. The penetration tests and security scans are performed by a reputable third-party vendor. In addition, ScyllaDB conducts vulnerability scans designed to identify potential vulnerabilities or misconfigurations on a periodic basis and after any significant change in the environment. Actions are taken to remediate identified deficiencies on a timely basis. Vulnerability scans are performed using external tools, in order to detect potential security breaches.
7. Encryption
ScyllaDB implements encryption at rest of Customer Data as well as encryption in transit of all communication on and to the service, as well as communication between elements in the services.
In some cases, encryption is based on underlying cloud provider services; in other cases it is implemented as part of ScyllaDB Enterprise. Encryption between ScyllaDB customers and the ScyllaDB application is enabled using an authenticated HTTPS tunnel with TLS 1.2 as the minimum protocol version.
8. Compliance and Certification
ScyllaDB operations, policies and procedures are audited regularly to ensure ScyllaDB meets all standards expected of a cloud system provider. Compliance certifications and attestations are assessed by a third-party, independent auditor and result in a certification, audit report, or attestation of compliance. ScyllaDB’s systems and Services were audited and verified under such compliance certification. ScyllaDB is SOC2 certified, as well as ISO 27001:2013, ISO 27017:2015 and ISO 27018:2019 certified.
Such certifications and audits are meant to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the Processing, and the risks for the rights and freedoms of natural persons, in accordance with the System and Organization Controls 2 (SOC2) industry standard as well as ISO 27001:2013, ISO 27017:2015 and ISO 27018:2019. Upon Customer request and subject to Customer’s confidentiality undertaking, ScyllaDB shall provide the Customer with the SOC2 reports or an executive summary of the ISO 27001:2013, ISO 27017:2015 and ISO 27018:2019 audits.
For more information regarding the SOC2, please see our SOC2 webpage here.
9. Additional Safeguards implemented by ScyllaDB for Customer Data Transfers to the US:
Measures and assurances regarding U.S. government surveillance have been implemented by ScyllaDB, and ScyllaDB agrees and hereby represents it maintains the following additional safeguards:
A. ScyllaDB maintains industry standard measures to protect the Customer Data from interception (including in transit from Customer to ScyllaDB and between different systems and services). This includes maintaining encryption in transit and at rest.
B. As of the Effective Date of the Agreement, ScyllaDB has not received any national security orders.
C. No court has found ScyllaDB to be: (i) the type of entity eligible to receive process issued under section 702 of the United States Foreign Intelligence Surveillance Court (“FISA”); (ii) an “electronic communication service provider” within the meaning of 50 U.S.C § 1881(b)(4) or a member of any of the categories of entities described within that definition.
D. In the event that FISA applies to ScyllaDB, ScyllaDB will make reasonable efforts to resist, subject to applicable laws, any request for bulk surveillance relating to the Customer Data, including (if applicable) under Section 702 of the FISA.
E. If ScyllaDB becomes aware of any law enforcement agency or other governmental authority (“Authority”) attempt or demand to gain access to or receive a copy of the Customer Data (or part thereof), whether on a voluntary or a mandatory basis, then, unless legally prohibited or under a mandatory legal compulsion that requires otherwise, ScyllaDB shall: (i) inform the relevant Authority that ScyllaDB is a Processor of the Customer Data and that Customer, as the Controller, has not authorized ScyllaDB to disclose the Customer Data to the Authority; (ii) inform the relevant Authority that any and all requests or demands for access to Customer Data should be directed to or served upon Customer in writing; and (iii) use reasonable legal mechanisms to challenge any such demand for access to Customer Data.
F. Notwithstanding the above, if, taking into account the nature, scope, context and purposes of the related Authority’s intended access to Customer Data, ScyllaDB has a reasonable and good-faith belief that urgent access is necessary to prevent an imminent risk of serious harm to any individual or entity, these subsections shall not apply. In such event, ScyllaDB shall notify Customer, as soon as possible, following the access by the Authority, and provide Customer with relevant details, unless and to the extent legally prohibited from doing so. ScyllaDB will inform Customer, upon written request (and not more than once a year), of the types of binding legal demands for Customer Data ScyllaDB has received and complied with, including demands under national security orders and directives, specifically including any process under Section 702 of FISA.
ANNEX III
LIST OF SUB-PROCESSORS
| Name | Processing region | Description of the Processing | Transfer mechanism |
| --- | --- | --- | --- |
| Microsoft Azure | USA | Cloud Services | SCC, or Data Privacy Framework, as applicable |
| Google Cloud Platform | USA | Cloud Services | SCC, or Data Privacy Framework, as applicable |
| Amazon Web Services | USA and Ireland | Cloud Services | SCC, or Data Privacy Framework, as applicable |
| Recurly Inc. | USA | Payment Services | SCC, or Data Privacy Framework, as applicable |
| Stripe Inc. | USA | Payment Services – to process payments by Credit Card (mostly) and other payment methods. | SCC, or Data Privacy Framework, as applicable |
| Zendesk Inc. | USA | Support Services | SCC, or Data Privacy Framework, as applicable |
| SeekWell Inc. | Australia | Analytics Services | DPA |
ANNEX IV
EU INTERNATIONAL TRANSFERS AND SCC
1. The parties agree that the terms of the Standard Contractual Clauses are hereby incorporated by reference and shall apply to transfer of Personal Data from the EEA to other countries that are not deemed as Adequate Countries.
2. Module Two (Controller to Processor) of the Standard Contractual Clauses shall apply where the transfer is effectuated by Customer as the Controller of the Customer Data and ScyllaDB is the Processor of the Customer Data.
3. The Parties agree that for the purpose of transfer of Personal Data between Customer (as Data Exporter) and ScyllaDB (as Data Importer), the following shall apply:
a) Clause 7 of the Standard Contractual Clauses shall not be applicable.
b) In Clause 9, option 2 (general written authorization) shall apply and the method for appointing and time period for prior notice of Sub-processor changes shall be as set forth in the Sub-Processing Section of the DPA.
c) In Clause 11, the optional language will not apply, and data subjects shall not be able to lodge a complaint with an independent dispute resolution body.
d) In Clause 17, option 1 shall apply. The parties agree that the Standard Contractual Clauses shall be governed by the laws of the EU Member State in which the Customer is established (where applicable).
e) In Clause 18(b) the parties choose the courts of the Republic of Ireland, as their choice of forum and jurisdiction.
4. Annex I.A of the Standard Contractual Clauses shall be completed as follows:
4.a.1. “Data Exporter“: Customer
4.a.2. “Data Importer“: ScyllaDB
4.a.3. Roles: (A) With respect to Module Two: (i) Data Exporter is a data controller and (ii) the Data Importer is a data processor.
4.a.4. Data Exporter and Data Importer Contact details: As detailed in the Agreement.
4.a.5. Signature and Date: By entering into the Agreement and DPA, Data Exporter and Data Importer are deemed to have signed these Standard Contractual Clauses incorporated herein, including their Annexes, as of the Effective Date of the Agreement.
5. Annex I.B of the Standard Contractual Clauses shall be completed as follows:
a) The purpose of the processing, nature of the processing, categories of data subjects, categories of personal data and the parties’ intention with respect to the transfer of special categories are as described in Annex I (Details of Processing) of this DPA.
b) The frequency of the transfer and the retention period of the personal data is as described in Annex I (Details of Processing) of this DPA.
c) The sub-processors to which personal data is transferred are listed in Annex III.
6. Annex I.C of the Standard Contractual Clauses shall be completed as follows: the competent supervisory authority in accordance with Clause 13 is the supervisory authority in the Member State stipulated in Section 3 above.
7. Annex II of this DPA (Technical and Organizational Measures) serves as Annex II of the Standard Contractual Clauses.
8. Annex III of this DPA (List of Sub-processors) serves as Annex III of the Standard Contractual Clauses.
9. Transfers to the US: Measures and assurances regarding US government surveillance (“Additional Safeguards”) are further detailed in Annex II.
ANNEX V
UK INTERNATIONAL TRANSFERS AND SCC
1. The parties agree that the terms of the Standard Contractual Clauses as amended by the UK Standard Contractual Clauses, and as amended in this Annex V, are hereby incorporated by reference and shall apply to transfer of Personal Data from the UK to other countries that are not deemed as Adequate Countries.
2. This Annex V is intended to provide appropriate safeguards for the purposes of transfers of Personal Data to a third country in reliance on Article 46 of the UK GDPR and with respect to data transfers from controllers to processors or from the processor to its sub-processors.
3. Terms used in this Annex V that are defined in the Standard Contractual Clauses, shall have the same meaning as in the Standard Contractual Clauses.
4. This Annex V shall (i) be read and interpreted in the light of the provisions of UK Data Protection Laws, and so that it fulfils the intention for it to provide the appropriate safeguards as required by Article 46 of the UK GDPR, and (ii) not be interpreted in a way that conflicts with rights and obligations provided for in UK Data Protection Laws.
5. Amendments to the UK Standard Contractual Clauses:
5.1. Part 1: Tables
5.1.1. Table 1 Parties: shall be completed as set forth in Section 4 within Annex IV above.
5.1.2. Table 2 Selected SCCs, Modules and Selected Clauses: shall be completed as set forth in Sections 2 and 3 within Annex IV above.
5.1.3. Table 3 Appendix Information:
Annex 1A: List of Parties: shall be completed as set forth in Section 2 within Annex IV above.
Annex 1B: Description of Transfer: shall be completed as set forth in Annex I above.
Annex II: Technical and organizational measures including technical and organizational measures to ensure the security of the data: shall be completed as set forth in Annex II above.
Annex III: List of Sub-processors: shall be completed as set forth in Annex III above.
5.1.4. Table 4 Ending this Addendum when the Approved Addendum Changes: shall be completed as “neither party”.
ANNEX VI
SUPPLEMENTARY TERMS FOR SWISS DATA PROTECTION LAW TRANSFERS ONLY
The following terms supplement the Clauses only if and to the extent the Clauses apply with respect to data transfers subject to Swiss Data Protection Law, and specifically the FDPA:
ANNEX VII
1. CCPA Specifications:
1.1. For the purpose of the CCPA, Customer is the Business and ScyllaDB is the Service Provider.
1.2. ScyllaDB shall Process Customer Data on behalf of the Customer as a Service Provider under the CCPA and shall not: (i) Sell or Share the Customer Data; (ii) retain, use or disclose the Customer Data for any purpose other than for a Business Purpose specified in the Agreement; or (iii) combine the Customer Data with other Personal Data that it receives from, or on behalf of, another customer, or collects from its own interaction with California residents, except as otherwise permitted by the CCPA.
1.3. If, and to the extent applicable, ScyllaDB shall assist Customer in respect of a Consumer request to limit the use of its Sensitive Personal Information (“SPI”) by ScyllaDB.
1.4. ScyllaDB certifies that it understands the rules, requirements and definitions of the CCPA and agrees to refrain from Selling any Customer Data.
2. U.S. Applicable States Specifications:
2.1. For the purpose of this U.S. Addendum, “Applicable States” shall mean Virginia, California, Colorado, Utah and Connecticut.
2.2. ScyllaDB agrees to notify the Customer if ScyllaDB makes a determination that it can no longer meet its obligations under this U.S. Addendum or U.S. Data Protection Law.
2.3. ScyllaDB shall provide information necessary to enable Customer to conduct and document any data protection assessments required by U.S. Data Protection Laws. Notwithstanding the above, ScyllaDB is responsible for only the measures allocated to it.
2.4. ScyllaDB shall provide assistance, and shall procure that its subcontractors provide assistance, as Customer may reasonably request, where and to the extent applicable, in connection with any obligation by Customer to respond to Consumers’ requests for exercising their rights under the U.S. Data Protection Laws, including without limitation by taking appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Customer’s respective obligation. ScyllaDB acknowledges and confirms that it does not receive any monetary goods, payments or discounts in exchange for Processing the Customer Data.
2.5. Each party shall, taking into account the context of Processing, implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk. The parties are hereby establishing a clear allocation of the responsibilities between them to implement these measures. ScyllaDB technical measures are detailed in the DPA and Annexes above.
2.6. The Processing instructions, including the nature of Processing, purpose of Processing, the duration of Processing, the type of Personal Data and categories of Data Subjects, are set forth in Annex I above.
2.7. Each party will comply with the requirements set forth under U.S. Data Protection Laws with regard to processing of de-identified data, as such term is defined under the applicable U.S. Data Protection Law.
3. When Processing Customer Data or Usage Data (as defined in the Agreement) for the permitted purposes under U.S. Data Protection Laws, ScyllaDB shall ensure it complies with applicable laws and shall be liable for such Processing activities.