Feeling stuck with Segment? Say đź‘‹ to RudderStack.
Effective Date:Â March 20th, 2022
1. Introduction.
This Data Protection Addendum (“DPA”) is entered into by and between RudderStack, Inc., a Delaware corporation (“RudderStack”), and forms part of the Master Subscription Agreement (the “Agreement”) to reflect the Parties’ agreement with regard to the Processing of Customer Personal Data.
Customer enters into this DPA on behalf of itself and, to the extent required under applicable Data Protection Laws, in the name and on behalf of its Authorized Affiliates.
2. Definitions.
Capitalized terms that are used but not defined in this DPA have the meanings given in the Agreement or the Applicable Data Protection Laws, or, to the extent they are technical terms, defined in the relevant RudderStack documentations: https://www.rudderstack.com/docs.
a. “Affiliates” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control,” for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.
b. “Applicable Data Protection Laws” means all laws and regulations, including laws and regulations of the European Union, the European Economic Area and their member states, Switzerland, the United Kingdom and the United States and its states, applicable to the Processing of Personal Data under the Agreement as amended from time to time.
c. "Authorized Affiliates" means any of Customer’s Affiliates that (i) are permitted to use the Services pursuant to the Agreement, but have not signed their own separate agreement with RudderStack and are not a “Customer” as defined under the Agreement, (ii) qualify as a Controller or Processor of Customer Personal Data Processed by RudderStack, and (iii) are subject to the data protection laws and regulations of the European Union, the European Economic Area and/or their member states, Switzerland and/or the United Kingdom.
d. “Customer Data” has the same meaning as defined in the Agreement. This DPA applies to RudderStack’s Processing of Customer Personal Data, which is Customer Data that (i) constitute Personal Data, and (ii) is electronic data and information submitted by or for Customer to the Services.
e. “Data Subject” means the identified or identifiable natural person who is the subject of Personal Data.
f. “Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
g. “Personal Data” means “personal data”, “personal information”, “personally identifiable information” or similar information defined in and governed by Applicable Data Protection Laws.
h. “Security Incident” means any confirmed unauthorized or unlawful breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Customer Personal Data being Processed by RudderStack. Security Incidents do not include unsuccessful attempts or activities that do not compromise the security of Customer Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks or other network attacks on firewalls or networked systems.
i. “Subprocessor” means any third party authorized by RudderStack to Process any Customer Personal Data.
3. General; Term.
a. This DPA forms part of the Agreement and except as expressly set forth in this DPA, the Agreement remains unchanged and in full force and effect. If there is any conflict between this DPA and the Agreement, this DPA will govern.
b. This DPA will be governed by and construed in accordance with governing law and jurisdiction provisions in the Agreement, unless required otherwise by Applicable Data Protection Laws.
c. This DPA will automatically terminate upon expiration or termination of the Agreement.
4. Relationship of the Parties.
a. RudderStack as Processor. The parties acknowledge and agree that with regard to the Processing of Customer Personal Data, Customer is a controller or processor and RudderStack is a processor. RudderStack will process Customer Personal Data in accordance with Customer’s instructions as outlined in Section 6.
b. Authorized Affiliates. By signing the Agreement, Customer enters into this DPA (including, where applicable, the Standard Contractual Clauses) on behalf of Customer and in the name and on behalf of Customer’s Authorized Affiliates. For the purposes of this DPA only, and except where indicated otherwise, the terms “Customer” will include Customer and its Authorized Affiliates. For the avoidance of doubt, an Authorized Affiliate is not and does not become a party to the Agreement, and is a party only to this DPA. All access to and use of the Services by Authorized Affiliates must comply with the terms and conditions of the Agreement and any violation of the terms and conditions of the Agreement by an Authorized Affiliate shall be deemed a violation by Customer.
c. Authorization. The legal entity agreeing to this DPA as Customer represents that it is authorized to agree to and enter into this DPA for and on behalf of itself and, as applicable, each of its Authorized Affiliates.
5. Compliance with Law. Each party will comply with its obligations under Applicable Data Protection Laws with respect to its Processing of Customer Data.
6. Role and Scope of the Processing.
a. Customer Instructions. RudderStack will Process Customer Personal Data only in accordance with Customer’s instructions. By entering into the Agreement, Customer instructs RudderStack to Process Customer Personal Data to provide the Services and pursuant to any other written instructions given by Customer and acknowledged in writing (via email) by RudderStack as constituting instructions for purposes of this DPA. Customer acknowledges and agrees that such instruction authorizes RudderStack to Process Customer Personal Data (a) to perform its obligations and exercise its rights under the Agreement; and (b) to perform its legal obligations and to establish, exercise or defend legal claims in respect of the Agreement.
b. Customer Personal Data. Customer agrees that, with respect to Customer Personal Data, Customer shall have sole responsibility for (a) the accuracy, quality, and legality of Customer Personal Data and the means by which Customer acquired Customer Personal Data; and (b) ensuring Customer has the right to transfer, or provide access to, the Customer Personal Data to RudderStack for Processing in accordance with the terms of the Agreement (including this DPA). Customer specifically acknowledges and agrees that its use of the Services will not violate the rights of any Data Subject, including those that have opted-out from sales or other disclosures of Customer Personal Data, to the extent applicable under Applicable Data Protection Laws.
c. Sources and Destinations. For clarity, nothing in this DPA limits RudderStack from transmitting Customer Personal Data to and among Sources and Destinations as directed by Customer through the Services. The parties agree that neither Sources nor Destinations are Subprocessors of RudderStack and that, between the parties, Customer is solely responsible for the Processing of Customer Personal Data by, and other acts and omissions of, Sources and Destinations or parties associated therewith.
7. Subprocessing.
a. Appointment of Subprocessors. Customer generally authorizes RudderStack to engage Subprocessors to Process Customer Personal Data. In such instances, RudderStack:
(i) will enter into a written agreement with each Subprocessor, imposing data protection obligations substantially similar to those set out in this DPA; and
(ii) remains liable for compliance with the obligations of this DPA and for any acts or omissions of the Subprocessor that cause RudderStack to breach any of its obligations under this DPA.
b. List of Subprocessors. A list of RudderStack’s Subprocessors is as below:
- Amazon Web Services - USA - Cloud Service Provider
c. Objection to New Subprocessors. When any new Subprocessor is engaged, RudderStack will notify Customer of the engagement, which notice may be given via a message by emailing brett@rudderstack.com. RudderStack will give such notice at least ten (10) calendar days before the new Subprocessor Processes any Customer Personal Data, except that if RudderStack reasonably believes engaging a new Subprocessor on an expedited basis is necessary to protect the confidentiality, integrity or availability of the Customer Personal Data or avoid material disruption to the Services, RudderStack will give such notice as soon as reasonably practicable. If, within five (5) calendar days after such notice, Customer notifies RudderStack in writing that Customer objects to RudderStack’s appointment of a new Subprocessor based on reasonable data protection concerns, the parties will discuss such concerns in good faith and whether they can be resolved. If the parties are not able to mutually agree to a resolution of such concerns, Customer, as its sole and exclusive remedy, may terminate the Agreement.
8. Security.
a. Security Measures. RudderStack will implement and maintain technical and organizational security safeguards designed to protect Customer Data from Security Incidents and to preserve the security and confidentiality of the Customer Data, in accordance with RudderStack’s security standards referenced in the Agreement.
b. Customer Responsibility.
(i) Customer is responsible for reviewing the information made available by RudderStack relating to data security and making an independent determination as to whether the Services meet Customer’s requirements and legal obligations under Applicable Data Protection Laws. Customer acknowledges that the Security Measures may be updated from time to time upon reasonable notice to Customer to reflect process improvements or changing practices (but the modifications will not materially decrease RudderStack’s obligations as compared to those reflected in such terms as of the Effective Date).
(ii) Customer agrees that, without limitation to RudderStack’s obligations under this Section 8, Customer is solely responsible for its use of the Services, including (a) making appropriate use of the Services to ensure a level of security appropriate to the risk in respect of the Customer Personal Data; (b) securing the account authentication credentials, systems and devices Customer uses to access the Services; (c) securing Customer’s systems and devices that it uses with the Services; (d) maintaining its own backups of Customer Personal Data.
c. Security Incident. Upon becoming aware of a confirmed Security Incident, RudderStack will notify Customer without undue delay unless prohibited by applicable law. A delay in giving such notice requested by law enforcement and/or in light of RudderStack’s legitimate needs to investigate or remediate the matter before providing notice will not constitute an undue delay. Such notices will describe, to the extent possible, details of the Security Incident, including steps taken to mitigate the potential risks and steps RudderStack recommends Customer take to address the Security Incident. Without prejudice to RudderStack’s obligations under this Section 8.c., Customer is solely responsible for complying with Security Incident notification laws applicable to Customer and fulfilling any third party notification obligations related to any Security Incidents. RudderStack’s notification of or response to a Security Incident under this Section 8.c. will not be construed as an acknowledgement by RudderStack of any fault or liability with respect to the Security Incident.
9. Audits and Reviews of Compliance.
a. RudderStack’s Audits and Certifications. We have attained System and Organization Controls (SOC) 2 Type II certification through a third-party auditor. The SOC 2 Type II report validates that RudderStack meets the requirements of customers in highly controlled industries who need expert evaluation about how vendors handle the principles of security. For more information on our security practices, please refer to our data transfer impact assessment: https://www.rudderstack.com/data-transfer-impact-assessment.
b. Audit Reports. Upon Customer’s written request at reasonable intervals, and subject to reasonable confidentiality controls, RudderStack will make available to Customer a copy of RudderStack’s most recent Audit Report. Customer agree that any audit rights granted by Applicable Data Protection Laws will be satisfied by these Audit Reports. To the extent that RudderStack’s provision of an Audit Report does not provide sufficient information for Customer to verify RudderStack’s compliance with this DPA or Customer is required to respond to a regulatory authority audit, Customer agrees, to the extent possible, audit RudderStack’s compliance with its obligations under this DPA through reasonable requests for information, including security and audit questionnaires. RudderStack will provide written responses to the extent the requested information is necessary to confirm RudderStack’s compliance with this DPA. Any information provided by RudderStack under this Section 9.b. constitutes RudderStack’s confidential information under the Agreement.
c. Customer Audit. No more than once during any consecutive 12 month period, Customer may contact RudderStack to request an audit of RudderStack’s Processing activities covered by this DPA (“Customer Audit”) at Customer’s expense. A Customer Audit may be conducted by Customer either itself or through a third-party auditor (as defined below) selected by Customer when:
- the information available pursuant to Section 9.a. and 9.b. is not sufficient to demonstrate compliance with the obligations set out in this DPA;
- Customer has received a notice from RudderStack of a Security Incident; or
- such an audit is required by Applicable Data Protection Laws or by Customer’s competent supervisory authority.
Any Customer Audits will be limited to Customer Personal Data Processing and storage facilities operated by RudderStack or RudderStack’s Affiliates. Customer acknowledges that RudderStack operates a multi-tenant cloud environment. Accordingly, RudderStack shall have the right to reasonably adapt the scope of any Customer Audit to avoid or mitigate risks with respect to, and including, service levels, availability, and confidentiality of other RudderStack customers’ information. Customer agrees to conduct any Customer Audit during RudderStack’s normal business hours, under reasonable duration and shall not unreasonably interfere with RudderStack’s day-to-day operations. Before any Customer Audit commences, Customer and RudderStack shall mutually agree upon the scope, timing, and duration of the audit and the reimbursement rate for which Customer shall be responsible. All reimbursement rates shall be reasonable, taking into account the resources expended by or on behalf of RudderStack.
If a third party is to conduct an audit under this Section 9.c., RudderStack may object to the auditor if the auditor is, in RudderStack’s reasonable opinion, not independent, a competitor of RudderStack or otherwise unqualified. Such objection by RudderStack will require Customer to appoint another auditor or conduct the audit itself. Prior to the commencement of any audit, the auditor must execute a written confidentiality agreement acceptable to RudderStack.
10. Impact Assessments and Consultations. RudderStack will provide reasonable cooperation to Customer in connection with any data protection impact assessment (at Customer’s expense only if such reasonable cooperation will require RudderStack to assign significant resources to that effort) or consultations with regulatory authorities that may be required in accordance with Applicable Data Protection Laws. Our data transfer impact assessment can be found here: https://www.rudderstack.com/data-transfer-impact-assessment.
11. Data Subject Requests. RudderStack will, upon Customer’s request and at Customer’s expense, provide Customer with such assistance as it may reasonably require to comply with its obligations under Applicable Data Protection Laws to respond to requests from individuals to exercise their rights under Applicable Data Protection Laws (e.g., rights of data access, rectification, erasure, restriction, portability and objection). Customer shall direct assistance requests to dpo@rudderstack.com. If RudderStack receives a request from a Data Subject in relation to their Customer Personal Data,RudderStack will advise the Data Subject to submit their request to Customer, and Customer will be responsible for responding to any such request. Customer will be solely responsible for responding substantively to any such Data Subject Requests or communications involving Customer Personal Data.
12. Return or Deletion of Customer Data.
a. RudderStack will enable Customer to delete Customer Personal Data during the Term in a manner consistent with the functionality of the Services. If Customer uses the Services to delete any Customer Personal Data during the Term and that Customer Personal Data cannot be recovered by Customer, this use will constitute an instruction to RudderStack to delete the relevant Customer Personal Data from RudderStack’s systems in accordance with applicable law.
On expiry of the Term, if Customer instructs RudderStack to delete all Customer Personal Data (including existing copies) from RudderStack’s systems in accordance with applicable law, RudderStack will, after a recovery period of up to 30 days following such expiry, comply with this instruction as soon as reasonably practicable and within a maximum period of 180 days, unless applicable law requires storage. Customer acknowledges and agrees that Customer will be responsible for exporting, before the Term expires, any Customer Personal Data it wishes to retain afterwards.
b. Notwithstanding the foregoing, Customer understands that RudderStack may retain Customer Data if required by law, and such data will remain subject to the requirements of this DPA.
13. Authorized Affiliates’ Specific Terms.
a. The Customer that is the contracting party to the Agreement shall remain responsible for coordinating all communication with RudderStack under this DPA and be entitled to make and receive any communication in relation to this DPA on behalf of its Authorized Affiliates.
b. Where an Authorized Affiliate becomes a party to this DPA with RudderStack, it shall to the extent required under Applicable Data Protection Laws be entitled to exercise the rights and seek remedies under this DPA, subject to the following:
(i) Except where Applicable Data Protection Laws require the Authorized Affiliate to exercise a right or seek any remedy under this DPA against RudderStack directly by itself, the parties agree that solely the Customer that is the contracting party to the Agreement shall exercise any such right or seek any such remedy on behalf of the Authorized Affiliate, and the Customer that is the contracting party to the Agreement shall exercise any such rights under this DPA, not separately for each Authorized Affiliate individually, but in a combined manner for itself and all of its Authorized Affiliates together.
(ii) The parties agree that the Customer that is the contracting party to the Agreement shall, when carrying out a Customer Audit of the procedures relevant to the protection of Customer Personal Data, take all reasonable measures to limit any impact on RudderStack by combining, to the extent reasonably possible, several audit requests carried out on behalf of itself and all of its Authorized Affiliates in one single audit.
14. Limitation of Liability. Each party’s and all of its Affiliates’ liability, taken together in the aggregate, arising out of or related to this DPA, and all DPAs between Authorized Affiliates and RudderStack, whether in contract, tort or under any other theory of liability, is subject to the “Limitation of Liability” section of the Agreement, and any reference in such section to the liability of a party means the aggregate liability of that party and all of its Affiliates under the Agreement and all DPAs together. For the avoidance of doubt, RudderStack’s and its Affiliates’ total liability for all claims from Customer and all of its Authorized Affiliates arising out of or related to the Agreement and all DPAs shall apply in the aggregate for all claims under both the Agreement and all DPAs established under the Agreement, including by Customer and all Authorized Affiliates, and, in particular, shall not be understood to apply individually and severally to Customer and/or to any Authorized Affiliate that is a contractual party to any such DPA.
15. International Provisions.
a. Processing in the United States. Customer acknowledges that, as of the Effective Date, RudderStack’s primary processing facilities are in the United States.
b. Jurisdiction Specific Terms. To the extent that RudderStack Processes Customer Data originating from and protected by Applicable Data Protection Laws in one of the Jurisdictions listed in Schedule 4 (Jurisdiction Specific Terms), then the terms specified therein with respect to the applicable jurisdiction(s) will apply in addition to the terms of this DPA.
c. Cross Border Data Transfer Mechanism. To the extent that Customer’s use of the Services requires an onward transfer mechanism to lawfully transfer personal data from a jurisdiction (i.e., the European Economic Area (“EEA”), the UK, Switzerland or any other jurisdiction listed in Schedule 3) to RudderStack located outside of that jurisdiction (a “Transfer Mechanism”), the terms and conditions of Schedule 3 (Cross Border Transfer Mechanisms) will apply.
The parties’ authorized signatories have duly executed this DPA:
RudderStack, Inc.
Signature:
Name:
Title:
Date:
Customer:
Signature:
Name:
Title:
Date:
SCHEDULE 1
SUBJECT MATTER & DETAILS OF PROCESSING
1. Nature and Purpose of the Processing. RudderStack will process Personal Data as necessary to provide the Services under the Agreement. RudderStack does not sell Customer Personal Data and does not share such Customer Personal Data with third parties for compensation or for those third parties’ own business interests.
We receive, transform, and route customer end-user event data from source (application, website, mobile device or SaaS platform) to destination (customer warehouse or business tools) systems.
2. Processing Activities.
Customer Personal Data will be subject to the following basic processing activities: the provision of Services that allow Customers to integrate, transform, analyze and transfer Customer data to destination applications, while retaining full-control over the data.
3. Duration of the Processing. The period for which Personal Data will be retained and the criteria used to determine that period is as follows:
Prior to the termination of the Agreement, RudderStack will process stored Customer Personal Data for the purpose of providing the Services until Customer elects to delete such Customer Data via the Services or in accordance with the Agreement.
4. Categories of Data Subjects.
Customer’s data subjects.
5. Categories of Personal Data.
The categories of Customer Personal Data are such categories as Customer is authorized to ingest into the Services under the Agreement.
6. Sensitive Data or Special Categories of Data.
We do not control the personal data that is sent to our platform and our customers determine what data travels across our pipelines and their retention time. We are not aware of the content that our customers are passing through. However, in the event the customer requests to transfer special categories of Personal Data , it would then be specified in the DPA.
SCHEDULE 2
TECHNICAL & ORGANIZATIONAL SECURITY MEASURES
Where applicable, this Schedule 2 will serve as Annex II to the Standard Contractual Clauses. The following provides more information regarding RudderStack’s technical and organizational security measures set forth below.
Technical and Organizational Security Measures:
MODULE TWO: Transfer controller to processor
RudderStack as data importer will implement the following types of security measures:
1. Minimal data retention: RudderStack’s platform is designed to hold as little customer data as possible. Customer data passed to RudderStack is retained no longer than three hours unless the customer requests additional storage.
2. Encryption: All data traffic to and from RudderStack is transmitted over Secure HTTP (HTTPS) using TLS v1.2 or better. All EBS volumes underlying RudderStack data stores are encrypted using the industry standard AES-256 encryption algorithm to encrypt Customer data. AWS KMS is used for key management and cryptographic operations.
3. Multi-tenancy: We have adopted a multi-tenancy model to ensure that one customer’s data is never available to another customer. Customer data separation is logical. Each customer is assigned a unique Workspace ID and customer data is separated by this ID.
4. Logical separation between control and data plane: The control plane manages the configuration of our customer’s sources and destinations, while the data plane is RudderStack's core engine responsible for receiving and buffering the event data, transforming the events into the required destination format and relaying the events to the destination. The data plane is intentionally separated from the control plane to give you complete ownership of your data.
5. Controlled access to Postgresql database: Events are stored temporarily in Postgresql database, until they are either transmitted to the destination or purged within a maximum duration of 3 hours. Postgresql can only connect to the application nodes within the Kubernetes cluster. In the rare event an engineer must access the Postgres instance, access is logged and monitored.
6. Control plane access control and authentication: The platform supports role-based access control which allows access to data based on access privileges associated with the user's user ID. RudderStack’s Enterprise version supports 2-Factor Authentication via email or phone verification using a one-time password (OTP).
7. Monitoring: A monitoring utility is configured to track and monitor changes to resources and services used within AWS. Alerts sent by the monitoring utility are investigated and timely addressed.Security groups are assigned to EC2 instances using the AWS Management Console to implicitly deny and explicitly allow incoming traffic. AWS WAF and AWS GuardDuty provide continuous monitoring of the company's and enable early detection of potential security breaches, which are handled in accordance with defined incident response procedures.
8. Backup and recovery: We maintain backups of the production version of the RudderStack Cloud platform in the VCS. Backups of the databases supporting the RudderStack Cloud platform are performed using AWS backup, which has been configured to perform backups according to an established schedule of daily incremental backups and weekly full backups and retain 35 days of backups. Backups are encrypted at rest.
9. Personnel security: All personnel go through background screening, and are bound by privacy and confidentiality obligations as part of their contract and non-disclosure agreement with RudderStack. All personnel are also required to undertake relevant security and privacy training.
10. Audits: We have attained Service Organization Controls (SOC) 2 Type 2 assessment through a third-party auditor. The SOC 2 Type 2 report validates that RudderStack meets the requirements of customers in highly controlled industries who need expert evaluation about how vendors handle the principles of security.
11. Contractual measures: Our contractual measures are set out in the DPA we sign with our customers. We are obligated under the SCCs (incorporated within the DPA) to notify our customers in the event we are made subject to a request for government access to customer personal data from a government authority.
RudderStack's hosted solution is running on AWS EKS with the cluster spanning multiple availability zones within the United States. As our subprocessor, any data sent to AWS is subject to equal enforcement of the terms of the DPA we sign with our customers. Our agreement with AWS is supplemented with AWS’s DPA, incorporating the new SCCs. AWS has also set out the key technical, contractual and organizational supplementary measures that AWS takes and makes available to protect customer data and support the effectiveness of the SCCs which can be found at https://d1.awsstatic.com/whitepapers/Security/navigating-compliance-with-eu-data-transfer-requirements.pdf
12. Supplementary Safeguards: The supplementary safeguards below describes how we protect Customer data in case we receive disclosure requests:
As of the date of this contract, RudderStack has not received any directive under Section 702 of the U.S. Foreign Intelligence Surveillance Act, codified at 50 U.S.C. § 1881a (“FISA Section 702”).
Unless legally prohibited from doing so, RudderStack will implement the following measures in case of disclosure requests arising from a legal order to protect Customer data:
1. If we are required by a legal order (such as a subpoena, court order,, or any other legal or regulatory requirement) to disclose any of Customer data (a “demand”), we will:
a. attempt to redirect the relevant government authority to request that data directly from Customer;
b. provide Customer with notice and a copy of the demand as soon as practicable; and
c. attempt to inform the relevant government authority that we have reasonable grounds to believe that by virtue of our product design, we neither have access to Customer Personal Data transiting through our platform nor do we persist any Customer data within our infrastructure unless we are requested to do so.
d. In support of the above, RudderStack may provide Customer’s basic contact information to the government authority. RudderStack will document and record the requests for access received from public authorities and the response provided, alongside a summary of the legal reasoning and the actors involved. When and to the extent legally permissible, RudderStack will provide these records to Customer, who may provide them to affected data subjects.
2. We will promptly inform Customer if we are unable to comply with the terms of SCCs, in which case Customer is entitled to suspend the transfer of Customer Personal Data.
SCHEDULE 3
CROSS BORDER DATA TRANSFER MECHANISM
1. Definitions.
a. “Standard Contractual Clauses” means, depending on the circumstances unique to any particular Customer, any of the following:
(i) UK Standard Contractual Clauses; and
(ii) 2021 Standard Contractual Clauses
b. “UK Standard Contractual Clauses” means the Standard Contractual Clauses for data controller to data processor transfers approved by the European Commission in decision 2010/87/EU (“UK Controller to Processor SCCs”)
c. "2021 Standard Contractual Clauses" means the Standard Contractual Clauses approved by the European Commission in decision 2021/914.
2. UK Standard Contractual Clauses. For data transfers from the United Kingdom that are subject to the UK Standard Contractual Clauses, the UK Standard Contractual Clauses will be deemed entered into (and incorporated into this DPA by reference) and completed as follows:
a. The UK Controller to Processor SCCs will apply where RudderStack is processing Customer Personal Data. The illustrative indemnification clause will not apply. Schedule 1 serves as Appendix 1 of the UK Controller to Processor SCCs. Schedule 2 serves as Appendix 2 of the UK Controller to Processor SCCs.
3. The 2021 Standard Contractual Clauses. For data transfers from the European Economic Area that are subject to the 2021 Standard Contractual Clauses, the 2021 Standard Contractual Clauses will apply in the following manner:
a. Module Two (Controller to Processor) will apply where Customer is a controller of Customer Personal Data and RudderStack is a processor of Customer Personal Data;
b. Module Three (Processor to Processor) will apply where Customer is a processor of Customer Personal Data and RudderStack is a sub-processor of Customer Personal Data;
c. For each Module, where applicable:
(i) in Clause 7, the option docking clause will not apply;
(ii) in Clause 9, Option 2 will apply, and the time period for prior notice of sub-processor changes will be as set forth in Section 7 (Subprocessing) of this DPA;
(iii) in Clause 11, the optional language will not apply;
(iv) in Clause 17 (Option 1), the 2021 Standard Contractual Clauses will be governed by Irish law.
(v) in Clause 18(b), disputes will be resolved before the courts of Ireland;
(vi) In Annex I, Part A:
Data Exporter: Customer and authorized affiliates of Customer.
Contact Details: Customer’s account owner email address, or to the email address(es) for which Customer elects to receive privacy communications.
Data Exporter Role: The Data Exporter’s role is outlined in Section 4 of this DPA.
Signature & Date: By entering into the Agreement, Data Exporter is deemed to have signed these Standard Contractual Clauses incorporated herein, including their Annexes, as of the Effective Date of the Agreement.
Data Importer: RudderStack, Inc.
Contact Details: Brett Umberg, Head of GTM, brett@rudderstack.com
Data Importer Role: The Data Importer’s role is outlined in Section 4 of this DPA.
Signature & Date: By entering into the Agreement, Data Importer is deemed to have signed these Standard Contractual Clauses, incorporated herein, including their Annexes, as of the Effective Date of the Agreement.
(vii) In Annex I, Part B:
The categories of data subjects are described in Schedule 1, Section 4.
The sensitive data transferred is described in Schedule 1, Section 6.
The frequency of the transfer is a continuous basis for the duration of the Agreement.
The nature of the processing is described in Schedule 1, Section 1.
The purpose of the processing is described in Schedule 1, Section 1.
The period of the processing is described in Schedule 1, Section 3.
For transfers to sub-processors, the subject matter, nature, and duration of the processing: see above.
(viii) In Annex I, Part C: The Irish Data Protection Commission will be the competent supervisory authority.
(ix) Schedule 2 serves as Annex II of the Standard Contractual Clauses.
4. To the extent there is any conflict between the Standard Contractual Clauses and any other terms in this DPA, including Schedule 4 (Jurisdiction Specific Terms), the provisions of the Standard Contractual Clauses will prevail.
SCHEDULE 4
JURISDICTION SPECIFIC TERMS
1. California
a. The definition of “Applicable Data Protection Law” includes the California Consumer Privacy Act (CCPA).
b. The terms “business”, “commercial purpose”, “service provider”, “sell” and “personal information” have the meanings given in the CCPA.
c. With respect to Customer Personal Data, RudderStack is a service provider under the CCPA.
d. RudderStack will not (a) sell Customer Personal Data; (b) retain, use or disclose any Customer Personal Data for any purpose other than for the specific purpose of providing the Services, including retaining, using or disclosing the Customer Personal Data for a commercial purpose other than providing the Services; or (c) retain, use or disclose the Customer Personal Data outside of the direct business relationship between RudderStack and Customer.
e. The parties acknowledge and agree that the Processing of Customer Personal Data authorized by Customer’s instructions described in Section 6 of this DPA is integral to and encompassed by RudderStack’s provision of the Services and the direct business relationship between the parties.
f. Notwithstanding anything in the Agreement or any Order Form entered in connection therewith, the parties acknowledge and agree that RudderStack’s access to Customer Personal Data does not constitute part of the consideration exchanged by the parties in respect of the Agreement.
2. EEA
a. The definition of “Applicable Data Protection Laws” includes the General Data Protection Regulation (EU 2016/679)(“GDPR”).
b. When RudderStack engages a Subprocessor under Section 7 (Subprocessing), it will:
(i) require any appointed Subprocessor to protect Customer Personal Data to the standard required by Applicable Data Protection Laws, such as including the same data protection obligations referred to in Article 28(3) of the GDPR, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the GDPR; and
(ii) require any appointed Subprocessor to agree in writing to only process data in a country that the European Union has declared to have an “adequate” level of protection; or to only process data on terms equivalent to the Standard Contractual Clauses.
c. GDPR Penalties. Notwithstanding anything to the contrary in this DPA or in the Agreement (including, without limitation, either party’s indemnification obligations), neither party will be responsible for any GDPR fines issued or levied under Article 83 of the GDPR against the other party by a regulatory authority or governmental body in connection with such other party’s violation of the GDPR.
3. Switzerland
a. The definition of “Applicable Data Protection Laws” includes the Swiss Federal Act on Data Protection.
b. When RudderStack engages a Subprocessor under Section 7 (Subprocessing), it will
(i) require any appointed Subprocessor to protect Customer Personal Data to the standard required by Applicable Data Protection Laws, such as including the same data protection obligations referred to in Article 28(3) of the GDPR, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the GDPR; and
(ii) require any appointed Subprocessor to agree in writing to only process data in a country that the European Union has declared to have an “adequate” level of protection; or to only process data on terms equivalent to the Standard Contractual Clauses.
4. United Kingdom
a. References in this DPA to GDPR will to that extent be deemed to be references to the corresponding laws of the United Kingdom (including the UK GDPR and Data Protection Act 2018).
b. When RudderStack engages a Subprocessor under Section 7 (Subprocessing), it will
(i) require any appointed Subprocessor to protect Customer Personal Data to the standard required by Applicable Data Protection Laws, such as including the same data protection obligations referred to in Article 28(3) of the GDPR, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the GDPR; and
(ii) require any appointed Subprocessor to agree in writing to only process data in a country that the UK has declared to have an “adequate” level of protection; or to only process data on terms equivalent to the Standard Contractual Clauses.