
Cerby Customer Data Processing Addendum

Effective date: January 1, 2025

Last review: January 1, 2025

This Data Processing Addendum ("DPA") forms part of, and is subject to, the Master SaaS Agreement or other written or electronic terms of service or subscription agreement between the member of the Cerby Group that is a party to such agreement (“Cerby”) and the legal entity defined as ‘Customer’ thereunder together with all Customer Affiliates who are signatories to an Order Form for their own Service Account pursuant to such agreement (collectively, for purposes of this DPA, “Customer”) (such agreement, the “Agreement”). This DPA shall be effective on the effective date of the Agreement, unless this DPA is separately executed in which case it’s effective on the date of the last signature ("Effective Date"). All capitalized terms not defined in this DPA shall have the meanings set forth in the Definitions section of the Cerby Terms of Service (https://www.cerby.com/terms-of-service).

1. Definitions.

"California Consumer Privacy Act" or "CCPA" means the California Consumer Privacy Act of 2018, Cal. Civ. Code 1798.100 et seq., as amended, including the California Privacy Rights Act.

"Customer Personal Data" means any Personal Data that is Customer Data under the Agreement.

"Data Controller" means an entity that determines the purposes and means of the Processing of Personal Data.

"Data Processor" means an entity that Processes Personal Data on behalf of a Data Controller.

"Data Protection Laws" means all data protection and privacy laws applicable to the respective party in its role in the Processing of Personal Data under the Agreement, including, where applicable, EU & UK Data Protection Law and the CCPA.

"Data Subject" means the identified or identifiable natural person to whom Customer Personal Data relates.

"EU & UK Data Protection Law" means (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation) ("GDPR") and (ii) the United Kingdom’s Data Protection Act 2018, including the GDPR as implemented by the laws of the United Kingdom.

"Services" means the Service procured by Customer, and any other services provided by Cerby under the Agreement, including but not limited to support and technical services.

"Personal Data" means any information, including opinions, relating to an identified or identifiable natural person and includes similarly defined terms in Data Protection Laws, including, but not limited to, the definition of “personal information” in the CCPA.

"Processing" shall mean any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination and "Process", "Processes" and "Processed" will be interpreted accordingly.

"Purposes" shall mean (i) Cerby’s Processing of Customer Personal Data via provision of the Service under the Agreement, any Order Form and this DPA, including Processing initiated by Users in their use of the Service, and (ii) further documented, reasonable instructions from Customer agreed upon by the parties and consistent with the Agreement.

"Security Incident" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Customer Personal Data.

"Standard Contractual Clauses" or “SCCs” means: (i) where the GDPR applies, the standard contractual clauses annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (“EU SCCs”) and (ii) where the UK GDPR applies, the applicable standard data protection clauses adopted pursuant to Article 46(2)(c) or (d) of the UK GDPR (“UK SCCs”). In the context of this DPA, this means the EU SCCs for Controller to Processor as approved by the European Commission in the form set out in Annex A. Appendices 1 and 2 of the EU SCCs shall be as set forth in this DPA at Section 3.4 (Details of Data Processing) and 5.1 (Security Measures), respectively, and any addenda applicable to the UK SCCs.

"Sub-processor" means any other Data Processors engaged by a member of the Cerby Group to Process Customer Personal Data.

2. Scope and Applicability of this DPA. This DPA applies where and only to the extent that Cerby Processes Customer Personal Data on behalf of Customer as Data Processor in the course of providing the Services.

3. Roles and Scope of Processing.

3.1 Role of the Parties. As between Cerby and Customer, Customer is either the Data Controller of Customer Personal Data, or if Customer is acting on behalf of a third-party Data Controller, then a Data Processor, and Cerby shall Process Customer Personal Data only as a Data Processor acting on behalf of Customer and, with respect to CCPA, as a “service provider” as defined therein. To the extent any Usage Data (as defined in the Agreement) is considered Personal Data under applicable Data Protection Laws, Cerby is the Data Controller of such data and shall Process such data in accordance with the Agreement and applicable Data Protection Laws.

3.2 Customer Instructions. Cerby will Process Customer Personal Data only for the Purposes. Customer shall ensure its Processing instructions are lawful and that the Processing of Customer Personal Data in accordance with such instructions will not violate applicable Data Protection Laws. The parties agree that the Agreement (including this DPA) sets out Customer’s complete and final instructions to Cerby for the Processing of Customer Personal Data. Any Processing outside the scope of these instructions will require prior written agreement between Customer and Cerby.

3.3 Customer Processing of Personal Data. Customer agrees that it: (i) will comply with its obligations under Data Protection Laws with respect to its Processing of Customer Personal Data; (ii) will make appropriate use of the Services to ensure a level of security appropriate to the particular content of the Customer Personal Data, such as pseudonymizing and backing-up Customer Personal Data; and (iii) has obtained all consents, permissions and rights necessary under Data Protection Laws for Cerby to lawfully Process Customer Personal Data for the Purposes, including, without limitation, Customer's sharing and/or receiving of Customer Personal Data with third-parties via the Services.

3.4 Details of Data Processing.

3.4.1 Subject matter: The subject matter of the Processing under this DPA is the Customer Personal Data.

3.4.2 Duration: Notwithstanding expiry or termination of the Agreement, this DPA and Standard Contractual Clauses (if applicable) will remain in effect until, and will automatically expire upon, deletion of all Customer Personal Data as described in this DPA.

3.4.3 Purpose: Cerby shall Process Customer Personal Data only for the Purposes.

3.4.4 Nature of the Processing: Cerby provides Services as described in the Agreement and any Order Form.

3.4.5 Categories of Data Subjects: The categories of Data Subjects to which Customer Personal Data relate are: Employees, agents, advisors, freelancers of Customer or its Affiliates (who are natural persons).

3.4.6 Types of Personal Data: The types of Customer Personal Data are:

(a) Identification and contact data (name, address, title, contact details);

(b) Employment details (employer, job title, geographic location, area of responsibility);

(c) and/or IT information (IP addresses, usage data, cookies data, location data).

3.4.7 Special Categories of Personal Data (if applicable): None.

4. Sub-processing.

4.1 Authorized Sub-processors. Customer generally authorizes the engagement of Sub-processors and specifically consents to Amazon Web Services (“AWS”) (for hosting, data analysis, computation, and storage), Datadog (for system logging and metrics) and Sentry (for error handling and alerting) listed here (the “Sub-processor Site”) as of the Effective Date. For clarity, this Section 4 (Sub-processing) constitutes Customer’s general consent for Cerby’s engagement of onward Sub-processors under the Standard Contractual Clauses.

4.2 Sub-processor Obligations. Cerby shall: (i) enter into a written agreement with each Sub-processor imposing data protection obligations no less protective of Customer Personal Data as Cerby’s obligations in this DPA to the extent applicable to the nature of the services provided by such Sub-processor; and (ii) remain liable for each Sub-processor’s compliance with the obligations in this DPA. Upon written request, Cerby shall provide Customer all relevant information it reasonably can in connection with its applicable Sub-processor agreements where required to satisfy Customer’s obligations under Data Protection Laws.

4.3 Changes to Sub-processors. Cerby shall make available on its Sub-processor Site a mechanism for Customer to subscribe to notifications of new Sub-processors. Cerby shall provide such notification at least fourteen (14) days in advance of allowing the new Sub-processor to Process Customer Personal Data (the “Objection Period”). During the Objection Period, Customer may object in writing to Cerby’s appointment of the new Sub-processor, provided that such objection is based on reasonable grounds relating to data protection. In such event, the parties will discuss Customer’s concerns in good faith with a view to achieving resolution. If Customer can reasonably demonstrate that the new Sub-processor is unable to Process Customer Personal Data in compliance with the terms of this DPA and Cerby cannot provide an alternative Sub-processor, or the parties are not otherwise able to achieve resolution as provided in the preceding sentence, Customer, as its sole and exclusive remedy, may terminate the Order Form(s) with respect only to those aspects of the Services which cannot be provided by Cerby without the use of the new Sub-processor by providing written notice to Cerby. Cerby will refund Customer any prepaid unused fees of such Order Form(s) following the effective date of termination with respect to such terminated Services.

5. Security.

5.1 Security Measures. Cerby shall implement and maintain appropriate technical and organizational security measures designed to protect Customer Personal Data from Security Incidents and to preserve the security and confidentiality of the Customer Personal Data in accordance with Cerby's Security Policy at https://www.cerby.com/security, incorporated herein by this reference. Cerby may review and update its Security Policy from time to time, provided that any such updates shall not materially diminish the overall security of the Services or Customer Personal Data.

5.2 Confidentiality of Processing. Cerby shall ensure that any person who is authorized by Cerby to Process Customer Personal Data (including its staff, agents and subcontractors) shall be under an appropriate obligation of confidentiality (whether a contractual or statutory duty).

5.3 No Assessment of Customer Personal Data by Cerby. Cerby shall have no obligation to assess the contents of Customer Personal Data to identify information subject to any specific legal requirements. Customer is responsible for reviewing the information made available by Cerby relating to data security and making an independent determination as to whether the Services meet Customer’s requirements and legal obligations under Data Protection Laws.

6. Customer Audit Rights.

6.1 Upon written request and at no additional cost to Customer, Cerby shall provide Customer, or its appropriately qualified third-party representative (collectively, the "Auditor"), access to reasonably requested documentation in the form of (i) AWS’ (or, if available, Cerby’s) ISO 27001, HITRUST CSF, and PCI-DSS third-party certifications, (ii) AWS’ (or, if available, Cerby’s) SOC 1 or SOC 2 audit reports, and (iii) Cerby's most recently completed industry standard security questionnaire, such as a SIG or CAIQ (collectively, “Reports”).

6.2 Customer may also, on 30 days prior written notice, send a written request for an audit (including inspection) of Cerby’s facilities. Following receipt by Cerby of such request, Cerby and Customer shall mutually agree in advance on the details of the audit, including reasonable start date, scope and duration of, and security and confidentiality controls applicable to, any such audit. Cerby may charge a fee (rates shall be reasonable, taking into account the resources expended by Cerby) for any such audit. The Reports, audit, and any information arising therefrom shall be Cerby's Confidential Information.

6.3 Where the Auditor is a third-party, the Auditor may be required to execute a separate confidentiality agreement with Cerby prior to any review of Reports or an audit of Cerby, and Cerby may object in writing to such Auditor, if in Cerby's reasonable opinion, the Auditor is not suitably qualified or is a direct competitor of Cerby. Any such objection by Cerby will require Customer to either appoint another Auditor or conduct the audit itself. Expenses incurred by Auditor in connection with any review of Reports or an audit, shall be borne exclusively by the Auditor. For clarity, the exercise of audit rights under the Standard Contractual Clauses shall be as described in this Section 6 (Customer Audit Rights).

7. Data Transfers.

7.1 Hosting and Processing Locations. Cerby will only host Customer Personal Data in the region(s) offered by Cerby and selected by Customer on an Order Form or as Customer otherwise configures via the Services (the “Hosting Region”). Customer is solely responsible for the regions from which its Users access the Customer Personal Data, for any transfer or sharing of Customer Personal Data by Customer or its Users and for any subsequent designation of other Hosting Regions (either for the same Account, a different Account, or a separate Service). Once the Hosting Region is agreed, Cerby will not Process Customer Personal Data from outside the Hosting Region except as necessary to comply with the law or binding order of a governmental body.

7.2 Transfer Mechanisms. For any transfers by Customer of Customer Personal Data from the European Economic Area and/or its member states, United Kingdom and/or Switzerland (collectively, “Restricted Countries”) to Cerby in a country which does not ensure an adequate level of protection (within the meaning of and to the extent governed by the Data Protection Laws of the Restricted Countries) (collectively, “Third Country”), such transfers shall be governed by a valid mechanism for the lawful transfer of Customer Personal Data recognized under Data Protection Laws, such as those directly below:

7.2.1 Standard Contractual Clauses (processors): Cerby agrees to abide by, and Process Customer Personal Data from the Restricted Countries in compliance with the Standard Contractual Clauses which are incorporated into this DPA by reference, and for these purposes Cerby shall be the "data importer" and Customer is the "data exporter" under the Standard Contractual Clauses (notwithstanding that Customer may be an entity located outside of a Restricted Country).

7.2.2 Notwithstanding the foregoing, if Cerby has adopted Binding Corporate Rules (BCRs) for Processors that cover the transfer of Customer Personal Data to a Third Country, then such BCRs shall govern the transfer of Customer Personal Data.

8. Return or Deletion of Data. Customer may retrieve or delete all Customer Personal Data upon expiration or termination of the Agreement as set forth in the Agreement. Subject to Section 10.3, any Customer Personal Data not deleted by Customer shall be deleted by Cerby promptly upon the later of (i) expiration or termination of the Agreement and (ii) expiration of any post-termination “retrieval period” set forth in the Agreement.

9. Security Incident Response.

9.1 Security Incident Reporting. If Cerby becomes aware of a Security Incident, Cerby shall notify Customer without undue delay, and in any case, where feasible, notify Customer within seventy-two (72) hours after becoming aware. Cerby shall promptly take reasonable steps to contain, investigate, and mitigate any Security Incident.

9.2 Security Incident Communications. Cerby shall provide Customer timely information about the Security Incident, including, but not limited to, the nature and consequences of the Security Incident, the measures taken and/or proposed by Cerby to mitigate or contain the Security Incident, the status of Cerby's investigation, a contact point from which additional information may be obtained, and the categories and approximate number of data records concerned. Notwithstanding the foregoing, Customer acknowledges that because Cerby personnel do not have visibility to the content of Customer Personal Data, it will be unlikely that Cerby can provide information as to the particular nature of the Customer Personal Data, or where applicable, the identities, number or categories of affected Data Subjects. Communications by or on behalf of Cerby with Customer in connection with a Security Incident shall not be construed as an acknowledgment by Cerby of any fault or liability with respect to the Security Incident.

10. Cooperation.

10.1 Data Subject Requests. To the extent legally permitted, Cerby shall promptly notify Customer if Cerby receives a request from a Data Subject that identifies Customer and seeks to exercise the Data Subject’s right to access, rectify, erase, transfer or port Customer Personal Data, or to restrict the Processing of Customer Personal Data (“Data Subject Request”). The Service provides Customer with a number of controls that Customer may use to assist it in responding to a Data Subject Request and Customer will be responsible for responding to any such Data Subject Request. To the extent Customer is unable to access the relevant Customer Personal Data within the Services using such controls or otherwise, taking into account the nature of the Processing, Cerby shall (upon Customer's written request) provide commercially reasonable cooperation to assist Customer in responding to any Data Subject Requests.

10.2 Data Protection Impact Assessments. Cerby shall provide reasonably requested information regarding the Services to enable Customer to carry out data protection impact assessments or prior consultations with data protection authorities as required by Data Protection Laws, so long as Customer does not otherwise have access to the relevant information.

10.3 Government, Law Enforcement, and/or Third Party Inquiries. If Cerby receives a demand to retain, disclose, or otherwise Process Customer Personal Data for any third party, including, but not limited to law enforcement or a government authority (“Third-Party Demand”), then Cerby shall attempt to redirect the Third-Party Demand to Customer. Customer agrees that Cerby can provide information to such third party as reasonably necessary to redirect the Third-Party Demand. If Cerby cannot redirect the Third-Party Demand to Customer, then Cerby shall, to the extent legally permitted to do so, provide Customer reasonable notice of the Third-Party Demand as promptly as feasible under the circumstances to allow Customer to seek a protective order or other appropriate remedy.

11. Relationship with the Agreement.

11.1 The parties agree that this DPA shall replace and supersede any existing data processing addendum, attachment or exhibit (including the Standard Contractual Clauses (as applicable)) that Cerby and Customer may have previously entered into in connection with the Services.

11.2 Except as provided by this DPA, the Agreement remains unchanged and in full force and effect. If there is any conflict between this DPA and the Agreement, this DPA shall prevail to the extent of that conflict in connection with the Processing of Customer Personal Data.

11.3 In no event shall this DPA or any party restrict or limit the rights of any Data Subject or of any competent supervisory authority.

11.4 This DPA will be governed by and construed in accordance with governing law and jurisdiction provisions in the Agreement.

Annex A
Standard Contractual Clauses (processors)

For the purposes of Article 26(2) of Directive 95/46/EC for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection.

THE PARTIES HAVE AGREED on the following Contractual Clauses (the Clauses) in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the data exporter to the data importer of the personal data specified in Appendix 1.

1. Transfers from the European Union. For transfers of Personal Information from the European Union, the EU SCCs are hereby incorporated by reference when they are available and are a valid transfer mechanism under applicable Data Protection Laws. The Parties further agree to the following provisions with respect to the EU SCCs:

1.1 Identity of the Parties. The data exporter is Customer, and the data importer is Cerby. Accordingly, Module Two (controller to processor) is the sole module applicable to transfers involving Personal Information.

1.2 Conflicts. In the event of any conflict or inconsistency between this DPA and the 2021 Standard Contractual Clauses, the 2021 Standard Contractual Clauses shall prevail.

1.3 Appendices. Responses to the Annexes to the 2021 Standard Contractual Clauses are provided in Appendices 1 and 2 set forth below.

1.4 Specific Provisions. The following specific provisions apply to the 2021 Standard Contractual Clauses:

(a) In Clause 7, the Parties do not permit docking.

(b) In Clause 9, the Parties select Option 2 and a time period of 14 days.

(c) In Clause 11, the Parties do not select the independent dispute resolution option.

(d) In Clauses 17 (Option 2) and 18(b), the Parties agree that the jurisdiction is the member state in which controller is established, or if the controller is not established in a member state, the Republic of Ireland.

Appendix 1 to the Standard Contractual Clauses

This Appendix forms part of the Clauses and must be completed by the parties.

Data exporter: The data exporter is the entity identified as the "Customer" in the Data Processing Addendum in place between data exporter and data importer and to which these Clauses are appended ("DPA").

Data importer: The data importer is Cerby, as defined in the DPA. Cerby provides enterprise cloud computing solutions, which process Customer Personal Data upon the instruction of the Customer in accordance with the terms of the Agreement.

Description of Data Processing: Please see Section 3.4 (Details of Processing) of the DPA for a description of the categories of data subjects, categories of data, special categories of data and processing operations.

Appendix 2 to the Standard Contractual Clauses

This Appendix forms part of the Clauses and must be completed by the parties.

Description of the technical and organisational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) (or document/legislation attached): As set forth in Section 5.1 of the DPA.