This DataStax Astra Privacy and Data Processing Policy (“DataStax Astra DPP”) forms a part of the DataStax Astra Terms (the “Agreement”) or other agreement(s) entered into between you or the entity which you represent (“Customer”) and DataStax, Inc. (“DataStax”). In this DataStax Astra DPP capitalised terms will have the meanings given to them as set out in section 13.

  1. Scope
    1. This DataStax Astra DPP applies to the use by Customer of DataStax Astra.
    2. This DataStax Astra DPP governs the processing of Customer Data which is the Personal Data that is processed by DataStax in connection with Customer’s use of the DataStax Astra services.
    3. Customer acknowledges and agrees that in order to use DataStax Astra, the Customer must use the DataStax Console and/or Other Consoles. Customer therefore acknowledges and agrees that the processing of Customer Account Data, Payment Data and Support Data is governed by the Console DPP, and that the processing of Customer Data is governed by the DataStax Astra DPP.
    4. This DataStax Astra DPP is updated from time to time by DataStax.
    5. In respect of sections 1.1 and 1.2, Customer and DataStax have entered into this DataStax Astra DPP to ensure that adequate safeguards are put in place with respect to the protection of such Personal Data as required by the EU Data Protection Laws and other applicable laws.
    6. Each party will comply with all rules, regulations and laws applicable to it, including the performance of this DataStax Astra DPP.
  2. Personal Data Processing 
    1. The type of Personal Data (categories of data) that may be processed pursuant to this DataStax Astra DPP and the subject matter, duration, nature (processing operations), purpose of the processing, and the categories of Data Subjects, are as described in this section 2 and section 3  as amended from time to time. Customer shall use reasonable endeavours to avoid making Personal Data accessible by DataStax, other than such Personal Data requested by DataStax.
    2. Each of the Customer and DataStax warrant in relation to Personal Data that it will comply (and will procure that any of its staff and/or Sub-Processors comply), with the EU Data Protection Laws and all other applicable data protection laws.  As between the parties, the Customer shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which the Customer acquired Personal Data.
    3. In respect of the parties' rights and obligations under this DataStax Astra DPP regarding the processing of Personal Data, the parties hereby acknowledge and agree that the Customer is the Data Controller or Data Processor and depending on the exact circumstances DataStax will be the Data Processor or Data Sub-Processor, for example where Customer processes Personal Data on behalf of a data controller and DataStax then processes such Personal Data on behalf of Customer DataStax would be acting as a Sub-Processor, and accordingly DataStax agrees that it shall process all Personal Data in accordance with its obligations pursuant to this DataStax Astra DPP.
    4. Any queries regarding this DataStax Astra DPP should be emailed to privacy@datastax.com.
  3. Details of Personal Data Processing:
    1. Subject Matter: Customer Data

      Categories of data subjects: 

      The Customer decides the categories, which may include Customer’s end-users, staff, vendors and Customer’s customers;

      Categories of data:

      Uploaded to DataStax Astra by Customer, as decided by Customer;

      Special categories of data:

      DataStax does not intend to process any special categories of data, provided, however where Customer does upload such data to the DataStax Astra, it is decided by Customer and Customer retains all ownership, management of, and processing purpose decision power of such data;

      Purpose of data processing:

           A. the provision of the DataStax Astra initiated by the Customer from time to time;
           B. to comply with the Agreement; and 
           C. to comply with other reasonable instructions given by the Customer under the terms of the Agreement, and as required by applicable laws.

      Processing operations:

      The storage, analysis, management, compute and other services as set out in the Agreement under which process operations are initiated by Customer from time to time;

      Duration of processing:

      The duration of the processing between DataStax and Customer is determined under this DataStax Astra DPP, the Agreement, and by the Customer.
  4. DataStax Obligations
    1. With respect to all Personal Data under this DataStax Astra DPP, and insofar as DataStax processes Personal Data pursuant to this DataStax Astra DPP, DataStax warrants that it shall:
      1. only process the Personal Data in order to provide the Products and shall act only in accordance with this DataStax Astra DPP and the Agreement and the Customer's written instructions as represented by the Agreement and this DataStax Astra DPP;
      2. if applicable laws require DataStax to process Personal Data other than pursuant to the Customer's instruction, DataStax will notify the Customer (unless prohibited from doing so by applicable laws);
      3. as soon as reasonably practicable upon becoming aware, inform the Customer if, in DataStax's opinion, any instructions provided by the Customer infringe the GDPR;
      4. implement appropriate technical and organisational measures to ensure a level of security appropriate to the risks that are presented by the processing, in particular protection against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data. Such measures include, without limitation, the security measures set out at https://www.datastax.com/products/datastax-security-assurance;
      5. take reasonable steps to ensure that only authorised personnel have access to such Personal Data and that any persons whom it authorises to have access to the Personal Data are under obligations of confidentiality;
      6. promptly notify the Customer if it receives a Data Subject Request pertaining to the Customer Data.  Unless required by applicable laws, DataStax shall not respond to a Data Subject Request received by DataStax without the Customer’s prior written consent except to confirm that such request relates to the Customer to which the Customer hereby agrees. To the extent Customer does not have the ability to address a Data Subject Request, DataStax shall upon the Customer’s request provide reasonable assistance to facilitate a Data Subject Request to the extent DataStax is able to under any applicable laws (provided that Customer shall pay DataStax’s costs for providing such assistance at DataStax's standard consultancy rates). In providing reasonable assistance to facilitate  a Data Subject Request, DataStax is not required to view, manage, access or otherwise similar actions as regards Customer Data but rather is to help facilitate the Customer in doing this;
      7. As soon as reasonably practicable following termination or expiry of the Agreement or completion of applicable Product delivery, DataStax will delete or, upon Customer’s request, return to the Customer all Personal Data processed pursuant to this DataStax Astra DPP, unless required to retain the Personal Data by applicable law.   
      8. provide such assistance as the Customer reasonably requests (taking into account the nature of processing and the information available to DataStax) to the Customer in relation to the Customer’s obligations under EU Data Protection Laws with respect to: (a) data protection impact assessments (as such term is defined in the GDPR); (b) notifications to the Supervisory Authority under EU Data Protection Laws and/or communications to Data Subjects by the Customer in response to any Security Breach; and (c) the Customer’s compliance with its obligations under the GDPR with respect to the security of processing, provided in each case that Customer shall pay DataStax’s charges for providing such assistance at DataStax's standard consultancy rates. In providing reasonable assistance to facilitate  Customer obligations, DataStax is not required to view, manage, access or otherwise similar actions Customer Data but rather is to help facilitate the Customer in doing so.
  5. Customer Obligations
    1. While using DataStax Astra, Customer agrees that, taking into account DataStax obligations under this DataStax Astra DPP, the Customer is responsible for ensuring:
      1. the implementation and maintenance of the appropriate security controls and tools available, some of which are set out at https://www.datastax.com/products/datastax-security-assurance which explains the shared security responsibilities of the parties, to Customer in relation to the proportionate risk to Customer’s Customer Data, which may help Customer to meet its technical and organisational obligations under the GDPR;
      2. that Customer does not disclose or otherwise compromise the DataStax Console access details, which may include Customer Account Data;
      3. that Customer is using and implementing back-up options available to Customer for Customer Data;
      4. that unless otherwise directed by DataStax in writing, Customer shall not make any Personal Data accessible to or by DataStax outside of the standard operating procedures for delivery of DataStax Astra;
    2. Customer acknowledges that DataStax has no responsibility to protect or back-up Customer Data that Customer elects to move, transfer, partially or fully store outside of DataStax’s and its Sub-Processors’ systems, e.g. to an on-premise system.
  6. Security Breach Notification
    1. DataStax as soon as reasonably practicable upon becoming aware, will 1) notify the Customer of any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data processed under this DataStax Astra DPP, that DataStax processed on behalf of Customer, 2) take reasonable necessary steps to mitigate, stop, and prevent any damage that the Security Breach may cause upon any Personal Data processed under this DataStax Astra DPP;
    2. a Security Breach will not include unsuccessful attempts or activities that do not compromise the security of any Personal Data processed under this DataStax Astra DPP, or data that is not Personal Data, in DataStax’s reasonable opinion, including unsuccessful attempts and activities such as: pings, unsuccessful log in, firewall attacks, no compromise of security of Personal Data under this DataStax Astra DPP, port scans, denial of service attacks, or other similar events and attacks; 
    3. DataStax will use its sole discretion to decide how to notify Customer of a Security Breach, e.g. by telephone, and it is the responsibility of the Customer to ensure that its contact details within the DataStax Console and Customer Account Data are up-to-date, accurate and that such communication method(s) are secure; 
    4. promptly provide the Customer with reasonable cooperation and assistance in good faith in respect of the Security Breach and all information in DataStax's possession concerning the Security Breach; (a) not make any announcement about a Security Breach (a "Breach Notice") without: (b) the prior written consent from the Customer;
      1. such prior written consent shall include approval by the Customer of the content, media and timing of the Breach Notice; and
      2. such prior written consent from Customer will not be required by DataStax to make a disclosure or announcement where applicable laws require DataStax to make such a disclosure or announcement;
    5. in giving reasonable cooperation and assistance DataStax is not required to access or view Customer Data but rather will give reasonable assistance to enable Customer to perform this task. Customer is solely responsible for complying with any applicable laws regarding notification that apply to Customer and fulfilling such requirements;
    6. DataStax in providing notification of a Security Breach under this section does not admit to or acknowledge any liability or fault as regards to the Security Breach notified under this section; and
    7. If the Customer determines that a Security Breach must be notified to any Supervisory Authority and/or Data Subjects and/or the public or portions of the public, the Customer will notify DataStax before the communication is made and supply DataStax with copies of any written documentation to be filed with the Supervisory Authority and of any notification the Customer proposes to make (whether to any Supervisory Authority, Data Subjects the public or portions of the public) which references DataStax, its security measures and/or role in the Security Breach, whether or not by name. Subject to the Customer's compliance with any mandatory notification deadlines under the GDPR, the Customer will consult with DataStax in good faith and take account of any clarifications or corrections DataStax reasonably requests to such notifications and which are consistent with the GDPR.
  7. Sub-Processing
    1. The Customer grants a general authorisation: (a) to DataStax to appoint other members of the DataStax Group as Sub-Processors; and (b) to DataStax and other members of the DataStax Group to appoint third party data centre operators, providers of information technology tools, and outsourced service providers as Sub-Processors to support the performance and delivery of DataStax Astra. 
    2. DataStax will maintain a list of relevant Sub-Processors at the following URL: https://www.datastax.com/security/subprocessors and will add the names of new and replacement Sub-Processors as applicable from time to time.  
    3. At least 30 days before DataStax engages any new/replacement Sub-Processors DataStax will provide  a mechanism that will notify the Customer of any change(s). 
    4. The Customer may object to any new or replacement Sub-Processor, by writing to DataStax objecting to such a change. The parties will seek to resolve the matter in good faith. DataStax may use a new or replacement Sub-Processor whilst the objection procedure in this section, 7.4, is in process.
    5. Section 7.4 does not affect the Customer’s right to also or alternatively object to the change(s) in Sub-Processors by terminating the Agreement by giving DataStax written notice, provided DataStax is given such notice within sixty (60) days of such notice of the change(s) being given to Customer as described in section 7.3.
    6. DataStax will ensure that any Sub-Processor it engages to provide the services on its behalf in connection with the Agreement does so only on the basis of a written contract which imposes on such Sub-Processor terms substantially no less protective of Personal Data than those imposed on DataStax in this DataStax Astra DPP. DataStax shall procure the performance by such Sub-Processor of the Relevant Terms and shall be liable to the Customer for any breach by such person of any of the Relevant Terms.
  8. Data Transfers
    1. The Customer acknowledges that the provision of DataStax Astra under the Agreement may require the processing of Personal Data by DataStax and its Sub-Processors in countries outside the EEA from time to time.
    2. In relation to any processing of Personal Data by DataStax that takes place in a country outside the EEA that is not an Adequate Country, the parties agree that the Standard Contractual Clauses are incorporated into this DataStax Astra DPP (found here: https://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX%3A32010D0087) and deemed to have been executed by the parties (such that DataStax will comply with the obligations of the ‘data importer’ in the Standard Contractual Clauses and the Customer will comply with the obligations of 'data exporter') and that the Appendices in Annex 1 (Appendices to the SCCs) of this DataStax Astra DPP shall be incorporated into those Standard Contractual Clauses and shall apply in respect of that processing.
    3. The following terms shall apply to the Standard Contractual Clauses:
      1. Customer may exercise its right of audit under clause 5.1(f) of the Standard Contractual Clauses as set out in, and subject to the requirements of section 8.2 and 9 of this DataStax Astra DPP;
      2. DataStax may appoint Sub-Processors as set out in, and subject to the requirements of sections 7 and 8.3 of this DataStax Astra DPP; if, in the performance of this DataStax Astra DPP and/or the Agreement, DataStax transfers any Personal Data to a Sub-Processor (which shall include without limitation any affiliates of DataStax) and without prejudice to section 7 where such Sub-Processor will process Personal Data outside the EEA, DataStax shall in advance of any such transfer ensure that a mechanism to achieve adequacy in respect of that processing is in place such as:
        1. the requirement for DataStax to execute or procure that the third party execute on behalf of the Customer Standard Contractual Clauses approved by the EU authorities under EU Data Protection Laws;
        2. the requirement for the third party to be certified under the Privacy Shield framework; or
        3. the existence of any other specifically approved safeguard for data transfers (as recognised under the EU Data Protection Laws) and/or a European Commission finding of adequacy.
  9. Audit and Records
    1. DataStax shall, in accordance with and to the extent required by EU Data Protection Laws and Clause 5(f) of the Standard Contractual Clauses where applicable, make available to the Customer such information in DataStax's possession or control as the Customer may reasonably request and which DataStax is lawfully entitled to disclose with a view to demonstrating DataStax's compliance with the obligations of Data Processors under EU Data Protection Law in relation to its processing of Personal Data.
    2. The Customer may exercise its right of audit under EU Data Protection Laws, through DataStax providing: 
      1. to Customer a summary of an audit report provided that the applicable audit(s): are performed periodically; are assessed against relevant standards; are conducted by a qualified third party auditor selected by DataStax but otherwise conducted with all due and necessary independence and professionalism; and are documented in a report that affirms that DataStax's controls meet the standards against which they are assessed; and
      2. additional information in DataStax's possession or control to an EU supervisory authority when it requests or requires additional information in relation to the data processing activities carried out by DataStax under this DataStax Astra DPP unless DataStax is  prohibited from doing so by applicable laws.
    3. DataStax shall further provide detailed written responses (on a confidential basis) to all reasonable requests for information made by Customer, including responses to information security and audit questionnaires, that Customer considers necessary to confirm DataStax's compliance with the EU Data Protection Laws.
    4. Customer shall promptly notify DataStax with information regarding any non-compliance discovered during the course of a review of the audit summaries and additional information provided by DataStax, and DataStax shall use commercially reasonable efforts to address any confirmed non-compliance.
    5. Nothing in Clause 9 shall modify or change the Standard Contractual Clauses where applicable. Should the Customer wish to change its instruction regarding Clause 8.1 of this DataStax Astra DPP in order to carry out an Audit under applicable Standard Contractual Clause 5(f), then Customer may send written notice in accordance with such written notice provision under the Agreement requesting so. If DataStax declines to change such an instruction, then DataStax may terminate the Agreement.
    6. This section does not affect the rights of Data Subjects or Supervisory Authorities under the Standard Contractual Clauses where applicable, nor does it vary or modify the Standard Contractual Clauses where they are applicable.
    7. If the information provided to Customer, in section 9.2 and 9.4, is not sufficient to demonstrate compliance with EU Data Protection Laws then at DataStax’s sole discretion DataStax Customer may send written notice in accordance with such written notice provision under the Agreement, requesting an on-site audit of DataStax’s processing procedures in relation to Personal Data, but only to the extent as required under the EU Data Protection Laws or other applicable laws. Customer will reimburse DataStax for its reasonable costs in relation to any such on-site audit. Details on such fees will be provided to Customer, including how such fees were calculated, in advance of such an audit. Customer will be liable to pay any and all fees by an auditor appointed by Customer to carry out such an audit.
    8. Customer and DataStax will mutually agree, if Customer exercises clause 9.7, upon the date, duration and scope of the audit. The Customer and DataStax will also agree upon reasonable security and confidentiality agreements and measures to be imposed upon the Customer in carrying out any such audit under section 9.7. The reasonable costs of such an audit will be paid for by Customer and the details of such fees will be calculated in advance, including how such a fee was calculated, and given to the Customer.
    9. DataStax may object in writing to the appointment of any auditor, for the purposes of section 9.7 to 9.8, if in DataStax’s reasonable opinion the auditor lacks the relevant qualifications, lacks independence, is a competitor (whether directly or indirectly) or is for some other reason manifestly unsuitable. Such an objection by DataStax would require the Customer to conduct the audit themselves or to choose another auditor.
    10. Section 9 is subject to the Customer and DataStax having an applicable non-disclosure or confidentiality agreement in place; the Customer agrees to enter such an agreement pursuant to exercising its rights under section 9.
  10. Requests for Personal Data
    1. If a government or government agency demands that DataStax supply it with Personal Data as defined in section 3 of this DataStax Astra DPP, DataStax will attempt to direct the government (or agency) towards making a request directly to the Customer. DataStax may therefore supply the government (or agency) with limited contact information, Customer Account Data that is known or available to DataStax from Console Data. If compelled by the government (or agency) to disclose Personal Data related to this DataStax Astra DPP, as defined under section 3, DataStax will first give Customer reasonable notice of this so that Customer may seek a protective, injunctive or other such appropriate judicial or otherwise order, unless DataStax is prohibited by applicable laws from giving Customer such notice. If the Standard Contractual Clauses apply, nothing in this section varies or modifies the Standard Contractual Clauses.
  11. Conflict of terms
    1. This DataStax Astra DPP is without prejudice to the rights and obligations of the parties under the Agreement which shall continue to have full force and effect. In the event of any conflict between the terms of this DataStax Astra DPP and the terms of the Agreement, the terms of this DataStax Astra DPP shall prevail so far as the subject matter concerns the processing of Personal Data under this DataStax Astra DPP.
  12. Miscellaneous 
    1. DataStax's liability to the Customer and to each member of the Customer Group (taken together) under or in connection with this DataStax Astra DPP (including under the Standard Contractual Clauses) shall be subject to the same limitations and exclusions of liability as apply under the Agreement as if that liability arose under the Agreement.  Nothing in this DataStax Astra DPP will limit DataStax's liability in respect of personal injury or death in negligence or for any other liability or loss which may not be limited by agreement under relevant law. 
    2. This DataStax Astra DPP sets out all of the terms that have been agreed between the parties in relation to the subject matter covered by it.  Other than in respect of statements made fraudulently, no other representations or terms shall apply or form part of this DataStax Astra DPP.
    3. A person who is not a party to this DataStax Astra DPP shall not have any rights to enforce this DataStax Astra DPP including (where applicable) under the Contracts (Rights of Third Parties) Act 1999 of the United Kingdom to enforce any term of this DataStax Astra DPP.  
    4. Should any provision of this DataStax Astra DPP be invalid or unenforceable, then the remainder of this DataStax Astra DPP shall remain valid and in force.  The invalid or unenforceable provision shall be either amended as necessary to ensure its validity and enforceability, while preserving the parties’ intentions as closely as possible or, if this is not possible, construed in a manner as if the invalid or unenforceable part had never been contained therein. 
    5. Without prejudice to clause 7 (Mediation and Jurisdiction) and 9 (Governing Law) of the Standard Contractual Clauses, this DataStax Astra DPP shall be governed by and construed in accordance with the laws of the country or territory stipulated for this purpose in the Agreement and each of the parties agrees to submit to the choice of jurisdiction as stipulated in the Agreement in respect of any claim or matter arising under this DataStax Astra DPP.
    6. Other than in respect of any accrued liabilities of either party and the provisions of this section 12, this DataStax Astra DPP shall terminate automatically on the expiry or termination for whatever reason of the Agreement.
  13. Definitions and Interpretation
    1. The following expressions are used in this DataStax Astra DPP: 
      1. "Adequate Country" means a country or territory that is recognised under EU Data Protection Laws from time to time as providing adequate protection for Personal Data;
      2. “Agreement” means the DataStax Astra Terms that the Customer entered into with DataStax for the provision of DataStax Products;
      3. “DataStax Astra DPP” means this “DataStax Astra Privacy and Data Processing Policy”;
      4. “Breach Notice” means an announcement by either DataStax or Customer of a Security Breach,  to anyone or entity other than DataStax or Customer; 
      5. “Clauses” means the Standard Contractual Clauses incorporated by section 8 of this DataStax Astra DPP and Annex 1, and Appendices therein incorporated, incorporated into those Standard Contractual Clauses by section 8.2 of this DataStax Astra DPP;
      6. “Console Data” means Payment Data, Customer Account Data, and Support Data;
      7. “Console DPP” means the “DataStax Console Privacy and Data Processing Policy”;
      8. “Customer”, “Customers”, “Customer’s”, “You”, “you” means you or the entity which you represent;  
      9. “Customer Account Data” means the data created or made available by the Customer in order to purchase and use the Products, but which is not: 1) Payment Data and/or 2) Customer Data;
      10. “Customer Data” means any and all electronic data or information, including Personal Information which is: transferred to, created in, stored in, processed in, or modified in Customer’s DataStax Astra database by Customer, Customer’s end-users or entities/persons acting on Customer’s behalf;
      11. "Customer Group" means Customer and any corporate entities which are from time to time: (a) under Common Control with Customer; and (b) established and/or doing business in the European Economic Area or Switzerland;
      12. “Data Exporter” is defined by the Standard Contractual Clauses;
      13. “Data importer” is defined by the Standard Contractual Clauses;
      14. “Data Subject” shall have the meaning ascribed to it in the EU Data Protection Laws;
      15. "Data Subject Request" means a request from or on behalf of a Data Subject relating to and including the exercise of their rights under articles 12 to 23 of the GDPR which include but are not limited to,  access to, or rectification, erasure or data portability in respect of that person’s Personal Data or an objection from or on behalf of a Data Subject to the processing of its Personal Data;
      16. “DataStax” means DataStax, Inc;
      17. “DataStax Astra” means the DataStax cloud service designated “DataStax Astra”, which hosts Customer Data, for Customer, which is managed and which operations are initiated by Customer. For the purposes of this DataStax Astra DPP, DataStax Astra does not mean the DataStax Console or Other Consoles;
      18. “DataStax Console” means the applicable DataStax registration, billing, deployment, configuration, monitoring and reporting platform for DataStax Astra available at astra.datastax.com;  
      19. “DataStax Console Privacy and Data Processing Policy” means the “DataStax Console Privacy and Data Processing Policy”;
      20. "DataStax Group" means DataStax and any corporate entities which are from time to time under Common Control with or by DataStax; 
      21. “EEA” means the European Economic Area.
      22. "EU Data Protection Laws" means all laws and regulations, including laws and regulations of the European Union, the European Economic Area, their member states and the United Kingdom, applicable to the processing of Personal Data under the Agreement, including (where applicable) the GDPR;
      23. "GCP Console" means the Google Cloud Customer portal for the registration, billing, deployment, configuration, monitoring and/or reporting for DataStax Astra for Customers who purchased via the Google Cloud Platform Marketplace, which may be subject to additional Google terms and conditions;
      24. "GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (known as the General Data Protection Regulation);
      25. “Google Cloud Platform Marketplace” means the Google service available at https://cloud.google.com/marketplace/ ;
      26. “Other Consoles” means a console for the registration, billing, deployment, configuration, monitoring and/or reporting for DataStax Astra, including the GCP Console;
      27. “Payment Data” means the data provided by Customer to DataStax comprising, only, payment card or bank account and other regulated / restricted / sensitive information that is necessary to effect payment for the Products;
      28. "Personal Data" means all data which is defined as ‘Personal Data’ in the EU Data Protection Laws and to which EU Data Protection Laws apply and which is provided by the Customer to DataStax or accessed, stored or otherwise processed by DataStax; 
      29. “Privacy Shield” means the framework, under which Personal Data flows to the United States of America, established by the ‘European Commission Implementing Decision (EU) 2016/1250 OF 12 July 2016’ in the Official Journal of the European Union;
      30. "Processing", "Data Controller", "Data Subject", “Sub-Processor”, "Supervisory Authority" and "Data Processor" shall have the meanings ascribed to them in the EU Data Protection Laws;
      31. "Products" means the applicable software subscriptions, products,  and/or services that Customer has procured from DataStax under the Agreement;
      32. “Relevant Terms” means the agreement that DataStax imposes, or will impose, upon any Sub-Processor it engages to provide the services on its behalf in connection with the Agreement and which terms are substantially no less protective of Personal Data than those imposed on DataStax in this DataStax Astra DPP;
      33. “Security Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data that DataStax processes under this DataStax Astra DPP. A Security Breach will not include unsuccessful attempts or activities that do not compromise the security of the Personal Data processed under this DataStax Astra DPP in DataStax’s reasonable opinion, including unsuccessful attempts and activities such as: pings, unsuccessful log in, firewall attacks, no compromise of security of Console Data, port scans, denial of service attacks, or other similar events and attacks;
      34. “Standard Contractual Clauses” means the Controller-to-Processor Standard Contractual Clauses as referred to in European Commission Decision 2010/87/EU (as referred to in https://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX%3A32010D0087); and
      35. “Support Data” means data provided by Customer, or required to be accessible by DataStax, in order for DataStax to assist Customer, as requested by Customer, in the provision of support for the Products, for example queries raised by Customer encountering errors, which may include the processing of Customer Account Data.
    2. An entity "Controls" another entity if it: (a) holds a majority of the voting rights in it; (b) is a member or shareholder of it and has the right to remove a majority of its board of directors or equivalent managing body; (c) is a member or shareholder of it and controls alone or pursuant to an agreement with other shareholders or members, a majority of the voting rights in it; or (d) has the right to exercise a dominant influence over it pursuant to its constitutional documents or pursuant to a contract; and two entities are treated as being in "Common Control" if either controls the other (directly or indirectly) or both are controlled (directly or indirectly) by the same entity.

 

Annex 1 

Appendices to the SCCs

As described in section 8 of the DataStax Astra Privacy and Data Processing Policy, the following Appendices are incorporated into the Standard Contractual Clauses and entered into between the parties to the DataStax Astra Privacy and Data Processing Policy. 

Appendix 1

to the Standard Contractual Clauses

This Appendix forms part of the Standard Contractual Clauses which are incorporated by section 8 of this DataStax Astra Privacy and Data Processing Policy. 

The Member States may complete or specify, according to their national procedures, any additional necessary information to be contained in this Appendix.

Data exporter

The data exporter is (please specify briefly your activities relevant to the transfer):

Customer and its Affiliates. Customer is the legal entity that entered into (along with the data importer, DataStax, Inc.) the agreement (''Agreement'') under which DataStax provides certain Products (as defined in the Agreement) to Customer and/or its Affiliates. The data exporter shall use all reasonable endeavours to avoid making personal data accessible by the data importer.

Data importer

The data importer is (please specify briefly activities relevant to the transfer):

DataStax, Inc. (“DataStax”).  DataStax is a provider of the DataStax Astra service which may be used by the data exporter in accordance with the terms of the Agreement.

Data subjects

The Data subjects are defined in section 3 of the DataStax Astra Data Privacy and Data Processing Policy.

Categories of data

The Categories of data are defined in section 3 of the DataStax Astra Data Privacy and Data Processing Policy.

Special categories of data (if appropriate)

The Special categories of data are defined in section 3 of the DataStax Astra Privacy and Data Processing Policy.

Processing operations

The processing operations are defined in section 3 of the DataStax Astra Privacy and Data Processing Policy.

Appendix 2

to the Standard Contractual Clauses

This Appendix forms part of the Standard Contractual Clauses incorporated by section 8 of this DataStax Astra Privacy and Data Processing Policy.

Description of the technical and organisational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) (or document/legislation attached):

The technical and organisational security measures set out at: https://www.datastax.com/products/datastax-security-assurance as amended from time to time. 

Appendix 3 

to the Standard Contractual Clauses

This Appendix forms part of the Standard Contractual Clauses which are incorporated by section 8 of this DataStax Astra Privacy and Data Processing Policy.

This Appendix sets out the parties’ interpretation of their respective obligations under specific Standard Contractual Clauses identified below. Where a party complies with the interpretations set out in this Appendix, that party shall be deemed by the other party to have complied with its commitments under those Standard Contractual Clauses, incorporated by section 8 of this DataStax Astra Privacy and Data Processing Policy.

  1. Clause 4(h) and 8: Disclosure of these Clauses
    1. Nothing herein shall prevent disclosure of these Clauses by data exporter to a third party to comply with applicable laws, including to a data subject pursuant to Clause 4(h) or a supervisory authority pursuant to Clause 8.
  2. Clause 5(a): Suspension of data transfers and termination
    1. The parties acknowledge that data importer may process the personal data only on behalf of the data exporter and in compliance with its instructions as provided by the data exporter and the Clauses.
    2. The parties acknowledge that if data importer cannot provide such compliance for whatever reason, it agrees to inform promptly the data exporter of its inability to comply, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract.
    3. If the data exporter intends to suspend the transfer of personal data and/or terminate the contract, it shall endeavour to provide notice to the data importer and provide data importer with a reasonable period of time to cure the non-compliance (''Cure Period'').
    4. If after the Cure Period the data importer has not or cannot cure the non-compliance then the data exporter may suspend or terminate the transfer of personal data and/or terminate the contract immediately. The data exporter shall not be required to provide such notice and Cure Period in instances where it considers there is a material risk of harm to data subjects or their personal data.
  3. Clause 5(f): Audit
    1. Section 9 of this DataStax Astra Privacy and Data Processing Policy shall ensure compliance with clause 5(f) of the Standard Contractual Clauses and Customer acknowledges and agrees to this. Customer instructs DataStax in relation to clause 5(f) of the Standard Contractual Clauses via clause 9 of this DataStax Astra Privacy and Data Processing Policy.
  4. Clause 5(j): Disclosure of sub-Processor agreements
    1. The parties acknowledge the obligation of the data importer to send promptly a copy of any onward Sub-Processor agreement it concludes under the Standard Contractual Clauses to the data exporter.
    2. The parties further acknowledge that, pursuant to Sub-Processor confidentiality restrictions, data importer may be restricted from disclosing onward Sub-Processor agreements to data exporter. Notwithstanding this, data importer shall use reasonable efforts to require any Sub-Processor it appoints to permit it to disclose the Sub-Processor agreement to data exporter.
    3. Even where data importer cannot disclose a Sub-Processor agreement to data exporter, the parties agree that, upon the request of data exporter, data importer shall (on a confidential basis) provide all information it reasonably is able to provide in connection with such sub-processing agreement to data exporter.
  5. Clause 6: Liability
    1. Any claims brought under the Clauses shall be subject to the terms and conditions, including but not limited to, the exclusions and limitations set forth in the Agreement. In no event shall any party limit its liability with respect to any data subject rights under these Clauses.
  6. Clause 11: Onward Sub Processing
    1. Section 7 of this DataStax Astra Privacy and Data Processing Policy shall ensure compliance with clause 11 of the Standard Contractual Clauses and Customer acknowledges and agrees to this. Customer instructs DataStax in relation to clause 11 of the Standard Contractual Clauses via section 7 of this DataStax Astra Privacy and Data Processing Policy.