This DataStax Console Privacy and Data Processing Policy (“Console DPP”) forms a part of the DataStax Astra Terms (the “Agreement”) or other agreement(s) entered into between you or the entity which you represent (“Customer”) and DataStax,Inc.. In this Console DPP capitalised terms will have the meanings given to them as set out in section 17.

  1. Scope
    1. This Console DPP applies to the use by Customer of the DataStax Console, whether accessed or purchased via the Console or via Other Consoles.
    2. This Console DPP governs the processing of Customer Account Data, Payment Data and Support Data which is the Personal Data that is processed by DataStax in relation to the use of the DataStax Console by Customer, except as stated within this Console DPP.
    3. Customer acknowledges and agrees that in order to use DataStax Astra, the Customer must use the DataStax Console and/or Other Consoles. Customer therefore acknowledges and agrees that the processing of Customer Account Data, Payment Data and Support Data is governed by the Console DPP, and that the processing of Customer Data is governed by the DataStax Astra DPP. 
    4. This Console DPP does not govern Payment Data for Customers who use Other Consoles to purchase DataStax Astra.
    5. In respect of sections 1.1 and 1.2, the Customer and DataStax have entered into this Console DPP to ensure that adequate safeguards are put in place with respect to the protection of such Personal Data as required by the EU Data Protection Laws and other applicable laws.
    6. Each party will comply with all applicable rules, regulations and laws to it, including the performance of this Console DPP.
  2. Personal Data Processing 
    1. The type of Personal Data (categories of data) that may be processed pursuant to this Console DPP and the subject matter, duration, nature (processing operations), purpose of the processing, and the categories of Data Subjects, are as described in this section 2 and section 3  as amended from time to time. Customer shall use all reasonable endeavours to avoid making Personal Data, other than such Personal Data requested by DataStax, accessible by DataStax.
    2. Each of the Customer and DataStax warrant in relation to Personal Data that it will where applicable comply (and will procure that any of its staff and/or Processors comply) with EU Data Protection Laws and all other applicable laws.
    3. In respect of the parties' rights and obligations regarding the processing of Personal Data under this Console DPP, the parties hereby acknowledge and agree that DataStax is the Controller as defined under this Console DPP and accordingly DataStax agrees that it shall process all Personal Data, defined under section 3, in accordance with its obligations pursuant to this Console DPP.
  3. DataStax details
    1. DataStax, Inc.  is the Data Controller of Personal Data, as set out under this Console DPP.
    2. How to contact us regarding this Console DPP:

      privacy@datastax.com
    3. DataStax’s Data Protection Officers’ details:

      privacy@datastax.com
    4. DataStax, Inc address:

      3975 Freedom Circle
      4th Floor
      Santa Clara, California 95054 
      United States of America
    5. Details of Personal Data Processing:

      Subject Matter: Payment Data, Customer Account Data, Support Data

      Categories of data subjects: Customer’s staff;

      Categories of data:

      Payment Data: Bank account and payment card details such as: email address, unique customer identifier, order identification, bank account details, payment card details, card expiration date, card security code, billing address, date/time/amount of transaction, merchant name/identification, location, other regulated or restricted payment information. Financial data such as: balance data, balance transaction data, transactions data, card brand, card funding type, customer description, payment destination, ID of the bank account or card the payout was sent to, unique identifiers connected to transaction data and balance transaction data. 

      Customer Account Data: First name, last name, company name, date of registration, email address;

      Support Data: provided by Customer in connection with receiving support services, as decided by Customer but likely to include: first name, last name, organisation identification and possibly email address. The Customer will have the options to also provide: locale for user, organisation identification (name of organisation is required but Customer can add additional information), phone number, and a photo;

      Special categories of data:

      DataStax does not intend to process any special categories of data;

      Purpose of data processing:

      Payment Data:

           A. to effectuate payment by the Customer that is necessary for the provision of DataStax Products;
           B. to ensure compliance of all applicable laws for DataStax (e.g. compliance with Anti - Money Laundering and  fraud prevention obligations);
           C. the provision of services initiated by Customer from time to time;
           D. analysis; and
           E. provision of information relating to DataStax products.

      Account Data:

           A. the provision of services initiated by Customer from time to time;
           B. verification;
           C. ensure security of relevant data;
           D. account management activities;
           E. relevant outreach activities;
           F. information provision;
           G. provision of information relating to DataStax products;
           H. analysis;

      Support Data:

           A. resolution of Customer queries;
           B. support, maintenance and advice to Customer in relation to provision of the Products; and
           C. development and improvement of the Products.

      Processing operations:

      Payment Data is collected, analysed, and communicated to DataStax on behalf of DataStax which is initiated by Customer, as set out under the Agreement. 

      Customer Account Data processing operations: storage, analysis, verification, operational. 

      Support Data: processing operations: Storage, analysis, verification and computation of data;

      Duration of processing:

      The duration of the processing between DataStax and Customer is determined under this Console DPP, the Agreement, and by the Customer.
  4. Legal basis for processing Personal Data
    1. DataStax’s legal basis for processing Personal Data as described in section 3, except “provision of information relating to DataStax Products”, is that the processing is necessary for the performance of the Agreement or that the processing is necessary for the purposes of the legitimate interests pursued by DataStax, except where such interests are overridden by the interests or fundamental rights and freedoms of the Data Subject which require protection of Personal Data, in particular where the Data Subject is a child.
    2. legitimate Interests pursued by DataStax are:
      1. the provision of the Products to Customer;
      2. performance of the Agreement and DPP between DataStax and Customer;
      3. improvement of DataStax products and user experience,
      4. compliance with any applicable laws.
    3. Where DataStax processes information for the purposes of the “provision of information relating to DataStax products” as described in section 3, DataStax does so on the lawful basis of consent. That is the Data Subject (Customer) has given consent for the processing of Personal Data for this purpose (provision of information relating to DataStax Products).
  5. Independent Controller/Payment Data
    1. Section 5 is not applicable to Customers who purchase or acquire Products through Other Consoles.
    2. DataStax currently uses Stripe, a payment provider and vendor, in order to provide certain Products.
    3. Customer provides DataStax and Stripe with Payment Data, which is set out in section 5.5, which DataStax is an Independent Data Controller of, as defined in section 3, and to the extent that Stripe operates and manages the electronic commerce platform and facilitates payment transactions on the DataStax Console, on behalf and for DataStax, then Stripe is our Data Processor. 
    4. Stripe for the same Payment Data provided to DataStax, which is defined in section 5.5, is also an Independent Controller to the extent that Stripe processes Personal Data involved in payment transactions for their own purposes, as is defined and stated under the applicable agreement and privacy policy between Customer and Stripe which will control such processing of data and personal data and to which this Console DPP will not control the processing of such data. Where Stripe processes Personal Data as an Independent Controller Customer will enter an agreement with Stripe for the protection of their Personal Data.
    5. Stripe processes the following categories of data as disclosed by their privacy policy: payment card details such as: email address, unique customer identifier, order identification, bank account details, payment card details, card expiration date, card security code, date/time/amount of transaction, merchant name/identification, location, other regulated or restricted payment information.
    6. Stripe’s purposes for processing as disclosed by their privacy policy is: 
      1. monitor, prevent and detect fraudulent payment transactions, and to prevent harm to Customer, vendor and Vendor’s affiliates, and to third parties;
      2. comply with legal or regulatory obligations applicable to the processing and retention of Payment Data to which Vendor is subject, including applicable to the processing and retention of Payment Data to which Vendor is subject, including applicable anti-money laundering screening and compliance with know-your-customer obligations (“AML & KYC Obligations”); 
      3. analyze, develop and improve Vendor’s products and services; 
      4. provide the Vendor’s products and services to Vendor’s users.
    7. Should Customer not wish to engage with the processing described in section 5 they may object to such processing, however DataStax will not be able to provide DataStax Astra and dependent upon timing of objection DataStax can only terminate processing of Personal Data where DataStax acts as an Independent Controller.
  6. Sharing of Personal Data
    1. DataStax shares the Personal Data described in section 3 with the following categories of recipients:
           A. Suppliers and/or vendors;
           B.  Customer.
  7. DataStax Obligations
    1. With respect to all Personal Data, and insofar as DataStax processes Personal Data, DataStax warrants that it shall:
      1. only process the Personal Data, described in section 3, in order to provide the Products and shall act only in accordance with this Console DPP and the Agreement;
      2. if applicable laws require DataStax to process Personal Data other than pursuant to this Console DPP, DataStax will notify the Customer (unless prohibited from so doing by applicable laws);
      3. implement appropriate technical and organisational measures to ensure a level of security appropriate to the risks that are presented by the processing, in particular protection against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data. Such measures include, without limitation, the security measures set out at https://www.datastax.com/products/datastax-security-assurance;
    2. take reasonable steps to ensure that only authorised personnel have access to such Personal Data and that any persons whom it authorises to have access to the Personal Data are under obligations of confidentiality;
    3. as soon as reasonably practicable following termination or expiry of the Agreement or other such longer period as specified in the Console DPP or the Agreement, DataStax will delete Personal Data (including copies thereof) processed pursuant to this Console DPP, unless required to retain the Personal Data by applicable laws;
  8. Customer Obligations
    1. Customer agrees that, taking into account DataStax obligations under this Console DPP, Customer is solely responsible for its use of  the DataStax Console to ensure:
      1. that Customer does not disclose or otherwise compromise the DataStax Console access details, which includes Customer Account Data;
      2. that unless otherwise directed by DataStax in writing, Customer shall not make any Personal Data accessible to or by DataStax outside of such Personal Data that is requested by DataStax;
      3. that Customer warrants that it has all and any applicable legal consents and authority required by any applicable laws  to disclose any and all Personal Data that it shares with DataStax.
  9. Data Subject Rights and Information
    1. The Data Subject has the right to request from DataStax access to and rectification or erasure of Personal Data or restriction of processing concerning the Data subject or to object to processing as well as the right to data portability;
    2. the right to lodge a complaint with a Supervisory Authority (the Information Commissioner’s Office being DataStax lead Supervisory Authority);
    3. the provision of Personal Data is necessary to enter into a contract;
    4. the Data Subject is not obliged to provide the Personal Data, however without such information DataStax cannot provide the Products for the Customer.
  10. Security 
    1. DataStax recognises and takes the privacy and security of its Customer seriously. DataStax's approach to security can be found at: https://www.datastax.com/products/datastax-security-assurance
  11. Processing
    1. The Customer grants a general authorisation: (a) to DataStax to appoint other members of the DataStax Group as Data Processors; and (b) to DataStax and other members of the DataStax Group to appoint third party data centre operators, providers of information technology tools, and outsourced service providers as Sub-Processors to support the performance and delivery of the DataStax Console. 
    2. DataStax will maintain a list of relevant Data Processors at the following URL: https://www.datastax.com/security/subprocessors and will add the names of new and replacement Processors as applicable from time to time.  
    3. At least 30 days before DataStax engages any new/replacement Data Processors DataStax will provide  a mechanism that will notify the Customer of a change(s). 
    4. The Customer may object to any new or replacement Data Processor, by writing to DataStax objecting to such a change. The parties will seek to resolve the matter in good faith, DataStax may use a new or replacement Processor whilst the objection procedure in this section, 11.4, is in process.
    5. Section 11.4 does not affect the Customers right to also or alternatively object to the change(s) in Data Processor(s) by terminating the Agreement by giving DataStax written notice, provided DataStax is given such notice within sixty (60) days of such notice of the change(s) being given to Customer as described in section 11.3.
    6. DataStax will ensure that any Data Processor it engages to provide the services on its behalf in connection with the Agreement does so only on the basis of a written contract which imposes on such Data Processor terms substantially no less protective of Personal Data than those imposed on DataStax in this Console DPP. DataStax shall procure the performance by such Data Processor of the Relevant Terms.
  12. Data Transfers
    1. The Customer acknowledges that the provision of the DataStax Console under the Agreement may require the processing of Personal Data by DataStax and its Data Processor(s) in countries outside the EEA from time to time.
    2. In relation to any processing of Personal Data by DataStax that takes place in a country outside the EEA that is not an Adequate Country, the parties agree that the Standard Contractual Clauses are incorporated into this Console DPP (found here: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32004D0915&from=EN) and deemed to have been executed by the parties (such that DataStax will comply with the obligations of the ‘data importer’ in the Standard Contractual Clauses and the Customer will comply with the obligations of 'data exporter') and that the Appendices in Annex B (Appendices to the SCCs) of this Console DPP shall be incorporated into those Standard Contractual Clauses and shall apply in respect of that processing.
    3. The following terms shall apply to the Standard Contractual Clauses:
      1. Customer may exercise its right of audit under clause II(g) of the Standard Contractual Clauses as set out in, and subject to the requirements of, section 12.2 and 13 of this Console DPP;
      2. DataStax may appoint Data Processors as set out, and subject to the requirements of sections 11 and 12.3 of this Console DPP; if, in the performance of this Console DPP and/or the Agreement, DataStax transfers any Personal Data to a Data Processor (which shall include without limitation any affiliates of DataStax) and without prejudice to section 11 where such Data Processor will process Personal Data outside the EEA, DataStax shall in advance of any such transfer ensure that a mechanism to achieve adequacy in respect of that processing is in place such as:
        1. the requirement for DataStax to execute or procure that the third party execute on behalf of the Customer standard contractual clauses approved by the EU authorities under EU Data Protection Laws;
        2. the requirement for the third party to be certified under the Privacy Shield framework; or
        3. the existence of any other specifically approved safeguard for data transfers (as recognised under the EU Data Protection Laws) and/or a European Commission finding of adequacy.
  13. Audit and Records
    1. DataStax shall, in accordance with and to the extent required by EU Data Protection Laws and Clause II(g) of the Standard Contractual Clauses where applicable, make available to the Customer such information in DataStax's possession or control as the Customer may reasonably request and which DataStax is lawfully entitled to disclose with a view to demonstrating DataStax's compliance with the obligations of Data Processors under EU Data Protection Law in relation to its processing of Personal Data.
    2. The Customer where applicable may exercise its right of audit under EU Data Protection Laws and Clause II(g), through DataStax providing: 
      1. to Customer a summary of an audit report provided that the applicable audit(s): are performed periodically; are assessed against relevant standards; are conducted by a qualified third party auditor(s) selected by DataStax but otherwise conducted with all due and necessary independence and professionalism; and are documented in a report that affirms that DataStax's controls meet the standards against which they are assessed; and
      2. additional information in DataStax's possession or control to an Supervisory Authority when it requests or requires additional information in relation to the data processing activities carried out by DataStax under this Console DPP, unless DataStax is  prohibited from doing so by applicable laws.
    3. DataStax shall further provide detailed written responses (on a confidential basis) to all reasonable requests for information made by Customer, including responses to information security and audit questionnaires, that Customer considers necessary under Clause II(g) of the Standard Contractual Clauses.
    4. Customer shall promptly notify DataStax with information regarding any non-compliance discovered during the course of a review of the audit summaries and additional information provided by DataStax, and DataStax shall use commercially reasonable efforts to address any confirmed non-compliance.
    5. This section does not affect the rights of Data Subjects or Supervisory Authorities under the Standard Contractual Clauses where applicable, nor does it vary or modify the Standard Contractual Clauses where they are applicable.
    6. Section 13 is subject to the Customer and DataStax having an applicable non-disclosure or confidentiality agreement in place, the Customer agrees to enter such an agreement pursuant to exercising its rights under section 13.
  14. Request for Financial Resources Proof
    1. DataStax shall, in accordance with and to the extent required by Clause II(f) of the Standard Contractual Clauses where applicable, make available to the Customer such information in DataStax's possession or control as the Customer may reasonably request and which DataStax is lawfully entitled to disclose with a view to demonstrating DataStax's compliance with the obligations under the Standard Contractual Clauses.
    2. The Customer where applicable may exercise its right that DataStax provide evidence of financial resources sufficient to fulfil its responsibilities under clause III (which may include insurance coverage), under Standard Contractual Clause II(f), through DataStax providing: 
      1. to Customer a summary of an insurance policy that is active.
    3. Customer shall promptly notify DataStax with information regarding any non-compliance discovered during the course of reviewing such a summary of an insurance policy as described in section 14.2.1 and DataStax shall use commercially reasonable efforts to address any confirmed non-compliance.
    4. This section does not affect the rights of Data Subjects or Supervisory Authorities under the Standard Contractual Clauses where applicable, nor does it vary or modify the Standard Contractual Clauses where they are applicable.
    5. Section 14 is subject to the Customer and DataStax having an applicable non-disclosure or confidentiality agreement in place, the Customer agrees to enter such an agreement pursuant to exercising its rights under section 14.
  15. Requests for Personal Data
    1. If a government or government agency demands that DataStax supply it with Personal Data as defined in section 3 of this Console DPP, DataStax will attempt to direct the government (or agency) towards making a request directly to the Customer. DataStax may therefore supply the government (or agency) with limited contact information, Customer Account Data that is known or available to DataStax from Console Data. If compelled by the government (or agency) to disclose Personal Data related to this Console DPP, as defined under section 3, DataStax will first give Customer reasonable notice of this so that Customer may seek a protective, injunctive or other such appropriate judicial or otherwise order, unless DataStax is prohibited by applicable laws from giving Customer such notice. If the Standard Contractual Clauses apply, nothing in this section varies or modifies the Standard Contractual Clauses.
  16. Conflict of terms
    1. This Console DPP is without prejudice to the rights and obligations of the parties under the Agreement which shall continue to have full force and effect. In the event of any conflict between the terms of this Console DPP and the terms of the Agreement, the terms of this Console DPP shall prevail so far as the subject matter concerns the processing of Personal Data within the scope of this Console DPP..
  17. Miscellaneous 
    1. If the Customer decides that a Security Breach must be notified to any Supervisory Authority and/or Data Subjects and/or the public or portions of the public, the Customer will notify DataStax before the communication is made and supply DataStax with copies of any written documentation to be filed with the Supervisory Authority and of any notification the Customer proposes to make (whether to any Supervisory Authority, Data Subjects the public or portions of the public) which references DataStax, its security measures and/or role in the Security Breach, whether or not by name. Subject to the Customer's compliance with any mandatory notification deadlines under the GDPR, the Customer will consult with DataStax in good faith and take account of any clarifications or corrections DataStax reasonably requests to such notifications and which are consistent with the GDPR.
    2. DataStax's liability to the Customer and to each member of the Customer Group (taken together) under or in connection with this Console DPP (including under the Standard Contractual Clauses incorporated via section 12 of this Console DPP) shall be subject to the same limitations and exclusions of liability as apply under the Agreement as if that liability arose under the Agreement.  Nothing in this Console DPP will limit DataStax's liability in respect of personal injury or death in negligence or for any other liability or loss which may not be limited by agreement under applicable law. 
    3. This Console DPP sets out all of the terms that have been agreed between the parties in relation to the Processing of Personal Data as defined in sections 1, 2 and 3.  Other than in respect of statements made fraudulently, no other representations or terms shall apply or form part of this Console DPP.
    4. A person who is not a party to this Console DPP shall not have any rights to enforce this Console DPP including (where applicable) under the Contracts (Rights of Third Parties) Act 1999 of the United Kingdom to enforce any term of this Console DPP.  
    5. Should any provision of this Console DPP be invalid or unenforceable, then the remainder of this Console DPP shall remain valid and in force.  The invalid or unenforceable provision shall be either amended as necessary to ensure its validity and enforceability, while preserving the parties’ intentions as closely as possible or, if this is not possible, construed in a manner as if the invalid or unenforceable part had never been contained therein. 
    6. Without prejudice to clause II (h) (iii), clause IV, and clause V of the Standard Contractual Clauses, this Console DPP shall be governed by and construed in accordance with the laws of the country of territory stipulated for this purpose in the Agreement and each of the parties agrees to submit to the choice of jurisdiction as stipulated in the Agreement in respect of any claim or matter arising under this Console DPP
    7. Other than in respect of any accrued liabilities of either party and the provisions of this section 17, this Console DPP shall terminate automatically on the expiry or termination for whatever reason of the Agreement. 
  18. Definitions and Interpretation 
    1. The following expressions are used in this Console DPP: 
      1. "Adequate Country" means a country or territory that is recognised under EU Data Protection Laws      from time to time as providing adequate protection for personal data;
      2. Agreement” means the DataStax Astra Terms that the Customer entered into with DataStax for the provision of DataStax Products;
      3. Astra DPP” means this “DataStax Astra Privacy and Data Processing Policy”;
      4. Breach Notice” means an announcement by either DataStax or Customer of a Security Breach,  to anyone or entity other than DataStax or Customer; 
      5. DataStax Console” means the DataStax registration, billing, deployment, configuration, monitoring and reporting platform for the Cloud Services available at constellation.datastax.com; 
      6. Clauses” means the Standard Contractual Clauses incorporated by section 12 of this Console DPP and Annex 1, and Appendices therein incorporated, incorporated into those Standard Contractual Clauses by section 12.2.2 of this Console DPP;
      7. Console Data” means Payment Data, Customer Account Data, Support Data 
      8. Console DPP” means the “DataStax Console Privacy and Data Processing Policy”;
      9. Customer”, “Customers”, “Customer’s”, “You”, “you” means you or the entity which you represent;  
      10. Customer Account Data” means the data created or made available by the Customer in order to purchase and use the Products, but which is not: 1) Payment Data and/or 2) Customer Data;
      11. Customer Data” means any and all electronic data or information, including Personal Information which is: transferred to, created in, stored in, processed in, or modified in the Customer’s Database by Customer, Customer’s end-users or entities/persons acting on its behalf;
      12. "Customer Group" means Customer and any corporate entities which are from time to time: (a) under Common Control with Customer; and (b) established and/or doing business in the European Economic Area or Switzerland;
      13. Data Exporter”, “data exporter” is defined by the Standard Contractual Clauses;
      14. Data importer”, “data importer” is defined by the Standard Contractual Clauses;
      15. Data Subject”, “data subject” shall have the meaning ascribed to it in the EU Data Protection Laws;
      16. "Data Subject Request" means a request from or on behalf of a Data Subject relating to and including the exercise of their rights under articles 12 to 23 of the GDPR which include but are not limited to,  access to, or rectification, erasure or data portability in respect of that person’s Personal Data or an objection from or on behalf of a Data Subject to the processing of its Personal Data;
      17. DataStax” means DataStax, Inc;
      18. DataStax Astra” means the DataStax cloud service designated “DataStax Astra”, which hosts Customer Data, for Customer, which is managed and which operations are initiated by Customer. For purposes of this Console DPP, DataStax Astra does not mean the DataStax Console or Other Consoles;
      19. DataStax Console Privacy and Data Processing Policy” means this “DataStax Console Privacy and Data Processing Policy”;
      20. "DataStax Group" means DataStax and any corporate entities which are from time to time under Common Control with or by DataStax;
      21. EEA” means the European Economic Area.
      22. "EU Data Protection Laws" means all laws and regulations, including laws and regulations of the European Union, the European Economic Area, their member states and the United Kingdom, applicable to the processing of Personal Data under the Agreement, including (where applicable) the GDPR;
      23. "GCP Console" means the Google Cloud Customer portal for the registration, billing, deployment, configuration, monitoring and/or reporting for DataStax Astra for Customers who purchased via the Google Cloud Platform Marketplace, which may be subject to additional Google terms and conditions;
      24. "GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (known as the General Data Protection Regulation);
      25. "Google Cloud Platform Marketplace” means the Google service available at https://cloud.google.com/marketplace/;
      26. Other Consoles” means means a console for the registration, billing, deployment, configuration, monitoring and/or reporting for DataStax Astra, including the GCP Console;
      27. Payment Data” means the data provided by Customer to DataStax comprising, only, payment card or bank account and other regulated / restricted / sensitive information that is necessary to effect payment for the Products;
      28. "Personal Data" means all data which is defined as ‘Personal Data’ in the EU Data Protection Laws and to which EU Data Protection Laws apply and which is provided by the Customer to DataStax or accessed, stored or otherwise processed by DataStax; 
      29. Privacy Shield” means the framework, under which Personal Data flows to the United States of America, established by the ‘European Commission Implementing Decision (EU) 2016/1250 OF 12 July 2016’ in the Official Journal of the European Union; 
      30. "Processing", "Data Controller", "Data Subject", “Sub-Processor”,"Supervisory Authority" and "Data Processor" shall have the meanings ascribed to them in the EU Data Protection Laws; 
      31. "Products" means the applicable software subscriptions and/or services that Customer has procured from DataStax under the Agreement;
      32. Relevant Terms” means the agreement that DataStax imposes, or will impose, upon any Data Processor it engages to provide the services on its behalf in connection with the Agreement and which terms are substantially no less protective of Personal Data than those imposed on DataStax in this Console DPP;
      33. Security Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data that DataStax processes under this Console DPP. A Security Breach will not include unsuccessful attempts or activities that do not compromise the security of the Personal Data processed under this Console DPPin DataStax’s reasonable opinion, including unsuccessful attempts and activities such as: pings, unsuccessful log in, firewall attacks, no compromise of security of Console Data, port scans, denial of service attacks, or other similar events and attacks;
      34. Standard Contractual Clauses” means the Controller-to-Controller standard contractual clauses as referred to in COMMISSION DECISION of 27 December 2004 2001/497/EC(as referred to in https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32004D0915&from=EN); and
      35. Support Data” means data provided by Customer, or required to be accessible by DataStax, in order for DataStax to assist Customer, as requested by Customer, in the provision of the Products, for example queries raised by Customer encountering errors, which may include the processing of Customer Account Data.
    2. An entity "Controls" another entity if it: (a) holds a majority of the voting rights in it; (b) is a member or shareholder of it and has the right to remove a majority of its board of directors or equivalent managing body; (c) is a member or shareholder of it and controls alone or pursuant to an agreement with other shareholders or members, a majority of the voting rights in it; or (d) has the right to exercise a dominant influence over it pursuant to its constitutional documents or pursuant to a contract; and two entities are treated as being in "Common Control" if either controls the other (directly or indirectly) or both are controlled (directly or indirectly) by the same entity.

Annex B

Appendices to the SCCs

As further described in section 12 of the Console DPP, the following Appendices are incorporated into the SCCs entered into between the parties to the DPP.  

Appendix B

to the Standard Contractual Clauses

This Appendix forms part of the Clauses and must be completed and signed by the parties

The Member States may complete or specify, according to their national procedures, any additional necessary information to be contained in this Appendix

DESCRIPTION OF THE TRANSFER

(To be completed by the parties)

Data subjects

The personal data transferred concern the following categories of data subjects:

The categories of data are defined in section 3 of the DataStax Console Privacy and Data Processing Policy.

Purposes of the transfer(s)

The transfer is made for the following purposes:

The purposes of the transfer are defined in section 3 of the DataStax Console Privacy and Data Processing Policy.

Categories of data

The personal data transferred the following categories of data:

The categories of data are defined in section 3 of the DataStax Console Privacy and Data Processing Policy.

Recipients

The personal data transferred may be disclosed only to the following recipients or categories of recipients:

The recipients or categories of recipients are defined in section 6 and 12 of the DataStax Console Privacy and Data Processing Policy.

Sensitive data (if appropriate)

The personal data transferred concern the following categories of sensitive data:

The special categories of data are defined in section 3 of the DataStax Console Privacy and Data Processing Policy.

Data protection registration information of data exporter (where applicable)

Additional useful information (storage limits and other relevant information)

Data importer acts as an Independent Controller. The Data exporter acts as an Independent Controller. Data importer does not act as a processor. Data importer does not act as a joint-controller.  Data exporter is not a processor of Data importer.

Contact points for data protection enquiries

Data importer
DataStax, Inc                               
privacy@datastax.com      
3975 Freedom Circle
4th Floor
Santa Clara, California 95054, United States of America

Data exporter

Is the Customer,  “Customer” being defined under this Console Privacy and Data Processing Policy.

Appendix C

to the Standard Contractual Clauses

This Appendix forms part of the Clauses and must be completed and signed by the parties.

Description of the technical and organisational security measures implemented by the data importer in accordance with Clauses II(a) and 5(c) (or document/legislation attached):

The technical and organisational security measures set out at: 

https://www.datastax.com/products/datastax-security-assurance

as amended from time to time.