DataStax Product Data Processing Agreement
Privacy Terms · Last Updated Date: January 7, 2021
This DataStax Data Processing Agreement (“DPA”) forms a part of the DataStax Terms (the “Agreement”) or other agreement(s) entered into between you or the entity which you represent (“Customer”) and DataStax, Inc. This DPA governs any processing by DataStax of Customer Data that is also Personal Data ("Customer Personal Data"), where applicable, in relation to DataStax Products and Services (and as described in Section 1 of Annex 1 as amended from time to time). This DPA applies to the use by Customer of all DataStax Products and Services in order to ensure that adequate safeguards are put in place with respect to the protection of Personal Data as required by applicable Data Protection Laws.
1. Definitions: In this DPA, the following terms shall have the following meanings:
(a) "Controller", "Processor", "Data Subject", "Personal Data", "Processing" (and "Process") and "Special Categories of Personal Data" shall have the meanings given in Applicable Data Protection Law; and
(b) "Applicable Privacy Law(s)" means the relevant data protection and privacy law(s) to which each of the parties is subject, including (where relevant) but not limited to EU Data Protection Laws.
(c) "EU Data Protection Law(s)" means: (a) the General Data Protection Regulation (Regulation (EU) 2016/679) ("GDPR"); and (b) any and all applicable national data protection laws made under or pursuant to (a), including, for the avoidance of doubt, after European Union law ceases to apply to the United Kingdom ("UK"), the GDPR as it applies to UK by virtue of the UK's European Union (Withdrawal) Act 2018 and the UK Data Protection Act 2018; in each case as may be amended or superseded from time to time.
2. Customer Personal Data Processing
(a) The type of Customer Personal Data (categories of data) that may be processed pursuant to this DPA and the subject matter, duration, nature (processing operations), purpose of the processing, and the categories of Data Subjects, are to enable DataStax to supply the Products and Services to the Customer and fulfil its obligations to the Customer under the Agreement. Customer shall not make Personal Data, other than such Personal Data necessary for DataStax to provide the Products and/or Services, accessible to DataStax.
(b) Each of the Customer and DataStax warrants in relation to Customer Personal Data that it will where applicable comply (and will procure that any of its staff and/or Processors comply) with Applicable Privacy Laws and all other applicable laws.
(c) In respect of the parties' rights and obligations under the Agreement regarding the Customer Personal Data, the parties hereby acknowledge and agree that the Customer is the Controller and DataStax is the Processor and accordingly DataStax agrees that it shall process all Personal Data in accordance with its obligations pursuant to this DPA.
3. DataStax Obligations: With respect to all Customer Personal Data, and insofar as DataStax processes Customer Personal Data, DataStax warrants that it shall:
(a) only process the Customer Personal Data in order to provide the Products and/or Services and shall act only in accordance with this DPA and the Agreement;
(b) if applicable laws require DataStax to process Customer Personal Data other than pursuant to this DPA, DataStax will notify the Customer (unless prohibited from so doing by applicable laws);
(c) implement appropriate technical and organisational measures to ensure a level of security appropriate to the risks that are presented by the processing, in particular protection against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Customer Personal Data (a "Security Breach"). Such measures include, without limitation, the security measures set out at https://www.datastax.com/products/datastax-security-assurance;
(d) take reasonable steps to ensure that only authorised personnel have access to such Customer Personal Data and that any persons whom it authorises to have access to the Customer Personal Data are under obligations of confidentiality;
(e) as soon as reasonably practicable following termination or expiry of the Agreement or completion of applicable Product delivery, DataStax will delete or return to the Customer (at the Customer's direction) all Customer Personal Data (including copies thereof) processed pursuant to this DPA, unless required to retain the Customer Personal Data by applicable laws;
(f) if DataStax becomes aware of a confirmed Security Breach, DataStax will inform Customer without undue delay and shall provide the Customer with reasonable information and cooperation so that the Customer can fulfil any data breach reporting obligations it may have under (and in accordance with the timescales required by) Applicable Data Protection Law;
(g) not make any announcement about a Security Breach (a "Breach Notice") without:
(i) the prior written consent from the Customer; and
(ii) prior written approval by the Customer of the content, media and timing of the Breach Notice,
unless required to make a disclosure or announcement by applicable law;
(h) promptly notify the Customer if it receives a request from a Data Subject to exercise their rights under Applicable Data Protection Laws (including its rights of access, correction, objection, erasure and data portability, as applicable) (a "Data Subject Request"). Unless required by applicable law, DataStax shall not respond to a Data Subject Request received by DataStax without the Customer’s prior written consent except to confirm that such request relates to the Customer to which the Customer hereby agrees, and to the extent Customer does not have the ability to address a Data Subject Request, DataStax shall upon the Customer’s request provide reasonable assistance to facilitate a Data Subject Request to the extent DataStax is able to consistent with applicable law (provided that Customer shall pay DataStax’s costs for providing such assistance at DataStax's standard consultancy rates);
(i) provide such assistance as the Customer reasonably requests (taking into account the nature of processing and the information available to DataStax) to the Customer in relation to the Customer’s obligations under Applicable Privacy Laws with respect to:
(i) data protection impact assessments (as such term is defined in the GDPR);
(ii) notifications to the supervisory authority under EU Data Protection Laws and/or communications to data subjects by the Customer in response to any Security Breach; and
(iii) the Customer’s compliance with its obligations under the GDPR with respect to the security of processing,
provided that Customer shall pay DataStax’s charges for providing such assistance at DataStax's standard consultancy rates.
4. Customer Obligations
(a) Customer agrees that, taking into account DataStax's obligations under this DPA, Customer is solely responsible for its use of the DataStax Products and/or Services to ensure:
(i) that unless otherwise directed by DataStax in writing, Customer shall not make any Personal Data accessible to or by DataStax outside of such Personal Data that is required by DataStax in order to provide the DataStax Products and/or Services;
(ii) that Customer warrants that it has all and any applicable legal consents and authority required by any applicable laws to disclose any and all Personal Data that it shares with DataStax;
(iii) Customer warrants that they will not upload any data which is categorized under Data Restrictions under any relevant agreement for Products and/or Services.
(b) Customer shall comply with the obligations that apply to it under Applicable Privacy Laws.
(a) The Customer grants a general authorisation: (a) to DataStax to appoint other members of the DataStax Group as subprocessors; and (b) to DataStax to appoint third party data centre operators, providers of information technology tools, and outsourced service providers as subprocessors to support the performance and delivery of the DataStax Products and/or Services.
(b) DataStax will maintain a list of relevant subprocessors at the following URL: https://www.datastax.com/security/subprocessors and will add the names of new and replacement Processors as applicable from time to time.
(c) If the Customer has a reasonable objection to any new or replacement subprocessor, it shall notify DataStax of such objections in writing within ten (10) days of the notification and the parties will seek to resolve the matter in good faith. DataStax may use a new or replacement subprocessor whilst the objection procedure in this section is in process.
(d) DataStax will ensure that any subprocessor it engages to provide the services on its behalf in connection with the Agreement does so only on the basis of a written contract which imposes on such subprocessor terms substantially no less protective of Customer Personal Data than those imposed on DataStax in this DPA. DataStax shall procure the performance by such Data Processor with those terms.
(e) DataStax remains liable for any breach of this DPA that is caused by an act, error or omission of its subprocessor, subject to the other terms of the Agreement.
6. Data Transfers
(a) The Customer acknowledges that the provision of DataStax Products and/or Services under the Agreement may require the processing of Customer Personal Data by DataStax and its subprocessor(s) in countries outside the EEA or the UK from time to time.
(b) If, in the performance of this Addendum and/or the Agreement, DataStax transfers any Customer Personal Data to a subprocessor (which shall include without limitation any affiliates of DataStax) and without prejudice to section 4 where such subprocessor will process Customer Personal Data outside the EEA or the UK, DataStax shall in advance of any such transfer ensure that it has taken such measures as are necessary to ensure the transfer is compliant with EU Data Protection Law.
Such measures may include (without limitation) transferring the Customer Personal Data to a recipient in a country that the European Commission has decided provides adequate protection for Personal Data, to a recipient that has achieved binding corporate rules authorisation in accordance with EU Data Protection Law, or to a recipient that has executed standard contractual clauses adopted or approved by the European Commission in decision 2010/87/EU ("Standard Contract Clauses"), and as they may be updated from time to time, so long as such measures remain lawful.
(c) Where Standard Contractual Clauses are put in place between DataStax and a subprocessor and there is a conflict between the terms of this DPA (as passed down to the subprocessor) and the Standard Contract Clauses entered into between DataStax and the subprocessor, the Standard Contract Clauses will prevail.
7. Audit and Records
(a) DataStax shall, in accordance with and to the extent required by Applicable Privacy Laws, make available to the Customer such information in DataStax's possession or control as the Customer may reasonably request and which DataStax is lawfully entitled to disclose with a view to demonstrating DataStax's compliance with this DPA.
(b) The Customer may exercise its right of audit under Applicable Privacy Laws, through DataStax providing to Customer an audit report provided that the applicable audit(s): are performed periodically; are assessed against relevant standards; are conducted by auditors selected by DataStax but otherwise conducted with all due and necessary independence and professionalism; and are documented in a report that affirms that DataStax's controls meet the standards against which they are assessed.
(c) DataStax shall further provide detailed written responses (on a confidential basis) to all reasonable requests for information made by Customer, including responses to information security and audit questionnaires, that Customer considers necessary to confirm DataStax's compliance with the Applicable Privacy Laws.
(d) Customer shall promptly notify DataStax with information regarding any non-compliance discovered during the course of an audit, and DataStax shall use commercially reasonable efforts to address any confirmed non-compliance.
(a) If the Customer decides that a Security Breach must be notified to any Supervisory Authority and/or Data Subjects and/or the public or portions of the public, the Customer will notify DataStax before the communication is made and supply DataStax with copies of any written documentation to be filed with the Supervisory Authority and of any notification the Customer proposes to make (whether to any Supervisory Authority, Data Subjects, the public or portions of the public) which references DataStax, its security measures and/or role in the Security Breach, whether or not by name. The Customer will consult with DataStax in good faith and take account of any clarifications or corrections DataStax reasonably requests to such notifications and which are consistent with the GDPR.
(b) DataStax's liability to the Customer and Customer Group under or in connection with this DPA shall be subject to the same limitations and exclusions of liability as apply under the Agreement as if that liability arose under the Agreement. Nothing in this DPA will limit DataStax's liability in respect of personal injury or death in negligence or for any other liability or loss which may not be limited by agreement under applicable law.
(c) This DPA sets out all of the terms that have been agreed between the parties in relation to the Processing of Customer Personal Data as defined in this DPA. Other than in respect of statements made fraudulently, no other representations or terms shall apply or form part of this DPA.
(d) A person who is not a party to this DPA shall not have any rights to enforce this DPA including (where applicable) under the Contracts (Rights of Third Parties) Act 1999 of the United Kingdom to enforce any term of this DPA.
(e) Should any provision of this DPA be invalid or unenforceable, then the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall be either amended as necessary to ensure its validity and enforceability, while preserving the parties’ intentions as closely as possible or, if this is not possible, construed in a manner as if the invalid or unenforceable part had never been contained therein.
(f) Other than in respect of any accrued liabilities of either party and the provisions of this section, this DPA shall terminate automatically on the expiry or termination for whatever reason of the Agreement. Notwithstanding the foregoing, DataStax’s obligations hereunder with respect to any Customer Personal Data processed pursuant to this DPA shall continue until the later of the expiration or termination of the Agreement or DataStax’s deletion of Customer Personal Data.
Details of the Personal Data and Processing Activities
1. The Personal Data (if any) comprises:
DataStax does not intentionally collect or process Customer Personal Data in the course of providing its products and services.
Customer may make Customer Personal Data accessible by DataStax within the scope of provision of the applicable Products and Services by DataStax, the nature and extent of which is determined and controlled solely by the Customer.
The categories of data subjects whose Personal Data may be submitted by the Customer to DataStax in this way, in order for DataStax to provide the Services to the Customer, may include: (i) Customers’ staff involved in the procurement and receipt of the DataStax products and services; and (ii) other data subjects whose Personal Data is contained within any data made available to DataStax by Customers or its Affiliates.
Customer shall use all reasonable endeavours to avoid making Personal Data accessible by DataStax.
2. The duration of the processing of Personal Data (if any):
The duration of the processing of Customer Personal Data (if any) will be until the earliest of: (i) the expiry/termination of the Agreement; or (ii) the date upon which processing is no longer necessary for the purposes of either party performing its obligations under the Agreement (to the extent applicable).
3. The processing of Personal Data (if any) will comprise:
Processing of any Customer Personal Data by DataStax for the performance and use of the Subscriptions and Services by the Customer pursuant to the Agreement and as described in paragraph 4 below.
4. Details of Personal Data processing activities
Depending on the Products and/or Services that Customer has procured from DataStax, the types of data processing that DataStax may conduct will include processing necessary for the purposes of:
(i) providing support, maintenance and advice in relation to DataStax’s Software;
(ii) providing consultancy services in relation to DataStax’s Software;
(iii) the provision of any other DataStax products and services; product and customer account management activities including relevant outreach activities and information provision; and
(iv) where applicable to the service, providing database administration and management services including providing supporting services such as search, advanced replication, tiered storage, and analytics; and
(v) anonymising Customer Personal Data to create a non-personal dataset for Product and/or Service development and improvement purposes.
California Consumer Privacy Act Addendum (CCPA-A)
This CCPA-A is an addendum to the DPA and applies where DataStax processes Customer Data of California residents ("CCPA Personal Information"). DataStax shall not retain, use or disclose the CCPA Personal Information for any purpose other than for the specific purpose of performing the DataStax services, or as otherwise permitted by the CCPA, including retaining, using or disclosing the CCPA Personal Information for a commercial purpose other than providing the DataStax services.
Capitalised terms shall have the meanings as set out in section 18 of the DPA, except where a term is defined in this CCPA-A, in which case the definition in the CCPA-A shall control the meaning of the word.
Conflict Of Terms
This CCPA-A is without prejudice to the rights and obligations of the parties under the Agreement, which shall continue to have full force and effect. In the event of any conflict between the terms of this CCPA-A and the terms of the Agreement and/or DPA, the terms of this CCPA-A shall prevail so far as the subject matter concerns California residents.
This CCPA-A may be updated from time to time by DataStax.
Definitions And Interpretation
“California Consumer Privacy Act” or “CCPA” means the “Assembly Bill No.375” enacted by the legislature, and as amended from time to time of aforementioned legislature, in the state of California, the United States of America;
“CCPA-A” means this “California Consumer Privacy Act Addendum”;
“Personal Information” means all data which is defined as “Personal Information” under the California Consumer Privacy Act and to which the California Privacy Act applies.
How To Contact Us Regarding This CCPA-A Addendum
For any enquiries please email firstname.lastname@example.org.