Personal Data Processing Terms
Privacy Terms · Last Updated Date: June 13, 2018
1. Definitions and Interpretation
1.1. In this Agreement the following words shall have the following meanings:
“Data Protection Legislation” means the General Data Protection Regulation (Regulation (EU) 2016/679), the ePrivacy Regulation repealing Directive 2002/58/EC, Data Protection Bill (once enacted into English law), the Regulation of Investigatory Powers Act 2000, the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000 (SI 2000/2699), the Electronic Communications Data Protection Directive (2002/58/EC), the Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2426/2003) (whilst in force) and all laws and regulations applicable to the relevant party relating to the processing of personal data under or in relation to the Supplier Agreements including, where applicable, the guidance and codes of practice issued by the Information Commissioner or any other applicable supervisory authority, and the equivalent of any of the foregoing in any relevant jurisdiction;
“EU-US Privacy Shield” means the scheme designed by the U.S. Department of Commerce and the European Commission to provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the European Union to the United States;
“Personal Data Breach” means a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data;
“personal data”, “data subject”, “controller”, “processor” and “process” shall be interpreted in accordance with applicable Data Protection Legislation;
“Privacy Shield” means the EU-US Privacy Shield and the Swiss-US Privacy Shield;
“Privacy Shield Principles” means the requirements set out in the Privacy Shield framework (as made available, in relation to the EU-US Privacy Shield, at https://www.privacyshield.gov/EU-US-Framework);
“Standard Contractual Clauses” means the controller-to-processor Standard Contractual Clauses as referred to in European Commission Decision 2010/87/EU;
“Supplier Agreements” means all agreements between Supplier and DataStax, Inc. (or its subsidiaries) existing from time to time under which Supplier provides any forms of software, personnel, goods and/or services to DataStax; and
“Swiss-US Privacy Shield” means the scheme designed by the U.S. Department of Commerce and the Swiss Administration to provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from Switzerland to the United States.
1.2. Any reference to “includes” or “including” shall be construed without limitation.
2. Data Processing
2.1. The terms of this Agreement are applicable to all Supplier Agreements and set out the subject-matter and duration of the processing of DataStax personal data, the nature and purpose of the processing, the type of personal data and the categories of data subjects.
2.2. The parties shall amend this Agreement from time to time by written agreement.
3. Data Processing Requirements
3.1. Each party shall comply with its respective obligations under applicable Data Protection Legislation.
3.2. Supplier shall:
3.2.1. process DataStax personal data only in accordance with DataStax’s documented instructions (except to the extent Supplier is otherwise required by applicable law and provided that, unless prohibited by applicable law, Supplier shall notify DataStax of such requirement before such processing);
3.2.2. not process or transfer DataStax Personal Data outside the European Economic Area without DataStax’s prior written consent (and if such consent has been obtained, Supplier shall comply with section 6 of this Agreement);
3.2.3. ensure that all individuals engaged in the processing of DataStax personal data under the Supplier Agreements are subject to strict obligations of confidentiality, non-disclosure and non-use in respect of such personal data for the duration of their processing of DataStax personal data; and
3.2.4. implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk involved in processing DataStax personal data pursuant to the Supplier Agreements and in accordance with good industry practice.
3.3. Without prejudice to the other obligations in the Supplier Agreements, Supplier shall implement the security measures identified in this Agreement.
4. Notifications and Assistance
4.1. If any data subject exercises its rights under applicable Data Protection Legislation against DataStax that is connected to actions or omissions of the Supplier, Supplier shall at no cost to DataStax:
4.1.1. provide all necessary information relating to the circumstances of the exercise of rights required by DataStax; and
4.1.2. assist DataStax in fulfilling DataStax obligations as controller following written request from DataStax.
4.2. If Supplier becomes aware of any potential, threatened or actual Personal Data Breach that may affect DataStax personal data in any way, it shall:
4.2.1. immediately notify DataStax;
4.2.2. provide all necessary information relating to the circumstances of the Personal Data Breach required by DataStax; and
4.2.3. assist DataStax, as directed by DataStax, in connection with any required notification to the applicable Supervisory Authority and, where applicable, data subjects, taking into account the nature of processing and the information available to Supplier.
5. Supplemental Data Processing Requirements
5.1. Supplier may only engage other processors (“Sub Processors”) for the processing of DataStax personal data in accordance with the terms of the Supplier Agreements and which are specified in this Agreement (or which are otherwise agreed in writing by DataStax from time to time). Supplier remains responsible and liable for all acts and omissions of all Sub Processors as if they were its own and Supplier shall ensure that each agreement Supplier enters into with a Sub Processor contains equivalent protections for DataStax personal data as are contained in this Agreement.
5.2. If DataStax considers that the processing of personal data performed pursuant to the Supplier Agreements requires a privacy impact assessment to be undertaken, DataStax may inform Supplier in writing and Supplier shall provide all relevant information and assistance to DataStax to facilitate such privacy impact assessment at no additional cost to DataStax.
5.3. If Supplier considers that DataStax instructions relating to processing of DataStax personal data under the Supplier Agreements may infringe Data Protection Legislation, Supplier shall notify DataStax.
5.4. Except to the extent otherwise required by applicable law, following termination or expiry of the Supplier Agreements Supplier shall, at DataStax’s option, delete or return all DataStax personal data and all copies thereof to DataStax.
5.5. Supplier shall make available all information necessary to demonstrate Supplier’s compliance with this Agreement and shall permit and contribute to any data audits reasonably required by DataStax upon DataStax’s written request.
5.6. If Supplier is required by DataStax to comply with the Privacy Shield Principles in the table describing “Permitted Data Processing” Supplier shall comply with the Privacy Shield Principles in addition to any other obligations in this Agreement.
5.7. If at any time Supplier can no longer comply with the requirements in sections 3 or 5, Supplier shall inform DataStax immediately.
6. Data Transfers outside the European Economic Area
6.1. If Supplier has secured prior written consent from DataStax in accordance with section 3.2.2:
6.1.1. unless section 6.1.2 and/or 6.1.3 applies, Supplier and DataStax hereby agree that the Standard Contractual Clauses are incorporated by reference to form part of this Agreement, where Supplier is the data processor and DataStax is the data controller, and as further set out in section 6.2;
6.1.2. if the transfer of DataStax personal data shall be to the USA only and this Agreement specifies that Privacy Shield shall be used, the Supplier shall adhere to the Privacy Shield Principles as further set out in section 6.3;
6.1.3. if the transfer of DataStax personal data to a specified adequate third country is expressly permitted pursuant to this Agreement, and so long as the applicable Commission decision(s) on the adequacy of the protection of personal data in such third countries remains valid, no additional transfer safeguards shall be required.
6.2. Where section 6.1.1 applies:
6.2.1. in relation to Clauses 9 and 11(1) of the Standard Contractual Clauses, the governing law of the Standard Contractual Clauses shall be the law of England and Wales;
6.2.2. Appendix 1, Appendix 2 and any other information required to be added to the Standard Contractual Clauses in order for them to be complete shall be completed/interpreted in accordance with the information provided in this Agreement and (to the extent further information is required) the relevant Supplier Agreements.
6.3. Where section 6.1.2 applies:
6.3.1. Supplier represents and warrants that it has and will maintain the relevant certifications; and
6.3.2. should Supplier cease to have the relevant certifications at any time, DataStax and Supplier agree that the Standard Contractual Clauses shall automatically apply in accordance with section 6.1.1.
7.1. In the event that there is any conflict or inconsistency between the terms of the Supplier Agreements and the terms of this Agreement, the terms of this Agreement shall prevail.
7.2. DataStax reserves the right to amend this Agreement on written notice to Supplier if required to comply with law relating to the protection or treatment of personal data.
7.3. Failure of either party to enforce rights under this Agreement is not a waiver of such rights and will not operate or be construed to waive any other provision of the Agreement. The rights and remedies herein provided are in addition to those available to either party at law or in equity.
7.4. Each party represents and warrants that it has the full power to enter into this Agreement and to perform its obligations under the Agreement. Additionally, in relation to the collection and provision of any data to DataStax under the Supplier Agreements, Supplier also warrants that: (i) it complies with all applicable laws and regulations when providing the data and services, especially, without limitation all applicable local data protection and marketing laws and/or regulations within the EU and its member states; (ii) during the collection, processing and use of individual personal information, the person to whom the data belongs (the “Data Subject”) has been informed of and consented to: (a) its right to object at no cost to the collection, processing and/or use of its data; (b) the purpose of the collection, processing and/or use of its data; (c) its rights to object at no cost to the use of its data for purposes of canvassing in particular for commercial purposes; and (d) being contacted by DataStax for marketing and other purposes; and (iii) they have the right to grant the licenses and other rights related to the use of personal data, including without limitation to the extent the processing of personal data has been collected through social public networking platforms or other public means.
7.5. Supplier will secure and maintain insurance against general liability and property damage in amounts sufficient to protect DataStax in the event of such liability or damage. Notwithstanding any limitations of liability specified in the Supplier Agreements, Supplier shall defend, indemnify and hold DataStax, its officers, directors, employees, contractors and agents harmless from and against any and all third party claims, demands, losses, damages or expenses, including reasonable attorneys’ fees and court costs (collectively, “Claims”), arising out of or in connection with any failure by Supplier to adhere to the requirements in this Agreement.
7.6. Subject to section 7.7, this Agreement will be construed in accordance with, and all disputes will be governed by, the laws of England and each party irrevocably consents to the exclusive jurisdiction of the courts of England and Wales. If at any time in DataStax’s view the use of English law no longer meets the requirement of being “Union or Member State law”, as required pursuant to Article 28(3) of General Data Protection Regulation (Regulation (EU) 2016/679), DataStax may elect by providing written notice to Supplier that this Agreement shall be construed in accordance with, and all disputes will be governed by, the laws of France and each party irrevocably consents to the exclusive jurisdiction of the courts of Paris.
7.7. Any dispute arising out of or in connection with this Agreement, including any question regarding its existence, validity or termination, shall be referred to and finally resolved by arbitration under the LCIA Rules, which Rules are deemed to be incorporated by reference into this Agreement. The number of arbitrators shall be one. The seat, or legal place, of arbitration shall be London. The language to be used in the arbitral proceedings shall be English.
7.8. Except as expressly provided herein, no modification of this Agreement will be effective unless contained in writing and signed by an authorized representative of each party. DataStax may make changes to terms located at a URL referenced in this Agreement, including these Personal Data Processing Terms (collectively, the “URL Terms”) from time to time. DataStax will post the amended terms and will update the “Last Updated Date” at the top. By continuing to provide the applicable services and/or products to DataStax after DataStax has provided Supplier with such notice of a change, Supplier is indicating that it agrees to be bound by the modified terms. If the change has a material adverse impact on Supplier and Supplier does not agree to the change, Supplier must notify DataStax within 30 days of the applicable Last Updated Date. If Supplier notifies DataStax as required, then Supplier will remain governed by the terms in effect immediately prior to the change.
7.9. This Agreement is a standalone agreement between the parties that shall not be varied, superseded or extinguished by any ‘entire agreement’ provisions, or any other terms, that appear in the Supplier Agreements. The terms of this Agreement will survive any expiration or termination of the Supplier Agreements.
7.10. The Agreement may not be assigned by either party by operation of law or otherwise, without the prior written consent of the other party, which consent will not be unreasonably withheld.
7.11. If any portion of this Agreement is for any reason found to be invalid, illegal or unenforceable, such portion shall be limited to the minimum extent necessary, and all other provisions shall remain in full force and effect.