DataStax Data Processing Agreement
December 20, 2023
This DataStax Data Processing Agreement (“DPA”) forms a part of the DataStax Terms (the “Agreement”) or other agreement(s) entered into between you or the entity which you represent (“Customer”) and DataStax, Inc. This DPA governs any processing by DataStax of Customer Data that is also Personal Data ("Customer Personal Data"), where applicable, in relation to DataStax Products and Services (and as described in Section 1 of Annex 1 as amended from time to time). This DPA applies to the use by Customer of all DataStax Products and Services in order to ensure that adequate safeguards are put in place with respect to the protection of Personal Data as required by Applicable Privacy Laws.
1. Definitions: In this DPA, the following terms shall have the following meanings:
(a) "Controller", "Processor", "Data Subject", "Personal Data", "Processing" (and "Process") and "Special Categories of Personal Data" shall have the meanings given in Applicable Privacy Law; and
(b) "Applicable Privacy Law(s)" means the relevant data protection and privacy law(s) to which each of the parties is subject, including (where relevant) but not limited to EU/UK Data Protection Laws;
(c) "EU/UK Data Protection Law(s)" means: (a) the General Data Protection Regulation (Regulation (EU) 2016/679) ("GDPR"); (b) the GDPR as saved into United Kingdom law by virtue of section 3 of the United Kingdom's European Union (Withdrawal) Act 2018 (the "UK GDPR"); (c) the EU e-Privacy Directive (Directive 2002/58/EC); and (d) any and all applicable national data protection laws made under or pursuant to or that apply in conjunction with any of (a), (b) or (c) above; as may be amended or superseded from time to time;
(d) "Restricted Transfer" means: (a) where the GDPR applies, a transfer of personal data from the European Economic Area to a country outside of the European Economic Area which is not subject to an adequacy determination by the European Commission; and (b) where the UK GDPR applies, a transfer of personal data from the United Kingdom to any other country which is not subject to adequacy regulations pursuant to Section 17A of the United Kingdom Data Protection Act 2018; and
(e) "Standard Contractual Clauses" means (a) where the GDPR applies, the contractual clauses annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council ("EU SCCs"); and (b) where the UK GDPR applies, the "International Data Transfer Addendum to the EU Commission Standard Contractual Clauses" issued by the Information Commissioner under s.119A(1) of the Data Protection Act 2018 ("UK Addendum").
2. Customer Personal Data Processing
(a) The type of Customer Personal Data (categories of data) that may be processed pursuant to this DPA and the subject matter, duration, nature (processing operations), purpose of the processing, and the categories of Data Subjects, are to enable DataStax to supply the Products and Services to the Customer and fulfil its obligations to the Customer under the Agreement. Customer shall not make Personal Data, other than such Personal Data necessary for DataStax to provide the Products and/or Services, accessible to DataStax.
(b) Each of the Customer and DataStax warrant in relation to Customer Personal Data that it will where applicable comply (and will procure that any of its staff and/or Processors comply) with Applicable Privacy Laws and all other applicable laws.
(c) In respect of the parties' rights and obligations under the Agreement regarding the Customer Personal Data, the parties hereby acknowledge and agree that the Customer is the Controller and DataStax is the Processor (or where Customer is a Processor on behalf of a third party Controller, DataStax shall be a subprocessor) and accordingly DataStax agrees that it shall process all Personal Data in accordance with its obligations pursuant to this DPA.
3. DataStax Obligations: With respect to all Customer Personal Data, and insofar as DataStax processes Customer Personal Data, DataStax warrants that it shall:
(a) only process the Customer Personal Data in order to provide the Products and/or Services and shall act only in accordance with this DPA and the Agreement;
(b) if applicable laws require DataStax to process Customer Personal Data other than pursuant to this DPA, DataStax will notify the Customer (unless prohibited from so doing by applicable laws);
(c) implement appropriate technical and organisational measures to ensure a level of security appropriate to the risks that are presented by the processing, in particular protection against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data (a "Security Breach"). Such measures include, without limitation, the security measures set out in Annex II;
(d) take reasonable steps to ensure that only authorized personnel have access to such Customer Personal Data and that any persons whom it authorises to have access to the Customer Personal Data are under obligations of confidentiality;
(e) as soon as reasonably practicable but no longer than 90 days following termination or expiry of the Agreement or completion of applicable Product delivery, DataStax will delete or return to the Customer (at the Customer's direction as Controller or on behalf of the third party Controller), in an accessible and machine-readable format, all Customer Personal Data (including copies thereof) processed pursuant to this DPA, unless required to retain the Customer Personal Data by applicable laws;
(f) if DataStax becomes aware of a confirmed Security Breach, DataStax will inform Customer (who, where Customer is a Processor, shall in turn inform its Controller) without undue delay and shall provide the Customer with reasonable information and cooperation so that Customer (or its Controller) can fulfil any data breach reporting obligations it may have under (and in accordance with the timescales required by) Applicable Privacy Laws;
(g) not make any announcement about a Security Breach (a "Breach Notice") without:
(i) the prior written consent from the Customer (on its behalf or on behalf of its Controller); and
(ii) prior written approval by the Customer (on its behalf or on behalf of its Controller) of the content, media and timing of the Breach Notice, unless required to make a disclosure or announcement by applicable law;
(h) promptly notify the Customer (who, where Customer is a Processor, shall in turn inform its Controller) if it receives a request from a Data Subject to exercise their rights under Applicable Privacy Laws (including its rights of access, correction, objection, erasure and data portability, as applicable) (a "Data Subject Request"). Unless required by applicable law, DataStax shall not respond to a Data Subject Request received by DataStax without the Customer’s prior written consent except to confirm that such request relates to the Customer, to which the Customer hereby agrees, and to the extent Customer (or its Controller) does not have the ability to address a Data Subject Request, DataStax shall upon the Customer’s request provide reasonable assistance to facilitate a Data Subject Request to the extent DataStax is able to consistent with applicable law (provided that Customer shall pay DataStax’s costs for providing such assistance at DataStax's standard consultancy rates);
(i) provide such assistance as the Customer reasonably requests (taking into account the nature of processing and the information available to DataStax) to the Customer in relation to the Customer’s (or its Controller's) obligations under Applicable Privacy Laws with respect to:
(i) data protection impact assessments (as such term is defined in the GDPR/UK GDPR);
(ii) notifications to the supervisory authority under EU/UK Data Protection Laws and/or communications to data subjects by the Customer (or its Controller) in response to any Security Breach; and
(iii) the Customer’s (or its Controller's) compliance with its obligations under the GDPR/UK GDPR with respect to the security of processing, provided that Customer shall pay DataStax’s charges for providing such assistance at DataStax's standard consultancy rates.
4. Customer Obligations
(a) Customer agrees that, taking into account DataStax's obligations under this DPA, Customer is solely responsible for its use of the DataStax Products and/or Services to ensure:
(i) that unless otherwise directed by DataStax in writing, Customer shall not make any Personal Data accessible to or by DataStax outside of such Personal Data that is required by DataStax in order to provide the DataStax Products and/or Services;
(ii) that Customer warrants that it has all and any applicable legal consents and authority required by any applicable laws to disclose any and all Personal Data that it shares with DataStax; and
(iii) that Customer warrants that it will not upload any data which is categorized under Data Restrictions under the relevant agreement for Products and/or Services.
(b) Customer shall (and shall require that its Controller shall) comply with the obligations that apply to it under Applicable Privacy Laws.
5. Sub-processing
(a) The Customer grants a general authorisation on its behalf, and where Customer is a processor, on behalf of the Controller: (a) to DataStax to appoint other members of the DataStax Group as subprocessors; and (b) to DataStax to appoint third party data centre operators, providers of information technology tools, and outsourced service providers as subprocessors to support the performance and delivery of the DataStax Products and/or Services.
(b) DataStax will maintain a list of relevant subprocessors at the following URL: https://www.datastax.com/security/subprocessors and will add the names of new and replacement subprocessors as applicable from time to time.
(c) If the Customer has a reasonable objection to any new or replacement subprocessor, it shall notify DataStax of such objections in writing within ten (10) days of the notification and the parties will seek to resolve the matter in good faith. DataStax may use a new or replacement subprocessor whilst the objection procedure in this section is in process.
(d) DataStax will ensure that any subprocessor it engages to provide the services on its behalf in connection with the Agreement does so only on the basis of a written contract which imposes on such subprocessor terms in relation to Customer Personal Data substantially similar to those imposed on DataStax in this DPA. DataStax shall procure the performance by such subprocessor of those terms.
(e) DataStax remains liable for any breach of this DPA that is caused by an act, error or omission of its subprocessor, subject to the other terms of the Agreement.
6. Data Transfers
(a) The Customer acknowledges that the provision of DataStax Products and/or Services under the Agreement may require the processing of Customer Personal Data by DataStax and its subprocessor(s) in countries outside the EEA or the UK from time to time.
(b) The parties agree that when the transfer of Customer Personal Data from Customer (as "data exporter") to DataStax (as "data importer") is a Restricted Transfer it shall be subject to the appropriate standard contractual clauses as follows:
(i) In relation to data that is protected by the GDPR, the EU SCCs will apply completed as follows:
(A) Module Two will apply to the extent that Customer is a Controller of the Customer Personal Data, and Module Three will apply to the extent that Customer is a Processor of the Customer Personal Data on behalf of a third party Controller;
(B) in Clause 7, the optional docking clause will apply;
(C) in Clause 9, Option 2 will apply, and the time period for prior notice of subprocessor changes shall be as set out in Section 5 of this DPA;
(D) in Clause 11, the optional language will not apply;
(E) in Clause 17, Option 1 will apply, and the EU SCCs will be governed by Irish law;
(F) in Clause 18(b), disputes shall be resolved before the courts of Ireland;
(G) Annex I of the EU SCCs shall be deemed completed with the information set out in Annex I to this DPA;
(H) Annex II of the EU SCCs shall be deemed completed with the information set out in Annex II to this DPA.
(c) In relation to data that is protected by the UK GDPR, the UK Addendum will apply completed as follows:
(i) The EU SCCs as set out above in Clause 6(b)(i) of this DPA shall also apply to transfers of such Customer Personal Data, subject to sub-clause (ii) below;
(ii) Tables 1 to 3 of the UK Addendum shall be deemed completed with relevant information from the EU SCCs, completed as set out above, and the option "neither party" shall be deemed checked in Table 4. The start date of the UK Addendum (as set out in Table 1) shall be the date of this DPA.
(d) In the event that any provision of this DPA contradicts, directly or indirectly, the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.
(e) If, in the performance of this DPA and/or the Agreement, DataStax transfers any Customer Personal Data to a subprocessor (which shall include without limitation any affiliates of DataStax) and without prejudice to section 4 where such transfer is a Restricted Transfer, DataStax shall in advance of any such transfer ensure that it has taken such measures as are necessary to ensure the transfer is compliant with EU/UK Data Protection Law and is made pursuant to Standard Contractual Clauses implemented between the relevant exporter and importer of the Customer Personal Data.
(f) Where Standard Contractual Clauses are put in place between DataStax and a subprocessor and there is a conflict between the terms of this DPA (as passed down to the subprocessor) and the Standard Contractual Clauses entered into between DataStax and the subprocessor, the Standard Contractual Clauses will prevail.
7. Audit and Records
(a) DataStax shall, in accordance with and to the extent required by Applicable Privacy Laws, make available to the Customer such information in DataStax's possession or control as the Customer may reasonably request and which DataStax is lawfully entitled to disclose with a view to demonstrating DataStax's compliance with this DPA.
(b) The Customer may exercise its right of audit under Applicable Privacy Laws, through DataStax providing to Customer an audit report provided that the applicable audit(s): are performed periodically; are assessed against relevant standards; are conducted by auditors selected by DataStax but otherwise conducted with all due and necessary independence and professionalism; and are documented in a report that affirms that DataStax's controls meet the standards against which they are assessed.
(c) DataStax shall further provide detailed written responses (on a confidential basis) to all reasonable requests for information made by Customer, including responses to information security and audit questionnaires, that Customer considers necessary to confirm DataStax's compliance with the Applicable Privacy Laws.
(d) Customer shall promptly notify DataStax with information regarding any non-compliance discovered during the course of an audit, and DataStax shall use commercially reasonable efforts to address any confirmed non-compliance.
8. Miscellaneous
(a) If the Customer (or its Controller) decides that a Security Breach must be notified to any Supervisory Authority and/or Data Subjects and/or the public or portions of the public, the Customer will notify DataStax before the communication is made by the Customer (or its Controller) and supply DataStax with copies of any written documentation to be filed with the Supervisory Authority and of any notification the Customer (or its Controller) proposes to make (whether to any Supervisory Authority, Data Subjects, the public or portions of the public) which references DataStax, its security measures and/or role in the Security Breach, whether or not by name. The Customer will consult with (and require its Controller via the Customer to consult with) DataStax in good faith and take account of any clarifications or corrections DataStax reasonably requests to such notifications and which are consistent with the GDPR/UK GDPR.
(b) DataStax's liability to the Customer and Customer Group under or in connection with this DPA shall be subject to the same limitations and exclusions of liability as apply under the Agreement as if that liability arose under the Agreement. Nothing in this DPA will limit DataStax's liability in respect of personal injury or death in negligence or for any other liability or loss which may not be limited by agreement under applicable law.
(c) This DPA sets out all of the terms that have been agreed between the parties in relation to the Processing of Customer Personal Data as defined in this DPA. Other than in respect of statements made fraudulently, no other representations or terms shall apply or form part of this DPA.
(d) A person who is not a party to this DPA shall not have any rights to enforce this DPA including (where applicable) under the Contracts (Rights of Third Parties) Act 1999 of the United Kingdom to enforce any term of this DPA.
(e) Should any provision of this DPA be invalid or unenforceable, then the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall be either amended as necessary to ensure its validity and enforceability, while preserving the parties’ intentions as closely as possible or, if this is not possible, construed in a manner as if the invalid or unenforceable part had never been contained therein.
(f) Other than in respect of any accrued liabilities of either party and the provisions of this section, this DPA shall terminate automatically on the expiry or termination for whatever reason of the Agreement. Notwithstanding the foregoing, DataStax’s obligations hereunder with respect to any Customer Personal Data processed pursuant to this DPA shall continue until the later of the expiration or termination of the Agreement or DataStax’s deletion of Customer Personal Data.
California Consumer Privacy Act Addendum (CCPA-A)
Scope
This CCPA-A is an addendum to the DPA and applies where DataStax processes Customer Data of California residents ("CCPA Personal Information"). DataStax shall not retain, use or disclose the CCPA Personal Information for any purpose other than for the specific purpose of performing the DataStax services, or as otherwise permitted by the CCPA, including retaining, using or disclosing the CCPA Personal Information for a commercial purpose other than providing the DataStax services.
Capitalized terms shall have the meanings as set out in section 1 (Definitions) of the DPA, except where a term is defined in this CCPA-A, in which case the definition in the CCPA-A shall control the meaning of the word.
Conflict Of Terms
This CCPA-A is without prejudice to the rights and obligations of the parties under the Agreement, which shall continue to have full force and effect. In the event of any conflict between the terms of this CCPA-A and the terms of the Agreement and/or DPA, the terms of this CCPA-A shall prevail so far as the subject matter concerns California residents.
This CCPA-A may be updated from time to time by DataStax.
Definitions And Interpretation
“California Consumer Privacy Act” or “CCPA” means “Assembly Bill No. 375” enacted by the legislature of the state of California, the United States of America, as amended from time to time by the aforementioned legislature;
“CCPA-A” means this “California Consumer Privacy Act Addendum”;
“Personal Information” means all data which is defined as “Personal Information” under the California Consumer Privacy Act and to which the California Consumer Privacy Act applies.
How To Contact Us Regarding This CCPA-A Addendum
For any enquiries please email privacy@datastax.com.
Annex 1
Details of the Personal Data and Processing Activities
A. LIST OF PARTIES
Data exporter:
Name: Customer
Address: As provided for in the Agreement
Contact person’s name, position and contact details: As provided for in the Agreement
Activities relevant to the data transferred under these Clauses: Supply of the products and services as provided for in the
Role (controller/processor): Controller or Processor acting on behalf of the Controller.

Data importer:
Name: DataStax, Inc
Address: 2755 Augustine Drive, 8th Floor, Santa Clara, CA 95054, US
Contact person’s name, position and contact details: Jason Anderson, General Counsel, legal@datastax.com
Activities relevant to the data transferred under these Clauses: Providing the services set out in the Agreement.
Role (controller/processor): Processor or Subprocessor
B. DESCRIPTION OF TRANSFER
The Customer acknowledges that the processing of Customer Personal Data by DataStax will include all Customer Personal Data uploaded to the Products for the purpose of DataStax provisioning the Products to Customer. The descriptions of the processing and transfer of Customer Personal Data are set out below and are subject to change or modification pursuant to Section 2(a) of this DPA.
Astra DB and Astra Streaming

Categories of data subjects whose personal data is transferred:
The categories of data subjects are determined and controlled by Customer in its sole discretion and may include: (i) Customers’ employees involved in the procurement and receipt of the DataStax products and services; and (ii) other data subjects whose Personal Data is

Categories of personal data transferred:
The categories of personal data transferred are

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures:
Sensitive data transferred is determined and controlled by Customer, in its sole discretion, subject to any applicable conditions or restrictions under the Agreement.

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis):
Continuous basis

Nature of the processing:

Purpose(s) of the data transfer and further processing:
To enable DataStax, Inc. to provide the services set out in the Agreement

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period:
Until the earliest of: (i) the expiry/termination of the

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing:
As specified at https://www.datastax.com/security/subprocessors
Luna, Luna Streaming, DataStax Technical Support and Professional Services

Categories of data subjects whose personal data is transferred:
Customers’ staff, contractors or collaborators

Categories of personal data transferred:
Personal & IT identifiers:

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures:
None

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis):
Continuous basis

Nature of the processing:

Purpose(s) of the data transfer and further processing:
To enable DataStax, Inc. to provide the services set out in the Agreement

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period:
Until the earliest of: (i) the expiry/termination of the

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing:
As specified at https://www.datastax.com/security/subprocessors
C. COMPETENT SUPERVISORY AUTHORITY
Identify the competent supervisory authority/ies in accordance with Clause 13:
Data Protection Commission of Ireland
ANNEX II - TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
Details of the technical and organisational measures for the protection of Customer Data can be found at https://www.datastax.com/legal/technical-security-measures