Data Processing Addendum
The terms “process”, “processing”, “processor”, “transfer”, “controller” shall have the meaning given to them under the Applicable Regulations.
“Applicable Data Protection Law” means all laws and regulations, including laws and regulations of the United States, European Union, the European Economic Area and their member states, Switzerland and the United Kingdom, applicable to the Processing of Personal Data under these Terms.
“Administrative Data” means data related to employees or representatives of the Customer that is collected and used by Kadiska in order to manage the Customer’s account, for Kadiska’s customer support and billing purposes. Administrative Data may include Personal Data and information about the contractual commitments between Customer and Kadiska, whether collected at the time of the initial registration or thereafter in connection with the delivery of the Services.
“BGP” or “Border Gateway Protocol” means a protocol that manages how packets are routed across the internet through the exchange of routing and reachability information between edge routers. BGP directs packets between Autonomous Systems (AS), which are networks managed by an enterprise or service provider.
“BGP Data” means information about a Party’s BGP route tables.
“Browser Data” means data collected by Kadiska from the W3C Application Programming Interfaces (API).
“GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
“Personal Data” shall have the meaning given under Applicable Data Protection Law and is limited to that Personal Data Kadiska processes as part of Service Data.
“EU Standard Contractual Clauses” means the standard contractual clauses (for Processors) in the form set out in the Annex of European Commission Decision 2010/87/EU, as amended or updated from time to time.
“Sub-processor” means any Processor engaged by Kadiska.
“Support Data” means information that Kadiska collects when Customer submits a request for support services or other troubleshooting, including information about the Services and other details related to the support incident.
2. General Principles
2.1 Pursuant to the Applicable Regulations and in the context of the Agreement:
- The Customer is data controller of the Personal Data or, when applicable, data processor of its own clients;
- Kadiska is data processor of the Personal Data, processing exclusively on behalf and only on documented instructions from the Customer.
2.2 The Parties recognize that the Agreement, as well as the use of the Service and its functionalities in accordance with the Agreement, form the documented instructions of the Customer. Any additional instruction concerning the processing of Personal Data by Kadiska shall be provided by the Customer in written form. The instruction specifies the purpose of processing and the operation to be performed by Kadiska, provided that the Customer agrees beforehand on the estimate from Kadiska for the additional instruction. Kadiska shall inform the Customer, by any means, within five (5) days of its receipt of an instruction if, in its opinion, the instruction infringes the Applicable Regulations.
2.3 The Customer recognizes that it has exclusive control and knowledge of the Personal Data processed for the specific purpose of the Agreement, and notably of its origin. Consequently, the Customer shall fulfil its obligations as data controller.
2.4 Kadiska will delete the Personal Data and copies thereof in accordance with the Agreement, unless any applicable law or the Applicable Regulations require storage of the Personal Data.
2.5 The Customer shall inform Kadiska, when signing the Agreement, of the person to contact for all information, communications, notifications, or requests made in respect of the Appendix. If the Customer does not provide Kadiska with this information, the signatory will be considered as the relevant contact person.
2.6 If it is strictly necessary for the performance of the Agreement, Kadiska may transfer Personal Data provided that the Customer is informed beforehand of such transfer. In any case, Kadiska shall not transfer Personal Data, without implementing the appropriate safeguards in application of article 46 of the GDPR, outside:
- 2.6.1 the European Union
- 2.6.2 the European Economic Area
- 2.6.3 a third country or territory recognized by the European Commission as ensuring an adequate level of protection in application of the Applicable Regulations, for instance through SCC (Standard Contractual Clauses)
3. Security of Personal Data
3.1 In accordance with article 32(1) of the GDPR, the Customer and Kadiska shall implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk. The measures taken by Kadiska are listed in a security measures document, an updated version of which is available to the Customer upon request.
3.2 Kadiska is exclusively responsible for the security aspects of the Service falling under its control. The Customer is responsible for the security and the confidentiality of its respective systems and the access it grants to the Service. The Customer shall ensure that the use and the configuration of the Service meet the security requirements of the Applicable Regulations. Kadiska is not bound by any obligation to protect Personal Data which is:
- (i) stored outside of the Service;
- (ii) transferred out of the Service by the Customer; or
- (iii) transferred out of the Service by Kadiska under instruction of the Customer.
3.3 Kadiska ensures that persons authorized to process the Personal Data have committed themselves to confidentiality.
4. Cooperation with the Customer
4.1 Kadiska shall communicate to the Customer without undue delay after receiving any request, notice of investigation or complaint from any data subject concerning the processing of Personal Data under the Agreement (“Data Subject Requests”). Acting as data controller, the Customer shall remain solely responsible for the answer to be provided to Data Subject Requests and Kadiska shall not answer any Data Subject Requests. Notwithstanding the foregoing, and taking into account the nature of the processing of the Personal Data, Kadiska shall upon request assist the Customer in the fulfillment of the Customer’s obligations in responding to Data Subject Requests. Customer acknowledges that Kadiska will use appropriate technical and organizational measures in providing any such assistance, insofar as this is reasonably possible.
4.2 Upon written request from the Customer, Kadiska shall provide the Customer with all the useful information in its possession for the purpose of assisting the Customer, as data controller, to satisfy the privacy impact assessment requirements of the Applicable Regulations. Any such privacy impact assessment shall be carried out by and under the sole responsibility of the Customer.
5. Notification of Data Breach
5.1 Kadiska shall notify the Customer within 72 hours after becoming aware of any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed (“Data Breach”).
5.2 Kadiska shall provide the Customer without undue delay after the notification of the Data Breach and insofar as this is possible, the following information:
- 5.2.1 the categories and approximate number of data subjects concerned;
- 5.2.2 the categories and approximate number of Personal Data records concerned;
- 5.2.3 the likely consequences of the Data Breach;
- 5.2.4 the measures taken or proposed to be taken by Kadiska to address the Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.
6.1 Kadiska may engage a sub-processor for the processing of Personal Data that is, in Kadiska’s sole discretion, strictly necessary for the performance of the Agreement.
6.2 Kadiska shall only engage sub-processors that provide sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the Applicable Regulations.
6.3 Kadiska shall by way of written agreement impose obligations substantively equivalent to those set out in the Agreement and in the Applicable Regulations on its sub-processors. Kadiska shall remain fully liable to the Customer for the performance of that sub-processor's obligations.
6.4 Kadiska may only engage a sub-processor which:
- 6.4.1 is established in one of the member states of the European Union or the European Economic Area, or;
- 6.4.2 proposes one of the appropriate safeguards pursuant to article 46 of the GDPR.
6.5 The list of the sub-processors of Kadiska shall be provided on written request. Kadiska shall inform the Customer of any addition or replacement of sub-processors as soon as possible. This information constitutes the information to the Customer as specified in article 1.6 of this DPA. The Customer may object in writing to such addition or replacement within a period of ten (10) business days from receipt of the information. The absence of objection from the Customer after this period shall be considered acceptance of the sub-processor. In case of objection from the Customer, Kadiska may provide the Customer with elements that could lift its objections. If the Customer maintains its objections, the Parties shall discuss in good faith the continuation of the Agreement.
On request, Kadiska will send to the Customer any document reasonably necessary to demonstrate Kadiska’s compliance with its obligations as a processor under the Agreement by e-mail. Any other method for sending these documents will be at the Customer’s expense. The Customer may request additional verification from Kadiska if the documents provided do not enable it to verify Kadiska’s compliance with its obligations as a processor under the Agreement. In such a case, the Customer should make a written request to Kadiska, by registered letter with acknowledgement of receipt, in which Customer justifies its request for further information. Kadiska shall answer the Customer as soon as possible.
8. Description of the processing
The nature of the Personal Data processing, the purpose of the processing, the Personal Data processed, the category of data subject concerned and the duration of the processing are described in the dedicated document available at docs.kadiska.com.
9. Permitted use and Disclosure
Notwithstanding anything to the contrary in this DPA, (i) Kadiska may disclose BGP Data, Browser Data and Support Data to third parties, provided such data has been aggregated and/or appropriately de-identified to reasonably prevent the identification of Customer; (ii) Kadiska may use BGP Data, Browser Data and Support Data for its own business purposes without attribution or compensation to Customer; and (iii) Kadiska may use Administrative Data for its own internal business purposes or to fulfill its obligations to Customer under an applicable agreement. Kadiska shall not be required to return or destroy Administrative Data, BGP Data, Browser Data or Support Data and shall continue to be permitted to use and disclose such Administrative Data, BGP Data, Browser Data and Support Data as set forth in this Section 9 (Permitted Use and Disclosure) following the termination or expiration of this DPA.