YugabyteDB Managed Data Processing Addendum

Last Updated: September 8, 2021

This Data Processing Addendum (“DPA”) forms part of the YugabyteDB Managed Terms of Service between Yugabyte and Customer for the YugabyteDB Managed database software as a service (the “Agreement”). All capitalized terms not defined in this DPA have the meanings set forth in the Agreement.

DEFINITIONS
1. “CCPA” means the California Consumer Privacy Act, Cal. Civ. Code §§ 1798.100 et seq., including any amendments and any implementing regulations thereto;
2. “CCPA Personal Information” means “personal information” as such term is defined by the CCPA, including any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household;
3. “Customer Personal Information” means the CCPA Personal Information and the GDPR Personal Data that Yugabyte Processes on behalf of Customer, in each case in connection with Yugabyte’s provision of the Services. For the avoidance of doubt, Customer Personal Information may include CCPA Personal Information and/or GDPR Personal Data that Customer directs Yugabyte to Process on behalf of Customer’s own clients;
4. “Controller” means the entity which, along or jointly with others, determines the purposes and means of the Processing of GDPR Personal Data;
5. “Data Protection Laws” means all applicable laws, regulations and other legal requirements currently in effect, or as they become effective, relating in any way to the privacy, confidentiality, or security of Personal Data, including the European Data Protection Laws, and the CCPA;
6. “EEA” means the Member States of the European Union together with Iceland, Norway, and Liechtenstein;
7. “European Data Protection Laws” means the EU General Data Protection Regulation 2016/679 of the European Parliament and of the Council (the “GDPR”), the UK Data Protection Act, the UK General Data Protection Regulation, and any applicable national legislation implementing or supplementing the foregoing, in each case as amended, replaced or superseded from time to time, and all other applicable legislation protecting the fundamental rights and freedoms of persons and their right to privacy with regard to the Processing of GDPR Personal Data;
8. “GDPR Personal Data” means “personal data” as such term is defined by the European Data Protection Laws, including any information relating to an identified or identifiable individual or device (a “data subject”);
9. “Processing” means any operation or set of operations which is performed on Customer Personal Information, or on sets of Customer Personal Information, whether or not by automated means, and “Process” will be interpreted accordingly;
10. “Processor” means an entity that Processes Customer Personal Information on behalf of a Controller;
11. “Security Incident” means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, any Customer Personal Information;
12. “Sell” shall have the meaning given in the CCPA;
13. “Services” means the service(s) provided by Yugabyte to Customer under the Agreement;
14. “Service Provider” shall have the meaning given in the CCPA;
15. “Standard Contractual Clauses” means the Standard Contractual Clauses (processors) approved by the European Commission Decision C(2010)593 and set out in Schedule 1, or any subsequent version thereof released by the European Commission (which will automatically apply); and
16. “Subprocessor” means an entity that Processes Customer Personal Information on behalf of a Processor.
DATA PROCESSING
1. Role of the Parties. The Parties acknowledge and agree that:
  1. for the purposes of the GDPR, Yugabyte acts as a Processor and Customer acts as the Controller of GDPR Personal Data (except when Customer is itself a Processor of the GDPR Personal Data, in which case Yugabyte is a Subprocessor); and
  2. for the purposes of the CCPA, Yugabyte will act as a Service Provider in its performance of its obligations pursuant to the Agreement.
2. Instructions for Data Processing. Yugabyte will, subject to Section 2.3, only collect, retain, use, Sell, disclose, release, transfer, make available or otherwise Process Customer Personal Information in accordance with:
  1. the Agreement, to the extent necessary to provide the Services to Customer; and
  2. Customer’s written instructions, including as set forth in ANNEX 1 to this DPA.
  Notwithstanding the foregoing, nothing in this DPA shall restrict Yugabyte’s ability to Process Customer Personal Information in anonymous format.
3. Yugabyte may Process Customer Personal Information to the extent required by:
  1. applicable laws to which Yugabyte is subject;
  2. where Customer is established in the EEA, or the Processing of such Customer Personal Information by Customer falls within the scope of the GDPR, applicable EEA Member State laws; or
  3. where Customer is established in the United Kingdom, or the Processing of such Customer Personal Information by Customer falls within the scope of the UK Data Protection Act 2018, applicable law in the United Kingdom, in which case Yugabyte shall, unless prohibited by such applicable laws on important grounds of public interest, inform Customer of that legal requirement before Processing that Customer Personal Information.
4. Customer shall provide all applicable notices to data subjects required under applicable Data Protection Laws for the lawful Processing of Customer Personal Information by Yugabyte in accordance with the Agreement.
5. Customer will obtain any consents required under applicable Data Protection Laws for the lawful Processing of Customer Personal Information by Yugabyte in accordance with the Agreement.
6. Customer agrees to defend, indemnify and keep indemnified, and hold harmless, at its own expense, Yugabyte against all costs, claims, damages and expenses incurred by Yugabyte or for which Yugabyte may become liable due to any failure by Customer to comply with Section 2.4 and Section 2.5.
7. Customer acknowledges that Yugabyte is reliant on Customer for direction as to the extent to which Yugabyte is entitled to use and process Customer Personal Information. Consequently, Yugabyte will not be liable for any claim brought against Customer by a data subject arising from any act or omission by Yugabyte to the extent that such act or omission resulted from Customer’s instructions or Customer’s use of the Services.
SUBPROCESSORS
1. Consent to Subprocessor Engagement. Customer generally authorizes Yugabyte to engage Subprocessors in connection with the Processing of Customer Personal Information for the performance of the Agreement. Yugabyte will maintain a list of its Subprocessors at the following URL: https://www.yugabyte.com/yugabyte-cloud-subprocessors/, and will add the names of new and replacement Processors as applicable from time to time. Yugabyte shall inform Customer of its intention to engage any new or replacement Subprocessors in writing at least fifteen (15) days in advance of the date of the intended commencement of the engagement. Customer may object to such intended engagement by giving written notice at the latest ten (10) days in advance of the date of the intended commencement of the engagement. If Customer objects to Yugabyte’s appointment of a Subprocessor on reasonable grounds relating to the protection of Personal Information, then either Yugabyte shall not appoint the Subprocessor to Process Customer Personal Information or Customer may elect to suspend or terminate this DPA. In all cases, Yugabyte shall impose substantially similar data protection terms on any Subprocessor it appoints as those provided for by this DPA, and Yugabyte shall remain fully liable for any breach of this DPA that is caused by an act, error, or omission of Subprocessor.
2. Third-Party Applications: The Services may provide functionality which includes but is not limited to application programming interfaces, which allows Customer to integrate Customer authorized third-party products and applications with the Services (“Third-Party Applications”). Customer acknowledges and agrees that if Customer elects to enable or leverage Third-Party Applications to integrate with the Services, then it does so at its own risk and Yugabyte has no responsibility for any Customer Personal Information Processed by or through these respective Third-Party Applications, nor is Yugabyte a co-processor, Subprocessor, or Controller with respect to any Customer Personal Information processed by or on behalf of Customer through the respective third-party or through any Third-Party applications.
TRANSFERS
1. Prohibition on Transfers of GDPR Personal Data. GDPR Personal Data from Customer’s establishments in the EEA may only be exported or accessed by Yugabyte or its Subprocessors outside the EEA (the “International Transfer”):
  1. if the recipient, or the country or territory in which it Processes GDPR Personal Data, ensures an adequate level of protection for the rights and freedoms of Data Subjects in relation to the Processing of GDPR Personal Data as determined by the European Commission; or
  2. in accordance with Section 4.2.
2. Standard Contractual Clauses
  1. The Standard Contractual Clauses apply where there is an International Transfer to a country or territory that does not ensure an adequate level of protection for the rights and freedoms of Data Subjects in relation to the processing of GDPR Personal Data as determined by the European Commission.
  2. For Subprocessors based outside the EEA and outside any country for which the European Commission has published an adequacy decision (the “Third Country Subprocessors”), Yugabyte will enter into an unchanged version of the Standard Contractual Clauses with Third Country Subprocessors prior to the Subprocessor’s processing of GDPR Personal Data. Customer hereby accedes to the Standard Contractual Clauses between Yugabyte and the Third Country Subprocessor. Yugabyte will enforce the Standard Contractual Clauses against the Subprocessor on behalf of Customer if a direct enforcement right is not available under European Data Protection Laws.
  3. If there is an inconsistency between any of the provisions of this DPA and the provisions of the Standard Contractual Clauses, the provisions of the Standard Contractual Clauses shall prevail.
DATA SECURITY, AUDITS AND SECURITY NOTIFICATIONS
1. Yugabyte Security Obligations. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Yugabyte shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk including, where applicable by virtue of Article 28(3)(c) of the GDPR, and as appropriate, the measures referred to in Article 32(1) of the GDPR. Without limiting the generality of the foregoing, Yugabyte shall put in place and maintain the technical and organizational measures as set out in ANNEX 2 of this DPA.
2. Security Audits. Yugabyte audits its compliance with data protection and information security standards on at least an annual basis. Subject to obligations of confidentiality, Yugabyte will make available to Customer a summary of its most recent relevant and applicable audit reports and/or supporting documentation reasonably required by Customer so that Customer can verify Yugabyte’s compliance with this DPA. To the extent that the audit reports and/or supporting documentation provided by Yugabyte do not validate Yugabyte’s compliance with its obligations under this DPA, Customer may conduct a remote or on-site audit of Yugabyte’s compliance with this DPA which shall be limited to once per calendar year, unless requested by a Supervisory Authority or in the event that Yugabyte is subject to a Security Incident caused by Yugabyte’s failure to meet its obligations under the Agreement or this DPA. Any such audit shall be conducted by an independent reputable third-party chosen by Customer and reasonably acceptable to Yugabyte. Before the commencement of any such audit, Customer shall provide Yugabyte with a detailed proposed audit plan which at a minimum will include a detailed description of the scope of the audit, duration of the audit, and the proposed commencement date of the audit. Yugabyte shall review Customer’s proposed audit plan and provide Customer with any concerns or questions regarding the audit plan; the Parties agree to work collaboratively to reach an agreement on a final audit plan. The results of the audit and all information reviewed during any such audit shall be considered Yugabyte Confidential Information and shall be protected by Customer and Customer’s third-party auditors in accordance with the confidentiality provisions noted in the Agreement and this DPA. Notwithstanding anything to the contrary, Customer’s auditor may only disclose to the Customer specific violations of this DPA, if any, and the basis for such findings, and shall not disclose to Customer any of the records or information reviewed during the audit. The Parties agree that any audits pursuant to clause 5(f) of the Standard Contractual Clauses will comply with the terms and conditions of this Section 5.2.
3. Security Incident Notification. If Yugabyte becomes aware of a Security Incident affecting Customer Personal Information, then Yugabyte shall notify Customer without undue delay , take any additional steps that are reasonably necessary to remedy any non-compliance with this DPA, including complying with all applicable requirements of the Agreement, and reasonably cooperate with Customer in the investigation of the Security Incident. Yugabyte’s obligation to report or respond to a Security Incident shall not be construed as an acknowledgement of any fault by Yugabyte with respect to the Security Incident.
4. Yugabyte Employees and Personnel. Yugabyte shall limit access to Customer Personal Information to those employees or other personnel who have a business need to have access to such Customer Personal Information. Further, Yugabyte shall ensure that such employees or other personnel have agreed in writing to protect the confidentiality and security of such Customer Personal Information in accordance with the provisions of this DPA.
5. Government Disclosure. Yugabyte shall promptly notify Customer of any request for the disclosure of Customer Personal Information by a governmental or regulatory body or law enforcement authority (including any data protection supervisory authority) unless otherwise prohibited by law or a legally binding order of such body or agency.
ACCESS REQUESTS AND DATA SUBJECT RIGHTS
1. Data Subject Requests. Unless otherwise required by applicable law, Yugabyte shall promptly notify Customer of any request received by Yugabyte or any Subprocessor from a data subject in respect of Customer Personal Information and shall not respond to the data subject.
2. Data Subject Rights. Yugabyte shall, where possible, assist Customer with ensuring its compliance under applicable Data Protection Laws by implementing appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of Customer’s obligation to respond to requests for exercising data subject rights laid down in the Data Protection Laws. In particular, Yugabyte shall, where possible:
  1. provide Customer with the ability to correct, delete, block, access, or copy Customer Personal Information, or
  2. promptly correct, delete, block, access, or copy Customer Personal Information within the Services at Customer’s request.
DATA PROTECTION IMPACT ASSESSMENT AND PRIOR CONSULTATION
1. Where applicable by virtue of the Data Protection Laws, Yugabyte shall provide reasonable assistance to Customer with any data protection impact assessments and with any prior consultations to any regulatory authority of Customer which are referred, in each case solely in relation to Processing of Customer Personal Information and taking into account the nature of the Processing and information available to Yugabyte.
DURATION AND TERMINATION
1. Return of Customer Personal Information. Yugabyte shall afford Customer thirty (30) days from the termination or expiration of the Agreement to request in writing the return of Customer Personal Information in a format technically feasible and practical for Yugabyte. Subject to the foregoing, Yugabyte shall return a copy of all Customer Personal Information by secure file transfer or other secure transfer mechanism as agreed to by the Parties within thirty (30) days of receipt of a timely return request.
2. Deletion of Customer Personal Information.. Subject to Section 8.2 below, Yugabyte shall, within ninety (90) days of the date of termination of the Agreement:
  1. delete and use all reasonable efforts to procure the deletion of all other copies of Customer Personal Information Processed by Yugabyte or any Subprocessors.
3. Yugabyte and its Subprocessors may retain Customer Personal Information to the extent required by applicable laws and only to the extent and for such period as required by applicable laws and always provided that Yugabyte shall ensure the confidentiality of all such Customer Personal Information and shall ensure that such Customer Personal Information is only Processed as necessary for the purpose(s) specified in the applicable laws requiring its storage and for no other purpose.
LAW AND JURISDICTION
1. Where the GDPR is applicable to the Processing of Customer Personal Information under this DPA, this DPA shall be governed by, and construed in accordance with the law of the Member State in which Customer is established or, where Customer is established in the United Kingdom or Switzerland, English law or Swiss law respectively. In all other cases, this DPA shall be governed by the same law as the Agreement.
MISCELLANEOUS
1. Amendment. The Parties acknowledge that the foregoing provisions are designed to comply with the mandates of Data Protection Laws. No change, amendment, or modification of this DPA shall be valid unless set forth in writing and agreed to by both Parties. Notwithstanding the foregoing, the Parties acknowledge that privacy and data protection laws are rapidly evolving and that amendment of this DPA may be required to ensure compliance with such developments. The Parties specifically agree to take such action as may be reasonably necessary from time to time for the Parties to comply with applicable Data Protection Laws.
2. Interpretation. Any ambiguity in this Agreement shall be resolved to permit the Parties to comply with the Data Protection Laws.
3. Effect of Agreement. In the event of any inconsistency between the provisions of this DPA and the Agreement, the provisions of the DPA shall control. In the event of inconsistency between the provisions of this DPA and mandatory provisions of the Data Protection Laws, or their interpretation by any court or regulatory agency with authority over Customer or Yugabyte, such interpretation shall control. Where provisions of this DPA are different from those mandated in the Data Protection Laws but are nonetheless permitted by such rules as interpreted by courts or agencies, the provisions of this DPA shall control.
4. General. If any part of a provision of this DPA is found to be illegal or unenforceable, it shall be enforced to the maximum extent permissible, and the legality and enforceability of the remainder of that provision and all other provisions of this DPA shall not be affected. All notices relating to the Parties’ legal rights and remedies under this DPA shall be provided in writing to a Party, shall be sent to its address or email address set forth in the signature block below, or to such other address or email address as may be designated by that Party by notice to the sending Party, and shall reference this DPA. Nothing in this DPA shall confer any right, remedy or obligation upon anyone other than Customer and Yugabyte. This DPA is the complete and exclusive agreement between the Parties with respect to the subject matter hereof, superseding and replacing all prior agreements, communications and understandings (written and oral) regarding its subject matter.

ANNEX 1
DETAILS OF THE PROCESSING

This ANNEX 1 includes certain details of the Processing of GDPR Personal Data as required by Article 28(3) of the GDPR.

In providing Services, Yugabyte does not intentionally process GDPR Personal Data. Customer may process such GDPR Personal Data through the Services, but the nature and extent of such Processing is solely determined and controlled by Customer.

Data Exporter

The Customer subscribed to the Services that include Processing of GDPR Personal Data.

Data Importer

Yugabyte and its Subprocessors.

Data Subjects

Unless provided otherwise by the Data Exporter, transferred GDPR Personal Data relates to the following categories of data subjects:

Customers, business partners, and vendors of the Data Exporter (who are natural persons)
Employees or contract persons of Data Exporter customers, business partners, and vendors.
Agents, advisors, or any user authorized by the Data Exporter to use the Service (who are natural persons)

Data Categories

Customer determines the categories of data entered onto the Services. The transferred GDPR Personal Data typically relates to the following categories of data:

Name
Business Contact Information (company, title or position, email address, phone numbers, physical business address)
Personal Contact Information (email address, phone numbers, physical personal address)
Localization data
Authentication data
Pictures and Videos (which are not classified as Special Categories of Data under the European Data Protection Laws.)
Connection Data
System access / usage / authorization data,

Special Categories of Data

The personal data transferred could concern the following special categories of data:

None. Data Exporter agrees not to submit any Customer Personal Information which would be considered Special Categories of Data under the European Data Protection Laws.

Processing Operations

The transferred GDPR Personal Data is subject to the following basic processing activities:

The basic processing activities of Customer Personal Information which is GDPR Personal Data by the Data Importer is the provision and maintenance of the Services pursuant to the Agreement entered into by the Parties.

ANNEX 2
Technical and Organisational Security Measures

Data Importer maintains internal policies and procedures, and procures that its Subprocessors also maintain internal policies and procedures that are materially consistent with this Annex where applicable, which are designed to:

secure any Customer Personal Information Processed by Data Importer against accidental or unlawful loss, access, or disclosure;
identify reasonably foreseeable and internal risks to security and unauthorised access to any Customer Personal Information Processed by Data Importer; and
minimise security risks, including through risk assessments and regular testing.

These measures may include:

Preventing unauthorised persons from gaining access to Data Importer’s information systems that are used to Process Customer Information Systems (physical access control) by taking measures such as:
- Documenting security and other incidents (maintaining an incident log);
- Protecting and managing physical access to assets and facilities; and
- Implementing and maintaining security controls for each computer room and/or data centre and any area containing Customer Personal Information which includes but is not limited to the establishment of secure areas, securing data processing equipment, providing industry standard access controls to facilities that Process Customer Personal Information, the implementation of alarm systems, and other security measures as appropriate.
- Ensuring all access to facilities that Process Customer Personal Information is logged and monitored.
Preventing data processing systems from being used without authorisation (logical access control) by taking measures such as:
- Using appropriate network security devices such as i routers and firewalls;
- Periodic review of user access to Data Importer information systems which Process Customer Personal Information;
- Secure log-in with unique credentials for each Data Importer authorized user, including multi-factor authentication (MFA) while accessing any public entry point to Data Importer’s information technology infrastructure;
- automatic disablement of user credentials when several consecutive failed attempts are made to access a user terminal.
- dedication of individual terminals and/or terminal user accounts with permissions granted on the need-to-know principle.
- formalized change control management procedures for any changes that occur to Data Importer information systems.
- use of firewall technology, either application or physical.
- annual vulnerability and penetration tests of Data Importer information systems used to Process Customer Personal Information.
- Locking of unattended workstations;
- Role-based access for critical systems containing Customer Personal Information;
- Implementing and maintaining a process for routine system updates for known vulnerabilities;
- Monitoring for security vulnerabilities on critical systems and applications;
- Deployment and updating of antivirus software on Data Importer’s workstations that access Data Importer’s information systems that Process Customer Personal Information; and
- Compliance with applicable laws, regulations and industry standards as applicable to the performance of the Agreement and this DPA.
Ensuring that persons entitled to use a data processing system can gain access only to the data to which they have a right of access, and that, in the course of processing or use and after storage, Customer Personal Information cannot be read, copied, modified or deleted without authorisation (access control to data) by taking measures such as:
- Using appropriate network security devices such as routers and firewalls;
- Monitoring the network to detect potential cybersecurity events ;
- Secure log-in with unique user-ID/password for each of Data Importer’s authorized users, including multi-factor authentication (MFA) while accessing any public entry point to Data Importer’s information technology infrastructure that Processes Customer Personal Information;
- Logging and analysis of access to Data Importer’s information systems used to Process Customer Personal Information;
- Role-based access for critical systems containing Customer Personal Information;
- Deployment and updating of antivirus software on Data Importer’s workstations;
- Maintaining a documented incident response plan that addresses actions to be carried out should a Security Incident occur;
- Maintaining documented policy and procedure for record retention and destruction; and
- Implementing and maintaining response and recovery procedures which are tested on at least an annual basis in the event of a disaster.
Ensuring that Customer Personal Information cannot be read, copied, modified or deleted without authorisation during electronic transmission, transport or storage and that all data transmissions are logged, monitored, and tracked as is technically feasible and practicable (data transfer control) by taking measures such as:
- Where appropriate in light of the types or nature of the data processed, encryption of communication and encryption of data in storage which is under the Data Importer’s control,
- Tunnelling (VPN = Virtual Private Network)
- FSecure transport containers in case of physical transport.
- Logging of the transmission of Customer Personal Information as is technically feasible and practicable for Data Importer.
- Logical network isolation of Data Importer systems that Process Customer Personal Information from other Data Importer customer environments.
Ensuring that Customer Personal Information is protected against accidental destruction or loss (availability control) to the extent that is under the Data Importer’s control by taking measures such as:
- Maintaining backup procedures
- redundant servers and/or information system infrastructure in a separate location
- Maintaining uninterruptible power supply and auxiliary power systems
- Climate monitoring and control for information technology infrastructure including but not limited to, fire resistant doors, fire and smoke detection, fire extinguishing system,
- Anti-virus on Workstations connecting to Data Importer systems that Process Customer Personal Information.
- Firewall systems
- Disaster Recovery Plans which include Recovery Time Objectives (RTO) and Recovery Point Objections (RPO) that are tested on at least an annual basis .
- Implementation of denial of service (DOS) preventative and/or remediation measures.
Ensuring suitable measures to monitor Data Importer’s systems administrators to ensure that the Data Importer’s systems administrators act in accordance with the Data Exporter’s instructions by taking measures such as:
- Formal assignment of systems administrator based on job duties and the need-to-know principle.
- Logging of actions taken by a respective systems administrator as is technically feasible and practicable.
- Maintaining a list of a respective systems administrator’s identification details.
- Auditing on at least a quarterly basis any Data Importer user personnel’s access to the Data Importer’s production environment to ensure Data Importer user personnel that have access to the environment are still authorized to access Data Importer information systems that Process Customer Personal Information.
Ensuring that data collected for different purposes or different principals can be processed separately (separation control) by taking measures such as:
- Ensuring the separation of development, quality assurance, and production environments.
- Prohibiting the use of Processing Customer Personal Information in Data Exporter’s non-production environment.
- Logical network isolation of Data Importer systems that Process Customer Personal Information from other Data Importer customer environments.

ANNEX 3

INTERNATIONAL DATA TRANSFERS – RISK ASSESSMENT TEMPLATE

Yugabyte provides the information below to enable Customer to perform the risk assessment pursuant to Section 4.1 of these Terms of Data Processing.

OVERVIEW
Date		Effective Date of the Agreement
Entity name		YugaByte, Inc.
Brief description of transfer (Please indicate the scale and regularity of transfers in this regard)		See Annex 1.
Data privacy role in regard to the data processing for us (e.g. data processor)		Data Processor
Current legal mechanism for the international transfer (e.g. Standard Contractual Clauses, Article 49 General Data Protection Regulation)		Standard Contractual Clauses
A. SYSTEMATIC DESCRIPTION OF THE DATA PROCESSING
Describe the nature, scope and context of the data processing		Yugabyte processes Customer Personal Information in order to deliver the Services to Customer.
Purposes of the data processing		See Annex 1.
Functional/technical description of the data processing		See Annex 1.
Categories of personal data being processed		See Annex 1.
Number of datasets that are being processed		Customer shall provide datasets from time to time as needed in connection with Yugabyte’s delivery of the Services. The number of datasets that are being processed are solely determined by the Customer.
The recipients of the personal data		Company entities	Yugabyte
		Vendors	https://www.yugabyte.com/yugabyte-cloud-subprocessors/
Assets on which the personal data sits (e.g. hardware, software, networks, people, paper or paper transmission channels)		Customer Personal Information is stored on Yugabyte’s subprocessor(s) infrastructure.
B. REGULATORY FRAMEWORK
Factors relevant to the assessment		Analysis
Applicable regulatory regime		U.S. Law
Safeguard offered by local data privacy laws		None (regarding non-U.S. persons)
Risks posed by laws authorizing authorities to access or conduct surveillance on personal data for security or other reasons (including laws applicable to company’s cloud service or other communication providers)	Foreign Intelligence Surveillance Act, Sec. 702	Risk of surveillance mainly on U.S. soil.
	Executive Order 12333 & Presidential Policy Directive 28	Risk of surveillance mainly during transit to/through the U.S.
	[Applicable Law 3] (please indicate if other applicable laws pose any similar risks, e.g. applicable sector-specific laws)	Yugabyte is not aware of any further laws applicable in this respect.
Access to judicial process to protect data subject rights		None (regarding non-U.S. persons); merely generalized judicial review of FISA surveillance decisions by the FISC
Role of regulators and supervisory authorities in protecting data		None (regarding non-U.S. persons)
Ability of individuals to raise complaints, appeal and enforce decisions		None (regarding non-U.S. persons)
C. REQUEST FOR INFORMATION
Factors relevant to the assessment		Analysis
Note: Please indicate if you are under a legal obligation not to answer one of the following questions.
Please indicate whether you qualify as an electronic communication service provider within the meaning of 50 USC § 1881(b)(4) (i.e. as a telecommunications carrier, provider of electronic communication service, provider of a remote computing service, any other communication service provider who has access to wire or electronic communications either as such communications are transmitted or as such communications are stored or an officer, employee, or agent of any such entity)		There is a risk, even though not probable, that Yugabyte may qualify as an Electronic Communication Service Provider in the meaning of 50 USC § 1881 (b) (4) due to the hosted software services it currently provides to its Customers or may provide in the future.
Please indicate whether you have been subject to additional government requests for customer data.		Never.
Please indicate whether you cooperate in any respect with US authorities conducting surveillance of communications under EO 12.333, should this be mandatory or voluntary.		No, this has never been requested.
Please indicate whether you periodically issue transparency reports including Information on data access requests in regard to the U.S.		No.
D. MITIGATING MEASURES
Please indicate whether you have implemented any safeguards to mitigate the risk associated with the data transfer (e.g. encryption).		Yes.
If applicable, describe these measures as precise as possible.		See Annex 2.

SCHEDULE 1
Standard Contractual Clauses (Processors)

For the purposes of this SCHEDULE 1, references to the “data exporter” and “data importer” shall be to Customer and to Yugabyte respectively (each a “party”; together “the parties”).

Clause 1

Definitions

For the purposes of the Clauses:

(a) ‘personal data’, ‘special categories of data’, ‘process/processing’, ‘controller’, ‘processor’, ‘data subject’ and ‘supervisory authority’ shall have the same meaning as in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data;

(b) ‘the data exporter’ means the controller who transfers the personal data;

(c) ‘the data importer’ means the processor who agrees to receive from the data exporter personal data intended for processing on his behalf after the transfer in accordance with his instructions and the terms of the Clauses and who is not subject to a third country’s system ensuring adequate protection within the meaning of Article 25(1) of Directive 95/46/EC;

(d) ‘the subprocessor’ means any processor engaged by the data importer or by any other subprocessor of the data importer who agrees to receive from the data importer or from any other subprocessor of the data importer personal data exclusively intended for processing activities to be carried out on behalf of the data exporter after the transfer in accordance with his instructions, the terms of the Clauses and the terms of the written subcontract;

(e) ‘the applicable data protection law’ means the legislation protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of personal data applicable to a data controller in the Member State in which the data exporter is established;

(f) ‘technical and organisational security measures’ means those measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.

Clause 2

Details of the transfer

The details of the transfer and in particular the special categories of personal data where applicable are specified in Appendix A which forms an integral part of the Clauses.

Clause 3

Third-party beneficiary clause

The data subject can enforce against the data exporter this Clause, Clause 4(b) to (i), Clause 5(a) to (e), and (g) to (j), Clause 6(1) and (2), Clause 7, Clause 8(2), and Clauses 9 to 12 as third-party beneficiary.
The data subject can enforce against the data importer this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where the data exporter has factually disappeared or has ceased to exist in law unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity.
The data subject can enforce against the subprocessor this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity. Such third-party liability of the subprocessor shall be limited to its own processing operations under the Clauses.
The parties do not object to a data subject being represented by an association or other body if the data subject so expressly wishes and if permitted by national law.

Clause 4

Obligations of the data exporter

The data exporter agrees and warrants:

(a) that the processing, including the transfer itself, of the personal data has been and will continue to be carried out in accordance with the relevant provisions of the applicable data protection law (and, where applicable, has been notified to the relevant authorities of the Member State where the data exporter is established) and does not violate the relevant provisions of that State;

(b) that it has instructed and throughout the duration of the personal data processing services will instruct the data importer to process the personal data transferred only on the data exporter’s behalf and in accordance with the applicable data protection law and the Clauses;

(c) that the data importer will provide sufficient guarantees in respect of the technical and organisational security measures specified in Appendix B to this contract;

(d) that after assessment of the requirements of the applicable data protection law, the security measures are appropriate to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected having regard to the state of the art and the cost of their implementation;

(e) that it will ensure compliance with the security measures;

(f) that, if the transfer involves special categories of data, the data subject has been informed or will be informed before, or as soon as possible after, the transfer that its data could be transmitted to a third country not providing adequate protection within the meaning of Directive 95/46/EC;

(g) to forward any notification received from the data importer or any subprocessor pursuant to Clause 5(b) and Clause 8(3) to the data protection supervisory authority if the data exporter decides to continue the transfer or to lift the suspension;

(h) to make available to the data subjects upon request a copy of the Clauses, with the exception of Appendix B, and a summary description of the security measures, as well as a copy of any contract for subprocessing services which has to be made in accordance with the Clauses, unless the Clauses or the contract contain commercial information, in which case it may remove such commercial information;

(i) that, in the event of subprocessing, the processing activity is carried out in accordance with Clause 11 by a subprocessor providing at least the same level of protection for the personal data and the rights of data subject as the data importer under the Clauses; and

(j) that it will ensure compliance with Clause 4(a) to (i).

Clause 5

Obligations of the data importer

The data importer agrees and warrants:

(a) to process the personal data only on behalf of the data exporter and in compliance with its instructions and the Clauses; if it cannot provide such compliance for whatever reasons, it agrees to inform promptly the data exporter of its inability to comply, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;

(b) that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the Clauses, it will promptly notify the change to the data exporter as soon as it is aware, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;

(c) that it has implemented the technical and organisational security measures specified in Appendix B before processing the personal data transferred;

(d) that it will promptly notify the data exporter about:

(i) any legally binding request for disclosure of the personal data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation,

(ii) any accidental or unauthorised access, and

(iii) any request received directly from the data subjects without responding to that request, unless it has been otherwise authorised to do so;

(e) to deal promptly and properly with all inquiries from the data exporter relating to its processing of the personal data subject to the transfer and to abide by the advice of the supervisory authority with regard to the processing of the data transferred;

(f) at the request of the data exporter to submit its data processing facilities for audit of the processing activities covered by the Clauses which shall be carried out by the data exporter or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality, selected by the data exporter, where applicable, in agreement with the supervisory authority;

(g) to make available to the data subject upon request a copy of the Clauses, or any existing contract for subprocessing, unless the Clauses or contract contain commercial information, in which case it may remove such commercial information, with the exception of Appendix B which shall be replaced by a summary description of the security measures in those cases where the data subject is unable to obtain a copy from the data exporter;

(h) that, in the event of subprocessing, it has previously informed the data exporter and obtained its prior written consent;

(i) that the processing services by the subprocessor will be carried out in accordance with Clause 11;

(j) to send promptly a copy of any subprocessor agreement it concludes under the Clauses to the data exporter.

Clause 6

Liability

The parties agree that any data subject, who has suffered damage as a result of any breach of the obligations referred to in Clause 3 or in Clause 11 by any party or subprocessor is entitled to receive compensation from the data exporter for the damage suffered.
If a data subject is not able to bring a claim for compensation in accordance with paragraph 1 against the data exporter, arising out of a breach by the data importer or his subprocessor of any of their obligations referred to in Clause 3 or in Clause 11, because the data exporter has factually disappeared or ceased to exist in law or has become insolvent, the data importer agrees that the data subject may issue a claim against the data importer as if it were the data exporter, unless any successor entity has assumed the entire legal obligations of the data exporter by contract of by operation of law, in which case the data subject can enforce its rights against such entity.

The data importer may not rely on a breach by a subprocessor of its obligations in order to avoid its own liabilities.
If a data subject is not able to bring a claim against the data exporter or the data importer referred to in paragraphs 1 and 2, arising out of a breach by the subprocessor of any of their obligations referred to in Clause 3 or in Clause 11 because both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, the subprocessor agrees that the data subject may issue a claim against the data subprocessor with regard to its own processing operations under the Clauses as if it were the data exporter or the data importer, unless any successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law, in which case the data subject can enforce its rights against such entity. The liability of the subprocessor shall be limited to its own processing operations under the Clauses.

Clause 7

Mediation and jurisdiction

The data importer agrees that if the data subject invokes against it third-party beneficiary rights and/or claims compensation for damages under the Clauses, the data importer will accept the decision of the data subject:
1. (a) to refer the dispute to mediation, by an independent person or, where applicable, by the supervisory authority;
2. (b) to refer the dispute to the courts in the Member State in which the data exporter is established.
The parties agree that the choice made by the data subject will not prejudice its substantive or procedural rights to seek remedies in accordance with other provisions of national or international law.

Clause 8

Cooperation with supervisory authorities

The data exporter agrees to deposit a copy of this contract with the supervisory authority if it so requests or if such deposit is required under the applicable data protection law.
The parties agree that the supervisory authority has the right to conduct an audit of the data importer, and of any subprocessor, which has the same scope and is subject to the same conditions as would apply to an audit of the data exporter under the applicable data protection law.
The data importer shall promptly inform the data exporter about the existence of legislation applicable to it or any subprocessor preventing the conduct of an audit of the data importer, or any subprocessor, pursuant to paragraph 2. In such a case the data exporter shall be entitled to take the measures foreseen in Clause 5 (b).

Clause 9

Governing Law

The Clauses shall be governed by the law of the Member State in which the data exporter is established.

Clause 10

Variation of the contract

The parties undertake not to vary or modify the Clauses. This does not preclude the parties from adding clauses on business related issues where required as long as they do not contradict the Clause.

Clause 11

Subprocessing

The data importer shall not subcontract any of its processing operations performed on behalf of the data exporter under the Clauses without the prior written consent of the data exporter. Where the data importer subcontracts its obligations under the Clauses, with the consent of the data exporter, it shall do so only by way of a written agreement with the subprocessor which imposes the same obligations on the subprocessor as are imposed on the data importer under the Clauses. Where the subprocessor fails to fulfil its data protection obligations under such written agreement the data importer shall remain fully liable to the data exporter for the performance of the subprocessor’s obligations under such agreement.
The prior written contract between the data importer and the subprocessor shall also provide for a third-party beneficiary clause as laid down in Clause 3 for cases where the data subject is not able to bring the claim for compensation referred to in paragraph 1 of Clause 6 against the data exporter or the data importer because they have factually disappeared or have ceased to exist in law or have become insolvent and no successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law. Such third-party liability of the subprocessor shall be limited to its own processing operations under the Clauses.
The provisions relating to data protection aspects for subprocessing of the contract referred to in paragraph 1 shall be governed by the law of the Member State in which the data exporter is established.
The data exporter shall keep a list of subprocessing agreements concluded under the Clauses and notified by the data importer pursuant to Clause 5 (j), which shall be updated at least once a year. The list shall be available to the data exporter’s data protection supervisory authority.

Clause 12

Obligation after the termination of personal data processing services

The parties agree that on the termination of the provision of data processing services, the data importer and the subprocessor shall, at the choice of the data exporter, return all the personal data transferred and the copies thereof to the data exporter or shall destroy all the personal data and certify to the data exporter that it has done so, unless legislation imposed upon the data importer prevents it from returning or destroying all or part of the personal data transferred. In that case, the data importer warrants that it will guarantee the confidentiality of the personal data transferred and will not actively process the personal data transferred anymore.
The data importer and the subprocessor warrant that upon request of the data exporter and/or of the supervisory authority, it will submit its data processing facilities for an audit of the measures referred to in paragraph 1.

APPENDIX A

Data exporter

The data exporter is Customer.

Data importer

The data importer is Yugabyte.

Data subjects

The GDPR Personal Data transferred concern the categories of data subjects identified in Annex 1 to this DPA.

Categories of data

The GDPR Personal Data transferred concern the categories of data identified in Annex 1 to this DPA.

Processing operations

The GDPR Personal Data transferred will be subject to the following basic processing activities identified in Annex 1 to this DPA.

APPENDIX B

TECHNICAL AND ORGANISATIONAL SECURITY MEASURES

The data importer implements the technical and organisational security measures identified in Annex 2 to this DPA.

YugabyteDB Managed Data Processing Addendum – September 8, 2021