Last Updated: October 16, 2024
Prior versions of this YugabyteDB Aeon Data Processing Addendum are available here.
This Data Processing Addendum (“DPA“) forms part of the YugabyteDB Aeon Terms of Service between Yugabyte and Customer for the YugabyteDB Aeon database software as a service (the “Agreement“). All capitalized terms not defined in this DPA have the meanings set forth in the Agreement.
- DEFINITIONS
- “APPI” means the Act on the Protection of Personal Information (Act No. 57 of May 30, 2003) of Japan, including any amendments and any implementing regulations thereto;
- “APPI Personal Data” means “personal data” as such term is defined by the APPI;
- “CCPA” means the California Consumer Privacy Act, Cal. Civ. Code §§ 1798.100 et seq., including any amendments and any implementing regulations thereto;
- “CCPA Personal Information” means “personal information” as such term is defined by the CCPA, including any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household;
- “Customer Personal Information” means the APPI Personal Data, CCPA Personal Information, GDPR Personal Data, PDPA Personal Data and PIPA Personal Information that Yugabyte Processes on behalf of Customer, in each case in connection with Yugabyte’s provision of the Services. For the avoidance of doubt, Customer Personal Information may include the APPI Personal Data, CCPA Personal Information, GDPR Personal Data, PDPA Personal Data and/or PIPA Personal Information that Customer directs Yugabyte to Process on behalf of Customer’s own clients;
- “Controller” means the entity which, alone or jointly with others, determines the purposes and means of the Processing of APPI Personal Data, GDPR Personal Data, PDPA Personal Data and/or PIPA Personal Information;
- “Data Protection Laws” means all applicable laws, regulations and other legal requirements currently in effect, or as they become effective, relating in any way to the privacy, confidentiality, or security of Personal Data, including the European Data Protection Laws, the CCPA, the APPI, the PDPA and the PIPA;
- “EEA” means the Member States of the European Union together with Iceland, Norway, and Liechtenstein;
- “European Data Protection Laws” means the EU General Data Protection Regulation 2016/679 of the European Parliament and of the Council (the “GDPR“), the UK Data Protection Act, the UK General Data Protection Regulation, and any applicable national legislation implementing or supplementing the foregoing, in each case as amended, replaced or superseded from time to time, and all other applicable legislation protecting the fundamental rights and freedoms of persons and their right to privacy with regard to the Processing of GDPR Personal Data;
- “GDPR Personal Data” means “personal data” as such term is defined by the European Data Protection Laws, including any information relating to an identified or identifiable individual or device (a “Data Subject“);
- “PIPA” means the Personal Information Protection Act of South Korea;
- “PIPA Personal Information” means “personal information” as such term is defined by the PIPA;
- “PDPA” means the Personal Data Protection Act 2012 of Singapore;
- “PDPA Personal Data” shall have the meaning given in the PDPA, presently defined to refer to any data, whether true or not, about an individual who can be identified from that data, or from that data and other information to which an organization has or is likely to have access;
- “PDPC” means the Personal Data Protection Commission of Singapore;
- “Processing” means any operation or set of operations which is performed on Customer Personal Information, or on sets of Customer Personal Information, whether or not by automated means, and “Process” will be interpreted accordingly;
- “Processor” means an entity that Processes Customer Personal Information on behalf of a Controller;
- “Security Incident” means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, any Customer Personal Information, including without limitation any “data breach” as such term is defined under the PDPA;
- “Sell” shall have the meaning given in the CCPA;
- “Services” means the service(s) provided by Yugabyte to Customer under the Agreement;
- “Service Provider” shall have the meaning given in the CCPA;
- “Standard Contractual Clauses” means the applicable standard contractual clauses identified in ANNEX 4 of this DPA;
- “Subprocessor” means an entity that Processes Customer Personal Information on behalf of a Processor; and
- “UK” means the United Kingdom.
- “Yugabyte” means YugabyteDB, Inc.
- DATA PROCESSING
- Role of the Parties. The Parties acknowledge and agree that:
- for the purposes of the CCPA, Yugabyte will act as a Service Provider in its performance of its obligations pursuant to the Agreement; and
- for the purposes of Data Protection Laws other than the CCPA, to the extent applicable, Yugabyte acts as a Processor and Customer acts as the Controller of Customer Personal Information (except when Customer is itself a Processor of the Customer Personal Information, in which case Yugabyte is a Subprocessor).
- Instructions for Data Processing. Yugabyte will, subject to Section 2.3, only collect, retain, use, Sell, disclose, release, transfer, make available or otherwise Process Customer Personal Information in accordance with:
- the Agreement, to the extent necessary to provide the Services to Customer; and
- Customer’s written instructions, including as set forth in ANNEX 1 to this DPA.
Notwithstanding the foregoing, nothing in this DPA shall restrict Yugabyte’s ability to Process Customer Personal Information in anonymous format.
- Yugabyte may Process Customer Personal Information to the extent required by:
- applicable laws to which Yugabyte is subject;
- where Customer is established in the EEA, or the Processing of such Customer Personal Information by Customer falls within the scope of the GDPR, applicable EEA Member State laws;
- where Customer is established in the United Kingdom, or the Processing of such Customer Personal Information by Customer falls within the scope of the UK Data Protection Act 2018, applicable law in the United Kingdom, in which case Yugabyte shall, unless prohibited by such applicable laws on important grounds of public interest, inform Customer of that legal requirement before Processing that Customer Personal Information; or
- where Customer is established in Japan, Singapore and/or South Korea, or the Processing of such Customer Personal Information by Customer falls within the scope of the APPI, the PDPA, and/or the PIPA, applicable law in the relevant jurisdiction(s).
- Customer shall provide all applicable notices to Data Subjects required under applicable Data Protection Laws for the lawful Processing of Customer Personal Information by Yugabyte in accordance with the Agreement.
- Customer will obtain any consents required under applicable Data Protection Laws for the lawful Processing of Customer Personal Information by Yugabyte in accordance with the Agreement.
- Customer agrees to defend, indemnify and keep indemnified, and hold harmless, at its own expense, Yugabyte against all costs, claims, damages and expenses incurred by Yugabyte or for which Yugabyte may become liable due to any failure by Customer to comply with Section 2.4 and Section 2.5.
- Customer acknowledges that Yugabyte is reliant on Customer for direction as to the extent to which Yugabyte is entitled to use and process Customer Personal Information. Consequently, Yugabyte will not be liable for any claim brought against Customer by a Data Subject arising from any act or omission by Yugabyte to the extent that such act or omission resulted from Customer’s instructions or Customer’s use of the Services.
- To the extent the PIPA applies:
- In the event that Yugabyte or its Subprocessor is in breach of any obligations under this DPA and/or the PIPA, thereby causing damages to Customer or any third-party, Yugabyte shall compensate Customer or such third-party for the damages resulting therefrom.
- Where a third-party requests Customer to compensate for the damages incurred by Yugabyte or its Subprocessor under the PIPA, and Customer provides such compensation directly to the third-party, Customer may make an ex post facto claim for indemnification of the compensation amount against Yugabyte.
- To the extent the APPI applies, Yugabyte will not Process any Customer Personal Information that is subject to the APPI, even in anonymous format, with the knowledge of the substance of such Customer Personal Information.
- Role of the Parties. The Parties acknowledge and agree that:
- SUBPROCESSORS
- Consent to Subprocessor Engagement. Customer generally authorizes Yugabyte to engage Subprocessors in connection with the Processing of Customer Personal Information for the performance of the Agreement. Yugabyte will maintain a list of its Subprocessors at the following URL: https://www.yugabyte.com/yugabytedb-aeon-subprocessors/, and will add the names of new and replacement Processors as applicable from time to time. Yugabyte shall inform Customer of its intention to engage any new or replacement Subprocessors in writing at least fifteen (15) days in advance of the date of the intended commencement of the engagement. Customer may object to such intended engagement by giving written notice at the latest ten (10) days in advance of the date of the intended commencement of the engagement. If Customer objects to Yugabyte’s appointment of a Subprocessor on reasonable grounds relating to the protection of Personal Information, then either Yugabyte shall not appoint the Subprocessor to Process Customer Personal Information or Customer may elect to suspend or terminate this DPA. In all cases, Yugabyte shall impose substantially similar data protection terms on any Subprocessor it appoints as those provided for by this DPA, and Yugabyte shall remain fully liable for any breach of this DPA that is caused by an act, error, or omission of Subprocessor.
- Third-Party Applications. The Services may provide functionality which includes but is not limited to application programming interfaces, which allows Customer to integrate Customer authorized third-party products and applications with the Services (“Third-Party Applications”). Customer acknowledges and agrees that if Customer elects to enable or leverage Third-Party Applications to integrate with the Services, then it does so at its own risk and Yugabyte has no responsibility for any Customer Personal Information Processed by or through these respective Third-Party Applications, nor is Yugabyte a co-processor, Subprocessor, or Controller with respect to any Customer Personal Information processed by or on behalf of Customer through the respective third-party or through any Third-Party applications.
- TRANSFERS
- Prohibition on Transfers of GDPR Personal Data. GDPR Personal Data which are undergoing Processing or are intended for Processing after transfer to a third country outside of the EEA or UK, respectively, may only be exported to or accessed by Yugabyte or its Subprocessors (the “International Transfer”):
- if the recipient, or the country or territory in which it Processes GDPR Personal Data, ensures an adequate level of protection for the rights and freedoms of Data Subjects in relation to the Processing of GDPR Personal Data as determined by the European Commission for transfers from the EEA or the UK Secretary of State for transfers from the UK; or
- in accordance with Section 4.2.
- Standard Contractual Clauses
- The Standard Contractual Clauses apply, and are incorporated by reference into this DPA, where there is an International Transfer to a country or territory that does not ensure an adequate level of protection for the rights and freedoms of Data Subjects in relation to the processing of GDPR Personal Data as determined by the European Commission for transfers from the EEA or the UK Secretary of State for transfers from the UK.
- For Subprocessors based outside the EEA or UK and outside any country for which the European Commission or UK Secretary of State, respectively, has published an adequacy decision (the “Third Country Subprocessors”), Yugabyte will enter into appropriate Standard Contractual Clauses, as described in ANNEX 4 of this DPA, prior to the Subprocessor’s processing of GDPR Personal Data. Yugabyte will enforce the Standard Contractual Clauses against the Subprocessor on behalf of Customer if a direct enforcement right is not available under European Data Protection Laws.
- Prohibition on Transfers of PDPA Personal Data (if applicable). PDPA Personal Data which have been collected in Singapore and are undergoing Processing or are intended for Processing after transfer to a third country outside of Singapore, may only be exported or accessed by Yugabyte or its Subprocessors if the recipient, in the country or territory in which it Processes the PDPA Personal Data, is bound by legally enforceable obligations to provide an adequate level of protection for the rights and freedoms of Data Subjects that is comparable to the protection under the PDPA.
- Restriction of Transfers of APPI Personal Data. If the APPI is applicable to Customer, then Customer will obtain informed consent from Japanese Data Subjects in accordance with the APPI before transferring their APPI Personal Data outside of Japan.
- Prohibition on Transfers of GDPR Personal Data. GDPR Personal Data which are undergoing Processing or are intended for Processing after transfer to a third country outside of the EEA or UK, respectively, may only be exported to or accessed by Yugabyte or its Subprocessors (the “International Transfer”):
- DATA SECURITY, AUDITS AND SECURITY NOTIFICATIONS
- Yugabyte Security Obligations. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Yugabyte shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk including, where applicable by virtue of Article 28(3)(c) of the GDPR, and as appropriate, the measures referred to in Article 32(1) of the GDPR. Without limiting the generality of the foregoing, Yugabyte shall put in place and maintain the technical and organizational measures as set out in ANNEX 2 of this DPA.
- Security Audits. Yugabyte audits its compliance with data protection and information security standards on at least an annual basis. Subject to obligations of confidentiality, Yugabyte will make available to Customer a summary of its most recent relevant and applicable audit reports and/or supporting documentation reasonably required by Customer so that Customer can verify Yugabyte’s compliance with this DPA. To the extent that the audit reports and/or supporting documentation provided by Yugabyte do not validate Yugabyte’s compliance with its obligations under this DPA, Customer may conduct a remote or on-site audit of Yugabyte’s compliance with this DPA which shall be limited to once per calendar year, unless requested by the PDPC or another data protection supervisory authority or in the event that Yugabyte is subject to a Security Incident caused by Yugabyte’s failure to meet its obligations under the Agreement or this DPA. Any such audit shall be conducted by an independent reputable third-party chosen by Customer and reasonably acceptable to Yugabyte. Before the commencement of any such audit, Customer shall provide Yugabyte with a detailed proposed audit plan which at a minimum will include a detailed description of the scope of the audit, duration of the audit, and the proposed commencement date of the audit. Yugabyte shall review Customer’s proposed audit plan and provide Customer with any concerns or questions regarding the audit plan; the Parties agree to work collaboratively to reach an agreement on a final audit plan. The results of the audit and all information reviewed during any such audit shall be considered Yugabyte confidential information and shall be protected by Customer and Customer’s third-party auditors in accordance with the confidentiality provisions noted in the Agreement and this DPA. Notwithstanding anything to the contrary, Customer’s auditor may only disclose to the Customer specific violations of this DPA, if any, and the basis for such findings, and shall not disclose to Customer any of the records or information reviewed during the audit. The Parties agree that any audits pursuant to clause 8.9 of the Standard Contractual Clauses will comply with the terms and conditions of this Section 5.2.
- Security Incident Notification. If Yugabyte becomes aware of a Security Incident affecting Customer Personal Information, then Yugabyte shall notify Customer without undue delay, take any additional steps that are reasonably necessary to remedy any non-compliance with this DPA, including complying with all applicable requirements of the Agreement, and reasonably cooperate with Customer in the investigation of the Security Incident. Yugabyte’s obligation to report or respond to a Security Incident shall not be construed as an acknowledgement of any fault by Yugabyte with respect to the Security Incident.Further, in respect of a Security Incident affecting Customer Personal Information involving PDPA Personal Data, Yugabyte shall further assess, in a reasonable and expeditious manner, whether the Security Incident is a notifiable data breach under the PDPA and if so, shall notify the PDPC (in addition to the Customer and other affected individuals, if any) as soon as is practicable.
- Yugabyte Employees and Personnel. Yugabyte shall limit access to Customer Personal Information to those employees or other personnel who have a business need to have access to such Customer Personal Information. Further, Yugabyte shall ensure that such employees or other personnel have agreed in writing to protect the confidentiality and security of such Customer Personal Information in accordance with the provisions of this DPA and that such employees or other personnel receive periodic training as to the confidentiality and security measures set forth in this DPA.
- Government Disclosure. Yugabyte shall promptly notify Customer of any request for the disclosure of Customer Personal Information by a governmental or regulatory body or law enforcement authority (including any data protection supervisory authority) unless otherwise prohibited by law or a legally binding order of such body or agency.
- ACCESS REQUESTS AND DATA SUBJECT RIGHTS
- Data Subject Requests. Unless otherwise required by applicable law, Yugabyte shall promptly notify Customer of any request received by Yugabyte or any Subprocessor from a Data Subject in respect of Customer Personal Information and shall not respond to the Data Subject.
- Data Subject Rights. Yugabyte shall, where possible, assist Customer with ensuring its compliance under applicable Data Protection Laws by implementing appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of Customer’s obligation to respond to requests for exercising Data Subject rights laid down in the Data Protection Laws. In particular, Yugabyte shall:
- provide Customer with the ability to correct, delete, block, access, or copy Customer Personal Information;
- promptly correct, delete, block, access, or copy Customer Personal Information within the Services at Customer’s request; and
- use reasonable effort to ensure that the Customer Personal Information is accurate and complete, taking into account the nature, reliability, and currency of the Customer Personal Information, if the Customer Personal Information is likely to be used by the Yugabyte to make a decision that affects the Data Subject(s) concerned or disclosed by Yugabyte to another organization.
- DATA PROTECTION IMPACT ASSESSMENT AND PRIOR CONSULTATION
- Where applicable by virtue of the Data Protection Laws, Yugabyte shall provide reasonable assistance to Customer with any data protection impact assessments and with any prior consultations to any regulatory authority of Customer which are referred, in each case solely in relation to Processing of Customer Personal Information and taking into account the nature of the Processing and information available to Yugabyte.
- DURATION AND TERMINATION
- Return of Customer Personal Information. Yugabyte shall afford Customer thirty (30) days from the termination or expiration of the Agreement to request in writing the return of Customer Personal Information in a format technically feasible and practical for Yugabyte. Subject to the foregoing, Yugabyte shall return a copy of all Customer Personal Information by secure file transfer or other secure transfer mechanism as agreed to by the Parties within thirty (30) days of receipt of a timely return request.
- Deletion of Customer Personal Information. Subject to Section 8.3 below, Yugabyte shall, within ninety (90) days of the date of termination of the Agreement:
- delete and use all reasonable efforts to procure the deletion of all other copies of Customer Personal Information Processed by Yugabyte or any Subprocessors.
- Yugabyte and its Subprocessors may retain Customer Personal Information to the extent required by applicable laws and only to the extent and for such period as required by applicable laws and always provided that Yugabyte shall ensure the confidentiality of all such Customer Personal Information and shall ensure that such Customer Personal Information is only Processed as necessary for the purpose(s) specified in the applicable laws requiring its storage and for no other purpose.
- LAW AND JURISDICTION
- Where the GDPR is applicable to the Processing of Customer Personal Information under this DPA, this DPA shall be governed by, and construed in accordance with the law of the Member State in which Customer is established or, where Customer is established in the United Kingdom or Switzerland, English law or Swiss law respectively.
- Where the PDPA is applicable to the Processing of Customer Personal Information under this DPA, this DPA shall be governed by, and construed in accordance with the laws of Singapore.
- Where the PIPA is applicable to the Processing of Customer Personal Information under this DPA, this DPA shall be governed by, and construed in accordance with the laws of South Korea.
- Where the APPI is applicable to the Processing of Customer Personal Information under this DPA, this DPA shall be governed by, and construed in accordance with the laws of Japan.
- In all other cases, this DPA shall be governed by the same law as the Agreement.
- MISCELLANEOUS
- Amendment. The Parties acknowledge that the foregoing provisions are designed to comply with the mandates of Data Protection Laws. No change, amendment, or modification of this DPA shall be valid unless set forth in writing and agreed to by both Parties. Notwithstanding the foregoing, the Parties acknowledge that privacy and data protection laws are rapidly evolving and that amendment of this DPA may be required to ensure compliance with such developments. The Parties specifically agree to take such action as may be reasonably necessary from time to time for the Parties to comply with applicable Data Protection Laws.
- Interpretation. Any ambiguity in this Agreement shall be resolved to permit the Parties to comply with the Data Protection Laws.
- Effect of Agreement. In the event of any inconsistency between the provisions of the Agreement, this DPA, the Annexes to this DPA, and the Standard Contractual Clauses (where applicable) respectively, the order of precedence shall be as follows:
- The Standard Contractual Clauses (where applicable);
- The Annexes of this DPA to the extent that they are meant to complete the Standard Contractual Clauses (where applicable);
- The main body of this DPA including its Annexes;
- The Agreement.
In the event of inconsistency between the provisions of this DPA and mandatory provisions of the Data Protection Laws, or their interpretation by any court or regulatory agency with authority over Customer or Yugabyte, such interpretation shall control. Where provisions of this DPA are different from those mandated in the Data Protection Laws but are nonetheless permitted by such rules as interpreted by courts or agencies, the provisions of this DPA shall control. For the avoidance of doubt, where Standard Contractual Clauses apply, the terms of this DPA are meant to supplement the applicable Standard Contractual Clauses, in particular, by way of providing guidance for their practical implementation, and are not intended to contradict, directly or indirectly, any clauses of the applicable Standard Contractual Clauses.
- General. If any part of a provision of this DPA is found to be illegal or unenforceable, it shall be enforced to the maximum extent permissible, and the legality and enforceability of the remainder of that provision and all other provisions of this DPA shall not be affected. All notices relating to the Parties’ legal rights and remedies under this DPA shall be provided in writing to a Party, shall be sent to its address or email address set forth in the signature block below, or to such other address or email address as may be designated by that Party by notice to the sending Party, and shall reference this DPA. Nothing in this DPA shall confer any right, remedy or obligation upon anyone other than Customer and Yugabyte. This DPA is the complete and exclusive agreement between the Parties with respect to the subject matter hereof, superseding and replacing all prior agreements, communications and understandings (written and oral) regarding its subject matter.
ANNEX 1
DETAILS OF THE PROCESSING
This ANNEX 1 forms part of the DPA and the Standard Contractual Clauses (if any).
- PARTIES TO THE PROCESSING
Customer Yugabyte Name The entity identified as “Customer” in the Agreement. Yugabyte, Inc. Address The address for Customer associated with its Yugabyte account or as otherwise specified in the Agreement. The address identified at the following URL for the applicable region: https://www.yugabyte.com/contact/ Contact Person’s Name, Position and Contact Details The contact details associated with Customer’s account, or as otherwise specified in the Agreement Name: Cyrus Wadia Position: General Counsel
Contact details: privacy@yugabyte.com
Activities relevant to the data transferred The activities specified in Section 2 of the DPA. The activities specified in Section 2 of the DPA. Role The role specified in Section 2.1 of the DPA. For International Transfers, Customer is the Data Exporter. The role specified in Section 2.1 of the DPA. For International Transfers, Yugabyte is the Data Importer. - DESCRIPTION OF TRANSFERCategories of Data SubjectsUnless provided otherwise by Customer, Customer Personal Information relates to the following categories of Data Subjects:
- Customers, business partners, and vendors of the Customer (who are natural persons)
- Employees or contract persons of Customer’s customers, business partners, and vendors.
- Agents, advisors, or any user authorized by Customer to use the Service (who are natural persons)
Categories of Customer Personal Information
In providing Services, Yugabyte does not intentionally Process Customer Personal Information. Customer may Process such customer Personal Information through the Services, but the nature and extent of such Processing is solely determined and controlled by Customer. To that end, Customer determines the categories of Customer Personal Information and other data entered onto the Services. Customer Personal Information entered onto the Services typically relates to the following categories:
- Name
- Business Contact Information (company, title or position, email address, phone numbers, physical business address)
- Personal Contact Information (email address, phone numbers, physical personal address)
- Localization data
- Authentication data
- Pictures and Videos (which are not classified as Special Categories of Data under the European Data Protection Laws.)
- Connection Data
- System access / usage / authorization data
Categories of Sensitive Data under European Data Protection Laws
None. Customer agrees not to submit any Customer Personal Information which would be considered Special Categories of Data under applicable European Data Protection Laws.
Nature of the Processing
The basic processing activities of Customer Personal Information by Yugabyte is the provision and maintenance of the Services pursuant to the Agreement entered into by the Parties.
Frequency of International Transfers
Where International Transfers are occurring, the Customer Personal Information will be transferred on a continuous basis according to the terms of the Agreement.
Purpose(s) of Processing and International Transfers (if applicable)
The purpose of Processing and International Transfers (where applicable) is the provision and maintenance of the Services pursuant to the Agreement entered into by the Parties.
The Period for Which Personal Data will be Retained
The Customer Personal Information will be retained pursuant to Section 8 of the DPA.
Subject Matter, Nature and Duration of the Processing of Subprocessors
Customer generally authorizes Yugabyte to engage Subprocessors in connection with the Processing of Customer Personal Information for the performance of the Agreement. A description of Yugabyte’s Subprocessors are available at the following URL: https://www.yugabyte.com/yugabytedb-aeon-subprocessors/. Customer Personal Information will be retained pursuant to Section 8 of the DPA.
ANNEX 2
Technical and Organizational Security Measures
Yugabyte maintains internal policies and procedures, and procures that its Subprocessors also maintain internal policies and procedures that are materially consistent with this Annex where applicable, which are designed to:
- secure any Customer Personal Information Processed by Yugabyte against accidental or unlawful loss, access, or disclosure;
- identify reasonably foreseeable and internal risks to security and unauthorized access to any Customer Personal Information Processed by Yugabyte; and
- minimize security risks, including through risk assessments and regular testing.
These measures may include:
- Preventing unauthorized persons from gaining access to Yugabyte’s information systems that are used to Process Customer Information Systems (physical access control) by taking measures such as:
- Documenting security and other incidents (maintaining an incident log);
- Protecting and managing physical access to assets and facilities;
- Implementing and maintaining security controls for each computer room and/or data centre and any area containing Customer Personal Information which includes but is not limited to the establishment of secure areas, securing data processing equipment, providing industry standard access controls to facilities that Process Customer Personal Information, the implementation of alarm systems, and other security measures as appropriate; and
- Ensuring all access to facilities that Process Customer Personal Information is logged and monitored.
- Preventing data processing systems from being used without authorisation (logical access control) by taking measures such as:
- Using appropriate network security devices such as i routers and firewalls;
- Periodic review of user access to Yugabyte information systems which Process Customer Personal Information;
- Secure log-in with unique credentials for each Yugabyte authorized user, including multi-factor authentication (MFA) while accessing any public entry point to Yugabyte’s information technology infrastructure;
- automatic disablement of user credentials when several consecutive failed attempts are made to access a user terminal;
- dedication of individual terminals and/or terminal user accounts with permissions granted on the need-to-know principle;
- formalized change control management procedures for any changes that occur to Yugabyte information systems;
- use of firewall technology, either application or physical;
- annual vulnerability and penetration tests of Yugabyte information systems used to Process Customer Personal Information;
- Locking of unattended workstations;
- Role-based access for critical systems containing Customer Personal Information;
- Implementing and maintaining a process for routine system updates for known vulnerabilities;
- Monitoring for security vulnerabilities on critical systems and applications;
- Deployment and updating of antivirus software on Yugabyte’s workstations that access Yugabyte’s information systems that Process Customer Personal Information; and
- Compliance with applicable laws, regulations and industry standards as applicable to the performance of the Agreement and this DPA.
- Ensuring that persons entitled to use a data processing system can gain access only to the data to which they have a right of access, and that, in the course of processing or use and after storage, Customer Personal Information cannot be read, copied, modified or deleted without authorisation (access control to data) by taking measures such as:
- Using appropriate network security devices such as routers and firewalls;
- Monitoring the network to detect potential cybersecurity events;
- Secure log-in with unique user-ID/password for each of Yugabyte’s authorized users, including multi-factor authentication (MFA) while accessing any public entry point to Yugabyte’s information technology infrastructure that Processes Customer Personal Information;
- Logging and analysis of access to Yugabyte’s information systems used to Process Customer Personal Information;
- Role-based access for critical systems containing Customer Personal Information;
- Deployment and updating of antivirus software on Yugabyte’s workstations;
- Maintaining a documented incident response plan that addresses actions to be carried out should a Security Incident occur;
- Maintaining documented policy and procedure for record retention and destruction; and
- Implementing and maintaining response and recovery procedures which are tested on at least an annual basis in the event of a disaster.
- Ensuring that Customer Personal Information cannot be read, copied, modified or deleted without authorisation during electronic transmission, transport or storage and that all data transmissions are logged, monitored, and tracked as is technically feasible and practicable (data transfer control) by taking measures such as:
- Where appropriate in light of the types or nature of the data processed, encryption of communication and encryption of data in storage which is under Yugabyte’s control;
- Tunnelling (VPN = Virtual Private Network);
- FSecure transport containers in case of physical transport;
- Logging of the transmission of Customer Personal Information as is technically feasible and practicable for Yugabyte; and
- Logical network isolation of Yugabyte systems that Process Customer Personal Information from other Yugabyte customer environments.
- Ensuring that Customer Personal Information is protected against accidental destruction or loss (availability control) to the extent that is under Yugabyte’s control by taking measures such as:
- Maintaining backup procedures;
- Maintaining redundant servers and/or information system infrastructure in a separate location;
- Maintaining uninterruptible power supply and auxiliary power systems;
- Climate monitoring and control for information technology infrastructure including but not limited to, fire resistant doors, fire and smoke detection, and fire extinguishing systems;
- Anti-virus on Workstations connecting to Yugabyte systems that Process Customer Personal Information;
- Firewall systems;
- Disaster Recovery Plans which include Recovery Time Objectives (RTO) and Recovery Point Objections (RPO) that are tested on at least an annual basis; and
- Implementation of denial of service (DOS) preventative and/or remediation measures.
- Ensuring suitable measures to monitor Yugabyte’s systems administrators to ensure that the Yugabyte’s systems administrators act in accordance with Customer’s instructions by taking measures such as:
- Formal assignment of systems administrator based on job duties and the need-to-know principle;
- Logging of actions taken by a respective systems administrator as is technically feasible and practicable;
- Maintaining a list of a respective systems administrator’s identification details; and
- Auditing on at least a quarterly basis any Yugabyte user personnel’s access to Yugabyte’s production environment to ensure Yugabyte user personnel that have access to the environment are still authorized to access Yugabyte information systems that Process Customer Personal Information.
- Ensuring that data collected for different purposes or different principals can be processed separately (separation control) by taking measures such as:
- Ensuring the separation of development, quality assurance, and production environments;
- Prohibiting the use of Processing Customer Personal Information in Customer’s non-production environment; and
- Logical network isolation of Yugabyte systems that Process Customer Personal Information from other Yugabyte customer environments.
Pursuant to Section 3 of the DPA, Yugabyte shall impose substantially similar data protection terms on any Subprocessor it appoints as those provided for by the DPA.
ANNEX 3
INTERNATIONAL DATA TRANSFERS – RISK ASSESSMENT
Yugabyte provides the information below to enable Customer to perform a risk assessment pursuant to Section 4.1 of this DPA.
OVERVIEW | |||
Date | Effective Date of the Agreement | ||
Entity name | YugabyteDB, Inc. | ||
Brief description of transfer (Please indicate the scale and regularity of transfers in this regard) | See Annex 1. | ||
Data privacy role in regard to the data processing for us (e.g., data processor) | The role specified in Section 2.1 of the DPA. For International Transfers, Yugabyte is the Data Importer. | ||
Current legal mechanism for the international transfer (e.g. Standard Contractual Clauses, Article 49 General Data Protection Regulation) | Standard Contractual Clauses | ||
A. SYSTEMATIC DESCRIPTION OF THE DATA PROCESSING | |||
Describe the nature, scope and context of the data processing | Yugabyte processes Customer Personal Information in order to deliver the Services to Customer. | ||
Purposes of the data processing | See Annex 1. | ||
Functional/technical description of the data processing | See Annex 1. | ||
Categories of personal data being processed | See Annex 1. | ||
Number of datasets that are being processed | Customer shall provide datasets from time to time as needed in connection with Yugabyte’s delivery of the Services. The number of datasets that are being processed are solely determined by the Customer. | ||
The recipients of the personal data | Company entities | Yugabyte | |
Vendors | The Subprocessers listed under the following link: https://www.yugabyte.com/yugabyte-cloud-subprocessors/ | ||
Assets on which the personal data sits (e.g., hardware, software, networks, people, paper or paper transmission channels) | Customer Personal Information is stored on Yugabyte’s Subprocessor(s) infrastructure. | ||
B. REGULATORY FRAMEWORK | |||
Factors relevant to the assessment | Analysis | ||
Applicable regulatory regime | U.S. Law | ||
Safeguard offered by local data privacy laws | None (regarding non-U.S. persons) | ||
Risks posed by laws authorizing authorities to access or conduct surveillance on personal data for security or other reasons (including laws applicable to company’s cloud service or other communication providers) | Foreign Intelligence Surveillance Act, Sec. 702 | Risk of surveillance mainly on U.S. soil. | |
Executive Order 12333 & Presidential Policy Directive 28 | Risk of surveillance mainly during transit to/through the U.S. | ||
[Applicable Law 3] (please indicate if other applicable laws pose any similar risks, e.g. applicable sector-specific laws) | Yugabyte is not aware of any further laws applicable in this respect. | ||
Access to judicial process to protect Data Subject rights | None (regarding non-U.S. persons); merely generalized judicial review of FISA surveillance decisions by the FISC | ||
Role of regulators and supervisory authorities in protecting data | None (regarding non-U.S. persons) | ||
Ability of individuals to raise complaints, appeal and enforce decisions | None (regarding non-U.S. persons) | ||
C. REQUEST FOR INFORMATION | |||
Factors relevant to the assessment | Analysis | ||
Note: Please indicate if you are under a legal obligation not to answer one of the following questions. | |||
Please indicate whether you qualify as an electronic communication service provider within the meaning of 50 USC § 1881(b)(4) (i.e. as a telecommunications carrier, provider of electronic communication service, provider of a remote computing service, any other communication service provider who has access to wire or electronic communications either as such communications are transmitted or as such communications are stored or an officer, employee, or agent of any such entity) | There is a risk, even though not probable, that Yugabyte may qualify as an Electronic Communication Service Provider in the meaning of 50 USC § 1881 (b) (4) due to the hosted software services it currently provides to its Customers or may provide in the future. | ||
Please indicate whether you have been subject to additional government requests for customer data. | Never. | ||
Please indicate whether you cooperate in any respect with US authorities conducting surveillance of communications under EO 12.333, should this be mandatory or voluntary. | No, this has never been requested. | ||
Please indicate whether you periodically issue transparency reports including Information on data access requests in regard to the U.S. | No. | ||
D. MITIGATING MEASURES | |||
Please indicate whether you have implemented any safeguards to mitigate the risk associated with the data transfer (e.g. encryption). | Yes. | ||
If applicable, describe these measures as precise as possible. | See Annex 2. |
ANNEX 4
Standard Contractual Clauses
- EEA Customer Data Transfers
For all International Transfers described in Section 4.2.1. of the DPA originating from the EEA, the following Standard Contractual Clauses apply (the “EEA SCCs”):- Module Two (controller to processor) of the Standard Contractual Clauses annexed to Commission Implementing Decision (EU) 2021/914 shall apply where Customer acts as the Controller of GDPR Personal Data and Yugabyte acts as a Processor; and
- Module Three (processor to processor) of the Standard Contractual Clauses annexed to Commission Implementing Decision (EU) 2021/914 shall apply where Customer acts as a Processor of GDPR Personal Data and Yugabyte acts as a Subprocessor.
- e ANNEX 1 of this DPA;
- Annex I.B (Description of Transfer) shall be deemed to incorporate the information in Section B of ANNEX 1 of this DPA;
- For purposes of Annex I.C (Competent Supervisory Authority), the competent supervisory authority is (i), where Customer is established in the EEA, the supervisory authority with responsibility for ensuring compliance by Customer with the GDPR as regards the International Transfer, (ii) where Customer is not established in the EEA but has appointed a representative in the EEA, the supervisory authority of the Member State in which the representative is established, or (iii) where Customer is not established in the EEA and has not appointed a representative in the EEA, the supervisory authority of one of the Member States in which the Data Subjects whose GDPR Personal Data is transferred;
- Annex II (Technical and Organisational Measures) shall be deemed to incorporate the information in ANNEX 2e
- UK Customer Data Transfers
For all International Transfers described in Section 4.2.1. of the DPA originating from the UK:- neither the UK SCCs (as defined below) nor the DPA shall be interpreted in a way that conflicts with rights and obligations provided for in any laws relating to data protection, the processing of personal data, privacy and/or electronic communications in force from time to time in the UK, including the UK General Data Protection Regulation (“UK GDPR”) and the Data Protection Act 2018 (together, the “UK Data Protection Laws”);
- (1) where Customer acts as the Controller of GDPR Personal Data and Yugabyte acts as a Processor, Module Two (controller to processor), or (2) where Customer acts as a Processor of GDPR Personal Data and Yugabyte acts as a Subprocessor, Module Three (processor to processor), of the Standard Contractual Clauses annexed to Commission Implementing Decision (EU) 2021/914 are deemed to be amended to the extent necessary so they operate:
- for transfers made by Customer to Yugabyte, to the extent that UK Data Protection Laws apply to Yugabyte’s processing when making that transfer; and
- to provide appropriate safeguards for the transfers in accordance with Article 46 of the UK GDPR (such amended Standard Contractual Clauses, the “UK SCCs”);
- the amendments referred to in the above Section 2(b) include (without limitation) the following:
- references to “Regulation (EU) 2016/679” or “that Regulation” are replaced by “UK GDPR” and references to specific Article(s) of “Regulation (EU) 2016/679” are replaced with the equivalent Article of the UK GDPR;
- references to Regulation (EU) 2018/1725 are removed;
- references to the “Union”, “EU” and “EU Member State” are all replaced with the “UK”;
- the “competent supervisory authority” shall be the Information Commissioner;
- clause 17 of the UK SCCs is replaced with the following:”These Clauses are governed by the laws of England and Wales“;
- clause 18 of the UK SCCs is replaced with the following:”Any dispute arising from these Clauses shall be resolved by the courts of England and Wales. A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of any country in the UK. The Parties agree to submit themselves to the jurisdiction of such courts“;
- any footnotes to the UK SCCs are deleted in their entirety.
For purposes of the UK SCCs:
- Annex I.A (List of Parties) shall be deemed to incorporate the information in Section A of ANNEX 1 of this DPA;
- Annex I.B (Description of Transfer) shall be deemed to incorporate the information in Section B of ANNEX 1 of this DPA;
- Annex II (Technical and Organisational Measures) shall be deemed to incorporate the information in ANNEX 2 of this DPA.
- EEA and UK Subprocessor Data Transfers
For all International Transfers described in Section 4.2.2. of the DPA from Yugabyte to a Third Country Subprocessor, Yugabyte will enter into an agreement with the Third Country Subprocessor incorporating Module Three (processor to processor) of the Standard Contractual Clauses annexed to Commission Implementing Decision (EU) 2021/914 along with any amendments necessary so they operate:- for transfers made by Yugabyte to Subprocessor, to the extent that UK Data Protection Laws apply to Contractor’s processing when making that transfer; and
- to provide appropriate safeguards for the transfers in accordance with Article 46 of the UK GDPR.