Data Processing Addendum
This Data Processing Addendum represents an addendum to Your existing commercial agreement with GoodData governing Your use of GoodData products or services ("Agreement") (each, a "Party" and together, the "Parties") ("Addendum") and is hereby incorporated into the Agreement. In the event of any conflict between this Addendum and any data processing terms contained in the Agreement between the Parties, the terms of this Addendum regarding the transfer of Personal Data shall control and supersede the terms set forth in the original Agreement.
All capitalized terms not otherwise defined herein shall have the meaning set forth in the Agreement or the Applicable Data Processing Law, as applicable.
Applicable Data Protection Law means all applicable international, federal, national and state privacy and data protection laws that apply to the processing of Personal Data that is the subject matter of the Agreement (including, where applicable, European Data Protection Law and the CCPA).
CCPA means the California Consumer Privacy Act of 2018, Cal. Civil Code § 1798.100 et seq.
Controller means the entity that determines the purposes and means of the processing of Personal Data, and for the purposes of this Agreement means You.
European Data Protection Law means the EU General Data Protection Regulation 2016/679 ("GDPR") and any applicable national laws made under the GDPR.
Personal Data means Customer Data and/or Support Data that is "personal data," "personal information," "personally identifiable information," or an equivalent term, as defined by Applicable Data Protection Law.
Processor means an entity that processes Personal Data on behalf of the Controller.
Security Breach means a breach of security relating to Personal Data where there is an unlawful or unauthorized use or acquisition of Personal Data due to GoodData's failure to comply with the GoodData Security Program with respect to the Subscription or Support Services for systems entirely controlled by GoodData. The term Security Breach always excludes: (a) unsuccessful attempts to penetrate computer networks or servers maintained by or for GoodData; and (b) immaterial incidents that occur on a routine basis, such as security scans, brute-force attempts or "denial of service" attacks.
Standard Contractual Clauses means the annex found in EU Commission Decision of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council (available as of the Effective Date at http://data.europa.eu/eli/dec/2010/87/oj). Attached hereto are Appendices 1 and 2 to the Standard Contractual Clauses and such Appendices are hereby incorporated by reference to the Standard Contractual Clauses. Parties agree that Standard Contractual Clauses shall be governed by the law of a Member State where EU Data Protection Laws apply.
Relationship of the Parties. As between the Parties, You are the Controller and appoint GoodData as a Processor to process the Personal Data.
Purpose Limitation. GoodData shall process the Personal Data as a Processor only for the purposes described in Appendix 1 to the Standard Contractual Clauses, and in accordance with Your documented instructions (the "Permitted Purpose"). You agree and acknowledge that You will confer with GoodData and will obtain GoodData's prior written consent before You load any Personal Data deemed to be included in "Special Categories of Personal Data" under GDPR (e.g. data consisting of racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, data concerning health or data concerning a natural person's sex life or sexual orientation) onto GoodData's platform.
International transfers of Personal Data. GoodData will at all times provide an adequate level of protection for the Personal Data, wherever processed, in accordance with the requirements of Applicable Data Protection Law. To the extent that Personal Data originating from the European Economic Area (EEA) will be processed in a territory which has not been designated by the European Commission as providing an adequate level of data protection or a territory that is not subject to a bilateral arrangement that provides a legal basis for Personal Data transfers and with which GoodData complies, both Parties will comply with the obligations in the Standard Contractual Clauses (including its Appendices), which shall form an integral part of this Addendum. In the event of any conflict between the Standard Contractual Clauses and this Addendum, the Standard Contractual Clauses shall control and supersede.
Confidentiality of Processing. GoodData shall keep strictly confidential all Personal Data that it processes on behalf of You. GoodData shall ensure that any person that it authorises to process the Personal Data (including GoodData's affiliates and their staff, agents and subcontractors) (an "Authorised Person") shall be subject to a strict duty of confidentiality (whether a contractual duty or a statutory duty), and shall not permit any person to process the Personal Data who is not under such a duty of confidentiality. GoodData shall ensure that only Authorised Persons will process the Personal Data, and that such processing shall be limited to the extent necessary to achieve the Permitted Purpose. GoodData accepts responsibility for any breach of this Addendum caused by the act, error or omission of an Authorised Person.
Prohibition on Selling Information of California residents. For avoidance of doubt, GoodData is a Service Provider and not a Third Party as defined by the CCPA. Therefore, GoodData shall not: (i) sell the Personal Data, (ii) retain, use, or disclose the Personal Data for any purpose other than providing the services specified in the Agreement or for a Business Purpose. Specifically, GoodData shall not retain, use, or disclose the Personal Data for a Commercial Purpose, or (iii) retain, use, or disclose the Personal Data outside of the direct business relationship between GoodData and You. Notwithstanding anything in the Addendum or any related order form or other document, the Parties acknowledge and agree that Your provision of access to Personal Data is not part of and explicitly excluded from the exchange of consideration, or any other thing of value, between the Parties.
Security. GoodData shall implement appropriate technical and organisational measures to protect the Personal Data from a Security Breach. At a minimum, such measures shall include the security measures identified in Appendix 2 to the Standard Contractual Clauses, and as further described in the Documentation. Where there is an unlawful or unauthorized use or acquisition of Personal Data in systems entirely controlled by GoodData, or GoodData discovers any unauthorized use or acquisition of Personal Data in any third party systems that are processing Personal Data on GoodData's behalf, GoodData will promptly notify You of such breach and promptly investigate.
Subprocessing. GoodData shall not subcontract any processing of the Personal Data to a third party ("Subprocessor") without Your prior written consent. Notwithstanding the foregoing, You consent to GoodData engaging its Affiliates and Subprocessors listed at https://www.gooddata.com/subprocessors/, provided that GoodData provides at least thirty (30) days' prior written notice of the addition of any Subprocessor (including the categories of Personal Data processed, details of the processing it performs or will perform, and the location of such processing) by email, or by means of a notice on the aforementioned GoodData site. We encourage You to periodically review such GoodData site for the latest information on GoodData Subprocessor practices, and especially before You provide GoodData with any Personal Data. Your continued use of a GoodData site after any changes or revisions to the Subprocessor list have been published shall indicate Your agreement with the terms of such revised list. If You object to GoodData's appointment of a new Subprocessor on reasonable grounds relating to the protection of Your Personal Data, then either GoodData will not appoint the Subprocessor or the Parties will promptly confer and discuss alternative arrangements to enable GoodData to continue processing of Personal Data. In all cases, GoodData shall impose the same data protection obligation on any Subprocessor it appoints as those provided for by this Addendum and GoodData shall remain liable for any breach of this Addendum that is caused by an act, error or omission of its Subprocessor to the extent it is liable for its own acts and omissions under the Agreement.
Cooperation and Individuals' Rights. To the extent You are unable to directly respond to a privacy inquiry made by a Data Subject itself, GoodData shall then provide all reasonable and timely assistance to You to enable You to respond to: (i) any request from Data Subject to exercise any of its rights under Applicable Data Protection Law; and (ii) any other correspondence, enquiry or complaint received from an individual, regulator, court or other third party in connection with the processing of the Personal Data. In the event that any such communication is made directly to GoodData, GoodData shall promptly inform You providing full details of the same and shall not respond to the communication unless specifically required by law or authorized by You.
Data Protection Impact Assessment. If GoodData believes or becomes aware that its processing of the Personal Data is likely to result in a high risk to the data protection rights and freedoms of individuals, it shall promptly inform You of the same. GoodData shall provide You with all such reasonable and timely assistance as You may require in order to conduct a data protection impact assessment, and, if necessary, to consult with its relevant data protection authority.
Security Breach. Upon becoming aware of a Security Breach, GoodData shall inform You without undue delay and shall provide all such timely information and cooperation as You may reasonably require in order for You to fulfill Your data breach reporting obligations under (and in accordance with the timescales required by) Applicable Data Protection Law and relevant contractual obligations owed by You to Your Users. GoodData shall further take all such measures and actions as are necessary to remedy or mitigate the effects of the Security Breach and shall keep You informed of all developments in connection with the Security Breach. GoodData shall not notify any third parties of a Security Breach unless and to the extent that: (a) You have agreed to such notification, and/or (b) notification is required to be made by GoodData under Applicable Data Protection Laws.
Deletion or Return of Data. Upon termination or expiry of the Agreement, GoodData shall (at Your election) destroy or enable You to retrieve all Data (including all copies of the Personal Data) in its possession or control (including any Personal Data subcontracted to a third party for processing). Unless agreed to otherwise by the Parties, GoodData shall enable You to retrieve Your Personal Data within thirty (30) days of Your request. GoodData shall delete all Personal Data within the GoodData platform within ninety (90) days of the termination of this Addendum or the Agreement, or upon Your written request. This requirement shall not apply to the extent that GoodData is required by applicable law to retain some or all of the Personal Data, in which event GoodData shall isolate and protect the Personal Data from any further processing except to the extent required by such law.
Compliance Assessments. No more than once per year, solely for the purpose of meeting its audit requirements under Article 28, section 3(h) of the GDPR or its obligations under 5(f) and 12(2) of the Standard Contract Clauses, You may request an audit in writing. GoodData shall then permit You (or its appointed third-party auditors) to review GoodData's SOC-2, Type II or similar audit report and relevant security and compliance documentation, including but not limited to self-assessment questionnaires and security testing results. GoodData shall also respond to any written audit questions submitted to it by You. You will be entitled to this information once in any twelve (12) calendar month period, except if and when required by the instruction of a competent data protection authority. You agree that these reports and other documentation will be used as the primary and only mechanism to audit and inspect GoodData's processing activities, unless You are required to perform an on-site audit by the applicable data protection authority, or if GoodData materially fails to comply with GDPR negatively impacting Your Personal Data. In the event that You require an on-site audit of the procedures relevant to the protection of Your Personal Data, then such audits requested must meet the following requirements:
- Any audit must be requested with at least thirty (30) days prior notice and include a detailed audit plan that describes the proposed scope, duration, reimbursement rates, and start date of the audit which the Parties must mutually agree upon prior to the commencement of an audit. Audit requests must be sent to email@example.com.
- The auditor must execute a written GoodData form nondisclosure agreement prior to conducting the audit.
- The audit must be conducted during GoodData's regular business hours, subject to GoodData's policies, and may not unreasonably interfere with GoodData's business activities.
- You will reimburse GoodData for any time expended at its then-current reasonable Ancillary Services rates, made available to You upon request. All reimbursement rates will be reasonable and take into account the resources expended by GoodData.
For all audits, You must immediately notify GoodData with information regarding any suspected or actual non-compliance revealed during an audit. Any information resulting or derived from any audit under this Section 2.12, including any of Your analyses, notes, assessments or other materials in whatever form or media, constitutes GoodData Confidential Information subject to applicable protections defined in the Agreement.
General cooperation to remediate. In the event that Applicable Data Protection Law, or a data protection authority or regulator, provides that the transfer or processing of Personal Data under this Addendum is no longer lawful or otherwise permitted, then the Parties shall agree to remediate the processing (by amendment to this Addendum or otherwise) in order to meet the necessary standards or requirements. If GoodData is unable to remediate the processing within the applicable cure period set forth in the Agreement, then You will be entitled to terminate the Agreement (and any other agreement between the Parties relating to the provision of services by GoodData to You) in accordance with the respective termination provision of the Agreement.
YOUR AFFILIATES
GoodData's obligations set forth herein will extend to Your Affiliates to which You provide access to the Subscription Services or Software or whose Personal Data is processed within the Subscription or Support Services, subject to the following conditions:
Compliance. You shall at all times be liable for Your Affiliates' compliance with this Addendum and all acts and omissions by Your Affiliate are considered Your acts and omissions.
Claims. Your Affiliates will not bring a claim directly against GoodData. In the event Your Affiliate wishes to assert a valid legal action, suit, claim or proceeding against GoodData (an "Affiliate Claim"): (i) You must bring such Affiliate Claim directly against GoodData on behalf of such Affiliate, unless the Applicable Data Protection Laws require that Your Affiliate be a party to such Affiliate Claim; and (ii) all Affiliate Claims will be considered claims made by You and are at all times subject to any aggregate limitation of liability set forth in the Agreement.
Affiliate Ordering. If Your Affiliate licenses a separate instance of the respective GoodData services under the terms of the Agreement, then such Affiliate will be deemed a party to this Addendum and shall be treated as You under the terms of this Addendum.
Communication. Unless otherwise provided in this Addendum, all requests, notices, cooperation, and communication, including Instructions issued or required under this Addendum (collectively, "Communication"), must be in writing and between You and GoodData only and You shall inform the applicable Affiliate of any Communication from GoodData pursuant to this Addendum. You shall be solely responsible for ensuring that any Communications You provide to GoodData relating to Personal Data for an Affiliate reflects the relevant Affiliate's intentions. You warrant and represent that You are and will at all relevant times remain duly and effectively authorized to give instructions on behalf of each relevant Affiliate.
Liability Cap. If the Standard Contractual Clauses have been entered into as described in Section 2.3 (International transfers of Personal Data) then, subject to Section 4.2 (Liability Cap Exclusions), the total combined liability of either Party and its Affiliates towards the other Party and its Affiliates under or in connection with the Agreement and such Standard Contractual Clauses combined will be limited to the agreed Liability Cap for the relevant Party.
Liability Cap Exclusions. Nothing in Section 4.1 (Liability Cap) will affect the remaining terms of the Agreement relating to liability (including any specific exclusions from any limitation of liability).
The obligations placed upon GoodData under this Addendum shall survive so long as GoodData and/or its Subprocessors process Personal Data on Your behalf under the terms of the Agreement.
Unless there is a separately negotiated data processing agreement between the Parties, in which case the terms of such agreement shall control, this Addendum sets forth the entire agreement and understanding of the Parties relating to the subject matter contained herein and merges all prior discussions and agreements between them, and no Party shall be bound by any representation other than as expressly stated in this Addendum or a written amendment to this Addendum signed by authorized representatives of each of the Parties.
Appendix 1 to the Standard Contractual Clauses
This Appendix forms part of the Clauses and must be completed and signed by the parties.
The Member States may complete or specify, according to their national procedures, any additional necessary information to be contained in this Appendix.
The data exporter is (please specify briefly activities relevant to the transfer): You (as specified by the Agreement)
Each data exporter wishes to appoint the data importer to provide it with data processing services. The role of the data importer, the nature of the data processing services it will provide, the categories of data that it will process, and the protections it will apply to protect those data are set out in these Clauses.
The data importer is (please specify briefly activities relevant to the transfer): The GoodData entity specified in the Agreement and its Affiliates
A service provider which processes personal data upon the instruction of the data exporter in accordance with the terms of the agreement between data exporter and data importer relating to the provision of services by data importer to data exporter.
The personal data transferred concern the following categories of data subjects (please specify):
Data exporter may transfer personal data to data importer, the extent of which is determined and controlled by data exporter in its sole discretion, and which may include, but is not limited to Personal Data relating to the following categories of data subjects:
- Prospects, customers, business partners and vendors of data exporter (who are natural persons);
- Employees or contact persons of data exporter's prospects, customers, business partners and vendors; and
- Employees, agents, advisors, freelancers of the data exporter (who are natural persons).
Categories of data
The personal data transferred concern the following categories of data (please specify):
Data exporter may transfer personal data to data importer, the extent of which is determined and controlled by data exporter in its sole discretion, and which may include, but is not limited to the following categories of personal data:
- First and last name
- Contact information (company, email, phone, physical business address)
- ID data
- Professional life data
- Personal life data (including but not limited to home addresses, personal phone numbers, resumes, attendance records, bank details)
- Connection data
- Localisation data
- Support Data
Special categories of data (if appropriate)
The personal data transferred concern the following special categories of data (please specify): N/A
The personal data transferred will be subject to the following basic processing activities (please specify):
The objective of processing of personal data by the data importer is the performance of the data importer's services pursuant to the agreement between data exporter and the data importer relating to the provision of services by the data importer to data exporter.
Appendix 2 to the Standard Contractual Clauses
This Appendix forms part of the Clauses and must be completed and signed by the parties.
Description of the technical and organizational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) (or document/legislation attached):
Physical Access Controls: the data importer shall take reasonable measures to prevent physical access, such as security personnel and secured buildings and factory premises, to prevent unauthorized persons from gaining access to personal data.
System Access Controls: the data importer shall take reasonable measures to prevent personal data from being used without authorization. These controls shall vary based on the nature of the processing undertaken and may include, among other controls, authentication via passwords and/or two-factor authentication, documented authorization processes, documented change management processes and/or logging of access on several levels.
Data Access Controls: the data importer shall take reasonable measures to provide that personal data is accessible and manageable only by properly authorized staff, direct database query access is restricted and application access rights are established and enforced to ensure that persons entitled to use a data processing system only have access to the personal data to which they have privilege of access; and, that personal data cannot be read, copied, modified or removed without authorization in the course of processing. In addition to the access control rules set forth in Sections 1-3 above, data importer implements an access policy under which access to its system environment, to personal data and other data is by authorized personnel only.
Transmission Controls: the data importer shall take reasonable measures to ensure that it is possible to check and establish to which entities the transfer of personal data by means of data transmission facilities is envisaged so personal data cannot be read, copied, modified or removed without authorization during electronic transmission or transport.
Input Controls: the data importer shall take reasonable measures to provide that it is possible to check and establish whether and by whom personal data has been entered into data processing systems, modified or removed. The data importer shall take reasonable measures to ensure that (i) the personal data source is under the control of the data exporter; and (ii) personal data integrated into data importer's systems is managed by secured file transfer from the data importer and data subject.
Data Backup: the data importer shall ensure that back-ups are taken on a regular basis, are secured, and encrypted when storing personal data to protect against accidental destruction or loss when hosted by the data importer.
Logical Separation: the data importer shall ensure that data from the data exporter is logically segregated on the data importer's systems to ensure that personal data that is collected for different purposes may be processed separately.