Data Processing Addendum
Last updated: March 24, 2024
Pursuant to the Tigris Subscription Agreement (“the Agreement”), Customer, on behalf of itself and its affiliates, and Tigris Data Inc. (referred to herein as “Vendor”) (each a “Party”; collectively the “Parties”), the Parties hereby adopt this Data Processing Addendum (“DPA”) for so long as Vendor processes Personal Data on behalf of Customer. This DPA prevails over any conflicting terms of the Agreement.
DPA
1. Definitions. For the purposes of this DPA:
1.1 “Privacy Laws” means, collectively, all applicable European, U.S. federal and state privacy laws and their implementing regulations, as amended or superseded from time to time, that apply generally to the processing of individuals' Personal Data and that do not apply solely to specific industry sectors (e.g., financial institutions), specific demographics (e.g., children), or specific classes of information (e.g., health or biometric information). Privacy Laws include, but are not limited to, the following:
1.1.1 The General Data Protection Regulation (EU) 2016/679 (the "GDPR") and its national implementations in the European Economic Area;
1.1.2 The e-Privacy Directive 2002/58/EC (as amended by Directive 2009/136/EC) and its national implementations in the European Economic Area;
1.1.3 The UK General Data Protection Regulation, the UK Data Protection Act 2018 and the Privacy and Electronic Communications Regulations;
1.1.4 California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act of 2020 (“CCPA”);
1.1.5 Colorado Privacy Act;
1.1.6 Connecticut Personal Data Privacy and Online Monitoring Act;
1.1.7 Delaware Personal Data Privacy Act;
1.1.8 Indiana Consumer Data Protection Act;
1.1.9 Iowa Consumer Data Protection Act;
1.1.10 Montana Consumer Data Privacy Act;
1.1.11 Oregon Consumer Privacy Act;
1.1.12 Tennessee Information Privacy Act;
1.1.13 Texas Data Privacy and Security Act;
1.1.14 Utah Consumer Privacy Act; and
1.1.15 Virginia Consumer Data Protection Act.
1.2 “Personal Data” means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with an identified or identifiable natural person. Where applicable, Personal Data shall be interpreted consistent with the same or similar term under Privacy Laws.
1.3 “Share,” “Shared,” and “Sharing” have the meaning defined in the CCPA.
1.4 “Sale” and “Selling” have the meaning defined in the Privacy Laws.
1.5 “Controller” means a person or entity that collects individuals’ Personal Data and alone, or jointly with others, determines the purposes and means of the Processing of such Personal Data. Where applicable, Controller shall be interpreted consistent with the same or similar term under the Privacy Laws.
1.6 “Processor” means “Processor,” “Service Provider,” or “Contractor” as those terms are defined in the Privacy Laws.
1.7 “Consumer” means a natural person. Where applicable, Consumer shall be interpreted consistent with the same or similar term under the Privacy Laws.
1.8 “Processing,” “Process,” and “Processed” means any operation or set of operations that are performed on Personal Data or on sets of Personal Data, whether or not by automated means. Where applicable, Processing, Process, and Processed shall be interpreted consistent with the same or similar term under the Privacy Laws.
1.9 “SCCs” means the clauses annexed to the EU Commission Implementing Decision 2021/914 of June 4, 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, as amended or replaced from time to time.
1.10 “UK Addendum” means the addendum to the SCCs issued by the UK Information Commissioner under Section 119A(1) of the UK Data Protection Act 2018 (version B1.0, in force March 21, 2022).
1.11 “Customer Personal Data” means Personal Data provided by Customer to, or which is collected on behalf of Customer by, Vendor to provide services to Customer pursuant to the Agreement.
1.12 In the event of a conflict in the meanings of defined terms in the Privacy Laws, the meaning from the law applicable to the state of residence of the relevant Consumer applies.
2. Scope, Roles, and Termination.
2.1 Applicability - This DPA applies only to Vendor’s Processing of Customer Personal Data for the nature, purposes, and duration set forth in Appendix A.
2.2 Roles of the Parties - For the purposes of the Agreement and this DPA, Customer is the Party responsible for determining the purposes and means of Processing Customer Personal Data as the Controller and appoints Vendor as a Processor to Process Customer Personal Data on behalf of Customer for the limited and specific purposes set forth in Appendix A.
2.3 Obligations at Termination - Upon termination of the Agreement, except as set forth therein or herein, Vendor will discontinue Processing and destroy Customer Personal Data in its or its subcontractors’ and sub-processors’ possession without undue delay. Vendor may retain Customer Personal Data to the extent required by law but only to the extent and for such period as required by such law and always provided that Vendor shall ensure the confidentiality of all such Customer Personal Data. Vendor may anonymize the Customer Personal Data to satisfy its obligations under this clause.
3. Compliance
3.1 Compliance with Obligations - In addition to the representations and warranties set forth in the Agreement, Vendor, its employees, agents, subcontractors, and sub-processors (a) shall comply with the obligations of the Privacy Laws, (b) shall provide the level of privacy protection required by the Privacy Laws, (c) shall provide Customer with all reasonably-requested assistance to enable Customer to fulfill its own obligations under the Privacy Laws, and (d) understand and shall comply with this DPA. Upon the reasonable request of Customer, Vendor shall make available to Customer all information in Vendor’s possession necessary to demonstrate Vendor’s compliance with this subsection.
3.2 Compliance Assurance - Customer has the right to take reasonable and appropriate steps to ensure that Vendor uses Customer Personal Data consistent with Customer’s obligations under applicable Privacy Laws.
3.3 Compliance Monitoring - Customer has the right to monitor Vendor’s compliance with this DPA through measures, including, but not limited to, ongoing manual reviews, automated scans, regular assessments, audits, or other annual technical and operational testing not more than once every 12 months. Vendor shall cooperate fully with any audit initiated by Customer, provided that such audit will not unreasonably interfere with the normal conduct of Vendor’s business. Unless the audit reveals a breach by Vendor of this DPA or applicable Privacy Laws, Customer shall bear the costs of the audit.
3.4 Compliance Remediation – Vendor shall promptly notify Customer if it determines that it can no longer meet its obligations under applicable Privacy Laws. Upon receiving notice from Vendor in accordance with this subsection, Customer may direct Vendor to take reasonable and appropriate steps to stop and remediate unauthorized use of Customer Personal Data.
3.5 Security - The Parties shall implement and maintain no less than commercially reasonable security procedures and practices, appropriate to the nature of the information, to protect Customer Personal Data from unauthorized access, destruction, use, modification, or disclosure. Without limiting the foregoing, the Parties shall comply with the Security Measures set forth at Appendix B when Processing Customer Personal Data.
4. Restrictions on Processing.
4.1 Limitations on Processing - Vendor will Process Customer Personal Data solely as instructed in the Agreement and this DPA. Except as expressly permitted by the Privacy Laws, Vendor is prohibited from (i) Selling or Sharing Customer Personal Data, (ii) retaining, using, or disclosing Customer Personal Data for any purpose other than for the specific purpose of performing the services specified in Appendix A, (iii) retaining, using, or disclosing Customer Personal Data outside of the direct business relationship between the Parties, and (iv) combining Customer Personal Data with Personal Data obtained from, or on behalf of, sources other than Customer, except as expressly permitted under applicable Privacy Laws.
4.2 Confidentiality - Vendor shall ensure that its employees, agents, subcontractors, and sub-processors are subject to a duty of confidentiality with respect to Customer Personal Data.
4.3 Subcontractors; Sub-processors – Customer hereby authorizes Vendor to engage sub-processors. Vendor’s current subcontractors and sub-processors are set forth in Appendix C. Vendor shall notify Customer of any intended changes concerning the addition or replacement of subcontractors or sub-processors. Further, Vendor shall ensure that Vendor’s subcontractors or sub-processors who Process Customer Personal Data on Vendor’s behalf agree in writing to the same or equivalent restrictions and requirements that apply to Vendor in this DPA and the Agreement with respect to Customer Personal Data, as well as to comply with the applicable Privacy Laws.
4.4 Right to Object – Customer may object in writing to Vendor’s appointment of a new subcontractor or sub-processor on reasonable grounds relating to a potential or actual violation of Privacy Laws by notifying Vendor in writing within 30 calendar days of receipt of notice in accordance with Section 4.3. In the event Customer objects, the Parties shall discuss Customer’s concerns in good faith with a view to achieving a commercially reasonable resolution.
5. Consumer Rights.
5.1 Vendor shall provide commercially reasonable assistance to Customer for the fulfillment of Customer’s obligations to respond to Privacy Law-related Consumer rights requests regarding Customer Personal Data.
5.2 Where applicable, Vendor shall enable Customer to comply with any Consumer request made pursuant to the Privacy Laws / Customer shall inform Vendor of any Consumer request made pursuant to the Privacy Laws that they must comply with. Customer shall provide Vendor with the information necessary for Vendor to comply with the request.
5.3 Vendor shall not be required to delete any Customer Personal Data to comply with a Consumer’s request directed by Customer if retaining such information is specifically permitted by applicable Privacy Laws; provided, however, that in such case, Vendor will promptly inform Customer of the exceptions relied upon under applicable Privacy Laws and Vendor shall not use Customer Personal Data retained for any purpose other than provided for by that exception.
5.4 Taking into account the nature of the Processing, and the information available to Vendor, Vendor shall assist Customer, including, as appropriate, by implementing technical and organizational measures, with the fulfilment of Customer’s own obligations under Privacy Laws to: comply with requests to exercise data subject rights; conduct data protection impact assessments; and prior consultations with supervisory authorities.
6. International Data Transfers.
6.1 Customer hereby authorizes Vendor to perform international data transfers to any country deemed adequate by the European Commission or the competent authorities, as appropriate; on the basis of adequate safeguards in accordance with Privacy Laws; or pursuant to the SCCs referred to in Sections 6.2 and 6.3.
6.2 By signing this DPA, Vendor and Customer conclude Module 2 (controller-to-processor) of the SCCs and, to the extent Customer is a Processor on behalf of a third-party Controller, Module 3 (Processor-to-Subprocessor) of the SCCs, which are hereby incorporated and completed as follows: the “data exporter” is Customer; the “data importer” is Vendor; the optional docking clause in Clause 7 is implemented; Option 2 of Clause 9(a) is implemented and the time period therein is 30 calendar days; the optional redress clause in Clause 11(a) is struck; Option 1 in Clause 17 is implemented and the governing law is the law of Ireland; the courts in Clause 18(b) are the Courts of Dublin, Ireland; Annex I, II and III to module 2 of the EEA SCCs are Appendix A, B and C to this DPA respectively.
6.3 By signing this DPA, Vendor and Customer conclude the UK Addendum, which is hereby incorporated and applies to international data transfers outside the UK. Part 1 of the UK Addendum is completed as follows: (i) in Table 1, the “Exporter” is Customer and the “Importer” is Vendor, their details are set forth in this DPA, and the Agreement; (ii) in Table 2, the first option is selected and the “Approved EU SCCs” are the SCCs referred to in Section 6.2 of this DPA; (iii) in Table 3, Annexes 1 (A and B) to the “Approved EU SCCs” are Appendix A, B, C to this DPA respectively; and (iv) in Table 4, both the “Importer” and the “Exporter” can terminate the UK Addendum.
6.4 If Vendor’s compliance with Privacy Laws applicable to international data transfers is affected by circumstances outside of Vendor’s control, including if a legal instrument for international data transfers is invalidated, amended, or replaced, then Customer and Vendor will work together in good faith to reasonably resolve such non-compliance. In the event that additional, replacement or alternative standard contractual clauses or UK standard contractual clauses are approved by supervisory authorities, Vendor reserves the right to amend the Agreement and this DPA by adding to or replacing, the standard contractual clauses or UK standard contractual clauses that form part of it at the date of signature in order to ensure continued compliance with Privacy Laws.
7. Deletion of Customer Personal Data.
7.1 Upon direction by Customer, and in any event no later than 180 days after receipt of a request from Customer, Vendor shall promptly delete or anonymize Customer Personal Data, unless Vendor is required by law to retain such data, in which case Vendor shall, on an ongoing basis, isolate and protect the security and confidentiality of such Personal Data and prevent any further processing except to the extent required by such law and shall destroy or return to Customer all other Personal Data not required to be retained by Vendor by law.
8. Security.
8.1 Vendor and Customer shall implement and maintain no less than commercially reasonable security procedures and practices, appropriate to the nature of the information, to protect Customer Personal Data from unauthorized access, destruction, use, modification, or disclosure.
8.2 Upon becoming aware of an actual unauthorized access, destruction, use, modification, or disclosure of Customer Personal Data (“Security Incident”), the Party experiencing the Security Incident shall notify the other Party without undue delay and shall provide timely updates and information relating to the Security Incident as it becomes known or as is reasonably requested by Customer.
8.3 Vendor and Customer shall comply with the Data Security Addendum attached at Appendix B.
9. Exemptions.
9.1 Notwithstanding any provision to the contrary in the Agreement or this DPA, the terms of this DPA shall not apply to Vendor’s Processing of Customer Personal Data that is exempt from applicable Privacy Laws.
10. Sale of Data
10.1 The Parties acknowledge and agree that the exchange of Personal Data between the Parties does not form part of any monetary or other valuable consideration exchanged between the Parties with respect to the Agreement or this DPA.
11. Changes to Applicable Privacy Laws.
11.1 The Parties agree to cooperate in good faith to enter into additional terms to address any modifications, amendments, or updates to applicable statutes, regulations or other laws pertaining to privacy and information security, including, where applicable, the Privacy Laws.
Appendix A - Description of the Transfer and Processing Details
LIST OF PARTIES
Data exporter
Name | Customer (as defined above). |
Address | The address for Customer as set forth in the Agreement. |
Contact person’s name, position and contact details | The contact details for Customer as set forth in the Agreement. |
Activities relevant to the data transferred under these Clauses | Customer receives Vendor’s services as described in the Agreement and Vendor Processes Personal Data on behalf of Customer in that context. |
Signature and date | Customer’s signature and date on the Agreement. |
Role (controller/processor) | Controller, or Processor on behalf of Third-Party Controller. |
Data importer
Name | Tigris Data. |
Address | The address for Tigris Data as set forth in the Agreement. |
Contact person’s name, position and contact details | The contact details for Tigris Data as set forth in the Agreement. |
Activities relevant to the data transferred under these Clauses | Vendor provides its services to Customer as described in the Agreement and Processes Personal Data on behalf of Customer in that context. |
Signature and date | Tigris Data signature and date on the Agreement. |
Role (controller/processor) | Processor on behalf of Vendor, or Subprocessor on behalf of Third-Party Controller. |
DESCRIPTION OF THE TRANSFER
Categories of data subjects whose personal data is transferred.
Customer may submit Customer Personal Data to the Services (as determined and controlled by the Customer in its sole discretion subject to any constraints set forth in the Agreement), which may relate to the following categories of Data Subjects:
- Employees, agents, advisors, and contractors of Customer (in each case, who are natural persons).
- Users of Customer’s systems or users of systems over which the Customer has oversight which are the subject of the Services.
- Users authorized by Customer to access and use the Services.
- Any other category of Data Subjects whose Personal Data is contained or embedded within the data, information, and materials Customer submits to the Services or has Tigris Data (or another third party) submit into the Services on its behalf.
Categories of personal data transferred.
Customer may submit Customer Personal Data to the Services (as determined and controlled by the Customer in its sole discretion subject to any constraints set forth in the Agreement), which may relate to the following categories of Personal Data:
- First and last name, title, position, employment-related and professional information.
- Contact information (company, email, phone, physical address).
- Any other category of Personal Data contained within the data, information, and materials Customer submits to the Services or has Tigris Data (or another third party) submit into the Services on its behalf.
Tigris Object Storage Service is not intended to meet any legal obligations for any Sensitive data.
COMPETENT SUPERVISORY AUTHORITY
- The competent authority for the Processing of Personal Data relating to data subjects located in the EEA is the supervisory authority of Ireland.
- The competent authority for the Processing of Personal Data relating to data subjects located in the UK is the UK Information Commissioner.
Appendix B – Security Measures
The Parties will apply at least the following types of security measures to Customer Personal Data:
Physical access control
Tigris Data shall take reasonable measures to prevent physical access, such as secured buildings, to prevent unauthorized persons from gaining access to personal data.
System access control
Tigris Data shall take reasonable measures to prevent personal data from being used without authorization. These controls shall vary based on the nature of the processing undertaken and may include, among other controls, authentication via passwords and/or two-factor authentication, and/or logging of access.
Data access control
Tigris Data shall take reasonable measures to provide that personal data is accessible and manageable only by properly authorized staff, and application access rights are established and enforced to ensure that persons entitled to use a data processing system only have access to the personal data to which they have privilege of access; and, that personal data cannot be read, copied, modified or removed without authorization in the course of processing. Tigris Data shall take reasonable measures to implement an access policy under which access to its system environment, to personal data and other data is by authorized personnel only.
Transmission control
Tigris Data shall take reasonable measures to ensure that it is possible to check and establish to which entities the transfer of personal data by means of data transmission facilities is envisaged so personal data cannot be read, copied, modified or removed without authorization during electronic transmission or transport.
Input control
Tigris Data shall take reasonable measures to ensure that (i) the personal data source is under the control of data exporter; and (ii) personal data integrated into Tigris Data’s systems are managed by secured file transfer from Tigris Data and data subject.
Appendix C – Sub-Processors
To support delivery of Vendor’s services, Vendor may engage and use third parties as sub-processors to Process certain Customer Personal Data. This Appendix C provides information about the sub-processors used by Vendor as of the date of this DPA.
Sub-Processor Name | Location | Sub-Processing Activities |
---|---|---|
Fly.io | United States | Hosting provider |
AWS | United States | Account management, backup storage, engineering support |
OCI | United States | Account management, backup storage, engineering support |
Slack | United States | Internal communication |
Plain | United States | Customer support communication |
Stripe | United States | Payment processing |
Loops | United States | Email communication |