Data Processing Agreement
Effective Date: January 1, 2020
PLEASE READ THIS DATA PROCESSING AGREEMENT (“DPA”) CAREFULLY BEFORE INSTALLING OR OTHERWISE USING THE PREFECT CLOUD SOFTWARE AS A SERVICE (AS DEFINED BELOW) AND ACCOMPANYING DOCUMENTATION (THE “DOCUMENTATION”) DELIVERED TO YOU BY OR OTHERWISE RETRIEVED FROM PREFECT TECHNOLOGIES, INC., A DELAWARE CORPORATION WITH AN ADDRESS AT 1301 K ST NW, MINDSPACE SW313, WASHINGTON DC 20005 (“DATA PROCESSOR”). BY DOWNLOADING AND/OR USING THE PREFECT CLOUD SOFTWARE AS A SERVICE, YOU ARE AFFIRMATIVELY STATING (1) YOU HAVE READ THIS DPA, AGREE TO ALL OF ITS TERMS, CONSENT TO BE BOUND BY AND ARE BECOMING A PARTY TO THIS DPA, (2) YOU UNDERSTAND THAT YOU ARE A DATA CONTROLLER FOR ALL DATA YOU PROVIDE TO PREFECT AS THAT TERM IS GENERALLY USED AND UNDERSTOOD BY RELEVANT DATA PROTECTION LEGISLATION, AND (3) YOU HAVE DOWNLOADED AND/OR ARE MAKING USE OF THE PREFECT CLOUD SOFTWARE AS A SERVICE. IF YOU DO NOT AGREE TO ALL OF THE TERMS OF THIS DPA, DO NOT DOWNLOAD OR USE THE SOFTWARE.
IF YOU ARE ACCEPTING THIS DPA ON BEHALF OF ANOTHER ENTITY THAT YOU REPRESENT, YOU REPRESENT AND WARRANT THAT: (I) YOU HAVE FULL LEGAL AUTHORITY TO BIND SUCH ENTITY TO THIS DPA; (II) YOU HAVE READ AND UNDERSTAND THIS DPA; AND (III) YOU AGREE ON BEHALF OF SUCH ENTITY TO BE BOUND BY THIS DPA.
ACCEPTANCE OF THIS DPA AND RELATED PREFECT CLOUD SAAS AGREEMENT ARE REQUIRED AS A CONDITION PRECEDENT TO ACCESS AND USE OF THE PREFECT CLOUD SOFTWARE AS A SERVICE AND DOCUMENTATION. IF YOU DO NOT AGREE TO ALL OF THE TERMS AND CONDITIONS OF THIS DPA, OR IF YOU DO NOT HAVE THE LEGAL AUTHORITY TO ACCEPT THIS DPA ON BEHALF OF ANOTHER ENTITY THAT YOU REPRESENT, YOU MUST IMMEDIATELY REFRAIN FROM ANY FURTHER ACCESS OF THE PREFECT CLOUD SOFTWARE AS A SERVICE AND DOCUMENTATION.
AS USED IN THIS DPA, THE TERM “DATA CONTROLLER” MEANS YOU AND/OR ANOTHER ENTITY THAT YOU REPRESENT AND ON BEHALF OF WHOM YOU ACCEPT THIS DPA AND PROVIDE PERSONAL DATA FOR PROCESSING IN ACCORDANCE THEREWITH, WHICH IS EFFECTIVE AS OF ANY SUCH DATE OF ACCEPTANCE (THE “DPA EFFECTIVE DATE”). AS BETWEEN THE DATA CONTROLLER AND DATA PROCESSOR, EACH IS INDIVIDUALLY REFERRED TO HEREIN AS A “PARTY” AND COLLECTIVELY THE “PARTIES.”
In consideration of the mutual obligations set out herein, the Parties hereby agree that the terms and conditions set out below shall be added as an addendum to the Prefect Cloud Software as a Service (SaaS) Agreement (as defined below). By entering this DPA, the Parties agree that Data Processor will Process Personal Data (as defined herein) for Data Controller in accordance with the terms and conditions set out in this DPA.
1.1 This DPA is an addendum to, and forms part of, the Prefect Cloud Software as a Service (SaaS) Agreement executed between Data Processor and Data Controller for the provision of Prefect Cloud remote execution services (“Service”) and as amended from time to time as permitted therein (“Agreement”). References to the Agreement will be construed as inclusive of the terms of this DPA.
1.2 For the avoidance of doubt, the provisions of this DPA shall supersede and have precedence over any provisions in the Agreement, or in any other agreement between the Parties, in respect to the Processing of Personal Data.
1.3 The terms used in this DPA shall have the meanings set forth in this DPA. Capitalised terms not otherwise defined herein shall have the meaning given to them in the Agreement.
1.4 Except as modified below, the terms of the Agreement shall remain in full force and effect.
In this DPA:
2.1 “Affiliate” means an entity that owns or controls, is owned or controlled by, or is under common control or ownership with, the relevant Party, where “control” means the beneficial ownership of more than 50% of the issued share capital or other equity interests of a company or the legal power to direct or cause the direction of the general management of that entity, and “controls”, “controlled” and the expression “change of control” shall be construed accordingly.
2.2 “Data Protection Legislation” means Directive 95/46/EC, as transposed into domestic legislation of each Member State of the European Economic Area and in each case as amended, replaced or superseded from time to time, including without limitation by the EU General Data Protection Regulation 2016/679 of the European Parliament and of the Council (“GDPR”) and any data protection laws substantially amending, replacing or superseding the GDPR, and/or other applicable data protection or national/federal or state/provincial/emirate privacy legislation in force, such as the California Consumer Privacy Act (“CCPA”), including where applicable, statutes, decisions, guidelines, guidance notes, codes of practice, codes of conduct and data protection certification mechanisms issued from time to time by courts, any Supervisory Authority and other applicable authorities.
2.3 “Delete” means the removal or obliteration of Personal Data such that it cannot be recovered or reconstructed.
2.4 “Malicious Software” means any software program or code intended to destroy, interfere with, corrupt, or cause undesired effects on program files, data or other information, executable code, applications, software, macros, etc., whether or not its operation is immediate or delayed, and whether the malicious software is introduced wilfully, negligently or without knowledge of its existence.
2.5 “Personal Data” means any personal data, as defined under applicable Data Protection Legislation, Processed by Data Processor or any Subprocessor on behalf of Data Controller pursuant to or in connection with the Agreement.
2.6 “Personal Data Breach” means a breach of Processing leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to the Personal Data transmitted, stored or otherwise Processed, as well as any breach of any other requirements in the Agreement or any applicable Data Protection Legislation.
2.7 “Relevant Date” means the date falling on the earlier of: a) the cessation of Processing of the Personal Data by Data Processor; or b) termination of the Agreement.
2.8 “Restricted Transfer” means: a) a transfer of the Personal Data from Data Controller to Data Processor or Sub-processor; or b) an onward transfer of the Personal Data from Data Processor or Subprocessor to (or between two establishments of) Data Processor or Sub-processor, in each case, being a transfer to a third country (outside the European Union) where such transfer would be prohibited by Data Protection Legislation in the absence of the Standard Contractual Clauses or other legal instruments required by GDPR.
2.9 “Standard Contractual Clauses” means the standard contractual clauses that are based on the Commission Decision of February 5, 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council (notified under document C(2010) 593) (2010/87/EU) (including any subsequent repealing standard contractual clauses adopted by the European Commission regarding transfer to third countries).
2.10 “Sub-processor” means any Data Processor (including any third party or Affiliate of Data Processor) appointed by Data Processor to process Personal Data on behalf of Data Controller in connection with the Agreement.
2.11 “Supervisory Authority” means: a) an independent public authority which is established by a Member State pursuant to Article 51 GDPR; and b) any similar regulatory authority responsible for the enforcement of applicable Data Protection Legislation.
2.12 “Data Controller”, “Data Processor”, “Data Subject”, and “Processing”, outside their use defining the parties to this DPA, shall have the same meanings as in applicable Data Protection Legislation and “Processed” and “Process” shall be construed in accordance with the definition of “Processing.”
3. Compliance and Change of Law
3.1 The Parties shall, during the term of the Agreement, comply with applicable Data Protection Legislation in the Processing of Personal Data.
3.2 With respect to the GDPR and all applicable Data Protection Legislation, the Parties shall comply with their respective obligations under the Agreement from the DPA Effective Date.
3.3 The Parties agree to work together reasonably and in good faith with a view to agreeing any further changes to this DPA or its attachments which are necessary to ensure that both Parties continue to comply with the GDPR and all applicable Data Protection Legislation (taking into account any applicable transition provisions). This is without prejudice to each Party’s responsibility to meet its own current and future obligations in relation to the protection of Personal Data. For the avoidance of doubt, it is agreed that no additional costs will be charged to Data Controller for or in relation to the modification to Processing or the DPA or its attachments that are necessary to achieve compliance with any such new Data Protection Legislation.
4.1 Where Personal Data is Processed by Data Processor, its agents, Subprocessors or employees under or in connection with the Agreement, Data Processor shall, and shall procure that its agents, Sub-processors and employees shall, at Data Processor’s own expense:
The Scope of Processing
4.1.1 not Process the Personal Data other than on Data Controller’s documented instructions (whether as set out in the Agreement or otherwise) unless Processing is required by Data Protection Legislation to which Data Processor is subject, in which case Data Processor shall, to the extent practical and/or permitted by such Data Protection Legislation, inform Data Controller of that legal requirement before the relevant Processing of that Personal Data. Data Controller instructs Data Processor (and authorises Data Processor to instruct each Subprocessor) to Process the Personal Data as reasonably necessary for the provision of the Services and consistent with the Agreement. Appendix A to this DPA sets out the subject matter and duration of the Processing, the nature and purpose of the Processing, the type of Personal Data and categories of Data Subject as required by Article 28(3) of the GDPR or equivalent provisions of any Data Protection Legislation.
As between the Parties, nothing in Appendix A (including as amended pursuant to this paragraph 4.1.1) confers any right or imposes any obligation on either Party.
4.1.2 create and maintain a register setting out:
4.1.2.1 each transfer of Personal Data authorised by Data Controller from time to time;
4.1.2.2 a description of the technical and organisational measures adopted by Data Processor to protect the Personal Data in accordance with paragraph 4.1.3; and
4.1.2.3 upon request, and within a reasonable period of time, provide Data Controller with sufficient information (as set out in this Agreement) to enable Data Controller to carry out a review of the Processing activities of Data Processor.
4.1.3 taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including, among other things, as appropriate:
4.1.3.1 the encryption of the Personal Data;
4.1.3.2 the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
4.1.3.3 the ability to restore the availability of and access to Personal Data in a timely manner in the event of a physical or technical incident;
4.1.3.4 a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the Processing; and
4.1.3.5 any other organisational measures listed in the Agreement.
4.1.4 in assessing the appropriate level of security, take account of the risks that are presented by Processing in view of the nature of the Personal Data, particularly risk from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data transmitted, stored or otherwise Processed.
4.1.5 make such changes as necessary to ensure ongoing compliance with paragraph 4.1.3.
4.1.6 take reasonable steps to ensure the reliability of any employee, agent or contractor who may have access to the Personal Data, ensuring in each case that access is strictly limited to those individuals who need to access the relevant Personal Data, as strictly necessary to perform the Services in the context of that individual’s duties to Data Processor, ensuring that all such individuals:
4.1.6.1 are informed of the confidential nature of the Personal Data;
4.1.6.2 where required, have undertaken appropriate training in relation to Data Protection Legislation; and
4.1.6.3 are subject to user authentication and log-on processes when accessing Personal Data.
4.1.7 keep all Personal Data and any analyses, profiles or documents derived therefrom separate from all other data and documentation of Data Processor.
Data Protection Impact Assessment and Prior Consultation
4.1.8 provide reasonable assistance to Data Controller, at additional reasonable cost to Data Processor, with any data protection impact assessments that are required under Article 35 GDPR and with any prior consultations to any relevant Supervisory Authority that are required under Article 36 GDPR. Data Controller, at additional reasonable cost to Data Processor, will similarly provide reasonable assistance in relation to any data protection impact assessments or prior consultations required under any applicable Data Protection Legislation.
In each case such assistance shall be solely in relation to Processing of Personal Data by Data Processor on behalf of Data Controller and taking into account the nature of the Processing and information available to Data Processor.
Personal Data Breach
4.1.9 notify Data Controller promptly and without undue delay, and in any event within twenty-four (24) hours, upon becoming aware of a Personal Data Breach or circumstances that are likely to give rise to a Personal Data Breach, providing Data Controller with sufficient information and documentation and in a timescale that allows Data Controller to meet any obligations to report a Personal Data Breach under the Data Protection Legislation. Such notification shall as a minimum:
4.1.9.1 describe the nature of the Personal Data Breach, the categories and numbers of Data Subjects concerned, and the categories and numbers of Personal Data records concerned;
4.1.9.2 communicate the name and contact details of the Data Protection Officer or other relevant contact from whom more information may be obtained;
4.1.9.3 describe the likely consequences of the Personal Data Breach; and
4.1.9.4 describe the measures taken or proposed to be taken to address the Personal Data Breach,
except where statutory guidance indicates that a Personal Data Breach is not required to be notified by a Processor to a Controller.
4.1.10 in the event of a Personal Data Breach, not inform any third party, except as may be strictly required by applicable law, without first obtaining Data Controller’s prior written consent.
Request from Data Subjects
4.1.11 notify Data Controller within seventy-two (72) hours if it receives a request from a Data Subject under any Data Protection Legislation in respect of the Personal Data, including requests by a Data Subject to exercise rights in Chapter III of GDPR.
4.1.12 cooperate as requested by Data Controller to enable Data Controller or any Affiliate of Data Controller to comply with the exercise of such rights by a Data Subject and/or to comply with any assessment, enquiry, notice or investigation under any Data Protection Legislation in respect of the Personal Data or the Agreement, to include:
4.1.12.1 provision of all data requested by Data Controller in each case, including full details and copies of the complaint, communication or request and any Personal Data it holds in relation to a Data Subject; and
4.1.12.2 where applicable, providing such assistance as is reasonably requested by Data Controller to enable Data Controller to comply with the relevant request within the Data Protection Legislation statutory timescales.
4.1.13 appoint and identify to Data Controller a Data Protection Officer (or such other role or designation within Data Processor organisation performing the same or similar role as a DPO) who shall be a named individual within Data Processor to act as a point of contact for any enquiries from Data Controller relating to Personal Data (including in respect of Restricted Transfers).
4.1.14 notify and update Data Controller of any changes to the identity and/or contact details of the individual acting as Data Protection Officer (or equivalent) so as to enable Data Controller to make direct contact at all times, acknowledging that the initial contact details are set out in Appendix A to this DPA.
4.1.15 where a transfer of Personal Data involves a Restricted Transfer, when requested by Data Controller, promptly enter into (or procure that any relevant Sub-processor enters into) an agreement with Data Controller or an Affiliate of Data Controller including, or on such provisions as, the Standard Contractual Clauses, which terms shall take precedence over those in this DPA.
4.1.16 subject to the requirements of any applicable exit plan, immediately cease to Process the Personal Data.
4.1.17 comply with any written request by Data Controller notifying Data Processor within thirty (30) days of the Relevant Date to procure the Deletion of all copies of the Personal Data Processed by Data Processor or any Sub-processor. Data Processor shall comply with any such written request promptly and in any event within sixty (60) calendar days of the Relevant Date. Data Processor may retain the Personal Data to the extent maintained in backup and/or recovery media, or as may be required by applicable Data Protection Legislation and only to the extent and for such period as required by applicable Data Protection Legislation. Data Processor shall ensure the confidentiality of all such Personal Data and shall ensure that such Personal Data is only Processed as necessary for the purpose(s) specified in the applicable Data Protection Legislation requiring its storage and for no other purpose; and
4.1.18 certify within a reasonable time but in any event not later than sixty (60) days after the Relevant Date that all copies of the Personal Data have been Deleted or returned in compliance with this DPA and paragraph 4.1.18.
Notification and Information Obligation
4.2 Data Processor shall cooperate fully with and assist Data Controller and/or any Affiliate of Data Controller, at Data Controller’s expense, with any notifications or prior approvals that Data Controller and/or any Affiliate of Data Controller may be required to effect or obtain as Data Controller from a regulator, including without limitation the preparation of supporting documentation to be submitted to the relevant regulator and provision of supporting documentation sufficient to evidence that Data Processor is legally bound by the terms of the Agreement.
4.3 Data Processor shall immediately notify Data Controller if any complaint, allegation or request is made (including by any regulator) relating to Data Processor’s processing of the Personal Data. Data Processor shall provide all such cooperation and assistance as Data Controller may reasonably require in relation to any such complaint, allegation or request including by providing full details of any such complaint, allegation or request together with a copy of the Personal Data held by it in relation to the individual within forty-eight (48) hours of receipt of the request for such Personal Data to enable Data Controller to comply with its obligations in relation thereto.
4.4 Once every calendar year and upon reasonable notice, Data Processor shall make available to Data Controller all information necessary to demonstrate compliance with this DPA, as well as provide evidence of any procedures and documentation that relate to the processing of Personal Data, so Data Processor may ascertain compliance with the terms of this DPA. Data Controller shall bear all costs incurred by Data Processor in compliance with this paragraph 4.4.
4.5 Data Processor warrants that it has and its agents, Sub-processors and employees have the necessary legal authority in any country where any Processing of Personal Data shall take place under the Agreement in order to carry out the Processing, and undertakes to comply with any Data Protection Legislation that is applicable in such country.
5.1 This DPA (including its attachments) is effective as of the DPA Effective Date and terminates on the Relevant Date, which shall be the date the Agreement terminates.
5.2 If any provision of this DPA is held by any competent authority to be invalid or unenforceable, in whole or in part, it shall (to the extent that it is invalid or unenforceable) be deemed to be severable and the validity of the other provisions of this DPA and the remainder of the provision in question shall not be affected. The Parties shall work together in good faith to replace such offending provisions.
5.3 Any amendment to this DPA shall only be valid if made in writing and signed by each of the Parties hereto.
5.4 This DPA shall be deemed to have been made and accepted in the state of Delaware and any dispute arising hereunder shall be resolved in accordance with the laws of Delaware, without reference to its conflict of laws principles. The Parties agree to submit any dispute relating to this DPA to the exclusive personal and subject matter jurisdiction of the courts of Delaware.
Appendix A: On Details of the Processing of the Personal Data
This Appendix A includes certain details of the Processing of the Personal Data as required by Article 28(3) GDPR or equivalent provisions of any Data Protection Legislation.
Subject matter and duration of the Processing of the Personal Data
Pursuant to the Prefect Cloud Software as a Service (SaaS) Agreement agreed to by the Parties, the subject matter and duration of the Processing of the Personal Data are as follows:
The only Personal Data that is collected on demand by Prefect includes the Data Controller’s name, email address and some basic digital information surrounding usage such as, e.g., last login time. This data is held indefinitely until the Data Controller either updates such information or deletes their account.
Other processing of Personal Data may take place by the execution of program flows written by the Data Controller. Prefect remotely instructs the Data Controller as to the execution of a given program flow; the processing of any personal information contained therein is strictly in accordance with the instructions of the Data Controller.
The nature and purpose of the Processing of the Personal Data
The personal data transferred will be subject to the following basic processing activities:
The only internal processing of user’s Personal Data that occurs is in service of accessing the Data Controller’s personal user interface (via email address) and displaying the above information in the Data Controller’s user interface. Otherwise, no processing occurs on the information outlined above.
As indicated above, other processing of Personal Data may take place by the execution of program flows written by the Data Controller, which is required for the remote monitoring and execution of workflows that the Prefect Cloud SaaS provides.
The types of the Personal Data to be Processed [1]
The personal data transferred concern the following categories of data (please specify):
- Full name
- Email address
- Company name
- Digital information [2]
Processing of Personal Data may take place by the execution of program flows written by the Data Controller. Prefect remotely instructs the data controller as to the execution of a given program flow; the processing of any personal information contained therein is strictly in accordance with the instructions of the Data Controller.
Term of the Services and Retention Period [3] of Personal Data
Personal Data is retained for as long as the Data Controller has an account with Prefect. Corresponding personal data is deleted when the Data Controller deletes the respective account.
The obligations and rights of the Data Controller
[1] Personal data collected for customers working through Prefect's sales team to also include address and telephone number.
[2] Includes login information, IP address, MAC address, web cookies, hosting information, pages visited, services used, etc.
[3] Means the duration of time for which the information should be maintained or retained, irrespective of format (paper, electronic, or other).