Data Processing Addendum
Hydrolix, Inc. Data Processing Addendum
This Data Processing Addendum (this “DPA”) forms a part of the Hydrolix – Proof of Concept Agreement found at https://docs.hydrolix.io/legal/terms-of-service, unless Customer has entered into a superseding written master subscription agreement with Hydrolix, Inc. (“Hydrolix”), in which case, it forms a part of such written agreement (in either case, the “Agreement”).
By signing the DPA or executing an Agreement that explicitly states that the DPA is incorporated by reference, Customer enters into this DPA on behalf of itself and, to the extent required under Applicable Data Protection Laws, in the name and on behalf of any Affiliates (defined below) who are authorized to use the Services. If you are entering into this DPA on behalf of a company (such as your employer) or other legal entity, you represent and warrant that you have the authority to bind that company or legal entity to this DPA. In that case, “Customer” will refer to that company or other legal entity. All capitalized terms not defined herein shall have the meaning set forth in the Agreement.
In the course of providing the Services under the Agreement, Hydrolix may process certain Customer Data (such terms defined below) on behalf of Customer and where Hydrolix processes such Customer Data on behalf of Customer the Parties agree to comply with the terms and conditions in this DPA in connection with such Customer Data.
HOW TO EXECUTE THIS DPA
This DPA consists of two parts: the main body of the DPA, and Annexes A, B and C. This DPA has been pre-signed on behalf of Hydrolix. The Standard Contractual Clauses are entered into by Hydrolix, Inc. as the data importer. This DPA will be null and void if any changes are made to it beyond filling out the sections described below. If you execute an Agreement that explicitly states that this DPA is incorporated, you do not need to take any further action to execute this DPA; your execution of the Agreement is sufficient. If you have not executed an Agreement that explicitly states this DPA is incorporated, to complete this DPA, Customer must do each of the following:
a. Complete the information in the signature box and sign just after section 13 in the main document.
b. Complete the information as the data exporter in Annex A in this document.
c. Complete the information as the data exporter in Annex C and executed Annex C.
d. Send the completed and signed DPA to Hydrolix by email to [email protected].
Upon the earlier of (i) the execution of an Agreement that explicitly states that the DPA is incorporated into the Agreement by reference; or (ii) receipt of the validly completed DPA by Hydrolix at the above email address, this DPA will become legally binding.
HOW THIS DPA APPLIES TO CUSTOMER AND ITS AFFILIATES
If the Customer entity signing this DPA is a party to the Agreement, this DPA is an addendum to and forms part of the Agreement. In such case, the Hydrolix entity that is party to the Agreement is party to this DPA. If the Customer entity signing this DPA has executed an Order Schedule with Hydrolix pursuant to the Agreement, but is not itself a party to the Agreement, this DPA is an addendum to that Order Schedule and applicable renewal Order Schedules, and the Hydrolix entity that is party to such Order Schedule is party to this DPA. If the Customer entity signing this DPA is neither a party to an Order Schedule nor the Agreement, this DPA is not valid and is not legally binding. Such entity should request that the Customer entity who is a party to the Agreement executes this DPA.
1. Definitions.
1.1. “Affiliate” means, with respect to the identified party, any entity that is directly or indirectly controlled by, controlling or under common control with such party.
1.2. “Applicable Data Protection Laws” means all worldwide data protection and privacy laws and regulations applicable to the Personal Data in question, including, where applicable, (a) EU Data Protection Law, (b) UK Data Protection Law, (c) Swiss Data Protection Law, and (d) the California Consumer Privacy Act of 2018 (Cal. Civ. Code §§ 1798.100 to 1798.199), as amended from time to time, including the California Privacy Rights Act, and any related regulations and guidance provided by the California Attorney General pertaining to same (the “CCPA”).
1.3. “Authorized User(s)” means any person who processes Customer Data on Hydrolix’s behalf, including Hydrolix’s employees, officers, partners, principals, contractors and Subprocessors.
1.4. “Cloud Provider” means a 3rd party vendor such as Amazon Web Services, Google Cloud Services, Microsoft Azure, or similar, as specified in an Order Schedule or the Agreement.
1.5. “Customer Cloud Environment” means the cloud environment provided by the Cloud Provider into which the Hydrolix platform is deployed.
1.6. “Customer Content” has the meaning given to it in the Agreement, or if not therein defined, means all Customer Data, Customer Configuration Data, and Customer Query Results.
1.7. “Customer Data” means the data, other than Customer Configuration Data, made available by Customer and its Authorized Users for processing by, or use within, the Services, including without limitation Personal Data to the extent therein contained. For the avoidance of doubt, Customer Data does not include Usage Data or the Hydrolix Platform.
1.8. “Customer Configuration Data” has the meaning given to it in the Agreement, or if not therein defined, means information other than Customer Data that Customer inputs into the Hydrolix Platform to direct how the Hydrolix Platform processes Customer Data, including without limitation the code and any libraries (including third party libraries) Customer utilizes within the Hydrolix Service.
1.9. “Customer Query Results” has the meaning given to it in the Agreement, or if not therein defined, means any output Customer or its Authorized Users generate from their use of the Hydrolix Service.
1.10. “Data Subject” means an individual to whom the Personal Data relates.
1.11. “Hydrolix Group” means Hydrolix, Inc. and its Affiliates.
1.12. “Hydrolix Platform ” has the meaning given to it in the Agreement, or if not therein defined, means the Hydrolix cloud-based unified data analytics platform and related services to be provided under the Agreement.
1.13. “EEA” means, for the purposes of this DPA, the European Economic Area.
1.14. “EEA Data” means Personal Data subject to EU Data Protection Law.
1.15. “EU Data Protection Law” means Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation) (“GDPR”).
1.16. “Personal Data” means information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to their physical, physiological, genetic, mental, economic, cultural or social identity. For the avoidance of doubt, Personal Data includes any data protected as personal data, personal information, personally identifiable information or similar term under Applicable Data Protection Laws.
1.17. “Security Breach” means a breach of security leading to any accidental, unauthorized or unlawful loss, disclosure, destruction, alteration, or access to Customer Data.
1.18. “Sensitive Data” means any unencrypted (i) bank, credit card or other financial account numbers or login credentials, (ii) social security, tax, driver’s license or other government-issued identification numbers, (iii) health information identifiable to a particular individual; or (iv) any “special” or “sensitive” categories of data as those terms are defined according to EU Data Protection Law or any similar category under other Applicable Data Protection Laws, including “Sensitive Personal Information” under the CCPA. For the purposes of the prior sentence, “unencrypted” means a failure to utilize industry standard encryption methods to prevent Hydrolix and its personnel, including any subcontractors, from accessing the relevant data in unencrypted form.
1.19. “Standard Contractual Clauses” means Standard Contractual Clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and the Council approved by European Commission Implementing Decision (EU) 2021/914 of 4 June 2021, as currently set out at https://eurlex.europa.eu/eli/dec_impl/2021/914/oj, specifically sections I, II, III and IV (as applicable) to the extent they reference Module Two (Controller-to-Processor).
1.20. “Subprocessor” means any third party (including any Hydrolix’s Affiliate) engaged by Hydrolix to process any Customer Data that may contain Customer Data on behalf of Customer or who may receive Customer Data provided by Customer through the Services pursuant to the terms of the Agreement.
1.21. “Services” means the Services provided pursuant to the Agreement.
1.22. “UK Data” means Personal Data subject to the UK Data Protection Laws.
1.23. “UK Data Protection Laws” means the United Kingdom Data Protection Act of 2018 and the United Kingdom’s implementation of GDPR (“UK GDPR”).
1.24. “Usage Data” means usage data and telemetry collected by Hydrolix relating to the use of the Services by Customer. Usage Data may occasionally contain Customer Configuration Data (e.g., it may contain the queries entered by an Authorized User) but will not contain Customer Data or Customer Query Results.
1.25. “Swiss Data” means Personal Data subject to the Swiss Data Protection Laws.
1.26. “Swiss Data Protection Laws” means the Federal Data Protection Act, including any amendments thereto.
1.27. The terms “Controller”, “Processor”, and “process” and “processing” have the meanings given to them in Applicable Data Protection Laws. If and to the extent that Applicable Data Protection Laws do not define such terms, then the definitions given in EU Data Protection Law will apply.
2. Responsibility of the Parties.
2.1. The responsibilities of the Parties will vary based on the type of Services being
a. Shared Deployment: If the Services involve a shared deployment, Customer acknowledges that the Hydrolix Platform is implemented in a manner that divides the Hydrolix Platform between the Customer Cloud Environment and the Hydrolix Control Plane, and that accordingly each party must undertake certain technical and organizational measures in order to protect the Hydrolix Platform and the Customer Content. Without limiting the foregoing, and except to the extent otherwise set forth in the Agreement, Customer acknowledges and agrees that (1) in order to utilize the Hydrolix Service, Customer must have an account with the Cloud Provider; (2) Hydrolix does not host the Customer Cloud Environment into which the Hydrolix Platform are deployed or the systems in which your Customer Data may be stored (e.g., an AWS S3 bucket) and is not responsible for the security or processing of Personal Data or Customer Data in such Customer Cloud Environment; (3) while certain Customer Data may occasionally be present within the Hydrolix Platform (e.g., within the Customer Query Results), the Hydrolix Platform are not designed to archive or permanently retain Customer Data, but merely to provide an environment to facilitate Customer’s processing of Customer Data within the Customer Cloud Environment by permitting Customer to generate and execute Customer Configuration Data and view Customer Query Results; and (4) Hydrolix and the Hydrolix Platform do not provide backup services or disaster recovery to enable recovery of Customer Data.
b. Hosted Services: If the Hydrolix Platform is provided by Hydrolix as a hosted service, Customer acknowledges that the Hydrolix Platform is a “database as a service” (“DBaaS”)-based service(s) provided by Hydrolix and that Hydrolix will host the Customer Content in its own cloud environment. In this set-up, the Service is an append-only database for real-time analytics solution into which Customer uploads Customer Data to a cloud environment provided by Hydrolix. However, Customer agrees and acknowledges that Hydrolix and the Hydrolix Platform do not provide backup services or disaster recovery to enable recovery of Customer Data even in this hosted solution. Customer is responsible for making any necessary back-ups of Customer Data for ensuring that it has secure connections to the hosted Service.
c. Supported Services: These are Services where Hydrolix is merely providing support to Customer use of the Hydrolix Platform is not providing any hosting or shared deployment. In this set-up, the Customer has the entire responsibility for uploading, managing and storing the Customer Data. The Parties agree that Hydrolix has no obligations to process the Customer Data or any Personal Data and the Parties do not intend for Hydrolix to receive or have access any Customer Data or Personal Data; the Customer shall have sole responsibility for the security and privacy, and processing of Customer Data and Personal Data, including implementing and maintaining any Cloud Environments. The Parties are only entering this DPA to ensure that if for some reason Hydrolix has a need to review or process Customer Data or Personal Data on a limited basis to provide the Services, such Customer Data or Personal Data will be processed in accordance with this DPA. The Parties agree that except to the extent required by Applicable Data Protections Laws, the obligations in Sections 5, 6 and 8 does not apply to these Services.
2.2. Without limiting the foregoing, and except to the extent otherwise set forth in the Agreement, Customer acknowledges and agrees that subject to any limitations under the DPA or the Agreement regarding what Customer Data may contain, the choice of which Customer Data you process within the Hydrolix Platform and manner in which you choose to process it are under the control of Customer and that accordingly Hydrolix will generally be unaware of the types of or details regarding the Personal Data you may process within the Services.
3. Purpose; Ownership of Data.
3.1. Customer and Hydrolix have entered into the Agreement pursuant to which Customer is being provided the Hydrolix Platform and Services. In using the Services, Customer may submit through the Services or otherwise provide access to Hydrolix certain Customer Data. This DPA applies where and only to the extent that Hydrolix Processes Customer Data on behalf of Customer as a Processor in the course of providing Services pursuant to the Agreement.
3.2. Customer specifically authorizes and instructs Hydrolix to process Customer Data and Personal Data in providing the Services set forth in the Agreement.
3.3. Additionally, when using the Services, Hydrolix will collect Usage Data. Where Hydrolix is acting as Customer’s processor under Applicable Data Protection Law and such Customer Data or Usage Data contains Personal Data, it will be subject to the applicable terms and conditions of this DPA.
3.4. As between the Parties, all Customer Data processed under the terms of this DPA and the Agreement shall remain the property of Customer. Under no circumstances will any member of the Hydrolix Group act, or be deemed to act, as a “Controller” (or equivalent concept) of the Customer Data processed within the Services under any Applicable Data Protection Laws. Usage Data, except to the extent such Usage Data contains Personal Data collected from Customer, is and shall remain the property of Hydrolix, provided that Hydrolix will not share or publicly make available any Usage Data that identifies Customer, or any of its Authorized Users, other data subjects, or customers, nor use any Usage Data in a manner that derives its value from the unique aspects of your Customer Configuration Data.
4. Subprocessing.
4.1. Customer agrees that Hydrolix may appoint Subprocessors to assist it in providing the Hydrolix Services by processing Customer Data solely for the purpose of providing the Hydrolix Services, provided that such Subprocessors:
a. agree to act only on Hydrolix’s instructions when processing the Customer Data (which instructions shall be consistent with Customer's processing instructions to Hydrolix); and
b. agree to protect the Customer Data to a standard consistent with the requirements of this DPA, including by implementing and maintaining appropriate technical and organizational measures to protect the Customer Data they process consistent with the Security Standards described in Annex B.
4.2. Hydrolix remains fully liable for any breach of this DPA or the Agreement(s) that is caused by an act, error or omission of such Subprocessor to the extent Hydrolix would have been liable for such act, error or omission had it been caused by Hydrolix.
4.3. Hydrolix shall maintain an up-to-date list (and make it available upon written request to [email protected]) of all Subprocessors used in the provision of the Hydrolix Services who may have access to or process (a) Customer Data (which may contain Personal Data) or (b) other Personal Data received by Hydrolix from Customer through the Services under the Agreement (the “Subprocessor List”).
4.4. Prior to the addition or change of any Subprocessors, Hydrolix shall provide notice to Customer, which may include by updating the Subprocessor List on the website listed above, not less than 30 days prior to the date on which the Subprocessor shall commence processing Personal Data. Hydrolix will make available a means by which Customer may subscribe to receive notifications of changes to the Subprocessor List (which may include without limitation the provision of an RSS feed). It is Customer’s responsibility to check this website for changes.
4.5. In the event that Customer objects to the processing of its Personal Data by any newly appointed Subprocessor as described in Section 4.4, it shall inform Hydrolix in writing within 10 calendar days after notice has been provided by Hydrolix. In the event that Customer timely objects on reasonable grounds relating to the protection of Personal Data Hydrolix will either, at Hydrolix option (a) work with Customer to address Customer’s reasonable objections and thereafter proceed to use the Subprocessor to perform such processing; (b) instruct the Subprocessor to not process Customer's Personal Data, which Customer acknowledges and agrees may result in new or improved Services features enabled by the Subprocessor not being available to Customer; or (c) allow Customer to terminate this DPA and the Agreement with Hydrolix immediately on notice and upon receipt of such notice provide Customer with a pro rata reimbursement of any sums Customer may have paid in advance for Services to be provided but not yet received by Customer.
4.6. Customer acknowledges that any third party services that may be linked to or used within the Services (e.g., Customer may use Grafana to visualize data processed by Hydrolix) (“Non-Hydrolix Services”) are governed solely by the terms and conditions and privacy policies of such Non-Hydrolix Services, and Hydrolix does not endorse, is not responsible or liable for, and makes no representations as to any aspect of such Non-Hydrolix Services, including, without limitation, their content or the manner in which they handle your Customer Data (including Personal Data) or any interaction between Customer and the provider of such Non-Hydrolix Services. Hydrolix is not liable for any damage or loss caused or alleged to be caused by or in connection with Customer’s enablement, access or use of any such Non-Hydrolix Services, or Customer’s reliance on the privacy practices, data security processes or other policies of such Non- Hydrolix Services. The providers of Non-Hydrolix Services shall not be deemed Subprocessors for any purpose under this Agreement.
5. Cooperation.
5.1. Customer acknowledges that the Services provide Customer with a number of controls that Customer may use to retrieve, delete or restrict Customer Data, which Customer may use to assist it in connection with its obligations under the GDPR, including its obligations relating to responding to requests from data subjects or applicable data protection authorities. To the extent that Customer is required to respond to a DSR (as defined below) under Applicable Data Protection Law and is unable to access the relevant Customer Data within the Services using such controls or otherwise, Hydrolix shall reasonably cooperate with Customer (at Customer’s request and expense) to enable Customer (or its third party Controller) to respond to any requests, complaints or other communications from Data Subjects and regulatory or judicial bodies relating to the processing of Personal Data under the Agreement(s), including requests from Data Subjects seeking to exercise their rights under Applicable Data Protection Laws (a ‘data subject request’ or “DSR”) insofar as this is possible. In the event that any such DSR, complaint or communication is made directly to Hydrolix, Hydrolix shall promptly pass such communication on to Customer and shall not respond to such communication without Customer’ express authorization. For the avoidance of doubt, the foregoing shall not prohibit Hydrolix from communicating with a Data Subject if it is not reasonably apparent on the face of the communication to which customer of Hydrolix the DSR relates.
5.2. If Hydrolix receives a subpoena, court order, warrant or other legal demand from a third party (including law enforcement or other public or judicial authorities) seeking the disclosure of Customer Data, Hydrolix shall not disclose any information but shall promptly notify Customer in writing of such request, and reasonably cooperate with Customer if it wishes to limit, challenge or protect against such disclosure, to the extent permitted by applicable laws.
5.3. To the extent Hydrolix is required under Applicable Data Protection Laws, Hydrolix will assist Customer (or its third party Controller), at Customer’s request and expense, to conduct a data protection impact assessment and, where legally required, consult with applicable data protection authorities in respect of any proposed processing activity that present a high risk to Data Subjects. Because the need for a data protection impact assessment, if any, will arise from the choices made by Customer regarding what Customer to be processed and the processing activities to perform, Customer shall be responsible for any costs arising from Hydrolix’s provision of such assistance.
5.4. At Customer’s written request, and to the extent required by Applicable Data Protection Laws, Hydrolix will make reasonable efforts to provide Customer with all information necessary to demonstrate its compliance with Applicable Data Protection Laws.
5.5. Customer acknowledges that Hydrolix is required under GDPR and UK GDPR to: (a) collect and maintain records of certain information, including the name and contact details of each Processor and/or Controller on behalf of which Hydrolix is acting and, where applicable, of such Data Processor’s or Data Controller's local representative and data protection officer; and (b) make such information available to the supervisory authorities. Accordingly, if GDPR or UK GDPR applies to the processing of Personal Data, Customer will, where requested, provide such information to Hydrolix via the Services or other means provided by Hydrolix, and will ensure that all information provided is kept accurate and up-to-date.
5.6. The Parties agree to discuss in good faith and modify this Agreement to accommodate changes to Applicable Data Protection Laws or when the Personal Data is subject to new Applicable Data Protection Laws, provided that Hydrolix may charge additional fees or terminate the Agreement if such changes would increase the cost of providing the Services. Additionally, if reasonably required by Customer, Hydrolix shall enter into a Business Associate Agreement to enable Customer to comply with its obligations under HIPAA/HITECH ACT (“BAA”). Hydrolix may charge additional fees for the entering into a Business Associate Agreement.
6. Data Access & Security Measures.
6.1. Hydrolix shall ensure that Hydrolix administrators are subject to a strict duty of confidentiality (whether a contractual or statutory duty) and that they process the Customer Data only for the purpose of delivering the Hydrolix Services under the Agreement(s) to Customer.
6.2. Hydrolix will implement and maintain appropriate technical and organizational security measures to protect against Security Breaches and to preserve the security, availability, integrity and confidentiality of Customer Data (“Security Measures”). Such measures shall have regard to the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. Customer agrees that Hydrolix’s implementation of the Security Measures identified at Annex B shall be deemed to be sufficient for the purposes of complying with its obligations under this Section, as of the date of this DPA, provided that Hydrolix shall review the Security Measures on at least an annual basis.
7. Security Incidents.
7.1. In the event of a Security Breach, unless prohibited by law or governmental authority, Hydrolix shall inform Customer without undue delay and provide written details of the Security Breach, including the type of data affected and the identity of affected person(s) as soon as such information becomes known or available to Hydrolix.
7.2. Furthermore, in the event of a Security Breach, Hydrolix shall:
a. provide timely information and cooperation as Customer may reasonably require to fulfill Customer’s data breach reporting obligations under Applicable Data Protection Laws; and
b. take such measures and actions as are appropriate to remedy or mitigate the effects of the Security Breach and shall keep Customer up-to-date about all developments in connection with the Security Breach.
7.3. The decision whether to provide notification, public/regulatory communication or press release (each, a “Notification”) concerning the Security Breach shall be solely at Customer’s discretion, but the content of any Notification that names Hydrolix or from which Hydrolix’s identity could reasonably be determined shall be subject to the prior approval of Hydrolix, which approval shall not be unreasonably withheld, conditioned or delayed, except as otherwise required by applicable laws and provided that conditioning of the Notification on Hydrolix’s approval shall not prevent Customer from complying with Applicable Data Protection Laws.
8. Security Reports & Inspections; Audits.
8.1. The Parties acknowledge that Hydrolix uses external auditors to verify the adequacy of its Security Measures. This audit:
a. will be performed at least annually;
b. will be performed according to ISO 27001 standards or such other alternative standards that are substantially equivalent to ISO 27001;
c. will be performed by independent third party security professionals at Hydrolix’s selection and expense; and
d. will result in the generation of an audit report identifying any areas in which Hydrolix’s data security controls have not yet achieved industry standards under Service Organization Controls No. 2 (SOC2) in accordance with AT-C 205 or such other alternative standards that are substantially equivalent to SOC 2 Type 2 (“Report”).
8.2. At Customer’s written request, Hydrolix will provide Customer with copies of its Report so that Customer can reasonably verify Hydrolix’s compliance with the security and audit obligations under this Agreement. The Report and any summaries thereof will constitute Hydrolix’s Confidential Information under the confidentiality provisions of the Agreement.
8.3. Hydrolix will respond in a commercially reasonable timeframe to any requests for additional information or clarification from Customer related to such report.
9. Data Processing and Transport.
9.1 Hydrolix will at all times provide an adequate level of protection for the Customer Data, wherever processed, in accordance with the requirements of Applicable Data Protection Laws. Customer acknowledges that Hydrolix and its Subprocessors may maintain data processing operations in countries that are outside of the EEA, UK and Switzerland. As such, both Hydrolix and its Subprocessors may process Personal Data in non-EEA, non-US and non-Swiss countries. This will apply even where Customer has agreed with Hydrolix to use cloud instances of the Services located in the EEA, UK or Switzerland if such processing outside such jurisdictions is necessary to provide support-related or other services requested by Customer.
9.2. Hydrolix shall process Customer Data (i) containing Personal Data submitted to Hydrolix by Customer through the Services only as a Processor acting on behalf of Customer (whether as Controller or itself a Processor on behalf of third party Controllers); and (ii) only in accordance with Customer’s documented instructions as set forth in this DPA, the Agreement(s) or as otherwise necessary to provide the Services; provided that Hydrolix shall inform Customer if, in its opinion, Customer’s processing instructions infringe any law or regulation; in such event, Hydrolix is entitled to refuse processing of Personal Data that it believes to be in violation of any law or regulation.
9.3. Customer acknowledges that the Services are data-type agnostic, and that Hydrolix does not have any knowledge of the actual data or types of data contained in the Customer Data. Accordingly, Customer shall notify Hydrolix prior to providing any Sensitive Data. Hydrolix may impose additional requirements on Customer prior to the use of the Services by Customer to process any Sensitive Data, which may include additional fees.
9.4. To the extent that Hydrolix processes any EEA Data, UK Data or Swiss Data on behalf of Customer, the parties agree that Hydrolix makes available the transfer mechanisms listed below for any transfers of EEA Data, UK Data or Swiss Data to Hydrolix located in a country which does not ensure an adequate level of protection (within the meaning of Applicable Data Protection Laws):
a. Hydrolix agrees to abide by and process EEA Data in compliance with the Standard Contractual Clauses,, and subject to the interpretations set forth in Appendix 3, and for these purposes Hydrolix agrees that it is a "data importer" and Customer and/or its Affiliates, as applicable is/are the "data exporter" under the Standard Contractual Clauses (notwithstanding that Customer and/or its Affiliates may be an entity/ies located outside of the EEA).
b. Hydrolix agrees to abide by and process UK Data in accordance with Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as revised under Section 18 of those Mandatory Clauses ("Approved Addendum"), subject to the interpretations in Appendix 3.
c. Hydrolix agrees to abide by and process Swiss Data in accordance with the Standard Contractual Clauses, subject to the interpretations in Appendix 3.
9.5. Hydrolix acknowledges that Customer may disclose this DPA and any relevant privacy or data protection provisions of the Agreement(s) to the US Department of Commerce, European supervisory authorities, or any other US or EU judicial or regulatory body with jurisdiction (each, a “Data Regulatory Authority”) upon their request, provided that for the avoidance this DPA shall remain Confidential Information subject to the restrictions in the Agreement notwithstanding any requirement to share it with a Data Regulatory Authority.
10. Obligations of Customer.
Regardless of the type of Services provided (as described in Section 2), Customer acknowledges that Hydrolix does not provide data backup services, and that it is Customer’s obligation to backup any Customer Data that Customer may process through the Services. As part of Customer receiving the Hydrolix Services under the Agreement, Customer agrees and declares as follows:
a. that the processing of Personal Data by Customer, including instructing processing by Processor in accordance with this Agreement, is and shall continue to be in accordance with all the relevant provisions of the Applicable Data Protection Laws, particularly with respect to the security, protection and disclosure of Personal Data;
b. if Customer is itself a Processor acting on behalf of a third-party Controller, Customer warrants to Hydrolix that Customer's instructions and actions with respect to that Personal Data, including its appointment of Hydrolix as another Processor, have been authorized by the relevant Controller;
c. it has provided all notices and obtained all consents necessary for Hydrolix to process the Customer Data and Personal Data and has the taken all steps necessary to ensure the accuracy, completeness and legality of the Customer Data and Personal Data;
d. that if processing by Processor involves any Sensitive Data, Customer has collected such Sensitive Data in accordance with Applicable Data Protection Laws, including obtaining consents from Data Subjects;
e. that Customer will inform its Data Subjects as legally required:
(i) about its use of data processors to Process their Personal Data, including Hydrolix; and
(ii) that their Personal Data may be processed outside of their jurisdiction of residence in a jurisdiction which may have less protection for their Personal Data than their jurisdiction of residence;
f. that it shall respond in reasonable time and to the extent reasonably practicable to enquiries by Data Subjects regarding the processing of their Personal Data by Customer, and to give appropriate instructions to Processor in a timely manner; and
g. that it shall respond in a reasonable time to enquiries from a Data Regulatory Authority regarding the processing of relevant Personal Data by Customer.
11. Deletion & Return.
Upon Customer’s request upon termination or expiry of the Agreement, Hydrolix shall destroy all Customer Data in its possession or control. This requirement shall not apply to the extent that Hydrolix is required by any applicable law to retain some or all of the Personal Data, in which event Hydrolix shall isolate and protect the Personal Data from any further processing except to the extent required by such law.
12. Additional Terms Applicable to CCPA.
12.1. Additional Definitions.
a. “Contracted Business Purposes” means the Services described in the Agreement.
12.2. Terms defined in the CCPA, including “personal information”, “collected”
and “business purposes” carry the same meaning in this DPA. Hydrolix is a “service provider” under the CCPA.
12.3. Hydrolix’s CCPA Obligations.
a. Hydrolix will only collect, use, retain, or disclose personal information for the Contracted Business Purposes as set forth in the Agreement.
b. Hydrolix will not retain, use or disclose personal information outside of the direct business relationship between Customer and Hydrolix, except as authorized in the Agreement or under the CCPA.
c. Hydrolix will not collect, use, retain, disclose, sell, or otherwise make personal information available or process personal information (or allow any third party to process or access personal information) for Hydrolix’s own commercial purposes or in a way that does not comply with the CCPA.
d. Hydrolix will limit personal information collection, use, retention, processing and disclosure (including through its service providers, suppliers, contractors or subcontractors) to activities reasonably necessary and proportionate to achieve the Contracted Business Purposes.
Hydrolix shall not engage in any activity that may be considered a sale or sharing of personal information pursuant to the CCPA.
12.4. Assistance with Customer’s CCPA Obligations.
a. Hydrolix will reasonably cooperate and assist Customer with meeting its CCPA compliance obligations and responding to CCPA-related inquiries, including responding to verifiable consumer requests.
b. Both parties will comply with all applicable requirements of the CCPA when collecting, using, retaining, sharing or disclosing personal information.
c. Customer shall have the right to take reasonable and appropriate steps to ensure that Hydrolix uses the personal information that it collected pursuant to the Agreement in a manner consistent with Customer’s obligations under the CCPA.
d. Hydrolix shall notify Customer promptly after it makes a determination that it can no longer meet its obligations under the CCPA.
Customer shall have the right, upon notice, to take reasonable and appropriate steps to stop and remediate Hydrolix’s unauthorized use of personal information collected pursuant to the Agreement.
12.5. Subcontracting.
a. Hydrolix may use subcontractors to provide the Contracted Business Services as set forth in the Agreement and subject to the terms of this DPA. Any such subcontractor used must qualify as a “service provider” under the CCPA and Hydrolix will not make any disclosures to the subcontractor that the CCPA would treat as a sale.
b. Hydrolix remains fully liable to the Customer for the subcontractor’s actions or inactions.
13. General.
13.1. The parties agree that DPA shall replace any existing DPA (including the Stndardc Contractual Clauses (as applicable)) the parties may have previously entered into in connection with the Services.
13.2. This DPA shall be effective on the date of the last signature set forth below. The obligations placed upon the Hydrolix under this DPA shall survive so long as Hydrolix and/or its Subprocessors processes Customer Data on behalf of Customer.
13.3. This DPA may not be modified except by a subsequent written instrument signed by both Parties.
13.4. If any part of this DPA is held unenforceable, the validity of all remaining parts will not be affected.
13.5. In the event of any conflict between this DPA and any data privacy provisions set out in any Agreements the Parties agree that the terms of this DPA shall prevail. Notwithstanding the foregoing, if there is any conflict between this DPA and a BAA applicable to any patient, medical or other protected health information regulated by HIPAA or any similar U.S. federal or state laws, rules or regulations (“HIPAA Data”), then the BAA shall prevail to extent the conflict relates to such HIPAA Data.
13.6. Notwithstanding anything to the contrary in the Agreement or this DPA, each party’s and all of its affiliates’ liability, taken together in the aggregate, arising out of or related to this DPA, any Order or the Agreement, whether in contract, tort or under any other theory of liability, shall remain subject to the ‘Limitation of Liability’ section of the Agreement, and any reference in such section to the liability of a party means the aggregate liability of that party and all of its affiliates under the Agreement and this DPA, including all Annexes hereto. Without limiting either of the parties’ obligations under the Agreement, Customer agrees that any regulatory penalties incurred by Hydrolix in relation to the Customer Personal Data that arise as a result of, or in connection with, Customer’s failure to comply with its obligations under this DPA or any Applicable Data Protection Laws shall count toward and reduce Hydrolix’s liability under the Agreement as if it were liability to the Customer under the Agreement.
13.7. This DPA will be governed by and construed in accordance with governing law and jurisdiction provisions in the Agreement, unless required otherwise by Applicable Data Protection Laws.
13.8. This DPA and the Standard Contractual Clauses will terminate simultaneously and automatically with the termination or expiry of the Agreement.
[Signature Page Follows]
In Witness Whereof, the parties’ authorized representatives executed this DPA, as of the Effective Date. By signing below, each party acknowledges that it has read and understood the terms of this DPA and agrees to be bound by them
Annex A
Details of the Processing
A. List of Parties
Description of Data Exporter
The data exporter is the entity identified as the "Customer" in the DPA and Agreement in place between data exporter and data importer and to which this Annex is appended.
The Activities relevant to the Personal Data transferred under the Agreement are the Services provided by Hydrolix.
As between the Parties, Customer shall be the Controller of certain Personal Data provided to Hydrolix related to its use of the Services.
The Customer’s contact information and details are set forth in the Agreement or Order Form.
Description of Data Importer
Hydrolix, Inc., [insert address]
Contact person’s name, position and contact details: [insert]
The activities relevant to the Personal Data transferred under the Agreement are the Services provided by Hydrolix. Hydrolix, as the data importer, provides a cloud-based unified data analytics platform and related services.
B. DESCRIPTION OF TRANSFER
MODULE TWO: Transfer controller to processor
The Personal Data transferred concern the following categories of data subjects (please specify):
IF CUSTOMER HAS NOT FILLED OUT THE ABOVE SECTION: Customer shall be deemed to have declared that that categories of data subjects include: Prospects, customers, business partners and vendors of Customer (who are natural persons); (ii) Employees or contact persons of Customer’s prospects, customers, business partners and vendors; (iii) Employees, agents, advisors, freelancers of Customer (who are natural persons); and/or (iv) Customer’s Authorized Users by Customer to use the Services.
Categories of Personal Data Processed and Transferred
Customer may submit Personal Data to the Services, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to, the following types of Personal Data:
IF CUSTOMER HAS NOT FILLED OUT THE ABOVE SECTION: Customer shall be deemed to have declared that the types of Personal Data may include but are not limited to the following types of Personal Data: (i) Name, address, title, contact details; and/or (ii) IP addresses, usage data, cookies data, location data.
Special categories of data (if appropriate)
The Personal Data transferred concern the following special categories of data (please specify):
n/a. You may not use the Services to process any special categories of data unless the Order Form you have executed with Hydrolix explicitly allows such processing.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
The Personal Data will be transferred on a continuous basis as needed to provide the Services.
Nature of Processing
The Personal Data transferred will be subject to the following basic processing activities (please specify):
General big data analytics processing. Any use of the Services shall be deemed an instruction to Hydrolix to process such data.
Purpose(s) of the data transfer and further processing
To provide the Services to Customer as set forth in the Agreement.
The period for which the Personal Data will be retained, or, if that is not possible, the criteria used to determine that period
The Personal Data will be retained for the duration of the Agreement and the provision of the Services, and thereafter only to the extent required by applicable law or legal process.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing
The subject matter, nature and duration of the processing is for the specific services provided that Subprocessor to Hydrolix in connection with Hydrolix’s provision of the Services to the Customer.
C. COMPETENT SUPERVISORY AUTHORITY
See Annex X, Section 9.
Annex B
Security Measures
This Annex describes the technical and organizational security measures and procedures Hydrolix shall maintain to protect the security of Customer Data created, collected, received, or otherwise obtained during the performance of the Hydrolix Services (as defined in the Agreements).
Customer acknowledges that the Services operate pursuant to a shared responsibility model, which requires, among other things, that Customer take certain steps such as encryption and backup with respect to its own data (which remains stored within Customer’s environment under Customer’s control). Additionally, Customer acknowledges its obligation under applicable law not to provide more Personal Data to Hydrolix than is reasonably necessary to enable Hydrolix to perform the Hydrolix Services.
Hydrolix will (i) when any Customer Data is under its control, comply with the measures identified below with respect to such Customer Data; and (ii) keep documentation of such measures to facilitate audits and for the conservation of evidence.
Access Control to Processing Areas
Hydrolix implements suitable measures designed to prevent unauthorized persons from gaining access to the data processing equipment where Customer Data is processed or used. This is accomplished by Hydrolix or its cloud services provider (e.g., Amazon Web Services or Microsoft Azure Web Services):
i. establishing security areas, with 24 hour security service provided by the property owner;
ii. protecting and restricting access paths;
iii. securing data processing equipment;
iv. establishing and documenting access authorizations for staff and third parties;
v. maintaining appropriate processes applicable to the use of card-keys;
vi. logging and monitoring access to data centers where Customer Data is hosted; and
vii. securing data centers where Customer Data is hosted with a security alarm system, and other appropriate physical security measures.
Access Control to Data Processing Systems
Hydrolix implements suitable measures designed to prevent the systems used for data processing from being used by unauthorized persons, and that Customer Data cannot be read or removed without authorization. This is accomplished by:
i. identification of the client machine and/or the user of the Hydrolix systems;
ii. automatic disabling of user IDs when several erroneous passwords are entered and maintenance of a log file of events (i.e., monitoring of break-in-attempts);
iii. issuing and safeguarding credentials;
iv. dedication of individual client machines and/or users to specific functions where appropriate;
v. implementation and maintenance of staff policies in respect of each staff member’s access rights to Customer Data (if any), where such policies inform staff about their obligations and the consequences of any violations of such obligations, to ensure that staff will only access Customer Data and resources to the extent necessary to perform their job duties;
vi. implementation and maintenance of staff policies in respect of each staff member's access rights to Customer Data
vii. training staff on applicable policies, privacy duties and liabilities;
viii. logging all access to Customer Data;
ix. use of industry standard encryption technologies.
x. conducting audits, at least yearly, of authorization profiles;
xi. implementation and maintenance of data retention policies; and
xii. use of industry standard encryption technologies.
Transmission Control
Hydrolix implements suitable measures designed to prevent Customer Data from being read, copied, altered or deleted by unauthorized parties during the transmission thereof or during the transport of the data media. This is accomplished by:
i. use of industry standard firewall and encryption technologies to protect data while it travels; and
ii. logging of data transmissions.
Input Control
Hydrolix implements suitable measures designed to ensure that it is possible to check and establish whether and by whom Customer Data has been input into or removed from systems. This is accomplished by:
i. maintenance of an authorization policy for the input of data, and for the reading, alteration and deletion of stored data;
ii. authentication of authorized personnel;
iii. requiring individual authentication credentials such as user IDs that, once assigned, are not re- assigned to another person;
iv. use of protective measures for any data input into Hydrolix systems, including the reading, alteration and deletion of stored data;
v. utilization of user credentials (passwords) of at least twelve characters or the system maximum permitted number and modification at first use and thereafter at least every 90 days;
vi. providing that entries to its cloud provider data processing facilities (the rooms housing the computer hardware and related equipment) are capable of being locked;
vii. automatic log-off of user IDs (requiring re-entry of the user’s password to use the relevant workstation) that have not been used for a substantial period of time; and
viii. electronic recording of entries.
Job Control
Hydrolix implements suitable measures designed to ensure that Customer Data may only be processed in accordance with written instructions issued by Customer. This is accomplished by:
i. binding policies and procedures for Hydrolix' employees;
ii. maintaining agreements with external entities responsible for the protection or processing of Customer Data hereunder that require substantial compliance with the measures described hereunder;
iii. individual appointment of system administrators; and
iv. keeping an updated list with system administrators' identification details (e.g. name, surname, function or organizational area) and tasks assigned.
Availability Control
Hydrolix implements suitable measures designed to ensure that Customer Data is protected from accidental destruction or loss. This is accomplished by:
i. enabling Customer to backup Customer’s data by utilizing infrastructure redundancy options (e.g., multi-region replication within Amazon Web Services) to ensure data access is restorable on demand; and
ii. requiring that the Customer authorize the restoration of backups (if any), held by Customer.
Appendix 3 to the Standard Contractual Clauses
This Appendix 3 sets out the parties' interpretations of their respective obligations under specific provisions within the Standard Contractual Clauses, as identified below. Where a party complies with the interpretations set out in this Appendix 3, that party shall be deemed by the other party to have complied with its commitments under the Clauses. When used below, the terms "data exporter" and "data importer" shall have the meaning given to them in the Clauses.
Nothing in the interpretations below is intended to vary or modify the Standard Contractual Clauses or conflict with either party's rights or responsibilities under the Standard Contractual Clauses and, in the event of any conflict between the interpretations below and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail to the extent of such conflict.
- Reference to the Standard Contractual Clauses. The relevant provisions contained in the Standard Contractual Clauses are incorporated by reference and are an integral part of this DPA. The information required for the purposes of the Appendix to the Standard Contractual Clauses are set out in Annex A.
- Docking clause. The option under clause 7 shall not apply.
- Instructions. This DPA and the Agreement are Customer’s complete and final documented instructions at the time of signature of the Agreement to Hydrolix for the Processing of Personal Data. Any additional or alternate instructions must be consistent with the terms of this DPA and the Agreement. For the purposes of clause 8.1(a), the instructions by Customer to Process Personal Data are set out in section 3.1 of this DPA and include onward transfers to a third party located outside the EEA for the purpose of the performance of the Services.
- Certification of Deletion. The parties agree that the certification of deletion of Personal Data that is described in clause 8.5 and 16(d) of the Standard Contractual Clauses shall be provided by Hydrolix to Customer only upon Customer's written request.
- Security of Processing. For the purposes of clause 8.6(a), Customer is solely responsible for making an independent determination as to whether the technical and organisational measures set forth in the Annex A meet Customer’s requirements and agrees that (taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of the Processing of its Personal Data as well as the risks to individuals) the security measures and policies implemented and maintained by Hydrolix provide a level of security appropriate to the risk with respect to its Personal Data. For the purposes of clause 8.6(c), personal data breaches will be handled in accordance with section 7 (Security Incidents) of this DPA.
- Audits. The parties agree that the audits described in clause 8.9 of the Standard Contractual Clauses shall be carried out in accordance with section 8 of this DPA as supplemented below. Should a Data Regulatory Authority finally determine that this mechanism is not legally sufficient under the Clauses:
a. the parties agree that data exporter audits conducted pursuant to Clause 5(f) will be (i) scoped to only matters not reasonably covered by the Report, unless a Data Regulatory Authority determines that the scope of such audit is not legally sufficient to enable data importer to comply with its obligations under Clause 5(f); and (ii) conducted no more than annually unless (a) the data exporter reasonably believes that data importer is failing to fulfil its obligations under these Clauses; or (b) there has been a confirmed Security Breach, in which case data exporter may perform an audit at data exporter’s request provided it makes such request known to data importer in writing within 30 days after being notified of a Security Breach or the occurrence of any facts giving rise to a belief data importer is failing to fulfil its obligations under these Clauses.
b. Data exporter will endeavour to provide data importer with reasonable notice of its intent to conduct an audit and to cooperate reasonably with data importer in scheduling such audit. Data exporter will use reasonable endeavours to minimise any business disruption to data importer when conducting such audit.
c. Any audit will be conducted at data exporter's expense and the data importer may charge reasonable day rates for any support it provides data exporter in connection with such audit (such rates to be agreed with the data importer in advance or, if no such agreement, then at the data importer's normal professional day rates). In the event that such audit reveals a material breach of these Standard Contractual Clauses by the data importer, then the data importer shall bear the costs of such audit.
d. Any auditor, whether internal to data exporter or a third party appointed by the data exporter, must execute a non-disclosure agreement in a form reasonably acceptable to data importer prior to accessing data importer's facilities or otherwise receiving confidential information from data importer in connection with such audit. - General authorisation for use of Subprocessors. Option 2 under clause 9 shall apply. For the purposes of clause 9(a), Hydrolix has Customer’s general authorisation to engage Subprocessors in accordance with section 5 of this DPA. Hydrolix shall make available to Customer the current list of Subprocessors in accordance with section 4 of this DPA.
- Notification of New Subprocessors and Objection Right for new Subprocessors. Pursuant to clause 9(a), Customer acknowledges and expressly agrees that Hydrolix may engage new Subprocessors as described in section 4 of this DPA. Hydrolix shall inform Customer of any changes to Subprocessors following the procedure provided for in section 4.4 of this DPA.
- Complaints - Redress. For the purposes of clause 11, and subject to section 5.1 of this DPA, Hydrolix shall inform data subjects on its website of a contact point authorised to handle complaints. Hydrolix shall inform Customer if it receives a complaint by, or a dispute from, a Data Subject with respect to Personal Data and shall without undue delay communicate the complaint or dispute to Customer. Hydrolix shall not otherwise have any obligation to handle the request (unless otherwise agreed with Customer). The option under clause 11 shall not apply.
- Liability. Hydrolix's liability under clause 12(b) shall be limited to any damage caused by its Processing where Hydrolix has not complied with its obligations under the GDPR specifically directed to Processors, or where it has acted outside of or contrary to lawful instructions of Customer, as specified in Article 82 GDPR.
- Supervision. Clause 13 shall apply as follows:
a. Where Customer is established in an EU Member State, the supervisory authority with responsibility for ensuring compliance by Customer with Regulation (EU) 2016/679 as regards the data transfer shall act as competent supervisory authority.
b. Where Customer is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) and has appointed a representative pursuant to Article 27(1) of Regulation (EU) 2016/679, the supervisory authority of the Member State in which the representative within the meaning of Article 27(1) of Regulation (EU) 2016/679 is established shall act as competent supervisory authority.
c. Where Customer is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) without however having to appoint a representative pursuant to Article 27(2) of Regulation (EU) 2016/679, Commission nationale de l'informatique et des libertés (CNIL) - 3 Place de Fontenoy, 75007 Paris, France shall act as competent supervisory authority.
d. Where Customer is established in the United Kingdom or falls within the territorial scope of application of the UK Data Protection Laws, the Information Commissioner's Office (“ICO”) shall act as competent supervisory authority.
e. Where Customer is established in Switzerland or falls within the territorial scope of application of the Swiss Data Protection Laws, the Swiss Federal Data Protection and Information Commissioner shall act as competent supervisory authority insofar as the relevant data transfer is governed by Swiss Data Protection Laws. - Notification of Government Access Requests. For the purposes of clause 15(1)(a), Hydrolix shall notify Customer (only) and not the Data Subject(s) in case of government access requests. Customer shall be solely responsible for promptly notifying the Data Subject as necessary.
- Governing Law. The governing law for the purposes of clause 17 shall be the law that is designated in the Governing Law section of the Agreement. If the Agreement is not governed by an EU Member State law, the Standard Contractual Clauses will be governed by either (i) the laws of France; or (ii) where the Agreement is governed by the laws of the United Kingdom, the laws of England and Wales.
- Choice of Forum and Jurisdiction. The courts under clause 18 shall be those designated in the Venue section of the Agreement. If the Agreement does not designate an EU Member State court as having exclusive jurisdiction to resolve any dispute or lawsuit arising out of or in connection with this Agreement, the parties agree that the courts of either (i) France; or (ii) where the Agreement designates the United Kingdom as having exclusive jurisdiction, the courts of England and Wales shall have exclusive jurisdiction to resolve any dispute arising from the Standard Contractual Clauses. For Data Subjects habitually resident in Switzerland, the courts of Switzerland are an alternative place of jurisdiction in respect of disputes.
- Appendices. The Appendices shall be completed as follows:
- The contents of section A of Annex A shall form Annex I.A to the Standard Contractual Clauses.
- The contents of Section B for Annex A shall form Annex I.B to the Standard Contractual Clauses.
- The contents of section 11 of this Annex C shall form Annex I.C to the Standard Contractual Clauses.
- The contents of Annex B shall form Annex II to the Standard Contractual Clauses.
- The list of Subprocessors for Annex III to the Standard Contractual Clauses are set forth in the Subprocessor List as provided in the DPA.
- Data Exports from the United Kingdom under the Standard Contractual Clauses. For data transfers governed by UK Data Protection Laws, the Mandatory Clauses of the Approved Addendum shall apply. The information required for Tables 1 to 3 of Part One of the Approved Addendum is set out in Annex A of this DPA (as applicable). For the purposes of Table 4 of Part One of the Approved Addendum, neither party may end the Approved Addendum when it changes.
- Data Exports from Switzerland under the Standard Contractual Clauses. For data transfers governed by Swiss Data Protection Laws, the Standard Contractual Clauses also apply to the transfer of information relating to an identified or identifiable legal entity where such information is protected similarly as Personal Data under Swiss Data Protection Laws until such laws are amended to no longer apply to a legal entity. In such circumstances, general and specific references in the Standard Contractual Clauses to GDPR or EU or Member State Law shall have the same meaning as the equivalent reference in Swiss Data Protection Laws.
DATA EXPORTER [insert Customer name]
Name: ___
Authorized Signature: ___
DATA IMPORTER (Hydrolix, Inc.)
Name: __
Authorized Signature: ___
Updated 6 months ago