Current Data Protection Addendum for Customers
Teleport Data Protection Addendum for Customers
This Data Protection Addendum (“DPA”) is incorporated into and forms part of (and if applicable, amends the current version of) the Agreement between Gravitational, Inc. (“Teleport”), and the company using the Software and/or SaaS Services (as applicable in each instance, the “Services”) as set forth in the Agreement (“Customer”), each a “Party” and collectively the “Parties”. Customer enters into this DPA on behalf of itself and, to the extent applicable, its Affiliates. This DPA applies to and takes precedence over the Agreement between the Parties, to the extent of any conflict. Capitalized terms not defined herein are defined as in the Agreement and applicable Data Protection Laws. Customer and Teleport agree as follows:
Definitions. For purposes of this DPA:
a. “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with a party to this DPA, where “control” refers to direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.
b. “Agreement” means the contractual documents between Teleport and Customer together with any associated sales order (“Sales Order”), statement of work or any similar document.
c. “Data Protection Laws” means all applicable laws, regulations, and other legal or self-regulatory requirements in any jurisdiction relating to privacy, data protection, data security, breach notification, or the Processing of personal data, including without limitation, to the extent applicable, the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq., including its regulations and the amendments made by the California Privacy Rights Act of 2020 (“CCPA”), privacy laws passed by other U.S. states (together with the CCPA, “U.S. Privacy Laws”), the General Data Protection Regulation, Regulation (EU) 2016/679 (“GDPR”), the United Kingdom Data Protection Act of 2018 (“UK Privacy Act”), and the Swiss Federal Act on Data Protection (“FADP”). For the avoidance of doubt, if Teleport’s Processing activities involving Personal Data are not within the scope of a given Data Protection Law, such law is not applicable for purposes of this DPA.
d. “Data Subject” means an identified or identifiable natural person to whom Personal Data relates, and includes “consumer” as defined in Data Protection Laws.
e. “EU SCCs” means the Standard Contractual Clauses issued pursuant to Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, located at http://data.europa.eu/eli/dec_impl/2021/914/oj and completed as set forth herein.
f. “Personal Data” includes “personal data,” “personal information,” “personally identifiable information,” and similar terms, and such terms shall have the same meaning as defined by applicable Data Protection Laws, that Customer submits to the Software and/or SaaS Services (as applicable).
g. “Process” and its cognates “Processing,” “Processed,” etc. mean any operation or set of operations performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, creating, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
h. “Security Breach” means any accidental or unlawful acquisition, destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data. For the avoidance of doubt, Security Breaches do not include unsuccessful attempts or activities that do not compromise the security of Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, or other network attacks on firewalls or networked systems.
i. “Subprocessor” means any third party that Teleport engages to Process Personal Data.
j. “UK Addendum” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner’s Office, located at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-DPA.pdf and completed as set forth herein.
k. The terms “Business,” “Controller,” “Processor,” and “Service Provider” are defined as in Data Protection Laws. “Controller” is deemed to also refer to “Business,” and “Processor” is deemed to also refer to “Service Provider.”
Roles of the Parties; Scope and Purposes of Processing.
a. This DPA applies to all Personal Data Processed byTeleport.
b. The Parties agree that to the extent that Customer is the Controller of Personal Data, Teleport is its Processor. To the extent that Customer is a Processor of Personal Data, Teleport is its Subprocessor.
c. Teleport will Process Personal Data solely: (1) to fulfill its obligations to Customer under the Agreement, including this DPA; (2) on Customer’s behalf; (3) in compliance with Data Protection Laws; and (4) for the purpose(s) set forth in Section B of Exhibit A of this DPA. Teleport will:
i. not retain, use, or disclose Personal Data outside of the direct business relationship between Customer and Teleport, or for any purpose (including any commercial purpose) other than the business purposes specified in this DPA;
ii. not “sell” or “share” any Personal Data, as such terms are defined in applicable U.S. Privacy Laws, to any third party;
iii. not attempt to (1) re-identify any pseudonymized, anonymized, aggregate, or de-identified Personal Data, or (2) link, identify, or otherwise create a relationship between Personal Data and any other data, without Customer’s express written permission;
iv. comply with any applicable restrictions under Data Protection Laws on combining Personal Data with personal data that Teleport receives from, or on behalf of, another person or persons, or that Teleport collects from any interaction between it and any individual;
v. comply with all applicable provisions of the CCPA, including by providing the level of protection required by the CCPA to Personal Data subject to the CCPA; and
vi. not otherwise engage in any Processing of Personal Data that is prohibited or not permitted by Processors or Service Providers under Data Protection Laws.
i. Is solely responsible for complying with its obligations as a Controller under Data Protection Laws;
ii. Represents and warrants that it has taken all legally required steps (including providing any notices and obtaining any consents) to ensure that its provision of Personal Data to Teleport for the Processing contemplated under the Agreement and this DPA is compliant with Data Protection Laws;
iii. Will not instruct Teleport to Process Personal Data in violation of applicable law, including Data Protection Laws. Teleport will promptly inform Customer if, in Teleport’s opinion, an instruction from Customer infringes applicable law, including Data Protection Laws; and
iv. Retains the right to take reasonable and appropriate steps to (1) ensure that Teleport uses Personal Data in a manner consistent with Customer’s obligations under the CCPA, and (2) upon reasonable notice, to stop and remediate unauthorized use of Personal Data.
Personal Data Processing Requirements. Teleport will:
a. Provide the same level of protection for the Personal Data as is required under Data Protection Laws applicable to Customer, to the extent and as required by Data Protection Laws.
b. Ensure that the persons it authorizes to Process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
c. Promptly notify Customer of (i) any third-party or Data Subject complaints regarding the Processing of Personal Data; or (ii) any government or Data Subject requests for access to or information about Teleport’s Processing of Personal Data on Customer’s behalf (collectively, “Personal Data Request”), unless prohibited by applicable law from making such notification. If Teleport receives a Personal Data Request, except to the extent that applicable law requires Teleport to take any action with regard to the Personal Data Request, Teleport will await written instructions from Customer on how, if at all, to assist in responding.
d. On Customer’s reasonable request and at Customer’s cost, provide reasonable assistance to Customer for:
i. The fulfilment of Customer’s obligations to respond to verifiable requests by Data Subjects (or their lawful representatives) to exercise their rights under Data Protection Laws (such as rights to access or delete Personal Data), to the extent that Customer is unable to fulfill these obligations on its own.
ii. Customer’s (i) performance of a data protection impact assessment of Processing or proposed Processing of Personal Data, when required by Data Protection Laws; and/or (ii) consultation with regulatory authorities in relation to the Processing or proposed Processing of Personal Data, including complying with any applicable obligation upon Teleport to consult with a regulatory authority in relation to Teleport’s Processing or proposed Processing of Personal Data.
e. Promptly notify Customer if Teleport determines that it can no longer meet its obligations under this DPA or Data Protection Laws.
Data Security. Teleport will implement appropriate administrative, technical, physical, and organizational measures to protect Personal Data, as set forth in Exhibit B.
Security Breach. Teleport will notify Customer of any Security Breach without undue delay. Teleport will comply with the Security Breach-related obligations directly applicable to it under Data Protection Laws and will assist Customer in Customer’s compliance with its Security Breach-related obligations, including without limitation by:
a. Taking steps to mitigate the effects of the Security Breach and reduce the risk to Data Subjects whose Personal Data was involved; and
b. Providing Customer with the following information, to the extent known:
i. The nature of the Security Breach, including, where possible, how the Security Breach occurred, the categories and approximate number of Data Subjects concerned, and the categories and approximate number of Personal Data records concerned;
ii. The likely consequences of the Security Breach; and
iii. Measures taken or proposed to be taken by Teleport to address the Security Breach, including, where appropriate, measures to mitigate its possible adverse effects.
a. Customer acknowledges and agrees that Teleport may use Subprocessors to Process Personal Data in accordance with the provisions within this DPA and Data Protection Laws. Where Teleport sub-contracts any of its rights or obligations concerning Personal Data to a Subprocessor, Teleport will: (i) take steps to select and retain Subprocessors that are capable of maintaining appropriate privacy and security measures to protect Personal Data consistent with applicable Data Protection Laws; and (ii) enter into a written agreement with each Subprocessor requiring it to comply with obligations at least as restrictive as those imposed on Teleport under this DPA.
b. Teleport will maintain an up-to-date list of its Subprocessors. The initial list is available at https://goteleport.com/legal/subprocessors/, and Customer consents to Teleport’s use of the Subprocessors on this list. Teleport will provide Customer with ten (10) days’ notice of any new Subprocessor added to the list prior to providing the new Subprocessor with Personal Data or access thereto, except in exigent circumstances such as if the Services will be severely disrupted if Teleport does not engage a new Subprocessor in fewer than 10 days. If Customer reasonably objects to a new Subprocessor within that 10-day period, Teleport will not provide the Subprocessor with Personal Data or access thereto, and the Parties will cooperate to resolve the objection. If the Parties cannot resolve the objection within 10 days, the Customer’s sole and exclusive remedy is to terminate the Services or that portion of the Services involving the objected-to Subprocessor on written notice to Teleport.
c. Teleport will provide copies of the Subprocessor agreements that must be sent to Customer pursuant to the EU SCCs upon Customer’s reasonable request. Teleport may remove or redact all commercial information or clauses unrelated to the EU SCCs or their equivalent before providing such agreements to Customer.
a. Teleport may not engage in any cross-border Processing of Personal Data, or transmit (directly or indirectly) any Personal Data to any country not deemed “adequate” by the relevant authorities, or any country outside of the country from which such Personal Data was provided to Teleport, unless it complies with Data Protection Laws. To the extent required by Data Protection Laws, Teleport shall ensure that a lawful data transfer mechanism is in place prior to engaging in any onward transfers of Personal Data.
b. To the extent legally required, by entering into this DPA, Customer and Teleport are deemed to have signed the EU SCCs, which form part of this DPA and (except as described in Sections 7(c) and (d) below) are deemed completed as follows:
i. Module 2 of the EU SCCs applies to transfers of Personal Data from Customer (as a Controller) to Teleport (as a Processor), and Module 3 of the EU SCCs applies to transfers of Personal Data from Customer (as a Processor) to Teleport (as a Subprocessor);
ii. Clause 7 (the optional docking clause) is not included;
iii. Clause 9 (Use of sub-processors): The Parties select Option 2 (General written authorization). Section 6(b) of this DPA sets forth the initial list of Subprocessors and process for updating that list;
iv. Clause 11 (Redress): The optional language requiring that data subjects be permitted to lodge a complaint with an independent dispute resolution body is not included;
v. Clause 17 (Governing law): The Parties choose Option 1 (the law of an EU Member State that allows for third-Party beneficiary rights) and select the law of Ireland;
vi. Clause 18 (Choice of forum and jurisdiction): The Parties select the courts of Ireland;
vii. Annexes I (List of Parties) and II (Technical and organizational measures) are completed as set forth in Exhibits A and B of this DPA, respectively; and
viii. Annex III (List of subprocessors) is not applicable because the Parties have chosen General Authorization under Clause 9.
c. To the extent legally required, by entering into this DPA, the Parties are deemed to be signing the UK Addendum, which forms part of this DPA and takes precedence over the rest of this DPA as set forth in the UK Addendum. The Tables within the UK Addendum are deemed completed as follows:
i. Table 1: The Parties’ details shall be the Parties and their Affiliates to the extent any of them is involved in such transfer, and the Key Contact shall be the contacts set forth in the applicable Sales Order.
ii. Table 2: The Approved EU SCCs referenced in Table 2 shall be the EU SCCs as executed by the Parties and completed in Section 7(b) of this DPA.
iii. Table 3: Annexes I and II are set forth in Exhibits A and B below, respectively. Annex III is inapplicable.
iv. Table 4: Either Party may end this DPA as set out in Section 19 of the UK Addendum.
d. For transfers of Personal Data that are subject to the FADP, the EU SCCs form part of this DPA as set forth in Section 7(b) of this DPA, but with the following differences to the extent required by the FADP:
i. References to the GDPR in the EU SCCs are to be understood as references to the FADP insofar as data transfers are subject exclusively to the FADP and not to the GDPR, and references to personal data in the EU SCCs also refer to data about identifiable legal entities until the entry into force of FADP revisions that eliminate this broader scope.
ii. The term “member state” in EU SCCs shall not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland) in accordance with Clause 18(c) of the EU SCCs.
iii. The relevant supervisory authority is the Swiss Federal Data Protection and Information Commissioner (for transfers subject to the FADP and not the GDPR), or both such Commissioner and the supervisory authority identified in the EU SCCs (where the FADP and GDPR apply, respectively).
Additional Safeguards. To the extent that Teleport Processes Personal Data of Data Subjects located in or subject to the applicable Data Protection Laws in the EEA, UK, or Switzerland, Teleport agrees to notify Customer of any government request for Personal Data that Teleport receives and provide the Customer with details such as the type and scope of such request to the extent legally permitted. In addition, Teleport will notify Customer if Teleport can no longer comply with the EU SCCs or UK Addendum (as applicable) or these Additional Safeguards, without being required to identify the specific provision with which it can no longer comply.
a. Teleport uses external auditors to verify the adequacy of its security measures with respect to its Processing of Personal Data and is SOC 2 Type II, ISO 27001, and HIPAA Security Rule compliant. Such audits are performed at least once annually by independent third-party security professionals and result in the generation of a confidential audit report (“Audit Report”).
b. Upon Customer’s reasonable written request, subject to reasonable confidentiality controls, and no more than once every twelve (12) calendar months, Teleport will make available to Customer a copy of Teleport’s most recent Audit Report. To the extent that the Audit Report does not provide reasonably sufficient information to demonstrate Teleport’s compliance with this DPA and Data Protection Laws and on prompt notice from Customer, Teleport will provide such additional information as Customer reasonably requests to demonstrate Teleport’s compliance with this DPA and Data Protection Laws, provided that Customer will be subject to appropriate confidentiality requirements and Teleport may redact information not related to its Processing of Personal Data under the Agreement. Customer agrees that the procedures set forth in this Section 9(b) satisfy its audit rights, if any, under Data Protection Laws.
Return or Destruction of Personal Data. Except to the extent required otherwise by applicable, Teleport will delete all Personal Data within sixty (60) days of Customer’s written request or termination of the Agreement. Notwithstanding the foregoing, Customer understands that Teleport may retain Personal Data as necessary for backup purposes, and Teleport will delete such Personal Data in accordance with its retention policies for archival media. To the extent not prohibited by applicable law, Teleport will inform Customer if it is unable to delete Personal Data for some other reason. Teleport will abide by this DPA with respect to any Personal Data for as long as such Personal Data is retained.
Indemnification and Limitation of Liability. To the extent permitted by Data Protection Laws, the indemnification provisions and limitations of liability in the Agreement apply to this DPA.
Survival. The provisions of this DPA survive the termination or expiration of the Agreement for so long as Teleport or its Subprocessors Process Personal Data.
ANNEX I TO THE EU SCCS
A. LIST OF PARTIES
Name: Customer, as identified in the applicable Sales Order.
Address: As provided in the applicable Sales Order.
Contact person’s name, position, and contact details: As provided in the applicable Sales Order.
Activities relevant to the data transferred under these Clauses: The data exporter receives the data importer’s Services pursuant to their underlying Agreement.
Signature and date: The Parties agree that execution of the Sales Order shall constitute execution of these EU SCCs by both parties.
Address: 440 North Barranca Avenue, No. 8219 Covina, CA 91723.
Contact person’s name, position, and contact details: [email protected].
Activities relevant to the data transferred under these Clauses: The data importer provides Services to the data exporter pursuant to their underlying Agreement.
Signature and date: The Parties agree that execution of the Sales Order shall constitute execution of these EU SCCs by both parties.
B. DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred: The Personal Data transferred concerns Customer’s personnel and end users.
Categories of personal data transferred: The Personal Data transferred concern the following categories of data: Full name, email address.
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures: None.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis): Continuous for the duration of the Agreement.
Nature of the processing: Data importer’s Processing activities shall be limited to those discussed in the Agreement and the DPA.
Purpose(s) of the data transfer and further processing: The purpose of the transfer to and further Processing of Personal Data by Teleport is for Teleport to provide the Software and/or SaaS Services (as applicable) to Customer and as otherwise specified in an applicable Sales Order .
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: Personal Data will be retained for the period of time necessary for Teleport to provide the Services to Customer under the Agreement and/or in accordance with applicable legal requirements.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing: Same as above to the extent that Personal Data is provided to Subprocessors for purposes of providing the Services.
C. COMPETENT SUPERVISORY AUTHORITY
To the extent legally permitted, the competent supervisory authority is the Irish Data Protection Commission.
TELEPORT DATA SECURITY MEASURES
Teleport will implement and maintain the administrative, technical, physical, and organizational security measures for the Processing of Personal Data that are stated at https://goteleport.com/security/.