Data Processing Addendum
-
SCOPE AND APPLICATION
This Addendum will apply, if required by Data Protection Legislation (as defined below) and only to the extent that, in providing the Ververica Cloud Services to You, Ververica processes as a processor of personal data contained in or generated in relation to the data that you run on the Ververica Cloud Services, cause to interface with the Ververica Cloud Services, submit to or upload into the Ververica Cloud Services for processing under your Account (the “Data”). This Addendum forms part of the Terms of Service and capitalised terms not defined herein will have the meaning given in the Terms of Service. In the event and to the extent of a conflict between the other terms of the Terms of Service and this Addendum, this Addendum shall prevail.
-
DEFINITIONS
In this Addendum:
- “controller”, “data subject”, “personal data”, “process”, “processor” and “supervisory authority” each has the meaning given in the GDPR.
- “Data Protection Legislation” means, as applicable: (i) GDPR, and in each case, any related national laws, legislation, rules or regulations, related to privacy and data protection (including legislation made under or in relation to (i)). For clarity, a reference to Data Protection Legislation, includes a reference to Data Protection Legislation as amended, modified, extended, re-enacted, consolidated or replaced from time to time.
- “GDPR” means Regulation (EU) 2016/679.
- “Standard Contractual Clauses” means the standard contractual clauses annexed to the European Commission's Implementing Decision 2021/914/EU of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (or any subsequent decisions) or as referred to in Article 46 GDPR. A copy of the Standard Contractual Clauses can be obtained at https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc,or by contacting us at help@ververica.cloud.
-
DESCRIPTION OF PROCESSING
For the purposes of this Addendum, You (the controller or processor) appoint Ververica as Your processor to process the Data, for the duration of the Terms of Service, for the purpose of providing the Ververica Cloud Services to You (the “Permitted Purpose”).
-
DATA PROCESSING
In processing the Data under the Terms of Service, Ververica shall:
- only process the Data on Your documented instructions unless required otherwise by applicable law;
- ensure that all personnel authorised by Ververica to process the Data are subject to suitable confidentiality obligations;
- implement and maintain appropriate technical and organisational measures, designed to protect the Data processed by Ververica against a personal data breach affecting such Data arising from a breach of Ververica’s security (a “Security Incident”). Ververica may change those measures from time to time, but not so as to reduce the level of protection for Data. In the event of a confirmed Security Incident, Ververica shall notify You without undue delay and shall provide reasonable information and cooperation to You so that You can fulfil any data breach reporting obligations You may have under (and in accordance with the timescales required by) applicable Data Protection Legislation. Ververica shall further take any reasonably necessary measures and reasonably necessary actions to remedy or mitigate the effects of the Security Incident, and shall keep You informed of all material developments in connection with the Security Incident;
- be generally authorised to engage third party subcontractors to process the Data for the Permitted Purpose, provided that Ververica
- shall remain fully liable for any of its subcontractors;
- shall maintain an up-to-date list of such subcontractors (if any), which it shall update with details of any change in such subcontractors at least 10 days’ before any such change; and
- shall impose data protection terms on any subcontractor it appoints to process any Data, that require it to protect such Data to at least the standard required by applicable Data Protection Legislation. You may object to Ververica’s appointment or replacement of such a subcontractor before its appointment or replacement, provided such objection is based on reasonable grounds relating to data protection. In such event, Ververica will either not appoint or replace the relevant subcontractor or, if this is not possible, You may terminate the relevant Ververica Cloud Services and this Addendum to the extent it applies to the Ververica Cloud Services, but without prejudice to any fees or costs incurred by You for the Ververica Cloud Services before that termination and without prejudice to the Terms of Service, any other services provided to You, and any fees or costs in relation to those other services;
- assist You to respond to data subjects’ requests to exercise their rights regarding any Data under applicable Data Protection Legislation by providing You with technical measures to enable You, to the extent consistent with the functionality of the Ververica Cloud Services and Ververica’s role as a processor, to access, rectify, erase, restrict or export Data directly (and You agree that, taking into account the nature of the processing, this paragraph reflects the extent to which it is possible for Ververica to provide You with such assistance). If a data subject, supervisory authority or any other party directly approaches Ververica with any request, query or complaint regarding any Data, Ververica shall, promptly notify You accordingly or notify that person that they should approach You instead;
- If Ververica believes or becomes aware that its processing of the Data is likely to result in a high risk to the data protection rights and freedoms of data subjects, promptly inform You and provide reasonable cooperation to You (at Your expense) in connection with any data protection impact assessment that You may be required under applicable Data Protection Legislation to undertake for Your use of Ververica Cloud Services;
- at Your choice, delete or return all Data in Ververica’s possession or control following the termination of the Terms of Service. This requirement shall not apply to the extent that Ververica is required or permitted by applicable law to retain some or all of the Data, or Data archived on back-up systems, in which event Ververica shall securely isolate and protect such Data from any further processing except to the extent required by such law until deletion is possible; and
- use independent qualified third-party security professionals and auditors, at Ververica’s selection and expense, to (at appropriate regular or irregular intervals) verify the adequacy of its security measures, including the security of the data centers from which Ververica provides the Ververica Cloud Services, and generating audit reports and certifications thereof (“Report and Certification”). Upon Your written request, and subject to Your execution of a non-disclosure agreement covering the Report and Certification (and verification that you are not a competitor of Ververica), Ververica will make available to you a summary copy of the Report and Certification demonstrating Ververica’s compliance with the obligations set forth in this Addendum. If the Standard Contractual Clauses apply to You, then You agree to exercise Your audit right by instructing Ververica to execute the audit as described in this section. If You desire to change this instruction, then You have the right to do so as set forth in the Standard Contractual Clauses which change shall be requested in writing (for clarity, nothing in the foregoing shall require Ververica to make available any data, material or information of any of Ververica’s other customers).
-
YOUR RESPONSIBILITIES
You agree:
- To comply with your obligations under all applicable Data Protection Legislation in relation to Your use of Ververica Cloud Services for processing any personal data comprised within the Data.
- That this Addendum, the Terms of Service, Your other applicable agreements with Ververica and Your configuration and use of the Ververica Cloud Services will together comprise Your complete and final documented instructions to Ververica on the processing of Data.
- That You shall not give Ververica as Your processor any instructions, nor shall You use the Ververica Cloud Services in any way, that in any such case could infringe any Applicable Data Protection Legislation or could cause Ververica or any of its affiliates to infringe any Applicable Data Protection Legislation.
-
INTERNATIONAL TRANSFERS
If the processing of Data involves transfers out of the EEA, Ververica will take such measures as are necessary to ensure the transfer is in compliance with applicable Data Protection Legislation. Such measures may include (without limitation) transferring the Data to a recipient in a country that the European Commission has decided provides adequate protection for personal data, to a recipient that has achieved binding corporate rules authorisation in accordance with applicable Data Protection Legislation, or to a recipient that has executed Standard Contractual Clauses together with any supplementary measures that may be necessary.
-
MISCELLANEOUS
- For clarity, the total aggregate liability of Ververica and all its affiliates, employees, agents, affiliates, representatives or anyone acting on its behalf together, arising from or in connection with the Terms of Service and/or this Addendum or any matter arising therefrom shall not exceed the maximum liability of Ververica as limited by the paragraphs under Clause 13 of the Terms of Service.
- Ververica may modify the terms of this Addendum, for example to comply with applicable law or to implement any standard contractual clauses adopted by the European Commission or a supervisory authority under Article 28 of the GDPR, but it will not do so in a way that would reduce the protections required to be afforded to You under Article 28 of the GDPR. If it does so, it an amended and restated version on the Ververica Cloud Website, providing at least 15 days prior written notice of any material amendments to the Addendum to You (which may be posted on the Ververica Cloud Website or displayed in your Account). By continuing to use the Ververica Cloud Services after the receipt of written notification of such changes by Ververica, you agree to be bound by the amended and restated Addendum.