Data Processing Addendum

The Data Processing Addendum forms part of the Cloud Terms of Service Agreement between CTERA, CTERA affiliates and customers.
1.This Data Processing Addendum (“Addendum”) forms part of the Cloud Terms of Service (“Principal Agreement”) between: (i) Ctera Networks Ltd. (“CTERA”) acting on its own behalf and as agent for each CTERA affiliate; and (ii) the customer which is counterparty to the Principal Agreement (“Customer”).
2.In consideration of the mutual obligations set out herein, the Parties hereby agree that the terms and conditions set out below shall be added as an Addendum to the Principal Agreement in the event that Customer Personal Data (as defined below) is processed by CTERA. Except where the context requires otherwise, references in this Addendum to the Principal Agreement are to the Principal Agreement as amended by, and including, this Addendum. Except as modified below, the terms of the Principal Agreement shall remain in full force and effect. With regard to the subject matter of this Addendum, in the event of inconsistencies between the provisions of this Addendum and the Principal Agreement, the provisions of this Addendum shall prevail.
3.Under the Principal Agreement the nature and purposes of processing Personal Data by CTERA as data processor shall be limited to those set forth in Schedule 1.
4.Definitions
 
4.1In this Addendum, the following terms shall have the meanings set out below and cognate terms shall be construed accordingly:
 
4.1.1 “Applicable Laws” means (a) European Union or Member State laws with respect to any Customer Personal Data which is subject to EU Data Protection Laws; (b) the California Consumer Privacy Act of 2018 (“CCPA”) with respect to any Customer Personal Data which is subject to the CCPA, and (c) any other Data Protection Laws with respect to any Customer Personal Data which is subject to such other Data Protection Laws;
4.1.2 “Customer Personal Data” means any Personal Data Processed by CTERA on behalf of Customer pursuant to or in connection with the Principal Agreement and this Addendum;
4.1.3 “Data Protection Laws” means EU Data Protection Laws, the CCPA and, to the extent applicable, the data protection or privacy laws of any other state in the USA;
4.1.4 “EU Data Protection Laws” means EU Directive 95/46/EC, as transposed into domestic legislation of each Member State and as amended, replaced or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR;
4.1.5 “GDPR” means EU General Data Protection Regulation 2016/679;
4.1.6 “Restricted Transfer” means:

4.1.6.1 a transfer of Customer Personal Data from Customer to CTERA; or
4.1.6.2 an onward transfer of Customer Personal Data from CTERA to a Sub-processor, or between two establishments of CTERA,
in each case, where such transfer would be prohibited by Data Protection Laws (or by the terms of data transfer agreements put in place to address the data transfer restrictions of Data Protection Laws) in the absence of the Standard Contractual Clauses to be established under Section 16.1 below;
4.1.7 “Services” means the services and other activities to be supplied to or carried out by or on behalf of CTERA for Customer pursuant to the Principal Agreement;
4.1.8 “Standard Contractual Clauses” means the contractual clauses issued by the Commission from time to time, and if applicable, as adapted by an addendum issued by a regulator in a country outside the EU;
4.1.9 “Sub-processor” means any person (including any third party and any CTERA affiliate, but excluding an employee of CTERA or any of its sub-contractors) appointed by or on behalf of CTERA to Process Personal Data on behalf of Customer in connection with the Principal Agreement; and
4.1.10 “CTERA” means CTERA and any entity that owns or controls, is owned or controlled by or is under common control or ownership with CTERA, where control is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract or otherwise.
4.1.11 “Party”/“Parties” means Customer and CTERA separately, or jointly, as the case may be;
4.1.12 “Purpose” means as described in Schedule 1; and
4.1.13 “Supervisory Authority” means any court, regulatory agency or authority which, according to Applicable Laws and/or regulations, supervises privacy issues and/or the processing of personal data.
4.2The terms, “commission”, “controller”, “business”, “data subject”, “consumer”, “member state”, “personal data” or “personal information”, “personal data breach”, “processing”, “processor”, “service provider”, “business purpose”, “sale” and “supervisory authority” shall have the same meaning as in the GDPR or in the CCPA, as applicable, and their cognate terms shall be construed accordingly. In addition, each of the terms defined in this section 4.2 shall have the meaning of its equivalent term in the GDPR or in the CCPA, as applicable.
5.Special undertakings of the Parties
 
5.1Roles, ownership of personal data, processing and purpose
 
5.1.1Customer shall be considered as either the controller or processor of the Customer Personal Data in the context of the GDPR, and as either the business or service provider in the context of the CCPA, and CTERA shall be considered a processor of the Customer Personal Data in the context of the GDPR, and as the service provider in the context of the CCPA, on behalf of Customer.
5.1.2CTERA may only process the Customer Personal Data for the Purpose and to the extent it is necessary for the fulfilment of CTERA’s obligations under this Addendum or the Principal Agreement.
5.1.3Customer pays CTERA service fees in consideration for the Services to be provided by CTERA pursuant to the Principal Agreement. CTERA does not receive from Customer and Customer does not pay CTERA any monetary or other valuable consideration for the collection of Customer Personal Data.
5.1.4CTERA is prohibited from: (i) Selling Customer Personal Data; and (ii) retaining, using, or disclosing Customer Personal Data outside of the direct business relationship between CTERA and Customer or for any purpose other than for the purpose of performing the Services. CTERA understands the above restrictions and will comply with them.
5.1.5This Addendum shall apply to the actions of any of CTERA or Customer’s affiliates performing tasks and obligations in the context of this Addendum and any such affiliates shall have all rights and obligations set forth in this Addendum as if they were CTERA or Customer, as applicable.
5.2Special undertakings of Customer
 5.2.1 Customer undertakes to:
 
 
(a)Ensure that there is a legal ground for processing of the Customer Personal Data;
(b)Ensure that any disclosure or transfer of Customer Personal Data to CTERA conforms to the Applicable Laws.
(c)Inform CTERA about any erroneous, rectified, updated or deleted Customer Personal Data subject to CTERA’s processing; and
(d)Fully comply with any request of data subjects and with any data subject rights under Applicable Laws.
(e)Provide CTERA with documented instructions regarding CTERA’s processing of the Customer Personal Data, as may be required from time to time.
(f)With respect to the Customer Personal Data processed by CTERA under this Addendum, or otherwise made available to CTERA, Customer (i) collects, obtains and processes the Customer Personal Data lawfully, without violating any third parties’ rights, contractual obligations or Data Protection Laws; (ii) it has all rights, consents, authorization and title to grant the rights and permissions to access, use and process the Customer Personal Data under the terms of the Principal Agreement and this Addendum; and (iii) its processing and use of the Customer Personal Data will not violate the rights of consumers and other third parties, including without limitation privacy, data protection, goodwill, good name, publicity, confidentiality and intellectual property rights.
(g)Ensure that employees that are handling consumer inquiries about the business’s privacy practices or the business’s compliance with the CCPA, have received appropriate training and instructions regarding the CCPA and especially sections 1798.100, 1798.105, 1798.110, 1798.115 and 1798.125 of the CCPA, and how to direct consumers to exercise their rights under such sections.
5.3Special undertakings of CTERA
 5.3.1 CTERA undertakes to:
 
 
(a)Only process Customer Personal Data in accordance with Applicable Laws that are applicable to CTERA’s processing of the Customer Personal Data and Customer’s documented instructions, as set forth herein, including with regard to transfers of personal data to a third country or an international organisation, unless required to do so by Applicable Laws; in such a case, CTERA shall inform Customer of that legal requirement before processing the personal data, unless such information is prohibited by the Applicable Laws on important grounds of public interest;
(b)Taking into account the nature of CTERA’s processing of the Customer Personal Data and without derogating from Customer’s obligations regarding data security under the Principal Agreement, implement appropriate technical and organisational measures to reasonably ensure a level of security appropriate to the risk as specified in Section 8.1 herein, and reasonably assist Customer by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of Customer’s obligations in Applicable Laws, as a controller or as a business, as applicable, to respond to requests for exercising the rights of data subjects or consumers, as applicable, or with respect to data breaches; and
(c)Make available to Customer all information reasonably necessary to demonstrate compliance with the obligations laid down in this Addendum.
6.Processing of Customer Personal Data
 
6.1Customer:
 6.1.1 instructs CTERA (and authorises CTERA to instruct each Sub-processor) to:
 
 
6.1.1.1process Customer Personal Data; and
6.1.1.2in particular, transfer Customer Personal Data to any country or territory,
as reasonably necessary for the provision of the Services and consistent with the Principal Agreement; and
6.2Schedule 1 to this Addendum sets out certain information regarding CTERA’s processing of Customer Personal Data. Customer shall immediately inform CTERA of any required amendments to Schedule 1 by written notice to CTERA, and the Parties shall negotiate in good-faith the amendment of Schedule 1.
7.Confidentiality
 
7.1CTERA shall take reasonable steps to ensure the reliability of any employee, agent or contractor of CTERA who may have access to the Customer Personal Data, and to ensure that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.
8.Data Security
 
8.1Without derogating from Customer’s obligations regarding data security under the Principal Agreement, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing by CTERA as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, CTERA shall in relation to processing by CTERA of the Customer Personal Data implement appropriate technical and organizational measures to reasonably ensure a level of security appropriate to that risk.
9.Sub-processing
 
9.1 Customer authorises CTERA to appoint (and permit each Sub-processor appointed in accordance with this Section 9 to appoint) Sub-processors in accordance with this Section 9 and any restrictions in the Principal Agreement.
9.2CTERA may continue to use those Sub-processors already engaged by CTERA as at the date of this Addendum, as listed in Schedule 2, subject to CTERA meeting the obligations set out in Section 9.4.
9.3CTERA shall give Customer prior written notice of the appointment of any new Sub-processor. If, within 30 days of receipt of that notice, Customer notifies CTERA in writing of any objections (on reasonable grounds) to the proposed appointment, then Customer may terminate that portion of the Services which require the use of the new Sub-processor to whom Customer objects. If CTERA receives no notice of objection from Customer in the period specified above, Customer will be deemed to accept and consent to the appointment of the new Sub-processor.
9.4With respect to each Sub-processor, CTERA shall:
 
 
9.4.1 ensure that the arrangement between CTERA and the Sub-processor is governed by a written contract including terms which offer at least the same level of protection for Customer Personal Data as those set out in this Addendum; and
9.4.2 if that arrangement involves a Restricted Transfer, ensure that the Standard Contractual Clauses are at all relevant times incorporated into the agreement between CTERA and the Sub-processor.
9.5CTERA shall ensure that each Sub-processor performs the obligations under this Addendum, as they apply to processing of Customer Personal Data carried out by that Sub-processor, as if it were party to this Addendum in place of CTERA.
10.Data subject rights
 
10.1 CTERA shall:
 
 
10.1.1promptly notify Customer if CTERA receives a request from a data subject or consumer, as applicable, under any Data Protection Law in respect of Customer Personal Data; and
10.1.2ensure that CTERA does not respond to that request except on the documented instructions of Customer or as required by Applicable Laws to which CTERA is subject.
11.Personal Data Breach
 
11.1 CTERA shall notify Customer without any delay but no later than within 48 hours, in writing, upon CTERA or any Sub-processor becoming aware of, or having reasons to believe there is, a Personal Data Breach affecting Customer Personal Data, providing Customer with reasonably sufficient information that is available to CTERA to allow Customer to meet its obligations to report or inform Data Subjects or consumers, as applicable, of the Personal Data Breach under the Data Protection Laws.
11.2Immediately following CTERA’s notification to Customer of a Personal Data Breach, the Parties shall coordinate with each other to investigate the breach. CTERA agrees to reasonably cooperate with Customer, at Customer’s expense, in the investigation, mitigation and remediation of a Personal Data Breach.
11.3Insofar as and to the extent that it is necessary and cannot be reasonably attained without CTERA’s assistance, CTERA agrees to assist Customer in advising the Supervisory Authority and data subjects or consumers, as applicable, about Personal Data Breach. It shall not, however, inform any third party of any Personal Data Breach without first obtaining Customer’s prior written consent, other than to inform a complainant (if any) that the matter has been forwarded to Customer, or if otherwise required under any Applicable Law.
11.4Customer shall reimburse CTERA for actual reasonable costs incurred by CTERA in responding to, and mitigating damages caused by any security incident or Personal Data Breach, including all costs of notice and/or remediation.
11.5 CTERA’s obligation to notify and cooperate in the investigation of a Personal Data Breach under this Section 11 is not, and will not, be construed as an acknowledgement by CTERA of any fault or liability of CTERA with respect to such Personal Data Breach.
12.Data Protection Impact Assessment and Prior Consultation
 
12.1 CTERA shall provide reasonable assistance to Customer, at Customer’s expense, with any data protection impact assessments, and prior consultations with Supervisory Authorities or other competent data privacy authorities, in each case solely in relation to processing of Customer Personal Data by, and taking into account the nature of the processing and information available to, CTERA.
13.Cooperation and Coordination
 
13.1Upon reasonable request by Customer, CTERA shall as promptly and as reasonably practicable provide Customer with a written report containing information reasonably requested by Customer relating to: (i) any security event and Personal Data Breach; or (ii) actual or reasonably suspected non-compliance with this Addendum. In addition, CTERA shall provide Customer with any documents reasonably requested by Customer related to the foregoing, including without limitation, any information security assessment and security control audit reports.
14.Deletion or return of Customer Personal Data
 
14.1 Subject to Section 14.2, upon a reasonable time after the date of termination or expiration of any Services involving the processing of Customer Personal Data CTERA shall either return or delete that Customer Personal Data, at Customer’s choice.
14.2With respect to any Customer Personal Data stored by CTERA on behalf of Customer as part of the Services, during thirty (30) days following termination or expiration of those Services, CTERA will not delete that Customer Personal Data in order to enable Customer to transfer the Customer Personal Data to a new private or public storage device or service, at Customer’s sole responsibility, cost and expense, subject to the terms and conditions of the Principal Agreement. After said thirty (30) days period, CTERA may delete the Customer Personal Data without further notice.
14.3Notwithstanding any of the foregoing, CTERA may retain Customer Personal Data to the extent required by Applicable Laws and only to the extent and for such period as required by Applicable Laws and always provided that CTERA shall ensure the confidentiality of all such Customer Personal Data and shall ensure that such Customer Personal Data is only Processed as necessary for the purpose(s) specified in the Applicable Laws requiring its storage and for no other purpose.
15.Audit rights
 
15.1 At the request of Customer and at its expense, but not more than once per year, CTERA shall conduct site audits of the information technology and information security controls for all facilities used in complying with its obligations under this Addendum. Customer shall treat such audit reports as CTERA’s confidential information.
15.2Customer shall have the right to perform audits, not more than once per calendar year and upon prior written notice of at least thirty (30) days to CTERA, of CTERA’s processing of the Customer Personal Data in order to verify CTERA’s, and any Sub-processor’s, compliance with this Addendum. The audit shall be confined to processing documentation prepared by CTERA and logged and documented information regarding its information security measures, and in any event will not entitle Customer to conduct technological investigations on CTERA’s information systems.
15.3Customer shall make (and ensure that each of its mandated auditors makes) reasonable endeavours to avoid causing (or, if it cannot avoid, to minimise) any damage, injury or disruption to CTERA’s premises, equipment, personnel and business while its personnel are on those premises in the course of such an audit or inspection.
15.4If any Supervisory Authority: (i) contacts CTERA with respect to its systems or any processing of Customer Personal Data carried out by CTERA, (ii) conducts, or gives notice of its intent to conduct, an inspection of CTERA with respect to the processing of Customer Personal Data, or (iii) takes, or gives notice of its intent to take, any other regulatory action alleging improper or inadequate practices with respect to any processing of Customer Personal Data carried out by CTERA, then CTERA shall immediately notify the Customer and shall subsequently supply Customer with all information pertinent thereto to the extent permissible by law.
15.5Customer shall bear all costs for audits set out herein.
16.Restricted Transfers
 
16.1 In the event that the processing activities under this Addendum are considered a Restricted Transfer, Customer (as “data exporter”) and CTERA (as “data importer”) hereby enter into the applicable Standard Contractual Clauses in respect of any Restricted Transfer from Customer to CTERA.
16.2 CTERA warrants and represents that, before the commencement of any Restricted Transfer to a Sub-processor, CTERA will downstream the obligations for transferring Personal Data under this Section 16, as required under applicable Data Protection Laws, by entering into appropriate onward transfer agreements with all relevant Sub-processors.
17.General Terms
 Governing law and jurisdiction
 
17.1This Addendum and all non-contractual or other obligations arising out of or in connection with it are governed by the laws of the country or territory stipulated for this purpose in the Principal Agreement. The Parties to this Addendum hereby submit to the choice of jurisdiction stipulated in the Principal Agreement with respect to any disputes or claims howsoever arising under this Addendum, including disputes regarding its existence, validity or termination or the consequences of its nullity; and
 Assignment of rights or obligations
 
17.2Neither Party may assign its rights or obligations under this Addendum without the prior written consent of the other Party, except as provided in the Principal Agreement.
 Notices
 
17.3All notices to a Party under this Addendum shall be in writing and sent to its address as set forth at the beginning of this Addendum, or to such other address as such Party has provided the other in writing for such purpose. Notices may be sent by post, courier, fax or email.
17.4 Notices shall be deemed to have been duly given (i) on the day of delivery when delivered in person or by courier, (ii) three (3) business days after the day when the notice was sent when sent by post, and (iii) on the day when the receiver has manually confirmed that it is received when sent by fax or email.
 Term and termination
 
17.5 This Addendum shall enter into force on the effective date of the Principal Agreement, and unless terminated earlier due to a material breach of the terms of this Addendum, in which case this Addendum shall be terminated with immediate effect if the other Party fails to cure such breach in a satisfactory manner within fifteen (15) days after the other Party’s written demand thereof, shall remain in force until the termination or expiration of the Principal Agreement, whereupon it shall terminate automatically without further notice.
17.6Either Party may terminate this Addendum by giving the other Party thirty (30) days written notice.
 Limitation of Liability
 
17.7The Parties’ liability for any losses or damages related to a breach of this Addendum or any Data Protection Laws shall be subject to the limitations of liability in the Principal Agreement.
 Modifications
 
17.8CTERA reserves the right to modify this Addendum in accordance with the “Modifications” provision in the Principal Agreement, except that any modification required due to a change or development in any Applicable Law shall apply immediately upon being posted at CTERA DPA.

SCHEDULE 1
DESCRIPTION OF THE PROCESSING OF PERSONAL DATA

  1. SUBJECT MATTER

The subject matter of the Processing under this Addendum is Customer Personal Data which may be included in Customer data stored by CTERA on behalf of Customer as part of the Services, and contact information of Customer’s employees or other representatives provided to CTERA. CTERA is not aware of the scope or nature of Customer Personal Data it may store on behalf of Customer (if any).

  2. PURPOSE OF THE PERSONAL DATA PROCESSING

The purpose of the Processing of Customer Personal Data is the provision by CTERA of Cloud Services (as such term is defined in the Principal Agreement) and related technical support and professional services, and for communication between the parties.

  3. NATURE OF PROCESSING

The Personal Data processed will be subject to the following basic processing activities: compute, storage and such other related activities as described in the Principal Agreement. In addition, CTERA may have occasional, limited and supervised access to Customer data, which may include Customer Personal Data, in connection with provision of technical support and professional services to Customer.

  4. TYPES OF PERSONAL DATA

CTERA may collect certain contact information of Customer’s employees or other representatives provided to CTERA by Customer, such as: name, title, phone number and email address, in order to enable the provision of the Services and communication between the parties.

The Services are not intended for CTERA to access Customer Personal Data stored by CTERA on behalf of Customer as part of the Services (if any), and CTERA has no knowledge as to what types of Customer Personal Data, other than the aforementioned contact information, are processed by it on behalf of Customer. The types of Personal Data processed by CTERA shall be determined solely by Customer and may or may not contain special categories of data, in Customer’s sole discretion.

  5. CATEGORIES OF DATA SUBJECTS

CTERA may collect certain contact information of Customer’s employees or other representatives, as may be provided to CTERA by Customer, in order to enable the provision of the Services and communication between the parties.

The Services are not intended for CTERA to access Customer Personal Data stored by CTERA on behalf of Customer as part of the Services (if any), and CTERA has no knowledge as to what categories of data subjects the Customer Personal Data may relate to, other than employees and other representatives as aforementioned. The categories of data subjects shall be determined solely by Customer and may include: Customer’s end users, employees, consultants, contractors, agents, clients, suppliers and any other third parties with whom Customer conducts business.

  6. DURATION OF PROCESSING

As between CTERA and Customer, the duration of the Processing under this Addendum shall be determined by Customer.

  7. SECURITY MEASURES

Without derogating from Customer’s obligations regarding data security under the Principal Agreement, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, CTERA shall implement reasonable and appropriate measures designed to help Customer to secure the Customer data stored by CTERA on behalf of Customer as part of the Services against accidental or unlawful loss, access or disclosure. As CTERA has no knowledge as to what types of Customer Personal Data and of which categories of data subjects are processed by it on behalf of Customer, Customer is solely responsible to determine the measures implemented to secure the Customer data.

 

SCHEDULE 2

LIST OF SUB-PROCESSORS

| Name | Activity | Country |
| --- | --- | --- |
| Amazon Web Services, Inc. | Cloud service provider | United States |
| Microsoft Corporation | Cloud service provider | United States |
| Salesforce.com | Cloud-based customer relationship management | United States |