Last modified: 26 June 2024
I Background
This Data Processing Agreement (this “DPA”) is incorporated into and shall become a part of the Agreement (as defined below), pursuant to which Customer purchased the right to use the Software and/or Services. Pursuant to the Agreement, Denodo may provide Services as agreed in detail between Denodo and Customer from time to time. Denodo's Services may include the processing of personal data, including personal data relating to Customer and Users on behalf of Customer. To the extent applicable, the data processing terms in this DPA shall apply to any such processing.
Definitions:
For purposes of these terms, “Agreement” shall be as defined in the applicable software license and/or services agreement, purchase order, order form or any other agreement between the parties.
"Adequate Country" means a country or territory recognised as providing an adequate level of protection for Personal Data under an adequacy decision made, from time to time, by (as applicable) (i) the Information Commissioner's Office ("ICO") and/or Secretary of State under applicable UK Data Protection Laws, or (ii) the European Commission under EU Data Protection Laws.
"Applicable Data Protection Laws" means (as applicable to Customer and Denodo) EU Data Protection Laws, UK Data Protection Laws and any other legislation or regulation from time to time relating to privacy, data protection and/or the collection, use and/or sharing of personal data anywhere in the world.
"EU Data Protection Laws" means (i) Regulation 2016/679 (the European General Data Protection Regulation (“GDPR”)); (ii) the European e-Privacy Directive (Directive 2002/58/EC) (“e-Privacy Directive”); (iii) all national implementations of (i) and (ii); and (iv) the Swiss Federal Data Protection Act of 19 June 1992 and, when in force, the Swiss Federal Data Protection Act of 25 September 2020 and its corresponding ordinances in each case, as may be amended, superseded or replaced from time to time.
"EU SCCs" means standard contractual clauses contained in the annex to the Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council and currently available at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?uri=CELEX:32021D0914&locale=en and the corresponding annexes, attached at schedule 1 of this DPA.
"Processor Module" means all clauses contained in module 2 (transfer controller to processor) of the SCCs, unless stated otherwise.
"UK Data Protection Laws" means the Data Protection Act 2018 and the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (as the latter is implemented by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019, as amended), in each case, as may be amended, superseded or replaced from time to time.
"UK SCCs" means the standard contractual clauses for the transfer of personal data to processors established in third countries set out in the European Commission's Decision 2010/87/EU of 5 February 2010 and currently available at http://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX%3A32010D0087 and the corresponding appendices attached at Schedule 2 of this DPA.
Capitalized terms used but not defined herein shall have the meanings set forth in the Agreement.
II Description of processing
The processing to be carried out by Denodo is as follows:
(a) the subject matter of the processing is the provision of Services to Customer;
(b) the duration of the processing will be throughout the period within which Denodo performs the relevant Services under the Agreement;
(c) the nature of the processing is as described in the applicable Order;
(d) the purpose of the processing is to enable Denodo to perform the relevant Services under the Agreement;
(e) categories of data are those relating to individuals provided to Denodo by the Customer and the categories of data subjects include Customer's staff, Users or suppliers are as described in clause I above.
III Compliance with the Applicable Data Protection Laws
Both Customer and Denodo will comply with (and shall ensure that its staff and/or subcontractors comply) with Applicable Data Protection Laws in relation to their processing of Customer personal data.
IV Responsible individuals and enquiries
Customer and Denodo will each notify the other of the individual within its organisation authorised to respond from time to time to enquiries regarding the personal data and the processing which is the subject of the Agreement. Customer and Denodo shall each deal promptly and reasonably with all such enquiries.
V Processing of personal data by Denodo
In relation to the processing of personal data under the Agreement, Denodo shall:
(a) process the personal data (including when making an international transfer of the personal data) only to the extent necessary in order to provide the Services and then only in accordance with:
i. the terms of this Agreement;
ii. Customer's written instructions from time to time which shall be those instructions set out in the Order; unless otherwise required by law. Where Denodo is required by law to process the personal data otherwise than as provided by the Agreement, it will notify Customer before carrying out the processing concerned (unless applicable law also prevents Denodo from doing so for reasons of important public interest);
(b) implement appropriate technical and organisational measures to ensure a level of security appropriate to the risks that are presented by the processing, in particular protection against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed under the Agreement;
(c) take all reasonable steps to ensure that only authorised personnel have access to the personal data and that any persons whom it authorises to have access to the personal data will respect and maintain all due confidentiality in relation to the personal data (including by means of an appropriate contractual duty of confidentiality where the persons concerned are not already under such a duty under the law);
(d) not knowingly do, or omit to do, anything, which would cause Customer to be in breach of its obligations under the Applicable Data Protection Laws;
(e) as soon as reasonably practicable notify Customer if, in Denodo's opinion, any instruction given to Denodo infringes Applicable Data Protection Laws;
(f) where applicable in respect of any personal data processed under the Agreement, co-operate with and assist Customer in ensuring compliance with:
i. Customer's obligations to respond to requests from any data subject(s) seeking to exercise their rights under Applicable Data Protection Laws, including by notifying Customer of any written subject access requests Denodo receives relating to Customer's obligations under Applicable Data Protection Laws; and
ii. the Customer's obligations under Applicable Data Protection Laws to:
A. ensure the security of the processing;
B. notify the relevant supervisory authority, and any data subject(s), where relevant, of any personal data breaches;
C. carry out any data protection impact assessments (each a "DPIA") of the impact of the processing on the protection of personal data; and
D. consult the relevant supervisory authority prior to any processing where a DPIA indicates that the processing would result in a high risk in the absence of measures taken by Controller to mitigate the risk.
VI Sub-processors
Denodo will ensure that any sub-processor it engages to provide any services on its behalf in connection with the Agreement does so only on the basis of a written contract which imposes on such sub-processor terms equivalent to those imposed on Denodo in this schedule subject to any standard data processing terms sub- processors may impose on Denodo where Denodo sees no reasonable prospect of successfully negotiating alternative terms (the "Relevant Terms"). Denodo shall procure the performance by the sub-processor of the Relevant Terms and shall be directly liable to Customer for:
(a) any breach by the sub-processor of any of the Relevant Terms;
(b) any act or omission of the sub-processor which causes:
i. Denodo to be in breach of this Agreement; or
ii. Customer or Denodo to be in breach of Applicable Data Protection Laws.
Customer gives its general authorisation to Denodo's engagement of sub-processors provided such engagement is subject to the terms above. Denodo will maintain a list of sub-processors at a https://www.denodo.com/en/page/denodo-authorised-sub-processors and will add the names of new and replacement sub-processors to the list ten (10) days prior to them starting sub-processing of Personal Data.
Company may subscribe to updates to this list. Customer shall have the opportunity to object to the use of any new sub-processors, and must object within 10 days of notification of the sub-processor. Where Customer objects within this time period, Customer shall suggest an alternative sub-processor but shall be responsible for any increased cost as a result of engaging an alternative sub-processor. Where Denodo requires use of the sub- processor in its discretion and is unable to satisfy Customer as to the suitability of the sub-processor or the documentation and protections in place between Customer and the sub-processor within ninety (90) days from Customer's notification of objections, Customer may within thirty (30) days following the end of the ninety (90) day period referred to above, terminate the Agreement and this DPA with at least thirty (30) days' written notice. If Customer does not provide a timely objection to any new or replacement sub-processor in accordance with this clause VI, Customer will be deemed to have waived its right to object. Denodo may use a new or replacement sub-processor whilst the objection procedure in this clause VI is in process.
VII Monitoring of Denodo's performance
(a) Denodo will, subject to the confidentiality terms in the Agreement, provide Customer such information in Denodo’ possession or control as may be necessary to demonstrate compliance with its obligations under this DPA or in order to respond to requests from an applicable Supervisory Authority. Where Customer suspects, acting reasonably, that Denodo is in material breach of this DPA or Customer is subject to a written requirement from its Supervisory Authority to conduct an audit (and can provide reasonable evidence thereof), Customer may itself or through appropriately-qualified personnel conduct, or commission a third party auditor to conduct, an audit into Denodo's compliance with this DPA on the terms set out below.
(b) Audits will (i) be on no less than fourteen days’ prior written notice unless otherwise agreed, (ii) be conducted during normal business hours; (iii) not unreasonably interfere with Denodo’s business activities; (iv) not take place more than once in any year except where required at law or as agreed between the parties; (v) involve reasonable access to personnel and Customer personal data; (vi) not compromise the security of (or grant access to) any data that is not Customer personal data; (vii) be subject to such reasonable security measures and limitations as Denodo may prescribe to protect its systems and its and third party information and (viii) be at Customer’s sole cost and expense.
VIII Data Transfers
Customer acknowledges that Denodo will transfer personal data:
(a) outside the European Economic Area ("EEA") and/or the United Kingdom ("UK"); or
(b) to third parties (which shall include any affiliates of Denodo) where such third party is located outside the EEA and/or the UK.
To the extent that Denodo processes Customer personal data to which EU Data Protection Laws apply, or transfers such personal data to a third party, outside the EEA (except if in a country or territory regarded as adequate pursuant to EU Data Protection Laws), the parties agree that the Processor Module of the EU SCCs will apply and are incorporated into this DPA, and that Denodo is the 'data importer' and will comply with the obligations of the 'data importer' and the Customer is the 'data exporter' and will comply with the obligations of the 'data exporter' in the EU SCCs. (c) The following terms shall apply to the EU SCCs:
(i) The parties agree that the Docking Clause 7 shall be included in the EU SCCs and the optional wording in Clause 11 of the EU SCCs relating to an independent dispute resolution body shall not be included
(ii) Option 2 of Clause 9 (general authorisation of sub-processors) of the Processor Module shall apply in relation to Customer's authorisation of the use of Subprocessors and Denodo shall notify the Customer writing of any intended changes to that list through the addition or replacement of sub-processors at least 10 days in advance and in accordance with clause VI of this DPA;
(iii) Clause 13(a) (Supervision) of Section II shall apply as follows:
Where the data exporter is established in the EU, clause 13(a) shall apply as follows: "the supervisory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 as regards the data transfer shall act as competent supervisory authority"
Where the data exporter is established outside of the EU but within the extraterritorial scope of the GDPR and has appointed an EU Representative, clause 13(a) shall apply as follows: "The supervisory authority of the Member State in which the representative within the meaning of Article 27(1) of Regulation (EU) 2016/679 is established shall act as competent supervisory authority"
Where the data exporter is established outside of the EU but within the extraterritorial scope of the GDPR, but is not required to appoint an EU Representative, clause 13(a) shall apply as follows: "The supervisory authority of one of the Member States in which the data subjects whose personal data is transferred under these clauses in relation to the offering of goods or services to them, or whose behaviour is monitored, are located shall act as competent supervisory authority."; and
(iv) Option 1 of Clause 17 of the EU SCCs shall apply and the parties agree that the governing law shall be the law of the Agreement.
(d) To the extent that Denodo processes personal data to which UK Data Protection Laws applies, or transfers such personal data to a third party, outside the UK (except if in a country or territory regarded as adequate pursuant to UK Data Protection Laws), the parties agree that the UK SCCs will apply and that Denodo is the 'data importer' and will comply with the obligations of the 'data importer' and Customer is the 'data exporter' and will comply with the obligations of the 'data exporter' in the UK SCCs.
(e) The following terms shall apply to the UK SCCs:
(i) Customer may exercise its right of audit under clause of 5(f) of the UK SCCs as set out in and subject to the requirements of clause VII of this DPA; and
(ii) Denodo may appoint sub-processors as set out in and subject to the requirements of clause VI of this DPA.
(f)The parties agree that Denodo may (i) replace the UK SCC and/or the EU SCCS generally or in respect of the UK and/or the EEA only (as appropriate) with any alternative or replacement transfer mechanism in compliance with Applicable Data Protection Laws, including any standard contractual clauses approved by an applicable
Supervisory Authority or competent government body, and (ii) make reasonably necessary changes to this clause VII by notifying the Customer of the new transfer mechanism or content of any new alternative standard contractual clauses or approved addendum applying the EU SCC to transfers to which UK Data Protection Legislation applies (provided their content is in compliance with the relevant decision or approval), as applicable.
IX Completion of Services
Upon completion of the Services, Denodo will at Customer's discretion:
(a) delete; or
(b) return to the Customer (as directed by Customer);
all personal data (including copies) processed under the Agreement, except to the extent that Denodo is required by law to retain any copies of the personal data.
SCHEDULE 1
ANNEX I TO THE EU SCCS
A. LIST OF PARTIES
Transfer controller to processor
Data exporter(s): The Customer identified in the Agreement.
Role: controller
Data importer(s): Denodo
Address: As set out in the Agreement.
Contact person’s name, position and contact details: Denodo Privacy, privacy@denodo.com Activities relevant to the data transferred under the DPA.
Role: processor
B. DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred:
Personal data relating to Customer or staff of Customer or other individuals with whom the Customer deals in the course of its business.
Categories of personal data transferred:
This may include: name; contact details; contact/ links within the organization; relevant employment information such as type of client; company name; role within the business; log data, as required for the provision of Services; and certain online activity information
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
N/A
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
Occasional - Denodo only processes Personal Data if the Customer sends them it in connection with the ordinary course of business in communications between Customer and Denodo to manage the relationship and as part of a support request
Nature of the processing
is as described in the applicable Order.
Purpose(s) of the data transfer and further processing
The provision of the Services under the Agreement.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
For as long as necessary to comply with a support request from a Customer.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing
Transfers to (sub-)processors comprise the same categories of data subjects and personal data and duration as set out above. The sub-processors provide services to Denodo in connection with the delivery of the Services under the Agreement.
C. COMPETENT SUPERVISORY AUTHORITY
The competent supervisory authority is identified pursuant to clause VIII (c)(iv) of this DPA
…
ANNEX II
TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
Please see the security measures set out in Appendix 2 to the UK SCCs below.
SCHEDULE 2
Appendix 1
to the UK SCCs
The Member States may complete or specify, according to their national procedures, any additional necessary information to be contained in this Appendix
Data exporter
The data exporter shall be the Customer (the Controller) who is purchasing items as set out in the Service Order pursuant to the Agreement.
Data importer
Data subjects
The personal data transferred concern the following categories of data subjects:
Categories of data
The personal data transferred concern the following categories of data:
This may include: name; contact details; contact/ links within the organization; relevant employment information such as type of client; company name; role within the business; log data, as required for the provision of Services; and certain online activity information.
Special Categories of personal data (if appropriate)
The personal data transferred may concern the following special categories of personal data:
N/A
Processing operations
The personal data transferred will be subject to the following basic processing activities:
This will be subject to the processing activities which the Services being purchased are depending upon, as set out in the completed Order and the Terms and Conditions of the Agreement.
Appendix 2
to the UK SCCs
UK SCCS
Description of the technical and organizational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) (or document/legislation attached):
Denodo currently observes the security practices described in this Appendix.
Notwithstanding any provision to the contrary otherwise agreed to by data exporter, Denodo may modify or update these practices at its discretion provided that such modification and update does not result in a material degradation in the protection offered by these practices.
a)Access Control
Outsourced processing: Denodo hosts services with outsourced cloud infrastructure providers. Additionally, Denodo maintains contractual relationships with vendors in order to provide the Service in accordance with our Data Processing Agreement. Denodo relies on contractual agreements, privacy policies, and vendor compliance programs in order to protect data processed or stored by these vendors.
Physical and environmental security: Denodo hosts its product infrastructure with multi-tenant, outsourced infrastructure providers. The physical and environmental security controls are audited for some security international standard like SOC 2 Type II or ISO 27001 compliance, among other certifications.
Access controls: Access controls apply at all levels of Denodo's Information Systems architecture and topology. This includes: networks, platforms or operating systems and applications. The attributes of each of them reflect some form of identification and authentication, access authorization, verification of information resources and logging and monitoring of activities. Users will have access only to those resources that are necessary for the performance of their job duties.
Physical controls: Denodo implements measures to prevent unauthorized persons from gaining access to the data processing equipment where the personal data is processed or used in Denodo facilities: establishing security areas; procuring 24-hour security service; requiring all doors to be locked before and after entry; restricting and protecting access paths; securing the data processing equipment; establishing access authorizations for staff and third parties, including the respective documentation; restricting issuance of card- keys; regulating card-keys once issued; and logging, monitoring and tracking all access to systems.
Authentication: Denodo defined a uniform password policy. Users who interact with Denodo applications via the user interface must authenticate before accessing non-public customer data. User IDs are individual and cannot be reassigned to another person.
Authorization: The authorization model in each of Denodo’s services is designed to ensure that only the appropriately assigned individuals can access to only that data relevant to the scope of each individual’s role or responsibility. Authorization to data sets is performed through validating the user’s permissions against the attributes associated with each data set.
b) Transmission Control
In-transit: Denodo uses firewall and encryption technologies to protect the gateways and pipelines through which personal data travels. Denodo makes encryption (also referred to as SSL or TLS) available on every one of its login interfaces and for free on every customer site hosted on the Denodo products. Denodo’s encryption implementation uses industry standard algorithms and certificates.
At-rest: Denodo stores user passwords following policies that follow industry standard practices for security. Denodo has implemented technologies to ensure, where it is reasonable possible, that stored data is encrypted at rest.
Denodo uses commercially reasonable efforts to log, monitor and track data transmissions to prevent unauthorized persons from reading, copying, altering or deleting data.
Input Control
Detection: Denodo designed its services to log extensive information about the system behaviour, traffic received, system authentication, and other application requests. Internal systems aggregated log data and alert appropriate employees of anomalous activities. Denodo personnel, including security, operations, and support personnel, are responsive to known incidents.
Response and tracking: Denodo maintains a record of known security incidents that includes description, dates and times of relevant activities, and incident disposition. Suspected and confirmed security incidents are investigated by security, operations, or support personnel; and appropriate resolution steps are identified and documented. For any confirmed incidents, Denodo will take appropriate steps to minimize product and Customer damage or unauthorized disclosure.
Communication: If Denodo becomes aware of unlawful access to Customer data stored within its applications, Denodo will: 1) notify the affected Customers of the incident; 2) provide a description of the steps Denodo is taking to resolve the incident; and 3) provide status updates to the Customer contact, as Denodo deems necessary. Notification(s) of incidents, if any, will be delivered to one or more of the Customer’s contacts.
Availability Control
Infrastructure availability: Denodo and Denodo providers use commercially reasonable efforts to ensure Denodo services are available all time. This is implemented through reasonable infrastructure availability and backups. The services are also architected to assist Denodo operations in maintaining and updating applications and backend while limiting downtime.
Fault tolerance: Backup strategies are designed to ensure protections during a significant processing failure. Data is backed up to multiple durable data stores and located in outside the main location. All databases are backed up and maintained using industry standard methods and ensuring they are readily available for restoration in case of failure of storage infrastructure or database services.