DATA PROCESSING AGREEMENT
This Data Processing Agreement (“DPA”) is incorporated into and forms part of (and if applicable, amends the current version of) the Agreement between Customer and/or its affiliates identified in the Agreement (“Customer”) and Redpanda Data, Inc. (“Redpanda”), each a “Party” and collectively the “Parties”. This DPA applies to and takes precedence over the agreement between the Parties and any associated contractual document between the Parties, such as an order form, statement of work, or data processing agreement thereunder (collectively, the “Agreement”), to the extent of any conflict. Capitalized terms not defined herein are defined as in applicable Data Protection Laws.
Customer and Redpanda agree as follows:
- Definitions. For purposes of this DPA:
- “Business and Usage Data” means (1) Customer and its authorized users’ business contact information (specifically, business addresses, phone numbers, and email addresses, including Customer’s contact persons’ names used to facilitate the Parties’ communications for administration of the Agreement); and (2) general information about Customer’s usage of the Services, including logins and other actions taken, time stamps, and IP address.
- “Data Protection Laws” means all applicable laws, regulations, and other legal or self-regulatory requirements in any jurisdiction relating to privacy, data protection, data security, breach notification, or the Processing of personal data, including without limitation, to the extent applicable, the General Data Protection Regulation, Regulation (EU) 2016/679 (“GDPR”); the United Kingdom Data Protection Act of 2018; the Swiss Federal Act on Data Protection (“FADP”); and the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq., including its regulations and the amendments made by the California Privacy Rights Act of 2020 (“CCPA”), the Virginia Consumer Data Protection Act (“VCDPA”), the Colorado Privacy Act and related regulations (“CPA”), and any other similar state law governing the Processing of Personal Data (collectively, “U.S. State Privacy Laws”). For the avoidance of doubt, if the Parties’ Processing activities involving Personal Data are not within the scope of a given Data Protection Law, such law is not applicable for purposes of this DPA.
- “Data Subject,” “Processor,” “Service Provider,” “Controller,” and “Business” shall be defined as provided in applicable Data Protection Laws.
- “EU SCCs” means the Standard Contractual Clauses issued pursuant to Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, located at http://data.europa.eu/eli/dec_impl/2021/914/oj, and completed as set forth below.
- “Personal Data” refers to any information relating to an identified or identifiable natural person that Redpanda Processes on behalf of Customer under the Agreement. For purposes of this DPA, the term “Personal Data” includes “personal information,” “personally identifiable information,” and similar terms defined under Data Protection Laws. For clarity, Personal Data does not include Business and Usage Data.
- “Process” and “Processing” mean any operation or set of operations performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, creating, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
- “Security Breach” means any accidental or unlawful acquisition, destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data occurring on Redpanda's systems or otherwise under Redpanda's control.
- "UK SCCs" means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (available as of the Effective Date at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf).
- Scope and Purposes of Processing.
- The scope, nature, purposes, and duration of the processing, the types of Personal Data Processed, and the Data Subjects concerned are set forth in this DPA, including its Schedule A. The details provided in Schedule A are deemed to satisfy any requirement to provide such details under any Data Protection Law.
- Redpanda will Process Personal Data solely: (1) to fulfill its obligations to Customer under the Agreement, including this DPA, or otherwise on Customer’s documented instructions; (2) on Customer’s behalf; and (3) in compliance with Data Protection Laws. Redpanda will not “sell” Personal Data (as such term in quotation marks is defined in applicable Data Protection Laws), “share” or Process Personal Data for purposes of “cross-context behavioral advertising” or “targeted advertising” (as such terms in quotation marks are defined in applicable Data Protection Laws), or otherwise Process Personal Data for any purpose other than for the specific purposes set forth herein or outside of the direct business relationship with Customer. For the avoidance of doubt, Redpanda will Process Personal Data solely to fulfill its obligations to Customer under the Agreement, including this DPA, or otherwise on Customer’s documented instructions, including to provide data transmission services to Customer as set forth in the Agreement, or as otherwise permitted by Data Protection Laws (for example, to comply with Redpanda’s legal obligations). Customer shall be responsible for complying with Data Protection Laws when making decisions and issuing instructions for the Processing of Personal Data, including securing all permissions, consents or authorizations that may be required.
- Redpanda will comply with any applicable restrictions under Data Protection Laws on combining the Personal Data with personal data that Redpanda receives from, or on behalf of, another person or persons, or that Redpanda collects from any interaction between it and any Data Subject;
- Redpanda will provide the same level of privacy protection for the Personal Data as is required by the CCPA as applicable to Customer.
- Customer retains the right, upon notice, to take reasonable steps to stop and remediate unauthorized use of Personal Data, including any use of Personal Data not expressly authorized in this DPA.
- Personal Data Processing Requirements. Redpanda will, to the extent required by Data Protection Laws:
- Ensure that the persons it authorizes to Process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
- Reasonably assist Customer through appropriate technical and organizational measures in the fulfillment of Customer’s obligations to respond to verifiable requests by Data Subjects (or their lawful representatives) for exercising their rights under Data Protection Laws with respect to their Personal Data by making available Personal Data to Customer for Customer to honor Data Subject requests. If Redpanda receives a request from a Data Subject to exercise one or more of its rights under Data Protection Laws related to Personal Data, Redpanda shall, to the extent Redpanda can identify Customer as the controller of the Personal Data, redirect the Data Subject to make its request directly to Customer. Customer shall be solely responsible for responding to Data Subject requests.
- Taking into account the nature of the Processing and information available to Customer, provide reasonable assistance to and cooperation with Customer for Customer’s consultation with regulatory authorities in relation to Redpanda’s Processing or proposed Processing of Personal Data, and notify Customer of any government requests for access to or information about Redpanda’s Processing of Personal Data on Customer’s behalf, unless prohibited by applicable law. If Redpanda is prohibited by applicable law from disclosing the details of a government request to Customer, Redpanda shall inform Customer that it can no longer comply with Customer’s instructions under this DPA without providing more details.
- Provide reasonable assistance to and cooperation with Customer for Customer’s performance of a data protection impact assessment of Processing or proposed Processing of Personal Data required by Data Protection Laws, at Customer’s expense.
- Notify Customer if it determines that (i) it can no longer meet its obligations under applicable Data Protection Laws; or (ii) in its opinion, an instruction from Customer infringes applicable Data Protection Laws.
- Data Security. Redpanda will implement appropriate administrative, technical, physical, and organizational measures to protect Personal Data, as set forth in Schedule A, Annex II.
- Security Breach. Redpanda will notify Customer without undue delay of any known Security Breach resulting from Redpanda’s Processing of Personal Data on behalf of Customer. The reporting of any Security Breach is not and will not be construed as an acknowledgment by Redpanda of any fault or liability with respect to the Security Breach. Redpanda will comply with the Security Breach-related obligations directly applicable to it under Data Protection Laws and will provide reasonable assistance to Customer in Customer’s compliance with its Security Breach-related obligations, including without limitation by:
- Taking commercially reasonable steps to mitigate the effects of the Security Breach and reduce the risk to Data Subjects whose Personal Data was involved; and
- Providing Customer with the following information, to the extent known:
- The nature of the Security Breach, including, where possible, how the Security Breach occurred, the categories and approximate number of Data Subjects concerned, and the categories and approximate number of Personal Data records concerned.
- The likely consequences of the Security Breach; and
- Measures taken or proposed to be taken by Redpanda to address the Security Breach, including, where appropriate, measures to mitigate its possible adverse effects.
- Subprocessors.
- Customer acknowledges and agrees that Redpanda may use Redpanda affiliates and other Subprocessors to Process Personal Data in accordance with the provisions within this DPA and Data Protection Laws. Where Redpanda sub-contracts any of its rights or obligations concerning Personal Data, including to any affiliate, Redpanda will take steps to select and retain Subprocessors that are capable of maintaining appropriate privacy and security measures to protect Personal Data consistent with applicable Data Protection Laws and require that each Subprocessor complies with obligations that are no less restrictive than those imposed on Redpanda under this DPA.
- Redpanda’s current list of Subprocessors is provided in Schedule B hereto, and Customer hereby consents to Redpanda’s use of such Subprocessors. Redpanda will maintain an up-to-date list of its Subprocessors at [https://www.redpanda.com/legal/data-processing-agreement#schedule-b], and it will provide Customer with a mechanism to subscribe to notifications of new Subprocessors and Customer, if it wishes, will subscribe to such notifications where available. Except in an emergency concerning availability or security, such notice shall be provided at least thirty (30) days prior to Redpanda’s use of the new Subprocessor to process Customer’s Personal Data. During the notice period, Customer may provide a commercially reasonable objection to the change in Subprocessor in writing, and Redpanda will use reasonable efforts to make available to Customer a change in the services or recommend a commercially reasonable change to Customer’s use of the services to avoid Processing of Personal Data by the objected-to Subprocessor. If (a) Redpanda provides Customer written notice that it will not pursue an alternative, or (b) such an alternative cannot be made available by Redpanda to Customer within 90 days of Customer providing notice of its objection, then in either case, and notwithstanding anything to the contrary in the Agreement or order, Customer may terminate the Agreement or order to the extent that it relates to the Offerings which require the use of the proposed Subprocessor.
- Redpanda will provide copies of the Subprocessor agreements that must be sent to Customer pursuant to the EU SCCs upon Customer’s request. Redpanda may remove or redact all commercial information or clauses unrelated to the EU SCCs or their equivalent before providing such agreements to Customer.
- Data Transfers.
- Redpanda will not engage in any cross-border Processing of Personal Data, or transmit, directly or indirectly, any Personal Data to any country outside of the country from which such Personal Data was collected, without complying with applicable Data Protection Laws. Where Redpanda engages in an onward transfer of Personal Data, Redpanda shall ensure that a lawful data transfer mechanism is in place prior to transferring Personal Data from one country to another.
- To the extent legally required, by signing this DPA, Customer and Redpanda are deemed to have signed the EU SCCs, which form part of this DPA and (except as described in Section 7(c) and (d) below) will be deemed completed as follows:
- Module 2 of the EU SCCs applies to transfers of Personal Data from Customer (as a controller) to Redpanda (as a processor);
- Clause 7 (the optional docking clause) is included;
- Under Clause 9 (Use of subprocessors), the Parties select Option 2 (General written authorization). The initial list of subprocessors is set forth in Schedule B of this DPA and Redpanda shall update that list and provide a notice to Customer in advance of any intended additions or replacements of subprocessors as provided in Section 6.
- Under Clause 11 (Redress), the optional language requiring that Data Subjects be permitted to lodge a complaint with an independent dispute resolution body shall not be deemed to be included;
- Under Clause 17 (Governing law), the Parties choose Option 1 (the law of an EU Member State that allows for third-Party beneficiary rights). The Parties select the laws of Ireland;
- Under Clause 18 (Choice of forum and jurisdiction), the Parties select the courts of Ireland;
- Annex I(A) and I(B) (List of Parties) is completed as set forth in Schedule A of this DPA;
- Under Annex I(C) (Competent supervisory authority), the Parties shall follow the rules for identifying such authority under Clause 13 and, to the extent legally permissible, select the Irish Data Protection Commission.
- Annex II (Technical and organizational measures) is completed with Schedule A of this DPA; and
- Annex III (List of subprocessors) is not applicable as the Parties have chosen General Authorization under Clause 9.
- With respect to Personal Data transferred from the United Kingdom for which United Kingdom law (and not the law in any European Economic Area jurisdiction or Switzerland) governs the international nature of the transfer, the UK SCCs form part of this DPA and take precedence over the rest of this DPA as set forth in the UK SCCs. Undefined capitalized terms used in this provision shall mean the definitions in the UK SCCs. For purposes of the UK SCCs, they shall be deemed completed as follows: (i) the Parties’ details shall be the Parties and their affiliates to the extent any of them is involved in such transfer; (ii) the Key Contacts shall be the contacts set forth in Schedule A; (iii) the Approved EU SCCs referenced in Table 2 shall be the EU SCCs as executed by the Parties; (iv) Annex 1A, 1B, II, and III shall be set forth in Schedules A and B below; (v) either Party may end this DPA as set out in Section 19 of the UK SCCs; and (vi) by entering into this DPA, the Parties are deemed to be signing the UK SCCs.
- For transfers of Personal Data that are subject to the FADP, the EU SCCs form part of this DPA as set forth in Section 7(b) of this DPA, but with the following differences to the extent required by the FADP: (i) references to the GDPR in the EU SCCs are to be understood as references to the FADP insofar as the data transfers are subject exclusively to the FADP and not to the GDPR; (ii) references to personal data in the EU SCCs also refer to data about identifiable legal entities until the entry into force of revisions to the FADP that eliminate this broader scope; (iii) the term “member state” in EU SCCs shall not be interpreted in such a way as to exclude Data Subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland) in accordance with Clause 18(c) of the EU SCCs; and (iv) the relevant supervisory authority is the Swiss Federal Data Protection and Information Commissioner (for transfers subject to the FADP and not the GDPR), or both such Commissioner and the supervisory authority identified in the EU SCCs (where the FADP and GDPR apply, respectively).
- Audits. To the extent required by applicable Data Protection Law, and upon Customer’s request, Redpanda shall make available all information necessary for Customer to confirm Redpanda’s compliance with this DPA. If Customer has a reasonable basis to conclude that such information provided by Redpanda is not satisfactory to confirm such compliance, Customer may, at Customer’s sole expense, upon reasonable prior notice, conduct an audit subject to the following requirements:
- Audits shall occur not more than once every twelve (12) calendar months, upon reasonable prior written notice, and during Redpanda’s normal business hours.
- If a third party is to conduct the audit, Customer will provide at least thirty (30) days’ advance notice. The third-party auditor must be reasonably agreed to by the Parties (without prejudice to any governmental authority’s audit power). Redpanda will not unreasonably withhold its consent to a third-party auditor requested by Customer, unless such third-party auditor is a competitor or another customer of Redpanda. Any third-party auditor must execute a written confidentiality agreement acceptable to Redpanda.
- Customer must promptly provide Redpanda with the results of any audit, including any third-party audit report. All such results and reports, and any other information obtained during the audit (other than Customer’s Personal Data) are confidential information of Redpanda. Customer may use the audit reports only for the purposes of meeting Customer’s regulatory audit requirements and/or confirming compliance with the terms of this DPA.
- Nothing herein will require Redpanda to disclose or make available: (i) any data of any other customer of Redpanda; (ii) Redpanda’s internal accounting or financial information; (iii) any trade secret of Redpanda; (iv) any information that, in Redpanda’s reasonable opinion, could (1) compromise the security of Redpanda systems or premises; or (2) cause Redpanda to breach its obligations under applicable law or its security and/or privacy obligations to Customer or any third party; or (v) any information sought for any reason other than the good faith fulfillment of Customer’s obligations under Data Protection Laws.
- Return or Destruction of Personal Data. Except to the extent required otherwise by Data Protection Laws, upon termination or expiry of the Agreement, Redpanda will (at Customer’s election and written request) delete or make available for return all Personal Data in its possession or control as soon as reasonably practicable if such request is made prior to deletion (such return may be performed by reasonably providing Customer with a means to retrieve Personal Data from the products or services).
- General Terms.
- The provisions of this DPA survive the termination or expiration of the Agreement for so long as Redpanda or its Subprocessors Process the Personal Data.
- If there is a conflict between the Agreement and this DPA, the terms of this DPA will prevail. In the event of a conflict between this DPA and the EU SCCs or UK SCCs, the terms of the EU SCCs or UK SCCs, as relevant, will control.
- Any claims brought under this DPA shall be subject to the terms and conditions, including but not limited to, the exclusions and limitations, set forth in the Agreement.
Schedule A
ANNEX I
A. LIST OF PARTIES
Data exporter(s): The exporter (Controller) is Customer and Customer’s contact details and signature are as provided in the Agreement and the DPA.
Data importer(s): The importer (Processor) is Redpanda and Redpanda’s contact details and signature are as provided in the Agreement and the DPA.
B. DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred: Customer, rather than Redpanda, determines which data subjects’ personal data is transferred by Redpanda, through the content provided or made available by Customer to Redpanda, including through the products and services, and may include Customer’s end users, prospective customers, customers, and/or employees.
Categories of personal data transferred: Customer, rather than Redpanda, determines which data subjects’ personal data is transferred by Redpanda, through the content provided or made available by Customer to Redpanda, including through the products and services, and may include
Sensitive data transferred (if applicable): Customer, rather than Redpanda, determines which Data Subjects’ Personal Data is Processed by Redpanda through the Customer content put into, or collected by, the Redpanda products and services.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis): On a continuous basis as needed to provide the services to Customer.
Taking into account Redpanda’s Personal Data Processing including the manner of receipt, collection, storage, and use of Personal Data, the frequency of the transfer of Personal Data depends on the nature and scope of the products and services agreed to under the Agreement, Customer’s documented instructions and Redpanda’s need to transfer Personal Data for the performance of the products and services. Consequently, transfers may happen on either a continuous or one-off basis, until the termination of the Agreement.
Nature of the processing: The nature of the Processing is set out in the Agreement between the Parties.
Purpose(s) of the data transfer and further processing: The purpose of the data transfer is to provide the products and services chosen by Customer in connection with the Agreement.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: The data will be retained for the time period needed to accomplish the purposes of Processing, unless otherwise required by applicable law.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing: Same as above to the extent that Personal Data is provided to Subprocessors for purposes of providing the products and services under the Agreement to Customer.
C. COMPETENT SUPERVISORY AUTHORITY
Identify the competent supervisory authority/ies in accordance with Clause 13: The data exporter’s competent supervisory authority will be determined in accordance with the GDPR, and where possible, will be the Irish Data Protection Commissioner.
ANNEX II - TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
Redpanda will implement and maintain the following administrative, technical, and organizational security measures for the Processing of Personal Data:
Schedule B
REDPANDA SUBPROCESSORS
The Parties agree that the following list of Subprocessors are approved: