Data Protection Addendum

Effective Date: March 20th, 2022

1. Introduction.

This Data Protection Addendum (“DPA”) is entered into by and between RudderStack, Inc., a Delaware corporation (“RudderStack”), and forms part of the Master Subscription Agreement (the “Agreement”) to reflect the Parties’ agreement with regard to the Processing of Customer Personal Data.

Customer enters into this DPA on behalf of itself and, to the extent required under applicable Data Protection Laws, in the name and on behalf of its Authorized Affiliates.

2. Definitions.

Capitalized terms that are used but not defined in this DPA have the meanings given in the Agreement or the Applicable Data Protection Laws, or, to the extent they are technical terms, defined in the relevant RudderStack documentation: https://rudderstack.com/docs.

a. “Affiliates” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control,” for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.

b. “Applicable Data Protection Laws” means all laws and regulations, including laws and regulations of the European Union, the European Economic Area and their member states, Switzerland, the United Kingdom and the United States and its states, applicable to the Processing of Personal Data under the Agreement as amended from time to time.

c. "Authorized Affiliates" means any of Customer’s Affiliates that (i) are permitted to use the Services pursuant to the Agreement, but have not signed their own separate agreement with RudderStack and are not a “Customer” as defined under the Agreement, (ii) qualify as a Controller or Processor of Customer Personal Data Processed by RudderStack, and (iii) are subject to the data protection laws and regulations of the European Union, the European Economic Area and/or their member states, Switzerland and/or the United Kingdom.

d. “Customer Data” has the same meaning as defined in the Agreement. This DPA applies to RudderStack’s Processing of Customer Personal Data, which is Customer Data that (i) constitutes Personal Data, and (ii) is electronic data and information submitted by or for Customer to the Services.

e. “Data Subject” means the identified or identifiable natural person who is the subject of Personal Data.

f. “Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

g. “Personal Data” means “personal data”, “personal information”, “personally identifiable information” or similar information defined in and governed by Applicable Data Protection Laws.

h. “Security Incident” means any confirmed unauthorized or unlawful breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Customer Personal Data being Processed by RudderStack. Security Incidents do not include unsuccessful attempts or activities that do not compromise the security of Customer Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks or other network attacks on firewalls or networked systems.

i. “Subprocessor” means any third party authorized by RudderStack to Process any Customer Personal Data.

3. General; Term.

a. This DPA forms part of the Agreement and except as expressly set forth in this DPA, the Agreement remains unchanged and in full force and effect. If there is any conflict between this DPA and the Agreement, this DPA will govern.

b. This DPA will be governed by and construed in accordance with governing law and jurisdiction provisions in the Agreement, unless required otherwise by Applicable Data Protection Laws.

c. This DPA will automatically terminate upon expiration or termination of the Agreement.

4. Relationship of the Parties.

a. RudderStack as Processor. The parties acknowledge and agree that with regard to the Processing of Customer Personal Data, Customer is a controller or processor and RudderStack is a processor. RudderStack will process Customer Personal Data in accordance with Customer’s instructions as outlined in Section 6.

b. Authorized Affiliates. By signing the Agreement, Customer enters into this DPA (including, where applicable, the Standard Contractual Clauses) on behalf of Customer and in the name and on behalf of Customer’s Authorized Affiliates. For the purposes of this DPA only, and except where indicated otherwise, the terms “Customer” will include Customer and its Authorized Affiliates. For the avoidance of doubt, an Authorized Affiliate is not and does not become a party to the Agreement, and is a party only to this DPA. All access to and use of the Services by Authorized Affiliates must comply with the terms and conditions of the Agreement and any violation of the terms and conditions of the Agreement by an Authorized Affiliate shall be deemed a violation by Customer.

c. Authorization. The legal entity agreeing to this DPA as Customer represents that it is authorized to agree to and enter into this DPA for and on behalf of itself and, as applicable, each of its Authorized Affiliates.

5. Compliance with Law. Each party will comply with its obligations under Applicable Data Protection Laws with respect to its Processing of Customer Data.

6. Role and Scope of the Processing.

a. Customer Instructions. RudderStack will Process Customer Personal Data only in accordance with Customer’s instructions. By entering into the Agreement, Customer instructs RudderStack to Process Customer Personal Data to provide the Services and pursuant to any other written instructions given by Customer and acknowledged in writing (via email) by RudderStack as constituting instructions for purposes of this DPA. Customer acknowledges and agrees that such instruction authorizes RudderStack to Process Customer Personal Data (a) to perform its obligations and exercise its rights under the Agreement; and (b) to perform its legal obligations and to establish, exercise or defend legal claims in respect of the Agreement.

b. Customer Personal Data. Customer agrees that, with respect to Customer Personal Data, Customer shall have sole responsibility for (a) the accuracy, quality, and legality of Customer Personal Data and the means by which Customer acquired Customer Personal Data; and (b) ensuring Customer has the right to transfer, or provide access to, the Customer Personal Data to RudderStack for Processing in accordance with the terms of the Agreement (including this DPA). Customer specifically acknowledges and agrees that its use of the Services will not violate the rights of any Data Subject, including those that have opted-out from sales or other disclosures of Customer Personal Data, to the extent applicable under Applicable Data Protection Laws.

c. Sources and Destinations. For clarity, nothing in this DPA limits RudderStack from transmitting Customer Personal Data to and among Sources and Destinations as directed by Customer through the Services. The parties agree that neither Sources nor Destinations are Subprocessors of RudderStack and that, between the parties, Customer is solely responsible for the Processing of Customer Personal Data by, and other acts and omissions of, Sources and Destinations or parties associated therewith.

7. Subprocessing.

a. Appointment of Subprocessors. Customer generally authorizes RudderStack to engage Subprocessors to Process Customer Personal Data. In such instances, RudderStack:

(i) will enter into a written agreement with each Subprocessor, imposing data protection obligations substantially similar to those set out in this DPA; and

(ii) remains liable for compliance with the obligations of this DPA and for any acts or omissions of the Subprocessor that cause RudderStack to breach any of its obligations under this DPA.

b. List of Subprocessors. A list of RudderStack’s Subprocessors is as below:

  • Amazon Web Services - USA - Cloud Service Provider

c. Objection to New Subprocessors. When any new Subprocessor is engaged, RudderStack will notify Customer of the engagement, which notice may be given via a message by emailing [email protected]. RudderStack will give such notice at least ten (10) calendar days before the new Subprocessor Processes any Customer Personal Data, except that if RudderStack reasonably believes engaging a new Subprocessor on an expedited basis is necessary to protect the confidentiality, integrity or availability of the Customer Personal Data or avoid material disruption to the Services, RudderStack will give such notice as soon as reasonably practicable. If, within five (5) calendar days after such notice, Customer notifies RudderStack in writing that Customer objects to RudderStack’s appointment of a new Subprocessor based on reasonable data protection concerns, the parties will discuss such concerns in good faith and whether they can be resolved. If the parties are not able to mutually agree to a resolution of such concerns, Customer, as its sole and exclusive remedy, may terminate the Agreement.

8. Security.

a. Security Measures. RudderStack will implement and maintain technical and organizational security safeguards designed to protect Customer Data from Security Incidents and to preserve the security and confidentiality of the Customer Data, in accordance with RudderStack’s security standards referenced in the Agreement.

b. Customer Responsibility.

(i) Customer is responsible for reviewing the information made available by RudderStack relating to data security and making an independent determination as to whether the Services meet Customer’s requirements and legal obligations under Applicable Data Protection Laws. Customer acknowledges that the Security Measures may be updated from time to time upon reasonable notice to Customer to reflect process improvements or changing practices (but the modifications will not materially decrease RudderStack’s obligations as compared to those reflected in such terms as of the Effective Date).

(ii) Customer agrees that, without limitation to RudderStack’s obligations under this Section 8, Customer is solely responsible for its use of the Services, including (a) making appropriate use of the Services to ensure a level of security appropriate to the risk in respect of the Customer Personal Data; (b) securing the account authentication credentials, systems and devices Customer uses to access the Services; (c) securing Customer’s systems and devices that it uses with the Services; (d) maintaining its own backups of Customer Personal Data.

c. Security Incident. Upon becoming aware of a confirmed Security Incident, RudderStack will notify Customer without undue delay unless prohibited by applicable law. A delay in giving such notice requested by law enforcement and/or in light of RudderStack’s legitimate needs to investigate or remediate the matter before providing notice will not constitute an undue delay. Such notices will describe, to the extent possible, details of the Security Incident, including steps taken to mitigate the potential risks and steps RudderStack recommends Customer take to address the Security Incident. Without prejudice to RudderStack’s obligations under this Section 8.c., Customer is solely responsible for complying with Security Incident notification laws applicable to Customer and fulfilling any third party notification obligations related to any Security Incidents. RudderStack’s notification of or response to a Security Incident under this Section 8.c. will not be construed as an acknowledgement by RudderStack of any fault or liability with respect to the Security Incident.

9. Audits and Reviews of Compliance.

a. RudderStack’s Audits and Certifications. We have attained System and Organization Controls (SOC) 2 Type II certification through a third-party auditor. The SOC 2 Type II report validates that RudderStack meets the requirements of customers in highly controlled industries who need expert evaluation about how vendors handle the principles of security. For more information on our security practices, please refer to our data transfer impact assessment: https://rudderstack.com/data-transfer-impact-assessment.

b. Audit Reports. Upon Customer’s written request at reasonable intervals, and subject to reasonable confidentiality controls, RudderStack will make available to Customer a copy of RudderStack’s most recent Audit Report. Customer agrees that any audit rights granted by Applicable Data Protection Laws will be satisfied by these Audit Reports. To the extent that RudderStack’s provision of an Audit Report does not provide sufficient information for Customer to verify RudderStack’s compliance with this DPA, or Customer is required to respond to a regulatory authority audit, Customer agrees, to the extent possible, to audit RudderStack’s compliance with its obligations under this DPA through reasonable requests for information, including security and audit questionnaires. RudderStack will provide written responses to the extent the requested information is necessary to confirm RudderStack’s compliance with this DPA. Any information provided by RudderStack under this Section 9.b. constitutes RudderStack’s confidential information under the Agreement.

c. Customer Audit. No more than once during any consecutive 12 month period, Customer may contact RudderStack to request an audit of RudderStack’s Processing activities covered by this DPA (“Customer Audit”) at Customer’s expense. A Customer Audit may be conducted by Customer either itself or through a third-party auditor (as defined below) selected by Customer when:

  • the information available pursuant to Section 9.a. and 9.b. is not sufficient to demonstrate compliance with the obligations set out in this DPA;
  • Customer has received a notice from RudderStack of a Security Incident; or
  • such an audit is required by Applicable Data Protection Laws or by Customer’s competent supervisory authority.

Any Customer Audits will be limited to Customer Personal Data Processing and storage facilities operated by RudderStack or RudderStack’s Affiliates. Customer acknowledges that RudderStack operates a multi-tenant cloud environment. Accordingly, RudderStack shall have the right to reasonably adapt the scope of any Customer Audit to avoid or mitigate risks with respect to, and including, service levels, availability, and confidentiality of other RudderStack customers’ information. Customer agrees to conduct any Customer Audit during RudderStack’s normal business hours and of reasonable duration, and shall not unreasonably interfere with RudderStack’s day-to-day operations. Before any Customer Audit commences, Customer and RudderStack shall mutually agree upon the scope, timing, and duration of the audit and the reimbursement rate for which Customer shall be responsible. All reimbursement rates shall be reasonable, taking into account the resources expended by or on behalf of RudderStack.

If a third party is to conduct an audit under this Section 9.c., RudderStack may object to the auditor if the auditor is, in RudderStack’s reasonable opinion, not independent, a competitor of RudderStack or otherwise unqualified. Such objection by RudderStack will require Customer to appoint another auditor or conduct the audit itself. Prior to the commencement of any audit, the auditor must execute a written confidentiality agreement acceptable to RudderStack.

10. Impact Assessments and Consultations. RudderStack will provide reasonable cooperation to Customer in connection with any data protection impact assessment (at Customer’s expense only if such reasonable cooperation will require RudderStack to assign significant resources to that effort) or consultations with regulatory authorities that may be required in accordance with Applicable Data Protection Laws. Our data transfer impact assessment can be found here: https://rudderstack.com/data-transfer-impact-assessment.

11. Data Subject Requests. RudderStack will, upon Customer’s request and at Customer’s expense, provide Customer with such assistance as it may reasonably require to comply with its obligations under Applicable Data Protection Laws to respond to requests from individuals to exercise their rights under Applicable Data Protection Laws (e.g., rights of data access, rectification, erasure, restriction, portability and objection). Customer shall direct assistance requests to [email protected]. If RudderStack receives a request from a Data Subject in relation to their Customer Persona