Rockset Data Processing Addendum
Last Updated: December 1st, 2021
This Data Processing Addendum (“DPA”) is entered into between Rockset, Inc. (“Rockset”) and the entity identified below (“Customer”). Rockset and Customer may each be referred to as a “Party” and collectively referred to as the “Parties.” This DPA is incorporated by reference into the agreement between Customer and Rockset that governs Customer’s use of the Service (“Agreement”). All capitalized terms used in this DPA but not defined shall have the meaning set forth in the Agreement. To the extent of any conflict or inconsistency between this DPA and the remaining terms of the Agreement, this DPA will govern.
This DPA sets out the terms that apply when Customer Personal Data is Processed by Rockset under the Agreement. The purpose of the DPA is to ensure such Processing is conducted in accordance with Applicable Law and respects the rights of individuals whose Personal Data are Processed under the Agreement.
1. Definitions
“Affiliate” means an entity that controls, is controlled by or is under common control with the applicable party. For purposes of this definition, “control” means ownership of more than fifty percent (50%) of the voting stock or other ownership interest in an entity.
“Applicable Law(s)” means all applicable laws, regulations, and other legal or regulatory requirements in any jurisdiction relating to privacy, data protection/security, or the Processing of Personal Data, including without limitation the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq. and its amendments and implementing regulations (“CCPA”), the United Kingdom Data Protection Act 2018, and the General Data Protection Regulation, Regulation (EU) 2016/679 (“GDPR”). For the avoidance of doubt, if Rockset’s processing activities involving Personal Data are not within the scope of an Applicable Law, such law is not applicable for purposes of this Addendum.
“Customer Personal Data” means Personal Data provided by Customer to Rockset that is Processed to provide the Service.
“EEA” means the European Economic Area, which constitutes the member states of the European Union and Norway, Iceland and Liechtenstein.
“New EU SCCs” means the Standard Contractual Clauses issued pursuant to the EU Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, available at http://data.europa.eu/eli/dec_impl/2021/914/oj and completed as described in the “Data Transfers” section below.
“Old EU SCCs” means the Standard Contractual Clauses issued pursuant to EU Commission Decision of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council, available at http://data.europa.eu/eli/dec/2010/87/2016-12-17 and completed as described in the “Data Transfers” section below.
“Personal Data Breach” means the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data.
“Personal Data” includes “personal data,” “personal information,” and “personally identifiable information,” and such terms shall have the same meaning as defined by Applicable Law.
“Process” and “Processing” mean any operation or set of operations performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, creating, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making such data available, alignment or combination, restriction, erasure or destruction.
“Service” means the services provided by Rockset to Customer as specified in the Agreement.
“Standard Contractual Clauses” means the New EU SCCs or the Old EU SCCs, as applicable.
2. Relationship of the Parties
2.1 Customer is the data controller as defined under the GDPR and other Applicable Laws, and determines the means and purposes for which Customer Personal Data is Processed by Rockset. To the extent Rockset Processes Customer Personal Data subject to the GDPR or other Applicable Laws, Rockset is a data processor as defined under GDPR and will Process the Customer Personal Data according to the instructions set forth in this DPA, the Agreement and under Applicable Law.
2.2 Customer is a Business and Rockset is a Service Provider, as those terms are defined in the CCPA, of Customer Personal Data Processed by Rockset subject to the CCPA.
2.3 Rockset hereby certifies that it understands the restrictions and obligations set forth in this DPA and that it will comply with them.
3. Customer’s Instructions to Rockset
3.1 Purpose Limitation. Rockset will not sell Customer Personal Data, Process Customer Personal Data for any purpose other than for the specific purposes set forth in this Agreement, or otherwise engage in any Processing of the Customer Personal Data outside of what a processor may engage in under the GDPR or what a Service Provider may engage in under the CCPA, unless obligated to do otherwise by Applicable Law. In such case, Rockset will inform Customer of that legal requirement before the Processing unless legally prohibited from doing so. Further details regarding Rockset’s Processing operations are set forth in Exhibit B.
3.2 Lawful Instructions. Customer will not instruct Rockset to Process Customer Personal Data in violation of Applicable Law. Rockset will immediately inform Customer if, in Rockset’s opinion, an instruction from Customer infringes Applicable Law. The Agreement, including this DPA, constitutes Customer’s complete and final instructions to Rockset regarding the Processing of Customer Personal Data, including for purposes of the Standard Contractual Clauses.
4. Limitations on Disclosure
4.1 Rockset will not disclose Customer Personal Data to any third party without first obtaining Customer’s written consent, except as provided in Section 5 (Subcontracting), Section 7 (Responding to Individuals Exercising Their Rights Under Applicable Law) or Section 9 (Data Transfers). Rockset will require all employees, contractors and agents that Process Customer Personal Data on Rockset’s behalf to protect the confidentiality of the Customer Personal Data and to comply with the other relevant requirements of this DPA.
5. Subcontracting
5.1 Subprocessors. Rockset may subcontract the collection or other Processing of Customer Personal Data only in compliance with Applicable Law and any additional conditions for subcontracting set forth in the Agreement. Customer acknowledges and agrees that Rockset’s Affiliates and certain third parties may be retained as subprocessors to Process Customer Personal Data on Rockset’s behalf (under this DPA as well as under the Standard Contractual Clauses, if they apply) in order to provide the Service. Rockset’s third-party subprocessors are listed at Exhibit A (the “Subprocessor List”). Prior to a subprocessor’s Processing of Customer Personal Data, Rockset will impose contractual obligations on the subprocessor substantially the same as those imposed on Rockset under this DPA. Rockset remains liable for its subprocessors’ performance under this DPA to the same extent Rockset is liable for its own performance.
5.2 Notification. Rockset shall provide Customer with at least ten (10) days’ written notice of new subprocessors before authorizing such subprocessor(s) to Process Customer Personal Data in connection with the provision of the Service. The subprocessor agreements to be provided under Clause 5(j) of the Standard Contractual Clauses may have all commercial information, or provisions unrelated to the Standard Contractual Clauses, redacted prior to sharing with Customer, and Customer agrees that such copies will be provided only upon written request.
5.3 Right to Object. Customer may object to Rockset’s use of a new subprocessor on reasonable grounds relating to the protection of Customer Personal Data by notifying Rockset promptly in writing at support@rockset.com within ten (10) business days after receipt of Rockset’s notice in accordance with the mechanism set out in Section 5.2. In its notification, Customer shall explain its reasonable grounds for objection. In the event Customer objects to a new subprocessor, Rockset will use commercially reasonable efforts to make available to Customer a change in the Service or recommend a commercially reasonable change to Customer’s configuration or use of the Service to avoid Processing of Customer Personal Data by the objected-to new subprocessor without unreasonably burdening Customer. If Rockset is unable to make available such change within a reasonable period of time, which shall not exceed thirty (30) days, either Party may terminate without penalty the Processing of Customer Personal Data and/or the Agreement with respect only to those services which cannot be provided by Rockset without the use of the objected-to new subprocessor by providing written notice to the other Party.
6. Assistance & Cooperation
6.1 Security. Rockset will provide reasonable assistance to Customer regarding Customer’s compliance with its security obligations under Applicable Law relevant to Rockset’s role in Processing the Customer Personal Data, taking into account the nature of Processing and the information available to Rockset, by implementing technical and organizational measures set forth in Annex II of Exhibit B, without prejudice to Rockset’s right to make future replacements or updates to the measures that do not lower the level of protection of Customer Personal Data. Rockset will ensure that the persons Rockset authorizes to Process the Customer Personal Data are subject to written confidentiality agreements or are under an appropriate statutory obligation of confidentiality no less protective than the confidentiality obligations set forth in the Agreement.
6.2 Personal Data Breach Notification & Response. Rockset will comply with the Personal Data Breach-related obligations directly applicable to it under Applicable Law. Taking into account the nature of Processing and the information available to Rockset, Rockset will assist Customer by informing it of a confirmed Personal Data Breach without undue delay or within the time period required under Applicable Law, and in any event no later than forty-eight (48) hours following such confirmation. Rockset will notify Customer at the email address provided in the signature block of this DPA for purposes of Personal Data Breach notifications. Any such notification is not an acknowledgement of fault or responsibility. To the extent available, this notification will include Rockset’s then-current assessment of the following, which may be based on incomplete information:
(a) the nature of the Personal Data Breach, including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of Personal Data records concerned;
(b) the likely consequences of the Personal Data Breach; and
(c) measures taken or proposed to be taken by Rockset to address the Personal Data Breach, including, where applicable, measures to mitigate its possible adverse effects.
Rockset will provide timely and periodic updates to Customer as additional information regarding the Personal Data Breach becomes available. Customer is solely responsible for complying with legal requirements for incident notification applicable to Customer and fulfilling any third-party notification obligations related to any Customer Data Incident(s). Nothing in this DPA or in the Standard Contractual Clauses shall be construed to require Rockset to violate, or delay compliance with, any legal obligation it may have with respect to a Personal Data Breach or other security incidents generally.
7. Responding to Individuals Exercising Their Rights Under Applicable Law
To the extent legally permitted, Rockset shall promptly notify Customer if Rockset receives any requests from an individual seeking to exercise any rights afforded to them under Applicable Law regarding their Personal Data (a “Data Subject Request”). To the extent Customer, in its use of the Service, does not have the ability to address a Data Subject Request, Rockset shall, upon Customer’s request, provide commercially reasonable efforts to assist Customer in responding to such Data Subject Request, to the extent Rockset is legally permitted to do so and the response to such Data Subject Request is required under Applicable Law.
8. DPIAs and Consultation with Supervisory Authorities or other Regulatory Authorities
Upon Customer’s written request, Rockset shall provide Customer with reasonable cooperation and assistance as needed and appropriate to fulfill Customer’s obligations under Applicable Law to carry out a data protection impact assessment related to Customer’s use of the Services. Rockset shall provide reasonable assistance to Customer in the cooperation or prior consultation with the Supervisory Authority (as defined under the GDPR) in the performance of its tasks relating to the data protection impact assessment, and to the extent required under the Applicable Law.
9. Data Transfers
9.1 Customer authorizes Rockset and its subprocessors to make international transfers of the Customer Personal Data in accordance with this DPA so long as Applicable Law for such transfers is respected.
9.2 With respect to Customer Personal Data transferred from the EEA, the New EU SCCs shall apply and form part of this DPA. For purposes of the New EU SCCs, they shall be deemed completed as follows:
(a) Customer acts as a controller and Rockset acts as Customer’s processor with respect to Customer Personal Data subject to the New EU SCCs, and its Module 2 applies.
(b) Clause 7 (the optional docking clause) is not included.
(c) Under Clause 9 (Use of sub-processors), the parties select Option 2 (General written authorization). The initial list of sub-processors is set forth at Exhibit A. Rockset shall update that list at least 10 business days in advance of any intended additions or replacements of sub-processors.
(d) Under Clause 11 (Redress), the optional requirement that data subjects be permitted to lodge a complaint with an independent dispute resolution body does not apply.
(e) Under Clause 17 (Governing law), the parties choose Option 1 (the law of an EU Member State that allows for third-party beneficiary rights). The parties select the law of Ireland.
(f) Under Clause 18 (Choice of forum and jurisdiction), the parties select the courts of Ireland.
(g) Annexes I and II of the New EU SCCs are set forth in Exhibit B below.
(h) Annex III of the New EU SCCs (List of subprocessors) is inapplicable.
9.3 With respect to Customer Personal Data transferred from the United Kingdom for which United Kingdom law (and not the law in any European Economic Area jurisdiction) governs the international nature of the transfer, and such law permits use of the Old EU SCCs but not use of the New EU SCCs, the Old EU SCCs form part of this DPA until such time that the United Kingdom adopts new standard contractual clauses, in which case the new standard contractual clauses will control. For purposes of the Old EU SCCs, they shall be deemed completed as follows:
(a) The “exporter” is the Customer, and the exporter’s contact information is set forth below.
(b) The “importer” is Rockset, and Rockset’s contact information is set forth below.
(c) Clause 9 of the Old EU SCCs specifies that United Kingdom law will govern the Old EU SCCs.
(d) The “illustrative indemnification clause” labeled “optional” is deemed stricken.
(e) The content of Appendix 1 and 2 of the Old EU SCCs is set forth in Exhibit C below.
(f) By entering into this DPA, the Parties are deemed to be signing the Old EU SCCs and their applicable Appendices.
To provide additional safeguards, the obligations in Module 2 of Section III of the New EU SCCs (Local Laws and Obligations in Case of Access by Public Authorities) shall form part of this DPA with respect to Customer Personal Data subject to the United Kingdom Data Protection Act 2018, regardless of whether the rest of the New EU SCCs apply to any Customer Personal Data.
9.4 With respect to Customer Personal Data transferred from Switzerland for which Swiss law (and not the law in any European Economic Area jurisdiction) governs the international nature of the transfer, the New EU SCCs shall apply and shall be deemed to have the following differences to the extent required by the Swiss Federal Act on Data Protection (“FADP”):
(a) References to the GDPR in the New EU SCCs are to be understood as references to the FADP insofar as the data transfers are subject exclusively to the FADP and not to the GDPR.
(b) The term “member state” in the New EU SCCs shall not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland) in accordance with Clause 18(c) of the New EU SCCs.
(c) References to personal data in the New EU SCCs also refer to data about identifiable legal entities until the entry into force of revisions to the FADP that eliminate this broader scope.
(d) Under Annex I(C) of the New EU SCCs (Competent supervisory authority): where the transfer is subject exclusively to the FADP and not the GDPR, the supervisory authority is the Swiss Federal Data Protection and Information Commissioner, and where the transfer is subject to both the FADP and the GDPR, the supervisory authority is the Swiss Federal Data Protection and Information Commissioner insofar as the transfer is governed by the FADP, and the supervisory authority is as set forth in the New EU SCCs insofar as the transfer is governed by the GDPR.
10. Audits
Rockset shall allow for and contribute to audits, including inspections, conducted by Customer or another auditor mandated by Customer subject to the following conditions: so long as the Agreement remains in effect and at Customer’s sole expense, Customer may request that Rockset provide it with documentation, data, and records (“Records”) no more than once annually relating to Rockset’s compliance with this DPA (an “Audit”), except, in the event of a Personal Data Breach occurring on Rockset’s systems, Customer will also have the right to conduct an Audit within a reasonable period of time following such Personal Data Breach. To the extent Customer uses a third-party representative to conduct the Audit, Customer shall ensure that such third-party representative is bound by obligations of confidentiality no less protective than those contained in this Agreement. Customer shall provide Rockset with fourteen (14) days’ prior written notice of its intention to conduct an Audit. Customer shall conduct its Audit in a manner that will result in minimal disruption to Rockset’s business operations and shall not be entitled to receive data or information of other clients of Rockset or any other Confidential Information of Rockset that is not directly relevant for the authorized purposes of the Audit. Customer shall reimburse Rockset for any time expended for an Audit at Rockset’s then-current rates, which shall be made available to Customer upon request.
11. Legal Process
If Rockset is legally compelled by a court or other government authority to disclose Customer Personal Data, then to the extent permitted by law, Rockset will promptly provide Customer with sufficient notice of all available details of the legal requirement and reasonably cooperate with Customer’s efforts to challenge the disclosure, seek an appropriate protective order, or pursue such other legal action, as Rockset deems appropriate.
12. Return or Destruction of Personal Data
Upon termination of the Agreement and written request from Customer, Rockset shall delete or anonymize Customer Personal Data, unless prohibited by Applicable Law. Nothing will oblige Rockset to delete or anonymize Customer Personal Data from files created for security, backup and business continuity purposes sooner than required by Rockset’s data retention processes. If Customer requires earlier deletion of such Customer Personal Data, and such deletion is commercially feasible, Customer must first pay Rockset’s reasonable charges for such deletion, which may include costs for business interruptions associated with such a request. If Customer has not requested return or deletion of Customer Personal Data within ninety (90) days from termination of the Agreement, Rockset shall have the right, but not the obligation, to delete or anonymize the Customer Personal Data.
Exhibit A Subprocessor List
Subprocessor: Amazon Web Services
Purpose: Data Hosting
Exhibit B Annexes I and II of the New EU SCCs
A. LIST OF PARTIES
MODULE TWO: Transfer controller to processor
Data exporter(s): [Identity and contact details of the data exporter(s) and, where applicable, of its/their data protection officer and/or representative in the European Union]
Name: ... The exporter is the Customer specified in the Agreement.
Address: ...
Contact person’s name, position and contact details: ...
Activities relevant to the data transferred under these Clauses: Obtaining the Services from Data Importer
Role (controller/processor): Controller
Data importer(s):
Name: Rockset, Inc.
Address: 100 S Ellsworth Ave., Suite 100, San Mateo, CA 94401
Contact person’s name, position and contact details: _
Activities relevant to the data transferred under these Clauses: Providing the Services to Data Exporter.
Role (controller/processor): Processor
B. DESCRIPTION OF TRANSFER
MODULE TWO: Transfer controller to processor
Categories of data subjects whose personal data is transferred
Data exporter’s users and third parties whose personal data is entered into the Rockset service.
Categories of personal data transferred
The data exporter may submit personal data to Rockset, the extent of which is determined and controlled by the data exporter in its sole discretion. Such personal data may include the names and email addresses of the data exporter’s users, as well as any other types of personal data that the data exporter or its users may enter into the service.
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
None anticipated.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
Continuously, for the length of the Agreement between the parties.
Nature of the processing
Personal data transferred will be processed to (i) provide Rockset services to the data exporter and fulfil the data importer’s obligations under the Agreement; (ii) provide customer support to the data exporter; and (iii) comply with applicable law.
Purpose(s) of the data transfer and further processing
To (i) provide Rockset services to the data exporter and fulfil the data importer’s obligations under the Agreement; (ii) provide customer support to the data exporter; and (iii) comply with applicable law.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
Personal data shall be retained for the length of time necessary to provide Rockset services under the Agreement, or as otherwise required by applicable law.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing
Rockset’s subprocessors will process personal data to assist Rockset in providing the Rockset services pursuant to the Agreement, for as long as needed for Rockset to provide the Rockset services.
C. COMPETENT SUPERVISORY AUTHORITY
Identify the competent supervisory authority/ies in accordance with Clause 13.
The parties shall follow the rules for identifying such authority under Clause 13 and, to the extent legally permissible, select the Irish Data Protection Commission.
ANNEX II - TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
Description of the technical and organisational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.
See https://rockset.com/whitepapers/rockset-security-design
Exhibit C Appendix 1 to the Old EU SCCs
This Appendix forms part of the Clauses.
Data exporter
The data exporter is the legal entity that has executed the Standard Contractual Clauses as the data exporter (also referred to herein as the Customer).
Data importer
The data importer is Rockset, Inc., a provider of software and related services, and which from time to time processes personal data upon the instruction of the data exporter in accordance with the terms of the Agreement.
Data subjects
The personal data transferred concern the following categories of data subjects (as determined by the data exporter):
Data exporter’s users and third parties whose personal data is entered into the Rockset service.
Categories of data
The personal data transferred concern the following categories of data:
The data exporter may submit personal data to Rockset, the extent of which is determined and controlled by the data exporter in its sole discretion. Such personal data may include the names and email addresses of the data exporter’s users, as well as any other types of personal data that the data exporter or its users may enter into the service.
Special categories of data (if appropriate)
The personal data transferred concern the following special categories of data: None anticipated.
Processing operations
The personal data transferred will be subject to the following basic processing activities:
Personal data transferred will be processed to (i) provide Rockset services to the data exporter and fulfil the data importer’s obligations under the Agreement; (ii) provide customer support to the data exporter; and (iii) comply with applicable law.
Appendix 2 to the Old EU SCCs
This Appendix forms part of the Clauses and must be completed and signed by the parties.
Description of the technical and organisational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) (or document/legislation attached):
See Annex II of Exhibit B.