Data Privacy Addendum
Last Updated: September 30th, 2019
This Data Privacy Addendum (“Addendum”) is hereby incorporated into the current version of the Terms of Service between Customer and Rockset, Inc. (“Rockset”), each a “Party” and collectively the “Parties.” This Addendum applies to and takes precedence over that document and any associated contractual document between the Parties, such as an order form, statement of work or data protection addendum thereunder (collectively, the “Agreement”), to the extent of any conflict.
Definitions. For purposes of this Addendum:
- “Data Privacy Laws” means all applicable laws, regulations, and other legal or self-regulatory requirements in any jurisdiction relating to privacy, data protection, data security, communications secrecy, breach notification, or the Processing of Personal Data, including without limitation, to the extent applicable, the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq. (“CCPA”) and the General Data Protection Regulation, Regulation (EU) 2016/679 (“GDPR”). For the avoidance of doubt, if Rockset’s processing activities involving Personal Data are not within the scope of a given Data Privacy Law, such law is not applicable for purposes of this Addendum.
- “Data Subject” means an identified or identifiable natural person about whom Personal Data relates.
- “Personal Data” includes “personal data,” “personal information,” and “personally identifiable information,” and such terms shall have the same meaning as defined by the applicable Data Privacy Laws.
- “Process” and “Processing” mean any operation or set of operations performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, creating, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
- “Security Breach” means any accidental or unlawful acquisition, destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
- Any capitalized terms not defined in this Addendum shall have the meanings set forth in the Agreement.
Scope and Purposes of Processing.
- Rockset will Process all Personal Data solely to fulfill its obligations to Customer under the Agreement, including this Addendum, and on Customer’s behalf, and for no other purposes, unless required to do otherwise by Data Privacy Laws to which Rockset is subject. In such case, Rockset will inform Customer of that legal requirement before Processing, unless that law prohibits Customer from providing such information on important grounds of public interest within the meaning of Data Privacy Laws.
Without limiting the foregoing, Customer directs Rockset to Process Personal Data in accordance with Customer’s written instructions, as may be provided by Customer to Rockset from time to time, and in the following manner.
- Subject matter, nature, and purpose of Processing: Rockset will process data solely to provide Customer with services and to fulfill its purposes under the Agreement, which may include any lawful processing or business purposes as provided for under applicable Data Privacy Laws.
- Anticipated duration of Processing: For the term of the Agreement or to the extent that Rockset continues to Process Personal Data, whichever is longer.
- Categories of Personal Data typically subject to Processing under the Agreement: All types of Personal Data, except for special categories of data, as that term is defined under the GDPR. Customer represents and warrants to Rockset that Customer shall not upload or otherwise transfer to Rockset any Personal Data that may constitute special categories of personal data.
- Typical categories of Data Subjects: All types of Data Subjects.
- Rockset will immediately inform Customer if, in Rockset’s opinion, an instruction from Customer infringes Data Privacy Laws.
Rockset will not:
- Sell Personal Data. For purposes of this paragraph, “sell” shall have the meaning set forth in the CCPA.
- Process Personal Data for any purpose other than for the specific purposes set forth herein. For the avoidance of doubt, Rockset will not Process Personal Data outside of the direct business relationship between Customer and Rockset.
- Attempt to link, identify, or otherwise create a relationship between Personal Data and non-Personal Data or any other data without the express authorization of Customer.
Information that has been de-identified is not Personal Data. Rockset may de-identify Personal Data only if it:
- Has implemented technical safeguards that prohibit reidentification of the Data Subject to whom the information may pertain;
- Has implemented business processes that specifically prohibit reidentification of the information;
- Has implemented business processes to prevent inadvertent release of deidentified information; and
- Makes no attempt to reidentify the information.
Compliance with Data Privacy Laws.
- Rockset will only Process Personal Data as set forth in this Addendum and in compliance with Data Privacy Laws.
- Rockset hereby certifies that it understands its restrictions and obligations set forth in this Addendum and will comply with them.
Personal Data Processing Requirements. Rockset will:
- Ensure that the persons it authorizes to Process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
- Upon written request of Customer, assist Customer in the fulfilment of Customer’s obligations to respond to verifiable requests by Data Subjects (or their representatives) for exercising their rights under Data Privacy Laws (such as rights to access or delete Personal Data).
- Promptly notify Customer of (i) any third-party or Data Subject requests or complaints regarding the Processing of Personal Data; or (ii) any government or Data Subject requests for access to or information about Rockset’s Processing of Personal Data on Customer’s behalf, unless prohibited by Data Privacy Laws. If Rockset receives a third-party, Data Subject, or governmental request, Rockset will await written instructions from Customer on how, if at all, to assist in responding to the request. Rockset will provide Customer with reasonable cooperation and assistance in relation to any such request.
- Provide reasonable assistance to and cooperation with Customer for Customer’s performance of a data protection impact assessment of Processing or proposed Processing of Personal Data.
- Provide reasonable assistance to and cooperation with Customer for Customer’s consultation with regulatory authorities in relation to the Processing or proposed Processing of Personal Data, including complying with any obligation applicable to Rockset under Data Privacy Laws to consult with a regulatory authority in relation to Rockset’s Processing or proposed Processing of Personal Data.
- Data Security. Rockset will implement appropriate administrative, technical, physical, and organizational measures to protect Personal Data.
- Security Breach. Rockset will promptly notify Customer of any Security Breach. Rockset will comply with the Security Breach-related obligations directly applicable to it under Data Privacy Laws and will provide reasonable assistance to Customer in Customer’s compliance with its Security Breach-related obligations.
- Customer acknowledges and agrees that Rockset may use Rockset affiliates and other subcontractors to Process Personal Data in accordance with the provisions within this Addendum and Data Privacy Laws. Rockset shall provide Customer with a current list of subcontractors upon Customer’s request.
- Where Rockset sub-contracts any of its rights or obligations concerning Personal Data, including to any affiliate, Rockset will (i) take steps to select and retain subcontractors that are capable of maintaining appropriate privacy and security measures to protect Personal Data consistent with Data Privacy Laws; and (ii) enter into a written agreement with each subcontractor that imposes obligations on the subcontractor that are no less restrictive than those imposed on Rockset under this Addendum.
- Rockset will maintain an up-to-date list of its subcontractors, which it will provide to Customer upon Customer’s request. Customer shall raise any objection to the appointment of new subcontractors within ten (10) days of Rockset’s notice. In the event Customer objects to a new subcontractor, Rockset will use reasonable efforts to make available to Customer a change in the services or recommend a commercially reasonable change to Customer’s use of the services to avoid Processing of Personal Data by the objected-to subcontractor.
- Data Transfers. In the event Customer transfers Personal Data to Rockset in the United States, Rockset agrees to be bound by the standard contractual clauses for the transfer of personal data to processors established in third countries (Commission Decision 2010/87/EC) (“Model Clauses”) located here, to the extent that Rockset Processes Personal Data of Data Subjects located in the European Economic Area. In case of conflict between the Model Clauses and this Addendum, the Model Clauses will prevail. Following Brexit, the relevant terms shall be deemed amended as necessary to legitimize transfers of Personal Data of Data Subjects located in the United Kingdom to and from the United Kingdom and subsequent onward transfers. The Standard Contractual Clauses shall not apply where Rockset Processes Personal Data in a country that the European Commission has decided provides adequate protection for Personal Data.
- Audits. Upon Customer’s request, Rockset will make available to Customer all information necessary to demonstrate compliance with this Addendum and will allow for and contribute to audits, including inspections, conducted by Customer or another auditor mandated by Customer. Customer shall provide Rockset thirty (30) days’ notice of such an audit. The audit firm and the scope, timing and duration of the audit shall be separately agreed upon between the Parties. The audits shall be at Customer’s expense and shall be conducted no more than once per calendar year.
- Return or Destruction of Personal Data. Except to the extent required otherwise by Data Privacy Laws, Rockset will, at the choice of Customer, return to Customer and/or securely destroy all Personal Data upon (a) written request of Customer or (b) termination of the Agreement. Except to the extent prohibited by Data Privacy Laws, Rockset will inform Customer if it is not able to return or delete the Personal Data.
- Limitation of Liability. Rockset’s liability arising out of or related to this Addendum is subject to the provisions on limitation of liability stated in the Agreement.
- Term. The effective date of this Addendum shall be the date on which the term of the Agreement commences.
- Survival. The provisions of this Addendum survive the termination or expiration of the Agreement for so long as Rockset or its subcontractors Process the Personal Data.