Data Processing Addendum
1. This Data Processing Addendum (“Addendum”) forms part of the Subscription Agreement and End User License (“Principal Agreement”) between: (i) CTERA Networks Ltd. (“CTERA”) acting on its own behalf and as agent for each CTERA affiliate; and (ii) the customer listed on the Principal Agreement (“Customer”).
2. In consideration of the mutual obligations set out herein, the Parties hereby agree that the terms and conditions set out below shall be added as an Addendum to the Principal Agreement in the event that Customer Personal Data (as defined below) is processed by CTERA. Except where the context requires otherwise, references in this Addendum to the Principal Agreement are to the Principal Agreement as amended by, and including, this Addendum. Except as modified below, the terms of the Principal Agreement shall remain in full force and effect. With regard to the subject matter of this Addendum, in the event of inconsistencies between the provisions of this Addendum and the Principal Agreement, the provisions of this Addendum shall prevail.
3. Under the Principal Agreement the nature and purposes of processing Personal Data by CTERA as data processor shall be limited to those set forth in Schedule 1.
4.1 In this Addendum, the following terms shall have the meanings set out below and cognate terms shall be construed accordingly:
4.1.1 “Applicable Laws” means (a) European Union or Member State laws with respect to any Customer Personal Data in respect of which any Customer is subject to EU Data Protection Laws; and (b) any other applicable law with respect to any Customer Personal Data in respect of which Customer is subject to any other Data Protection Laws;
4.1.2 “Customer Personal Data” means any Personal Data Processed by CTERA on behalf of Customer pursuant to or in connection with the Principal Agreement and this Addendum;
4.1.3 “Data Protection Laws” means EU Data Protection Laws and, to the extent applicable, the data protection or privacy laws of any other country;
4.1.4 “EEA” means the European Economic Area;
4.1.5 “EU Data Protection Laws” means EU Directive 95/46/EC, as transposed into domestic legislation of each Member State and as amended, replaced or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR;
4.1.6 “GDPR” means EU General Data Protection Regulation 2016/679;
4.1.7 “Restricted Transfer” means:
188.8.131.52 a transfer of Customer Personal Data from Customer to CTERA; or
184.108.40.206 an onward transfer of Customer Personal Data from CTERA to a Sub-processor, or between two establishments of CTERA,
in each case, where such transfer would be prohibited by Data Protection Laws (or by the terms of data transfer agreements put in place to address the data transfer restrictions of Data Protection Laws) in the absence of the Standard Contractual Clauses to be established under Section 16.1 below;
4.1.8 “Services” means the services and other activities to be supplied to or carried out by or on behalf of CTERA for Customer pursuant to the Principal Agreement;
4.1.9 “Standard Contractual Clauses” means the contractual clauses issued by the Commission from time to time;
4.1.10 “Sub-processor” means any person (including any third party and any CTERA affiliate, but excluding an employee of CTERA or any of its sub-contractors) appointed by or on behalf of CTERA to Process Personal Data on behalf of Customer in connection with the Principal Agreement; and
4.1.11 “CTERA” means CTERA and any entity that owns or controls, is owned or controlled by or is or under common control or ownership with CTERA, where control is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract or otherwise.
4.1.12 “Party”/”Parties” means Customer and CTERA separately, or jointly, as the case may be;
4.1.13 “Purpose” means as described in Schedule 1; and
4.1.14 “Supervisory Authority” means any court, regulatory agency or authority which, according to Applicable Laws and/or regulations, supervises privacy issues and/or the processing of personal data.
4.2 The terms, “commission”, “controller”, “data subject”, “member state”, “personal data”, “personal data breach”, “processing”, “processor” and “supervisory authority” shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly.
5. Special undertakings of the Parties
5.1 Roles, ownership of personal data, processing and purpose
5.1.1 Customer may be considered as either the controller or processor of the Customer Personal Data and CTERA shall be considered a processor of the Customer Personal Data on behalf of Customer.
5.1.2 CTERA may only process the Customer Personal Data for the Purpose and to the extent it is necessary for the fulfilment of CTERA’s obligations under this Addendum or the Principal Agreement.
5.1.3 This Addendum shall apply to the actions of any of CTERA or Customer’s affiliates performing tasks and obligations in the context of this Addendum and any such affiliates shall have all rights and obligations set forth in this Addendum as if they were CTERA or Customer, as applicable.
5.2 Special undertakings of Customer
5.2.1 Customer undertakes to:
Ensure that there is a legal ground for processing of the Customer Personal Data;
Ensure that any disclosure or transfer of Customer Personal Data to CTERA confirms to the Applicable Laws.
Inform CTERA about any erroneous, rectified, updated or deleted Customer Personal Data subject to CTERA’s processing; and
Fully comply with any request of data subjects and with any data subject rights under Applicable Laws.
Provide CTERA with documented instructions regarding CTERA’s processing of the Customer Personal Data, as may be required from time to time.
5.3 Special undertakings of CTERA
5.3.1 CTERA undertakes to:
Only process Customer Personal Data in accordance with Applicable Laws and Customer’s documented instructions, as set forth herein, including with regard to transfers of personal data to a third country or an international organisation, unless required to do so by Applicable Laws; in such a case, CTERA shall inform Customer of that legal requirement before processing the personal data, unless such information is prohibited by the Applicable Laws on important grounds of public interest;
Taking into account the nature of CTERA’s processing of the Customer Personal Data, implement appropriate technical and organisational measures to reasonably ensure a level of security appropriate to the risk and reasonably assist Customer by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of Customer’s obligation to respond to requests for exercising the data subject’s rights or with respect to data breaches in Applicable Laws; and
Make available to Customer all information reasonably necessary to demonstrate compliance with the obligations laid down in this Addendum.
6. Processing of Customer Personal Data
6.1.1 instructs CTERA (and authorises CTERA to instruct each Sub-processor) to:
220.127.116.11 process Customer Personal Data; and
18.104.22.168 in particular, transfer Customer Personal Data to any country or territory,
as reasonably necessary for the provision of the Services and consistent with the Principal Agreement; and
6.2 Schedule 1 to this Addendum sets out certain information regarding CTERA’s processing of Customer Personal Data. Customer shall immediately inform CTERA of any required amendments to Schedule 1 by written notice to CTERA, and the Parties shall negotiate in good-faith the amendment of Schedule 1.
7.1 CTERA shall take reasonable steps to ensure the reliability of any employee, agent or contractor of CTERA who may have access to the Customer Personal Data, and to ensure that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.
8. Data Security
8.1 Without derogating from Customer’s obligations regarding data security under the Principal Agreement, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, CTERA shall in relation to the Customer Personal Data implement appropriate technical and organizational measures to reasonably ensure a level of security appropriate to that risk.
9.1 Customer authorises CTERA to appoint (and permit each Sub-processor appointed in accordance with this Section 9 to appoint) Sub-processors in accordance with this Section 9 and any restrictions in the Principal Agreement.
9.2 CTERA may continue to use those Sub-processors already engaged by CTERA as at the date of this Addendum, as listed in Schedule 2, subject to CTERA meeting the obligations set out in Section 9.4.
9.3 CTERA shall give Customer prior written notice of the appointment of any new Sub-processor. If, within 30 days of receipt of that notice, Customer notifies CTERA in writing of any objections (on reasonable grounds) to the proposed appointment, then Customer may terminate that portion of the Services which require the use of the new Sub-processor to whom Customer objects. If CTERA receives no notice of objection from Customer in the period specified above, Customer will be deemed to accept and consent to the appointment of the new Sub-processor.
9.4 With respect to each Sub-processor, CTERA shall:
9.4.1 ensure that the arrangement between the CTERA, and the Sub-processor, is governed by a written contract including terms which offer at least the same level of protection for Customer Personal Data as those set out in this Addendum; and
9.4.2 if that arrangement involves a Restricted Transfer, ensure that the Standard Contractual Clauses are at all relevant times incorporated into the agreement between on the one CTERA and the Sub-processor.
9.5 CTERA shall ensure that each Sub-processor performs the obligations under this Addendum, as they apply to processing of Customer Personal Data carried out by that Sub-processor, as if it were party to this Addendum in place of CTERA.
10. Data subject rights
10.1 CTERA shall:
10.1.1 promptly notify Customer if CTERA receives a request from a data subject under any Data Protection Law in respect of Customer Personal Data; and
10.1.2 ensure that CTERA does not respond to that request except on the documented instructions of Customer or as required by Applicable Laws to which CTERA is subject.
11. Personal Data Breach
11.1 CTERA shall notify Customer without any delay but no later than within 48 hours, in writing, upon CTERA or any Sub-processor becoming aware or has reasons to believe of a Personal Data Breach affecting Customer Personal Data, providing Customer with reasonably sufficient information that is available to CTERA to allow Customer to meet its obligations to report or inform Data Subjects of the Personal Data Breach under the Data Protection Laws.
11.2 Immediately following CTERA’s notification to Customer of a Personal Data Breach, the Parties shall coordinate with each other to investigate the breach. CTERA agrees to reasonably cooperate with Customer, at Customer’s expense, in the investigation, mitigation and remediation of a Personal Data Breach.
11.3 Insofar as and to the extent that it is necessary and cannot be reasonably attained without CTERA’s assistance, CTERA agrees to assist Customer in advising the Supervisory Authority and data subjects about Personal Data Breach. It shall not, however, inform any third party of any Personal Data Breach without first obtaining Customer’s prior written consent, other than to inform a complainant (if any) that the matter has been forwarded to Customer, or if otherwise required under any Applicable Law.
11.4 Customer shall reimburse CTERA for actual reasonable costs incurred by CTERA in responding to, and mitigating damages caused by any security incident or Personal Data Breach, including all costs of notice and/or remediation.
11.5 CTERA’s obligation to notify and cooperate in the investigation of a Personal Data Breach under this Section 11 is not, and will not, be construed as an acknowledgement by CTERA of any fault or liability of CTERA with respect to such Personal Data Breach.
12. Data Protection Impact Assessment and Prior Consultation
12.1 CTERA shall provide reasonable assistance to Customer, at Customer’s expense, with any data protection impact assessments, and prior consultations with Supervising Authorities or other competent data privacy authorities, in each case solely in relation to Processing of Customer Personal Data by, and taking into account the nature of the Processing and information available to, CTERA.
Cooperation and Coordination
13.1 Upon reasonable request by Customer, CTERA shall as promptly and as reasonably practicable provide Customer with a written report containing information reasonably requested by Customer relating to: (i) any security event and Personal Data Breach; or (ii) actual or reasonably suspected non-compliance with this Addendum. In addition, CTERA shall provide Customer with any documents reasonably requested by Customer related to the foregoing, including without limitation, any information security assessment and security control audit reports.
14. Deletion or return of Customer Personal Data
14.1 Subject to Section 14.2 CTERA shall promptly and in any event within fourteen (14) days of the date of termination or expiration of any Services involving the Processing of Customer Personal Data (the “End Date”), or of the date of a written notice by Customer, delete and procure the deletion of all copies of those Customer Personal Data.
14.2 CTERA may retain Customer Personal Data to the extent required by Applicable Laws and only to the extent and for such period as required by Applicable Laws and always provided that CTERA shall ensure the confidentiality of all such Customer Personal Data and shall ensure that such Customer Personal Data is only Processed as necessary for the purpose(s) specified in the Applicable Laws requiring its storage and for no other purpose.
15. Audit rights
15.1 At the request of Customer and on its expense, but not more than once per year, CTERA shall conduct site audits of the information technology and information security controls for all facilities used in complying with its obligations under this Addendum. Customer shall treat such audit reports as CTERA’s confidential information.
15.2 Customer shall have the right to perform audits, not more than once per calendar year and upon prior written notice of at least thirty (30) days to CTERA, of CTERA’s processing of the Customer Personal Data in order to verify CTERA’s, and any Sub-processor’s, compliance with this Addendum. The audit shall be confined to processing documentation prepared by CTERA and logged and documented information regarding its information security measures, and in any event will not entitle Customer to conduct technological investigations on CTERA’s information systems.
15.3 Customer shall make (and ensure that each of its mandated auditors makes) reasonable endeavours to avoid causing (or, if it cannot avoid, to minimise) any damage, injury or disruption to CTERA’s premises, equipment, personnel and business while its personnel are on those premises in the course of such an audit or inspection.
15.4 If any Supervisory Authority: (i) contacts CTERA with respect to its systems or any processing of Customer Personal Data carried out by CTERA, (ii) conducts, or gives notice of its intent to conduct, an inspection of CTERA with respect to the processing of Customer Personal Data, or (iii) takes, or gives notice of its intent to take, any other regulatory action alleging improper or inadequate practices with respect to any processing of Customer Personal Data carried out by CTERA, then CTERA shall immediately notify the Customer and shall subsequently supply Customer with all information pertinent thereto to the extent permissible by law.
15.5 Customer shall bear all costs for audits set out herein.
16. Restricted Transfers
16.1 In the event that the processing activities under this Addendum are considered Restricted Transfer, Customer (as “data exporter”) and CTERA, (as “data importer”) hereby enter into the Standard Contractual Clauses in respect of any Restricted Transfer from Customer to CTERA.
16.2 CTERA warrants and represents that, before the commencement of any Restricted Transfer to a Sub-processor, CTERA’s entry into the Standard Contractual Clauses under Section 16.1, as agent for and on behalf of that Sub-processor will have been duly and effectively authorised (or subsequently ratified) by that Sub-processor.
17. General Terms
Governing law and jurisdiction
17.1 This Addendum and all non-contractual or other obligations arising out of or in connection with it are governed by the laws of the country or territory stipulated for this purpose in the Principal Agreement. The Parties to this Addendum hereby submit to the choice of jurisdiction stipulated in the Principal Agreement with respect to any disputes or claims howsoever arising under this Addendum, including disputes regarding its existence, validity or termination or the consequences of its nullity; and
Assignation of rights or obligations
17.2 Neither Party may assign its rights or obligations under this Addendum without the prior written consent of the other Party.
17.3 All notices to a Party under this Addendum shall be in writing and sent to its address as set forth at the beginning of this Addendum, or to such other address as such Party has provided the other in writing for such purpose. Notices may be sent by post, courier, fax or email.
17.4 Notices shall be deemed to have been duly given (i) on the day of delivery when delivered in person or by courier, (ii) three (3) business days after the day when the notice was sent when sent by post, and (iii) on the day when the receiver has manually confirmed that it is received when sent per fax or email.
Term and termination
17.5 This Addendum shall enter into force on the date hereof. Unless terminated earlier (i) due to a material breach of the terms of this Addendum, in which case this Addendum shall be terminated with immediate effect if the other Party fails to cure such breach in a satisfactory manner within fifteen (15) days after the other Party’s written demand thereof, or (ii) this Addendum shall remain in force until the termination or expiration of the Principal Agreement, whereupon it shall terminate automatically without further notice. The termination or expiration of this Addendum shall immediately terminate any processing agreement entered into between CTERA and any Sub-processor.
17.6 Either Party may terminate this Addendum by giving the other Party thirty (30) days written notice.
Liability and indemnification
17.7 Each Party shall indemnify and hold the other Party harmless from and against all losses due to claims from third parties including government/authority fines and penalties resulting from, arising out of or relating to any breach by such first-mentioned Party of the this Addendum or the applicable Data Protection Laws.
17.8 Without derogating from the foregoing, the Parties’ liability for any losses or damages (including fines and penalties) related to a breach of this Addendum or any Data Protection Laws shall be governed by the provisions regarding liability and limitations of liability in the Principal Agreement.
- subject matter
The subject matter of the Processing under this Addendum is Customer Personal Data.
- purpose of the personal data processing
The purpose of the Processing of Customer Personal Data is the provision by CTERA of Cloud File Services and use by Customer of the Connection Software (as such terms are defined in the Principal Agreement).
- nature of Processing
The Personal Data processed will be subject to the following basic processing activities: Compute, storage and such other related activities as described in the Principal Agreement.
- types of personal data
CTERA may collect certain contact information of Customer’s employees or other representatives provided to CTERA by Customer, such as: name, title, phone number and email address, in order to enable the provision of the Services. The Services are not designed or intended for CTERA to access Customer Personal Data, and therefore CTERA has no knowledge as to what types of Customer Personal Data, other than the aforementioned contact information, are processed by it on behalf of Customer. The types of Personal Data processed by CTERA shall be determined solely by Customer and may or may not contain special categories of data, in Customer’s sole discretion.
- categories of Data subjects
CTERA may collect certain contact information of Customer’s employees or other representatives, as may be provided to CTERA by Customer, in order to enable the provision of the Services. The Services are not designed or intended for CTERA to access Customer Personal Data, and therefore CTERA has no knowledge as to what categories of data subjects the Customer Personal Data may relate to, other than employees and other representatives as aforementioned. The categories of data subjects shall be determined solely by Customer and may include: Customer’s end users, employees, consultants, contractors, agents, clients, suppliers and any other third parties with whom Customer conducts business.
- duration of processing
As between CTERA and Customer, the duration of the Processing under this Addendum shall be determined by Customer.
- Security measures
Without derogating from Customer’s obligations regarding data security under the Principal Agreement, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, CTERA shall in relation to the Customer Personal Data implement appropriate technical and organizational measures to reasonably ensure a level of security appropriate to that risk.
list of Sub-processors
Amazon Web Services, Inc.
Cloud service provider
Cloud-based customer relationship management