Data Processing Agreement

Last Updated: January 2021

This Data Processing Agreement (“DPA”) is hereby entered into by and between AKEYLESS Security LTD. and its Affiliates (“Akeyless” or “Company”) and its Customers (“Customer” or “you”), for the purpose of using the Services, as defined under the Terms of Service, available at: {link} (“Terms”).

This DPA forms an integral part of the Terms. Capitalized terms not defined herein shall have the respective meanings given to them in the Terms.

This DPA sets forth the parties’ responsibilities and obligations regarding the Processing of Personal Data during the course of the engagement between the parties.

1. Definitions

1.1 “Affiliates” means any entity which is controlled by, controls or is under common control with one of the parties.

1.2 “CCPA” means the California Consumer Privacy Act (Cal. Civ. Code §§ 1798.100 – 1798.199) of 2018, as may be amended as well as all regulations promulgated thereunder from time to time.

1.3 The terms “Controller”, “Processor”, “Data Subject”, “Processing” (and “Process”) and “Personal Data Breach” shall all have the same meanings as ascribed to them in EU Data Protection Law. The terms “Business”, “Business Purpose”, “Consumer”, “Service Provider” and “Sell” shall have the same meanings as ascribed to them in the CCPA. “Data Subject” shall also mean and refer to “Consumer”, as such term is defined in the CCPA.

1.4 “Data Protection Law” means any and all applicable privacy and data protection laws and regulations (including, where applicable, EU Data Protection Law and the CCPA) as may be amended or superseded from time to time.

1.5 “EU Data Protection Law” means (i) the EU General Data Protection Regulation (Regulation 2016/679) (“GDPR”); (ii) the EU e-Privacy Directive (Directive 2002/58/EC), as amended (“e-Privacy Law”); (iii) any national data protection laws made under, pursuant to, replacing or succeeding (i) and (ii); (iv) any legislation replacing or updating any of the foregoing; and (v) any judicial or administrative interpretation of any of the above, including any binding guidance, guidelines, codes of practice, approved codes of conduct or approved certification mechanisms issued by any relevant Supervisory Authority.

1.6 “ID” means (i) a unique identifier stored on an end-user’s device, (ii) a unique identifier generated on the basis of device information, or (iii) an online identifier associated with a device.

1.7 “Personal Data” or “Personal Information” means any information which (i) relates to, describes, or is capable of being associated with an identifiable individual, including any information that can be linked to an individual or used to directly or indirectly identify an individual or Data Subject; and (ii) is processed by the Company pursuant to the Agreement, including by way of access to the data, and may include, inter alia, demographic data, device information, IDs, cookies, browsing URLs, events, and geolocation data.

1.8 “Security Incident” means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data. Any Personal Data Breach will constitute a Security Incident.

2. Parties’ Roles

2.1 The parties agree and acknowledge that in the performance of their obligations set forth in the Terms, and with respect to the Processing of Personal Data, Akeyless is acting as a Data Processor and Customer is acting as a Data Controller. For the purpose of the CCPA (and to the extent applicable), Customer is the Business and Akeyless is the Service Provider. Each party shall be individually and separately responsible for complying with the obligations that apply to it under applicable Data Protection Law. Without derogating from the above, in addition to Akeyless’ capacity as a Processor of the Personal Data, Akeyless is also a Controller of certain Personal Data related to the Customer, such as Customer’s personnel contact details, and such Personal Data shall be used in accordance with Company’s privacy policy available at: {link} (“Privacy Policy”).

2.2 The subject matter and duration of the Processing carried out by the Processor on behalf of the Controller, the nature and purpose of the Processing, the type of Personal Data and categories of Data Subjects are described in Schedule 1 attached hereto.

3. Representations and Warranties

3.1 The Customer represents and warrants that: (a) its Processing instructions shall comply with applicable Data Protection Law, and the Customer acknowledges that, taking into account the nature of the Processing, Akeyless is not in a position to determine whether the Customer’s instructions infringe applicable Data Protection Law; and (b) it will comply with EU Data Protection Law, specifically with regard to the lawful basis principle for Processing Personal Data, as well as with the CCPA provisions.

3.2 Akeyless represents and warrants that it shall Process Personal Data, as set forth under Article 28(3) of the GDPR, on behalf of the Customer, solely for the purpose of providing the Services, and for the pursuit of a Business Purpose as set forth under the CCPA, all in accordance with Customer’s written instructions including the Terms and this DPA. Notwithstanding the above, in the event Akeyless is required under applicable laws to Process Personal Data other than as instructed by Customer, Akeyless shall use its best efforts to inform the Customer of such requirement prior to Processing such Personal Data, unless prohibited under applicable law.

4. Processing of Personal Data and Compliance with Data Protection Law

4.1 The Customer represents and warrants that Special Categories of data shall not be Processed or shared in connection with the performance of the Services, unless agreed in writing by Akeyless. Unless otherwise agreed to in writing by the parties, the Customer shall not share any Personal Data with Akeyless that contains Personal Data relating to children under 16 years old.

4.2 As between the parties, the Customer undertakes, accepts and agrees that the Data Subjects do not have a direct relationship with Akeyless and that Akeyless relies on Customer’s lawful basis (as required under Data Protection Law). In the event consent is needed under Data Protection Law, the Customer shall ensure that it obtains a proper act of consent from Data Subjects and presents all necessary and appropriate notices in accordance with applicable Data Protection Law and other relevant privacy requirements in order to Process Personal Data and enable lawful transfer and Processing of Personal Data to and by the Company, as well as, where applicable, provide the Data Subjects with the ability to opt out. In the event Data Subject consent is required under Data Protection Law, Customer shall be fully responsible for supporting and transmitting to the Company the parameters of consent, or opt-out, as applicable. The Customer shall maintain a record of all consents obtained from Data Subjects, including the time and date on which consent was obtained, the information presented to Data Subjects in connection with their giving consent, and details of the mechanism used to obtain consent, as well as a record of the same information in relation to all withdrawals of consent by Data Subjects. Customer shall make these records available to Akeyless promptly upon request.

5. Rights of Data Subjects and Parties Cooperation Obligations

It is agreed that where Akeyless receives a request from a Data Subject or an applicable authority in respect of Personal Data Processed by Akeyless, where relevant, Akeyless will direct the Data Subject or the applicable authority to the Customer in order to enable the Customer to respond directly to the Data Subject’s or the applicable authority’s request, unless otherwise required under applicable laws. The parties shall provide each other with commercially reasonable cooperation and assistance in relation to the handling of a Data Subject’s or applicable authority’s request, to the extent permitted under Data Protection Law.

6. No Sale of Personal Information

It is hereby agreed that any share of Personal Data between the parties is made solely for fulfilling a Business Purpose and Akeyless does not receive or process any Personal Data in consideration for the Services. Thus, such Processing of Personal Data shall not be considered as a “Sale” of Personal Information under the CCPA.

7. Sub-Processor

The Customer acknowledges that Akeyless may transfer Personal Data to and otherwise interact with third party data processors (“Sub-Processors”). The Customer hereby authorizes Akeyless to engage and appoint such Sub-Processors to Process Personal Data, and permits each Sub-Processor to appoint a further Sub-Processor on its behalf. Akeyless may continue to use those Sub-Processors already engaged by Akeyless, and Akeyless may engage an additional Sub-Processor or replace an existing Sub-Processor to Process Personal Data provided that it notifies the Customer of its intention to do so. Akeyless shall, where it engages any Sub-Processor, impose, through a legally binding contract between Akeyless and the Sub-Processor, data protection obligations as required under applicable Data Protection Laws. Akeyless shall ensure that such contract will require the Sub-Processor to provide sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the Processing will meet the requirements of Data Protection Laws.

8. Technical and Organizational Measures

Akeyless hereby confirms that it has implemented and will maintain appropriate physical, technical and organizational measures to protect the Personal Data as required under Data Protection Laws to ensure lawful processing of Personal Data and safeguard Personal Data from unauthorized, unlawful or accidental processing, access, disclosure, loss, alteration or destruction.

9. Security Incident

Akeyless will notify the Customer upon becoming aware of any confirmed Security Incident involving the Personal Data in Akeyless’ possession or control. Akeyless’ notification regarding or response to a Security Incident under this Section 9 shall not be construed as an acknowledgment by Akeyless of any fault or liability with respect to the Security Incident. Akeyless will, in connection with any Security Incident affecting the Personal Data: (i) take such steps as are necessary to contain, remediate, minimize any effects of and investigate any Security Incident and to identify its cause; (ii) co-operate with the Customer and provide the Customer with such assistance and information as it may reasonably require in connection with the containment, investigation, remediation or mitigation of the Security Incident; and (iii) notify the Customer in writing of any request, inspection, audit or investigation by a supervisory authority or other authority.

10. Audit Rights

Akeyless shall make available, solely upon prior reasonable written notice and no more than once per year, to a reputable auditor nominated by the Customer, information necessary to reasonably demonstrate compliance with this DPA, and shall allow for audits, including inspections, by such reputable auditor solely in relation to the Processing of the Personal Data (“Audit”) in accordance with the terms and conditions hereunder. The auditor shall be subject to the terms of this DPA and standard confidentiality obligations (including towards third parties). Akeyless may object to an auditor appointed by the Customer in the event Akeyless reasonably believes the auditor is not suitably qualified or independent, is a competitor of Akeyless or is otherwise unsuitable (“Objection Notice”). The Customer will appoint a different auditor or conduct the Audit itself upon its receipt of an Objection Notice from Akeyless. Customer shall bear all expenses related to the Audit and shall (and shall ensure that each of its auditors shall), over the course of such Audit, avoid causing any damage, injury or disruption to Akeyless’ premises, equipment, personnel and business while its personnel are on those premises in the course of such Audit. Any and all conclusions of such Audit shall be confidential and reported back to Akeyless immediately.

11. Indemnification

The Customer shall indemnify and hold the Company harmless from and against any and all claims, costs, damages, losses, liabilities and expenses (including reasonable attorneys’ fees) arising out of or in connection with any third party’s claim due to the Customer’s breach of this DPA.

12. Data Transfer

Where EU Data Protection Law applies, neither party shall transfer Personal Data to a territory outside of the EEA unless it has taken such measures as are necessary to ensure the transfer is in compliance with EU Data Protection Law. Such measures may include (without limitation) transferring the Personal Data to a recipient in a country that the European Commission has decided provides adequate protection for Personal Data, signing Standard Contractual Clauses (“SCC”), obtaining consent, etc.

13. Conflict

In the event of a conflict between the terms and conditions of this DPA and the Terms, this DPA shall prevail.

SCHEDULE 1

DETAILS OF PROCESSING OF CONTROLLER PERSONAL DATA

This Schedule 1 includes certain details of the Processing of Personal Data as required by Article 28(3) GDPR.

Subject matter and duration of the Processing of Personal Data:

Processing shall be carried out in connection with the provision of the Services. The duration shall be for the duration of the engagement between the parties.

The nature and purpose of the Processing of Personal Data:

To provide the Services to the Customer.

The types of Personal Data Processed:

● A real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, or other similar identifiers

The categories of Data Subjects to whom the Personal Data or Special Categories of Personal Data relates:

Data Subjects whose Personal Data are being processed in connection with the Services.