This Data Processing Agreement (“DPA”), effective as of _________, 202_ (“Effective Date”), is by and between Tigera, Inc. (“Tigera”), a Delaware limited liability company with offices at 2890 Zanker Road, Suite 205, San Jose, CA 95134 U.S.A and _________________________, a _________________________ with offices at _________________________(“Customer”) and documents the parties’ agreement regarding the Processing of Personal Data by Tigera pursuant to the End User Subscription Agreement For Calico Cloud entered into between the parties (the “Subscription Agreement”).
Customer enters into this DPA for itself and, if any of its affiliates act as Controllers of Personal Data, on behalf of those affiliates. All capitalized terms not defined herein will have the meaning set forth in the Subscription Agreement.
In the course of providing the Solutions to Customer under the Subscription Agreement, Tigera may Process Personal Data on behalf of Customer. The parties agree to the following terms with respect to such Processing.
1. DEFINITIONS
“CCPA” means the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et. seq., as amended by the California Privacy Rights Act of 2020 and together with any implementing regulations.
“Controller” means the entity which determines the purposes and means of the Processing of Personal Data and is deemed to also refer to a “business” as defined in the CCPA.
“Customer” means the entity named above and its Affiliates.
“Data Subject” means the identified or identifiable person to whom Personal Data relates and includes “consumer” as defined in Privacy Laws and Regulations.
“Europe” means the European Union, the European Economic Area, Switzerland, and the United Kingdom. Additional provisions applicable to Outside Europe Transfers are contained in Clause 12 below.
“GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
“Outside Europe Transfer” means transfers of Personal Data from Europe to one or more countries that do not ensure an adequate level of data protection within the meaning of the Privacy Laws and Regulations.
“Personal Data” means any information relating to (i) an identified or identifiable natural person and, (ii) an identified or identifiable legal entity (where such information is protected similarly as personal data, personal information, or personally identifiable information under applicable Privacy Laws and Regulations), where for each (i) or (ii), such data is uploaded to the Solutions (as defined in the Subscription Agreement).
“Privacy Laws and Regulations” means all laws and regulations of the European Union and its member states, the European Economic Area and its member states, the United Kingdom, Switzerland, the United States, Canada, New Zealand, Australia, and their respective political subdivisions, applicable to the Processing of Personal Data. These include, but are not limited to, the following, to the extent applicable: the GDPR, UK Data Protection Law, the CCPA and CPRA.
“Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Processor” means the entity which Processes Personal Data on behalf of the Controller, including as applicable any “service provider” as that term is defined by the CCPA.
“Standard Contractual Clauses” means the Annex to the European Commission’s implementing decision (EU) 2021/914 of 4 June 2021 on Standard Contractual Clauses for the transfer of personal data to processors established in third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council of the European Union and subject to required amendments for Switzerland further described in Appendix 4.
“Sub-processor” means any Processor engaged by Tigera, by a member of the Tigera Group or by another Sub-processor.
“Supervisory Authority” means a governmental or government-chartered regulatory body having binding legal authority over Customer.
“Tigera Group” means Tigera and its affiliates engaged in the Processing of Personal Data.
“UK Addendum” means the United Kingdom International Data Transfer Addendum to the EU Commission Standard Contractual Clauses available as of 21 March 2022, completed as described in Appendix 4.
“UK Data Protection Law” means Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018, as may be amended from time to time by the Privacy Laws and Regulations of the United Kingdom.
2. PROCESSING OF PERSONAL DATA
2.1. Scope. The parties agree that this DPA will apply only to the Processing of Personal Data within the Solutions.
2.2. Roles of the Parties. In relation to the Processing of Personal Data resulting from the provision of the Solutions under the Subscription Agreement, Customer is the Controller and Tigera is the Processor.
2.3. Tigera’s Processing of Personal Data. Tigera will treat Personal Data as Confidential Information and will Process Personal Data on behalf of and only in accordance with Customer’s documented instructions for the following purposes: (i) Processing in accordance with the Subscription Agreement and applicable Order Form(s); (ii) Processing resulting from Customer personnel’s use of the Solutions; and (iii) Processing to comply with other documented reasonable written instructions provided by Customer, where such instructions are consistent with the terms of the Subscription Agreement.
2.4. Processing Restrictions. Tigera will not: (i) “sell” or “share” Personal Data, as such terms are defined in Privacy Laws and Regulations; (ii) retain, use, disclose or Process Personal Data for any commercial or other purpose other than to perform the Solutions; or (iii) retain, use, or disclose Personal Data outside of the direct business relationship between Customer and Tigera. Where applicable, Tigera will comply with applicable restrictions under Privacy Laws and Regulations on combining Personal Data with personal data that Tigera receives from, or on behalf of, another person or persons, or that Tigera collects from any interaction between it and any individual.
2.5. Notification of Unlawful Instructions; Unauthorized Processing. Tigera will immediately inform Customer if, in its opinion, an instruction given by Customer infringes any Privacy Laws and Regulations. Customer retains the right, upon notice, to take reasonable and appropriate steps to stop and remediate unauthorized use of Personal Data, including uses of Personal Data not authorized in this DPA.
2.6. Details of Processing. The subject matter of the Processing of Personal Data by Tigera is the performance of the Solutions pursuant to the Subscription Agreement. The duration of the Processing, the nature and purpose of the Processing, the types of Personal Data and categories of Data Subjects Processed under this DPA are further specified in Appendix 2 (Details of the Processing).
2.7. Data Protection Impact Assessment. Upon Customer’s request, Tigera will reasonably assist Customer in fulfilling Customer’s obligation under Privacy Laws and Regulations to carry out a data protection impact assessment related to Customer’s use of the Solutions, to the extent Customer does not otherwise have access to the relevant information and such information is available to Tigera. Tigera will reasonably assist Customer in its cooperation or prior consultation with a Supervisory Authority regarding any such data protection impact assessment to the extent required under applicable Privacy Laws and Regulations.
2.8. Customer Obligations Regarding Personal Data. In its use of the Solutions, Customer will comply with the Privacy Laws and Regulations, including any applicable requirements to provide notice to and/or obtain consent from Data Subjects for Processing by Tigera. Customer will ensure that its instructions for the Processing of Personal Data comply with Privacy Laws and Regulations. Customer will be solely responsible for the accuracy, quality, and legality of Personal Data and the means by which Customer acquired Personal Data. Customer will ensure that its use of the Solutions will not violate the rights of any Data Subject that has opted-out from sales, sharing, or other disclosures of Personal Data, to the extent applicable.
3. REQUEST FOR CUSTOMER DATA
3.1. Requests from Data Subjects. Tigera will, to the extent legally permitted, promptly notify Customer if Tigera receives a request from a Data Subject to exercise the Data Subject’s right of access, right of rectification, right to restrict Processing, right of erasure (“right to be forgotten”), right of data portability, right to object to the Processing, or right not to be subject to automated individual decision making, each such request being a “Data Subject Request.” To the extent Customer, in its use of the Solutions, does not have the ability to address a Data Subject Request, Tigera will upon Customer’s request use commercially reasonable efforts to assist Customer in responding to such Data Subject Request, to the extent Tigera is legally permitted to do so and the response to such Data Subject Request is required under Privacy Laws and Regulations.
b. Requests from Other Third Parties. If Tigera receives a request from a third party other than a Data Subject (including, without limitation, a government agency) for Customer Data, Tigera will, where permitted by law, direct the requesting party to Customer and promptly notify Customer of the request. Where Tigera is not permitted by law to notify Customer of the request, Tigera will only respond to the requesting party if required by law to do so and will make reasonable efforts to work with the requesting party to narrow the scope of the Customer Data request.
4. TIGERA PERSONNEL
a. Confidentiality. Tigera will ensure that its personnel engaged in the Processing of Personal Data are informed of the confidential nature of the Personal Data, have received appropriate training on their responsibilities and are subject to relevant confidentiality obligations. Tigera will ensure that such confidentiality obligations survive the termination of the personnel engagement.
b. Limitation of Access. Tigera will ensure that Tigera’s access to Personal Data is limited to those personnel who require such access to perform the Solutions in accordance with the Subscription Agreement.
c. Data Protection Officer. Members of the Tigera Group will appoint a data protection officer where such appointment is required by Privacy Laws and Regulations.
5. SUB-PROCESSORS
a. Appointment of Sub-processors. Customer grants Tigera a general authorization to appoint third-party Sub-processors in connection with the Solutions, in accordance with the procedures outlined in this DPA. Tigera or a Tigera affiliate has entered into a written agreement with each Sub-processor containing data protection obligations not less protective than those in this DPA with respect to the protection of Customer Data, to the extent applicable to the services provided by such Sub-processor.
b. Current Sub-processors and Notification of New Sub-processors. A list of Sub-processors for the Solutions, as of the date this DPA is executed, is attached in Appendix 1. Tigera will notify Customer in writing of any new Sub-processor before authorizing such new Sub-processor to Process Personal Data.
c. Objection Right for New Sub-processors. Customer may object to Tigera’s use of a new Sub-processor by notifying Tigera in writing within 30 days after receipt of a notice described in the preceding paragraph. If Customer objects to a new Sub-processor as permitted in the preceding sentence, Tigera will use commercially reasonable efforts to make available to Customer a change in the Solutions or recommend a change to Customer’s configuration or use of the Solutions, to avoid Processing of Personal Data by the new Sub-processor in question without unreasonably burdening Customer. If Tigera is unable to make available such change in the Solutions, or to recommend such a change to Customer’s configuration or use of the Solutions that is satisfactory to Customer, within a reasonable period of time (which will in no event exceed 30 days), Customer may terminate the applicable Order Form(s) by providing written notice to Tigera.
d. Liability for Sub-Processors. Tigera will be liable for the acts and omissions of its Sub-processors to the same extent Tigera would be liable if performing the services of each Sub-processor directly under the terms of this DPA.
6. SECURITY
a. Controls for the Protection of Customer Data. Tigera will maintain appropriate physical, technical and organizational measures for protection of the security (including protection against unauthorized or unlawful Processing and against accidental or unlawful destruction, loss or alteration or damage, unauthorized disclosure of, or access to, Customer Data), confidentiality and integrity of Customer Data, including Personal Data, in accordance with Appendix 3 (Security Controls).
b. Third-Party Audit Reports and Certifications. Upon Customer’s written request at reasonable intervals, and subject to the confidentiality obligations in the Subscription Agreement, Tigera will make available to Customer a copy of Tigera’s then most recent third-party audit report SOC 2 audit report, and of any other audit reports and certifications that Tigera makes available to customers, provided Customer is not a competitor of Tigera.
7. CUSTOMER DATA INCIDENT MANAGEMENT AND NOTIFICATION
Tigera maintains security incident management policies and procedures and will notify Customer without undue delay after becoming aware of an accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Data, including Personal Data, transmitted, stored or otherwise Processed by Tigera or its Sub-processors of which Tigera becomes aware (a “Customer Data Incident”). Tigera will make reasonable endeavors to identify the cause of such Customer Data Incident and take steps as Tigera deems necessary and reasonable to remediate the cause of such Customer Data Incident to the extent the remediation is within Tigera’s reasonable control. The obligations herein will not apply to incidents that are caused by Customer or its personnel.
8. RETURN AND DELETION OF CUSTOMER DATA
Tigera will return Customer Data to Customer and, to the extent allowed by applicable law, delete Customer Data in accordance with the procedures and timeframes specified in the Subscription Agreement.
9. AUDIT
Upon Customer’s request, and subject to the confidentiality obligations in the Subscription Agreement, Tigera will make available to Customer (or Customer’s third-party auditor and that has signed a nondisclosure agreement reasonably acceptable to Tigera) information necessary to demonstrate the Tigera Group’s compliance with the obligations set forth in this DPA and its obligations as a Processor under Privacy Laws and Regulations in the form of Tigera’s completed standardized security questionnaires, third-party certifications and audit reports (e.g., its completed Standardized Information Gathering (SIG) and Cloud Security Alliance Consensus Assessments Initiative (CSA CAIQ) questionnaires, SOC 2 report and summary penetration test reports) and, for its Sub-processors, the third-party certifications and audit reports made available by them. Following any notice by Tigera to Customer of an actual or reasonably suspected unauthorized disclosure of Personal Data, upon Customer’s reasonable belief that Tigera is in breach of its Personal Data protection obligations under this DPA, or if such audit is required by Customer’s Supervisory Authority, Customer may contact Tigera to request an audit of the procedures relevant to the protection of Personal Data. Any such audit will be conducted remotely, except Customer and/or its Supervisory Authority may conduct on on-site audit at Tigera’s premises if so required by the Privacy Laws and Regulations. Any such request will occur no more than once annually, except in the event of an actual or reasonably suspected unauthorized access to Personal Data. Before the commencement of any audit, Customer and Tigera will mutually agree upon the scope, timing, and duration of the audit. In no event will any audit of a Sub-processor, beyond a review of reports, certifications and documentation made available by the Sub-processor, be permitted without the Sub-processor’s consent.
10. AFFILIATES
a. Contractual Relationship. The Customer entity signing this DPA does so for itself and, as applicable, in the name and on behalf of its affiliates, thereby establishing a separate DPA between Tigera and each such affiliate subject to the provisions of the Subscription Agreement, this Clause 10, and Clause 11 below. Each such affiliate agrees to be bound by the obligations under this DPA and, to the extent applicable for the purposes of this DPA, the Subscription Agreement. For the avoidance of doubt, such affiliates are not and do not become parties to the Subscription Agreement, and are only parties to this DPA. All access to and use of the Solutions by such affiliates must comply with the Subscription Agreement, and any breach of the Subscription Agreement by an affiliate will be deemed a breach by Customer.
b. Communication. The Customer entity signing this DPA will remain responsible for coordinating all communication with Tigera under this DPA and be entitled to make and receive any communication in relation to this DPA on behalf of its affiliates.
c. Rights of Customer Affiliates. Where a Customer affiliate becomes a party to this DPA with Tigera, it will to the extent required under applicable Privacy Laws and Regulations be entitled to exercise the rights and seek remedies under this DPA, subject to the following:
i. Except where applicable Privacy Laws and Regulations require the Customer affiliate to exercise a right or seek any remedy under this DPA against Tigera directly, the parties agree that (i) solely the Customer entity that signed this DPA will exercise any such right or seek any such remedy on behalf of the Customer affiliate, and (ii) the Customer entity signing this DPA will exercise any such rights under this DPA not separately for each affiliate individually but in a combined manner for itself and all of its affiliates together (as set forth, for example, in Clause 10.c.ii below).
ii. The Customer entity signing this DPA will, when carrying out a permitted audit of the procedures relevant to the protection of Personal Data, take all reasonable measures to limit any impact on Tigera and its Sub-processors by combining, to the extent reasonably possible, several audit requests carried out on behalf of itself and all of its affiliates in one single audit.
11. LIMITATION OF LIABILITY
To the extent permitted by Privacy Laws and Regulations, each party’s and all of its affiliates’ liability, taken together in the aggregate, arising out of or related to this DPA, whether in contract, tort or under any other theory of liability, is subject to the “Limitation of Liability” clause, and such other clauses that exclude or limit liability, of the Subscription Agreement, and any reference in such clauses to the liability of a party means the aggregate liability of that party and all of its affiliates.
12. APPLICABLE TRANSFER MECHANISM
a. All Outside Europe Transfers will be subject to the additional terms set out in Appendix 4.
b. In the event that the Standard Contractual Clauses are invalidated, amended, or replaced the parties will work in good faith to enact such alternative transfer mechanism to enable the continued Processing of Personal Data contemplated by the Subscription Agreement. The use of such alternative transfer mechanism will be subject to each party’s fulfilment of all legal requirements for use of such transfer mechanism.
IN WITNESS WHEREOF, the parties hereto have caused this DPA, including all applicable Appendices incorporated herein, to be executed as of the Effective Date.
TIGERA, INC.
By: __________________________
Name: __________________________
Title: __________________________
CUSTOMER: _____________________________
By: __________________________
Name: __________________________
Title: __________________________
Appendix 1
Current Sub-processor List
|
Solutions |
Sub-Processor Activity |
Sub-Processor Name and Address |
Location of Processing |
|
Calico Cloud |
Enterprise Support |
Tigera |
|
|
Application Hosting Service |
Google Cloud Platform |
|
|
|
Microsoft Azure |
|
||
|
Identity and Authentication Management |
Auth0 |
|
|
|
Database Service |
MongoDB Atlas |
|
Appendix 2
Details of processing
Data Exporter
Full Legal Name: Customer Name as specified above
Main Address: Customer Address as specified above
Contact: If not otherwise provided this will be the primary contact on the Customer account.
Contact Email: If not otherwise provided this will be the primary contact email address on the Customer account.
Data Importer
Full Legal Name: Tigera
Main Address: 2890 Zanker Road, Suite 205, San Jose, CA 95134, U.S.A.
Contact: Tigera Data Protection Officer
Contact Email: privacy@tigera.io
Nature and Purpose of Processing
Tigera will Process Personal Data as necessary to perform the Solutions pursuant to the Subscription Agreement and Order Form(s), and as further instructed by Customer in its use of the Solutions.
Duration of Processing
Tigera will Process Personal Data for the duration stated in the Subscription Agreement, unless otherwise agreed in writing.
Retention
Tigera will retain Personal Data in the Solutions for the duration of the Subscription Agreement, unless otherwise agreed in writing, and for a fixed period following termination of the Subscription Agreement prior to deletion in accordance with the terms of the Subscription Agreement.
Frequency of Transfer
As determined by Customer through its use of the Solutions.
Transfers to Sub-processor(s)
As necessary to perform the Solutions pursuant to the Subscription Agreement and Order Form(s), and as further described in Appendix 1.
Categories of Data Subjects
Customer may submit Personal Data to the Solutions, the extent of which is determined and controlled by Customer in its sole discretion, and which may include but is not limited to Personal Data relating to the following categories of data subjects:
- Prospects, customers, business partners and vendors of Customer (who are natural persons)
- Customer’s users authorized by Customer to use the Solutions
Type of Personal Data
Customer may submit Personal Data to the Solutions, the extent of which is determined and controlled by Customer in its sole discretion, and which may include but is not limited to the following categories of Personal Data:
- First and last name
- Title
- Employer
- Contact information (company, email, phone, physical business address)
- ID data
- IP address
- Public Profile URL
- Localisation data
Special categories of data (if appropriate)
Customer may submit special categories of Personal Data to the Solutions, the extent of which is determined and controlled by Customer in its sole discretion, and which for the sake of clarity could include the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person or data concerning health. See the measures in Appendix 3 for how Tigera protects special categories of data and other personal data.
