Data Processing Addendum
THIS DATA PROCESSING ADDENDUM (“DPA”) is incorporated into the Master Subscription Terms and Conditions or other mutually accepted written (including electronic) agreement between Kumo.ai, Inc., (“Kumo”) and Customer governing the Customer’s use of the Services (“Agreement”) and becomes effective on the effective date of the Agreement. Each party is referred to as “Party” or, collectively, as “Parties.”
- INTERPRETATION
- In this DPA, the following terms will have the meanings set out in this Section 1, unless expressly stated otherwise:
- “Applicable Data Protection Laws” means the privacy, data protection, and data security laws and regulations of any jurisdiction directly applicable to Kumo’s Processing of Customer Personal Data under the Agreement, including, where applicable, GDPR, CCPA, GLBA, and NYDFS Cybersecurity Regulation.
- “CCPA” means the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (the “CPRA”), and any binding regulations promulgated thereunder.
- “Controller” means the entity which determines the purposes and means of Processing of Personal Data.
- “Customer Personal Data” means any Personal Data Processed by Kumo or its Sub-Processor on behalf of the Customer to perform the Services under the Agreement.
- “Data Subject” means the identified or identifiable natural person to whom Customer Personal Data relates.
- “Data Subject Request” means the exercise by a Data Subject of its rights in accordance with Applicable Data Protection Laws in respect of Customer Personal Data and the Processing thereof.
- “Deidentified Data” means data Processed by Kumo or its Sub-Processor on behalf of the Customer to perform the Services under the Agreement that cannot reasonably be used to infer information about, or otherwise be linked to, an identified or identifiable natural person, or a device linked to such person.
- “EEA” means the European Economic Area.
- “GDPR” means, as and where applicable to Processing concerned: (i) the General Data Protection Regulation (Regulation (EU) 2016/679) (“EU GDPR”); and/or (ii) the EU GDPR as it forms part of UK law by virtue of section 3 of the European Union (Withdrawal) Act 2018 (as amended, including by the Data Protection, Privacy and Electronic Communications (Amendments, etc.) (EU Exit) Regulations 2019) (“UK GDPR”), including, in each case (i) and (ii) any applicable national implementing or supplementary legislation (e.g., the UK Data Protection Act 2018), and any successor, amendment or re-enactment, to or of the foregoing. References to “Articles” and “Chapters” of, and other relevant defined terms in, the GDPR will be construed accordingly.
- “GLBA” means the Gramm-Leach-Bliley Act of 1999, as amended, and any binding regulations promulgated thereunder.
- “NYDFS Cybersecurity Regulation” means Title 23, Chapter I, Part 500 of the New York Code, Rules and Regulations, entitled Cybersecurity Requirements for Financial Services Companies, as amended.
- “Personal Data” means any information provided to Kumo by Customer that is protected as “personal data,” “personal information,” “personally identifiable information,” or similar term defined in Applicable Data Protection Laws, except that Personal Data does not include the contact information pertaining to Customer’s personnel or representatives who are business contacts of Customer (where Kumo acts as a controller of such information).
- “Personal Data Breach” means a breach of Kumo’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Customer Personal Data in Kumo’s possession, custody or control. For clarity, Personal Data Breach does not include unsuccessful attempts or activities that do not compromise the security of Personal Data (such as unsuccessful log-in attempts, pings, port scans, denial of service attacks, or other network attacks on firewalls or networked systems).
- “Personnel” means a person’s employees, agents, consultants or contractors.
- “Process” and any inflection thereof means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- “Processor” means a natural or legal person, public authority, agency or other body which Processes Personal Data on behalf of the Controller.
- “Restricted Transfer” means the disclosure, grant of access or other transfer of Customer Personal Data to any person located in: (i) in the context of the EEA, any country or territory outside the EEA which does not benefit from an adequacy decision from the European Commission (an “EEA Restricted Transfer”); and (ii) in the context of the UK, any country or territory outside the UK, which does not benefit from an adequacy decision from the UK Government (a “UK Restricted Transfer”), which would be prohibited without a legal basis under Chapter V of the GDPR.
- “SCCs” means the standard contractual clauses approved by the European Commission pursuant to implementing Decision (EU) 2021/914.
- “Services” means those services and activities to be supplied to or carried out by or on behalf of Kumo for Customer pursuant to the Agreement including, by way of example and not limitation, services and activities undertaken on a trial basis or otherwise free of charge or purchased by Customer.
- “Sub-Processor” means any third party appointed by or on behalf of Kumo to Process Customer Personal Data.
- “Supervisory Authority”: (i) in the context of the EEA and the EU GDPR, will have the meaning given to that term in the EU GDPR; and (ii) in the context of the UK and the UK GDPR, means the UK Information Commissioner’s Office.
- “UK Transfer Addendum” means the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of the UK Mandatory Clauses included in Part 2 thereof (the “UK Mandatory Clauses”).
- All capitalized terms used in this DPA that are not otherwise defined in this DPA will have the meaning given to them in the Agreement.
- SCOPE OF THIS DATA PROCESSING ADDENDUM
- This DPA generally applies to Kumo’s Processing of Customer Personal Data under the Agreement. The Parties acknowledge and agree that the details of Kumo’s Processing of Customer Personal Data (including the respective roles of the Parties relating to such Processing) are as described in Annex 1 (Data Processing Details) to this DPA.
- Annex 2 (European Annex) to this DPA applies only if, and to the extent, Kumo’s Processing of Customer Personal Data under the Agreement is subject to the GDPR.
- Annex 3 (California Annex) to this DPA applies only if, and to the extent, Kumo’s Processing of Customer Personal Data under the Agreement is subject to the CCPA with respect to which Customer is a “business” (as defined in the CCPA).
- Section 9 (Compliance Assistance; Audits) of this DPA applies to Kumo’s Processing of Customer Personal Data to the extent required under any requirements concerning contracts with Processors under Applicable Data Protection Laws, and in such cases, only in respect of Processing of Personal Data subject to such laws.
- PROCESSING OF CUSTOMER PERSONAL DATA
- Kumo will Process Personal Data in accordance with the Customer’s written instructions or as required or permitted by Applicable Data Protection Laws. For purposes of the Services and this DPA and as defined by Applicable Data Protection Laws: (a) Kumo will be considered a “Processor” or “service provider;” and (b) Customer will be considered a “Controller.”
- Customer instructs Kumo to Process Customer Personal Data to provide the Services to Customer and in accordance with the Agreement (including this DPA). The Agreement is a complete expression of such instructions, and Customer’s additional instructions will be binding on Kumo only pursuant to any written amendment to this DPA signed by both Parties. Where required by Applicable Data Protection Laws, if Kumo receives an instruction from Customer that, in its reasonable opinion, infringes Applicable Data Protection Laws, Kumo will notify Customer.
- The Parties acknowledge that the Kumo’s Processing of Customer Personal Data authorized by Customer’s instructions stated in the Agreement (including this DPA) is integral to the Services and the business relationship between the Parties. Access to Personal Data does not form part of the consideration exchanged between the Parties in respect of the Agreement or any other business dealings.
- KUMO PERSONNEL
- Kumo will take commercially reasonable steps to ascertain the reliability of any Kumo Personnel who Process Customer Personal Data and, where required by applicable laws, will enter into written confidentiality agreements with all Kumo Personnel who Process Customer Personal Data but are not subject to professional or statutory obligations of confidentiality.
- SECURITY
- Kumo will implement and maintain the administrative, technical, and physical safeguards in relation to Customer Personal Data that are designed to protect Customer Personal Data against Personal Data Breaches as described in Annex 4 (Security Measures) (the “Security Measures”).
- Kumo may update the Security Measures from time to time, provided the updated measures do not materially decrease the overall protection of Customer Personal Data.
- DATA SUBJECT REQUESTS
- Taking into account the nature of the Processing of Customer Personal Data by Kumo, Kumo will provide the Customer with such assistance, by implementing appropriate technical and organizational measures, as the Customer may reasonably request to assist the Customer in fulfilling its obligations under Applicable Data Protection Laws to respond to Data Subject Requests.
- Kumo will:
- promptly notify Customer if it receives a Data Subject Request; and
- not respond to any Data Subject Request, other than to advise the Data Subject to submit the request to Customer, except on the written instructions of Customer or as required by Applicable Data Protection Laws.
- PERSONAL DATA BREACH
Breach notification and assistance
- Kumo will notify Customer without undue delay upon Kumo’s confirmation of a Personal Data Breach affecting Customer Personal Data. Kumo’s notification of or response to a Personal Data Breach will not be construed as Kumo’s acknowledgment of any fault or liability with respect to the Personal Data Breach.
- To the extent the Personal Data Breach resulted from Kumo’s breach of its security obligations under the Agreement, Kumo will provide Customer with the reasonably requested information (insofar as such information is within Kumo’s possession and knowledge and does not otherwise compromise the security of any Personal Data Processed by Kumo or Kumo’s other confidentiality or nondisclosure obligations, including any imposed by law enforcement, a Supervisory Authority, or other governmental authority) to allow Customer to meet its obligations under the Applicable Data Protection Laws to report the Personal Data Breach. If the Personal Data Breach did not result from Kumo’s breach of its security obligations under the Agreement, Kumo will reasonably cooperate with Customer; provided, however, that Customer will reimburse Kumo for all costs incurred by Kumo. Customer is solely responsible for complying with notification laws applicable to Customer and fulfilling any third-party notification obligations related to any Personal Data Breaches.
Notification to Kumo
- If Customer determines that a Personal Data Breach must be notified to any Supervisory Authority or other governmental authority, any Data Subject(s), the public, or others under Applicable Data Protection Laws, to the extent such notice directly or indirectly refers to or identifies Kumo, where permitted by applicable laws, Customer agrees to:
- notify Kumo in advance in writing; and
- in good faith, consult with Kumo and consider any clarifications or corrections Kumo may reasonably recommend or request to any such notification, which: (i) relate to Kumo’s involvement in or relevance to such Personal Data Breach; and (ii) are consistent with Applicable Data Protection Laws.
- SUB-PROCESSING
- Customer generally authorizes Kumo to appoint Sub-processors in accordance with this Section 8. Without limitation to the foregoing, Customer authorizes the engagement of the Sub-processors listed as of the effective date of the Agreement at the Sub-processor Site, as defined below.
- Information about Sub-processors, including their functions and locations, is available at: www.kumo.ai/legal/sub-processors (as may be updated by Kumo from time to time, subject to Kumo’s obligations pursuant to Section 8.4 below) or such other website address as Kumo may provide to Customer from time to time (the “Sub-processor Site”).
- When engaging any Sub-processor, Kumo will enter into a written contract with such Sub-processor containing data protection obligations not less protective than those in this DPA with respect to Customer Personal Data and to the extent applicable to the nature of the services provided by such Sub-processor. As between the Parties, Kumo will be liable for the acts and omissions of all Sub-processors under or in connection with this DPA to the same extent Kumo would be liable under the terms of this DPA if performing such services itself directly.
- When Kumo engages any Sub-processor after the effective date of the Agreement, Kumo will notify Customer of the engagement (including the name and location of the relevant Sub-processor and the activities it will perform) by updating the Sub-processor Site or by other written means at least 15 days before such Sub-processor Processes Customer Personal Data. If Customer objects to such engagement in a written notice to Kumo within 15 days after being notified of the engagement on reasonable grounds relating to the protection of Customer Personal Data, Customer and Kumo will work together in good faith to consider a mutually acceptable resolution to such objection. If the Parties are unable to reach a mutually agreeable resolution within a reasonable timeframe, Customer may, within 30 days of its initial notification of its objection to Kumo, as its sole and exclusive remedy, terminate the Agreement and cancel the Services by providing written notice to Kumo and pay Kumo for all amounts due and owing under the Agreement as of the date of such termination. If Customer does not object to Kumo’s appointment of a Sub-processor during the objection period referred to in this Section 8.4, Customer will be deemed to have approved the engagement and ongoing use of that Sub-processor.
- COMPLIANCE ASSISTANCE; AUDITS
- Taking into account the nature of the Processing of Customer Personal Data by Kumo and the information available to Kumo, Kumo will provide such information and assistance to Customer as Customer may reasonably request (insofar as such information is available to Kumo and the sharing thereof does not compromise the security, confidentiality, integrity or availability of any data Processed by Kumo) to help Customer meet its obligations under Applicable Data Protection Laws, including in relation to the security of Customer Personal Data, the reporting, and investigation of Personal Data Breaches, the demonstration of Customer’s compliance with such obligations and the performance of any data protection assessments and consultations with Supervisory Authorities or other government authorities regarding such assessments in relation to Kumo’s Processing of Customer Personal Data, including those required under Articles 35 and 36 of the GDPR.
- Subject to Section 9.4 below, Kumo will make available to Customer such information as Customer may reasonably request for Kumo to demonstrate compliance with Applicable Data Protection Laws and this DPA. Without limitation of the foregoing, Customer may conduct (in accordance with Section 9.3), at its sole cost and expense, and Kumo will reasonably cooperate with, reasonable audits (including inspections, manual reviews, automated scans, and other technical and operational testing that Customer is entitled to perform under Applicable Data Protection Laws), in each case, whereby Customer or a qualified and independent auditor appointed by Customer using an appropriate and accepted audit control standard or framework may audit Kumo’s technical and organizational measures in support of such compliance and the auditor’s report is provided to Customer and Kumo upon Customer’s request.
- Customer will give Kumo reasonable advance notice of any such audits. Kumo need not cooperate with any audit: (a) performed by any individual or entity who has not entered into a non-disclosure agreement with Kumo on terms acceptable to Kumo in respect of information obtained in relation to the audit; (b) conducted outside of Kumo’s normal business hours at the relevant site; or (c) on more than one occasion in any calendar year during the term of the Agreement, except for any additional audits that Customer is required to perform under Applicable Data Protection Laws. The audit must be conducted in accordance with Kumo’s safety, security, or other relevant policies, must not impact the security, confidentiality, integrity, or availability of any data Processed by Kumo, and must not unreasonably interfere with Kumo’s business activities. Customer will not conduct any scans or technical or operational testing of Kumo’s applications, websites, services, networks, or systems without Kumo’s prior approval (which will not be unreasonably withheld).
- If the controls or measures to be assessed in the requested audit are assessed in a SOC 2 Type 2, ISO, NIST, or similar audit report performed by a qualified and independent third-party auditor pursuant to a recognized industry standard audit framework within twelve (12) months of Customer’s audit request (“Audit Report”) and Kumo has confirmed in writing that there have been no known material changes to the controls audited and covered by such Audit Report(s), Customer agrees to accept the provision of such Audit Report(s) in lieu of requesting an audit of such controls or measures. Kumo will provide copies of any such Audit Reports to the Customer upon request.
- Such Audit Reports and any other information obtained by Customer in connection with an audit under this Section 9 will constitute the confidential information of Kumo, which Customer will use only for the purposes of confirming compliance with the requirements of this DPA or meeting Customer’s obligations under Applicable Data Protection Laws. Nothing in this Section 9 will be construed to obligate Kumo to breach any duty of confidentiality.
- RETURN AND DELETION
- Within 30 days after the expiration or earlier termination of the Agreement, Kumo will, to the fullest extent technically possible in the circumstances, either: (i) return and/or delete all Customer Personal Data in Kumo’s care, custody or control in accordance with Customer’s instructions as to the post-termination return and deletion of Customer Data expressed in the Agreement, or subject to Section 11.5, Customer’s further instructions; or, (ii) irreversibly anonymize or deidentify all Customer Personal Data in Kumo’s care, custody or control.
- Notwithstanding the foregoing, Kumo may retain Customer Personal Data where required by law (or in the case of Customer Personal Data subject to the GDPR, the laws of the UK or European Union, as applicable), provided that Kumo will: (a) maintain the confidentiality of all such Customer Personal Data; and, (b) Process the Customer Personal Data only as necessary for the purpose(s) and duration specified in the applicable Data Protection Law requiring such retention.
- CUSTOMER’S RESPONSIBILITIES
- Customer agrees that, without limiting Kumo’s obligations under Section 5 (Security), Customer is solely responsible for its use of the Services, including: (a) making appropriate use of the Services to maintain a level of security appropriate to the risk in respect of the Customer Personal Data; (b) securing the account authentication credentials, systems, and devices Customer uses to access the Services; (c) securing Customer’s systems and devices that Kumo uses to provide the Services; and (d) backing up Customer Personal Data.
- Customer also agrees it is solely responsible for the accuracy, quality, and legality of (a) the Personal Data provided to Kumo by or on behalf of Customer, (b) the means by which Customer acquired any such Personal Data, and (c) the instructions it provides to Kumo regarding the Processing of such Personal Data. Customer will not provide or make available to Kumo any Personal Data in violation of this DPA or otherwise inappropriate for the nature of the Services.
- Customer will ensure:
- that there is, and will be throughout the term of the Agreement, a valid legal basis for the Processing by Kumo of Customer Personal Data in accordance with this DPA and the Agreement (including, any and all instructions issued by Customer from time to time in respect of such Processing) for the purposes of all Applicable Data Protection Laws (including Article 6, Article 9(2) and/or Article 10 of the GDPR (where applicable)); and
- that (and is solely responsible for ensuring that): (i) all required notices have been given to, and all consents and permissions have been obtained from, Data Subjects and others as required by Applicable Data Protection Laws, relating to the Processing by Kumo of Customer Personal Data; (ii) Processing by Kumo of Personal Data in accordance with this DPA will not cause Kumo to be in breach of the Applicable Data Protection Laws.
- Customer agrees that the Services, the Security Measures, and Kumo’s commitments under this DPA are adequate to meet Customer’s needs, including with respect to any security obligations of Customer under Applicable Data Protection Laws, and provide a level of security appropriate to the risk in respect of the Customer Personal Data.
- Customer is responsible for ensuring that no special categories of Personal Data (under GDPR Article 9), Personal Data relating to criminal convictions and offenses (under GDPR Article 10), or similarly sensitive Personal Data (defined in Applicable Data Protection Laws) is submitted to Kumo for Processing (together, “Restricted Data”).
- Except to the extent prohibited by applicable law, Customer will compensate Kumo at Kumo’s then-current professional services rates for, and reimburse any costs reasonably incurred by Kumo in the course of providing, cooperation, information, or assistance requested by Customer pursuant to Sections 6 (Data Subject Requests), 9 (Compliance Assistance; Audits), and 10.1 (Return and Deletion) of this DPA, beyond providing self-service features included as part of the Service.
- DEIDENTIFIED, ANONYMIZED OR AGGREGATED DATA
- To the extent Kumo processes or generates any Deidentified Data, Kumo will (i) take reasonable measures to ensure that such data cannot be associated with a natural person, and (ii) publicly commit to maintaining and using Deidentified Data only in a de-identified fashion and without attempting to re-identify such data.
- If Kumo’s creation and/or use of aggregated, anonymized, or deidentified personal information is subject to Applicable Data Protection Laws, then Kumo’s creation and/or use of such data, including but not limited to Deidentified Data, will be permitted only to the extent such data constitutes “aggregate consumer information” or has been “deidentified” (as such terms are defined under the Applicable Data Protection Laws).
- LIABILITY
The total aggregate liability of either Party towards the other Party, howsoever arising, under or in connection with this DPA and the SCCs (if and as they apply) will under no circumstances exceed any limitations or caps on, and will be subject to any exclusions of, liability and loss agreed by the Parties in Section 9 of the Agreement; provided that, nothing in this Section 13 will affect any person’s liability to Data Subjects under the third-party beneficiary provisions of the SCCs (if and as they apply).
- CHANGE IN LAWS
Kumo may, on notice, vary this DPA to the extent that (acting reasonably) it considers necessary to address the requirements of Applicable Data Protection Laws from time to time, including by varying or replacing the SCCs in the manner described in Paragraphs 2.1 and 2.2 of Annex 2 (European Annex).
- INCORPORATION AND PRECEDENCE
- This DPA is incorporated into and forms a part of the Agreement with effect from the Addendum Effective Date.
- In the event of any conflict or inconsistency between:
- this DPA and the Agreement, this DPA prevails; or
- any SCCs entered into pursuant to Paragraph 2 of Annex 2 (European Annex) and this DPA and/or the Agreement, the SCCs prevail in respect of the Restricted Transfer to which they apply.
Annex 1
Data Processing Details
KUMO / ‘DATA IMPORTER’ DETAILS
Name:
Kumo.ai, Inc.
Address:
357 Castro Street, Second Floor, Mountain View, CA 94041
Contact Details for Data Protection:
Contact Person:
Kumo’s contact details are stated in the Agreement.
Kumo’s privacy team can be contacted at: [email protected]
Kumo Activities:
Kumo.ai, Inc. provides Services enabling enterprises to leverage predictive analytics.
Role:
Processor
CUSTOMER / ‘DATA EXPORTER’ DETAILS
Name:
As stated in the Agreement
Address:
As stated in the Agreement
Contact Details for Data Protection:
Name: As stated in the Agreement
Role: As stated in the Agreement
Email: As stated in the Agreement
Customer Activities:
Customer’s activities relevant to this DPA are the use and receipt of the Services under and in accordance with, and for the purposes anticipated and permitted in, the Agreement as part of its ongoing business operations.
Role:
Controller – in respect of any Processing of Customer Personal Data in respect of which Customer is a Controller in its own right; and
DETAILS OF PROCESSING
Categories of Data Subjects:
The categories of Data Subjects are determined by the Customer’s use case. By way of example, relevant Data Subjects include:
- End-users of the Services
- End-users and other users of Customer’s products and services
Each category includes current, past and prospective Data Subjects.
Categories of Personal Data:
No Personal Data is needed or planned to be used except as the parties first agree in writing or which is incidentally disclosed by Customer to Kumo. The categories of Personal Data Kumo transfers, stores, or processes are limited to those Kumo’s Customer explicitly agrees to share to use Kumo’s Hosted Services in accordance with Customer’s use case and the applicable business agreement. Notwithstanding, routinely, the following personal data will be disclosed:
Sensitive Categories of Data, and associated additional restrictions/safeguards:
Categories of sensitive data: Passwords and other authentication credentials to online accounts.
Additional safeguards for sensitive data: N/A
Frequency of transfer:
Ongoing – as initiated by Customer in and through its use, or use on its behalf, of the Services.
Nature of the Processing:
Processing operations required in order to provide, support and improve the Services and enable use of the Services in accordance with the Agreement.
Purpose of the Processing:
Customer Personal Data will be processed: (i) as necessary to provide and use the Services as initiated by Customer in its use thereof in accordance with the Agreement; (ii) to comply with any other reasonable instructions provided by Customer in accordance with the terms of this DPA; (iii) to comply with obligations under the Agreement including, for example, support; and (iv) to improve the Services.
Duration of Processing / Retention Period:
Concurrent with the term of the Agreement and thereafter pursuant to Section 10 (Return and Deletion) of this DPA.
Transfers to Sub-processors:
Transfers to Sub-Processors are as, and for the purposes, described from time to time in the Sub-Processor List (as may be updated from time to time in accordance with the DPA).
Annex 2
European Annex
DATA PROTECTION IMPACT ASSESSMENT AND PRIOR CONSULTATION
Taking into account the nature of the Processing of Customer Personal Data by Kumo and the information available to Kumo, Kumo will provide reasonable assistance to the Customer, at the Customer’s cost, with any data protection impact assessments and prior consultations with Supervisory Authorities which Customer reasonably considers to be required of it by Article 35 or Article 36 of the GDPR, in each case solely in relation to Processing of Customer Personal Data by Kumo.
RESTRICTED TRANSFERS
EEA Restricted Transfers
To the extent that any Processing of Customer Personal Data under this DPA involves an EEA Restricted Transfer from Customer to Kumo, the Parties will comply with their respective obligations set out in the SCCs, which are hereby deemed to be:
populated in accordance with Part 1 of Attachment 1 to this Annex 2 (European Annex); and
entered into by the Parties and incorporated by reference into this DPA.
UK Restricted Transfers
To the extent that any Processing of Customer Personal Data under this DPA involves a UK Restricted Transfer from Customer to Kumo, the Parties will comply with their respective obligations set out in the SCCs, which are hereby deemed to be:
varied to address the requirements of the UK GDPR in accordance with the UK Transfer Addendum and populated in accordance with Part 2 of Attachment 1 to this Annex 2 (European Annex); and
entered into by the Parties and incorporated by reference into this DPA.
Adoption of new transfer mechanism
Kumo may on notice vary this DPA and replace the relevant SCCs and/or UK Transfer Addendum with:
any new form of the relevant SCCs and/or UK Transfer Addendum or any replacement therefor prepared and populated accordingly (e.g., standard data protection clauses adopted by the European Commission for use specifically in respect of transfers to data importers subject to Article 3(2) of the EU GDPR); or
another transfer mechanism,
that enables the lawful transfer of Customer Personal Data by Customer to Kumo under this DPA in compliance with Chapter V of the GDPR.
Provision of full-form SCCs
In respect of any given Restricted Transfer, if requested of Customer by a Supervisory Authority, Data Subject or further Controller (where applicable) – on specific written request (made to the contact details set out in Annex 1 (Data Processing Details); accompanied by suitable supporting evidence of the relevant request), Kumo will provide Customer with an executed version of the relevant set(s) of SCCs responsive to the request made of Customer (amended and populated in accordance with Attachment 1 to this Annex 2 (European Annex) in respect of the relevant Restricted Transfer) for countersignature by Customer, onward provision to the relevant requestor and/or storage to evidence Customer’s compliance with Applicable Data Protection Laws.
OPERATIONAL CLARIFICATIONS
When complying with its transparency obligations under Clause 8.3 of the SCCs, Customer agrees that it will not provide or otherwise make available, and will take all appropriate steps to protect Kumo’s and its licensors’ trade secrets, business secrets, confidential information and/or other commercially sensitive information.
Where applicable, for the purposes of Clause 10(a) of Module Three of the SCCs, Customer acknowledges and agrees that there are no circumstances in which it would be appropriate for Kumo to notify any third-party controller of any Data Subject Request and that any such notification will be the sole responsibility of Customer.
For the purposes of Clause 15.1(a) of the SCCs, except to the extent prohibited by applicable law and/or the relevant public authority, as between the Parties, Customer agrees that it will be solely responsible for making any notifications to relevant Data Subject(s) if and as required.
The terms and conditions of Section 8 of this DPA apply in relation to Kumo’s appointment and use of Sub-processors under the SCCs. Any approval by Customer of Kumo’s appointment of a Sub-processor that is given expressly or deemed given pursuant to Section 8 constitutes Customer’s documented instructions to effect disclosures and onward transfers to any relevant Sub-processors if and as required under Clause 8.8 of the SCCs.
The audits described in Clauses 8.9(c) and 8.9(d) of the SCCs will be subject to any relevant terms and conditions detailed in Section 9 of this DPA.
Certification of deletion of Customer Personal Data as described in Clauses 8.5 and 16(d) of the SCCs will be provided only upon Customer’s written request.
[REMAINDER OF PAGE INTENTIONALLY BLANK]
- ATTACHMENT 1 TO EUROPEAN ANNEX
POPULATION OF SCCs
Notes:
In the context of any EEA Restricted Transfer, the SCCs populated in accordance with Part 1 of this Attachment 1 are incorporated by reference into and form an effective part of the DPA (if and where applicable in accordance with Paragraph 2.1 of Annex 2 (European Annex) to the DPA).
In the context of any UK Restricted Transfer, the SCCs as varied by the UK Transfer Addendum and populated in accordance with Part 2 of this Attachment 1 are incorporated by reference into and form an effective part of the DPA (if and where applicable in accordance with Paragraph 2.2 of Annex 2 (European Annex) to the DPA).
PART 1: POPULATION OF THE SCCs
- SIGNATURE OF THE SCCs:
Where the SCCs apply in accordance with Paragraph 2.1 of Annex 2 (European Annex) to the DPA, (a) each of the Parties is hereby deemed to have signed the SCCs at the relevant signature block in Annex I to the Appendix to the SCCs; and (b) those SCCs are entered into by and between the Parties with effect from (i) the Addendum Effective Date; or (ii) the date of the first EU Restricted Transfer to which they apply in accordance with Paragraph 2.1 of Annex 2 (European Annex) to the DPA, whichever is earlier.
- MODULES
- The following modules of the SCCs apply in the manner set out below (having regard to the role(s) of Customer set out in Attachment 1 to Annex 2 (European Annex) to the DPA):
- Module Two of the SCCs applies to any EEA Restricted Transfer involving Processing of Customer Personal Data in respect of which Customer is a Controller in its own right.
- Module Three of the SCCs applies to any EEA Restricted Transfer involving Processing of European Customer Data in respect of which Customer is a Processor acting on behalf of any other person (including its affiliates if and where applicable).
- POPULATION OF THE BODY OF THE SCCs
- For each Module of the SCCs, the following applies as and where applicable to that Module and the Clauses thereof:
- The optional ‘Docking Clause’ in Clause 7 is not used and the body of that Clause 7 is left intentionally blank.
- In Clause 9:
- OPTION 2: GENERAL WRITTEN AUTHORISATION applies, and the minimum time period for advance notice of the addition or replacement of Sub-Processors will be the advance notice period set out in Section 8.4 of the DPA; and
- OPTION 1: SPECIFIC PRIOR AUTHORISATION is not used and that optional language is deleted; as is, therefore, Annex III to the Appendix to the SCCs.
- In Clause 11, the optional language is not used and is deleted.
- In Clause 13, all square brackets are removed and all text therein is retained.
- In Clause 17: OPTION 1 applies, and the Parties agree that the SCCs will be governed by the law of Ireland in relation to any EEA Restricted Transfer; and OPTION 2 is not used and that optional language is deleted.
- For the purposes of Clause 18, the Parties agree that any dispute arising from the SCCs in relation to any EEA Restricted Transfer will be resolved by the courts of Ireland, and Clause 18(b) is populated accordingly.
- In this Paragraph 3, references to “Clauses” are references to the Clauses of the SCCs.
- POPULATION OF ANNEXES TO THE APPENDIX TO THE SCCs
- Annex I to the Appendix to the SCCs is populated with the corresponding information detailed in Annex 1 (Data Processing Details) to the DPA, with: Customer being ‘data exporter’; and Kumo being ‘data importer.’
- Part C of Annex I to the Appendix to the SCCs is populated as below:
- Where Customer is established in an EU Member State, the competent supervisory authority will be the supervisory authority of that EU Member State in which Customer is established.
- Where Customer is not established in an EU Member State, Article 3(2) of the GDPR applies and Customer has appointed an EU representative under Article 27 of the GDPR: the competent supervisory authority will be the supervisory authority of the EU Member State in which Customer’s EU representative relevant to the processing hereunder is based (from time-to-time).
- Where Customer is not established in an EU Member State, Article 3(2) of the GDPR applies, but Customer has not appointed an EU representative under Article 27 of the GDPR: the competent supervisory authority will be the supervisory authority of the EU Member State notified in writing to Kumo’s contact point for data protection identified in Annex 1 (Data Processing Details) to the DPA, which must be an EU Member State in which the data subjects whose personal data is transferred under these Clauses in relation to the offering of goods or services to them, or whose behavior is monitored, are located.
- Annex II to the Appendix to the SCCs is populated as below:
General:
- Please refer to Section 5 of the DPA and the Security Measures described therein.
- In the event that Customer receives a Data Subject Request under the EU GDPR and requires assistance from Kumo, Customer should email Kumo’s contact point for data protection identified in Annex 1 (Data Processing Details) to the DPA.
Sub-Processors: When Kumo engages a Sub-Processor under these Clauses, Kumo will enter into a binding contractual arrangement with such Sub-Processor that imposes upon them data protection obligations which, in substance, meet or exceed the relevant standards required under these Clauses and the DPA – including in respect of:
- applicable information security measures;
- notification of Personal Data Breaches to Kumo;
- return or deletion of Customer Personal Data as and where required; and
- engagement of further Sub-Processors.
PART 2: UK RESTRICTED TRANSFERS
- UK TRANSFER ADDENDUM
- Where relevant in accordance with Paragraph 2.2 of Annex 2 (European Annex) to the DPA, the SCCs also apply in the context of UK Restricted Transfers as varied by the UK Transfer Addendum in the manner described below –
- Part 1 to the UK Transfer Addendum. The Parties agree:
- Tables 1, 2, and 3 to the UK Transfer Addendum are deemed populated with the corresponding details set out in Annex 1 (Data Processing Details) to the DPA and the foregoing provisions of this Attachment 1 to Annex 2 (European Annex) (subject to the variations effected by the UK Mandatory Clauses described in (b) below); and
- Table 4 to the UK Transfer Addendum is completed by the box labeled ‘Data Importer’ being deemed to have been ticked.
- Part 2 to the UK Transfer Addendum. The Parties agree to be bound by the UK Mandatory Clauses of the UK Transfer Addendum.
- As permitted by Section 17 of the UK Mandatory Clauses, the Parties agree to the presentation of the information required by ‘Part 1: Tables’ of the UK Transfer Addendum in the manner set out in Paragraph 1.1 of this Part 2, provided that the Parties further agree that nothing in the manner of that presentation will operate or be construed so as to reduce the Appropriate Safeguards (as defined in Section 3 of the UK Mandatory Clauses).
- In relation to any UK Restricted Transfer to which they apply, where the context permits and requires, any reference in the DPA to the SCCs, will be read as a reference to those SCCs as varied in the manner set out in Paragraph 1.1 of this Part 2.
[REMAINDER OF PAGE INTENTIONALLY BLANK]
Annex 3
California Annex
These CCPA Terms apply when the California Consumer Privacy Act of 2018, Cal. Civ. Code §§1798.100–1798.199.100, as amended, and the CCPA regulations, Cal. Code Regs. §§7000–7304 (together, the “CCPA”) apply to Customer’s use of the Services to process the Personal Information contained in Customer Data (“Covered Information”). For the purpose of these CCPA Terms, the terms “Commercial Purpose,” “Consumer,” “Personal Information,” “Sell,” “Service Provider” and “Share” have the meanings given to them in the CCPA.
- Kumo’s Obligations. Kumo will (a) not Sell or Share Covered Information; (b) process Covered Information only to provide, support, and improve the Services in accordance with the Agreement or Orders, or as otherwise permitted under the CCPA; (c) not retain, use, or disclose Covered Information (i) for any purpose, including any Commercial Purpose, except to provide, support, and improve the Services in accordance with the Agreement or Orders, or as otherwise permitted under the CCPA, (ii) outside the direct business relationship between Kumo and Customer, or (iii) in any way prohibited by the CCPA; (d) not combine the Covered Information it receives from, or on behalf of, Customer with Personal Information it receives from, or on behalf of, another person or from Kumo’s own interactions with the Consumer to whom the Personal Information relates, except to the extent a Service Provider is permitted to do so under the CCPA; (e) comply with all applicable obligations under, and provide the same level of privacy protection to Covered Information as required by, the CCPA; (f) notify Customer if it believes it cannot meet its obligations under the CCPA; and (g) on Customer’s request and taking into account the nature of the Covered Information processed, provide reasonable assistance to Customer in fulfilling consumer requests made under the CCPA to the extent Customer is unable through its use of the Services to address a particular request on its own.
- Customer’s Obligations and Rights. Customer may (a) only disclose Covered Information to Kumo for the limited purpose of using the Services in accordance with the Agreement; (b) audit Kumo’s compliance with its obligations under these CCPA Terms by requesting and reviewing (i) copies of or extracts from Kumo’s audit reports related to the security of the Services, or (ii) other information Kumo deems reasonably necessary to demonstrate Kumo’s compliance; and (c) upon notice to Kumo, take reasonable and appropriate steps to stop and remediate any unauthorized use of Covered Information by Kumo.
[REMAINDER OF PAGE INTENTIONALLY BLANK]
Annex 4
Security Measures
As from the Addendum Effective Date, Kumo will implement and maintain the Security Measures as set out in this Annex 4.
Access Control:
- Kumo restricts access to Customer Personal Data to employees with a defined need-to-know or a role requiring such access.
- Kumo maintains user access controls that address timely provisioning and de-provisioning of user accounts.
Audit:
- Kumo will maintain SSAE 18 SOC 2 certification, or comparable certification, for the term of the Agreement. This certification will be renewed on an annual basis. Upon Customer’s request, Kumo will provide a summary of its most recent SOC 2 report once every 12 months of the term of the Agreement.
- Kumo follows guidelines from ISO 27001, NIST and other industry-standard practices.
Business Continuity:
- Kumo maintains business continuity, backup, and disaster recovery plans (“BC/DR Plans”) in order to minimize the loss of service and comply with Applicable Laws.
- The BC/DR Plans address threats to the Services and any dependencies, and have an established procedure for resuming access to, and use of, the Services.
- The BC/DR Plans are tested at regular intervals.
Change Control:
- Kumo maintains policies and procedures for applying changes to the Services, including underlying infrastructure and system components, to ensure quality standards are being met.
- Kumo undergoes a penetration test of its network and Services on an annual basis. Any vulnerabilities found during this testing will be remediated in accordance with Kumo’s Vulnerability Management Policies and Procedures, and will be assessed on the basis of Kumo’s Risk Management Framework.
- Kumo regularly performs vulnerability scans of its network and any vulnerabilities found will be addressed in accordance with Kumo’s Vulnerability Management Policies and Procedures, and will be assessed on the basis of Kumo’s Risk Management Framework.
- Security patches are applied in accordance with Kumo’s patching schedule.
- Kumo maintains an environment for testing and development separate from the production environment.
Data Security:
- Kumo maintains technical safeguards and other security measures to ensure the security and confidentiality of Customer Personal Data.
- Kumo logically segregates Customer Personal Data in the production environment.
Encryption and Key Management:
- Kumo maintains policies and procedures for the management of encryption mechanisms and cryptographic keys in Kumo’s cryptosystem.
- Kumo employs encryption at rest and in transit over public networks, as applicable, according to industry-standard practice.
Governance and Risk Management:
- Kumo maintains an information security program that is reviewed at least annually.
- Kumo maintains a risk management program, with risk assessments conducted at least annually.
Administrative Controls:
- Kumo uses a third party to conduct employee background verifications for all Kumo personnel with access to Customer Personal Data.
- Kumo employees are required to complete initial (at-hire) and annual security awareness training.
Kumo may update the Security Measures from time to time in accordance with Section 5.2 (Security) of the DPA.