en

Data Processing Addendum

Version Date: November 15, 2023

BACKGROUND

This Data Processing Addendum (“DPA”) is issued under and forms part of the Dataiku Cloud Terms entered into between you (“Customer”) and Dataiku SAS or the Dataiku entity indicated in the applicable Order (also referred to as “Dataiku”). In the event of a conflict between any of the provisions of this DPA and the provisions of the Dataiku Cloud Terms, the provisions of this DPA shall prevail.

 1.  Interpretation

1.1.  Unless otherwise set out below, each capitalized term in this DPA shall have the meaning set out in the Dataiku Cloud Terms. In this DPA, unless the context requires otherwise:

Agreement” means, together, the Dataiku Cloud Terms and this DPA.

Applicable Data Protection Laws” means all applicable laws, rules, regulations, and governmental requirements relating to the privacy, confidentiality, or security of Personal Data, as they may be amended or otherwise updated from time to time.

Approved Addendum” means the template addendum, version B.1.0 issued by the UK Information Commissioner under S119A(1) Data Protection Act 2018 and laid before the UK Parliament on 2 February 2022, as it may be revised according to Section 18 of the Mandatory Clauses.

CCPA” means the California Consumer Privacy Act, Cal. Civ. Code §§ 1798.100 et seq., including any amendments and any implementing regulations thereto that become effective on or after the effective date of this Data Processing Addendum.

Controller” has the meaning given in the GDPR.

Customer Affiliate” means an affiliate of Customer who is a beneficiary to the Agreement.

Customer Personal Data” means the US Personal Data and the GDPR Personal Data.

Data Processing Services” means the Processing of CCPA Personal Information for any purpose permitted by the CCPA, such as for a permitted “business purpose,” as such term is defined in the CCPA, or for any other purpose expressly permitted by the CCPA.

Data Subject” means the individual or household to whom Customer Personal Data relates.

Deidentified Data” means data created using US Personal Data that cannot reasonably be linked to such US Personal Data, directly or indirectly.

EU Data Protection Laws” means all applicable legislation protecting the fundamental rights and freedoms of persons and their right to privacy with regard to the Processing of GDPR Personal Data, including (as applicable):

(a) the GDPR;

(b) Swiss Data Protection Laws; and

(c) the UK Data Protection Act 2018.

European Economic Area” or “EEA” means the Member States of the European Union together with Iceland, Norway, and Liechtenstein.

GDPR” means Regulation (EU) 2016/679 (the “EU GDPR“) or, where applicable, the “UK GDPR” as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the UK European Union (Withdrawal) Act 2018.

GDPR Personal Data” means the “personal data” (as defined in the GDPR) that Dataiku Processes on behalf of the Customer in connection with Dataiku’s provision of the Service and which is subject to EU Data Protection Laws.

“Mandatory Clauses” means “Part 2: Mandatory Clauses” of the Approved Addendum.

Personal Data” means any data or information that: (a) is linked or reasonably linkable to an identified or identifiable natural person; or (b) is otherwise “personal data,” “personal information,” “personally identifiable information,” or similarly defined data or information under Applicable Data Protection Laws.

Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means. “Process”, “Processes” and “Processed” will be interpreted accordingly.

Security Incident” means any accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, any Customer Personal Data.

Services” means the service(s) provided by Dataiku to the Customer under the Agreement, including the Data Processing Services.

Standard Contractual Clauses” or “SCCs” means Module Two (controller to processor) of the Standard Contractual Clauses annexed to Commission Implementing Decision (EU) 2021/914.

Subprocessor” means any Processor engaged by Dataiku who agrees to receive from Dataiku any Customer Personal Data.

Supervisory Authority” has the meaning given in the GDPR.

Swiss Data Protection Laws” means the Swiss Federal Act on Data Protection of 19 June 1992 and the Swiss Ordinance to the Swiss Federal Act on Data Protection of 14 June 1993, and any new or revised version of these laws that may enter into force from time to time.

“UK” means the United Kingdom of Great Britain and Northern Ireland.

US Data Protection Laws” means, to the extent applicable, federal and state laws relating to data protection, the Processing of Personal Data, privacy and/or data protection in force from time to time in the United States.

US Personal Data” means the Personal Data that Dataiku Processes on behalf of the Customer in connection with Dataiku’s provision of the Service subject to the US Data Protection Laws.

1.2.  Applicability to Customer Personal Data. Except as otherwise provided in this DPA, this DPA shall apply to all Processing of Customer Personal Data by or on behalf of Dataiku.

REQUIREMENTS FOR GDPR PERSONAL DATA:

2.  GDPR PERSONAL DATA PROCESSING

2.1. Applicability to GDPR Personal Data. Sections 2 through 4 of this DPA shall only apply to the Processing of GDPR Personal Data by or on behalf of Dataiku

2.2  Role of the Parties. For the purposes of the EU Data Protection Laws, the Parties acknowledge and agree that Dataiku acts as Processor (as defined in the GDPR) and the Customer acts as Controller.

2.3.  Instructions for GDPR Personal Data Processing

Dataiku will only Process GDPR Personal Data in accordance with:

(a) the Agreement, to the extent necessary to provide the Service to the Customer, and

(b) the Customer’s written instructions,

unless Processing is required by EU Data Protection Laws or Member State law to which Dataiku is subject, in which case Dataiku shall, to the extent permitted by applicable law, inform the Customer of that legal requirement before Processing that GDPR Personal Data.

2.4. Processing GDPR Personal Data outside the scope of this DPA or the Agreement will require prior written agreement between the Customer and Dataiku on additional instructions for Processing.

2.5.  Required consents and notices

Where required by applicable EU Data Protection Laws, the Customer will ensure that it has obtained/will obtain all necessary consents, and has given/will give all necessary notices to Data Subjects, for the Processing of GDPR Personal Data by Dataiku in accordance with the Agreement.

The Customer acknowledges that Dataiku is reliant on the Customer for direction as to the extent to which Dataiku is entitled to use and process the GDPR Personal Data. Consequently, Dataiku will not be liable for any claim brought against the Customer by a Data Subject arising from any act or omission by Dataiku to the extent that such act or omission resulted from the Customer’s instructions or the Customer’s use of the Service.

3.  STANDARD CONTRACTUAL CLAUSES

3.1. Prohibition on Transfers of Personal Data. To the extent that the Processing of GDPR Personal Data by Dataiku involves the export of such GDPR Personal Data to a country or territory outside the EEA, Switzerland or the UK, other than to a country or territory ensuring an adequate level of protection for the rights and freedoms of Data Subjects in relation to the Processing of personal data as determined by the European Commission, or UK Information Commissioner (as applicable) (an “International Transfer“), such transfer shall, subject to Sections 3.4 and 3.5 of this DPA, be governed by the Standard Contractual Clauses. In the event of any conflict between any terms in the Standard Contractual Clauses, this DPA and the Dataiku Cloud Terms, the Standard Contractual Clauses shall prevail. The Standard Contractual Clauses apply where there is an International Transfer to a country or territory that does not ensure an adequate level of protection for the rights and freedoms of Data Subjects in relation to the processing of GDPR Personal Data as determined by the European Commission, Swiss Federal Data Protection and Information Commissioner or UK Information Commissioner (as applicable).

3.2.  For the purposes of the Standard Contractual Clauses and subject to Sections 3.4 and 3.5 of this DPA:

(a) Annex I.A (List of parties) shall be deemed to refer to the Customer and Dataiku;

(b) Annex I.B (Description of Transfer) shall, for the purposes of the Standard Contractual Clauses, be deemed to incorporate the information in Annex I of this DPA;

(c) Annex I.C (Competent Supervisory Authority) shall be deemed to refer to the French Commission Nationale de l’Informatique et des Libertés) (CNIL);

(d) Annex II (Technical and Organisational Measures) shall be deemed to incorporate the information in Annex II of this DPA; and

(e) Annex III (List of Sub-processors) shall be deemed to incorporate the information in Clause 8.1.

3.3.  Subject to Sections 3.4 and 3.5 of this DPA, the parties acknowledge and agree that:

(a) for the purposes of clause 8.1(a) of the Standard Contractual Clauses, the Dataiku Cloud Terms and this DPA shall be the Customer’s instructions for the processing of GDPR Personal Data;

(b) for the purposes of clause 9 of the Standard Contractual Clauses, the Customer gives Dataiku general authorisation to engage Subprocessors and the relevant time period in clause 9(a) shall be thirty (30) days;

(c) for the purposes of clause 12 of the Standard Contractual Clauses, Dataiku’s liability for breach of any terms and conditions under this DPA and the Standard Contractual Clauses shall be subject to the liability limitations agreed in the Dataiku Cloud Terms; and

(d) for the purposes of clause 17 of the Standard Contractual Clauses, the Standard Contractual Clauses shall be governed by the law of the EU Member State in which the data exporter is established.

3.4.  Transfers within the scope of UK GDPR. With respect to any transfers of GDPR Personal Data falling within the scope of the UK GDPR from the Customer (as data exporter) to Dataiku (as data importer):

(a) the Approved Addendum as further specified in this Section 3.4 shall form part of this DPA, and the Standard Contractual Clauses shall be read and interpreted in light of the provisions of the Approved Addendum, to the extent necessary according to Clause 12 of the Mandatory Clauses;

(b) In deviation to Table 1 of the Approved Addendum and in accordance with Clause 17 of the Mandatory Clauses, the parties are further specified in Annex I of this DPA.

(c) The selected Modules and Clauses to be determined according to Table 2 of the Approved Addendum are further specified in Section 3.3 of this DPA as amended by the Mandatory Clauses.

(d) Annex I A and B of Table 3 to the Approved Addendum are specified by Annex I of this DPA, Annex II of the Approved Addendum is further specified by Annex II of this DPA, and Annex III of the Approved Addendum is further specified by Annex III of this DPA.

(e) Dataiku (as data importer) may end this DPA, to the extent the Approved Addendum applies, in accordance with clause ‎19 of the Mandatory Clauses;

(f) Clause 16 of the Mandatory Clauses shall not apply.

3.5.  Transfers within the scope of Swiss Data Protection Laws. With respect to any transfers of GDPR Personal Data falling within the scope of the Swiss Data Protection Laws from the Customer (as data exporter) to Dataiku (as data importer):

(a) This Section 3.5 will apply to any Processing of Customer Personal Data that is subject to Swiss Data Protection Laws (as defined below) or to both Swiss Data Protection Laws and the GDPR. Where this Section 3.5 uses terms that are defined in the SCCs, those terms will have the same meaning as in the SCCs.

(b) This Section 3.5 will be read and interpreted in the light of the provisions of Swiss Data Protection Laws, and so that it fulfills the intention for it to provide the appropriate safeguards as required by Article 46 GDPR and/or Article 6(2)(a) of the Swiss Data Protection Laws, as the case may be. This Section 3.5 will not be interpreted in a way that conflicts with rights and obligations provided for in Swiss Data Protection Laws. Any references to legislation (or specific provisions of legislation) means that legislation (or specific provision) as it may change over time. This includes where that legislation (or specific provision) has been consolidated, re-enacted and/or replaced after this DPA has been entered into.

(c) In the event of a conflict or inconsistency between this Section 3.5 and the provisions of the SCCs or other related agreements between the Parties, existing at the time this DPA is agreed or entered into thereafter, the provisions which provide the most protection to Data Subjects will prevail.

(d) In relation to any Processing of GDPR Personal Data subject to Swiss Data Protection Laws or to both Swiss Data Protection Laws and the GDPR, this Section 3.5 amends the SCCs to the extent necessary so they operate:

(i) for transfers made by the data exporter to the data importer, to the extent that Swiss Data Protection Laws or Swiss Data Protection Laws and the GDPR apply to the data exporter’s Processing when making that transfer; and

(ii) to provide appropriate safeguards for the transfers in accordance with Article 46 of the GDPR and/or Article 6(2)(a) of the Swiss Data Protection Laws, as the case may be.

(e) To the extent that any Processing of Personal Data is exclusively subject to Swiss Data Protection Laws, the SCCs shall be interpreted as follows:

(i) References to the “Clauses” or the “Standard Contractual Clauses” shall mean the SCCs as amended by this Section 3.5.

(ii) Clause 6 (Description of the transfer(s)) is replaced with:

“The details of the transfer(s), and in particular the categories of Personal Data that are transferred and the purpose(s) for which they are transferred, are those specified in Schedule 1 of this DPA where Swiss Data Protection Laws apply to the data exporter’s Processing when making that transfer.”

(iii) References to “Regulation (EU) 2016/679” or “that Regulation” or “GDPR” are replaced by “Swiss Data Protection Laws” and references to specific Article(s) of “Regulation (EU) 2016/679” or “GDPR” are replaced with the equivalent Article or Section of Swiss Data Protection Laws to the extent applicable.

(iv) References to Regulation (EU) 2018/1725 are removed.

(v) References to the “European Union”, “Union”, “EU” and “EU Member State” are all replaced with “Switzerland”.

(vi) Clause 13(a) and Part C of Annex I are not used; the “competent supervisory authority” is the Swiss Federal Data Protection and Information Commissioner insofar as the transfers are governed by Swiss Data Protection Laws;

(vii) Clause 17 is replaced to state:

These Clauses are governed by the laws of Switzerland insofar as the transfers are governed by Swiss Data Protection Laws“.

(viii) Clause 18 is replaced to state:

“Any dispute arising from these Clauses relating to Swiss Data Protection Laws will be resolved by the courts of Switzerland. A Data Subject may also bring legal proceedings against the data exporter and/or data importer before the courts of Switzerland in which he/she has his/her habitual residence. The Parties agree to submit themselves to the jurisdiction of such courts.”

(ix) Until the entry into force of the revised Swiss Data Protection Laws, the SCCs will also protect Personal Data of legal entities and legal entities will receive the same protection under the SCCs as natural persons.

(x) To the extent that any Processing of Personal Data is subject to both Swiss Data Protection Laws and the GDPR, the DPA including the SCCs as further specified in this Section 3.5 will apply (i) as is and (ii) additionally, to the extent that a transfer is subject to Swiss Data Protection Laws, as amended by this Section 3.5, with the sole exception that Clause 17 of the SCCs will not be replaced as stipulated under Section 3.5(e)(vii) above.

(xi) Customer warrants that it and/or Customer Affiliates have made any notifications to the Swiss Federal Data Protection and Information Commissioner which are required under Swiss Data Protection Laws.

4.  ACCESS REQUESTS AND DATA SUBJECT RIGHTS

4.1.  Data Subject Requests

Unless otherwise required by applicable law, Dataiku shall promptly notify the Customer of any request received by Dataiku or any Subprocessor from a Data Subject in respect of the GDPR Personal Data of the Data Subject, and shall not respond to the Data Subject.

4.2.  Dataiku shall, where possible, assist the Customer with ensuring its compliance under applicable EU Data Protection Laws, and in particular shall:

(a) provide the Customer with the ability to correct, delete, block, access or copy the GDPR Personal Data of a Data Subject, or

(b) promptly correct, delete, block, access or copy GDPR Personal Data within the Service at the Customer’s request.

4.3.  Data Subject Rights

Where applicable, and taking into account the nature of the Processing, Dataiku shall use reasonable efforts to assist the Customer by implementing appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Customer’s obligation to respond to requests for exercising Data Subject rights laid down in the GDPR.

REQUIREMENTS FOR US PERSONAL DATA:

5.  US PERSONAL DATA PROCESSING

5.1. Applicability to US Personal Data. Sections 5 through 7 of this DPA shall only apply to the Processing of US Personal Data by or on behalf of Dataiku.

5.2. Role of the Parties. For the purposes of the US Data Protection Laws, the Parties acknowledge and agree that Dataiku will act as a “Service Provider” or “Processor” as such terms are defined in the US Data Protection Laws, as applicable, in its performance of its obligations pursuant to the Agreement.

5.3.  Instructions for US Personal Data Processing

The Agreement and this DPA will generally constitute instructions for the Processing of US Personal Data. Controller may issue further written instructions in accordance with this DPA. Without limiting the foregoing, Dataiku is prohibited from:

(a) selling US Personal Data or otherwise making US Personal Data available to any third party for monetary or other valuable consideration;

(b) sharing US Personal Data with any third party for cross-context behavioral advertising;

(c) retaining, using, or disclosing US Personal Data for any purpose other than for the business purposes specified in the Agreement or as otherwise permitted by US Data Protection Laws;

(d) retaining, using, or disclosing US Personal Data outside of the direct business relationship between the Parties; and

(e) except as otherwise permitted by US Data Protection Laws, combining US Personal Data with Personal Data that Dataiku receives from or on behalf of another person or persons, or collects from its own interaction with the Data Subject.

5.4. Dataiku will limit access to US Personal Data to personnel who have a business need to have access to such US Personal Data, and will ensure that such personnel are subject to obligations at least as protective of the US Personal Data as the Dataiku Cloud Terms and this DPA.

5.5.  Dataiku will provide Customer with information to enable Customer to conduct and document any data protection assessments required under US Data Protection Laws. In addition, Dataiku will notify Customer promptly if Dataiku determines that it can no longer meet its obligations under US Data Protection Laws.

5.6. Customer will have the right to take reasonable and appropriate steps to ensure that Dataiku uses US Personal Data in a manner consistent with Customer’s obligations under US Data Protection Laws.

5.7.  Required consents and notices

Where required by applicable US Data Protection Laws, the Customer will ensure that it has obtained or will obtain all necessary consents, and has given/will give all necessary notices, for the Processing of US Personal Data by Dataiku in accordance with the Agreement.

5.8. Details of processing

The details of the Processing of US Personal Data under the Agreement (such as subject matter, nature and purpose of the Processing, categories of Personal Data and Data Subjects) are described in the Dataiku Cloud Terms and in Annex I to this DPA.

6.  US CONSUMER REQUESTS

6.1.  As between the Parties, Customer will have sole discretion and responsibility in responding to the rights asserted by an individual in relation to US Personal Data under US Data Protection Laws (each, a “US Consumer Request”).

6.2.  Dataiku shall, where possible and at Dataiku’s expense, provide Customer with reasonable assistance for Customer to fulfil its obligations to respond to US Consumer Requests.

6.3.  Dataiku will promptly forward to Customer without undue delay any US Consumer Request received by Dataiku or any Subprocessor and may advise the individual to submit their request directly to Customer.

7.  DEIDENTIFIED DATA

If Dataiku receives Deidentified Data from or on behalf of Customer that is subject to US Data Protection Laws, then Dataiku will:

(a) take reasonable measures to ensure the Deidentified Data cannot be associated with a Data Subject.

(b) publicly commit to Process the Deidentified Data solely in deidentified form and not to attempt to reidentify the information.

(c) contractually obligate any recipients of the Deidentified Data to comply with the foregoing requirements and US Data Protection Laws.

REQUIREMENTS FOR ALL CUSTOMER PERSONAL DATA:

8.  SUBPROCESSORS

8.1. Customer agrees that Dataiku may use the following as Subprocessors to Process Customer Personal Data:

8.2.  Customer agrees that Dataiku may use subcontractors to fulfil its contractual obligations under the Dataiku Cloud Terms and Customer generally authorises the engagement of third party Subprocessors. Dataiku shall notify Customer from time to time of the identity of any Subprocessors it engages. If Customer (acting reasonably) does not approve of a new Subprocessor, then without prejudice to any right to terminate the Agreement, Customer may request that Dataiku moves the Customer Personal Data to another Subprocessor and Dataiku shall, within a reasonable time following receipt of such request, use reasonable efforts to ensure that the Subprocessor does not Process any such Customer Personal Data. If it is not reasonably possible to use another Subprocessor, and Customer continues to object for a legitimate reason, either Party may terminate the Dataiku Cloud Terms on thirty (30) days written notice. If Customer does not object within thirty (30) days of receipt of the notice, Customer is deemed to have accepted the new Subprocessor.

8.3.  Except as set out in Sections 8.1 and 8.2, Dataiku shall not permit, allow or otherwise facilitate Subprocessors to Process Customer Personal Data without Customer’s prior written consent.

8.4. With respect to any Subprocessors engaged by Dataiku to Process Customer Personal Data, Dataiku shall:

(a) enter into a written agreement with the Subprocessor which imposes equivalent obligations on the Subprocessor with regard to their Processing of Customer Personal Data, as are imposed on Dataiku under this DPA; and

(b) at all times remain responsible for compliance with its obligations under the DPA and shall be liable to Customer for the acts and omissions of any Subprocessor as if they were Dataiku’s acts and omissions.

9.  DATA PROTECTION IMPACT ASSESSMENT

9.1.  To the extent required under applicable Applicable Data Protection Laws, Dataiku shall provide reasonable assistance to Customer with any data protection impact assessments and with any prior consultations to any Supervisory Authority or other regulatory authority with jurisdiction over Customer, in each case taking into account the nature of the Processing and information available to Dataiku.

10.  SECURITY

10.1.  Security Obligations.

(a)  Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Dataiku will implement and maintain the technical and organizational measures set out in ANNEX II. Customer acknowledges and agrees that these measures ensure a level of security that is appropriate to the risk.

(b) Upon request by Customer, Dataiku shall make available any information reasonably necessary to demonstrate compliance with this DPA.

10.2.  Security Incident Notification

If Dataiku becomes aware of a Security Incident, Dataiku will (a) notify Customer of the Security Incident within 72 hours; and (b) investigate the Security Incident and provide Customer (and any law enforcement or regulatory official) with reasonable assistance as required to investigate the Security Incident. Except as required by applicable law, the obligations set out in this Section 10.2 shall not apply to Security Incidents caused by Customer.

10.3.  Dataiku Employees and Personnel

Dataiku shall treat the Customer Personal Data as confidential, and shall ensure that any employees or other personnel have agreed in writing to protect the confidentiality and security of Customer Personal Data.

10.4. Audits

Dataiku will, upon reasonable request from Customer with at least 60 days’ prior notice, and no more than once per annum, allow for and contribute to audits, including inspections, conducted by Customer (or a third party auditor on behalf of, and mandated by, Customer) provided (i) such audits or inspections are not conducted more than once per year (unless requested by a Supervisory Authority); (ii) are conducted only during business hours; and (ii) are conducted to cause minimal disruption to Dataiku’s operations and business. Any expenses or costs associated with such audits or inspections shall be incurred by Customer.

10.5.  Government Disclosure

Dataiku shall notify the Customer of any request for the disclosure of any Customer Personal Data by a governmental or regulatory body or law enforcement authority (including any Supervisory Authority) unless otherwise prohibited by applicable law or a legally binding order of such body or agency.

11.  TERMINATION

11.1. Deletion of data

(a)  Following termination or expiration of the Agreement, Dataiku shall, in accordance with its obligations under the Agreement, delete all Customer Personal Data from Dataiku’s systems.

(b)  Notwithstanding the foregoing, Dataiku may retain Customer Personal Data (i) as required by applicable laws or (ii) in accordance with its standard backup or record retention policies, and always provided that Dataiku shall ensure the confidentiality of all such Customer Personal Data in accordance with this DPA and the Agreement and shall ensure that such Customer Personal Data is only Processed as necessary for the purpose(s) specified in such applicable laws and for no other purpose.

 

ANNEX I

DETAILS OF THE PROCESSING AND TRANSFER OF CUSTOMER PERSONAL DATA

A. LIST OF PARTIES

Data exporter

Customer

Customer’s name and contact details shall be as specified in the Agreement.

Activities relevant to the data transferred under these Clauses: Performance of the Cloud Service pursuant to the Agreement and as further described in the Dataiku Cloud Terms.

Role: Controller

Data importer

Dataiku’s entity name and contact details shall be as specified in the Agreement.

Activities relevant to the data transferred under these Clauses: Performance of the Cloud Service pursuant to the Agreement and as further described in the Dataiku Cloud Terms.

Role: Processor

B.  DESCRIPTION OF TRANSFER

Categories of data subjects whose personal data is transferred

Customer’s employees, personnel, authorized users and any other data subjects whose data Customer or its authorized users submits, transfers, loads or otherwise provides to Dataiku via the Cloud Service.

Categories of personal data transferred

Business-related datasets that Customer or its authorized users submits to the Cloud Service.

Special categories of personal data (if applicable):

The transferred personal data includes the following special categories of data:

N/A

The applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures are: 

N/A

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis):

The transfer is performed a continuous basis and is determined by Customer’s configuration of the Cloud Service.

Nature of processing:

The Customer Personal Data will be subject to the following basic processing activities: transmitting, collecting, storing and analyzing data in order to provide the Cloud Service to Customer, and any other activities related to the provision of the Cloud Service or specified in the Dataiku Cloud Terms.

Purposes of the data transfer and further processing:

to provide the Cloud Service to Customer pursuant to the Agreement.

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period:

For the term of the Agreement.

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing:

As stipulated in Section 8 of the DPA. The Subprocessors may have access to the Personal Data for the term of this DPA or until the service contract with the respective Sub-processor is terminated or the access by the Subprocessor has been excluded as agreed between Dataiku and Customer.

C.  COMPETENT SUPERVISORY AUTHORITY

Identify the competent supervisory authority/ies in accordance with clause 13 of the SCCs:

The competent supervisory authority is the supervisory authority specified in Section 3.2(c) of this DPA.

 

ANNEX II

TECHNICAL AND ORGANIZATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

1.  Dataiku maintains internal policies and procedures, or procures that its Subprocessors do so, which are designed to:

(a)    secure any Customer Personal Data Processed by Dataiku against accidental or unlawful loss, access or disclosure;

(b)    identify reasonably foreseeable and internal risks to security and unauthorised access to the Customer Personal Data Processed by Dataiku;

(c)    minimise security risks, including through risk assessment and regular testing.

2.  Dataiku will, and will use reasonable efforts to procure that its Subprocessors conduct periodic reviews of the security of their network and the adequacy of their information security program as measured against industry security standards and its policies and procedures.

3.  Dataiku will, and will use reasonable efforts to procure that its Subprocessors periodically evaluate the security of their network and associated Services to determine whether additional or different security measures are required to respond to new security risks or findings generated by the periodic reviews.

 

ANNEX III

LIST OF SUBPROCESSORS

For more information about Dataiku’s subprocessors, please refer to Section 8 of the DPA. The subprocessor’s contact information will be provided by Dataiku upon request.