Data Processing Addendum
This Data Processing Addendum (“DPA”) is made by and between Alation, Inc. (“Alation”), and Customer, pursuant to the Software as a Service Agreement or other written or electronic agreement between the parties (as applicable) (“Agreement“) and is effective at signing of such Agreement.
This DPA forms part of the Agreement and sets out the terms that apply when Personal Data is processed by Alation as a Processor under the Agreement. The purpose of the DPA is to ensure such processing is conducted in accordance with applicable laws and with due respect for the rights and freedoms of individuals whose Personal Data are processed. Capitalized terms used but not defined in this DPA have the same meanings as set out in the Agreement.
Definitions. For purposes of this DPA:
- “Data Protection Laws” means all applicable laws, regulations, and other legally binding requirements in any jurisdiction relating to privacy, data protection, data security, breach notification, or the Processing of Personal Data, including without limitation, to the extent applicable, the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq. and any associated regulations and amendments, including, when effective, the California Privacy Rights Act amendments (“CCPA”); the General Data Protection Regulation, Regulation (EU) 2016/679 (“GDPR”); the Swiss Federal Act on Data Protection (“FADP”); and the United Kingdom Data Protection Act of 2018 (“UK GDPR”). For the avoidance of doubt, if Alation’s Processing activities involving Personal Data are not within the scope of a given Data Protection Law, such law is not applicable for purposes of this DPA.
- “Data Subject” means an identified or identifiable natural person to whom Personal Data relates.
- “EU SCCs” means the Standard Contractual Clauses issued pursuant to Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, located at http://data.europa.eu/eli/dec_impl/2021/914/oj, and completed as set forth in Section 7 below.
- “Personal Data” includes “personal data,” “personal information,” “personally identifiable information,” and similar terms, that are processed by Alation in connection with providing services under the Agreement, and such terms shall have the same meaning as defined by applicable Data Protection Laws. For purposes of this Agreement, Personal Data does not include any “personal data,” “personal information,” or “personally identifiable information” that Alation processes as a data controller outside the scope of the Agreement.
- “Process” and “Processing” mean any operation or set of operations performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, creating, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
- “Security Breach” means any accidental or unlawful acquisition, destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
Scope and Purposes of Processing
- The scope, nature, purposes, and duration of the processing, the types of Personal Data Processed, and the Data Subjects concerned are set forth in this DPA, including its Schedule A. The details provided in Schedule A are deemed to satisfy any requirement to provide such details under any Data Protection Law.
- Alation will Process Personal Data solely: (1) to fulfill its obligations to Customer under the Agreement, including this DPA; (2) on Customer’s behalf pursuant to Customer’s instructions; and (3) in compliance with Data Protection Laws. Alation will not “sell” Personal Data (as such term in quotation marks is defined in applicable Data Protection Laws), “share” or Process Personal Data for purposes of “cross-context behavioral advertising” or “targeted advertising” (as such terms in quotation marks are defined in applicable Data Protection Laws), or otherwise Process Personal Data for any purpose other than for the specific purposes set forth herein or outside of the direct business relationship with Customer. Alation will not attempt to link, identify, or otherwise create a relationship between Personal Data and non-personal data or any other data without the express authorization of Customer.
- Customer will ensure that: (1) all such notices have been given, and all such authorizations have been obtained, as required under applicable Data Protection Laws, for Alation (and its Affiliates and sub-processors) to process Personal Data as contemplated by the Agreement and this DPA; (2) it has complied, and will continue to comply, with all applicable laws relating to privacy and data protection, including applicable Data Protection Laws; and (3) it has, and will continue to have, the right to transfer, or provide access to, Personal Data to Alation for processing in accordance with the terms of the Agreement and this DPA.
Personal Data Processing Requirements. Alation will:
- Ensure that the persons it authorizes to Process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
- Taking into account the nature of the processing, assist Customer by implementing appropriate technical and organizational measures to ensure that Customer may at any time respond to request(s) from Data Subjects exercising their rights under Data Protection Laws. Further, any such Data Subject request received by Alation will be referred to Customer promptly.
- Promptly notify Customer of (i) any third-party or Data Subject complaints regarding the Processing of Personal Data; or (ii) any government or Data Subject requests for access to or information about Alation’s Processing of Personal Data on Customer’s behalf unless prohibited by Data Protection Laws. Alation will provide Customer with reasonable cooperation and assistance in relation to any such request. If Alation is prohibited by applicable Data Protection Laws from disclosing the details of a government request to Customer, Alation shall inform Customer that it can no longer comply with Customer’s instructions under this DPA without providing more details and await Customer’s further instructions. Alation shall use all available legal mechanisms to challenge any demands for data access through national security process that it receives, as well as any non-disclosure provisions attached thereto.
- Provide reasonable assistance to and cooperation with Customer for Customer’s performance of a data protection impact assessment of Processing or proposed Processing of Personal Data, when required by applicable Data Protection Laws, and at Customer’s reasonable expense.
- Provide reasonable assistance to and cooperation with Customer for Customer’s consultation with regulatory authorities in relation to the Processing or proposed Processing of Personal Data, including complying with any obligation applicable to Alation under Data Protection Laws to consult with a regulatory authority in relation to Alation’s Processing or proposed Processing of Personal Data.
- Comply with any applicable restrictions under applicable Data Protection Laws on combining Personal Data with personal data received from, or on behalf of, another person or persons.
- Promptly notify Customer if it determines that (i) it can no longer meet its obligations under this DPA or applicable Data Protection Laws; (ii) it has breached the DPA, and will cooperate to remediate such breach; or (iii) in its opinion, an instruction from Customer infringes applicable Data Protection Laws.
- Alation certifies that it understands its obligations under this DPA (including without limitation the restrictions under Sections 2 and 3) and that it will comply with them.
- Alation will implement appropriate administrative, technical, physical, and organizational measures to protect Personal Data. These measures shall at a minimum comply with applicable law and include the measures identified in Schedule A. Customer acknowledges that Alation’s security measures are subject to technical progress and development and that Alation may update or modify the Security Measures from time to time, provided that such updates and modifications do not result in the degradation of the overall security of the Services purchased by the Customer.
- Customer is solely responsible for its use of the Services, including (a) making appropriate use of the Service to ensure a level of security appropriate to the risk in respect of Personal Data; (b) securing the account authentication credentials, systems and devices Customer uses to access the Service; and (c) backing up Personal Data.
Security Breach. Alation will notify Customer without undue delay (within 48 hours) of any validated Security Breach and will assist Customer in Customer’s compliance with its Security Breach-related obligations, including without limitation, by:
- Taking commercially reasonable steps to mitigate the effects of the Security Breach and reduce the risk to Data Subjects whose Personal Data was involved; and
- Providing Customer with the following information, to the extent known:
  - The nature of the Security Breach, including, where possible, how the Security Breach occurred, the categories and approximate number of Data Subjects concerned, and the categories and approximate number of Personal Data records concerned;
  - The likely consequences of the Security Breach; and
  - Measures taken or proposed to be taken by Alation to address the Security Breach, including, where appropriate, measures to mitigate its possible adverse effects.
- Customer acknowledges and agrees that Alation may use Alation affiliates and other Subprocessors (as defined in applicable Data Protection Laws) to Process Personal Data in accordance with the provisions within this DPA and Data Protection Laws. Where Alation sub-contracts any of its rights or obligations concerning Personal Data, including to any affiliate, Alation will take steps to select and retain Subprocessors that are capable of maintaining appropriate privacy and security measures to protect Personal Data consistent with applicable Data Protection Laws.
- Alation’s current list of Subprocessors is provided in Schedule B. Alation will maintain an up-to-date list of its Subprocessors, and it will provide Customer with thirty (30) days’ prior notice of any new Subprocessor added to the list. In the event Customer has a commercially reasonable objection to a new Subprocessor, Alation will use reasonable efforts to make available to Customer a change in the services, or to recommend a commercially reasonable change to Customer’s use of the services, to avoid Processing of Personal Data by the objected-to Subprocessor without unreasonably burdening the Customer. Customer may, in its sole discretion, terminate the Agreement in the event that Alation is not able to provide a reasonable change to cure Customer’s Subprocessor objection.
- Alation will not engage in any cross-border Processing of Personal Data, or transmit, directly or indirectly, any Personal Data to any country outside of the country from which such Personal Data was collected, without complying with applicable Data Protection Laws. Where Alation engages in an onward transfer of Personal Data, Alation shall ensure that a lawful data transfer mechanism is in place prior to transferring Personal Data from one country to another.
To the extent legally required, by signing this DPA, Customer and Alation are deemed to have signed the EU SCCs, which form part of this DPA and (except as described in Section 7(c) and (d) below) will be deemed completed as follows:
- Module 2 of the EU SCCs applies to transfers of Personal Data from Customer (as a controller) to Alation (as a processor);
- Clause 7 (the optional docking clause) is included;
- Under Clause 9 (Use of sub-processors), the Parties select Option 2 (General written authorization);
- Under Clause 11 (Redress), the optional language requiring that Data Subjects be permitted to lodge a complaint with an independent dispute resolution body shall not be deemed to be included;
- Under Clause 17 (Governing law), the Parties choose Option 1 (the law of an EU Member State that allows for third-Party beneficiary rights). The Parties select the laws of Ireland;
- Under Clause 18 (Choice of forum and jurisdiction), the Parties select the courts of Ireland;
- Annex I(A) and I(B) (List of Parties) is completed as set forth in Schedule A;
- Under Annex I(C) (Competent supervisory authority), the Parties shall follow the rules for identifying such authority under Clause 13 and, to the extent legally permissible, select the Irish Data Protection Commission;
- Annex II (Technical and organizational measures) is completed with Schedule A of this DPA; and
- Annex III (List of subprocessors) is not applicable as the Parties have chosen General Authorization under Clause 9.
- With respect to Personal Data transferred from the United Kingdom for which United Kingdom law (and not the law in any European Economic Area jurisdiction or Switzerland) governs the international nature of the transfer, the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (available as of the Effective Date at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf) (“UK SCCs”) forms part of this DPA and takes precedence over the rest of this DPA as set forth in the UK SCCs. Undefined capitalized terms used in this provision shall have the definitions given in the UK SCCs. For purposes of the UK SCCs, they shall be deemed completed as follows: (a) the Parties’ details shall be the Parties and their affiliates to the extent any of them is involved in such transfer; (b) the Key Contacts shall be the contacts set forth in Schedule A; (c) the Approved EU SCCs referenced in Table 2 shall be the EU SCCs as executed by the Parties; (d) either Party may end this DPA as set out in Section 19 of the UK SCCs; and (e) by entering into this DPA, the Parties are deemed to be signing the UK SCCs.
- For transfers of Personal Data that are subject to the FADP, the EU SCCs form part of this DPA as set forth in Section 7(b) of this DPA, but with the following differences to the extent required by the FADP: (1) references to the GDPR in the EU SCCs are to be understood as references to the FADP insofar as the data transfers are subject exclusively to the FADP and not to the GDPR; (2) references to personal data in the EU SCCs also refer to data about identifiable legal entities until the entry into force of revisions to the FADP that eliminate this broader scope; (3) the term “member state” in EU SCCs shall not be interpreted in such a way as to exclude Data Subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland) in accordance with Clause 18(c) of the EU SCCs; and (4) the relevant supervisory authority is the Swiss Federal Data Protection and Information Commissioner (for transfers subject to the FADP and not the GDPR), or both such Commissioner and the supervisory authority identified in the EU SCCs (where the FADP and GDPR apply, respectively).
Audits. To the extent required by applicable Data Protection Law, Alation shall make available all information necessary for Customer to confirm Alation’s compliance with this DPA. If Customer has a reasonable basis to conclude that such information provided by Alation is not satisfactory to confirm such compliance, Customer may, at Customer’s sole expense, upon thirty (30) days’ prior notice, conduct an audit during normal business hours of those Alation systems and records relevant to Alation’s Processing of Personal Data on Customer’s behalf. Customer shall limit its exercise of audit rights to not more than once in any twelve (12) calendar month period, unless (1) required by instruction of a Supervisory Authority; or (2) following a Security Breach.
Return or Destruction of Personal Data. Upon termination or expiry of the Agreement, Alation will (at Customer’s election and written request) delete or return to Customer all Personal Data (including copies) in its possession or control as soon as reasonably practicable and within a maximum period of 30 days of termination or expiry of the Agreement, save that this requirement will not apply to the extent that Alation is required by applicable law to retain some or all of the Personal Data, or to Personal Data it has archived on back-up systems, which Personal Data Alation will securely isolate and protect from any further processing, except to the extent required by applicable law.
- Notwithstanding anything else to the contrary in the Agreement, Alation reserves the right to make any modification to this DPA as may be required to comply with applicable Data Protection Laws.
- Except as amended by this DPA, the Agreement will remain in full force and effect.
- If there is a conflict between the Agreement and this DPA, the terms of this DPA will prevail.
- Any claims brought under this DPA shall be subject to the terms and conditions, including but not limited to, the exclusions and limitations, set forth in the Agreement.
- Notwithstanding anything in the Agreement or any order form entered in connection therewith, the parties acknowledge and agree that Alation’s access to Personal Data does not constitute part of the consideration exchanged by the parties in respect of the Agreement.
ANNEX I
A. LIST OF PARTIES
The exporter (Controller) is Customer and Customer’s contact details and signature are as provided in the Agreement and the DPA.
The importer (Processor) is Alation, Inc. and Alation’s contact details and signature are as provided in the Agreement and the DPA.
B. DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred:
Any data subjects contained in Data Exporter’s data being used in the services, as set out in the Agreement which describes the provision of services to the Customer.
Categories of personal data transferred:
Any Personal Data that is provided by Data Exporter to Data Importer in connection with the Agreement and the DPA.
Sensitive data transferred (if applicable): N/A
The frequency of the transfer (e.g., whether the data is transferred on a one-off or continuous basis):
On a continuous basis as needed to provide the Services to Customer for the term of the Agreement.
Nature of the processing:
The nature of the processing is set out in the Agreement between the parties.
Purpose(s) of the data transfer and further processing:
The purpose of the data transfer is for Vendor to provide its services pursuant to the Agreement.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period:
The data will be retained for the time period needed to accomplish the purposes of Processing, unless otherwise required by applicable law.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing:
Please see Schedule B for a list of our Subprocessors and the nature of the services they provide. All transfers will last for the duration of the Agreement between the parties.
C. COMPETENT SUPERVISORY AUTHORITY
Identify the competent supervisory authority/ies in accordance with Clause 13: The data exporter’s competent supervisory authority will be determined in accordance with applicable Data Protection Law, and where possible, will be the Irish Data Protection Commissioner.
ANNEX II - TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
Description of the technical and organisational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.
During the Agreement Term, when processing Personal Data on behalf of Customer in connection with the Services, Alation has implemented and shall maintain appropriate technical and organizational security measures for the processing of such data, including the measures specified in this Schedule to the extent applicable to Alation’s processing of Personal Data.
(a) Alation implements and maintains a working network firewall to protect data accessible via the Internet and will keep all Personal Data protected by the firewall at all times.
(b) Alation manages risk and keeps its systems and software up to date with the latest upgrades, updates, bug fixes, new versions, and other modifications necessary to ensure the security of Personal Data.
(c) Alation uses anti-malware software and keeps the anti-malware software up to date.
Alation requires annual security and privacy training for all employees with access to Personal Data.
Alation’s services and data are hosted in AWS’s facilities in the USA and protected by AWS in accordance with their security protocols.
(a) Alation assigns a unique ID to each employee and leverages an Identity Provider to manage access to systems processing Personal Data.
(b) All access to systems processing Personal Data is protected by Multi-Factor Authentication (MFA).
(c) Alation restricts access to Personal Data to only those people with a “need-to-know” for a Permitted Purpose and following least privileges principles.
(d) Alation reviews the list of people and systems with access to Personal Data quarterly and removes accounts upon termination of employment or a change in job status that results in employees no longer requiring access to Personal Data.
(e) Alation mandates and ensures the use of system-enforced “strong passwords” in accordance with the best practices (described below) on all systems hosting, storing, processing, or that have or control access to Personal Data and will require that all passwords and access credentials are kept confidential and not shared among personnel. Password best practices are implemented by Alation’s Identity Provider. Passwords must meet the following criteria:
- contain at least 12 characters;
- contain lowercase and uppercase letters, numbers, and a special character; and
- not be part of a vendor-provided list of common passwords.
(f) Alation maintains and enforces “account lockout” by disabling accounts with access to Personal Data when an account exceeds ten (10) consecutive incorrect password attempts.
(g) Alation does not operate any internal corporate network. All access to Alation resources is protected by strong passwords and MFA.
(h) Alation monitors its production systems and implements and maintains security controls and procedures designed to prevent, detect and respond to identified threats and risks.
(i) Strict privacy controls exist in the application code that are designed to ensure data privacy and to prevent one customer from accessing another customer’s data (i.e., logical separation).
(a) Background Checks. Alation conducts at its expense a criminal background investigation on all employees who are to perform material aspects of the Services under this Agreement.
(b) Security Policy and Confidentiality. Alation requires all employees to acknowledge in writing, at the time of hire, they will adhere to terms that are in accordance with Alation’s security policy and to protect all Personal Data at all times. Alation requires all employees to sign a confidentiality statement at the time of hire.
(a) All Personal Data is permanently stored in the same region in which Customer is located, and is backed up for disaster recovery.
(b) Alation relies on a reputable Infrastructure-As-A-Service provider. Alation leverages their portfolio of globally redundant services to ensure Services run reliably. Alation benefits from the ability to dynamically scale up, or completely re-provision its infrastructure resources on an as-needed basis, across multiple geographical areas, using the same vendor, tools, and APIs. Alation’s infrastructure scales up and down on demand as part of day-to-day operations and does so in response to any changes in our Customers’ needs. This includes not just compute resources, but storage and database resources, networking, security, and DNS. Every component in Alation’s infrastructure is designed and built for high availability.
(c) Alation’s data security, high availability, and built-in redundancy are designed to ensure application availability and protect information from accidental loss or destruction. Service restoration is within commercially reasonable efforts and is performed in conjunction with AWS’ ability to provide adequate infrastructure at the prevailing failover location. All of Alation’s recovery and resilience mechanisms are tested regularly and processes are updated as required.
(d) Alation operates a dedicated 24×7 on-call incident management function, ready to immediately respond to, and mitigate, any Customer impacting issues. This is supported by Alation’s broader internal Availability program which is dedicated to ensuring Alation maintains their system availability.
(e) Alation has no direct reliance on specific office locations to sustain operations. All operational access to production resources can be exercised at any location on the Internet. Alation leverages a range of best-of-breed technologies and other critical cloud tools to deliver uninterrupted remote work for all employees.
(f) All Personal Data deleted by Alation is deleted from datastores in accordance with NIST Special Publication 800-88 Revision 1, Guidelines for Media Sanitization, December 18, 2014 (available at http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-88r1.pdf). With respect to Personal Data encrypted in compliance with this security policy, this deletion may be done by permanently and securely deleting all copies of the keys used for encryption.
Alation has implemented a formal procedure for handling security events. When security events are detected they are escalated to an emergency alias, relevant parties are paged, notified and assembled to rapidly address the event. After a security event is contained and mitigated, relevant teams write up a post-mortem analysis, which is reviewed in person and distributed across the company and includes action items that will make the detection and prevention of a similar event easier in the future.
(a) Personal Data is stored in dedicated datastores.
(b) All data sent to or from Alation is encrypted in transit using TLS 1.2.
(c) Personal Data is encrypted at rest using 256-bit encryption, leveraging current industry standard technology.
(d) All Alation datastores used to process Personal Data are configured and patched using commercially reasonable methods according to industry-recognized system-hardening standards.
Alation regularly tests its security systems and processes to ensure they meet the requirements of this security policy and ensures that the physical and environmental security controls are audited by an external party.
(a) Return or Deletion. Alation will permanently and securely delete all live (online or network accessible) instances of the Personal Data within 90 days upon Customer’s in-app deletion request.
(b) Archival Copies. When required by law to retain archival copies of Personal Data for tax or similar regulatory purposes, this archived Personal Data is stored as a “cold” or offline (i.e., not available for immediate or interactive use) backup stored in a physically secure facility.
(a) Application Scans. Alation performs periodic (but no less than once per month) application vulnerability scans. Vulnerabilities shall be remediated on a risk basis.
(b) Third-party penetration tests. Alation employs an independent third-party vendor to conduct periodic (but no less than once per year) penetration tests on its web properties.
Prior to engaging new third-party service providers or vendors who will have access to Alation Data, Alation conducts a risk assessment of vendors’ data security practices.
Alation uses continuous automation for application and operating system deployment for new releases. Integration testing and unit testing are done upon every build with safeguards in place for availability and reliability. Alation has a process for critical emergency fixes that can be deployed to Customers within minutes. As such, Alation can roll out security updates as required based on criticality.