Alation Data Privacy Addendum for Customers

Version: March 15, 2024

This Data Privacy Addendum (“DPA”) is incorporated into and forms part of the Master Cloud Software License and Services Agreement (jointly the “Agreement”) between Customer and Alation. Unless otherwise defined in this DPA, capitalized terms will have the meaning given to them in the Agreement.

1. Definitions. For purposes of this DPA:

1.1 “Business”, “Controller”, “Process”, “Processing”, “Processor”, “Service Provider” (or equivalent terms) shall have the meanings set forth in the Data Privacy Laws.

1.2 “Data Breach” means any accidental or unlawful acquisition, destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.

1.3 “Data Privacy Laws” means all applicable laws, regulations, and other legal requirements relating to privacy, data protection, data security, breach notification, as applicable to Alation’s Processing of Customer Personal Data under the Agreement, including without limitation, the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq., and any amendments thereto (“CCPA”), the General Data Protection Regulation (“GDPR”), the Swiss Federal Data Protection Act, and the United Kingdom Data Protection Act of 2018 (“UK Privacy Act”).

1.4 “Data Subject” means an identified or identifiable natural person to whom Personal Data relates.

1.5 “Personal Data” includes “personal data”, “personal information”, “personally identifiable information”, and similar terms, and such terms shall have the same meaning as defined by Data Privacy Laws, that is Processed by Alation in connection with providing Services.

1.6 “SCCs” means Standard Contractual Clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and the Council approved by European Commission Implementing Decision (EU) 2021/914 of 4 June 2021, as currently set forth at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj, with the annexes to them completed as set forth in Schedule A to this DPA.

1.7 “Services” means the cloud computing services delivered by Alation under the Agreement.

2. Scope and Purposes of Processing

2.1 Subject to the applicable Data Privacy Laws, Customer is a Controller or Business and Alation is a Processor or Service Provider with respect to Alation’s Processing of Customer Personal Data to provide Services under the Agreement. This DPA applies to Alation’s Processing of Personal Data on Customer’s or Customer Affiliate’s behalf (as applicable).

2.2 The details of Processing are set forth in Schedule A to this DPA.

2.3 Alation will Process Personal Data solely: 

a. on Customer’s or Customer Affiliate’s behalf; 

b. to fulfill its obligations under the Agreement; and

c. in compliance with Data Privacy Laws. 

2.4 Alation will not “sell” (as such term is defined in applicable Data Privacy Laws) Customer Personal Data or otherwise Process Customer Personal Data for any purpose other than for the specific purposes set forth herein.

3. Personal Data Processing Requirements. Alation will: 

3.1 Ensure that the persons it authorizes to Process Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. 

3.2 Upon Customer’s written request and at Customer’s reasonable expense, assist Customer in the fulfillment of Customer’s obligations to respond to requests by Data Subjects for exercising their rights under Data Privacy Laws, unless such functionality and/or information is readily available to Customer in the Services.

3.3 Promptly notify Customer of 

a. any third-party or Data Subject complaints regarding the Processing of Customer Personal Data; or

b. any governmental or Data Subject requests for access to or information about Alation’s Processing of Customer Personal Data on Customer’s behalf, unless prohibited by applicable laws. Alation will provide Customer with reasonable cooperation and assistance in relation to any such request. If Alation is prohibited by applicable laws from disclosing the details of a governmental request to Customer, Alation shall inform Customer that it can no longer comply with Customer’s instructions under this DPA, without providing more details, and await Customer’s further instructions.

3.4 Provide reasonable assistance to Customer at Customer’s reasonable expense for Customer’s performance of a data protection impact assessment of Processing or proposed Processing of Customer Personal Data under the Agreement, when required by Data Privacy Laws.

3.5 Provide reasonable assistance to Customer for Customer’s consultation with regulatory authorities in relation to Processing or proposed Processing of Customer Personal Data under the Agreement, including complying with any obligation applicable to Alation under Data Privacy Laws to consult with a regulatory authority.

4. Data Security. Alation will assist Customer in its compliance with the security obligations arising out of Data Privacy Laws, as relevant to Alation’s role as a Processor or Service Provider and the nature of Processing under the Agreement, by implementing technical and organizational measures that comply with those set forth in Annex II of Schedule A to this DPA, without prejudice to Alation’s right to make future replacements or updates to the measures that do not materially lower the agreed level of protection.

5. Data Breach. Alation will notify Customer without undue delay of any confirmed Data Breach and will assist Customer in the compliance with its Data Breach-related obligations, including, without limitation, by:

5.1 Taking steps to mitigate the effects of Data Breach and reduce the risk to Data Subjects whose Personal Data was involved; and

5.2 Providing Customer with the following information, to the extent known: 

a. The nature of Data Breach, including, where possible, how Data Breach occurred, the categories and approximate number of Data Subjects concerned, and the categories and approximate number of Personal Data records concerned;

b. The likely consequences of Data Breach; and

c. Measures taken or proposed to be taken by Alation to address Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.

5.3 Alation’s obligation to report a Data Breach under this DPA is not and will not be construed as an acknowledgement by Alation of any fault or liability of Alation with respect to such Data Breach. Customer is solely responsible for determining whether to notify impacted Data Subjects and for providing such notice, and for determining whether relevant supervisory authorities need to be notified of a Data Breach as may be required for Customer’s own business and activities.

6. Subprocessors

6.1 Customer acknowledges and agrees that Alation may use Affiliates and other subprocessors to Process Customer Personal Data in accordance with the Agreement and Data Privacy Laws. 

6.2 Alation will take steps to select and retain subprocessors that are capable of maintaining appropriate privacy and security measures to protect Customer Personal Data consistent with the Agreement and Data Privacy Laws.

6.3 Alation’s current subprocessors are listed at https://www.alation.com/subprocessors. Alation will maintain an up-to-date list of its subprocessors, and it will provide Customer with thirty (30) days’ prior notice of any new subprocessor. In the event Customer has a commercially reasonable objection to a new subprocessor, Alation will use reasonable efforts to make available to Customer a change in Services or recommend a commercially reasonable change to Customer’s use of Services to avoid Processing of Customer Personal Data by the objected-to subprocessor without unreasonably burdening Customer. Customer may, in its sole discretion, terminate the Agreement if Alation is not able to provide a reasonable change to cure Customer’s objection.

7. Data Transfers

7.1 Alation will comply with all applicable Data Privacy Laws, as applicable to Alation in its role as provider of Services. 

7.2 Customer will comply with all applicable Data Privacy Laws relevant to use of Services, including by obtaining any consents and providing any notices required under Data Privacy Laws. Customer will ensure that it and its Affiliates are entitled to transfer Personal Data to Alation so that Alation and its subprocessors may lawfully Process such Personal Data in accordance with the Agreement.

7.3 Customer authorizes Alation and its subprocessors to make international transfers of Customer Personal Data in accordance with this DPA.

7.4 With respect to Personal Data transferred from the European Economic Area, SCCs incorporated herein will form part of this DPA and take precedence, as set forth in the SCCs. The following provisions will apply to SCCs:

a. Module 2 of SCCs applies to transfers of Personal Data from Customer (as a Controller) to Alation (as a Processor) and Module 3 applies to transfers of Personal Data from Customer (as a Processor) to Alation (as a subprocessor).

b. Clause 7 (The optional docking clause) is included;

c. Under Clause 9 (Use of subprocessors), the Parties select Option 2 (General written authorization);

d. Under Clause 11 (Redress), the optional language requiring that Data Subjects be permitted to lodge a complaint with an independent dispute resolution body shall not be deemed to be included;

e. Under Clause 17 (Governing law), the Parties choose Option 1 (the law of an EU Member State that allows for third-Party beneficiary rights). The Parties select the laws of The Netherlands;

f. Under Clause 18 (Choice of forum and jurisdiction), the Parties select the courts of The Netherlands;

g. Annex I(A) (List of Parties) and Annex I(B) (Description of Transfer) are completed as set forth in Schedule A to this DPA;

h. Under Annex I(C) (Competent supervisory authority), the Parties shall follow the rules for identifying such authority under Clause 13;

i. Annex II (Technical and organizational measures) is completed as set forth in Exhibit A to the Agreement (Security Policy); and

j. Annex III (List of subprocessors) is not applicable as the Parties have chosen General Authorization under Clause 9. Alation’s subprocessor list can be viewed as described in section 6 (“Subprocessors”) of this DPA.

7.5 With respect to Personal Data transferred from the United Kingdom for which the UK law applies, the International Data Transfer Addendum to SCCs (as currently set forth at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf) (“UK Addendum”) shall form part of this DPA and take precedence. The UK Addendum shall be deemed completed as follows:

a. Each Party shall be deemed to have signed the UK Addendum;

b. SCCs shall be deemed amended as specified by the UK Addendum in respect of the transfer of Customer Personal Data;

c. In Table 1 of the UK Addendum, the Parties’ key contact information is located in Annex I of Schedule A to this DPA;

d. In Table 2 of the UK Addendum, information about the version of SCCs, modules and selected clauses which the UK Addendum is appended to is located in section 7(c) of this DPA;

e. In Table 3 of the UK Addendum:

f. The list of parties and the description of transfer are located in Annex I of Schedule A to this DPA;

g. Annex II is set forth in Schedule A to this DPA; and

h. The list of subprocessors is set forth in section 6 (“Subprocessors”) of this DPA.

i. In Table 4 of the UK Addendum, both the importer and the exporter may end the UK Addendum in accordance with its terms (and the respective box for each is deemed checked).

7.6 With respect to Personal Data transferred from Switzerland for which Swiss law applies, references to GDPR in Clause 4 of SCCs are, to the extent legally required, amended to refer to the Swiss Federal Data Protection Act as amended or replaced, and the supervisory authority shall mean the Swiss Federal Data Protection and Information Commissioner.

8. Additional safeguards for transfer and Processing of Personal Data from the EEA, the United Kingdom and Switzerland. To the extent that Alation Processes Customer Personal Data of Data Subjects located in or subject to the applicable Data Protection Laws of the European Economic Area, the United Kingdom or Switzerland, Alation agrees to the following safeguards to protect such data to an equivalent level as applicable Data Protection Laws:

8.1 Customer and Alation shall encrypt all transfers of Customer Personal Data between them, and Alation shall encrypt any onward transfers it makes of Customer Personal Data, to prevent the acquisition of such data by unauthorized third parties who may gain physical access to the transmission mechanisms (e.g., wires and cables) while the data is in transmission.

8.2 Alation represents and warrants that:

a. As of the date of this DPA, it has not received any directive under Section 702 of the U.S. Foreign Intelligence Surveillance Act, codified at 50 U.S.C. § 1881a (“FISA Section 702”).

b. No court has found Alation to be the type of entity eligible to receive process issued under FISA Section 702: (i) an “electronic communication service provider” within the meaning of 50 U.S.C § 1881(b)(4) or (ii) a member of any of the categories of entities described within that definition.

c. It is not the type of provider that is eligible to be subject to upstream collection (“bulk collection”) pursuant to FISA Section 702, as described in paragraphs 62 & 179 of the judgment in the EU Court of Justice Case C-311/18, Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems ("Schrems II"), and that therefore the only FISA Section 702 process it could be eligible to receive, if it is an “electronic communication service provider” within the meaning of 50 U.S.C § 1881(b)(4), would be based on a specific “targeted selector” i.e., an identifier that is unique to the targeted endpoint of communications subject to the surveillance.

8.3 Alation will not comply with any request under FISA Section 702 for bulk surveillance, i.e., a surveillance demand whereby a targeted account identifier is not identified via a specific “targeted selector” (an identifier that is unique to the targeted endpoint of communications subject to the surveillance).

8.4 Alation will use all commercially reasonable legal mechanisms to challenge any demands for data access through a national security process it receives as well as any non-disclosure provisions attached thereto. 

8.5 Alation will take no action pursuant to U.S. Executive Order 12333.

8.6 At 12-month intervals or more often if so required by Data Privacy Laws and upon Customer’s prior written request Alation shall provide information indicating the types of binding legal demands for the Customer Personal Data it has received, including national security orders and directives, which shall encompass any process issued under FISA Section 702. 

8.7 Alation will promptly notify Customer if Alation can no longer comply with SCCs or this DPA. Alation shall not be required to provide Customer with specific information about why it can no longer comply, if providing such information is prohibited by applicable law. Such notice shall entitle Customer to terminate the Agreement (or, at Customer’s option, affected Order or Statement of Work) and receive a pro-rata refund of any prepaid amounts thereunder.

9. Audits. Within a reasonable timeframe and not more than once per calendar year, Alation shall make available to Customer and any auditor mandated by Customer the information reasonably necessary to demonstrate Alation’s compliance with its obligations in this DPA. Alation shall provide assistance by allowing inspection of relevant documents or records, to the extent such information directly relates to the transaction records for Services. Unless otherwise agreed in the Agreement, upon thirty (30) days advance notice, during regular business hours, subject to the confidentiality provisions of the Agreement and at Customer’s cost, Alation shall allow Customer (or any auditor mandated by Customer) to conduct an on-site audit of the procedures relevant to the protection of Customer Personal Data.

10. Return or Destruction of Personal Data. Except to the extent required otherwise by applicable laws, Alation will, at Customer’s choice and upon Customer’s written request, return to Customer and/or securely destroy all Customer Personal Data upon such request or at termination of the Agreement. 

11. Survival. The provisions of this DPA will survive the termination or expiration of the Agreement as long as Alation or its subprocessors Process Customer Personal Data and required by Data Privacy Laws.

Schedule A

ANNEX I

A. LIST OF PARTIES

Data exporter(s)

The data exporter is Customer whose information is contained in the applicable Order. The data exporter is Controller. The applicable activities are those set forth in the Agreement.

Data importer(s): 

The data importer is Alation, as identified in the applicable Order. The data importer is Processor. The applicable activities are those set out in the Agreement.

B. DESCRIPTION OF TRANSFER

Categories of data subjects whose personal data is transferred:

Categories of data subjects whose Personal Data are processed are authorized users of Services and include, among others, Customer’s and its Affiliates’ employees and contractors (Named Users). 

Categories of personal data transferred:

The categories of Personal Data transferred include: contact information, employment information, user account information.  

Specifically, the Personal Data transferred includes: IP address, usage data, name, email address, phone number, company name, job title, username.

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures:

Alation does not intentionally process "special categories" of Personal Data.

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis):

Continuous for the length of time that Alation provides Services.

Nature of the processing:

Customer provides Personal Data to Alation to store and use the data to provide Services in providing data intelligence solutions.

Purpose(s) of the data transfer and further processing:

For Alation to provide Services as a data processor under the Agreement.

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period:

Personal Data will be retained for the length of the Agreement or in accordance with applicable Data Privacy Laws.

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing:

Please see section 6 (“Subprocessors”) of the DPA for information about how to access a list of Alation’s subprocessors and the nature of the services they provide. All transfers will last for the duration of the Agreement or in accordance with applicable Data Privacy Laws.

C. COMPETENT SUPERVISORY AUTHORITY

Identify the competent supervisory authority/ies in accordance with Clause 13:

As set forth in Clause 13 of SCCs.

ANNEX II - TECHNICAL AND ORGANIZATIONAL MEASURES INCLUDING TECHNICAL AND ORGANIZATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

When processing Customer Personal Data to deliver Services, Alation has implemented and will maintain the appropriate technical and organizational measures for Processing of such data, including the measures specified in the Alation Security Policy as set forth in Exhibit A to the Agreement found at https://www.alation.com/msa/, unless otherwise agreed by the Parties.