This GDPR Data Processing Addendum ("GDPR DPA") is an addendum to the ScaleGrid End User License (EULA) and Terms of Service Agreement ("Service Agreement"), available here entered into by and between you (hereinafter referred to as "Customer") and ScaleGrid, Inc., a Washington State corporation located at 2225 E Bayshore Rd, Palo Alto, CA 94303 on behalf of itself and its Affiliates (hereinafter referred to as "ScaleGrid"). Customer and ScaleGrid shall be referred to jointly as the "Parties" and individually as a "Party". Pursuant to the Service Agreement, Processor provides to Controller certain database management and hosting services (the "Services").
This GDPR DPA is effective, as applicable:
With respect to the General Data Protection Regulation ((EU) 2016/679) and any applicable national implementing laws ("GDPR"):
- 1. May 25, 2018 to any Customer who has signed up for our Services on or before that date; or
- 2. the date on which Customer signed up for our Services and agreed to the EULA, Service Agreement, and this GDPR DPA, if such date is after May 25, 2018.
This GDPR DPA will only apply to the extent that the Data Protection Legislation applies to the processing of Customer Personal Data (defined below), including if:
- 1. the processing is in the context of the activities of an establishment of Customer in the EEA; and/or
- 2. Customer Personal Data is personal data relating to data subjects who are in the EEA and the processing relates to the offering to them of goods or services or the monitoring of their behavior in the EEA.
- 1. The Customer and ScaleGrid entered into the Service Agreement that may require the ScaleGrid to process Personal Data on behalf of the Customer.
- 2. This GDPR DPA sets out the additional terms, requirements and conditions on which the Processor will process Personal Data when providing services under the Service Agreement. This GDPR DPA contains the mandatory clauses required by Article 28(3) of the General Data Protection Regulation ((EU) 2016/679) for contracts between Controllers and Processors.
- 1. DEFINITIONS AND INTERPRETATION. The following definitions and rules of interpretation apply in this GDPR DPA; other definitions have the meaning given to them elsewhere in this GDPR DPA.
- 1.1 Definitions:
- a. Adequate Country: means a country or territory that the recognized under Data Protection Legislation from time to time as providing adequate protection for Personal Data.
- c. Data Subject, Special Categories, Controller, Processor, Sub-Processor, Personal Data, Process, and Processing: have the meanings giving in the Data Protection Legislation.
- d. Data Protection Legislation: the General Data Protection Regulation ((EU) 2016/679) and any applicable national implementing laws, regulations and secondary legislation in England and Wales relating to the processing of Personal Data and the privacy of electronic communications, as amended, replaced or updated from time to time, including the Privacy and Electronic Communications Directive (2002/58/EC) and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2003/2426).
- e. Personal Data Breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.
- f. Standard Contractual Clauses (SCC): the European Commission's Standard Contractual Clauses for the transfer of Personal Data from the European Union to Processors established in third countries (Controller-to-Processor transfers), as set out in the Annex to Commission Decision 2010/87/EU, a completed copy of which comprises Annex C.
- 1.2 This GDPR DPA is subject to the terms of the Service Agreement and is incorporated into the Service Agreement. Interpretations and defined terms set forth in the Service Agreement apply to the interpretation of this GDPR DPA. Except as amended by this GDPR DPA, the Serviced Agreement will remain in full force and effect. If there is a conflict between the Service Agreement and this GDPR DPA, the terms of this GDPR DPA will control. Any claims brought under this GDPR DPA shall be subject to the terms and conditions, including but not limited to, the exclusions and limitations set forth in the Service Agreement.
- 1.3 The Annexes form part of this GDPR DPA and will have effect as if set out in full in the body of this GDPR DPA. Any reference to this GDPR DPA includes the Annexes.
- 1.4 A reference to writing or written includes faxes and email.
- 1.5 In the case of conflict or ambiguity between:
- (a) any provision contained in the body of this GDPR DPA and any provision contained in the Annexes, the provision in the body of this GDPR DPA will prevail;
- (b) the terms of any accompanying invoice or other documents annexed to this GDPR DPA and any provision contained in the Annexes, the provision contained in the Annexes will prevail;
- (c) any of the provisions of this GDPR DPA and the provisions of the Service Agreement, the provisions of this GDPR DPA will prevail; and
- (d) any of the provisions of this GDPR DPA and any executed SCC, the provisions of the executed SCC will prevail.
- 2. PERSONAL DATA TYPES; PROCESSING PURPOSES; AND CUSTOMER'S INSTRUCTIONS
- 2.1 Relationship. The Customer and ScaleGrid acknowledge that for the purpose of the Data Protection Legislation, the Customer is a Controller or Processor and ScaleGrid is the Processor of Customer Personal Data. Customer retains control of the Customer Personal Data and remains responsible for its compliance obligations under the applicable Data Protection Legislation, including providing any required notices and obtaining any required consents, and for the processing instructions it gives to ScaleGrid. Except as set forth herein, all provisions of the Services Agreement apply to this GDPR DPA, including the limitations of liability.
- 2.2 Personal Data And Processing Purposes. Annex A describes the subject matter, duration, nature and purpose of processing and the Personal Data categories and Data Subject types in respect of which ScaleGrid may process to provide the Services pursuant to the Service Agreement. Customer acknowledges that it determines the categories of Personal Data, if any, that it processes through the Services.
- 2.3 Customer's Instructions. Customer hereby instructs ScaleGrid to (i) process Customer's Personal Data for the purposes of providing services under the Service Agreement; and (ii) transfer Customer's Personal Data to any country or territory, all as necessary for the provision of the Services, subject to the provisions in this GDPR DPA. Customer authorizes ScaleGrid to instruct each Sub-Processor within the scope of the above or any other future instruction from Customer.
- 2.4 Warranty And Authorization. Customer warrants and represents that its use of the Services and ScaleGrid's use of the Personal Data as permitted by this GDPR DPA will comply with the Data Protection Legislation. Customer further warrants and represents that it is and will at all relevant times remain duly and effectively authorized to give the instructions on behalf of each relevant Customer Affiliate, if applicable. If Customer is a Processor, Customer represents and warrants that Customer's instructions and actions with respect to Customer Personal Data, including the appointment of ScaleGrid as another Processor, have been authorized by the relevant Controller.
- 2.5 Customer's Security Responsibilities And Assessment.
- (a) Customer agrees that, without prejudice to ScaleGrid's obligations under Sections 4 (Security) and 5 (Personal Data Breach): (i) Customer is solely responsible for its use of the Services, including: (1) making appropriate use of the Services to ensure a level of security appropriate to the risk in respect of Customer Personal Data that Customer chooses to process through the Services (e.g., choosing whether or not to encrypt the Customer Personal Data); and (2) securing the account authentication credentials, systems, and devices Customer uses to access the Processor Services; and (ii) ScaleGrid has no obligation to protect Customer Personal Data that Customer elects to store or transfer outside of ScaleGrid's and its Sub-Processors' systems (for example, if you use the Services in connection with Customer's own hosting environment, whether provided by Customer directly or through a third party, ScaleGrid is not responsible for that environment).
- (b) Customer acknowledges and agrees that the security measures implemented and maintained by ScaleGrid as described in Section 4 provide a level of security appropriate to the risk in respect to the Customer Personal Data that Customer chooses to process through the Service.
- (c) If Customer uses the Services in connection with a cloud services provider, such as Amazon Web Services where Customer (and not ScaleGrid) has a direct contractual relationship which that provider, then Customer must enter into a direct data processing agreement with that vendor, if required by the Data Protection Legislation, and this GDPR DPA does not apply to that processing.
- 3. SCALEGRID'S OBLIGATIONS
- 3.1 Processing Instructions. ScaleGrid will only process the Personal Data to the extent, and in such a manner, as is necessary for providing the Services in accordance with the Customer's documented or written instructions (including as set forth in this GDPR DPA). ScaleGrid will not process the Personal Data for any other purpose or in a way that does not comply with this GDPR DPA or the Data Protection Legislation, unless required by applicable laws. ScaleGrid shall notify Customer if, in its opinion, Customer's instruction would not comply with the Data Protection Legislation. An instruction, approval, request or similar, given via the ScaleGrid online platform is considered a documented or written data processing instruction from Customer.
- 3.2 ScaleGrid shall use commercially reasonable efforts to promptly comply, within 30 days, with any Customer request or instruction requiring the ScaleGrid to amend, transfer, delete or otherwise process the Personal Data, or to stop, mitigate or remedy any unauthorized processing, to the extent required by the Data Protection Legislation.
- 3.3 Assistance. ScaleGrid will reasonably assist Customer, at Customer's expense based on ScaleGrid's standard rates, with meeting Customer's compliance obligations under the Data Protection Legislation, taking into account the nature of ScaleGrid's processing and the information available to ScaleGrid, including in relation to Data Subject rights, data protection impact assessments and reporting to and consulting with supervisory authorities under the Data Protection Legislation. The scope of such assistance shall be limited to the processing of the Customer Personal Data by ScaleGrid.
- 4. SECURITY
- 4.1 Personnel. ScaleGrid shall ensure that all employees or contractors ("ScaleGrid Personnel") of ScaleGrid who may have access to the Customer Personal Data, have such access only as necessary for the purposes of providing the Services and complying with applicable laws. Furthermore, all ScaleGrid Personnel shall be subject to confidentiality undertakings or professional or statutory obligations of confidentiality.
- 4.2 Technical And Organizational Security Measures. ScaleGrid shall in relation to the Customer Personal Data implement, or provide options for Customer to implement, appropriate technical and organizational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to the GDPR. In assessing the appropriate level of security, each Party shall take into account the risks that are presented by processing, in particular from a Personal Data Breach. ScaleGrid's current security measures are described in Annex B, attached hereto, which ScaleGrid may modify from time to time provided that such modifications do not result in degradation of the overall security of the Services. For the avoidance of doubt, Customer determines the categories of Personal Data, if any, that are processed by the Services, and where ScaleGrid makes available different security options (e.g., whether or not to encrypt certain data), Customer is solely responsible for, and shall fully indemnify, defend, and hold ScaleGrid harmless from such choices.
- 4.3 Confidentiality. ScaleGrid will take appropriate steps to maintain the confidentiality of all Personal Data and will not disclose Personal Data to third parties unless Customer or this GDPR DPA specifically authorizes the disclosure, or as required by law. If a law, court, regulator or supervisory authority requires ScaleGrid to process or disclose Personal Data, ScaleGrid shall first inform Customer of the legal or regulatory requirement and give the Customer an opportunity to object or challenge the requirement, unless the law prohibits such notice.
- 5. PERSONAL DATA BREACH
- 5.1 Notification. ScaleGrids shall notify Customer without undue delay, and within 36 hours, upon Processor becoming aware of a Personal Data Breach affecting Customer Personal Data. ScaleGrid shall provide Customer with sufficient information to the extent in the possession of ScaleGrid to allow Customer to meet any obligations to report or inform Data Subjects or Data Protection authorities of the Personal Data Breach under the Data Protection Legislation. Customer shall not issue any public statements regarding ScaleGrid unless ScaleGrid has first agreed in writing to the issuance of the public statement. Customer shall notify ScaleGrid in advance of any written statements it makes to regulators or law enforcement regarding ScaleGrid, unless otherwise prohibited by law. ScaleGrid's notification of or response to a Data Breach shall not be construed as acknowledgement by ScaleGrid of any fault or liability with respect to the Data Breach.
- 5.2 Cooperation. ScaleGrid shall cooperate with Customer and take such commercially reasonable steps as are directed by Customer to assist in the investigation, mitigation and remediation of each such Personal Data Breach, at Customer's sole expense, to the extent required by Data Protection Legislation.
- 5.3 Remediation. Notwithstanding the above, ScaleGrid may take any steps to remediate or respond to Personal Data Breach, as required by applicable law, including providing notifications to the data subjects and/or relevant authorities.
- 6. CROSS-BORDER TRANSFERS OF PERSONAL DATA
ScaleGrid is located in the United States and to the extent any processing of Personal Data of Data Subjects located in the EEA by ScaleGrid takes place in any country outside the EEA (other than exclusively in an Adequate Country), there must be a lawful basis for this transfer as required by the Data Protection Legislation. The Customer undertakes that it has received and can demonstrate that it has received the necessary consents and authorizations from the respective data subjects for the transfer of personal data to a country outside the EEA (other than to an Adequate Country). To the extent that the Customer does not wish to rely on consent for the transfer, it may request ScaleGrid [EMAIL] provide a draft of the Standard Contract Clauses, in the form set out at Annex C. These Standard Contract Clauses, once agreed between the parties, will apply in respect of that processing. If, in the performance of the GDPR DPA, ScaleGrid transfers any Personal Data of Data Subjects located in the EU to a Sub-Processor (which shall include without limitation any affiliates of ScaleGrid) and without prejudice to Section 7, where such Sub-Processor will process such Personal Data outside the EEA (other than exclusively in an Adequate Country), ScaleGrid shall ensure that a mechanism to achieve adequacy in respect of that processing is in place such as: (a) the requirement for ScaleGrid to execute or procure that the third party execute on behalf of standard contractual clauses approved by the EU authorities under Data Protection Legislation; (b) the requirement for the third party to be certified under the Privacy Shield framework; or (c) the existence of any other specifically approved safeguard for data transfers (as recognized under the Data Protection Legislation) and/or a European Commission finding of adequacy.
- 7. SUBCONTRACTORS
Customer grants ScaleGrid general authorization to engage Sub-Processors to provide the Services (including without limitation data center operators, hosting services, providers of anti-fraud and reporting services and other outsourced providers), provided that (a) ScaleGrid and the Sub-Processor enter into a contract on terms that are materially at least as protective as this GDPR DPA; and (b) ScaleGrid keeps Customer informed of any intended additions to or replacements of Sub-Processors, as currently listed on the ScaleGrid user interface and/or wiki (currently located here), which may be updated by us from time to time, giving Customer no less than thirty (30) days' opportunity to object to such changes on reasonable grounds of non-compliance or material risk of non-compliance by Customer with Data Protection Legislation. Should Customer object to ScaleGrid's use of a Sub-Processor, Customer may within a reasonable time after notice of any intended additions or replacements of a Sub-Processor terminate any Service Agreement related to an affected Service upon written notice without liability for such termination. Subject to the terms of the applicable Service Agreement, ScaleGrid shall remain fully liable to Customer for the performance of the Sub-Processor's obligations.
- 8. COMPLAINTS, DATA SUBJECT REQUESTS, AND OTHER REQUIRED ASSISTANCE
- 8.1 Customer Obligations. Customer is and shall be solely responsible for compliance with any statutory obligations concerning requests to exercise Data Subject rights under Data Protection Legislation (e.g., for access, rectification, deletion of Customer Personal Data, etc.) ScaleGrid shall reasonably assist Customer to the extent feasible in responding to requests to exercise Data Subject rights under the EU Data Protection Laws. As part of the Services, Customer may download Customer's Personal Data through the Services ("Data Portability Right"). This Data Portability Right shall be provided as part of the service at no additional charge for the Customer.
- 8.2 ScaleGrid Obligations. ScaleGrid shall:
- (a) promptly notify Customer if it receives a request from a Data Subject under Data Protection Legislation in respect of Customer Personal Data; and
- (b) ensure that it does not respond to that request except on the documented instructions of Customer or as required by applicable laws to which the ScaleGrid is subject.
- 9. AUDIT RIGHTS
- 9.1 ScaleGrid shall make available to Customer, upon prior written request, all information necessary to reasonably demonstrate compliance with this GDPR DPA. ScaleGrid may provide industry-standard third-party audit certifications to demonstrate compliance.
- 9.2 ScaleGrid shall allow for and contribute to audits, including inspections, by a reputable auditor mandated by Customer. The scope, duration and methods of such audit will be determined by both Parties in good faith. In any event, a third-party auditor shall be subject to confidentiality obligations. ScaleGrid may object to the selection of the auditor if it reasonably believes that an auditor does not guarantee confidentiality, security or otherwise puts at risk the ScaleGrid business.
- 9.3 Provisions of information and audits are at Customer's sole expense, including fees charged by third party auditors appointed by Customer.
- 10. TERM AND TERMINATION
- 10.1 This GDPR DPA will remain in full force and effect so long as:
- (a) the Service Agreement remains in effect, or
- (b) ScaleGrid retains any Personal Data related to the Service Agreement in its possession or control ("Term").
- 10.2 Any provision of this GDPR DPA that expressly or by implication should come into or continue in force on or after termination of the Service Agreement in order to protect Personal Data will remain in full force and effect.
- 10.3 Either Party's failure to comply with the terms of this GDPR DPA is a material breach of the Service Agreement. In such event, the non-breaching Party may terminate the Service Agreement effective immediately on written notice to the non-breaching Party without further liability or obligation.
- 10.4 If a change in any Data Protection Legislation prevents either party from fulfilling all or part of its Service Agreement obligations, the parties will suspend the processing of Personal Data until that processing complies with the new requirements. If the parties are unable to bring the Personal Data processing into compliance with the Data Protection Legislation within 30 days, they may terminate the Service Agreement on written notice to the other party.
- 11. DATA RETURN AND DESTRUCTION
- 11.1 Upon termination of the provision of Services, ScaleGrid shall promptly delete or return all copies of Customer Personal Data, except as authorized or required to be retained in accordance with applicable law.
- 11.2 Upon Customer's prior written request, ScaleGrid shall provide written certification to Customer that it has fully complied with this section.
- 12. NOTICE
- 12.1 Any notice or other communication given to a party under or in connection with this GDPR DPA must be in writing and delivered to:
For Customer: The contact information on file for Customer, including via email.
For ScaleGrid: 2225 E Bayshore Rd, Palo Alto, CA 94303
- 12.2 Section 12.1 does not apply to the service of any proceedings or other documents in any legal action or, where applicable, any arbitration or other method of dispute resolution.
- 12.3 A notice given to ScaleGrid under this GDPR DPA is not valid if sent by email unless the receipt of such email has been confirmed.
- 13. CHANGES TO THIS GDPR DPA
- 13.1 ScaleGrid may change this GDPR DPA if the change:
- (a) reflects a change in the name or form of a legal entity;
- (b) is required to comply with applicable law, applicable regulation, a court order or guidance issued by a governmental regulator or agency; or
- (c) does not: (i) result in a degradation of the overall security of the Services; (ii) expand the scope of, or remove any restrictions on, ScaleGrid's processing of Customer Personal Data; and (iii) otherwise have a material adverse impact on Customer's rights under this GDPR DPA, as reasonably determined by ScaleGrid.
- 13.2 Notification of Changes. If ScaleGrid intends to change this GDPR DPA under Section 13.1(b) or (c), ScaleGrid will inform Customer at least 30 days (or such shorter period as may be required to comply with applicable law, applicable regulation, a court order or guidance issued by a governmental regulator or agency) before the change will take effect by either: (a) sending an email to the Notification Email Address; or (b) alerting Customer via the user interface for the Services. If Customer objects to any such change, Customer may terminate the Agreement by giving written notice to ScaleGrid within 90 days of being informed by ScaleGrid of the change.
PERSONAL DATA PROCESSING PURPOSES AND DETAILS
Subject matter of processing: ScaleGrid's provision of database management services and any related technical support to Customer. Duration of Processing: The Term plus the period from the expiration of the Term until the deletion of all Customer Personal Data by ScaleGrid in accordance with this GDPR DPA. Nature of Processing: ScaleGrid provides database management services to assist its customers manage their own databases, including computing, storage, reporting, deleting. Personal Data Categories: Customer determines the categories of personal data that it processes through the Services. Data Subject Types: Data subject about whom personal data is transferred to ScaleGrid in connection with the Services by, at the direction of, or on behalf of Customer. Identify the Processor's legal basis for processing Personal Data outside the EEA in order to comply with cross-border transfer restrictions (select one):
Approved Subcontractors: List
- Physical access controls.
- We currently don't have any Physical datacenters/facilities of our own. All our servers are located on AWS.
- ScaleGrid physical office entry requires keypad access
- ScaleGrid uses SSL VPN with two factor authentication to enable support access to any underlying ScaleGrid infrastructure machines
- Host firewall rules and Cloud provider network security groups are used to restrict access to infrastructure
- For more information on available ScaleGrid information security please refer to our ScaleGrid infrastructure document.
- System access controls.
- See section above on Physical Access control
- Data access controls.
- ScaleGrid provides several options to control access to your data
- Authentication is enabled and required on all database clusters
- Firewall options are provided to restrict access to the database
- Encryption at rest options are provided to encrypt your data and backups
- For more information on available ScaleGrid feature please refer to our Security features document.
- Transmission controls.
- ScaleGrid provides Encrypting in transit options to enable SSL on database during creation. This ensures all traffic in and out of the database nodes is suitably encrypted in transit. For more information on available ScaleGrid feature please refer to our Security features document.
- Input controls.
- ScaleGrid console provides Two factor authentication options to improve the security of access to our console
- Provided it is supported by the database ScaleGrid console also provides the option to create specific users with restricted permissions on the database. This enables customers to create role based permissions on their database.
- Authentication is enabled and required on all databases
- Firewall rules can also be configured to restrict access to the database.
- For more information on available ScaleGrid feature please refer to our Security features document.
- Data backups.
- ScaleGrid data backups are stored in the same Cloud provider as the database cluster and are subject to the same data access controls as the original database
- If Encryption at rest is enabled the backups are also encrypted and can only be mounted on the database machines
- All database clusters are set by default to backup once a day and keep 7 backups.
- Data segregation.
- ScaleGrid is a multitenant application and all process flows are designed to enforce segregation of customer data. In case of dedicated plans each customers data is stored in a separate virtual machine(s). In case of our shared plans each customer data is stored in separate docker container(s)
- The appropriate security measures are in place to ensure that each customer has only access to their underlying virtual machine (s) or docker containers (s)