Skytap Omnibus General Data Protection Addendum

Last updated December 16, 2024

This Omnibus General Data Protection Addendum (“Addendum”) is between: (i) Customer (“Customer, “Controller”) acting on its own behalf and as agent for each Controller Affiliate; and (ii) Kyndryl, Inc., or its affiliate located in your country (“Processor”) acting on its own behalf and as agent for each Processor Affiliate. For a list of Kyndryl affiliates, please see: https://www.kyndryl.com/us/en/about-us/locations. This Addendum applies to each agreement between Processor (or any Processor Affiliate) and Controller (or any Controller Affiliate) under which Processor actually Processes Personal Data as part of performing under that agreement (“Agreement”), and the Addendum applies and is effective only if, under GDPR (defined below), Controller qualifies as a Data Controller and Processor qualifies as a Data Processor for Controller, in which case the Addendum then is incorporated into and is made a part of the Agreement effective when Processor processes Controller Personal Data (“Addendum Effective Date”).

This Addendum modifies and supplements the terms and conditions in the Agreement as they relate to Kyndryl’s Processing of Customer Personal Data and compliance with Data Protection Law. The terms used in this Addendum will have the meanings set forth in this Addendum. Capitalized terms not otherwise defined herein will have the meaning given to them in the Agreement. Except as modified below, the terms of the Agreement will remain in full force and effect.

Contact Information

Data Controller: Signatory to the Agreement between the parties

Data ProcessorSee Controller and Representative Information at https://www.kyndryl.com/us/en/privacy.

Term

Expiration Date: Coterminous with the Agreement

1. DEFINITIONS

1.1 “Controller/Customer Personal Data” means any Personal Data provided by or on behalf of Controller/Customer to Processor under or pursuant to the Agreement or otherwise made available to, or collected as authorized pursuant to the Agreement, and as required for Processor in providing its services to the Controller under the Agreement. For the avoidance of any doubt, Customer Personal Data does not include any Personal Data for which Kyndryl is a data controller as defined by GDPR and this Addendum.

1.2 “CCPA” means The California Consumer Privacy Act, codified at Cal. Civ. Code §1798.100 et seq., as amended by the “California Privacy Rights Act“ or “CPRA”, and as may be further amended, and any final implementing regulations promulgated by the California Privacy Protection Agency and the State of California Department of Justice Office of The Attorney General.

1.3 “Commercial Purposes” has the meaning given to it under CCPA, which may be changed by amendment.

1.4 “Consumer” a resident of California to whom Personal Information under CCPA relates.

1.5 “Data Controller” or “Controller” means the entity which determines the purposes and means of the Processing of Personal Data.

1.6 “Data Processor” or “Processor” means the entity that Processes Personal Data on behalf of and on the instructions of the Data Controller, and that is bound by this Addendum.

1.7 “Data Subject” means the identified or identifiable person to whom Personal Data relates.

1.8 “Data Protection Legislation” means the (a) Data Protection Act 1998, the EU Data Protection Directive 95/46/EC, the Regulation of Investigatory Powers Act 2000, the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000 (SI 2000/2699), the Electronic Communications Data Protection Directive 2002/58/EC, the Privacy and Electronic Communications (EC Directive) Regulations 2003, GDPR, UK GDPR, and all applicable laws and regulations relating to processing Personal Data and privacy to the extent they are still in force, including where applicable the guidance and codes of practice issued by the Information Commissioner, and (b) CCPA as amended by CPRA.

1.9 “GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of the 27 April 2016 on the protection of natural persons with regards to the processing of personal data and on the free movement of such data as applicable as of 25 May 2018, as may be amended from time to time. For convenience, references to GDPR also will refer to the UK General Data Protection Regulation (“UK GDPR”) as appropriate where these two forms of distinct and potentially applicable Data Protection Legislation are substantially the same.

1.10 “Personal Information” has the meaning given to it under CCPA and that is provided by or on behalf of Customer to the Data Processor under or pursuant to the Agreement or otherwise made available to, or collected by, the Data Processor as required to provide its services to the Customer under the Agreement. Personal Information does not include Aggregate Consumer Information or Deidentified information as defined under CCPA.

1.11 “Processing” or “Process” means any operation or set of operations which is performed on Regulated Data or on sets of Regulated Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

1.12 “Regulated Data” means both of Personal Information under CCPA and Customer Personal Data under GDPR.

1.13 “Security Incident” means unauthorized acquisition, access, use or disclosure of Controller Regulated Data.

1.14 “Sub-Processor” means another Data Processor engaged by Processor for carrying out processing activities in respect of the Regulated Data on behalf of Processor.

2. GENERAL

2.1 Each party will comply with Data Protection Legislation with regards to the processing of Regulated Data under the Agreement and this Addendum. Moreover, Kyndryl will receive and process the Regulated Data of Customer only on and in accordance with lawful instructions from the Customer.

2.2 The parties acknowledge and agree that with regard to the Processing of Customer Personal Data, Customer is the Controler, Kyndryl is the Processor and that Kyndryl will engage Sub-Processors pursuant to Section 5 below.

2.3 As Data Processor in respect of the Customer Personal Data processed under the Agreement and this Addendum, Kyndryl will:

2.3.1 process the Customer Personal Data only to the extent, and in such manner as is necessary for, the provision of services to the Customer;

2.3.2 inform the Customer of any legal requirement under any applicable law that would require Kyndryl to process the Customer Personal Data other than the processing instructions, or if any Customer instruction infringes with applicable Data Protection Legislation; and

2.3.3 ensure any Sub-Processor that has access to Customer Personal Data from Kyndryl will comply with Kyndryl’s obligations under this Addendum.

2.4 The scope, purpose and duration of Customer Personal Data and Processing (including the type of Personal Data, categories of Data Subjects and security details) covered by the Agreement and this Addendum is set out in Schedule 1 of this Addendum.

2.5 This Addendum and the Agreement are Customer’s complete and final instructions to Kyndryl for the Processing of Customer Personal Data. Any additional or alternate instructions must be agreed upon separately and in writing by both the Customer and Kyndryl.

2.6 To the extent the Data Processor processes any Personal Information under the Agreement, the Data Processor shall comply with the requirements of a “Service Provider” under CCPA including but not limited to the following requirements.

2.6.1 Service provider appointment:Customer is a Business and appoints Kyndryl as its Service Provider to receive and process the Personal Information for the Business Purpose. Kyndryl acknowledges that it does not receive Personal Information as consideration for any services provided to Customer. Kyndryl is responsible for: (i) compliance with its obligations under this Addendum, (ii) for compliance with its obligations as a Service Provider under the CCPA and (iii) shall provide the same level of privacy protection as required by the CCPA. Kyndryl shall notify Customer if it reasonably determines that it cannot meet its obligations under the CCPA, and in such circumstances, and upon providing notice to Kyndryl, Customer shall be entitled to take reasonable and appropriate steps to remediate unauthorized use of Personal Information. Customer is responsible for compliance with its own obligations as a Business under the CCPA and shall ensure that it has provided notice and obtains any required consents and rights necessary under CCPA for Kyndryl to receive and process the Personal Information for the Business Purpose.

2.6.2 Business purpose:Kyndryl shall only receive and process Personal Information of the Customer as a Service Provider upon lawful documented instructions from Customer, including those in the Agreement, this Addendum, and Customer’s configuration of the Services or as otherwise necessary to provide the Services (the “Business Purpose“). Kyndryl must not process the Personal Information for any purpose other than for the Business Purpose, except to the extent CCPA otherwise permits.

2.6.3 Service provider certification:Kyndryl shall not: (a) Sell or Share the Personal Information; (b) retain, use, or disclose the Personal Information for any purpose other than for the Business Purpose, including to retain, use, or disclose the Personal Information for a Commercial Purpose other than providing its Services under the Agreement unless permitted by the CCPA; (c) retain, use, or disclose the Personal Information outside of the direct business relationship between the Kyndryl and Customer; (d) process the Personal Information for targeted and/or cross context behavioral advertising; (e) combine Personal Information with any other data if and to the extent this would be inconsistent with the limitations on service providers under the CCPA or other laws. Kyndryl certifies that it understands the restrictions set out in this Section 2.6 and otherwise in the Addendum and will comply with them.

2.6.4 Consumer’s rights: Kyndryl will, upon Customer’s instructions (and at Customer’s expense): (a) use reasonable efforts to assist Customer in deleting Personal Information in accordance with a Consumer’s request (and shall instruct any service providers it has appointed to do the same) except where and to the extent permitted to retain the Personal Information pursuant to an exemption under the CCPA and/or the CPRA; and (b) use reasonable efforts to assist Customer in responding to verified Consumer requests received by Customer to provide information as it relates to the collection of Personal Information for the Business Purpose.

2.6.5 Assistance: Kyndryl will, upon Customer’s instruction and upon proof of such a communication, provide reasonable assistance to Customer to enable Customer to respond to any correspondence, enquiry or complaint received from a Consumer, the California Attorney General and/or the California Privacy Protection Agency in connection with the Collection and processing of the Personal Information.

2.6.6 Security and Security Incidents. Kyndryl shall implement and maintain reasonable security procedures and practices appropriate to the nature of the Personal Information it will process to protect the Personal Information from and against a Security Incident in line with Kyndryl’s then-current security policy. Kyndryl shall notify Customer without undue delay (and in time to fulfil any Security Incident reporting obligations) after becoming aware of a Security Incident and provide timely information relating to the Security Incident as it becomes known or is reasonably requested by Customer.

2.6.7 Monitoring. To the extent required by the CCPA, Customer may take reasonable and appropriate steps to help ensure that the Personal Information is Processed by Kyndryl in a manner consistent with Customer’s obligations under the CCPA. Customer may audit Kyndryl’s compliance with the terms of this Addendum in the manner set out in this Addendum once annually. Customer may elect to perform such an audit on its own behalf or pursuant to a formal direction or request for information from the California Privacy Protection Agency. Customer must send Kyndryl notice in writing of a request to conduct an audit. Once requested by Customer, subject to the confidentiality obligations set forth in the Agreement, Kyndryl shall make available to Customer (or Customer’s independent third-party auditor) information regarding Kyndryl’s compliance with the obligations set forth in this Addendum, which the parties agree may be in the form of the third-party certifications and audits that Kyndryl receives and maintains. Upon review of such materials, If Customer identifies areas that have not been covered that it is lawfully permitted to audit under this Addendum, then Customer may submit reasonable requests for information security and audit questionnaires that are necessary to confirm Kyndryl’s compliance with this Addendum, provided that Customer shall not exercise this right more than once per year.

2.6.8 Subcontractors. Customer agrees that Kyndryl may engage third party subcontractors to process Personal Information in connection with the provision of the Services. Kyndryl shall enter into written agreements with such subcontractors that contain substantially similar obligations as this Addendum. Provided that Customer signs up for notifications at using the process described in Section 5.2 related to GDPR Sub-Processor notifications.

3. CUSTOMER RESPONSIBILITIES

3.1 Customer is the sole Controller of Customer Personal Data or has been instructed by, and obtained the authorization of, the relevant Controller(s) to agree to the Processing of Customer Personal Data by Kyndryl, as set out in this Addendum.

3.2 Customer will, in its use of the Services, process Customer Personal Data in accordance with the requirements of Data Protection Laws and Regulations. Customer will have sole responsibility for the accuracy, quality, and legality of Customer Personal Data and the means by which Customer acquired Customer Personal Data prior to uploading such Personal Data for Kyndryl to Process.

3.3 Customer acknowledges that it is responsible for properly implementing access and use controls and configuring certain features and functionalities of Skytap service that Customer may elect to use and in such manner that Customer deems adequate to maintain appropriate security, protection, deletion, and backup of Customer Personal Data.

4. SECURITY

4.1 Kyndryl will implement and maintain, at its cost and expense, appropriate technical and organizational measures in relation to its processing of Customer Personal Data so as to ensure a level of security in respect of Customer Personal Data processed by it is appropriate to the risks that are presented by the processing, including from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data transmitted, stored or otherwise processed.

4.2 With respect to any Security Incident involving Customer Personal Data, Kyndryl will, in accordance with Art. 28 paragraph 3 of GDPR, provide Customer with a) a description of the security incident and the approximate amount of data subjects and datasets involved, b) name and contact of a contact person for further information, c) a description on the probable consequences of the incident, and d) a description of the measures taken in order to remedy or reduce the incident.

4.3 Kyndryl will take reasonably appropriate measures to ensure that its personnel processing Customer Personal Data are subject to equivalent terms protecting Customer Personal Data, including training specific to the GDPR requirements.

5. SUB-PROCESSORS

5.1 Customer authorizes Kyndryl to engage another entity (a “Sub-Processor”) to perform specific processing activities in respect to the Customer Personal Data.

5.2 This Exhibit will be updated for any intended additional or replacement Subprocessors, including Kyndryl Companies and Third-Party Subprocessors. Kyndryl Companies Subprocessors’ details can be found at: https://www.kyndryl.com/terms/subprocessors. Additional details for each Third-Party Subprocessor are available upon request.

5.3 Where and to the extent Customer is established within the European Economic Area, Switzerland, the United Kingdom, or where otherwise required by Data Protection Laws and Regulations applicable to Customer, Customer may reasonably object to the use of a new Sub-Processor (e.g., if making Customer Personal Data available to the Sub-Processor may violate applicable Data Protection Law or weaken the protections for such Customer Personal Data) by providing written notification to Kyndryl within 10 days of receiving notice per Section 5.2 above. Customer must include the reasonable grounds for the objection. In the event Customer objects to a new Sub-Processor, Kyndryl will use commercially reasonable efforts to make available to Customer a change in the Services or recommend a commercially reasonable change to Customer’s configuration or use of the Services, to avoid Processing of Customer Personal Data by the objected-to new Sub-Processor without unreasonably burdening Customer. If Kyndryl is unable to make available such change within a reasonable period of time, either party may terminate the Services which cannot be provided by Kyndryl without the use of the objected-to new Sub-Processor. Such notice of termination by Customer must be made in writing to Kyndryl. If Kyndryl determines that Customer’s objection was reasonable and in good faith, Kyndryl will refund Customer a prorated portion of pre-paid charges for remainder of the term Customer’s subscription under the Agreement following the effective date of termination.

5.4 Kyndryl will remain liable to the Customer for the Sub-Processor’s performance, as well as for any acts or omissions of the Sub-Processor regarding its processing of Customer Personal Data, to the same extent Kyndryl would be liable if performing the Services of the Sub-Processor directly under the terms of this Addendum.

6. OTHER OBLIGATIONS

6.1 Kyndryl will forward to the Customer and otherwise cooperate with and assist the Customer with any requests received from Data Subjects of any Customer Personal Data under GDPR (i.e., “Data Subject Access Request”) or Consumers under CCPA (e.g., “Right to Know”) of any Regulated Data (generally referred to together in this Section 6 as, “Regulated Data Access Request”. Business Provider will specifically perform the following.

6.2 Kyndryl will provide reasonable assistance, information and cooperation to the Customer to ensure compliance with the Customer’s obligations under Data Protection Legislation in relation to the processing of Customer Personal Data under the Agreement and this Addendum. This includes assistance with any data protection impact assessments and consultations with (or notifications to) relevant data protection regulators.

6.3 Upon Customer’s written request at reasonable intervals, Kyndryl will make available to the Customer such information as is reasonably required by the Customer to demonstrate Kyndryl’s compliance with its obligations under Data Protection Legislation and this Addendum.

6.4 Pursuant to GDPR, Kyndryl will permit audits at reasonable intervals conducted by the Customer, or another auditor mandated by the Customer, solely for demonstrating Kyndryl’s compliance with its obligations under Data Protection Legislation and this Data Protection Addendum. This will be subject to the Customer giving Kyndryl reasonable prior notice of such audit and/or inspection and ensuring that any auditor is subject to binding obligations of confidentiality, is not a competitor of Kyndryl, and that such audit or inspection is undertaken so as to cause minimal disruption to Kyndryl’s business.

6.5 Kyndryl will, without undue delay, at the Customer’s request, either securely delete or return all the Customer Personal Data to the Customer at the end of the Agreement and this Addendum, or if earlier, as soon as processing by Kyndryl of any Customer Personal Data is no longer required for Kyndryl’s performance of its obligations under the Agreement, and securely delete existing copies (unless retention of any data is required by applicable law).

7. INTERNATIONAL DATA TRANSFERS

7.1 If Customer is established with the European Economic Area, Switzerland, the United Kingdom, or where otherwise required by Data Protection Laws and Regulations, Customer acknowledges that Kyndryl will transfer Customer Personal Data outside of the EEA or UK as applicable for Processing. Kyndryl is certified and registered under the EU (and by extension the UK) Data Privacy Framework (“EU/UK DPF”).

7.2 If for any reason the EU/UK DPF cannot legally be employed as a mechanism for governing restricted transfers between the parties, the parties also will enter into the standard SCCs with Modules 1-3 for Controller-to-Controller, Controller-to-Processor, and Processor-to-Subprocessor EU Model Clauses, UK addendum and Swiss addendum, all of which can be provided on request to legal@kyndryl.com as the “SCC Addendum”.

The parties agree that other than as set out herein, all other terms of any Agreement remain in force. In the event of any discrepancy between this Addendum and the remainder of the Agreement, the terms of this Addendum shall prevail.

Schedule 1: Data Processing Details

1) Subject-matter, nature and purpose of the Processing:

Kyndryl provides self-service public cloud infrastructure services to enterprise customers, also known as Infrastructure as a Service (IaaS). Upon contracting for services, Kyndryl provisions the Customer an account in the Customer’s chosen geographic region and provides login credentials for the Customer Primary Administrator to use a web portal and/or programmatically via REST API based on Personal Data provided by the Customer. Kyndryl manages the application infrastructure it provisions. The Customer is responsible for provisioning and managing additional user accounts for their Skytap Cloud instance, as well as the workloads running on the cloud infrastructure provided by Kyndryl, i.e., Kyndryl does not manage the Customer’s workloads, nor any data stored within them.

2) Duration of Processing:

Processing of the Customer Personal Data by Kyndryl will be for the term of the Agreement of for provision of the Services, provided that Customer Personal Data will not be Processed for longer than is necessary for the purpose for which it was collected or is being Processed (except where a statutory exception applies).

3) Customer Personal Data in Scope:

Kyndryl collects only the minimal personal information necessary to provision accounts, provide the services of Skytap Cloud, and provide audit capabilities to Skytap Cloud customers: User First/Last Names, Usernames/IDs, Email Addresses, Login Credentials, IP Addresses, Browser Type, Machine OS (via browser user agent), Employer (Customer association), User Region/Location (via IP Address).

As the Customer is responsible for provisioning and managing additional user accounts for their Skytap Cloud instance, as well as the workloads running on the cloud infrastructure provided by Kyndryl, i.e., Kyndryl does not manage the Customer’s workloads, nor any data stored within them. As Kyndryl does not have visibility into and relies on the Customer for any access to such workloads and data processed therein, Kyndryl does not know what Personal Data is in scope.

4) Technical and Organizational Measures for Customer Personal Data in Scope:

Description of the technical and organizational measures implemented by Kyndryl (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.

Kyndryl is Certified pursuant to SOC 2 and ISO 27001. On executing a customary confidentiality agreement (NDA), Importer will provide its most recent audit reports to Exporter.

*Technical and Organisational Measures*	*Kyndryl Controls*
Measures of pseudonymisation and encryption of personal data	Kyndryl follows industry standard practices regarding encrypting data in transit and at rest. Kyndryl systems use encryption to protect transmitted records and files containing data that will travel across public networks, with encryption at a strength that is commercially reasonable given the nature of the data transmitted and the transmission method(s). Kyndryl requires that systems used to process sensitive data, including personally identifiable information (PII), passwords, account information, etc., support encryption when in transit on the network and implement industry-standard practices regarding encryption of sensitive data stored at rest. Encryption use and applicable encryption standards are documented. The encryption strength of confidential information in transmission is defined. Cryptographic key management procedures are documented and automated. Products or solutions are deployed to keep the data encryption keys encrypted.
Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services	Kyndryl continuously gathers and analyses information regarding new and existing threats and vulnerabilities, actual attacks on the organisation or others, and the effectiveness of the existing security controls. Monitoring controls include related policy and procedures, virus and malicious code detection, intrusion prevention and detection, and event and system health and state monitoring. Related logging process provides an effective control to highlight and investigate security events. Robust controls are implemented over Kyndryl communication networks to safeguard data, tightly control access to network devices through management approval and subsequent audits, disable remote communications if no business need exists, log and monitor remote access, secure remote access devices, and use strong authentication and encryption to secure communications. Defined Access Control Lists (ACLs) to restrict traffic on routers and/ or firewalls are reviewed and approved by network administrators. IP addresses in the ACLs are specific and only authorised devices connect to the Kyndryl internal networks. Firewall management processes are documented. All changes firewalls are performed via documented change management processes. Firewall access is restricted to a small set of authorized. Periodic network vulnerability scans are performed, and any critical vulnerabilities identified are promptly remediated.
Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident	Protections against fire and power outages are implemented in data centers and include offsite backups. Effective controls are in place to protect against physical penetration by malicious or unauthorised people. Components supporting the physical and environmental security plan are based on the nature of the facility (e.g., data center, office facility). Protections for data centers include the following: Climate control systems; Thermostat sensors; Raised floors; Smoke detectors; Heat detectors; Fluid or water sensors; CCTV monitoring; Fire suppression systems; Uninterruptible power supplies (UPS); Batteries; Generators. Backup, redundancy/failover and offsite storage procedures are documented and tested regularly. Procedures cover the ability to fully restore or utilise redundant platform resources for applications and operating systems. Periodic testing of successful restoration from backup media and redundant failover solutions are demonstrated.
Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing	Kyndryl engages, no less than annually, independent auditors to conduct SOC 2 Type 2, ISO 27001:2013, and PCI DSS audits to measure the effectiveness of security controls for the Skytap cloud platform. Additionally, Kyndryl engages with independent third party security firms to conduct regular penetration tests against the Skytap cloud platform, no less than annually.
Measures for user identification and authorisation	Authentication and authorisation controls are appropriately robust for the specific levels of risk to the information, data, application and platform. Access rights are monitored to ensure that access adheres to the ‘least privilege’ principle commensurate with the user’s job responsibilities. All access and security events are logged, and software is used that enables rapid analysis of, and anomaly detection in user activities. Access Control policy and corresponding procedures are documented. Access procedures define the request, approval, access provisioning, and de-provisioning, and monitoring processes. The access processes restrict user access (local or remote) based on user job function (role/ profile based, appropriate access) for applications, databases and systems to ensure segregation of duties. User access reviews are performed periodically (e.g., quarterly) for business-critical applications, to confirm that permissions and privileges are appropriate. Procedures are documented for the timely onboarding and offboarding of users who have joined, left, or changed roles within the organisation. Processes for management of privileged user accounts is defined. A review/governance process is in place and privileged accounts are reviewed periodically (e.g., quarterly) to ensure that access is restricted, appropriate and documented (requests, approvals) prior to account creation. Documented password policy covers all applicable systems, applications and databases. Password best practices are deployed to protect against unauthorised use of passwords. The password policy includes the following components: Password is communicated separately from user ID; Initial passwords are unique to each user and must be reset upon initial login; Minimum password length; Password complexity; Password history; Password lockout for failed password attempts; passwords are checked against a list that contains values known to be commonly used, expected, or compromised. Passwords are saved only as one-way hash/encrypted files. Access to password files is restricted only to system administrators. If the authentication engine for application fails, the default action is always to deny access.
Measures for the protection of data during transmission	Confidential information transmission over the public internet always utilises an encrypted channel. Confidential information is encrypted while in transit over any network using secure protocols like HTTPS, SSL, SFTP, etc. VPN transmissions are performed over an encrypted channel. Electronic transmission of data to and from off-site locations is performed over an encrypted channel. Wireless Access Points only allows authorised users to connect. Policies and procedures are established and adhered to for proper control of electronic mail and/or instant messaging systems. Preventative and detective controls block malicious emails/ attachments. Emails are encrypted via Transport Layer Security (TLS). Encryption technology used adheres to all legal requirements governing the use of such technology.
Measures for the protection of data during storage	Servers and devices containing confidential information are encrypted leveraging system level encryption. Use of any portable media (e.g., laptops, removable hard drives, flash drives, removable disks, or tapes) is restricted, and requires encryption of any confidential data stored on this media. Customer information is not stored on any unencrypted portable media. Backups are encrypted and stored on protected systems. Secure transportation procedures (e.g., inventory tracking, signed checklists) of media to and from off-site location are defined.
Measures for ensuring physical security of locations at which personal data are processed	Kyndryl inherits physical security controls from its hosting providers. Kyndryl reviews SOC 2 and other audit reports for its hosting providers regularly to ensure the following physical security controls are in place and operating effectively. Physical access to hosting provider facilities is restricted by using access control procedures for authorised users (e.g. badge access, security guards, etc.). Visitor access must be logged in a physical access log and visitors are escorted through restricted areas in the facility. Physical security plan for offsite facilities is documented. Access control is enforced at entry points and in storage rooms. Access to the off-site facility is restricted and there is an approval process to obtain access. Monitoring cameras (e.g., CCTVs) cover sensitive areas within the facility. The monitoring equipment (e.g., CCTV) feed is monitored by a qualified team. Alerting procedures are defined and notification is given to qualified personnel. Security guards are trained regarding their response to security events. Additionally, Kyndryl requires that all employees, employee candidates, contractors and third parties complete suitable background validation checks in accordance with applicable laws and regulations. Kyndryl maintains a clean desk/clear screen policy. Workstations are configured to lock after 15 minutes of inactivity, requiring users to re-authenticate to return to the existing session. Locked sessions are configured to obscure all session details. Documents containing confidential information are secured in a locked file cabinet or office with access granted to only those individuals with a business need for such information.
Measures for ensuring events logging	Security events are logged, monitored and addressed through timely and documented action. Network components, workstations, applications and monitoring tools are enabled to monitor and detect anomalous user activity. Organisational responsibilities for responding to events are defined. Configuration checking tools and logs are utilised to record critical system configuration changes. Audit logs are stored on a secured logging infrastructure with access restricted to only necessary personnel. Retention schedules for various logs are defined and enforced. Workstations updated automatically with latest antivirus/antimalware definitions. Defined procedure highlights all anti-virus updates. Alert events include the following attributes: Unique identifier; Date; Time; Priority level identifier; Source IP address; Destination IP address; Event description; Notification sent to security team.
Measures for ensuring system configuration, including default configuration	Information systems are deployed with appropriate security configurations and reviewed periodically for compliance with security policies and standards. Standard security configuration is documented. Security hardening and procedures include security patches, vulnerability management, and system hardening standards. Security patch process and procedures, including patch prioritisation, are documented. Penetration testing of the external perimeter is performed at least annually. For most recent testing results/report, follow-up is performed to eliminate or mitigate any issues rated as critical, high and medium risk. Tools/processes are in place to perform vulnerability monitoring, penetration testing, antivirus definition updates, firewall deployment and maintenance. Documented operating system versions are implemented. Minimum Security Baselines (MSB) are established for various operating systems and versions.
Measures for internal IT and IT security governance and management	Policies and procedures that regulate the use of information, including its processing, receipt, transmission, storage, distribution, access and deletion are documented and implemented, and address how confidential information is managed and protected. Policies and procedures are designed to comply with all applicable laws, rules and regulations in the countries in which Kyndryl conducts business. The Policies and Procedures are approved by senior management, reviewed and updated to remain compliant with the law and current industry practices. Documented IT operational procedures ensure secure operation of IT assets. IT operational procedures include the following components: Scheduling requirements; Handling errors; Generating and handling special output; Maintenance and troubleshooting of systems; managing service availability to required SLAs/KPIs. Problem Remediation Management Process/Procedures are documented. The problem management lifecycle includes the following discrete steps: Identification; Assignment of severity to each problem; Communication; Resolution; Training (if required); Testing/validation; Reporting. Changes to systems, networks, applications, data files structures, other system components, and physical/ environmental changes are monitored and controlled through a formal change control process. Changes are tested, reviewed, approved, and monitored to ensure that changes are operating as intended. Change management policies and procedures cover all changes to applications, operating systems and network infrastructures, including firewalls. Change management policies and procedures include the following attributes: Clearly identified roles and responsibilities, including separation of duties; Impact or risk analysis of the change request; Testing prior to implementation of change; Security implications review; Authorisation and approval; Post installation validation; Back-out or recovery plans; Management signoffs.
Measures for certification/assurance of processes and products	Kyndryl maintains documented Secure System Development Life Cycle (“SSDLC”) policies and procedures for defining, acquiring, developing, enhancing, modifying, testing and implementing information systems. Software development processes are documented and includes version control and release management procedures as wells as validation of security requirements (e.g., Information Security [IS] sign-offs, periodic IS reviews, static/dynamic scanning). System documentation is managed by appropriate access controls. Software vulnerability assessments are conducted internally or using external experts. Any vulnerability gaps identified are remediated in a timely manner. All product teams are required to follow Kyndryl’s secure development procedure which provides security standards, strategies and tactics for each phase of the product development lifecycle. These procedures include guidelines and requirements on what, when and how security activities should take place. Specifically, they include activities for all phases of the Secure System Development Lifecycle, such as Training, Coding Guidelines, Architectural Risk Analysis, Code Analysis, Penetration Testing, as well as Vulnerability Response. In addition, Kyndryl has processes to build privacy into products and services from the initial design phase and continuously improves its Privacy by Design (PbD) and Privacy by Default practices. Kyndryl solutions are required to adhere to technical security standards and safeguards that are appropriate for their intended use and benefit. Security standards are determined after a review is conducted that assesses the type of data that will be handled by the solution, how and where the solution is implemented, relevant industry requirements and applicable laws and regulations. Penetration testing of the internal/external networks and/or applications is performed at least annually. The tests are usually performed externally by a reputable external organisation. Automated vulnerability scans of confidential information are performed periodically to identify, mitigate and remediate any vulnerabilities. Assets covered by such scanning include all production systems, applications, and network devices. All issues identified from the penetration tests and vulnerability scans rated as high or medium risks are addressed through timely and documented remediation. Kyndryl maintains ISO/IEC 27001:2013 and PCI DSS certifications as well as conducting annual SOC 2 Type 2 audits. Kyndryl will provide certifications and audit reports to customers upon request.
Measures for ensuring data minimisation	Where Kyndryl acts as a Data Controller, it only collects personal data as necessary for, and proportionate to the purposes of the processing, pursuant to the terms of the Privacy Policy published at https://www.skytap.com/terms/privacy-policy/. Kyndryl’s products and services are developed and operated following the principle of Privacy by Design, so that such products and services will only collect and process the data necessary for, and proportionate to the fulfilment of their intended functionalities.
Measures for ensuring data quality	Where Kyndryl acts as a Data Controller, it takes technically feasible and commercially reasonable steps to ensure that the personal data it processes is accurate and relevant, pursuant to the terms of the Privacy Policy published at https://www.skytap.com/terms/privacy-policy/. Where Kyndryl acts as a Data Processor, it makes available technical and organisational means for the relevant Data Controller to perform through self-service facilities, or to obtain via service requests, the maintenance (e.g., rectification or erasure) of any personal data processed by Kyndryl on its behalf.
Measures for ensuring limited data retention	Kyndryl embeds the principle of limited data retention into the design and operation of the services and systems it develops and maintains and adheres to a defined record retention policy. Retention timelines for data in various systems, products and services will depend on the nature, scope and purpose of the system, product or service considered and of the data held therein; on the applicable contractual commitments; on the applicable legal and regulatory requirements; on the existence of a valid business need or legal obligation to retain the data.
Measures for ensuring accountability	Kyndryl operates a global privacy program managed by the privacy team. The program includes the creation and maintenance of records of data processing operations, fulfilment of data subject rights, handling of inquiries and complaints, enforcement of privacy by design and privacy by default principles, the provision of up-to-date transparency information about Kyndryl’s data processing practices and of the data processing practices involved in the use of specific Skytap products and services, response to privacy events and incidents, and privacy training. More detailed information about these practices may be found in the documentation published at https://www.skytap.com/terms/privacy-policy/.
Measures for allowing data portability and ensuring erasure	Procedures are defined for instructing personnel on the proper methods for destroying media and storage devices on which confidential information is stored. Media and storage devices containing confidential information are wiped utilising U.S. Department of Defense 5220.22-M or like industry standard procedures, which relate to the permanent and non-recoverable removal of data. Media and storage device destruction by a third party is accompanied by documented procedures (e.g., certificate of destruction) for destruction confirmation

For (sub-) processors, also describe the specific technical and organizational measures to be taken by the (sub-) processor to be able to provide assistance to the controller and, for transfers from a processor to a sub-processor.

This Table under Section 5 below includes a list of subprocessors involved in provisions of services under Agreement(s) and hyperlinks to their websites where the subprocessor’s technical and organizational measures are described:

5. LIST OF Sub-Processors

EXPLANATORY NOTE:

Controller (and Exporter for purposes of Standard Contractual Clauses) has authorized the use of the following sub-processors(FN1) by Processor/Importer:

*Country*	*Subprocessor*	*Services*	*Specific Technical and Organisational Measures*
USA, EU, UK and AIPAC	Microsoft Azure One Microsoft Way Redmond, WA 98052-7329	Hosting provider	See (Sub)-Processor Website
USA, EU, UK and AIPAC	IBM Cloud 1 New Orchard Road Armonk, New York 10504-1722 United States	Hosting provider	See (Sub)-Processor Website
USA	Cyxtera Technologies BAC Colonnade Office Towers 2333 Ponce De Leon Blvd, Suite 900 Coral Gables, FL 33134	Hosting provider	See (Sub)-Processor Website
USA	Equinix One Lagoon Drive, Redwood City, California, 94065	Hosting provider	See (Sub)-Processor Website

FN1 Processor/Importer relies on GDPR’s definitions of Data Controllers and Data Processors for purposes of identifying Data Sub-processors.

Cookie	Duration	Description
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Advertisement" category .
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Necessary" category .
cookielawinfo-checkbox-non-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Non Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
cookielawinfo-checkbox-preferences	1 year	This cookie is set by the GDPR Cookie Consent plugin to check if the user has given consent to use cookies under the "Preferences" category.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
__cf_bm	30 minutes	This cookie, set by Cloudflare, is used to support Cloudflare Bot Management.
55d66ab20f0ad28a_cfid	2 years	Set by ChatFunnels to store chat sessions
bcookie	2 years	This cookie is set by linkedIn. The purpose of the cookie is to enable LinkedIn functionalities on the page.
lidc	1 day	This cookie is set by LinkedIn and used for routing.
sc_anonymous_id	9 years	Cookie is placed by SoundCloud to provide functions across pages.

Cookie	Duration	Description
__utma	2 years	This cookie is set by Google Analytics and is used to distinguish users and sessions. The cookie is created when the JavaScript library executes and there are no existing __utma cookies. The cookie is updated every time data is sent to Google Analytics.
__utmb	30 minutes	The cookie is set by Google Analytics. The cookie is used to determine new sessions/visits. The cookie is created when the JavaScript library executes and there are no existing __utma cookies. The cookie is updated every time data is sent to Google Analytics.
__utmc		The cookie is set by Google Analytics and is deleted when the user closes the browser. The cookie is not used by ga.js. The cookie is used to enable interoperability with urchin.js which is an older version of Google analytics and used in conjunction with the __utmb cookie to determine new sessions/visits.
__utmt	10 minutes	The cookie is set by Google Analytics and is used to throttle the request rate.
__utmz	6 months	This cookie is set by Google analytics and is used to store the traffic source or campaign through which the visitor reached your site.
_gat_UA-4086838-1	1 minute	This is a pattern type cookie set by Google Analytics, where the pattern element on the name contains the unique identity number of the account or website it relates to. It appears to be a variation of the _gat cookie which is used to limit the amount of data recorded by Google on high traffic volume websites.
_uetsid	1 day	Bing Ads sets this cookie to engage with a user that has previously visited the website.
_uetvid	1 year 24 days	Bing Ads sets this cookie to engage with a user that has previously visited the website.
YSC		This cookies is set by Youtube and is used to track the views of embedded videos.

Cookie	Duration	Description
_ga	2 years	This cookie is installed by Google Analytics. The cookie is used to calculate visitor, session, camapign data and keep track of site usage for the site's analytics report. The cookies store information anonymously and assigns a randoly generated number to identify unique visitors.
_gcl_au	2 months	This cookie is placed by Google Tag Manager to place and track conversions.
_gid	1 day	This cookie is installed by Google Analytics. The cookie is used to store information of how visitors use a website and helps in creating an analytics report of how the wbsite is doing. The data collected including the number visitors, the source where they have come from, and the pages viisted in an anonymous form.
_uv_id	2 years	Slideshare: Collects data on the user's visits to the website, such as which pages have been read.
browser_id	5 years	This cookie is used for identifying the visitor browser on re-visit to the website.
bscookie	2 years	This cookie is placed by Linkedin to store performed actions on the website.
CONSENT	2 years	YouTube sets this cookie via embedded youtube-videos and registers anonymous statistical data.
GPS	30 minutes	This cookie is set by Youtube and registers a unique ID for tracking users based on their geographical location
li_sugr	2 months	This cookie is placed by Linkedin to store browser details.
lissc	1 year	Used by the social networking service, LinkedIn, for tracking the use of embedded services.
MR	1 week	This cookie is used to measure the use of the website for analytics purposes.
pardot		The cookie is set when the visitor is logged in as a Pardot user.
undefined	never	Wistia sets this cookie to collect data on visitor interaction with the website's video-content, to make the website's video-content more relevant for the visitor.
vuid	2 years	Vimeo

Cookie	Duration	Description
ANONCHK	10 minutes	The ANONCHK cookie, set by Bing, is used to store a user's session ID and also verify the clicks from ads on the Bing search engine. The cookie helps in reporting and personalization as well.
IDE	2 years	Used by Google DoubleClick and stores information about how the user uses the website and any other advertisement before visiting the website. This is used to present users with ads that are relevant to them according to the user profile.
MUID	1 year	Used by Microsoft as a unique identifier. The cookie is set by embedded Microsoft scripts. The purpose of this cookie is to synchronize the ID across many different Microsoft domains to enable user tracking.
SRM_B	1 year	Bing.com
SRM_I	1 year	Bing.com
u	2 months	Collects data on user visits to the website, such as what pages have been accessed. The registered data is used to categorize the user's interest and demographic profiles in terms of resales for targeted marketing
uid	1 year	This cookie is used to measure the number and behavior of the visitors to the website anonymously. The data includes the number of visits, average duration of the visit on the website, pages visited, etc. for the purpose of better understanding user preferences for targeted advertisments.
UserMatchHistory	1 month	This cookie is place by Linkedin to enable ad delivery or retargeting.
VISITOR_INFO1_LIVE	5 months	This cookie is set by Youtube. Used to track the information of the embedded YouTube videos on a website.
yt-remote-connected-devices	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt-remote-device-id	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt.innertube::nextId	never	This cookie, set by YouTube, registers a unique ID to store data on what videos from YouTube the user has seen.
yt.innertube::requests	never	This cookie, set by YouTube, registers a unique ID to store data on what videos from YouTube the user has seen.

Skytap Omnibus General Data Protection Addendum

1. DEFINITIONS

2. GENERAL

3. CUSTOMER RESPONSIBILITIES

4. SECURITY

5. SUB-PROCESSORS

6. OTHER OBLIGATIONS

7. INTERNATIONAL DATA TRANSFERS

Product

Help