Skytap, Inc. Omnibus General Data Protection Addendum

Last updated January 21, 2022

Skytap, Inc. Omnibus General Data Protection Addendum

This Omnibus General Data Protection Addendum (“Addendum”) is between: (i) Customer (“Customer, “Controller”) acting on its own behalf and as agent for each Controller Affiliate; and (ii) Skytap, Inc. (“Processor”) acting on its own behalf and as agent for each Processor Affiliate. This Addendum applies to each agreement between Processor (or any Processor Affiliate) and Controller (or any Controller Affiliate) under which Processor actually Processes Personal Data as part of performing under that agreement (“Agreement”), and the Addendum applies and is effective only if, under GDPR (defined below), Controller qualifies as a Data Controller and Processor qualifies as a Data Processor for Controller, in which case the Addendum then is incorporated into and is made a part of the Agreement effective when Processor processes Controller Personal Data (“Addendum Effective Date”).

This Addendum modifies and supplements the terms and conditions in the Agreement as they relate to Skytap’s Processing of Customer Personal Data and compliance with Data Protection Law. The terms used in this Addendum will have the meanings set forth in this Addendum. Capitalized terms not otherwise defined herein will have the meaning given to them in the Agreement. Except as modified below, the terms of the Agreement will remain in full force and effect.

Contact Information

Data Controller: Signatory to the Agreement between the parties

Data Processor: Skytap, Inc. | 255 South King Street, Ste 800, Seattle, WA, 98104 | +1 (206) 866-1162

Term

Expiration Date: Coterminous with the Agreement

1. Definitions

1.1 “Controller/Customer Personal Data” means any Personal Data provided by or on behalf of Controller/Customer to Processor under or pursuant to the Agreement or otherwise made available to, or collected by, Processor as required in providing its services to the Controller under the Agreement.

1.2 “CCPA” means The California Consumer Privacy Act, codified at Cal. Civ. Code §1798.100 et seq., and as may be amended, and any final implementing regulations promulgated by the State of California Department of Justice Office of The Attorney General.

1.3 “Commercial Purposes” has the meaning given to it under CCPA, which may be changed by amendment, but as of January 1, 2020 means (1) to advance a person’s commercial or economic interests, such as by inducing another person to buy, rent, lease, join, subscribe to, provide, or exchange products, goods, property, information, or services, or enabling or effecting, directly or indirectly, a commercial transaction, but excludes any purpose (2) that does not include for the purpose of engaging in speech that state or federal courts have recognized as non-commercial speech, including political speech and journalism.

1.4 “Consumer” a resident of California to whom Personal Information under CCPA relates.

“Data Controller” or “Controller” means the entity which determines the purposes and means of the Processing of Personal Data.

1.5 “Data Processor” or “Processor” means the entity that Processes Personal Data on behalf of the Data Controller, and that is bound by this Addendum.

1.6 “Data Subject” means the identified or identifiable person to whom Personal Data relates.

1.7 “Data Protection Legislation” means the (a) Data Protection Act 1998, the EU Data Protection Directive 95/46/EC, the Regulation of Investigatory Powers Act 2000, the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000 (SI 2000/2699), the Electronic Communications Data Protection Directive 2002/58/EC, the Privacy and Electronic Communications (EC Directive) Regulations 2003, GDPR, UK GDPR, and all applicable laws and regulations relating to processing Personal Data and privacy to the extent they are still in force, including where applicable the guidance and codes of practice issued by the Information Commissioner, and (b) CCPA.

1.8 “GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of the 27 April 2016 on the protection of natural persons with regards to the processing of personal data and on the free movement of such data as applicable as of 25 May 2018, as may be amended from time to time. For convenience, references to GDPR also will refer to the UK General Data Protection Regulation (“UK GDPR”) as appropriate where these two forms of distinct and potentially applicable Data Protection Legislation are substantially the same.

1.9 “Personal Information” has the meaning given to it under CCPA and that is provided by or on behalf of Customer to the Data Processor under or pursuant to the Agreement or otherwise made available to, or collected by, the Data Processor as required to provide its services to the Customer under the Agreement. Personal Information does not include Aggregate Consumer Information or Deidentified information as defined under CCPA.

1.10 “Regulated Data” means both of Personal Information under CCPA and Customer Personal Data under GDPR.

1.11 “Security Incident” means unauthorized acquisition, access, use or disclosure of Controller Regulated Data.

1.12 “Sub-Processor” means another Data Processor engaged by Processor for carrying out processing activities in respect of the Regulated Data on behalf of Processor.

2. General

2.1 Each party will comply with Data Protection Legislation with regards to the processing of Regulated Data under the Agreement and this Addendum.

2.2 The parties acknowledge and agree that with regard to the Processing of Customer Personal Data, Customer is the Controller, Skytap is the Processor and that Skytap will engage Sub-Processors pursuant to Section 5 below.

2.3 As Data Processor in respect of the Customer Personal Data processed under the Agreement and this Addendum, Skytap will:

2.3.1 process the Customer Personal Data only on and in accordance with lawful instructions from the Customer;

2.3.2 process the Customer Personal Data only to the extent, and in such manner as is necessary for, the provision of services to the Customer;

2.3.3 inform the Customer of any legal requirement under any applicable law that would require Skytap to process the Customer Personal Data other than the processing instructions, or if any Customer instruction infringes with applicable Data Protection Legislation; and

2.3.4 ensure any Sub-Processor that has access to Customer Personal Data from Skytap will comply with Skytap’s obligations under this Addendum.

2.4 The scope, purpose and duration of Customer Personal Data and Processing (including the type of Personal Data, categories of Data Subjects and security details) covered by the Agreement and this Addendum is set out in Schedule 2 of this Addendum.

2.5 This Addendum and the Agreement are Customer’s complete and final instructions to Skytap for the Processing of Customer Personal Data. Any additional or alternate instructions must be agreed upon separately and in writing by both the Customer and Skytap.

2.6 To the extent the Data Processor processes any Personal Information under the Agreement, the Data Processor shall comply with the requirements of a “Service Provider” under CCPA including but not limited to the following requirements.

2.6.1 Data Processor will only Process Personal Information for the limited purposes of providing services to Customer as described in the Agreement, as amended by this Addendum.

2.6.2 Data Processor will not retain, use, or disclose any Personal Information for any purpose other than for the specific purpose of providing the services specified in the Agreement as amended by this Addendum, including retaining, using, or disclosing the Personal Information for any “Commercial Purpose” as defined by CCPA. (For the avoidance of doubt, the foregoing prohibits Data Processor from retaining, using, or disclosing Personal Information outside of the direct business relationship between Data Processor and Customer.)

2.6.3 Data Processor will not sell Personal Information, as the term “Sell” and “Sale” are defined by CCPA.

2.6.4 Data Processor certifies that it understands the obligations under Subsections 2.6.1 and 2.6.2 and will comply with them.

3. Customer Responsibilities

3.1 Customer is the sole Controller of Customer Personal Data or has been instructed by, and obtained the authorization of, the relevant Controller(s) to agree to the Processing of Customer Personal Data by Skytap, as set out in this Addendum.

3.2 Customer will, in its use of the Services, process Customer Personal Data in accordance with the requirements of Data Protection Laws and Regulations. Customer will have sole responsibility for the accuracy, quality, and legality of Customer Personal Data and the means by which Customer acquired Customer Personal Data.

3.3 Customer acknowledges that it is responsible for properly implementing access and use controls and configuring certain features and functionalities of Skytap that Customer may elect to use and in such manner that Customer deems adequate to maintain appropriate security, protection, deletion, and backup of Customer Personal Data.

4. Security

4.1 Skytap will implement and maintain, at its cost and expense, appropriate technical and organizational measures in relation to its processing of Customer Personal Data so as to ensure a level of security in respect of Customer Personal Data processed by it is appropriate to the risks that are presented by the processing, including from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data transmitted, stored or otherwise processed.

4.2 With respect to any Security Incident involving Customer Personal Data, Skytap will, in accordance with Art. 28 paragraph 3 of GDPR, provide Customer with a) a description of the security incident and the approximate amount of data subjects and datasets involved, b) name and contact of a contact person for further information, c) a description on the probable consequences of the incident, and d) a description of the measures taken in order to remedy or reduce the incident.

4.3 Skytap will take reasonably appropriate measures to ensure that its personnel processing Customer Personal Data are subject to equivalent terms protecting Customer Personal Data, including training specific to the GDPR requirements.

5. Sub-Processors

5.1 Customer authorizes Skytap to engage another entity (a “Sub-Processor”) to perform specific processing activities in respect to the Customer Personal Data.

5.2 To receive Skytap’s current list of Sub-Processors and/or notifications of changed or new Sub-Processors, Customers may email subprocessors+subscribe@skytap.com with the subject “Subscribe”. Once Customer is subscribed, Skytap will provide subscriber with advance notice of any changed or new Sub-Processors in connection with the provision of the applicable Services.

5.3 Where and to the extent Customer is established with the European Economic Area, Switzerland, or where otherwise required by Data Protection Laws and Regulations applicable to Customer, Customer may reasonably object to the use of a new Sub-Processor (e.g., if making Customer Personal Data available to the Sub-Processor may violate applicable Data Protection Law or weaken the protections for such Customer Personal Data) by providing written notification to Skytap within 10 days of receiving notice per Section 5.2 above. Customer must include the reasonable grounds for the objection. In the event Customer objects to a new Sub-Processor, Skytap will use commercially reasonable efforts to make available to Customer a change in the Services or recommend a commercially reasonable change to Customer’s configuration or use of the Services, to avoid Processing of Customer Personal Data by the objected-to new Sub-Processor without unreasonably burdening Customer. If Skytap is unable to make available such change within a reasonable period of time, either party may terminate the Services which cannot be provided by Skytap without the use of the objected-to new Sub-Processor. Such terminations must be made in writing to Skytap. Skytap will refund Customer a prorated portion of pre-paid charges for remainder of the term of such Order Form(s) following the effective date of termination.

5.4 Skytap will remain liable to the Customer for the Sub-Processor’s performance, as well as for any acts or omissions of the Sub-Processor regarding its processing of Customer Personal Data, to the same extent Skytap would be liable if performing the Services of the Sub-Processor directly under the terms of this Addendum.

6. Other Obligations

6.1 Skytap will forward to the Customer and otherwise cooperate with and assist the Customer with any requests received from Data Subjects of any Customer Personal Data under GDPR (i.e., “Data Subject Access Request”) or Consumers under CCPA (e.g., “Right to Know”) of any Regulated Data (generally referred to together in this Section 5 as, “Regulated Data Access Request”. Business Provider will specifically perform the following.

6.2 Skytap will provide reasonable assistance, information and cooperation to the Customer to ensure compliance with the Customer’s obligations under Data Protection Legislation in relation to the processing of Customer Personal Data under the Agreement and this Addendum. This includes assistance with any data protection impact assessments and consultations with (or notifications to) relevant data protection regulators.

6.3 Upon Customer’s written request at reasonable intervals, Skytap will make available to the Customer such information as is reasonably required by the Customer to demonstrate Skytap’s compliance with its obligations under Data Protection Legislation and this Addendum.

6.4 Skytap will permit audits at reasonable intervals conducted by the Customer, or another auditor mandated by the Customer, solely for demonstrating Skytap’s compliance with its obligations under Data Protection Legislation and this Data Protection Schedule. This will be subject to the Customer giving Skytap reasonable prior notice of such audit and/or inspection and ensuring that any auditor is subject to binding obligations of confidentiality, is not a competitor of Skytap, and that such audit or inspection is undertaken so as to cause minimal disruption to Skytap’s business.

6.5 Skytap will, without undue delay, at the Customer’s request, either securely delete or return all the Customer Personal Data to the Customer at the end of the Agreement and this Addendum, or if earlier, as soon as processing by Skytap of any Customer Personal Data is no longer required for Skytap’s performance of its obligations under the Agreement, and securely delete existing copies (unless retention of any data is required by applicable law).

7. International Data Transfers

7.1 If Customer is established with the European Economic Area, Switzerland, or where otherwise required by Data Protection Laws and Regulations, Customer acknowledges that Skytap will transfer Customer Personal Data outside of the EEA for Processing. Skytap is certified and registered under Privacy Shield. However, until a version of Privacy Shield is agreed, reinstated and legally applicable under Data Protection Laws again, Section 7.2 explains how Skytap will comply with Data Protection Laws and Regulations related to International Data Transfers.

7.2 Skytap will enter into the standard Controller-To-Processor EU Model Clauses in the event where Skytap is no longer (i) entitled to rely on its registration and certification or (ii) registered and certified under Privacy Shield and Customer Personal Data is processed outside the EU; or in countries which do not ensure adequate level of data protection. In the event of any inconsistency between the Addendum and the Controller-To-Processor EU Model Clauses, the Controller-To-Processor EU Model Clauses will override the Addendum, to the extent terms in both are in conflict. If the Controller-To-Processor EU Model Clauses apply, the parties agree that the standard Controller-To-Processor EU Model Clauses may be amended from time to time, to the extent that they relate to a Restricted Transfer which is subject to the Data Protection Laws of a given country or territory, to reflect (to the extent possible without material uncertainty as to the result) any change (including any replacement) made in accordance with those Data Protection Laws (iii) by the Commission to or of the equivalent contractual clauses approved by the Commission under Data Protection Legislation (in the case of the Data Protection laws of the European Union or a Member State); or (iv) by an equivalent competent authority to or of any equivalent contractual clauses approved by it or by another competent authority under another Data Protection Law (otherwise). As a Customer, you may request Skytap arrange to execute the applicable Model Clauses by sending an email to skytapDPA@skytap.com.

Schedule 2: Data Processing Details

1) Subject-matter, nature and purpose of the Processing:

Skytap provides self-service public cloud infrastructure services to enterprise customers, also known as Infrastructure as a Service (IaaS). Upon contracting for services, Skytap provisions the Customer an account in the Customer’s chosen geographic region and provides login credentials for the Customer Primary Administrator to use a web portal and/or programmatically via REST API based on Personal Data provided by the Customer. Skytap manages the application infrastructure it provisions. The Customer is responsible for provisioning and managing additional user accounts for their Skytap Cloud instance, as well as the workloads running on the cloud infrastructure provided by Skytap, i.e., Skytap does not manage the Customer’s workloads, nor any data stored within them.

2) Duration of Processing:

Processing of the Customer Personal Data by Skytap will be for the term of the Agreement of for provision of the Services, provided that Customer Personal Data will not be Processed for longer than is necessary for the purpose for which it was collected or is being Processed (except where a statutory exception applies).

3) Customer Personal Data in Scope:

Skytap collects only the minimal personal information necessary to provision accounts, provide the services of Skytap Cloud, and provide audit capabilities to Skytap Cloud customers: User First/Last Names, Usernames/IDs, Email Addresses, Login Credentials, IP Addresses, Browser Type, Machine OS (via browser user agent), Employer (Customer association), User Region/Location (via IP Address).

As the Customer is responsible for provisioning and managing additional user accounts for their Skytap Cloud instance, as well as the workloads running on the cloud infrastructure provided by Skytap, i.e., Skytap does not manage the Customer’s workloads, nor any data stored within them. As Skytap does not have visibility into and relies on the Customer for any access to such workloads and data processed therein, Skytap does not know what Personal Data is in scope.

Cookie	Duration	Description
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Advertisement" category .
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Necessary" category .
cookielawinfo-checkbox-non-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Non Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
cookielawinfo-checkbox-preferences	1 year	This cookie is set by the GDPR Cookie Consent plugin to check if the user has given consent to use cookies under the "Preferences" category.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
__cf_bm	30 minutes	This cookie, set by Cloudflare, is used to support Cloudflare Bot Management.
55d66ab20f0ad28a_cfid	2 years	Set by ChatFunnels to store chat sessions
bcookie	2 years	This cookie is set by linkedIn. The purpose of the cookie is to enable LinkedIn functionalities on the page.
lidc	1 day	This cookie is set by LinkedIn and used for routing.
sc_anonymous_id	9 years	Cookie is placed by SoundCloud to provide functions across pages.

Cookie	Duration	Description
__utma	2 years	This cookie is set by Google Analytics and is used to distinguish users and sessions. The cookie is created when the JavaScript library executes and there are no existing __utma cookies. The cookie is updated every time data is sent to Google Analytics.
__utmb	30 minutes	The cookie is set by Google Analytics. The cookie is used to determine new sessions/visits. The cookie is created when the JavaScript library executes and there are no existing __utma cookies. The cookie is updated every time data is sent to Google Analytics.
__utmc		The cookie is set by Google Analytics and is deleted when the user closes the browser. The cookie is not used by ga.js. The cookie is used to enable interoperability with urchin.js which is an older version of Google analytics and used in conjunction with the __utmb cookie to determine new sessions/visits.
__utmt	10 minutes	The cookie is set by Google Analytics and is used to throttle the request rate.
__utmz	6 months	This cookie is set by Google analytics and is used to store the traffic source or campaign through which the visitor reached your site.
_gat_UA-4086838-1	1 minute	This is a pattern type cookie set by Google Analytics, where the pattern element on the name contains the unique identity number of the account or website it relates to. It appears to be a variation of the _gat cookie which is used to limit the amount of data recorded by Google on high traffic volume websites.
_uetsid	1 day	Bing Ads sets this cookie to engage with a user that has previously visited the website.
_uetvid	1 year 24 days	Bing Ads sets this cookie to engage with a user that has previously visited the website.
YSC		This cookies is set by Youtube and is used to track the views of embedded videos.

Cookie	Duration	Description
_ga	2 years	This cookie is installed by Google Analytics. The cookie is used to calculate visitor, session, camapign data and keep track of site usage for the site's analytics report. The cookies store information anonymously and assigns a randoly generated number to identify unique visitors.
_gcl_au	2 months	This cookie is placed by Google Tag Manager to place and track conversions.
_gid	1 day	This cookie is installed by Google Analytics. The cookie is used to store information of how visitors use a website and helps in creating an analytics report of how the wbsite is doing. The data collected including the number visitors, the source where they have come from, and the pages viisted in an anonymous form.
_uv_id	2 years	Slideshare: Collects data on the user's visits to the website, such as which pages have been read.
browser_id	5 years	This cookie is used for identifying the visitor browser on re-visit to the website.
bscookie	2 years	This cookie is placed by Linkedin to store performed actions on the website.
CONSENT	2 years	YouTube sets this cookie via embedded youtube-videos and registers anonymous statistical data.
GPS	30 minutes	This cookie is set by Youtube and registers a unique ID for tracking users based on their geographical location
li_sugr	2 months	This cookie is placed by Linkedin to store browser details.
lissc	1 year	Used by the social networking service, LinkedIn, for tracking the use of embedded services.
MR	1 week	This cookie is used to measure the use of the website for analytics purposes.
pardot		The cookie is set when the visitor is logged in as a Pardot user.
undefined	never	Wistia sets this cookie to collect data on visitor interaction with the website's video-content, to make the website's video-content more relevant for the visitor.
vuid	2 years	Vimeo

Cookie	Duration	Description
ANONCHK	10 minutes	The ANONCHK cookie, set by Bing, is used to store a user's session ID and also verify the clicks from ads on the Bing search engine. The cookie helps in reporting and personalization as well.
IDE	2 years	Used by Google DoubleClick and stores information about how the user uses the website and any other advertisement before visiting the website. This is used to present users with ads that are relevant to them according to the user profile.
MUID	1 year	Used by Microsoft as a unique identifier. The cookie is set by embedded Microsoft scripts. The purpose of this cookie is to synchronize the ID across many different Microsoft domains to enable user tracking.
SRM_B	1 year	Bing.com
SRM_I	1 year	Bing.com
u	2 months	Collects data on user visits to the website, such as what pages have been accessed. The registered data is used to categorize the user's interest and demographic profiles in terms of resales for targeted marketing
uid	1 year	This cookie is used to measure the number and behavior of the visitors to the website anonymously. The data includes the number of visits, average duration of the visit on the website, pages visited, etc. for the purpose of better understanding user preferences for targeted advertisments.
UserMatchHistory	1 month	This cookie is place by Linkedin to enable ad delivery or retargeting.
VISITOR_INFO1_LIVE	5 months	This cookie is set by Youtube. Used to track the information of the embedded YouTube videos on a website.
yt-remote-connected-devices	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt-remote-device-id	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt.innertube::nextId	never	This cookie, set by YouTube, registers a unique ID to store data on what videos from YouTube the user has seen.
yt.innertube::requests	never	This cookie, set by YouTube, registers a unique ID to store data on what videos from YouTube the user has seen.

Skytap, Inc. Omnibus General Data Protection Addendum