Skytap, Inc. Omnibus General Data Protection Addendum
Last updated January 21, 2022
This Omnibus General Data Protection Addendum (“Addendum”) is between: (i) Customer (“Customer”, “Controller”) acting on its own behalf and as agent for each Controller Affiliate; and (ii) Skytap, Inc. (“Processor”) acting on its own behalf and as agent for each Processor Affiliate. This Addendum applies to each agreement between Processor (or any Processor Affiliate) and Controller (or any Controller Affiliate) under which Processor actually Processes Personal Data as part of performing under that agreement (“Agreement”), and the Addendum applies and is effective only if, under GDPR (defined below), Controller qualifies as a Data Controller and Processor qualifies as a Data Processor for Controller, in which case the Addendum then is incorporated into and is made a part of the Agreement effective when Processor processes Controller Personal Data (“Addendum Effective Date”).
This Addendum modifies and supplements the terms and conditions in the Agreement as they relate to Skytap’s Processing of Customer Personal Data and compliance with Data Protection Law. The terms used in this Addendum will have the meanings set forth in this Addendum. Capitalized terms not otherwise defined herein will have the meaning given to them in the Agreement. Except as modified below, the terms of the Agreement will remain in full force and effect.
Contact Information
Data Controller: Signatory to the Agreement between the parties
Data Processor: Skytap, Inc. | 255 South King Street, Ste 800, Seattle, WA, 98104 | +1 (206) 866-1162
Term
Expiration Date: Coterminous with the Agreement
1. Definitions
1.1 “Controller/Customer Personal Data” means any Personal Data provided by or on behalf of Controller/Customer to Processor under or pursuant to the Agreement or otherwise made available to, or collected by, Processor as required in providing its services to the Controller under the Agreement.
1.2 “CCPA” means The California Consumer Privacy Act, codified at Cal. Civ. Code §1798.100 et seq., and as may be amended, and any final implementing regulations promulgated by the State of California Department of Justice Office of The Attorney General.
1.3 “Commercial Purposes” has the meaning given to it under CCPA, which may be changed by amendment, but as of January 1, 2020 means (1) to advance a person’s commercial or economic interests, such as by inducing another person to buy, rent, lease, join, subscribe to, provide, or exchange products, goods, property, information, or services, or enabling or effecting, directly or indirectly, a commercial transaction, but excludes any purpose (2) that does not include for the purpose of engaging in speech that state or federal courts have recognized as non-commercial speech, including political speech and journalism.
1.4 “Consumer” means a resident of California to whom Personal Information under CCPA relates.
“Data Controller” or “Controller” means the entity which determines the purposes and means of the Processing of Personal Data.
1.5 “Data Processor” or “Processor” means the entity that Processes Personal Data on behalf of the Data Controller, and that is bound by this Addendum.
1.6 “Data Subject” means the identified or identifiable person to whom Personal Data relates.
1.7 “Data Protection Legislation” means the (a) Data Protection Act 1998, the EU Data Protection Directive 95/46/EC, the Regulation of Investigatory Powers Act 2000, the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000 (SI 2000/2699), the Electronic Communications Data Protection Directive 2002/58/EC, the Privacy and Electronic Communications (EC Directive) Regulations 2003, GDPR, UK GDPR, and all applicable laws and regulations relating to processing Personal Data and privacy to the extent they are still in force, including where applicable the guidance and codes of practice issued by the Information Commissioner, and (b) CCPA.
1.8 “GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of the 27 April 2016 on the protection of natural persons with regards to the processing of personal data and on the free movement of such data as applicable as of 25 May 2018, as may be amended from time to time. For convenience, references to GDPR also will refer to the UK General Data Protection Regulation (“UK GDPR”) as appropriate where these two forms of distinct and potentially applicable Data Protection Legislation are substantially the same.
1.9 “Personal Information” has the meaning given to it under CCPA and that is provided by or on behalf of Customer to the Data Processor under or pursuant to the Agreement or otherwise made available to, or collected by, the Data Processor as required to provide its services to the Customer under the Agreement. Personal Information does not include Aggregate Consumer Information or Deidentified information as defined under CCPA.
1.10 “Regulated Data” means both of Personal Information under CCPA and Customer Personal Data under GDPR.
1.11 “Security Incident” means unauthorized acquisition, access, use or disclosure of Controller Regulated Data.
1.12 “Sub-Processor” means another Data Processor engaged by Processor for carrying out processing activities in respect of the Regulated Data on behalf of Processor.
2. General
2.1 Each party will comply with Data Protection Legislation with regards to the processing of Regulated Data under the Agreement and this Addendum.
2.2 The parties acknowledge and agree that with regard to the Processing of Customer Personal Data, Customer is the Controller, Skytap is the Processor and that Skytap will engage Sub-Processors pursuant to Section 5 below.
2.3 As Data Processor in respect of the Customer Personal Data processed under the Agreement and this Addendum, Skytap will:
2.3.1 process the Customer Personal Data only on and in accordance with lawful instructions from the Customer;
2.3.2 process the Customer Personal Data only to the extent, and in such manner as is necessary for, the provision of services to the Customer;
2.3.3 inform the Customer of any legal requirement under any applicable law that would require Skytap to process the Customer Personal Data other than the processing instructions, or if any Customer instruction infringes applicable Data Protection Legislation; and
2.3.4 ensure any Sub-Processor that has access to Customer Personal Data from Skytap will comply with Skytap’s obligations under this Addendum.
2.4 The scope, purpose and duration of Customer Personal Data and Processing (including the type of Personal Data, categories of Data Subjects and security details) covered by the Agreement and this Addendum is set out in Schedule 2 of this Addendum.
2.5 This Addendum and the Agreement are Customer’s complete and final instructions to Skytap for the Processing of Customer Personal Data. Any additional or alternate instructions must be agreed upon separately and in writing by both the Customer and Skytap.
2.6 To the extent the Data Processor processes any Personal Information under the Agreement, the Data Processor shall comply with the requirements of a “Service Provider” under CCPA including but not limited to the following requirements.
2.6.1 Data Processor will only Process Personal Information for the limited purposes of providing services to Customer as described in the Agreement, as amended by this Addendum.
2.6.2 Data Processor will not retain, use, or disclose any Personal Information for any purpose other than for the specific purpose of providing the services specified in the Agreement as amended by this Addendum, including retaining, using, or disclosing the Personal Information for any “Commercial Purpose” as defined by CCPA. (For the avoidance of doubt, the foregoing prohibits Data Processor from retaining, using, or disclosing Personal Information outside of the direct business relationship between Data Processor and Customer.)
2.6.3 Data Processor will not sell Personal Information, as the term “Sell” and “Sale” are defined by CCPA.
2.6.4 Data Processor certifies that it understands the obligations under Subsections 2.6.1 and 2.6.2 and will comply with them.
3. Customer Responsibilities
3.1 Customer is the sole Controller of Customer Personal Data or has been instructed by, and obtained the authorization of, the relevant Controller(s) to agree to the Processing of Customer Personal Data by Skytap, as set out in this Addendum.
3.2 Customer will, in its use of the Services, process Customer Personal Data in accordance with the requirements of Data Protection Laws and Regulations. Customer will have sole responsibility for the accuracy, quality, and legality of Customer Personal Data and the means by which Customer acquired Customer Personal Data.
3.3 Customer acknowledges that it is responsible for properly implementing access and use controls and configuring certain features and functionalities of Skytap that Customer may elect to use and in such manner that Customer deems adequate to maintain appropriate security, protection, deletion, and backup of Customer Personal Data.
4. Security
4.1 Skytap will implement and maintain, at its cost and expense, appropriate technical and organizational measures in relation to its processing of Customer Personal Data so as to ensure a level of security in respect of Customer Personal Data processed by it is appropriate to the risks that are presented by the processing, including from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data transmitted, stored or otherwise processed.
4.2 With respect to any Security Incident involving Customer Personal Data, Skytap will, in accordance with Art. 28 paragraph 3 of GDPR, provide Customer with a) a description of the security incident and the approximate amount of data subjects and datasets involved, b) name and contact of a contact person for further information, c) a description of the probable consequences of the incident, and d) a description of the measures taken in order to remedy or reduce the incident.
4.3 Skytap will take reasonably appropriate measures to ensure that its personnel processing Customer Personal Data are subject to equivalent terms protecting Customer Personal Data, including training specific to the GDPR requirements.
5. Sub-Processors
5.1 Customer authorizes Skytap to engage another entity (a “Sub-Processor”) to perform specific processing activities in respect to the Customer Personal Data.
5.2 To receive Skytap’s current list of Sub-Processors and/or notifications of changed or new Sub-Processors, Customers may email subprocessors+subscribe@skytap.com with the subject “Subscribe”. Once Customer is subscribed, Skytap will provide subscriber with advance notice of any changed or new Sub-Processors in connection with the provision of the applicable Services.
5.3 Where and to the extent Customer is established within the European Economic Area, Switzerland, or where otherwise required by Data Protection Laws and Regulations applicable to Customer, Customer may reasonably object to the use of a new Sub-Processor (e.g., if making Customer Personal Data available to the Sub-Processor may violate applicable Data Protection Law or weaken the protections for such Customer Personal Data) by providing written notification to Skytap within 10 days of receiving notice per Section 5.2 above. Customer must include the reasonable grounds for the objection. In the event Customer objects to a new Sub-Processor, Skytap will use commercially reasonable efforts to make available to Customer a change in the Services or recommend a commercially reasonable change to Customer’s configuration or use of the Services, to avoid Processing of Customer Personal Data by the objected-to new Sub-Processor without unreasonably burdening Customer. If Skytap is unable to make available such change within a reasonable period of time, either party may terminate the Services which cannot be provided by Skytap without the use of the objected-to new Sub-Processor. Such terminations must be made in writing to Skytap. Skytap will refund Customer a prorated portion of pre-paid charges for the remainder of the term of such Order Form(s) following the effective date of termination.
5.4 Skytap will remain liable to the Customer for the Sub-Processor’s performance, as well as for any acts or omissions of the Sub-Processor regarding its processing of Customer Personal Data, to the same extent Skytap would be liable if performing the Services of the Sub-Processor directly under the terms of this Addendum.
6. Other Obligations
6.1 Skytap will forward to the Customer and otherwise cooperate with and assist the Customer with any requests received from Data Subjects of any Customer Personal Data under GDPR (i.e., “Data Subject Access Request”) or Consumers under CCPA (e.g., “Right to Know”) of any Regulated Data (generally referred to together in this Section 5 as “Regulated Data Access Request”). Business Provider will specifically perform the following.
6.2 Skytap will provide reasonable assistance, information and cooperation to the Customer to ensure compliance with the Customer’s obligations under Data Protection Legislation in relation to the processing of Customer Personal Data under the Agreement and this Addendum. This includes assistance with any data protection impact assessments and consultations with (or notifications to) relevant data protection regulators.
6.3 Upon Customer’s written request at reasonable intervals, Skytap will make available to the Customer such information as is reasonably required by the Customer to demonstrate Skytap’s compliance with its obligations under Data Protection Legislation and this Addendum.
6.4 Skytap will permit audits at reasonable intervals conducted by the Customer, or another auditor mandated by the Customer, solely for demonstrating Skytap’s compliance with its obligations under Data Protection Legislation and this Data Protection Schedule. This will be subject to the Customer giving Skytap reasonable prior notice of such audit and/or inspection and ensuring that any auditor is subject to binding obligations of confidentiality, is not a competitor of Skytap, and that such audit or inspection is undertaken so as to cause minimal disruption to Skytap’s business.
6.5 Skytap will, without undue delay, at the Customer’s request, either securely delete or return all the Customer Personal Data to the Customer at the end of the Agreement and this Addendum, or if earlier, as soon as processing by Skytap of any Customer Personal Data is no longer required for Skytap’s performance of its obligations under the Agreement, and securely delete existing copies (unless retention of any data is required by applicable law).
7. International Data Transfers
7.1 If Customer is established within the European Economic Area, Switzerland, or where otherwise required by Data Protection Laws and Regulations, Customer acknowledges that Skytap will transfer Customer Personal Data outside of the EEA for Processing. Skytap is certified and registered under Privacy Shield. However, until a version of Privacy Shield is agreed, reinstated and legally applicable under Data Protection Laws again, Section 7.2 explains how Skytap will comply with Data Protection Laws and Regulations related to International Data Transfers.
7.2 Skytap will enter into the standard Controller-To-Processor EU Model Clauses in the event where Skytap is no longer (i) entitled to rely on its registration and certification or (ii) registered and certified under Privacy Shield and Customer Personal Data is processed outside the EU; or in countries which do not ensure adequate level of data protection. In the event of any inconsistency between the Addendum and the Controller-To-Processor EU Model Clauses, the Controller-To-Processor EU Model Clauses will override the Addendum, to the extent terms in both are in conflict. If the Controller-To-Processor EU Model Clauses apply, the parties agree that the standard Controller-To-Processor EU Model Clauses may be amended from time to time, to the extent that they relate to a Restricted Transfer which is subject to the Data Protection Laws of a given country or territory, to reflect (to the extent possible without material uncertainty as to the result) any change (including any replacement) made in accordance with those Data Protection Laws (iii) by the Commission to or of the equivalent contractual clauses approved by the Commission under Data Protection Legislation (in the case of the Data Protection laws of the European Union or a Member State); or (iv) by an equivalent competent authority to or of any equivalent contractual clauses approved by it or by another competent authority under another Data Protection Law (otherwise). As a Customer, you may request Skytap arrange to execute the applicable Model Clauses by sending an email to skytapDPA@skytap.com.
Schedule 2: Data Processing Details
1) Subject-matter, nature and purpose of the Processing:
Skytap provides self-service public cloud infrastructure services to enterprise customers, also known as Infrastructure as a Service (IaaS). Upon contracting for services, Skytap provisions the Customer an account in the Customer’s chosen geographic region and provides login credentials for the Customer Primary Administrator to use a web portal and/or programmatically via REST API based on Personal Data provided by the Customer. Skytap manages the application infrastructure it provisions. The Customer is responsible for provisioning and managing additional user accounts for their Skytap Cloud instance, as well as the workloads running on the cloud infrastructure provided by Skytap, i.e., Skytap does not manage the Customer’s workloads, nor any data stored within them.
2) Duration of Processing:
Processing of the Customer Personal Data by Skytap will be for the term of the Agreement or for provision of the Services, provided that Customer Personal Data will not be Processed for longer than is necessary for the purpose for which it was collected or is being Processed (except where a statutory exception applies).
3) Customer Personal Data in Scope:
Skytap collects only the minimal personal information necessary to provision accounts, provide the services of Skytap Cloud, and provide audit capabilities to Skytap Cloud customers: User First/Last Names, Usernames/IDs, Email Addresses, Login Credentials, IP Addresses, Browser Type, Machine OS (via browser user agent), Employer (Customer association), User Region/Location (via IP Address).
The Customer is responsible for provisioning and managing additional user accounts for their Skytap Cloud instance, as well as the workloads running on the cloud infrastructure provided by Skytap, i.e., Skytap does not manage the Customer’s workloads, nor any data stored within them. As Skytap does not have visibility into and relies on the Customer for any access to such workloads and data processed therein, Skytap does not know what Personal Data is in scope.