Cloudera Partner Data Processing Addendum
This Partner Data Protection Addendum (“DPA”) forms part of and is incorporated into the Cloudera Partner Network Terms, Partnership Terms and Conditions, or similar contract, agreement, or legal document (“Agreement”) between Cloudera, Inc. and any Cloudera affiliates, and the Partner and any Partner affiliates. Cloudera and Partner are each a “Party” and, together, “the Parties.” This DPA forms a legally binding contract between Cloudera and Partner and applies to the extent that the Parties Process Personal Data for purposes of and pursuant to the Agreement. This DPA shall prevail over any prior data protection addendum or similar agreement entered into or executed by the Parties.
I. Cloudera and Partner intend and agree to process Personal Data, as separate and independent Controllers, subject to the terms and conditions of this DPA, for their own respective purposes.
II. Cloudera and Partner have entered into this DPA to set out the framework for the Processing of Personal Data by the Parties, including the sharing of such data, each acting in the capacity as a Controller, and to define the procedures, obligations, responsibilities, liabilities, and rights of the Parties in connection with the Agreement and to manage and further the partner relationship (aka partnership).
In relation to the Processing of Personal Data, the following terms, and their cognate words, shall have the same meaning as set forth and defined in and by Data Protection Law:
“Business”; “Collect”; “Consent”; “Consumer”; “Controller”; “Data Subject”; “Personal Data”; “Personal Data Breach”; “Personal Information”; “Process(es)” or “Processing”; “Processor”; “Recipient”; “Sell”; “Sensitive Personal Data”; “Service Provider”; “Share”; “Special categories of Personal Data”; and “Third party”.
The following terms shall have the meanings set forth below and cognate terms shall be construed in accordance with these definitions and Data Protection Law:
“Applicable Law” means any law, rule, or regulation to which a Party is subject.
“Data Protection Law” means all data protection and privacy laws, rules, and regulations (as may be amended, updated, superseded, or replaced from time to time) applicable to the Processing and protection of Personal Data under the Agreement and this DPA, including, among others, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC [General Data Protection Regulation (“GDPR”)]; Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (“ePrivacy Directive”); the United Kingdom Data Protection Act 2018; Switzerland’s Federal Act on Data Protection (“FADP”); the California Consumer Privacy Act of 2018; the Virginia Consumer Data Protection Act; Canada’s Personal Information Protection and Electronic Documents Act; the Australia Privacy Act 1988; Hong Kong’s Personal Data (Privacy) Ordinance; Singapore’s Personal Data Protection Act; and Brazil’s Lei Geral de Proteção de Dados Pessoais; as well as any marketing, consumer protection, and data breach notification laws.
“Data Protection Authority” means the relevant or competent government or public authority in charge of regulating the Processing of Personal Data and enforcing Data Protection Law.
“Restricted Data Transfer” means any transfer of Personal Data from the European Union (EU), the European Economic Area (EEA), Switzerland, or the United Kingdom (UK) to a third country outside of any of those regions, countries, or jurisdictions that does not ensure an adequate level of data protection (e.g., a country without an “adequacy decision”) according to the respective governmental authority, including any Data Protection Authority. A Restricted Data Transfer includes an onward transfer, i.e., a subsequent transfer of the Personal Data initially transferred outside the relevant jurisdictions.
“EU Standard Contractual Clauses (EU SCCs)” means Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council.
2. DPA Purpose, Scope, and Description of Processing
2.1 Parties as Independent Controllers
Each Party shall act as an independent Controller with respect to the Processing of Personal Data under or pursuant to the Agreement.
2.2 Purpose and Scope of the DPA
This DPA’s purpose is to ensure that the Processing of Personal Data by each Party, including, among other things, any transfer, sharing, transmission, or dissemination of Personal Data between the Parties, for the purposes set forth in section 2.3 of this DPA, complies with Data Protection Law. This DPA shall govern such Processing. The disclosure or exchange of Personal Data between the Parties for purposes of the Agreement shall not constitute a “sale” or “sharing” as those terms are defined under applicable Data Protection Law.
2.3 Description of the Processing
Exhibit II of this DPA specifies the details of the Processing. The Parties may make reasonable amendments to Exhibit II as the Parties reasonably consider necessary to meet requirements of Data Protection Law or explicit guidance or a direct mandate issued by a Data Protection Authority by executing a signed addendum.
3. Controller Obligations
3.1 General Obligations
3.1.1 Each Party shall Process Personal Data in compliance with Data Protection Law and according to this DPA, unless required to do so otherwise by Applicable Law to which each or either Party is subject. In particular, each Party shall have all permissions, authorizations, consents, and/or other rights, including a lawful basis, for each Processing activity.
3.1.2 Neither Party shall knowingly perform its respective obligations in a manner that causes the other Party to breach any of its own respective obligations under Data Protection Law and/or this DPA.
3.1.3 Each Party shall implement and maintain appropriate technical and organizational measures to ensure that the Processing of Personal Data complies with Data Protection Law, considering the nature, scope, context, and purposes of Processing, as well as the risks to Data Subjects’ fundamental rights and freedoms.
3.1.4 Each Party shall at all times remain responsible for the acts and omissions of each Party’s respective personnel and vendors, suppliers, contractors, and agents in respect of the Personal Data.
3.2.1 Each Party hereby provides the required permissions, authorizations, consents, and other rights to permit and allow each Party to send messages to and otherwise communicate with the other Party’s own respective employees, personnel, staff, and other representatives for purposes of and in connection with the partnership, including, but not limited to, communications regarding products and services of each Party, surveys, news, reports, invites, and transactions that are relevant to the partnership.
3.3 Purpose Limitation
Each Party shall Process the Personal Data only for the specific purposes set out in Exhibit II. A Party may Process the Personal Data for another purpose if permitted or required by Data Protection Law, such as where:
3.3.1 it has obtained the Data Subject’s prior consent for the subsequent or new purpose;
3.3.2 necessary to establish, exercise, or defend legal claims;
3.3.3 necessary to protect the vital interests of the Data Subject or another person;
3.3.4 necessary to comply with (A) federal, state, or local laws, (B) a court order or subpoena to provide information, or (C) a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, or local authorities;
3.3.5 necessary to cooperate with law enforcement agencies concerning conduct or activity that the Party reasonably and in good faith believes may violate federal, state, or local law; or
3.3.6 otherwise permitted by Data Protection Law.
To enable Data Subjects to effectively exercise their rights under Data Protection Law, each Party shall inform the Data Subjects, either directly or through the other Party, at a minimum:
3.4.1 of the Party’s identity and contact details;
3.4.2 of the categories of Personal Data Processed; and
3.4.3 where the Party intends to make an onward transfer of the Personal Data to any third party/ies, of the recipient(s) or categories of recipients, the purpose(s) of such onward transfer(s), and the ground(s) of such transfer(s).
The foregoing shall not apply where the Data Subject already has the above information, including when such information has already been provided by the Party, or providing the information proves impossible or would involve a disproportionate effort for that Party. In the latter case, the Party shall, to the extent possible, make the information publicly available (such as through a privacy notice or statement).
3.5 Data Accuracy and Data Minimization
3.5.1 Each Party shall ensure that the Personal Data is accurate and, where necessary, kept up to date. Having regard to the purpose(s) of Processing, each Party shall take every reasonable step to ensure that Personal Data that is inaccurate or incomplete is erased or rectified or made complete without delay.
3.5.2 If a Party becomes aware that the Personal Data it has disclosed to the other Party is inaccurate, or has become outdated, it shall inform the other Party without undue delay.
3.5.3 Each Party shall ensure that the Personal Data is adequate, relevant, and limited to what is necessary in relation to the purpose(s) of the Processing.
3.6 Processing under the authority of the Controller
3.6.1 Each Party shall ensure that any person acting under its authority, including, among others, employees, personnel, staff, and/or Processors, Processes the Personal Data only according to the Party’s instructions.
3.6.2 Each Party shall grant access to the Personal Data undergoing Processing to members of its personnel or staff only to the extent strictly necessary for fulfilling the terms of this DPA and purposes set forth herein.
3.6.3 Each Party shall ensure that persons authorized to access, use, or otherwise Process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory or professional obligation of confidentiality.
3.7 Duration of Processing
Processing shall only take place for the duration specified in Exhibit II.
3.8 Direct Marketing
To the extent that a Party intends to Process the Personal Data for direct marketing, that Party shall do the following:
3.8.1 ensure that the appropriate types of any necessary consents have been obtained from the relevant Data Subjects or otherwise establish a lawful basis to allow the Personal Data to be used for direct marketing in compliance with Data Protection Law;
3.8.2 implement effective procedures and communications to allow a Data Subject to exercise the right to opt out from or object to direct marketing; and
3.8.3 implement effective procedures to enable the Party to notify relevant third parties of any Data Subject’s choice to opt-out of or object to such marketing.
4. Technical and Organizational Measures
4.1 Security Measures
Each Party shall implement technical and organizational measures to ensure the security, confidentiality, integrity, and availability of the Personal Data, including protecting such data against a Personal Data Breach. In assessing the appropriate level of security, each Party shall take account of the state of the art, the costs of implementation, the nature, scope, context, and purposes of Processing, and the risks of varying likelihood and severity for Data Subjects’ rights and freedoms.
Each Party shall keep accurate records of the technical and organizational security measures which each Party has implemented and maintains, and each Party shall make such records available to the Data Protection Authority upon request.
5. Data Retention and Deletion
Each Party shall retain the Personal Data for no longer than is necessary to carry out the purpose(s) of Processing set forth in this DPA and do so in accordance with Data Protection Law. Each Party shall implement appropriate technical or organizational measures to ensure compliance with this obligation, including appropriate data retention policies and procedures, and mechanisms to securely delete, erase, destroy, dispose of, or anonymize the Personal Data.
Each Party may continue to retain the Personal Data in accordance with any statutory or professional retention periods applicable in their respective countries and/or industry, any documented backup policies and procedures, and/or as otherwise permitted by Data Protection Law. During this retention period, the Party shall continue to treat the Personal Data in accordance with Data Protection Law and shall not Process such data for purposes other than those set forth in this DPA.
6. International Personal Data Transfers
If the Parties engage in cross-border transfers of Personal Data, they shall comply with Data Protection Law, including ensuring that the third country of destination has data protection requirements that are equivalent, comparable, or substantially similar to, or commensurate with, the Data Protection Law that governs the Personal Data (i.e., the Data Protection Law to which the Personal Data is initially subject) and that Processing in the third country will not contravene said Data Protection Law. Likewise, the Parties shall ensure that any onward transfer of the Personal Data to other third parties or third countries complies with the same requirements under the Data Protection Law.
In particular, if the Parties engage in a Restricted Data Transfer, the Parties shall ensure compliance with Data Protection Law by using a lawful transfer mechanism (e.g., the EU SCCs set forth in the Exhibits), provided that the conditions for the use of the transfer mechanism are met and that any required modifications are made. Likewise, the Parties shall ensure that any onward transfer (of Personal Data that was part of the Restricted Data Transfer) to another party (such as to an affiliate or a Processor) complies with the conditions for lawful data transfers under Data Protection Law by using a lawful transfer mechanism.
7. Data Subjects
7.1.1 Each Party shall inform Data Subjects in a transparent and easily accessible format, through individual notice or on their websites, of a contact point authorized to handle complaints, inquiries, and privacy rights requests.
7.1.2 In case of a dispute between a Data Subject and one of the Parties as regards compliance with Data Protection Law, that Party shall use its best efforts to resolve the issue amicably in a timely fashion.
7.1.3 Each Party shall, without undue delay, deal with any inquiries and requests it receives from Data Subjects relating to the Processing of their Personal Data and the exercise of their rights under Data Protection Law. Each Party shall take appropriate measures to facilitate such inquiries, requests, and the exercise of Data Subjects’ rights. Any information provided to the Data Subjects shall be in an intelligible and easily accessible form, using clear and plain language.
7.1.4 Each Party shall, upon the Data Subject’s request, fulfill the rights request free of charge, unless otherwise permitted under Data Protection Law.
7.1.5 Where a Party Processes the Data Subject’s Personal Data for direct marketing purposes, the Party shall cease Processing for such purposes if the Data Subject objects to or opts out of such marketing.
7.1.6 A Party may refuse a Data Subject’s request if Data Protection Law allows such refusal. In this case, the Party shall inform the Data Subject of the reasons for the refusal and, if applicable, of the Data Subject’s right to contest the refusal and/or lodge a complaint with the Data Protection Authority and/or seek judicial redress.
7.2 Mutual Assistance
The Parties agree that the responsibility for complying with a Data Subject’s rights request belongs to the Party receiving such a request in respect of the Personal Data held by that Party.
However, the Parties shall provide each other reasonable assistance, as is necessary, to enable each Party to comply with their obligations to respond to Data Subjects’ requests to exercise their rights and to respond to any other queries or complaints from Data Subjects. The Parties shall, as is necessary, keep each other informed about such disputes and, where appropriate, reasonably cooperate in resolving them.
8.1 General Documentation and Compliance
8.1.1 Each Party shall be able to demonstrate compliance with its respective obligations under this DPA and Data Protection Law. In particular, each Party shall keep appropriate documentation of the Processing activities carried out under its responsibility pursuant to this DPA.
8.1.2 Each Party shall deal promptly and adequately with reasonable inquiries from the other Party about the Processing under this DPA.
8.1.3 The Parties shall make documentation about the Processing under this DPA and required under Data Protection Law available to the Data Protection Authority on request.
8.1.4 The Parties agree to submit themselves to the jurisdiction of and cooperate with the Data Protection Authority in any procedures aimed at ensuring compliance with this DPA. In particular, the Parties agree to respond to inquiries, submit to audits, and comply with the measures adopted or mandated by the Data Protection Authority, including remedial and compensatory measures. Where applicable and necessary, the Parties shall provide such authority with written confirmation that the necessary actions have been taken.
8.2 Compliance Assistance
8.2.1 In the event of a dispute or claim brought by a Data Subject or the Data Protection Authority concerning the Processing of Personal Data by the Parties under this DPA against either or both Parties, the Parties will inform each other about any such disputes or claims and cooperate with a view to settling them amicably in a timely fashion.
8.2.2 In respect of breaches relating to this DPA, each Party shall abide by a decision of a competent, independent court of the other Party’s country of establishment or of any binding decision of the Data Protection Authority.
8.2.3 Taking into account the nature of the Processing, each Party shall provide the other Party with reasonable assistance in ensuring compliance with legal obligations, if applicable and only if required by Data Protection Law.
9. Personal Data Breach
In the event a Party experiences a Personal Data Breach concerning the Personal Data subject to Processing under this DPA, that Party shall take appropriate measures to address the Personal Data Breach, including adopting measures to mitigate the breach’s possible adverse effects.
9.2 Data breach notification
9.2.1 In case of a Personal Data Breach that is likely to result in a risk to the rights and freedoms of Data Subjects or that otherwise requires notification under Data Protection Law, the Party that has experienced the breach shall, without undue delay, notify the Data Protection Authority. The notification shall contain, at a minimum, the following information:
9.2.1.1 A description of the nature of the breach (including, where possible or appropriate, the categories and approximate number of Data Subjects and records concerned);
9.2.1.2 The details of a contact point where or from whom the other Party can obtain more information about the breach;
9.2.1.3 The breach’s likely consequences;
9.2.1.4 The measures taken or proposed to be taken to address the breach, including to mitigate its possible adverse effects.
To the extent that the Party is unable to provide all the information at the same time, it may do so in phases without undue further delay.
9.2.2 In case of a Personal Data Breach that is likely to result in a high risk to the rights and freedoms of affected Data Subjects, the Party shall, in addition to complying with 9.2.1., notify, without undue delay, the affected Data Subjects of the Personal Data Breach and provide the relevant information referred to in 9.2.1.1. through 9.2.1.4., unless the Party has implemented measures to significantly reduce the risk to the rights or freedoms of said Data Subjects, or notification would involve disproportionate efforts. However, the Party must provide such notification if otherwise required by Data Protection Law.
9.2.3 The Party that has experienced the Personal Data Breach shall (A) document all relevant facts relating to the breach, including its effects and any remedial action taken, and keep a record thereof; and (B) notify the other Party of the breach with the information in 9.2.1., to the extent required by Data Protection Law or where such notification is reasonably necessary or appropriate given the relationship between the Parties and the nature and context of the Processing under this DPA.
9.3 Data breach assistance
Where necessary and appropriate, the Parties shall provide reasonable assistance to each other to facilitate the handling of a Personal Data Breach in a timely manner and to comply with their respective obligations under Data Protection Law, including taking steps to assist each other in the investigation, mitigation, remediation, and notification(s) of the breach.
10. Government or Law Enforcement Request for Cloudera Personal Data
If a Party receives a legally binding request, demand, or other order from a government (including judicial) or law enforcement authority for the disclosure of Personal Data, the Party shall not disclose such data requested until required to do so under the applicable procedural rules and shall provide the minimum amount of information permissible when responding to a request for disclosure, based on a reasonable interpretation of the request. The Party shall attempt to redirect the request to the Data Subject(s) or to notify the Data Subject(s) of the request to the extent permitted by applicable law. The Party agrees to preserve and document the information related to the request.
11. Non-Compliance, Termination, and Liability
Each Party shall inform the other Party if it is unable to comply with this DPA, for whatever reason.
If a Party is in violation of its obligations under this DPA or unable to comply with the DPA, the other Party may suspend the Processing under this DPA until that Party complies with the DPA or the DPA is terminated.
A Party shall be entitled to terminate this DPA if:
11.3.1 The Party has suspended the Processing pursuant to 11.2. and if the other Party does not restore compliance with this DPA within a reasonable time and no later than thirty (30) days following suspension;
11.3.2 The other Party is in substantial or persistent breach of this DPA based on documented evidence; or
11.3.3 The other Party fails to comply with a binding decision of an independent competent court or a Data Protection Authority regarding its obligations pursuant to this DPA.
11.4.1 Each Party shall be liable to the other Party for any damages it causes the other Party by any violation of this DPA. Each Party’s (and each of its affiliate’s) liability, taken together in the aggregate, arising out of or related to this DPA, including without limitation under the EU SCCs, whether in contract, tort, or under any other theory of liability, is subject to the limitations and exclusions of liability under the Agreement, and any reference in such section(s) to the liability of a Party means the aggregate liability of that Party and all of its affiliates under the Agreement, this DPA, and the EU SCCs together.
11.4.2 Each Party shall be liable to a Data Subject if it violates the Data Subject’s rights in relation to this DPA and/or under Data Protection Law. The Data Subject shall be entitled to receive compensation, for any material or non-material damages, from the Party that causes(ed) the Data Subject by breaching the Data Subject’s rights under this DPA and/or Data Protection Law, to the extent permitted by Data Protection Law.
11.4.3 Where more than one Party is responsible for any damage caused to the Data Subject as a result of a violation of Data Protection Law in relation to this DPA, all responsible Parties shall be jointly and severally liable and the Data Subject is entitled to bring an action in a competent, independent court against any Party to the extent permitted by Data Protection Law.
11.4.3.1 The Parties agree that if one Party is held liable under paragraph 11.4.3., it shall be entitled to claim back from the other Party that part of the compensation corresponding to its responsibility for the damage.
11.4.4 The liable Party or Party in breach may not invoke the conduct of a Processor or sub-processor to avoid its own liability.
A Party that is in breach of its obligations under this DPA shall indemnify the other Party against any claims by a third party or Data Protection Authority that arise as a result of the breaching Party.
12. General Terms
12.1.1 From time to time, Cloudera may amend this DPA when it reasonably considers amendments to be necessary to address Data Protection Law or guidance or requirements issued by a Data Protection Authority. Cloudera shall publish the updated DPA and, upon its publication, the updated DPA shall supersede and take precedence over the prior DPA.
12.1.2 If Partner has any proposed changes to the DPA required by Data Protection Law, it may notify Cloudera. Upon receipt of such notice, the Parties shall cooperate and negotiate in good faith with a view to agreeing to and implementing the proposed amendments or alternatives, if required and appropriate, as soon as is reasonably practicable. The Parties shall not unreasonably withhold or delay agreement to any consequential variations to this DPA that places a Party at risk of infringing Data Protection Law.
12.2 No Waivers
No failure or delay by a Party to exercise any right or remedy provided under this DPA or by Applicable Law or Data Protection Law shall constitute a waiver of that or any other right or remedy, nor shall it prevent or restrict the further exercise of that or any other remedy. No single or partial exercise of such right or remedy shall prevent or restrict the further exercise of that or any other right or remedy.
In the event of any conflict or contradiction with respect to Processing of Personal Data between this DPA and related agreements, including the Agreement, this DPA shall prevail, except where explicitly agreed otherwise in writing and signed on behalf of both Parties.
In the event of any conflict or inconsistency between this DPA and the EU SCCs, the EU SCCs shall prevail.
This DPA does not and will not establish any joint venture between any of the Parties, constitute any Party the agent of another Party, or authorize any Party to make or enter into any commitments for or on behalf of any other Party.
Should an independent, competent court within a country, jurisdiction, or territory in which the Parties are subject to Data Protection Law deem any provision of this DPA to be invalid or unenforceable, then the remainder of the DPA shall remain valid and in force. The invalid or unenforceable provision shall be either (A) amended as necessary to ensure its validity and enforceability, while preserving the Parties’ intentions as closely as possible; or (B), if this is not possible, construed in a manner as if the invalid or unenforceable part had never been contained therein.
This DPA shall take effect on the date the Parties execute or enter into the Agreement and shall remain in effect for the term of the Agreement, or until terminated by a Party on ninety (90) days’ written notice to the other Party.
14. Governing Law and Jurisdiction
14.1 Governing Law
The laws of the country or territory stipulated in the Agreement shall govern this DPA and all non-contractual or other obligations arising out of or in connection with it.
14.2 Forum and Jurisdiction
The Parties shall submit to the jurisdiction stipulated in the Agreement with respect to any disputes or claims arising out of or in connection with this DPA, including disputes regarding its existence, validity, or termination or the consequences of its nullity.
15. Data Controller - Data Processor Relationship
If the Partner has a direct contractual relationship with a customer or an end-customer that subscribes to Cloudera’s public cloud products (i.e., platform as a service) and said customer requires a data processing agreement between itself and the Partner, the Parties acknowledge that such circumstances may necessitate that the Parties execute a separate data processing addendum, with Partner acting as a Processor and Cloudera acting as a Sub-processor (i.e., the Partner’s Processor). In such a case, the Parties shall cooperate and negotiate in good faith to execute an appropriate data processing addendum.
Exhibit I - List of Parties to this DPA
Address: 5470 Great America Pkwy, Santa Clara, CA 95054 USA
Partner: The Partner signing, entering into, or executing the Agreement
Address: The Partner’s principal place of business or headquarters
Exhibit II - Description of the Data Processing
Categories of Data Subjects
- Employees, Personnel, and/or Staff
- Customers, Clients, and/or End-Customers and their users
- Vendors, Suppliers, and/or Third-party Service Providers
- Prospective Customers and/or Clients (prospects)
- Event or Webinar Audience Members, Attendees, Registrants, and/or Participants
Categories of Personal Data
The categories of Personal Data may include:
- Name: First name and last name
- Business contact information: email, telephone or mobile number, office/mailing/billing address/location
- Professional information: Employer (company) name; Job title, role, position, and/or function
- Other Identifiers: System username; user ID; IP address
- Account Data
Nature and Purpose(s) for which the Personal Data are Processed
- Purpose: To process personal data for purposes of the partner relationship as set forth in the Agreement. The relationship involves, among other things, account creation, administration, and management; business activities necessary to operate the partnership program and manage the partner relationship, including communications; advertising, promotional, marketing, and/or sales related activities; contract or customer relationship management; execution of contracts, completion of business transactions, and performance of contractual obligations; compliance with applicable legal obligations, cooperating with legal and regulatory authorities, and exercising or defending legal claims; internal auditing, research, and development; activities related to product and service quality, enhancement, and improvement; and other relevant legitimate interests and business purposes of the parties.
- Nature: collecting, obtaining, recording, managing, organizing, storing, using, transmitting, disclosing, transferring, and exchanging personal data.
Frequency of the Processing
- As determined by the Parties in accordance with the Agreement
Duration of Processing
The duration of the Data Processing is stipulated in provision 13 of this DPA.
Data Retention Period
The data retention period is set forth in provision 5 of this DPA.
Cloudera affiliates and Processors
The Cloudera affiliates and Processors engaged or involved in the Processing of Personal Data depend on the terms and conditions of the Agreement, any other contractual arrangements made between the Parties, and the geographical location of the Processing. Refer to Cloudera's Authorized Sub-processors and Affiliates for more information.
Exhibit III - Technical & Organizational Measures
In accordance with subsection 4.1 of this DPA, the Parties each agree to implement and maintain technical and organizational measures (“TOMs”) that ensure the security, confidentiality, integrity, and availability of the Personal Data, including protecting such data against a Personal Data Breach. In doing so, the Parties agree to implement and maintain commercially reasonable and accepted industry standards and practices, e.g., ISO 27001 standards, for the protection of personal data.
Cloudera’s Relevant Information Security-related Evidence
- ISO/IEC 27001:2013 Certificate for Information technology — Security techniques — Information security management systems — Requirements
- SOC 2 Type 2 Report on Controls at a Service Organization
- UK Cyber Essentials (cert. No. IASME-CE-040382) and UK Cyber Essentials Plus (cert. No. IASME-CEP-009475)
For more information on Cloudera’s TOMs, refer to Cloudera’s Trust Center.
Exhibit IV - EU Standard Contractual Clauses
By entering into this DPA, the Parties are hereby executing the European Commission Standard Contractual Clauses (“EU SCCs”) as a legally binding contract with respect to any transfer of Personal Data outside of the European Economic Area or the European Union, or otherwise subject to the EU GDPR, to a third country (without an adequacy decision or its equivalent). The Parties agree to the EU SCCs for MODULE ONE: Transfer controller to controller, as follows:
- Depending on the circumstances, (a) Cloudera may be the data exporter and Partner may be the data importer or (b) Cloudera may be the data importer and Partner may be the data exporter.
- The optional Clause 7 [Docking Clause] shall NOT apply.
- For Clause 8.5(b), the technical and organisational measures are set out in Exhibit III of this DPA.
- The optional provision and language in Clause 11(a) [Redress] shall NOT apply.
- For Clause 17 [Governing Law], the laws of the Republic of Ireland shall govern the EU SCCs.
- For Clause 18(b) [Choice of forum and jurisdiction], the courts of the Republic of Ireland shall resolve any disputes arising from these SCCs.
- Annex I.A [List of Parties] is set forth in Exhibit I of this DPA.
- Annex I.B [Description of Transfer] is set forth in Exhibit II of this DPA.
- For Annex I.C, the Competent Supervisory Authority is the Data Protection Commission of the Republic of Ireland in accordance with Clause 13.
- Annex II [Technical and Organisational Measures] is set forth in Exhibit III of this DPA.
- Annex III [List of Sub-Processors]: Not Applicable.
Exhibit V - UK International Data Transfer Addendum
With respect to any transfer of Personal Data outside of the United Kingdom (“UK”) or of Personal Data subject to UK data protection legislation to a third country (without an adequacy decision or its equivalent), the Parties agree that the UK International Data Transfer Addendum (“IDTA”) to the EU SCCs (Version B1.0) issued by the UK Information Commissioner for Parties making Restricted Transfers (as may be amended, updated, or superseded from time to time) shall apply to the EU SCCs in Exhibit IV of this DPA as follows:
Table 1: Parties
The Start Date is the date of the execution of the Agreement.
As set forth in Exhibit I of this DPA.
Table 2: Selected SCCs, Modules and Selected Clauses
Addendum EU SCCs: The version of the Approved EU SCCs to which this IDTA is appended, including the Appendix Information, applies.
Table 3: Appendix Information
Annex 1A: List of Parties: As set forth in Exhibit I of this DPA.
Annex 1B: Description of Transfer: As set forth in Exhibit II of this DPA.
Annex II: Technical and organisational measures: As set forth in Exhibit III of this DPA.
Annex III: List of Sub processors: Not Applicable.
Table 4: Ending this Addendum when the Approved Addendum Changes:
Cloudera, whether acting as the Exporter or Importer, may end this IDTA as set out in Section 19 of the IDTA.
Part 2 of the IDTA is incorporated herein by reference. However, the Alternative Part 2 Mandatory Clauses will not apply, unless legally required.
By entering into this DPA and the EU SCCs in Exhibit IV, the Parties are hereby entering into the UK IDTA as a legally binding contract.
Exhibit VI - Switzerland Data Transfers
With respect to any transfer of Personal Data outside of Switzerland or of Personal Data governed by the Switzerland FADP to a third country (without an adequacy decision or its equivalent), the Parties agree that the EU SCCs in Exhibit IV of this DPA shall apply, subject to the following terms and conditions:
- References: The terms “General Data Protection Regulation” or “Regulation (EU) 2016/679” as utilized in the EU SCCs shall be interpreted to include the FADP.
- Clause 13: Insofar as the Personal Data transfer is solely subject to the FADP, the Federal Data Protection and Information Commissioner (FDPIC) of Switzerland is the exclusive supervisory authority. Insofar as the transfer of Personal Data is governed by both the GDPR and the FADP, the competent supervisory authority with parallel supervision (in accordance with Annex I.C of the EU SCCs) is the FDPIC and the criteria of Clause 13(a) for the selection of the competent authority must be observed for the transfer governed by the GDPR.
- Clause 17: The EU SCCs shall be governed by Swiss law, if the transfer is solely subject to the FADP, or, in other cases, the law of one of the EU Member States, which shall be Ireland.
- Clause 18(b): Disputes arising from the EU SCCs shall be resolved by the courts of Switzerland if the transfer is solely subject to the FADP, or, in other cases, an EU Member State, which shall be Ireland.
- Clause 18(c): The term “Member State” must not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland) in accordance with Clause 18(c) of the EU SCCs.