This Data Processing Addendum (this “Addendum”) reflects the parties’ agreement with respect to the Processing of Customer Personal Data by Fermyon on your behalf under the Services Agreement available at www.fermyon.com/online-services-agreement (the “Agreement”).
This Addendum supplements and forms part of the Agreement and is effective upon its incorporation into the Agreement (the “Addendum Effective Date”), as specified in the Agreement. The following obligations shall only apply to the extent required by Data Protection Laws with regard to the relevant Customer Personal Data, if applicable.
Capitalized terms used in this Addendum shall have the meanings set forth in this Addendum. Capitalized terms used but not otherwise defined herein shall have the meanings given to them in the Agreement. Except as expressly modified below, the terms of the Agreement shall remain in full force and effect.
-
DEFINITIONS
1.1 “Controller” means an entity that determines the purposes and means of the Processing of Personal Data.
1.2 “Customer Personal Data” means Personal Data Processed by Fermyon on your behalf to perform the Services under the Agreement.
1.3 “Data Protection Laws” means the data privacy and security laws and regulations of any jurisdiction applicable to the Processing of Customer Personal Data, including, in each case to the extent applicable, European Data Protection Laws and United States Data Protection Laws.
1.4 “Data Subject” means the identified or identifiable natural person who is the subject of Personal Data.
1.5 “European Data Protection Laws” means, in each case to the extent applicable: (a) the EU General Data Protection Regulation 2016/679 (“GDPR”); (b) the GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 (“UK GDPR”), the Data Protection Act of 2018, and all other laws relating to data protection, the processing of personal data, privacy, or electronic communications in force from time to time in the United Kingdom (collectively, “UK Data Protection Laws”); (c) the Swiss Federal Act on Data Protection (“Swiss FADP”); and (d) any other applicable law, rule, or regulation related to the protection of Customer Personal Data in the European Economic Area, United Kingdom, or Switzerland that is already in force or that will come into force during the term of this Addendum.
1.6 “Personal Data” means information that constitutes “personal information,” “personal data,” “personally identifiable information,” or similar term under Data Protection Laws.
1.7 “Process” means any operation or set of operations performed upon Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, alignment, combination, restriction, erasure, destruction or disclosure by transmission, dissemination or otherwise making available.
1.8 “Processor” means an entity that Processes Personal Data on behalf of a Controller.
1.9 “Security Incident” means a breach of Fermyon’s security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data in Fermyon’s possession, custody, or control. “Security Incident” does not include unsuccessful attempts or activities that do not compromise the security of Customer Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, or other network attacks on firewalls or networked systems.
1.10 “Services” means the services that Fermyon has agreed to provide to you under the Agreement.
1.11 “Standard Contractual Clauses” means, as applicable, Module Two (Transfer controller to processor) or Module Three (Transfer processor to processor) of the standard contractual clauses approved by the European Commission’s implementing decision (C(2021)3972) of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/678 or the European Parliament and of the Council (available at: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?uri=CELEX:32021D0914&locale=en, as supplemented or modified by Appendix 3.
1.12 “Subprocessor” means any Processor appointed by Fermyon to Process Customer Personal Data on behalf of you under the Agreement.
1.13 “Supervisory Authority” means an independent competent public authority established or recognized under Data Protection Laws.
1.14 “United States Data Protection Laws” means, in each case to the extent applicable: (a) the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020, when effective, and its implementing regulations (collectively, “CCPA”); (b) the Virginia Consumer Data Protection Act (“VCPDA”), when effective; (c) the Colorado Privacy Act and its implementing regulations (“CPA”), when effective; (d) the Utah Consumer Privacy Act (“UCPA”), when effective; (e) Connecticut SB6, An Act Concerning Personal Data Privacy and Online Monitoring (“CTDPA”); and (f) any other applicable law or regulation related to the protection of Customer Personal Data in the United States that is already in force or that will come into force during the term of this Addendum.
-
PROCESSING OF CUSTOMER PERSONAL DATA.
2.1 Roles of the Parties; Compliance. The parties acknowledge and agree that, as between the parties, with regard to the Processing of Customer Personal Data under the Agreement, you are a Controller and Fermyon is a Processor. In some circumstances, the parties acknowledge that you may be acting as a Processor to a third-party Controller in respect of Customer Personal Data, in which case Fermyon will remain a Processor with respect to you in such event. Each party will comply with the obligations applicable to it in such role under Data Protection Laws with respect to the Processing of Customer Personal Data.
2.2 Your Instructions. Fermyon will Process Customer Personal Data only in accordance with your documented instructions unless otherwise required by applicable law, in which case Fermyon will inform you of such Processing unless notification is prohibited by applicable law. You hereby instruct Fermyon to Process Customer Personal Data: (a) to provide the Services; (b) to perform its obligations and exercise its rights under the Agreement and this Addendum; and (c) as necessary to prevent or address technical problems with the Services. We will notify you if, in our opinion, your instructions infringe upon Data Protection Laws. Your instructions for the Processing of Customer Personal Data shall comply with Data Protection Laws. You shall be responsible for: (i) giving adequate notice and making all appropriate disclosures to Data Subjects regarding your use and disclosure and our Processing of Customer Personal Data; and (ii) obtaining all necessary rights, and, where applicable, all appropriate and valid consents to disclose such Customer Personal Data to us to permit the Processing of such Customer Personal Data by us for the purposes of performing our obligations under the Agreement or as may be required by Data Protection Laws. You shall notify us of any changes in, or revocation of, the permission to use, disclose, or otherwise Process Customer Personal Data that would impact our ability to comply with the Agreement, this Addendum, or Data Protection Laws.
2.3. Details of Processing. The parties acknowledge and agree that the nature and purpose of the Processing of Customer Personal Data, the types of Customer Personal Data Processed, the categories of Data Subjects, and other details regarding the Processing of Customer Personal Data are as set forth in Appendix 1.
2.4 Processing Subject to the CCPA. As used in this Section 2.4, the terms “Sell,” “Share,” “Business Purpose,” and “Commercial Purpose” shall have the meanings given in the CCPA and “Personal Information” shall mean any personal information (as defined in the CCPA) contained in Customer Personal Data. Fermyon will not: (a) Sell or Share any Personal Information; (b) retain, use, or disclose any Personal Information (i) for any purpose other than for the Business Purposes specified in the Agreement, including for any Commercial Purpose other than the Business Purposes specified in the Agreement, or as otherwise permitted by the CCPA, or (ii) outside of the direct business relationship between you and Fermyon; or (c) combine Personal Information received from, or on behalf of, you with Personal Data received from or on behalf of any third party, or collected from our own interaction with Data Subjects, except to perform any Business Purpose permitted by the CCPA. Fermyon hereby certifies that it understands the foregoing restrictions under this Section 2.4 and will comply with them. The parties acknowledge that the Personal Information you disclose to Fermyon is provided to Fermyon only for the limited and specified purposes set forth in Appendix 1. Fermyon will comply with applicable obligations under the CCPA and provide the same level of privacy protection to Personal Information as is required by the CCPA. You have the right to take reasonable and appropriate steps to help ensure that Fermyon uses the Personal Information transferred in a manner consistent with your obligations under the CCPA by exercising your audit rights in Section 8. We will notify you if we make a determination that we can no longer meet our obligations under the CCPA. If we notify you of unauthorized use of Personal Information, including under the foregoing sentence, you will have the right to take reasonable and appropriate steps to stop and remediate such unauthorized use by limiting the Personal Information shared with us, terminating the portion of the Agreement relevant to such unauthorized use, or such other steps mutually agreed between the parties in writing.
-
CONFIDENTIALITY. Fermyon shall take reasonable steps to ensure that our personnel who Process Customer Personal Data are subject to obligations of confidentiality or are under an appropriate statutory obligation of confidentiality with respect to such Customer Personal Data.
-
SECURITY.
4.1 Security Measures. Taking into account the state of the art, the costs of implementation and the nature, scope, context, and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Fermyon shall implement appropriate technical and organizational measures designed to ensure a level of security appropriate to the risk, in accordance with the security standards in Appendix 2 (the “Security Measures”). You acknowledge that the Security Measures may be updated from time to time to reflect process improvements or changing practices, provided that the modifications will not materially decrease Fermyon’s security obligations hereunder.
4.2. Security Incidents. Upon becoming aware of a confirmed Security Incident, Fermyon will: (a) notify you of the Security Incident without undue delay after becoming aware of the Security Incident; and (b) take reasonable steps to identify the cause of such Security Incident, minimize harm, and prevent a recurrence. Fermyon will take reasonable steps to provide you with information available to us that you may reasonably require to comply with its obligations under Data Protection Laws. Fermyon’s notification of or response to a Security Incident under this Section 4.2 will not be construed as an acknowledgement by Fermyon of any fault or liability with respect to the Security Incident.
4.3 Your Responsibilities. You agree that, without limitation of Fermyon’s obligations under this Section 4, you are solely responsible for your use of the Services, including: (a) making appropriate use of the Services to ensure a level of security appropriate to the risk in respect of the Customer Personal Data; and (b) securing any account authentication credentials, systems, and devices you use to access or connect to the Services, where applicable. You are responsible for reviewing the information made available by Fermyon relating to data security and making an independent determination as to whether the Services meet your requirements and legal obligations under Data Protection Laws.
-
SUBPROCESSING. Subject to the requirements of this Section 5, you generally authorize Fermyon to engage Subprocessors as we consider reasonably appropriate for the Processing of Customer Personal Data. A list of Fermyon’s Subprocessors is available at https://www.fermyon.com/sub-processors (the “Subprocessor List”) and may be updated by Fermyon from time to time in accordance with this Section 5. If you subscribe for updates to the Subprocessor List (via the RSS feed towards the bottom of this page), you will be informed of the addition or replacement of any Subprocessor at least ten (10) days prior to such engagement. You may object to such changes on reasonable data protection grounds by providing Fermyon written notice of such objection within ten (10) days. Upon receiving such an objection, where practicable and at Fermyon’s sole discretion Fermyon will use commercially reasonable efforts to: (a) work with you in good faith to make available a commercially reasonable change in the provision of the Services which avoids the use of that proposed Subprocessor; or (b) take corrective steps that you request in your objection and proceed to use the new Subprocessor. If Fermyon informs you that such change or corrective steps cannot be made, you may, as your sole and exclusive remedy available under this Section 5, terminate the relevant portion of the Agreement involving the Services which require the use of the proposed Subprocessor by providing written notice to Fermyon. When engaging any Subprocessor, Fermyon will enter into a written contract with such Subprocessor containing data protection obligations not less protective than those in this Addendum. Fermyon shall be liable for the acts and omissions of the Subprocessor to the extent Fermyon would be liable under the Agreement and this Addendum.
-
DATA SUBJECT RIGHTS. Fermyon will, taking into account the nature of the Processing of Customer Personal Data and the functionality of the Services, provide reasonable assistance to you by appropriate technical and organizational measures, insofar as this is possible, as necessary for you to fulfill your obligations under Data Protection Laws to respond to requests by Data Subjects to exercise their rights under Data Protection Laws. Fermyon reserves the right to charge you on a time and materials basis in the event that Fermyon considers that such assistance is onerous, complex, frequent, or time consuming. If Fermyon receives a request from a Data Subject under any Data Protection Laws with respect to Customer Personal Data, Fermyon will advise the Data Subject to submit the request to you and you will be responsible for responding to any such request.
-
ASSESSMENTS AND PRIOR CONSULTATIONS. In the event that Data Protection Laws require you to conduct a data protection impact assessment, transfer impact assessment, or prior consultation with a Supervisory Authority in connection with Fermyon’s Processing of Customer Personal Data, following written request from you, Fermyon shall use reasonable commercial efforts to provide you with relevant information and assistance to fulfill such request, taking into account the nature of Fermyon’s Processing of Customer Personal Data and information available to Fermyon. Fermyon reserves the right to charge you on a time and materials basis in the event that Fermyon considers that such assistance is onerous, complex, frequent, or time consuming.
-
RELEVANT RECORDS AND AUDIT RIGHTS.
8.1 Review of Information and Records. Upon your reasonable written request, Fermyon will make available to you all information in Fermyon’s possession reasonably necessary to demonstrate Fermyon’s compliance with Data Protection Laws and Fermyon’s obligations set out in this Addendum. Such information will be made available to you no more than once per calendar year and subject to the confidentiality obligations of the Agreement or a mutually-agreed non-disclosure agreement.
8.2 Audits. If you require information for your compliance with Data Protection Laws in addition to the information provided under Section 8.1, at your sole expense and to the extent you are unable to access the additional information on your own, Fermyon will allow for, cooperate with, and contribute to reasonable assessments and audits, including inspections, by you or your mandated auditor (“Mandated Auditor”), provided that (a) you provide Fermyon with reasonable advance written notice of any audit request and the parties mutually agree upon a reasonable audit plan, which will include the anticipated date of the audit, the proposed scope of the audit, and the identity of any Mandated Auditor, which shall not be a competitor of Fermyon; (b) you will be responsible for all costs, expenses, and fees associated with any assessment, audit, or inspection; (c) the audit is conducted during normal business hours and in a manner that does not have any adverse impact on Fermyon’s normal business operations; (d) you and any Mandated Auditor comply with Fermyon’s standard safety, confidentiality, and security policies or procedures in conducting any such audits; (e) any records, data, or information accessed by you or any Mandated Auditor in the performance of any such audit, or any results of any such audit, will be deemed to be the Confidential Information of Fermyon and subject to a nondisclosure agreement to be provided by Fermyon; and (f) you may initiate such audit not more than once per calendar year unless otherwise required by a Supervisory Authority or Data Protection Laws.
8.3 Results of Audits. You shall promptly notify Fermyon of any non-compliance discovered during the course of an audit and provide Fermyon any reports generated in connection with any audit under this Section, unless prohibited by Data Protection Laws or otherwise instructed by a Supervisory Authority. You may use the audit reports solely for the purposes of meeting your audit requirements under Data Protection Laws to confirm that Fermyon’s Processing of Customer Personal Data complies with this Addendum.
-
DATA TRANSFERS.
9.1 Data Processing Facilities. Fermyon may, subject to Sections 9.2 and 9.3, Process Customer Personal Data in the United States or anywhere Fermyon or its Subprocessors maintains facilities. You are responsible for ensuring that your use of the Services complies with any cross-border data transfer restrictions of Data Protection Laws.
9.2 European Transfers. If you transfer Customer Personal Data to Fermyon that is subject to European Data Protection Laws, and such transfer is not subject to an alternative adequate transfer mechanism under European Data Protection Laws or otherwise exempt from cross-border transfer restrictions, then you (as “data exporter”) and Fermyon (as “data importer”) agree that the applicable terms of the Standard Contractual Clauses shall apply to and govern such transfer and are hereby incorporated herein by reference. In furtherance of the foregoing, the parties agree that: (a) the execution of this Addendum shall constitute execution of the applicable Standard Contractual Clauses as of the Addendum Effective Date; (b) the relevant selections, terms, and modifications set forth in Appendix 3 shall apply, as applicable; and (c) the Standard Contractual Clauses shall automatically terminate once the Customer Personal Data transfer governed thereby becomes lawful under European Data Protection Laws in the absence of such Standard Contractual Clauses on any other basis.
9.3 Other Jurisdictions. If you transfer Customer Personal Data to Fermyon that is subject to Data Protection Laws other than European Data Protection Laws which require the parties to enter into standard contractual clauses to ensure the protection of the transferred Customer Personal Data, and the transfer is not subject to an alternative adequate transfer mechanism under Data Protection Laws or otherwise exempt from cross-border transfer restrictions, then the parties agree that the applicable terms of any standard contractual clauses approved or adopted by the relevant Supervisory Authority pursuant to such Data Protection Laws shall automatically apply to such transfer and, where applicable, shall be completed on a mutatis mutandis basis to the completion of the Standard Contractual Clauses as described in Section 9.2.
-
DELETION OR RETURN OF CUSTOMER PERSONAL DATA. Following termination or expiration of the Agreement, Fermyon shall, at your option, delete or return Customer Personal Data and all copies to you, except as required by applicable law. If Fermyon retains Customer Personal Data pursuant to applicable law, Fermyon agrees that all such Customer Personal Data will continue to be protected in accordance with this Addendum.
-
GENERAL TERMS. This Addendum will, notwithstanding the expiration or termination of the Agreement, remain in effect until, and automatically expire upon, Fermyon’s deletion or return of all Customer Personal Data. Should any provision of this Addendum be invalid or unenforceable, then the remainder of this Addendum shall remain valid and in force. The invalid or unenforceable provision shall be either (a) amended as necessary to ensure its validity and enforceability, while preserving the intent of the provision as closely as possible; or, if this is not possible, (b) construed in a manner as if the invalid or unenforceable part had never been contained therein. To the extent of any conflict or inconsistency between this Addendum and the other terms of the Agreement in relation to the Processing of Customer Personal Data, this Addendum will govern. Unless otherwise expressly stated herein, the parties will provide notices under this Addendum in accordance with the Agreement, provided that all such notices may be sent via email. Any liabilities arising in respect of this Addendum are subject to the limitations of liability under the Agreement. This Addendum will be governed by and construed in accordance with the governing law and jurisdiction provisions in the Agreement, unless required otherwise by Data Protection Laws.
The subject matter and duration of the Processing are as described in the Agreement and the Addendum.
The nature and purpose of the Processing are those activities reasonably required to facilitate or support the provision of the Services as described in the Agreement and the Addendum, specifically including Fermyon’s provision of its cloud-native WebAssembly microservices execution service, and such other services as may be incorporated into Fermyon’s proprietary platform from time to time under the Agreement.
The categories of Data Subjects shall be as is contemplated or related to the Processing described in the Agreement, and may include your own customers, end users or other individuals whose Personal Data is Processed by Fermyon via provision of the Services at your instructions pursuant to the Agreement.
The categories of Customer Personal Data Processed are those categories contemplated in and permitted by Agreement, and may include such data as you upload or otherwise Process via Fermyon’s provision of the Services at your instructions pursuant to the Agreement.
The special or sensitive categories of Customer Personal Data Processed are those categories contemplated in and permitted by Agreement, and may include such data as you upload or otherwise Process via Fermyon’s provision of the Services at your instructions pursuant to the Agreement.
On a continuous basis for the term of the Agreement.
As set forth in the Addendum or the Agreement.
As set forth above.