Cockroach Labs

Data Processing Addendum

This Data Processing Addendum ("DPA") is incorporated into and forms part of the Cockroach Labs SaaS Agreement and/or other applicable agreement between Cockroach Labs, Inc., and Company with respect to use of the Services (the "Agreement"). This DPA sets out the requirements for Cockroach Labs’ processing of Personal Data on behalf of Company for the purposes of providing the Services.

This DPA is effective on the date of the Agreement, unless this DPA is separately executed in which case it is effective on the date of last signature. Each of Cockroach Labs and Company may be referred to as a "party" and together as "parties".

1. Definitions

"Adequate Country" means a country or territory recognised as providing an adequate level of protection for Personal Data under an adequacy decision made, from time to time, by (as applicable) (i) the Information Commissioner's Office and/or under applicable UK law (including the UK GDPR), or (ii) the European Commission under the GDPR.

"Data Protection Laws" means all data protection and privacy laws, including guidance issued by any applicable data protection authority, applicable to any Personal Data, including without limitation:

1. in the European Union, the General Data Protection Regulation 2016/679 (the "GDPR"),
2. in the UK, the UK General Data Protection Regulation 2016/679, as implemented by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 and the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2020 (the "UK GDPR"), the Data Protection Act 2018, and the Privacy and Electronic Communications Directive 2002/58/EC (as the same may be superseded by the Regulation on Privacy and Electronic Communications,("ePrivacy Regulation")),
3. In California, the California Consumer Privacy Act of 2018, Cal. Civ. Code § 1798.100 et seq., as may be amended, including any rules or regulations implementing the foregoing (“CCPA”).

"Data Subject Request" means a request from or on behalf of a data subject to exercise any rights in relation to their Personal Data under Data Protection Laws.

"EEA" means the European Economic Area and Switzerland.

"EU SCCs" means the Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (the approved version of which is available at https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc/standard-contractual-clauses-international-transfers_en, incorporating Module Two for Controller to Processor transfers and Module Three for Processor-to-Processor transfers, and which form part of this DPA in accordance with Schedule 1.

"Personal Data" means all personal data which is uploaded into the Services by Company and accessed, stored or otherwise processed by Cockroach Labs as a processor.

"Security Breach" means any breach of security or other action or inaction leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data by any of Cockroach's staff or sub-processors, or any other identified or unidentified third party;

"Supervisory Authority" means in the UK, the Information Commissioner's Office ("ICO") (and, where applicable, the Secretary of State or the government), and in the EEA, an independent public authority established pursuant to the GDPR.

"UK" means the United Kingdom.

"UK Approved Addendum" means the template Addendum B.1.0 issued by the UK's Information Commissioner's Office and in force on 21 March 2022.

"controller", "data subject", “personal data” and "processor" have the meanings ascribed to them in the Data Protection Laws.

2. Any defined terms which are not defined in this DPA are as defined in the Agreement.

2. Roles & compliance with Data Protection Laws

1. Company is the controller of Personal Data, and Cockroach Labs is the processor of Personal Data.
2. Each party will comply (and will procure that any of its personnel comply and use commercially reasonable efforts to procure that its sub-processors comply), with Data Protection Laws applicable to Personal Data. As between the parties, Company shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which the Personal Data was acquired, such that the processing described hereunder may be lawfully undertaken by Company and Cockroach Labs.

3. Description of Processing

1. Subject Matter of the Processing: Personal Data is the subject matter of the processing under this DPA.
2. Nature and Purposes of the Processing.  The nature and purposes of the processing is the collection, storage, duplication, deletion, analysis and disclosure of Personal Data pursuant to providing the Services to Company and any further instructions by Company in writing.
3. Duration of Processing. Cockroach Labs will process the Personal Data for the duration of the Agreement, or until the processing is no longer necessary for the purposes described in Section 3.2 above.
4. Types of Data. Any Personal Data that Company in its discretion uploads into the Services will be processed under this DPA.
5. Categories of Data Subjects. Data Subjects may include any end users (including without limitation employees, customers, or suppliers) about whom Personal Data is provided to Cockroach Labs via the Services by, or at the direction of, Company.
6. Processing by Cockroach Labs.  Cockroach Labs will only process Personal Data (i) in order to provide the Services to Company or (ii) per Company’s instructions in writing or via the Services.  Cockroach Labs will notify Company (unless prohibited by applicable law) if it is required under applicable law to process Personal Data other than pursuant to Company’s instructions.  As soon as reasonably practicable upon becoming aware, inform the Company if, in Cockroach's opinion, any instructions provided by the Company under clause 3.1 infringe the GDPR or UK GDPR.

4. Technical and Organisational Security Measures

1. Cockroach Labs will implement appropriate technical and organizational measures to ensure a level of security appropriate to the risks that are presented by the processing of Personal Data, in particular protection against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data. Such measures include, without limitation, the security measures set out https://www.cockroachlabs.com/security/.
2. Cockroach Labs will take reasonable steps to ensure that only authorised personnel have access to Personal Data and that any persons whom it authorizes to access the Personal Data are under obligations of confidentiality.

5. Security Breaches, Data Subject Requests & Further Assistance

1. Security Breaches. Cockroach Labs will notify Company of any Security Breach without undue delay, and will promptly provide Company with all reasonable information in Cockroach Labs' possession concerning the Security Breach insofar as it affects Company. Cockroach Labs notification of any Security Breach shall not be construed as admission by Cockroach Labs of any fault or liability with respect to the Security Breach.  
2. Data Subject Requests. Cockroach Labs will promptly notify Company if it receives a Data Subject Request.  Cockroach Labs will not respond to a Data Subject Request, provided that Company agrees Cockroach Labs may at its discretion respond to confirm that such request relates to Company. Company acknowledges and agrees that the Services include features which will allow Company to manage Data Subject Requests directly through the Services without additional assistance from Cockroach Labs. If Company does not have the ability to address a Data Subject Request, Cockroach Labs will, upon Company’s written request, provide reasonable assistance to facilitate Company’s response to the Data Subject Request to the extent such assistance is consistent with applicable law; provided that Company will be responsible for paying for any costs incurred or fees charged by Cockroach Labs for providing such assistance.
3. Further Assistance. Taking into account the nature of processing and the information available to Cockroach Labs, Cockroach Labs will provide such assistance as Company reasonably requests logged through the means provided by Cockroach Labs for such purposes in relation to Company’s obligations under Data Protection Laws with respect to (i) data protection impact assessments, (ii) notifications to the Supervisory Authority under Data Protection Laws and/or communications to data subjects by the Company in response to a Security Breach, or (iii) Company’s compliance with its obligations under the GDPR or UK GDPR (as applicable) with respect to the security of processing. Company will pay any costs or fees charged by Cockroach Labs for providing the assistance in this Section 5.3.

6. Sub-processing

1. Company grants a general authorisation to Cockroach Labs to appoint its Affiliates or third parties as sub-processors to support the performance of the Services, including data centre operators, cloud-based software providers, and other outsourced support and service providers. Cockroach Labs will maintain a list of sub-processors through the following URL: https://cockroachlabs.com/cloud-terms-and-conditions/data-processing-addendum/cockroach-labs-sub-processors and will add the names of new and replacement sub-processors to the list thirty (30) days prior to them starting sub-processing of Personal Data. Company may subscribe to updates to this list and Cockroach Labs will consider any of Company’s reasonable objections to a new sub-processor. If Company has a reasonable objection to any new or replacement sub-processor and there is no option available for Company to utilize the Services without use of that sub-processor, Company's sole and exclusive remedy is to cease using the Services to which the proposed new sub-processor's processing of Personal Data relates or would relate, or, if that is not reasonably practicable, to terminate this Agreement, without refund for any prepaid fees, by providing written notice to Cockroach Labs.
2. Cockroach Labs will enter into a written contract with each sub-processor which imposes on such sub-processor terms no less protective of Personal Data than those imposed on Cockroach Labs in this DPA, subject to the standard data processing terms sub-processors may impose on Cockroach Labs (the "Relevant Terms"). Cockroach Labs shall be liable to Company for any breach by such sub-processor of any of the Relevant Terms to the extent required under Data Protection Law.

7. International Transfers

1. Data Transfers. Personal Data will only be stored in the geographic locations that Company specifies through the Services, and Company is solely responsible for any transfers of Personal Data that result from Company making changes to where Personal Data is stored within the Services. Additionally, Company agrees that its use of the Services may involve the transfer of Personal Data to, and processing of Personal Data in, locations outside of the UK and/or EEA from time to time, such as for purposes of providing support to Company, including processing in the United States.       
2. For all such transfers, Cockroach Labs is the 'data importer' and will comply with the obligations of the 'data importer' accordingly and Company is the data exporter and will comply with the obligations of the 'data exporter' accordingly.
3. UK transfers: To the extent Personal Data is transferred to Cockroach Labs and processed by or on behalf of Cockroach Labs outside the UK (except if in an Adequate Country) in circumstances where such transfer would be prohibited by UK GDPR in the absence of a transfer mechanism, the parties agree that the EU SCCs subject to the UK Approved Addendum will apply.

1. The UK Approved Addendum is incorporated into this DPA, and shall apply as follows:

1. the information required for Table 1 is as set out in Schedule 1 of this DPA and the start date shall be deemed dated the same date as the EU SCCs;

5. in relation to Table 2, the version of the EU SCCs to which the UK Approved Addendum applies is Module Two for Controller to Processor or Module Three for Processor to Processor;

6. in relation to Table 3, the list of parties and the description of the transfer are as set out in is set out in Schedule 1 of this DPA, and Cockroach Lab's technical and organisational measures are set out in clause 4 of this DPA, and the list of Cockroach Lab's sub-processors shall be provided pursuant to clause 6.1 of this DPA; and

7. in relation to Table 4, neither party will be entitled to terminate the UK Approved Addendum in accordance with clause 19 of the UK Approved Addendum.

5. EU transfers: To the extent Personal Data is transferred to Cockroach Labs and processed by or on behalf of Cockroach Labs outside the EEA (except if in an Adequate Country) in circumstances where such transfer would be prohibited by the EU GDPR in the absence of a transfer mechanism the parties agree that the EU SCCs  will apply in respect of that processing and are incorporated into this DPA.

6. The EU SCCs shall apply as follows:

1. Module Two will apply to the extent that Company is a controller of the Personal Data, and Module Three will apply to the extent that Company is itself a processor of the Personal Data on behalf of a customer;
2. Clause 5 (Docking Clause) of Section 1 shall apply;
3. Cockroach will comply with clause 8.6(c) of the EU SCCs as set out in, and subject to the requirements of, clause 5.1 of this DPA;
4. Company may exercise its right of audit under clause 8.9 of the EU SCCs as set out in, and subject to the requirements of, clause 8 of this DPA.
5. The second paragraph of Clause 11(a) (Redress) of Section II (relating to an independent dispute resolution body) shall not apply;
6. Option 2 of Clause 9(a) (general authorisation of sub-processors) shall apply in relation to Company's authorisation of the use of Sub-processors and Cockroach shall notify the Company writing of any intended changes to that list through the addition or replacement of sub-processors in accordance with clause 6.1 of this DPA, including the advance notification time period specified therein. If the Company objects to a change under clause 9(a) of the EU SCCs, Company's only remedy shall be as set out in clause 6.1 of this DPA.
7. Cockroach Labs may provide copies of sub-processor agreements (as amended) under clause 9(c) of the EU SCCs by providing Company with a hyperlink to such information.
8. Clause 13(a) (Supervision) of Section II shall apply as follows:

1. Where the data exporter is established in the EU, clause 13(a) shall apply as follows:

"the supervisory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 as regards the data transfer, as indicated in Annex I.C shall act as competent supervisory authority"

2. Where the data exporter is established outside of the EU but within the extraterritorial scope of the GDPR and has appointed an EU Representative, clause 13(a) shall apply as follows:

"The supervisory authority of the Member State in which the representative within the meaning of Article 27(1) of Regulation (EU) 2016/679 is established, as indicated in Annex I.C shall act as competent supervisory authority"

3. Where the data exporter is established outside of the EU but within the extraterritorial scope of the GDPR, but is not required to appoint an EU Representative , clause 13(a) shall apply as follows:

"The supervisory authority of one of the Member States in which the data subjects whose personal data is transferred under these clauses in relation to the offering of goods or services to them, or whose behaviour is monitored, are located, as indicated in Annex I.C, shall act as competent supervisory authority."

9. Clause 17 (Governing Law) of Section IV shall apply as follows:

These Clauses shall be governed by the law of one of the EU Member States, provided such law allows for third party beneficiary rights. The Parties agree that this shall be the law of the Republic of Ireland.

10. Clause 18(b) (Choice of forum and jurisdiction) of Section IV shall be apply as  follows:

"The Parties agree that those shall be the courts of the Republic of Ireland.

11. Annex I of the EU Clauses shall be deemed completed with the information set out at Schedule 1 to this DPA

7. Cockroach Labs may (i) replace the UK Approved Addendum or the EU SCCs generally or in respect of the UK and/or the EEA only (as appropriate) with any alternative or replacement transfer mechanism in compliance with applicable Data Protection Laws, including any standard contractual clauses or addendum approved by an applicable Supervisory Authority. And (ii) make reasonably necessary changes to this clause 7 by notifying Company of the new transfer mechanism or content of the new standard contractual clauses (provided their content is in compliance with the relevant decision or approval), as applicable.

8. Audit and Records

1. Cockroach Labs will, subject to the confidentiality terms in the Agreement, provide Company such information in Cockroach Labs’ possession or control as may be necessary to demonstrate compliance with its obligations under this DPA or in order to respond to requests from an applicable Supervisory Authority. Company agrees to thoroughly review and provide due consideration to such third-party certifications, audits or reports (such as ISO 27001, SSAE 16 II, SOC1, or SOC2) as Cockroach Labs may provide in order to demonstrate its compliance with its obligations under this DPA before making any request for additional information or inspection hereunder.    

9. Deletion or Return of Data

1. Upon termination of this Agreement, Cockroach Labs will delete the Personal Data as soon as reasonably practicable and no later than thirty (30) days following such termination and Company may download the Personal Data any time prior to it being deleted. Notwithstanding the foregoing, Cockroach Labs may retain Personal Data beyond termination solely if, and for so long as, such Personal Data must be retained in order to comply with applicable law.

10. CCPA

1. In this clause 10 the terms “personal information,” “service provider,” “sale,” and “sell”, as used in this clause 10, are as defined in Section 1798.140 of the CCPA. The parties acknowledge and agree that Cockroach Labs is a service provider for the purposes of the CCPA. Cockroach Labs shall not sell any personal information received from Company that is subject to the CCPA and will not retain, use or disclose any such personal information except as necessary for the specific purpose of performing the Services as set forth in the Agreement with Company, or otherwise as set forth in the Agreement or permitted by the CCPA.  Cockroach Labs certifies that it understands the rules, restrictions, requirements and definitions of the CCPA.

11. General

1. Conflicts. This DPA is without prejudice to the rights and obligations of the parties under the Agreement which shall continue to have full force and effect. In the event of any conflict between the terms of this DPA and the terms of the Agreement, the terms (including definitions) of this DPA shall prevail so far as the subject matter concerns the processing of Personal Data. This DPA sets out all of the terms that have been agreed between the parties in relation to the subjects covered by it. Other than in respect of statements made fraudulently, no other representations or terms shall apply or form part of this DPA.
2. Limitation of Liability. Cockroach's maximum aggregate liability to Company under or in connection with this DPA shall not under any circumstances exceed the maximum aggregate liability of Cockroach Labs to the Company as set out in the Agreement. Nothing in this DPA will limit Cockroach's liability in respect of personal injury or death in negligence or for any other liability or loss which may not be limited by agreement under applicable law.
3. Rights of third parties excluded: A person who is not a party to this DPA shall not have any rights under the Contracts (Rights of Third Parties) Act 1999 or otherwise to enforce any term of this DPA.
4. Governing Law; Venue. Without prejudice to the provisions of the UK Approved Addendum or the EU SCCs addressing the law which governs them, this DPA shall be governed by and construed in accordance with the laws which govern the Agreement and the venue(s) for disputes and claims under the Agreement shall also apply to disputes and claims under this DPA.

[The remainder of this page is intentionally left blank]

IN WITNESS WHEREOF, the parties hereto have executed this DPA as a sealed instrument, effective as of the date and year of the last signature indicated below.

1.  EU SCCs (Annexes)

COMMISSION IMPLEMENTING DECISION (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council

ANNEX I

A.   LIST OF PARTIES

MODULE TWO: Transfer controller to processor

MODULE THREE: Transfer processor to processor (as applicable)

Data exporter(s): 

Data importer(s): 

B.   DESCRIPTION OF TRANSFER

MODULE TWO: Transfer controller to processor

MODULE THREE: Transfer processor to processor  (as applicable)

Clause 3 of the DPA describes the categories of data subjects, categories of personal data, special categories of data, processing operations, purposes of the transfer and the retention period (subject always to the restrictions on data categories in the Agreement).

Categories of data subjects whose personal data is transferred:

• The categories of data subjects are as described in clause 3.5 of the DPA.

Categories of personal data transferred:

• The categories of personal data are as described in clause 3.4 of the DPA

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures:

• The categories of special category personal data are as described in clause 3.4 of the DPA (subject always to the restrictions on data categories in the Agreement)

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis):

• The transfer will occur on a continuous basis throughout the duration of the Agreement.

Nature of the processing:

• The nature of the processing is as described in clause 3.2 of the DPA

Purpose(s) of the data transfer and further processing:

• The purpose of the processing is as described in clause 3.2 of the DPA

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period:

• The period of the processing is as described in clause 3.3 of the DPA

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing:

• The subject matter, nature and duration of the data importer's transfers to sub-processors are as set out at https://cockroachlabs.com/cloud-terms-and-conditions/data-processing-addendum/cockroach-labs-sub-processors.

C.   COMPETENT SUPERVISORY AUTHORITY

MODULE TWO: Transfer controller to processor

MODULE THREE: Transfer processor to processor (as applicable)

Identify the competent supervisory authority/ies in accordance with Clause 13

• The supervisory authority as determined by clause 7.6(h) of the DPA, and which may be found at: https://edpb.europa.eu/about-edpb/about-edpb/members_en.

  ---

ANNEX II

TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

MODULE TWO: Transfer controller to processor

MODULE THREE: Transfer processor to processor (as applicable)

EXPLANATORY NOTE:

The technical and organisational measures must be described in specific (and not generic) terms. See also the general comment on the first page of the Appendix, in particular on the need to clearly indicate which measures apply to each transfer/set of transfers.

• Cockroach Labs, Inc., ("Cockroach" or "Cockroach Labs") will comply with the security policy and requirements for its managed services offering, available at https://www.cockroachlabs.com/security/, as amended from time to time (as also referred to in clause 4.1 of the DPA, set out Cockroach Labs' technical and organisational security measures).