DATA PROCESSING AGREEMENT
The Customer has subscribed to any of the products offered by CNTXT (including SaaS products) (“Subscription Items”) and/or ordered performance of professional services and/or support services and/or consultancy services related to the Subscription Items (collectively “Services”) from CNTXT. The Customer is also referred to as the "Controller" and CNTXT as the "Processor".
This Data Processing Agreement is an integrated part of the Google Cloud Reseller Agreement, Collaboration and Services Agreement, Master Service Agreement, and/or such other agreement entered into between the Controller and Processor pertaining to the subscription to the Subscription Items and/or performance by CNTXT of Services (the “Agreement”). Any capitalized terms not specifically defined in this Data Processing Agreement shall have the meaning as set forth in the Agreement.
This Data Processing Agreement is subject to the Saudi Arabian Personal Data Protection Law including all implementing regulations made under it, (collectively, the “PDPL”), and the Applicable Laws of the Kingdom of Saudi Arabia, including the Cloud Computing Services Provisioning Regulation.
To the extent European Data Protection Legislation applies to CNTXT’s processing of any personal data, then CNTXT is processor, and Customer is the controller of any personal data (as the terms “controller”, “processor” and “personal data” have the meaning given in the European Data Protection Legislation) and CNTXT and Customer shall enter into an amendment to this Data Processing Agreement that complies with the requirements set out in Appendix 2 to this Data Processing Agreement.
In this Data Processing Agreement:
- the Controller shall be a “controller” for the purposes of the PDPL;
- the Processor shall be a “processor” for the purposes of the PDPL;
- "Personal Data" has the meaning given to the term “personal data” in the PDPL;
- “Competent Authority” means the relevant authority for regulation of the PDPL;
- “Data Subject” has the meaning given to the term “data subject” in the PDPL;
- "Processing" has the meaning given to that word in the PDPL, and its cognates shall be construed accordingly;
- “Sub-processor” means a third party engaged by the Processor for carrying out Processing activities on behalf of the Processor; and
- “European Data Protection Legislation” means, as applicable, (a) any national provisions adopted pursuant to Directive 95/46/EC of the European Parliament and of the Council on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data; (b) the Federal Data Protection Act of 19 June 1992 (Switzerland); (c) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“GDPR”); and/or (d) any other data protection or privacy legislation in force in the EEA or Switzerland.
The Processor’s provision of the Subscription Items and Services may include the Processing of Personal Data on behalf of the Controller.
In accordance with the PDPL, the obligations of the Processor are set out in this Data Processing Agreement.
If Customer has entered into an agreement with a reseller or another party offering Subscription Items or Services from CNTXT, such reseller shall be referred to as the “Processor” and CNTXT, to the extent CNTXT acts as a Sub-processor, shall be referred to as “Sub-processor” for the purpose of this Data Processing Agreement. To the extent applicable, Customer hereby agrees to the engagement of CNTXT as Sub-processor and then this Data Processing Agreement applies equally between reseller as Processor and CNTXT as Sub-processor.
1. SCOPE OF DATA PROCESSING
This Data Processing Agreement governs and defines the legal limits of the Processor’s Processing of Personal Data on behalf of the Controller. The limits and obligations set out in this Data Processing Agreement shall be in addition to those imposed by Applicable Laws of the Kingdom of Saudi Arabia, including the PDPL.
The details of the Processor’s Processing of Personal Data are set out in Appendix 1 to this Data Processing Agreement.
The Controller acknowledges that the Processor may Process Personal Data relating to the operation, support, or use of the Subscription Items for its own business purposes, such as billing, account management, data analysis, benchmarking, technical support, product development, and compliance with law. The Processor is the Controller for such Processing and will Process such data in accordance with PDPL and the Processor’s privacy policy.
2. THE CONTROLLER'S OBLIGATIONS
The Controller confirms that:
- to the extent Controller wishes to purchase Subscription Items or Services, it consents to the Processor having access to and Processing its information (including Personal Data and other sensitive or confidential information) to the extent necessary for the provision of the Subscription Items and the Services;
- Processing of Personal Data is permitted and in accordance with PDPL;
- it has established and will maintain an appropriate legal basis for the Processing of Personal Data to be conducted by the Processor;
- the Controller is responsible for the legality of transfer of Personal Data to the Processor;
- the Controller is responsible for the accuracy, integrity, content, reliability and legality of the Personal Data being Processed; and
- the Controller has provided all necessary notifications and information to the Data Subject in accordance with PDPL.
3. THE PROCESSOR'S OBLIGATIONS
The Processor shall Process Personal Data on behalf of the Controller in accordance with the obligations set out in this Data Processing Agreement and specifically in accordance with written instructions from the Controller (including to the extent contained in the Agreement), as stipulated by the PDPL. At minimum, the Processor shall, with respect to all Personal Data that it Processes on Customer’s behalf:
- comply with, and only act on, instructions from or on behalf of that Customer regarding the Processing of the Personal Data;
- not Process that Personal Data for any purpose other than for the performance of its obligations under the Strategic Alliance Agreement between CNTXT and Google or the Agreement;
- ensure that appropriate technical and organisational measures such as those described below, are taken to avoid unauthorised or unlawful processing of that Personal Data and against loss or destruction of, or damage to, that Personal Data;
- ensure the reliability of, and be responsible for, all of the Processor’s employees, agents and Sub-processors who will have access to that Personal Data; and
- not, by any act or omission, place the Controller in breach of the PDPL.
Personal Data Processed by the Processor on behalf of the Controller shall not be disclosed or transferred to third parties in any form, without a written approval from the Controller, unless necessary for the provision of the Subscription Items or the Services in accordance with the Agreement and this Data Processing Agreement or unless required by mandatory law to which the Processor is subject, in either case the third party may only use and access that Personal Data in accordance with the terms of this Data Processing Agreement and is bound by written obligations requiring it to provide at least the level of data protection required under this Data Processing Agreement. Subject to clause 7 below, the Controller acknowledges that Sub-processors may be used and hereby agrees to the transfer of Personal Data to such Sub-processors for the purpose of performance of the Processor’s obligations under this Data Processing Agreement. Personal Data Processed by the Processor on behalf of the Controller shall not be exported to third countries except in compliance with the PDPL.
The Processor shall deploy planned, systematic measures organisationally and technically, aimed at ensuring satisfactory data security with regard to confidentiality, integrity and accessibility in connection with the Processing of Personal Data, including:
- ensuring that IT systems and other systems used in the Processing of Personal Data in relation to this Data Processing Agreement, and any connections between such systems, are configured in a way that secures appropriate information security;
- ensuring that any storage medium, data medium and/or data equipment used to Process Personal Data are protected with reasonable measures aimed to prevent destruction and unauthorized access of or to the Personal Data;
- ensuring that measures are implemented with the aim of protecting against destructive and/or malicious software and/or hacking of the systems used by the Processor in the Processing of Personal Data on behalf of the Controller;
- ensuring that Personal Data Processed according to this Data Processing Agreement is kept separate from the Processor’s own information, information of third parties and/or other information (notwithstanding that such Personal Data may be kept logically separate, and not necessarily physically separate); and
- ensuring that access controls are implemented with the intent of ensuring that no unauthorized persons obtain access to the premises, files or systems where Personal Data to which the Processor receives access under this Data Processing Agreement are stored, kept or processed.
The Processor shall, at least once per year, perform security reviews of the systems used to process any Personal Data pursuant to this Data Processing Agreement and the Agreement.
The Processor shall maintain records demonstrating an adequate level of information security for Personal Data, systems and routines which are relevant for the performance of the obligations under this Data Processing Agreement and shall make such records available to the Controller on request. As part of such record keeping, the Processor shall document its routines for authorizing the use of its data processing systems by individuals, in addition to technical and organizational security measures. The documentation shall be kept in a format which may be accessed by the Controller and/or the Competent Authority on request. The Processor shall make such documentation available to the Controller on request. If such documentation is not sufficient to demonstrate compliance and if requested, the Processor shall, on request, make its premises accessible for audits and site visits by the Controller (or by a suitably qualified person nominated by the Controller) and/or the Competent Authority under the PDPL. The Controller shall be entitled to undertake such audits and site visits once per year during the term of this Data Processing Agreement (but for the avoidance of doubt, if material deficiencies are identified, the Controller shall be entitled to undertake such additional audits and/or site visits as may be required to satisfy the Controller that such deficiencies have been remedied) provided that such audits and visits are conducted as follows:
- The audit shall be limited to such matters as are necessary to assess the compliance of the Processor with this Data Processing Agreement, and the Processor shall be entitled to refuse access to any premises, systems, information or personnel which are not relevant and shall be entitled to redact or withhold any information where disclosure of such information would cause the Processor to be in breach of any confidentiality obligation owed to a third party.
- All persons involved in conducting the audit must enter into a confidentiality undertaking in favour of the Processor.
- No less than thirty (30) days’ advance written notice of the audit must be given.
- No later than ten (10) days before the intended audit, Controller shall provide the Processor with an audit plan indicating any specific aims or concerns relating to the audit and the parties shall discuss, refine and agree the same in good faith with the intent of ensuring the audit is efficiently conducted.
- Any audit shall be conducted during the normal business hours of the Processor, which shall be communicated to the Controller, and shall be conducted in a manner designed to minimise, as far as possible, any disruption to the business of the Processor.
Any audit personnel shall be required to comply with site rules and procedures and must be citizens or residents of the Kingdom of Saudi Arabia and the Processor may immediately require any person to leave its sites or may block the access of such person to systems, personnel or information if it reasonably believes that such person has breached site rules, has not properly identified themselves, has conducted themselves in an unprofessional or negligent manner or has created any threat to security or health and safety.
Records of unauthorized use of information systems and attempts of unauthorized use shall be stored for at least three (3) months. This also applies to all registrations and other events of significance to the level of security.
In the event that system and/or data security measures are not sufficient to allow the Processor to meet its statutory and contractual obligations, the Processor shall, upon identifying such deficiency (or being notified of this by the Controller, the Competent Authority or any other competent person), make the necessary changes to the system or the routines as soon as reasonably practicable and in any event within a reasonable period of time taking account of the level of risk to the security and integrity of Personal Data.
The Processor shall immediately inform the Controller of any suspected or confirmed data protection breaches or unauthorised or unlawful use, processing, loss or destruction of, or damage to, the Controller’s Personal Data. The Controller shall decide whether the Competent Authority shall be notified in accordance with the PDPL.
The Processor shall provide reasonable assistance to the Controller in fulfilling the obligations arising pursuant to PDPL, taking into account the nature of the Processing required and the information available to the Processor. If such assistance will require the Processor to incur non-trivial costs or expenses it may condition its assistance upon the Controller’s agreement to reimburse it.
The Processor shall assist the Controller in taking appropriate technical and organizational measures for the fulfilment of the Controller's obligations to respond to requests arising from the exercise of the Data Subject’s rights laid down in PDPL.
4. DELETION OF PERSONAL DATA
The Controller is responsible for ensuring that it has put in place sufficient back-up and recovery processes and facilities for its Personal Data, in light of the importance of the data to it in the context of its activities, and that it extracts data from cloud services in a prudent and timely manner during the term of the Agreement.
Upon termination of this Data Processing Agreement, Controller may request the Processor to make any and all Personal Data of the Controller available to the Controller in a commonly used file format (subject to technical feasibility).
Following termination of the Data Processing Agreement and the expiry of a reasonable period, Processor shall delete or destroy all copies of Personal Data stored on any computer, server or other device or which are otherwise in the Processor’s possession or control, except to the extent the Processor is required to retain such Personal Data by Applicable Laws or has a legitimate basis to continue processing such Personal Data under Applicable Laws.
The Controller acknowledges it is its responsibility to retrieve its Personal Data before deletion occurs.
5. TERMINATION
This Data Processing Agreement shall remain effective for as long as the Processor Processes Personal Data on behalf of the Controller under the Agreement.
6. CONFIDENTIALITY
The Processor shall maintain secrecy concerning the Personal Data received from the Controller. This obligation shall apply also after the termination of this Data Processing Agreement.
The Processor shall therefore:
a) limit the disclosure of, and access to, Personal Data to those of its personnel, licensors, agents and contractors to whom such disclosure is necessary for processing Personal Data in accordance with this Data Processing Agreement;
b) ensure that such personnel acknowledge that Personal Data shall be treated as confidential before it is imparted to them and ensure that such personnel are bound by obligations restricting use and disclosure of Personal Data equivalent to, but in any event no less strict, those set out in this Data Processing Agreement;
c) instruct all such personnel that they shall not use such Personal Data for any purpose other than the fulfilment of this Data Processing Agreement and not to disclose Personal Data to third parties, without the prior written consent of the Controller; and
d) use commercially reasonable efforts to ensure that such personnel abide by such obligations.
7. SUB-PROCESSORS
In the event that use of Sub-processors involves transfer of Personal Data outside of the Kingdom of Saudi Arabia, the Processor shall be responsible for ensuring that this transfer is in accordance with the PDPL.
Sub-processing under this provision shall not include ancillary services ordered by the Processor from third parties to assist in the performance of the Processor’s day-to-day business, e.g. telecommunications services, maintenance, user support, auditing, disposal of media, etc.
APPENDIX 1 – INFORMATION ABOUT THE PROCESSING OF PERSONAL DATA
SERVICES PERFORMED BY PROCESSOR
Provision of Subscription Items and Services as described in the Agreement.
PURPOSE AND NATURE OF THE PROCESSING
Processing Personal Data for the provision of the Subscription Items and Services as described in the Agreement, including providing access to CNTXT products or technology and/or providing Cognite Products or Google Products and support for the same.
CATEGORIES OF PERSONAL DATA
Personal Data transferred by the Controller to enable use of the Subscription Items and Services (including data uploaded to SaaS servers), including but not limited to (depending on the Subscription Items and Services provided):
- Names
- Job title
- national identity numbers
- addresses, e-mail addresses
- log data
- IP addresses
- dates of birth
- telephone numbers
- invoice information
- tax information
- bank account details
Further details of the capabilities of each SaaS product are referred to in the Product Specific Terms.
CATEGORIES OF DATA SUBJECTS
Depending on the Subscription Items and Services in question: Controller’s employees and consultants; Controller’s business contacts; Controller’s customers and potential customers; other third parties.
DATA RETENTION
For the duration of the Agreement, unless otherwise agreed. Processor may retain data for longer if there is an overriding legal basis to do so (such as compliance with Applicable Laws, or if necessary to pursue or defend legal claims).
THE FREQUENCY OF THE TRANSFER (E.G. WHETHER THE DATA IS TRANSFERRED ON A ONE-OFF OR CONTINUOUS BASIS)
Personal Data will be transferred on a continuous basis.
IDENTIFY THE COMPETENT SUPERVISORY AUTHORITY/AUTHORITIES
Competent Authority in the Kingdom of Saudi Arabia as defined by the PDPL and the Communications, Space and Technology Commission for the purposes of the Cloud Computing Regulatory Framework.
APPENDIX 2 – REQUIREMENTS OF EUROPEAN DATA PROTECTION LEGISLATION
To the extent that European Data Protection Legislation applies, this Data Processing Agreement shall be amended by CNTXT and the Customer to reflect the following obligations of CNTXT, or otherwise contains data processing terms that meet the requirements of Article 28(3) of the GDPR:
- To only process personal data in relation to which the Customer is the data controller in accordance with written instructions from or on behalf of that Customer, unless EU or EU Member State law to which CNTXT is subject requires other processing of that personal data, in which case CNTXT will inform the Customer (unless that law prohibits CNTXT from doing so on important grounds of public interest);
- To not process that personal data for any purpose other than for the performance of CNTXT’s obligations under the Strategic Alliance Agreement between CNTXT and Google or the Customer Agreement;
- To ensure that appropriate technical and organisational measures are taken to avoid unauthorised or unlawful processing of that data and against loss or destruction of, or damage to, that personal data;
- To ensure all of CNTXT’s employees, agents and contractors who will have access to that personal data have committed themselves to confidentiality or are otherwise under an appropriate obligation of confidentiality;
- To not, by any act or omission, place that Customer in breach of the European Data Protection Legislation;
- To inform that Customer promptly and without undue delay of any data protection breaches or unauthorised or unlawful processing, loss, or destruction of, or damage to, that personal data;
- To obtain prior consent to engage any third party subcontractor to process that personal data on behalf of the Customer, and ensure such third party subcontractor only uses and accesses that data in accordance with the terms of the Customer Agreement and is bound by written obligations requiring it to provide at least the level of data protection required under the Strategic Alliance Agreement between CNTXT and Google;
- Taking into account the nature of the processing, to assist the Customer by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Customer's obligations under the European Data Protection Legislation to respond to requests for exercising the data subject's rights;
- To assist the Customer in ensuring compliance with any applicable obligations under the European Data Protection Legislation related to security; breach notification; data protection impact assessments and prior consultation with the supervisory authorities, taking into account the nature of processing and the information available to CNTXT;
- At the choice of the Customer, to delete or return all the personal data to Customer after the end of the provision of the Services, and delete existing copies unless prohibited from doing so by applicable EU or EU member state law;
- To make available to the Customer all information necessary to demonstrate CNTXT’s compliance with the obligations imposed by the Customer Agreement in respect of the personal data and allow for and contribute to audits, including inspections, conducted by Customer or another auditor mandated by Customer; and
- To not process, or cause to be processed, that personal data outside the European Economic Area unless CNTXT adopts a compliance solution that achieves compliance with the terms of Article 25 of the Directive or Article 44 of the GDPR (as applicable).
Interpretation. The terms “processing”, “personal data”, “processor” and “controller” as used in this Exhibit 1 have the meanings given in the European Data Protection Legislation.