This Addendum forms a part of the commercial Agreement between you (collectively, “You”, “Your”, “Customer”, or “Data Controller”) and Zafran Security Ltd. or Zafran Security Inc. (“Zafran Security”, “Us”, “We”, “Our”, “Service Provider” or “Data Processor”). Both parties shall be referred to as the “Parties” and each, a “Party”.
| Clause | Content |
| --- | --- |
| WHEREAS: | Zafran Security shall provide the services set forth in the Agreement (collectively, the "Services") for Customer, as described in the Agreement; and |
| WHEREAS: | In the course of providing the Services pursuant to the Agreement, we may process Personal Data on your behalf, in the capacity of a "Data Processor"; and the Parties wish to set forth the arrangements concerning the processing of Personal Data (defined below) within the context of the Services and agree to comply with the following provisions with respect to any Personal Data, each acting reasonably and in good faith. |
NOW THEREFORE, in consideration of the mutual promises set forth herein and other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged by the Parties, the parties, intending to be legally bound, agree as follows:
- INTERPRETATION AND DEFINITIONS
- The headings contained in this DPA are for convenience only and shall not be interpreted to limit or otherwise affect the provisions of this DPA. References to clauses or sections are references to the clauses or sections of this DPA unless otherwise stated. Words used in the singular include the plural and vice versa, as the context may require. Capitalized terms not defined herein shall have the meanings assigned to such terms in the Agreement. Definitions:
- “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control”, for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.
- “Authorized Affiliate” means any of Customer’s Affiliate(s) which (a) is subject to the Data Protection Laws And Regulations of the European Union, the European Economic Area and/or their member states, Switzerland and/or the United Kingdom, and (b) is permitted to use the Services pursuant to the Agreement between Customer and Zafran Security, but has not signed its own agreement with Zafran Security and is not a “Customer” as defined under the Agreement.
- “Controller” or “Data Controller” means the entity which determines the purposes and means of the Processing of Personal Data. For the purposes of this DPA only, and except where indicated otherwise, the term “Data Controller” shall include the Customer and/or the Customer’s Authorized Affiliates.
- “CCPA” means the California Consumer Privacy Act of 2018 and its modifications and amendments.
- "Data Privacy Framework" or "DPF" means the EU-US Data Privacy Framework as adopted by the European Commission on July 10, 2023, and/or the Swiss-US Data Privacy Framework. "UK Extension" means the United Kingdom's extension to the EU-US Data Privacy Framework;
- “Data Protection Laws and Regulations” means all laws and regulations of the European Union, the European Economic Area and their Member States, the United Kingdom, and the Israeli Privacy Protection Law, 1981 and the regulations promulgated thereunder (including Privacy Protection Regulations (Transfer of Data to Databases Abroad), 5761-2001 and Privacy Protection Regulations (Data Security), 5777-2017), and any binding instructions, guidelines and requirements of the Israeli Privacy Protection Authority, as applicable to the Processing of Personal Data under the Agreement.
- “Data Subject” means the identified or identifiable person to whom the Personal Data relates.
- “Member State” means a country that belongs to the European Union and/or the European Economic Area. “Union” means the European Union.
- “GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
- “Personal Data” or “Personal Information” means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person, as defined under Data Protection Laws and Regulations. For the avoidance of doubt, Customer's business contact information is not by itself deemed to be Personal Data subject to this DPA.
- “Process(ing)” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, Customer, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- “Processor” or “Data Processor” means the entity which Processes Personal Data on behalf of the Controller.
- “Security Documentation” means the Security Documentation applicable to the specific Services purchased by Customer, as updated from time to time, and made reasonably available by Zafran Security.
- “Standard Contractual Clauses” or “SCCs” means (i) the standard contractual clauses for the transfer of Personal Data to Data processors established in third countries which do not ensure an adequate level of protection as set out in Regulation (EU) 2016/679 of the European Parliament and of the Council from June 4, 2021, as available here, as updated, amended, replaced or superseded from time to time by the European Commission; or (ii) where required from time to time by a supervisory authority for use with respect to any specific restricted transfer, any other set of contractual clauses or other similar mechanism approved by such Supervisory Authority or by Applicable Laws for use in respect of such Restricted Transfer, as updated, amended, replaced or superseded from time to time by such Regulatory Authority or Data Protection Laws and Regulations;
- “Sub-processor” means any Processor engaged by Zafran Security and/or Zafran Security Affiliate to Process Personal Data on behalf of Customer.
- “Supervisory Authority” means an independent public authority which is established by an EU Member State pursuant to the GDPR.
- PROCESSING OF PERSONAL DATA
- The Parties acknowledge and agree that with regard to the Processing of Personal Data under this DPA Zafran Security is the Data Processor and Zafran Security may engage Sub-processors pursuant to the requirements set forth in Section 5 “Sub-processors” below. For clarity, this DPA shall not apply with respect to Zafran Security processing activity as a Data Controller with respect to Zafran Security data as detailed in Zafran Security’s privacy policy.
- Customer shall, in its use of the Services, Process Personal Data in accordance with the requirements of Data Protection Laws and Regulations and comply at all times with the obligations applicable to data controllers (including, without limitation, Article 24 of the GDPR). For the avoidance of doubt, Customer’s instructions for the Processing of Personal Data shall comply with Data Protection Laws and Regulations. Customer shall have sole responsibility for the means by which Customer acquired Personal Data. Without limitation, Customer shall comply with any and all transparency-related obligations (including, without limitation, displaying any and all relevant and required privacy notices or policies) and shall at all times have any and all required ongoing legal bases in order to collect, Process and transfer to Zafran Security the Personal Data and to authorize the Processing by Zafran Security of the Personal Data which is authorized in this DPA. Customer shall defend, hold harmless and indemnify Zafran Security, its Affiliates and subsidiaries (including without limitation their directors, officers, agents, subcontractors and/or employees) from and against any liability of any kind related to any breach, violation or infringement by Customer and/or its authorized users of any Data Protection Laws and Regulations and/or this DPA and/or this Section.
- Zafran Security’s Processing of Personal Data.
- Subject to the Agreement, Zafran Security shall Process Personal Data that is subject to this DPA only in accordance with Customer’s documented instructions as necessary for the performance of the Services and for the performance of the Agreement and this DPA, unless required to otherwise by Union or Member State law or any other applicable law to which Zafran Security and its Affiliates are subject, in which case, Zafran Security shall inform the Customer of the legal requirement before processing, unless that law prohibits such information on important grounds of public interest. The duration of the Processing, the nature and purposes of the Processing, as well as the types of Personal Data Processed and categories of Data Subjects under this DPA are further specified in Schedule 1 (Details of the Processing) to this DPA.
- To the extent that Zafran Security or its Affiliates cannot comply with a request (including, without limitation, any instruction, direction, code of conduct, certification, or change of any kind) from Customer and/or its authorized users relating to Processing of Personal Data or where Zafran Security considers such a request to be unlawful, Zafran Security (i) shall inform Customer, providing relevant details of the problem (but not legal advice), (ii) Zafran Security may, without any kind of liability towards Customer, temporarily cease all Processing of the affected Personal Data (other than securely storing those data), and (iii) if the Parties do not agree on a resolution to the issue in question and the costs thereof, each Party may, as its sole remedy, terminate the Agreement and this DPA with respect to the affected Processing, and Customer shall pay to Zafran Security all the amounts owed to Zafran Security or due before the date of termination. Customer will have no further claims against Zafran Security (including, without limitation, requesting refunds for Services) due to the termination of the Agreement and/or the DPA in the situation described in this paragraph (excluding the obligations relating to the termination of this DPA set forth below).
- Zafran Security will not be liable in the event of any claim brought by a third party, including, without limitation, a Data Subject, arising from any act or omission of Zafran Security, to the extent that such is a result of Customer’s instructions.
- RIGHTS OF DATA SUBJECTS. If Zafran Security receives a request from a Data Subject to exercise its rights as laid down in Chapter III of the GDPR (“Data Subject Request”), Zafran Security shall, to the extent legally permitted, promptly notify and forward such Data Subject Request to Customer. Taking into account the nature of the Processing, Zafran Security shall use commercially reasonable efforts to assist Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Customer’s obligation to respond to a Data Subject Request under Data Protection Laws and Regulations. To the extent legally permitted, Customer shall be responsible for any costs arising from Zafran Security’s provision of such assistance.
- ZAFRAN SECURITY PERSONNEL
- Zafran Security shall grant access to the Personal Data to persons under its authority (including, without limitation, its personnel) only on a need to know basis and ensure that such persons engaged in the Processing of Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
- Zafran Security may disclose and Process the Personal Data (a) as permitted hereunder (b) to the extent required by a court of competent jurisdiction or other Supervisory Authority and/or otherwise as required by applicable laws or applicable Data Protection Laws and Regulations (in such a case, Zafran Security shall inform the Customer of the legal requirement before the disclosure, unless that law prohibits such information on important grounds of public interest), or (c) on a “need-to-know” basis under an obligation of confidentiality to legal counsel(s), data protection advisor(s), accountant(s), investors or potential acquirers.
- AUTHORIZATION REGARDING SUB-PROCESSORS
- Zafran Security’s current list of Sub-processors can be found on Zafran Security’s webpage https://www.zafran.io/legal/sub-processor-list (“Sub-processor List”) and is hereby approved by Data Controller. Customer hereby grants a general authorization to Zafran Security to appoint new Sub-processors, and Zafran Security shall comply with the conditions of Section 5.2 to 5.4.
- Customer shall send an email to Privacy@zafran.io with the subject SUBSCRIPTION TO SUB-PROCESSORS NOTIFICATION, to subscribe to notifications of new Sub-processors, and if Customer subscribes, Zafran Security shall provide notification of any new Sub-processor(s).
- Customer may reasonably object to Zafran Security’s use of a Sub-processor for reasons related to the GDPR by notifying Zafran Security promptly in writing within three (3) business days after receipt of Zafran Security’s notice in accordance with the mechanism set out in Section 5.2 and such written objection shall include the reasons related to the GDPR for objecting to Zafran Security’s use of such Sub-processor. Failure to object to such Sub-processor in writing within three (3) business days following Zafran Security’s notice shall be deemed as acceptance of the Sub-Processor. In the event Customer reasonably objects to a Sub-processor, as permitted in the preceding sentences, Zafran Security will use reasonable efforts to make available to Customer a change in the Services or recommend a commercially reasonable change to Customer’s use of the Services to avoid Processing of Personal Data by the objected-to Sub-processor without unreasonably burdening the Customer. If Zafran Security is unable to make available such change within a reasonable period of time, which shall not exceed thirty (30) days, Customer may, as a sole remedy, terminate the applicable Agreement and this DPA with respect only to those Services which cannot be provided by Zafran Security without the use of the objected-to Sub-processor by providing written notice to Zafran Security provided that all amounts due under the Agreement before the termination date with respect to the Processing at issue shall be duly paid to Zafran Security. Until a decision is made regarding the Sub-processor, Zafran Security may temporarily suspend the Processing of the affected Personal Data. Customer will have no further claims against Zafran Security due to the termination of the Agreement (including, without limitation, requesting refunds) and/or the DPA in the situation described in this paragraph.
- This Section 5 shall not apply to subcontractors of Zafran Security which provide ancillary services to support the performance of the DPA. This includes, for example, telecommunication services, maintenance and user service, cleaning staff, or auditors.
- SECURITY
- Taking into account the state of the art, the costs of implementation, the scope, the context, the purposes of the Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Zafran Security shall maintain all industry-standard technical and organizational measures required pursuant to Article 32 of the GDPR for protection of the security (including protection against unauthorized or unlawful Processing and against accidental or unlawful destruction, loss or alteration or damage, unauthorized disclosure of, or access to, Personal Data), confidentiality and integrity of Personal Data, as set forth in the Security Documentation which are hereby approved by Customer. Upon the Customer’s request, Zafran Security will use commercially reasonable efforts to assist Customer, at Customer’s cost, in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR taking into account the nature of the processing, the state of the art, and the information available to Zafran Security.
- Upon Customer’s written request at reasonable intervals, and subject to the confidentiality obligations set forth in the Agreement and this DPA, Zafran Security shall make available to Customer that is not a competitor of Zafran Security (or Customer’s independent, third-party auditor that is not a competitor of Zafran Security) a copy or a summary of Zafran Security’s then most recent third-party audits or certifications, as applicable (provided, however, that such audits, certifications and the results therefrom, including the documents reflecting the outcome of the audit and/or the certifications, shall only be used by Customer to assess compliance with this DPA, and shall not be used for any other purpose or disclosed to any third party without Zafran Security’s prior written approval and, upon Zafran Security’s first request, Customer shall return all records or documentation in Customer’s possession or control provided by Zafran Security in the context of the audit and/or the certification). At Customer’s cost and expense, Zafran Security shall allow for and contribute to audits, including inspections of Zafran Security’s, conducted by the controller or another auditor mandated by the controller (who is not a direct or indirect competitor of Zafran Security) provided that the parties shall agree on the scope, methodology, timing and conditions of such audits and inspections. Notwithstanding anything to the contrary, such audits and/or inspections shall not contain any information, including without limitation, personal data that does not belong to Customer.
- PERSONAL DATA INCIDENT MANAGEMENT AND NOTIFICATION. Zafran Security shall notify Customer without undue delay after becoming aware of the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data, including Personal Data, transmitted, stored or otherwise Processed by Zafran Security of which Zafran Security becomes aware (a “Personal Data Incident”). Zafran Security shall make reasonable efforts to identify the cause of such Personal Data Incident and take those steps as Zafran Security deems necessary, possible and reasonable in order to remediate the cause of such a Personal Data Incident to the extent the remediation is within Zafran Security’s reasonable control. In any event, Customer will be the party responsible for notifying supervisory authorities and/or concerned data subjects (where required by Data Protection Laws and Regulations).
- RETURN AND DELETION OF PERSONAL DATA. Subject to the Agreement, Zafran Security shall, at the choice of Customer, delete or return the Personal Data to Customer after the end of the provision of the Services relating to Processing, and shall delete existing copies unless applicable law requires storage of the Personal Data. In any event, to the extent required or allowed by applicable law, Zafran Security may retain one copy of the Personal Data for evidence purposes and/or for the establishment, exercise or defence of legal claims and/or to comply with applicable laws and regulations. If the Customer requests the Personal Data to be returned, the Personal Data shall be returned in the format generally available for Zafran Security’s Customers.
- AUTHORIZED AFFILIATES
- The Parties acknowledge and agree that, by executing the DPA, the Customer enters into the DPA on behalf of itself and, as applicable, in the name and on behalf of its Authorized Affiliates, thereby establishing a separate DPA between Zafran Security. Each Authorized Affiliate agrees to be bound by the obligations under this DPA. All access to and use of the Services by Authorized Affiliates must comply with the terms and conditions of the Agreement and this DPA and any violation of the terms and conditions therein by an Authorized Affiliate shall be deemed a violation by Customer.
- The Customer shall remain responsible for coordinating all communication with Zafran Security under the Agreement and this DPA and shall be entitled to make and receive any communication in relation to this DPA on behalf of its Authorized Affiliates.
- TRANSFERS OF DATA
- To the extent that there is Processing of Personal Data which includes transfers from the EEA, or the UK to the United States, Zafran Security may rely on our sub-processors' self-certification to the EU-US Data Privacy Framework and its UK-Extension.
- To the extent that there is Processing of Personal Data which includes transfers from the EEA, the UK to countries which do not offer adequate level of data protection or which have not been subject to an Adequacy Decision (“Other Countries”), the below terms shall apply:
- With respect to the EU transfers of Personal Data, Customer as a Data Exporter (as defined in the SCCs) and Zafran Security on behalf of itself and each Zafran Security Affiliate (as applicable) as a Data Importer (as defined in the SCCs) hereby enter into the SCC set out in Schedule 3. To the extent that there is any conflict or inconsistency between the terms of the SCC and the terms of this DPA, the terms of the SCC shall take precedence.
- TERMINATION. This DPA shall automatically terminate upon the termination or expiration of the Agreement under which the Services are provided. Sections 2.2, 2.3.3, 7 and 11 shall survive the termination or expiration of this DPA for any reason. This DPA cannot, in principle, be terminated separately to the Agreement, except where the Processing ends before the termination of the Agreement, in which case, this DPA shall automatically terminate.
- RELATIONSHIP WITH AGREEMENT. In the event of any conflict between the provisions of this DPA and the provisions of the Agreement, the provisions of this DPA shall prevail over the conflicting provisions of the Agreement. Notwithstanding anything to the contrary in the Agreement and/or in any agreement between the parties and to the maximum extent permitted by law: (A) Zafran Security’s (including Zafran Security’s Affiliates’) entire, total and aggregate liability, related to personal data or information, privacy, or for breach of, this DPA and/or Data Protection Laws and Regulations, including, without limitation, if any, any indemnification obligation or applicable law regarding data protection or privacy, shall be limited to the amounts paid to Zafran Security under the Agreement within twelve (12) months preceding the event that gave rise to the claim. This limitation of liability is cumulative and not per incident; (B) In no event will Zafran Security and/or Zafran Security Affiliates and/or their third-party providers, be liable under, or otherwise in connection with this DPA for: (i) any indirect, exemplary, special, consequential, incidental or punitive damages; (ii) any loss of profits, business, or anticipated savings; (iii) any loss of, or damage to data, reputation, revenue or goodwill; and/or (iv) the cost of procuring any substitute goods or services; and (C) The foregoing exclusions and limitations on liability set forth in this Section shall apply: (i) even if Zafran Security, Zafran Security Affiliates or third-party providers, have been advised, or should have been aware, of the possibility of losses or damages; (ii) even if any remedy in this DPA fails of its essential purpose; and (iii) regardless of the form, theory or basis of liability (such as, but not limited to, breach of contract or tort).
- AMENDMENTS. This DPA may be amended at any time by a written instrument duly signed by each of the Parties.
- LEGAL EFFECT. This DPA shall only become legally binding between Customer and Zafran Security when the formalities steps set out in the Section “INSTRUCTIONS ON HOW TO EXECUTE THIS DPA” below have been fully completed. Zafran Security may assign this DPA or its rights or obligations hereunder to any Affiliate thereof, or to a successor or any Affiliate thereof, in connection with a merger, consolidation or acquisition of all or substantially all of its shares, assets or business relating to this DPA or the Agreement. Any Zafran Security obligation hereunder may be performed (in whole or in part), and any Zafran Security right (including invoice and payment rights) or remedy may be exercised (in whole or in part), by an Affiliate of Zafran Security.
- SIGNATURE. The Parties represent and warrant that they each have the power to enter into, execute, perform and be bound by this DPA. You, as the signing person on behalf of Customer, represent and warrant that you have, or you were granted, full authority to bind the Customer and, as applicable, its Authorized Affiliates to this DPA. If you cannot, or do not have authority to, bind the Customer and/or its Authorized Affiliates, you shall not supply or provide Personal Data to Zafran Security. By signing this DPA, Customer enters into this DPA on behalf of itself and, to the extent required or permitted under applicable Data Protection Laws and Regulations, in the name and on behalf of its Authorized Affiliates, if and to the extent that Zafran Security processes Personal Data for which such Authorized Affiliates qualify as the/a “data controller”.
This DPA has been pre-signed on behalf of Zafran Security.
Instructions on how to execute this DPA.
1. To complete this DPA, you must complete the missing information; and
2. Send the completed and signed DPA to us by email, indicating the Customer’s name, to Privacy@zafran.io
List of Schedules
· SCHEDULE 1 - DETAILS OF THE PROCESSING
· SCHEDULE 2 - SUB-PROCESSOR LIST
· SCHEDULE 3 – STANDARD CONTRACTUAL CLAUSES
| Field | ZAFRAN SECURITY Inc./Ltd. | CUSTOMER |
| --- | --- | --- |
| Signature: | | |
| Legal Name: | | |
| Title: | | |
| Date: | | |
SCHEDULE 1 - DETAILS OF THE PROCESSING
Subject matter. Zafran Security will Process Personal Data as necessary to perform the Services pursuant to the Agreement, as further instructed by Customer in its use of the Services.
Nature and Purpose of Processing.
- Performing the Agreement, this DPA and/or other contracts executed by the Parties, including, providing the Service(s) to Customer and providing support and technical maintenance, if agreed in the Agreement
- For Zafran Security to comply with documented reasonable instructions provided by Customer where such instructions are consistent with the terms of the Agreement.
Duration of Processing. Subject to any Section of the DPA and/or the Agreement dealing with the duration of the Processing and the consequences of the expiration or termination thereof, Zafran Security will Process Personal Data for the duration of the Agreement, unless otherwise agreed upon in writing.
Type of Personal Data.
Customer determines the categories of any Customer Personal Data that is made accessible to Zafran, which may include, without limitation, Customer Personal Data relating to the following categories:
- If Customer uses Zafran for scanning, Personal Data might be temporarily processed by Zafran during the scanning. The type of the Personal Data depends on Customer environment and which sources Customer connects.
- Zafran only stores metadata such as CVEs, misconfigurations, list of installed packages, cloud events, local cloud user accounts, cloud object identifiers and (depending on the features used by Customer) logs and file paths. Such metadata does not generally contain Personal Data, however, depending on the Customer’s environment and naming conventions and the features used by Customer, some limited Personal Data may be included. For example, cloud user account names could include an individual’s name, logs could contain names, associated email address and IP address and pseudonymized samples of findings to enable Customer to locate, verify and remediate the finding(s).
Customer acknowledges that Zafran does not control which Customer Personal Data Customer shares with it in the context of the Services.
For the avoidance of doubt, the information subject to the Zafran Security’s privacy policy (e.g., log-in details), which a customer can request from Privacy@zafran.io shall not be subject to the terms of this DPA.
Categories of Data Subjects. Customer may submit Personal Data to the Services, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to Personal Data relating to the following categories of data subjects:
- Customer’s customers and/or Customers
- Employees, agents, advisors, freelancers of Customer (who are natural persons)
- Prospects, Customers, business partners and vendors of Customer (who are natural persons)
- Employees or contact persons of Customer’s prospects, Customers, business partners and vendors
The frequency of the transfer. Continuous basis or one-off
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period. As described in this DPA and/or the Agreement
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing. As detailed in Schedule 2.
SCHEDULE 2 – SUB-PROCESSOR LIST
When acting as a data processor on behalf of our customers, Zafran, Inc. and its Affiliates engage sub-processors who may process Customer Personal Data submitted to Zafran’s services.
These sub-processors are listed below, with a description of the types of processing they perform and the location. This list may be updated by Zafran from time to time.
Zafran Affiliates
| Sub-Processor | Types of processing | Location |
| --- | --- | --- |
| Zafran, Inc.* | Provision of technical services, support services, and supporting provision, management and maintenance of the Service. | US |
| Zafran Ltd.* | | Israel |
*This entity shall not be a subprocessor if customer is contracting with this entity under its agreement with Zafran.
| Sub-Processor | Type of Service | Location | Physical address |
| --- | --- | --- | --- |
| Amazon Web Services, Inc. | Primary hosting provider for Zafran's cloud environment | United States | 410 Terry Ave North Seattle, WA United States |
| Elasticsearch B.V. | Operational logs | United States | Keizersgracht 281 Amsterdam Netherlands |
| Cloudflare, Inc. | Web Application Firewall | Global, depends on customer location | 101 Townsend St. San Francisco, CA United States |
| Descope, Inc. | Authentication and storage of user identifiers | United States | 101 1 St St. Los Altos, California 94022, United States |
| Datadog, Inc. | Performance monitoring and logging | United States | 620 8th Avenue New York City, NY United States |
| Confluent | Managed Kafka | United States | 899 W. Evelyn Avenue Mountain View, CA United States |
| ClickHouse | Managed Database | United States | 650 Castro St Mountain View CA 94041 United States |
SCHEDULE 3 - STANDARD CONTRACTUAL CLAUSES
EU SCCs. If the Processing of Personal Data includes transfers from the EU to countries outside the EEA which do not offer adequate level of data protection or which have not been subject to an Adequacy Decision, the Parties shall comply with Chapter V of the GDPR. The Parties hereby agree to execute the Standard Contractual Clauses as follows:
- The Standard Contractual Clauses (Controller-to-Processor and Processor to Processor) as applicable, will apply, with respect to restricted transfers between Customer and Zafran Security that are subject to the GDPR.
- Annex I.A: With respect to Module Two: (i) Data Exporter is Customer as a data controller and (ii) the Data Importer is Zafran Security as a data processor. With respect to Module Three: (i) Data Exporter is Customer as a data processor and (ii) the Data Importer is Zafran Security as a data processor (sub-processor). Data Exporter and Data Importer Contact details: As detailed in the Agreement. Signature and Date: By entering into the Agreement and this DPA, each Party is deemed to have signed these Standard Contractual Clauses incorporated herein, including their Annexes, as of the Effective Date of the DPA.
- Annex I.B of the Standard Contractual Clauses shall be completed as described in Schedule 1 (Details of the Processing) of this DPA.
- Annex I.C of the Standard Contractual Clauses shall be completed as follows: The competent supervisory authority is the Irish supervisory authority.
- Annex II of the Standard Contractual Clauses shall be completed as described in the Security Documentation.
- Annex III of the Standard Contractual Clauses shall be completed with the authorized sub-processors detailed in Schedule 2 (Sub-processor list) of this DPA.
- The Parties agree that for the purpose of transfer of Personal Data between Customer (as Data Exporter) and Zafran Security (as Data Importer), the following shall apply: (i) Clause 7 of the Standard Contractual Clauses shall be applicable; (ii) In Clause 9, option 2 shall apply and the method described in Section 5 of the DPA (Authorization Regarding Sub-Processors) shall apply; (iii) Clause 11 of the Standard Contractual Clauses shall be not applicable; (iv) In Clause 13: the relevant option applicable to the Customer, as informed by Customer to Zafran Security; (v) In Clause 17, option 1 shall apply. The Parties agree that the Standard Contractual Clauses shall be governed by the laws of the Republic of Ireland; and (vi) In Clause 18(b) the Parties choose the courts of Ireland, as their choice of forum and jurisdiction.