Data Processing Addendum

Version Date: September 12, 2022

BACKGROUND

This Data Processing Addendum (“DPA”) is issued under and forms part of the Dataiku Online Terms (“Terms of Service”) entered into between you (“Customer”) and Dataiku SAS (“Dataiku”). In the event of a conflict between any of the provisions of this DPA and the provisions of the Terms of Service, the provisions of this DPA shall prevail.

1. INTERPRETATION

1.1. Unless otherwise set out below, each capitalized term in this DPA shall have the meaning set out in the Terms of Service. In this DPA, unless the context requires otherwise:

“Agreement” means, together, the Terms of Service and this DPA;

“Approved Addendum” means the template addendum, version B.1.0 issued by the UK Information Commissioner under S119A(1) Data Protection Act 2018 and laid before the UK Parliament on 2 February 2022, as it may be revised according to Section 18 of the Mandatory Clauses;

“CCPA” means the California Consumer Privacy Act, Cal. Civ. Code §§ 1798.100 et seq., including any amendments and any implementing regulations thereto that become effective on or after the effective date of this Data Processing Addendum;

“CCPA Consumer” means a “consumer” as such term is defined in the CCPA;

“CCPA Personal Information” means the “personal information” (as defined in the CCPA) that Dataiku Processes on behalf of the Customer in connection with Dataiku’s provision of the Service;

“Controller” has the meaning given in the GDPR;

“Customer Personal Data” means the CCPA Personal Information and the GDPR Personal Data;

“Data Processing Services” means the Processing of CCPA Personal Information for any purpose permitted by the CCPA, such as for a permitted “business purpose,” as such term is defined in the CCPA, or for any other purpose expressly permitted by the CCPA;

“Data Subject” has the meaning given in the GDPR;

“EU Data Protection Laws” means all applicable legislation protecting the fundamental rights and freedoms of persons and their right to privacy with regard to the Processing of GDPR Personal Data, including (as applicable):

a) the GDPR; and

b) the UK Data Protection Act 2018;

“European Economic Area” or “EEA” means the Member States of the European Union together with the United Kingdom, Iceland, Norway, and Liechtenstein;

“GDPR” means Regulation (EU) 2016/679 (the “EU GDPR”) or, where applicable, the “UK GDPR” as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the UK European Union (Withdrawal) Act 2018;

“GDPR Personal Data” means the “personal data” (as defined in the GDPR) that Dataiku Processes on behalf of the Customer in connection with Dataiku’s provision of the Service and which is subject to EU Data Protection Laws;

“Mandatory Clauses” means “Part 2: Mandatory Clauses” of the Approved Addendum;

“Processing” has the meaning given in the GDPR, and “Process” will be interpreted accordingly;

“Processor” has the meaning given in the GDPR;

“Security Incident” means any accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, any Customer Personal Data;

“Services” means the service(s) provided by Dataiku to the Customer under the Agreement, including the Data Processing Services;

“Standard Contractual Clauses” means Module Two (controller to processor) of the Standard Contractual Clauses annexed to Commission Implementing Decision (EU) 2021/914;

“Subprocessor” means any Processor engaged by Dataiku who agrees to receive from Dataiku any Customer Personal Data;

“Supervisory Authority” has the meaning given in the GDPR; and

“UK” means the United Kingdom of Great Britain and Northern Ireland.

1.2. Applicability to Customer Personal Data. Except as otherwise provided in this DPA, this DPA shall apply to all Processing of Customer Personal Data by or on behalf of Dataiku.   

REQUIREMENTS FOR GDPR PERSONAL DATA:

2. GDPR PERSONAL DATA PROCESSING

2.1. Applicability to GDPR Personal Data. Clauses 2 through 6 of this DPA shall only apply to the Processing of GDPR Personal Data by or on behalf of Dataiku.

2.2. Role of the Parties. For the purposes of the EU Data Protection Laws, the Parties acknowledge and agree that Dataiku acts as Processor and the Customer acts as Controller.

2.3. Instructions for GDPR Personal Data Processing

Dataiku will only Process GDPR Personal Data in accordance with:

a) the Agreement, to the extent necessary to provide the Service to the Customer, and

b) the Customer’s written instructions,

unless Processing is required by European Union, Member State or UK law to which Dataiku is subject, in which case Dataiku shall, to the extent permitted by European Union, Member State or UK law, inform the Customer of that legal requirement before Processing that GDPR Personal Data.

2.4. Processing GDPR Personal Data outside the scope of this DPA or the Agreement will require prior written agreement between the Customer and Dataiku on additional instructions for Processing.

2.5. Required consents and notices

Where required by applicable EU Data Protection Laws, the Customer will ensure that it has obtained/will obtain all necessary consents, and has given/will give all necessary notices to Data Subjects, for the Processing of GDPR Personal Data by Dataiku in accordance with the Agreement.

The Customer acknowledges that Dataiku is reliant on the Customer for direction as to the extent to which Dataiku is entitled to use and process the GDPR Personal Data. Consequently, Dataiku will not be liable for any claim brought against the Customer by a Data Subject arising from any act or omission by Dataiku to the extent that such act or omission resulted from the Customer’s instructions or the Customer’s use of the Service.

3. TRANSFER OF GDPR PERSONAL DATA

3.1. Customer agrees that Dataiku may use the following as Subprocessors to Process GDPR Personal Data:

  • Amazon Web Services, Inc.
  • Snowflake Inc.

3.2. Customer agrees that Dataiku may use subcontractors to fulfil its contractual obligations under the Terms of Service and Customer generally authorises the engagement of third party Subprocessors. Dataiku shall notify Customer from time to time of the identity of any Subprocessors it engages. If Customer (acting reasonably) does not approve of a new Subprocessor, then without prejudice to any right to terminate the Agreement, Customer may request that Dataiku moves the GDPR Personal Data to another Subprocessor and Dataiku shall, within a reasonable time following receipt of such request, use reasonable efforts to ensure that the Subprocessor does not Process any such GDPR Personal Data. If it is not reasonably possible to use another Subprocessor, and Customer continues to object for a legitimate reason, either Party may terminate the Terms of Service on thirty (30) days written notice. If Customer does not object within thirty (30) days of receipt of the notice, Customer is deemed to have accepted the new Subprocessor.

3.3. Except as set out in Clauses 3.1 and 3.2, Dataiku shall not permit, allow or otherwise facilitate Subprocessors to Process GDPR Personal Data without Customer’s prior written consent.

3.4. With respect to any Subprocessors engaged by Dataiku to Process GDPR Personal Data, Dataiku shall:

a) enter into a written agreement with the Subprocessor which imposes equivalent obligations on the Subprocessor with regard to their Processing of GDPR Personal Data, as are imposed on Dataiku under this DPA; and

b) at all times remain responsible for compliance with its obligations under the DPA and shall be liable to Customer for the acts and omissions of any Subprocessor as if they were Dataiku’s acts and omissions.

4. STANDARD CONTRACTUAL CLAUSES

4.1. Prohibition on Transfers of Personal Data. To the extent that the Processing of GDPR Personal Data by Dataiku involves the export of such GDPR Personal Data to a country or territory outside the EEA or UK, other than to a country or territory ensuring an adequate level of protection for the rights and freedoms of Data Subjects in relation to the Processing of personal data as determined by the European Commission or UK Information Commissioner (as applicable) (an “International Transfer”), such transfer shall, subject to Clause 4.4, be governed by the Standard Contractual Clauses. In the event of any conflict between any terms in the Standard Contractual Clauses, this DPA and the Terms of Service, the Standard Contractual Clauses shall prevail. The Standard Contractual Clauses apply where there is an International Transfer to a country or territory that does not ensure an adequate level of protection for the rights and freedoms of Data Subjects in relation to the processing of GDPR Personal Data as determined by the European Commission or UK Information Commissioner (as applicable).

4.2. For the purposes of the Standard Contractual Clauses and subject to Clause 4.4:

a) Annex I.A (List of parties) shall be deemed to refer to the Customer and Dataiku;

b) Annex I.B (Description of Transfer) shall, for the purposes of the Standard Contractual Clauses, be deemed to incorporate the information in Annex 1 of this DPA;

c) Annex I.C (Competent Supervisory Authority) shall be deemed to refer to the French Commission Nationale de l’Informatique et des Libertés (CNIL);

d) Annex II (Technical and Organisational Measures) shall be deemed to incorporate the information in Annex II of this DPA; and

e) Annex III (List of Sub-processors) shall be deemed to incorporate the information in Clause 3.1.

4.3. Subject to Clause 4.4, the parties acknowledge and agree that:

a) for the purposes of clause 8.1(a) of the Standard Contractual Clauses, the Terms and this DPA shall be the Customer’s instructions for the processing of GDPR Personal Data;

b) for the purposes of clause 9 of the Standard Contractual Clauses, the Customer gives Dataiku general authorisation to engage Subprocessors and the relevant time period in clause 9(a) shall be thirty (30) days;

c) for the purposes of clause 12 of the Standard Contractual Clauses, Dataiku’s liability for breach of any terms and conditions under this DPA and the Standard Contractual Clauses shall be subject to the liability limitations agreed in the Terms of Service; and

d) for the purposes of clause 17 of the Standard Contractual Clauses, the Standard Contractual Clauses shall be governed by the law of the EU Member State in which the data exporter is established.

4.4. Transfers within the scope of UK GDPR. With respect to any transfers of GDPR Personal Data falling within the scope of the UK GDPR from the Customer (as data exporter) to Dataiku (as data importer):

a) the Approved Addendum as further specified in this Section 4.4 shall form part of this DPA, and the Standard Contractual Clauses shall be read and interpreted in light of the provisions of the Approved Addendum, to the extent necessary according to Clause 12 of the Mandatory Clauses;

b) in deviation to Table 1 of the Approved Addendum and in accordance with Clause 17 of the Mandatory Clauses, the parties are further specified in Annex 1 of this DPA;

c) the selected Modules and Clauses to be determined according to Table 2 of the Approved Addendum are further specified in Section 4.3 of this DPA as amended by the Mandatory Clauses;

d) Annex I A and B of Table 3 to the Approved Addendum are specified by Annex I of this DPA, Annex II of the Approved Addendum is further specified by Annex II of this DPA, and Annex III of the Approved Addendum is further specified by Sections 3.1 and 3.2 of this DPA;

e) Dataiku (as data importer) may end this DPA, to the extent the Approved Addendum applies, in accordance with clause 19 of the Mandatory Clauses; and

f) Clause 16 of the Mandatory Clauses shall not apply.

5. ACCESS REQUESTS AND DATA SUBJECT RIGHTS

5.1. Data Subject Requests

Unless otherwise required by applicable law, Dataiku shall promptly notify the Customer of any request received by Dataiku or any Subprocessor from a Data Subject in respect of the GDPR Personal Data of the Data Subject, and shall not respond to the Data Subject.

5.2. Dataiku shall, where possible, assist the Customer with ensuring its compliance under applicable EU Data Protection Laws, and in particular shall:

a) provide the Customer with the ability to correct, delete, block, access or copy the GDPR Personal Data of a Data Subject, or

b) promptly correct, delete, block, access or copy GDPR Personal Data within the Service at the Customer’s request.

5.3. Data Subject Rights

Where applicable, and taking into account the nature of the Processing, Dataiku shall use reasonable efforts to assist the Customer by implementing appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Customer’s obligation to respond to requests for exercising Data Subject rights laid down in the GDPR.

6. DATA PROTECTION IMPACT ASSESSMENT

6.1. To the extent required under applicable EU Data Protection Laws, Dataiku shall provide reasonable assistance to Customer with any data protection impact assessments and with any prior consultations to any Supervisory Authority of Customer, in each case solely in relation to Processing of GDPR Personal Data and taking into account the nature of the Processing and information available to Dataiku.

REQUIREMENTS FOR CCPA PERSONAL INFORMATION: 

7. CCPA PERSONAL INFORMATION PROCESSING

7.1. Applicability to CCPA Personal Information. Clauses 7 through 9 of this DPA shall only apply to the Processing of CCPA Personal Information by or on behalf of Dataiku.  

7.2. Role of the Parties. For the purposes of the CCPA, the Parties acknowledge and agree that Dataiku will act as a “Service Provider” as such term is defined in the CCPA, in its performance of its obligations pursuant to the Agreement.

7.3. Instructions for CCPA Personal Information Processing

Dataiku shall not retain, use or disclose CCPA Personal Information for any purpose other than for the specific purpose of providing the Service, or as otherwise permitted by the CCPA. Dataiku acknowledges and agrees that it shall not retain, use or disclose CCPA Personal Information for a commercial purpose other than providing the Service.

Processing CCPA Personal Information outside the scope of this DPA or the Agreement will require prior written agreement between the Customer and Dataiku on additional instructions for Processing.

7.4. Required consents and notices

Where required by applicable laws, the Customer will ensure that it has obtained/will obtain all necessary consents, and has given/will give all necessary notices, for the Processing of CCPA Personal Information by Dataiku in accordance with the Agreement.

8. TRANSFER OF CCPA PERSONAL INFORMATION

8.1. No Disclosure of CCPA Personal Information

Dataiku shall not disclose, release, transfer, make available or otherwise communicate any CCPA Personal Information to another business or third party without the prior written consent of the Customer unless and to the extent that such disclosure is made to a Subprocessor for a business purpose, provided that Dataiku has entered into a written agreement with Subprocessor that imposes reasonably equivalent restrictions on the Subprocessor with regard to their Processing of CCPA Personal Information as are imposed on Dataiku under this DPA and the Agreement. Notwithstanding the foregoing, nothing in this Agreement shall restrict Dataiku’s ability to disclose CCPA Personal Information to comply with applicable laws or as otherwise permitted by the CCPA.

8.2. Liability of Subprocessors of CCPA Personal Information

Dataiku shall at all times remain responsible for compliance with its obligations under this DPA with respect to the CCPA and will be liable to the Customer for the acts and omissions of any Subprocessor or other third party to whom Dataiku has disclosed or permitted to Process CCPA Personal Information as if they were the acts and omissions of Dataiku.

9. CONSUMER RIGHTS REQUESTS

9.1. CCPA Consumer Rights Requests

Dataiku shall comply with all applicable requirements of the CCPA, and shall, where possible and at Dataiku’s expense, assist Customer with ensuring its compliance under applicable CCPA requirements, and in particular shall:

a) provide the Customer with the ability to delete, block, access or copy the CCPA Personal Information of a CCPA Consumer, or

b) delete, block, access or copy CCPA Personal Information within the Service at the Customer’s request.

9.2. Notice of Requests

Dataiku shall notify the Customer of any request received by Dataiku or any Subprocessor from a CCPA Consumer in respect of the CCPA Personal Information of the CCPA Consumer, and shall not respond to the CCPA Consumer.

REQUIREMENTS FOR ALL CUSTOMER PERSONAL DATA:

10. SECURITY

10.1. Security Obligations

a) Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Dataiku will implement and maintain the technical and organizational measures set out in ANNEX II. Customer acknowledges and agrees that these measures ensure a level of security that is appropriate to the risk.

b) Upon request by Customer, Dataiku shall make available any information reasonably necessary to demonstrate compliance with this DPA.

10.2. Security Incident Notification 

If Dataiku becomes aware of a Security Incident, Dataiku will (a) notify Customer of the Security Incident within 72 hours; and (b) investigate the Security Incident and provide Customer (and any law enforcement or regulatory official) with reasonable assistance as required to investigate the Security Incident. Except as required by applicable law, the obligations set out in this Clause 10.2 shall not apply to Security Incidents caused by Customer.

10.3. Dataiku Employees and Personnel

Dataiku shall treat the Customer Personal Data as confidential, and shall ensure that any employees or other personnel have agreed in writing to protect the confidentiality and security of Customer Personal Data.

10.4. Audits

Dataiku will, upon reasonable request from Customer with at least 60 days’ prior notice, and no more than once per annum, allow for and contribute to audits, including inspections, conducted by Customer (or a third party auditor on behalf of, and mandated by, Customer) provided (i) such audits or inspections are not conducted more than once per year (unless requested by a Supervisory Authority); (ii) are conducted only during business hours; and (iii) are conducted to cause minimal disruption to Dataiku’s operations and business. Any expenses or costs associated with such audits or inspections shall be incurred by Customer.

10.5. Government Disclosure

Dataiku shall notify the Customer of any request for the disclosure of any Customer Personal Data by a governmental or regulatory body or law enforcement authority (including any Supervisory Authority) unless otherwise prohibited by applicable law or a legally binding order of such body or agency.

11. TERMINATION

11.1. Deletion of data

a) Following termination or expiration of the Agreement, Dataiku shall, in accordance with its obligations under the Agreement, delete all Customer Personal Data from Dataiku’s systems.

b) Notwithstanding the foregoing, Dataiku may retain Customer Personal Data (i) as required by applicable laws or (ii) in accordance with its standard backup or record retention policies, and always provided that Dataiku shall ensure the confidentiality of all such Customer Personal Data in accordance with this DPA and the Agreement and shall ensure that such Customer Personal Data is only Processed as necessary for the purpose(s) specified in such applicable laws and for no other purpose.


ANNEX I

DETAILS OF THE PROCESSING AND TRANSFER OF CUSTOMER PERSONAL DATA

A. LIST OF PARTIES

Data exporter

Customer

Customer’s name and contact details shall be as specified in the Agreement.

Activities relevant to the data transferred under these Clauses: Performance of the Cloud Service pursuant to the Agreement and as further described in the Terms of Service.

Role: Controller

Data importer

Dataiku’s entity name and contact details shall be as specified in the Agreement.

Activities relevant to the data transferred under these Clauses: Performance of the Cloud Service pursuant to the Agreement and as further described in the Terms of Service.

Role: Processor

B. DESCRIPTION OF TRANSFER

Categories of data subjects whose personal data is transferred

Customer’s employees, personnel, authorized users and any other data subjects whose data Customer or its authorized users submits, transfers, loads or otherwise provides to Dataiku via the Cloud Service.

Categories of personal data transferred

Business-related datasets that Customer or its authorized users submits to the Cloud Service.

Special categories of personal data (if applicable):

The transferred personal data includes the following special categories of data:

N/A

The applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures are:

N/A

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis):

The transfer is performed on a continuous basis and is determined by Customer’s configuration of the Cloud Service.

Nature of processing:

The Customer Personal Data will be subject to the following basic processing activities: transmitting, collecting, storing and analyzing data in order to provide the Cloud Service to Customer, and any other activities related to the provision of the Cloud Service or specified in the Terms of Service.

Purposes of the data transfer and further processing:

To provide the Cloud Service to Customer pursuant to the Agreement.

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period:

For the term of the Agreement.

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing:

As stipulated in Section 3 of the DPA. The Subprocessors may have access to the Personal Data for the term of this DPA or until the service contract with the respective Sub-processor is terminated or the access by the Subprocessor has been excluded as agreed between Dataiku and Customer.

C. COMPETENT SUPERVISORY AUTHORITY

Identify the competent supervisory authority/ies in accordance with clause 13 of the SCCs:

The competent supervisory authority is the supervisory authority specified in Section 4.2(c) of this DPA.

ANNEX II

TECHNICAL AND ORGANIZATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

  1.   Dataiku maintains internal policies and procedures, or procures that its Subprocessors do so, which are designed to:

(a)    secure any Customer Personal Data Processed by Dataiku against accidental or unlawful loss, access or disclosure;

(b)    identify reasonably foreseeable and internal risks to security and unauthorised access to the Customer Personal Data Processed by Dataiku;

(c)    minimise security risks, including through risk assessment and regular testing.

  2.   Dataiku will, and will use reasonable efforts to procure that its Subprocessors will, conduct periodic reviews of the security of their network and the adequacy of their information security program as measured against industry security standards and its policies and procedures.

  3.   Dataiku will, and will use reasonable efforts to procure that its Subprocessors will, periodically evaluate the security of their network and associated Services to determine whether additional or different security measures are required to respond to new security risks or findings generated by the periodic reviews.

ANNEX III

LIST OF SUBPROCESSORS

For more information about Dataiku’s subprocessors, please refer to Sections 3.1 and 3.2 of the DPA. The subprocessor’s contact information will be provided by Dataiku upon request.