DATA PROTECTION ADDENDUM
This Data Protection Addendum, including its Schedules (“DPA”), supplements the agreement between customer (“Customer”) and PlanetScale, Inc. (“PlanetScale”) into which it is incorporated by reference (“Agreement”).
Any capitalized terms not defined in this DPA shall have the meanings set forth in the Agreement.
“Applicable Data Protection Laws” means all laws and regulations applicable to PlanetScale’s Processing of Personal Data under the Agreement, including the General Data Protection Regulation 2016/679 (“GDPR”) and supplementing data protection law of the European Union Member States; the United Kingdom's Data Protection Act 2018 and the GDPR as saved into United Kingdom law by virtue of section 3 of the United Kingdom's European Union (Withdrawal) Act 2018 ("UK GDPR"); the Swiss Federal Data Protection Act ("Swiss DPA"); Canada’s Personal Information Protection and Electronic Documents Act (“PIPEDA”) S.C. 2000, ch. 5, and any provincial legislation deemed substantially similar to PIPEDA under the procedures set forth therein; the California Consumer Privacy Act Cal. Civ. Code § 1798.100 et seq., and its implementing regulations ("CCPA”) of 2018; and, the Brazilian Law No. 13,709/2018 – Brazilian General Data Protection Law (“LGPD”).
“Controller” means an entity which determines the purposes and means of the Processing of Personal Data.
“Customer Account Information” means Personal Data that relates to Customer’s relationship with PlanetScale, including the names or contact information of individuals authorized by Customer, phone numbers, email addresses, and billing information associated with Customer Account.
"Customer Data" means any Personal Data contained within the Customer Content, including any special categories of personal data defined under GDPR.
“Data Subject” means the identified or identifiable person to whom Personal Data relates.
"Europe" means the European Union, the European Economic Area, Switzerland and the United Kingdom.
“Personal Data” means any information relating to (i) an identified or identifiable natural person and, (ii) an identified or identifiable legal entity, where for each (i) or (ii), such data is Customer Data.
"Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. "Process", "Processes" and "Processed" shall be interpreted accordingly.
“Processor” means an entity which Processes Personal Data on behalf of the Controller, including as applicable any “service provider” as that term is defined by the CCPA.
"Security Incident" means any confirmed unauthorized or unlawful breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Customer Data.
"Services" means any products or services provided by PlanetScale to Customer pursuant to the applicable Agreement.
“Standard Contractual Clauses” means: (i) where the GDPR applies the contractual clauses annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (the "EU SCCs"); (ii) where the UK GDPR applies, the applicable standard data protection clauses adopted pursuant to Article 46(2)(c) or (d) of the UK GDPR (the "UK SCCs"); and (iii) where the Swiss DPA applies, the applicable standard data protection clauses issued, approved or otherwise recognized by the Swiss Federal Data Protection and Information Commissioner ("FDPIC") (the "Swiss SCCs").
"Sub-processor" means any Processor engaged by PlanetScale to assist in fulfilling its obligations with respect to providing the Services pursuant to the Agreement or this DPA.
Roles and Scope and Details of Processing.
- Role of the Parties.
- The parties acknowledge and agree that with regard to the Processing of Customer Data, Customer is a Controller and PlanetScale is a Processor. When Customer acts as a Processor of Customer Data, PlanetScale is a Processor as well.
- The parties acknowledge and agree that with regard to the Processing of Customer Account Information, Customer is a Controller and PlanetScale is an independent Controller.
- Scope of Processing.
- Customer Processing of Customer Data. Customer agrees that it shall comply with its obligations as a Controller or Processor under Applicable Data Protection Laws in respect of its Processing of Customer Data and any processing instructions it issues to PlanetScale. Customer shall have sole responsibility for the accuracy, quality, and legality of Customer Data and the means by which Customer acquired Customer Data. Customer specifically acknowledges and agrees that its use of the Services will not violate the rights of any Data Subject, including those that have opted-out from sales or other disclosures of Customer Data, to the extent required under Applicable Data Protection Laws.
- PlanetScale Processing of Customer Data. The parties agree that this DPA and the Agreement set out the Customer’s complete and final instructions to PlanetScale in relation to the Processing of Customer Data and Processing outside the scope of these instructions (if any) shall require prior written agreement between Customer and PlanetScale.
- Details of Processing. The subject matter of Processing of Customer Data by PlanetScale is the performance of the Services pursuant to the Agreement. The duration of the Processing, the nature and purpose of the Processing, the types of Personal Data and categories of Data Subjects Processed under this DPA are further specified in Schedule 1: ‘Details of Processing’ to this DPA.
- PlanetScale Personnel. PlanetScale shall ensure that its personnel engaged in the Processing of Personal Data are informed of the confidential nature of the Personal Data, have received appropriate training on their responsibilities and have executed written confidentiality agreements.
- Authorized Sub-processors. Customer agrees that PlanetScale may engage Sub-processors to Process Customer Data on Customer's behalf. PlanetScale maintains an up-to-date list of its Sub-processors located at https://planetscale.com/legal/subprocessors.
- Sub-processor Obligations. PlanetScale shall: (i) enter into a written agreement with the Sub-processor imposing data protection terms that require the Sub-processor to protect the Customer Data to the standard required by Applicable Data Protection Laws; and (ii) remain responsible for its compliance with the obligations of this DPA and for any acts or omissions of the Sub-processor that cause PlanetScale to breach any of its obligations under this DPA.
- Sub-processors Changes. PlanetScale shall notify Customer if it adds, removes or replaces Sub-processors at least ten (10) days prior to any such changes. Customer may object in writing to PlanetScale’s appointment of a new Sub-processor within five (5) calendar days of such notice, provided that such objection is based on reasonable grounds relating to data protection. In such an event, the parties shall discuss such concerns in good faith with a view to achieving resolution. If this is not possible, Customer may suspend or terminate the Agreement (without prejudice to any fees incurred by Customer prior to suspension or termination).
- Security Measures. PlanetScale has implemented and will maintain appropriate technical and organizational security measures to protect Customer Data as set forth in the Agreement, and in Schedule 2: ‘Technical and Organizational Security Measures’.
- Security Incident Response. Upon becoming aware of a Security Incident, PlanetScale shall notify Customer without undue delay and shall provide timely information relating to the Security Incident as it becomes known or as is reasonably requested by Customer.
- Updates to Security Measures. Customer is responsible for reviewing the information made available by PlanetScale relating to data security and making an independent determination as to whether the Services meet Customer’s requirements and legal obligations under Applicable Data Protection Laws. Customer acknowledges that the security measures are subject to technical progress and development and that PlanetScale may update or modify them from time to time provided that such updates and modifications do not result in the degradation of the overall security of the Services purchased by the Customer.
- Customer Responsibilities. Customer agrees that Customer is responsible for its secure use of the Services, including properly configuring the Services, securing its account authentication credentials, protecting the security of Customer Data when in transit to and from the Services and taking any appropriate steps to securely encrypt or backup any Customer Data used in connection to the Services.
- Security Report. Customer acknowledges that PlanetScale may be audited against SSAE 18 SOC 2 standards by independent third party auditors. Upon Customer’s reasonable written request, and subject to confidentiality, PlanetScale shall supply (on a confidential basis) a summary copy of its audit report(s) ("Report") to Customer, so that Customer can verify PlanetScale's compliance with the audit standards against which it has been assessed, and this DPA.
- Audits. Customer agrees that any audit rights granted by Applicable Data Protection Laws will be satisfied by the Report. To the extent that PlanetScale’s provision of a Report does not provide sufficient information and the Customer is required to respond to a regulatory authority audit, Customer agrees to a mutually agreed-upon audit plan of PlanetScale’s policies and procedures relevant to the Processing of Customer Data with PlanetScale that: (i) ensures the use of an independent third party; (ii) provides notice to PlanetScale in a timely fashion, and in any event no less than ten (10) business days; (iii) requests access only during business hours; (iv) occurs no more than once annually; (v) restricts its findings to only data relevant to Customer; and (vi) obligates Customer to keep confidential any information gathered that, by its nature, should be confidential, to the extent permitted by law.
Data Protection Impact Assessment; Data Subject Rights; and Government Access Requests.
- Data Protection Impact Assessment. PlanetScale will provide reasonable cooperation to Customer in connection with any data protection impact assessment, at Customer’s expense only if such reasonable cooperation will require PlanetScale to assign dedicated resources.
- Data Subject Rights. The Services provide Customer with some controls that Customer may use to retrieve, correct, delete or restrict Customer Data, which Customer may use to assist it in connection with its obligations under the Applicable Data Protection Laws, including its obligations relating to responding to requests from Data Subjects or applicable data protection authorities. To the extent that Customer is unable to independently access the relevant Customer Data within the Services, PlanetScale shall provide reasonable cooperation to assist Customer to respond to any requests from individuals or applicable data protection authorities relating to the Processing of Customer Data under the Agreement. In the event that any such request is made directly to PlanetScale, PlanetScale shall not respond to such communication directly without Customer's prior authorization, unless legally compelled to do so.
- Government Access Requests. If a law enforcement agency sends a demand for Customer Data (for example, through a subpoena or court order), PlanetScale shall attempt to redirect the law enforcement agency to request that data directly from Customer. As part of this effort, PlanetScale may provide Customer’s basic contact information to the law enforcement agency. If compelled to disclose Customer Data to a law enforcement agency, then PlanetScale shall give Customer reasonable notice of the demand to allow Customer to seek a protective order or other appropriate remedy, unless PlanetScale is legally prohibited from doing so.
- International Transfer. Customer acknowledges that PlanetScale’s primary processing facilities are in the United States of America. PlanetScale may transfer and process Customer Data anywhere in the world where PlanetScale, or its Sub-processors maintain data processing operations. PlanetScale shall at all times provide an adequate level of protection for the Customer Data processed, in accordance with the requirements of Applicable Data Protection Laws.
- Transfer from Europe. For any transfer of Customer Data from Europe to a country outside of Europe that is not recognized as providing an adequate level of protection of Personal Data under the Applicable Data Protection Laws, the parties agree to the following:
- Standard Contractual Clauses. PlanetScale agrees to comply with the Standard Contractual Clauses as set forth in Schedule 3. For the purpose of the Standard Contractual Clauses, PlanetScale agrees that it is the ‘data importer’ and Customer is the ‘data exporter’. To the extent that Customer is a Controller, the Standard Contractual Clauses (Controller to Processor) shall apply. If Customer is a Processor, the Standard Contractual Clauses (Processor to Processor) shall apply. For Customer Account Information, the Standard Contractual Clauses (Controller to Controller) shall apply.
- Alternative Transfer Mechanism. If PlanetScale adopts an alternative data transfer mechanism, including any new version of the Standard Contractual Clauses, for the transfer of data subject to the Applicable Data Protection Laws (“Alternative Transfer Mechanism”), the Alternative Transfer Mechanism shall apply instead of the Standard Contractual Clauses.
CCPA. To the extent PlanetScale is processing Customer Data within the scope of CCPA, PlanetScale will Process Customer Data only as necessary to provide the Services, and will not (i) sell (as defined under the CCPA) Customer Data; (ii) retain, use, or disclose Customer Data for any commercial purpose (as defined by the CCPA) other than providing the Services; or (iii) retain, use, or disclose Customer Data outside of the scope of the Agreement.
Return, Deletion and Retention of Customer Data. Upon termination of the Agreement, PlanetScale shall (at Customer's request) delete or return to Customer all Customer Data in its possession or control within thirty (30) days of such Customer’s request, and delete any Customer Data on PlanetScale’s backup system within ninety (90) days after Customer’s request, provided that this requirement shall not apply to the extent PlanetScale is required by applicable law to retain some or all of the Customer Data. PlanetScale will process Customer Account information as long as required to provide the Services to Customer, for PlanetScale’s legitimate business needs; or in accordance with any applicable law or regulation.
- Conflict. Except for the changes made by this DPA, the Agreement remains unchanged and in full force and effect. If there is any conflict between this DPA and the Agreement with regard to the subject matter of this DPA, this DPA shall prevail to the extent of that conflict.
- Limitation of Liability. Each party’s liability arising out of or related to this DPA, whether in contract, tort or under any other theory of liability, is subject to the ‘Limitation of Liability’ section of the Agreement, and any reference in such section to the liability of a party means the aggregate liability of that party under the Agreement and all DPAs together.
- Modification. PlanetScale may, in its sole discretion, make any updates to this DPA; provided, however, PlanetScale will provide reasonable notice to Customer when an update is required as a result of (i) a change in Applicable Data Protection Laws or a determination or order by a supervisory authority or court affecting this DPA; or (ii) a merger, acquisition, or other similar transaction.
- Governing Law. This DPA shall be governed by and construed in accordance with the governing law and jurisdiction provisions in the Agreement, unless required otherwise by Applicable Data Protection Laws.
SCHEDULE 1 DETAILS OF PROCESSING
- Nature and Purpose of the Processing. PlanetScale will Process Personal Data as necessary to provide the Services to Customer under the Agreement. PlanetScale will Process Customer Data, and Customer Account Information in accordance with this DPA.
- Duration of the Processing. Customer Data and Customer Account Information will be retained for the duration described in the DPA (Section 10).
- Categories of Data Subjects. Customer, End Users, Customer’s employees, or otherwise any individuals authorized by Customer.
- Categories of Personal Data. PlanetScale will Process any Personal Data contained in Customer Content, Customer Data and Customer Account Information.
- Sensitive Data. Not Applicable. Customer is responsible for ensuring that suitable safeguards are in place prior to transmitting or processing, or prior to permitting End Users to transmit or process, any sensitive data or special categories of data via the Services.
SCHEDULE 2 TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES
- Physical Access Controls: PlanetScale shall take reasonable measures to prevent physical access, such as security personnel and secured buildings and factory premises, to prevent unauthorized persons from gaining access to Customer Data, or ensure third parties operating data centers on its behalf are adhering to such controls.
- System Access Controls: PlanetScale shall take reasonable measures to prevent Customer Data from being used without authorization. These controls shall vary based on the nature of the Processing undertaken and may include, among other controls, authentication via passwords and/or two-factor authentication, documented authorization processes, documented change management processes and/or, logging of access on several levels.
- Data Access Controls: PlanetScale shall take reasonable measures to provide that Customer Data is accessible and manageable only by properly authorized staff, direct database query access is restricted and application access rights are established and enforced to ensure that persons entitled to use a data processing system only have access to the Customer Data to which they have privilege of access; and, that Customer Data cannot be read, copied, modified or removed without authorization in the course of Processing.
- Transmission Controls: PlanetScale shall take reasonable measures to ensure that it is possible to check and establish to which entities the transfer of Customer Data by means of data transmission facilities is envisaged so Services cannot be read, copied, modified or removed without authorization during electronic transmission or transport.
- Input Controls: PlanetScale shall take reasonable measures to provide that it is possible to check and establish whether and by whom Services have been entered into data processing systems, modified or removed. PlanetScale shall take reasonable measures to ensure that (i) the Customer Data source is under the control of Controller; and (ii) Customer Data integrated into the Services is managed by secured transmission from Controller.
- Data Backup: Back-ups of the databases in the Services are taken on a regular basis, are secured, and encrypted across the public internet and at rest to ensure that Customer Data is protected against accidental destruction or loss when hosted by PlanetScale, and in accordance with the Documentation.
- Legal Separation: Data from different PlanetScale subscriber environments is logically segregated on PlanetScale’s systems to ensure that Customer Data that is collected for different purposes may be Processed separately.
SCHEDULE 3 CROSS BORDER DATA TRANSFER MECHANISMS
Standard Contractual Clauses. The parties agree that the Standard Contractual Clauses will apply to Personal Data that is transferred via the Services from the European Economic Area or Switzerland, either directly or via onward transfer, to any country or recipient outside the European Economic Area or Switzerland that is: (a) not recognized by the European Commission (or, in the case of transfers from Switzerland, the competent authority for Switzerland) as providing an adequate level of protection for personal data. For data transfers from the European Economic Area that are subject to the 2021 Standard Contractual Clauses, the 2021 Standard Contractual Clauses will be deemed entered into (and incorporated into this DPA by this reference) and completed as follows:
Module One (Controller to Controller) of the Standard Contractual Clauses will apply where PlanetScale is Processing Customer Account Information.
Module Two (Controller to Processor) of the Standard Contractual Clauses will apply where Customer is a Controller of Customer Data and PlanetScale is processing Customer Data.
Module Three (Processor to Processor) of the Standard Contractual Clauses will apply where Customer is a Processor of Customer Data and PlanetScale is processing Customer Data.
For each Module, where applicable:
- in Clause 9 of the Standard Contractual Clauses, Option 2 will apply and the time period for prior notice of sub-processor changes will be as set forth in Section 4.3 (Current Sub-processors Changes) of this DPA;
- In Clause 11 the optional language will not apply;
- in Clause 17 (Option 1), the Standard Contractual Clauses will be governed by Irish law; and
- in Clause 18(b) of the Standard Contractual Clauses, disputes will be resolved before the courts of Ireland.
Annex I, Part A of the Standard Contractual Clauses:
Data Exporter: Customer.
Contact details: The email address(es) designated by Customer in Customer’s account via its notification preferences.
Data Exporter Role: The Data Exporter’s role is set forth in Section 2.1 (Role of the Parties) of this DPA.
Signature and Date: By entering into the Agreement, Data Exporter is deemed to have signed these Standard Contractual Clauses incorporated herein, including their Annexes, as of the Effective Date of the Agreement.
Data Importer: PlanetScale Inc.
Contact details: PlanetScale Privacy Team - firstname.lastname@example.org
Data Importer Role: The Data Importer’s role is set forth in Section 2.1 (Role of the Parties) of this DPA.
Signature and Date: By entering into the Agreement, Data Importer is deemed to have signed these Standard Contractual Clauses, incorporated herein, including their Annexes, as of the Effective Date of the Agreement.
Annex I, Part B of the Standard Contractual Clauses:
The categories of data subjects are described in Section 4 of Schedule 1 (Details of Processing) of this DPA.
The Sensitive Data transferred is described in Section 6 of Schedule 1 (Details of Processing) of this DPA.
The frequency of the transfer is a continuous basis for the duration of the Agreement.
The nature of the processing is described in Section 1 of Schedule 1 (Details of Processing) of this DPA.
The purpose of the processing is described in Section 1 of Schedule 1 (Details of Processing) of this DPA.
The duration for which the personal data will be retained is described in Section 3 of Schedule 1 (Details of Processing) of this DPA.
For transfers to sub-processors, the subject matter, nature, and duration of the processing is set forth herein.
Annex I, Part C of the Standard Contractual Clauses: The Irish Data Protection Commission will be the competent supervisory authority.
Schedule 2 (Technical and Organizational Security Measures) of this DPA serves as Annex II of the Standard Contractual Clauses.
UK Standard Contractual Clauses. The parties agree that the UK Standard Contractual Clauses will apply to personal data that is transferred via the Services from the United Kingdom, either directly or via onward transfer, to any country or recipient outside of the United Kingdom that is not recognized by the competent United Kingdom regulatory authority or governmental body for the United Kingdom as providing an adequate level of protection for personal data. For data transfers from the United Kingdom that are subject to the UK Standard Contractual Clauses, the UK Standard Contractual Clauses will be deemed entered into (and incorporated into this DPA by this reference) and completed as follows:
- The UK Controller to Processor SCCs will apply where PlanetScale is Processing Customer Data. The illustrative indemnification clause will not apply. Schedule 1 (Details of Processing) of this DPA serves as Appendix I of the UK Controller to Processor SCCs. Schedule 2 (Technical and Organizational Security Measures) of this DPA serves as Appendix II of the UK Controller to Processor SCCs.
- The UK Controller to Controller SCCs will apply where PlanetScale is Processing Customer Account Information. In Clause II(h) of the UK Controller to Controller SCCs, PlanetScale will process Personal Data in accordance with the data processing principles set forth in Annex A of the UK Controller to Controller SCCs. Schedule 1 (Details of Processing) of this DPA serves as Annex B of the UK Controller to Controller SCCs. Personal Data transferred under these clauses may only be disclosed to the following categories of recipients: (i) PlanetScale’s employees, agents, affiliates, advisors, and independent contractors with a reasonable business purpose for processing such personal data; (ii) PlanetScale vendors or service providers that, in their performance of their obligations to PlanetScale, must Process such Personal Data acting on behalf of and according to instructions from PlanetScale; and (iii) any person (natural or legal) or organization to whom PlanetScale may be required by applicable law or regulation to disclose Personal Data, including law enforcement authorities and central and local government authorities.
No Conflict. It is not the intention of either party to contradict or restrict any of the provisions set forth in the Standard Contractual Clauses and, accordingly, if and to the extent the Standard Contractual Clauses conflict with any provision of the Agreement and the DPA the Standard Contractual Clauses shall prevail to the extent of such conflict.