Data Processing Agreement

This Data Processing Agreement (this “DPA”) forms a part of the Master Services Agreement or other agreement executed and/or agreed upon by the Parties (the “Agreement”) between ConductorOne, Inc. (“ConductorOne”) and Customer. Capitalized terms used herein but not defined in this DPA shall have the meanings given to them in the Agreement.

1. Subject Matter and Duration.

a) Subject Matter. This DPA reflects the parties’ commitment to abide by Data Protection Laws concerning the Processing of Customer Personal Data in connection with ConductorOne’s execution of the Agreement. If and to the extent language in this DPA or any of its exhibits conflicts with the Agreement, this DPA shall control. For purposes of Data Protection Laws, ConductorOne is the “data processor” and Customer is the “data controller”.

b) Duration and Survival. This DPA will become legally binding upon the effective date of the Agreement. ConductorOne will Process Customer Personal Data until the relationship terminates as specified in the Agreement. ConductorOne’s obligations and Customer’s rights under this DPA will continue in effect so long as ConductorOne Processes Customer Personal Data.

2. Definitions.

For the purposes of this DPA, the following terms and those defined within the body of this DPA apply.

a) “Customer Personal Data” means Personal Data provided to ConductorOne by Customer. The Customer Personal Data and the specific uses of the Customer Personal Data are detailed in Exhibit A to this DPA.

b) “Data Protection Laws” means all applicable data privacy, data protection, and cybersecurity laws, rules and regulations to which the Customer Personal Data are subject. “Data Protection Laws” shall include, but not be limited to: (i) the California Consumer Privacy Act of 2018 (“CCPA”), (ii) the EU General Data Protection Regulation 2016/679 (“GDPR”), and (iii) the GDPR as incorporated into the United Kingdom by the Data Protection Act 2018 and amended by the Data Protection, Privacy and Electronic Communications (Amendment etc) (EU Exit) Regulations 2019 (each as amended, superseded, or replaced).

c) “Personal Data” shall have the meaning assigned to the terms “personal data” and/or “personal information” under Data Protection Laws.

d) “Process,” “Processes,” “Processing,” “Processed” means any operation or set of operations which is performed on data or sets of data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction.

e) “Security Incident(s)” means the breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data.

f) “Services” means any and all products and services that ConductorOne provides and/or performs under the Agreement, including the Platform.

g) “Subprocessor(s)” means ConductorOne’s authorized contractors, agents, vendors and third-party service providers (i.e., sub-processors) that Process Customer Personal Data.

3. Data Use and Processing.

a) Documented Instructions. ConductorOne and its Subprocessors shall Process Customer Personal Data solely for the purpose of providing the Services to Customer, and solely to the extent necessary to provide the Services to Customer, in each case, in accordance with the Agreement, this DPA and Data Protection Laws. ConductorOne will, unless legally prohibited from doing so, inform Customer in writing if it reasonably believes that there is a conflict between Customer’s instructions and applicable law or otherwise seeks to Process Customer Personal Data in a manner that is inconsistent with Customer’s instructions.

b) Authorization to Use Subprocessor. To the extent necessary to fulfill ConductorOne’s contractual obligations under the Agreement or any Order Form, Customer hereby authorizes ConductorOne to engage Subprocessors. Any Subprocessor Processing of Customer Personal Data shall be consistent with Customer’s documented instructions and comply with Data Protection Laws.

c) ConductorOne and Subprocessor Compliance. ConductorOne shall (i) enter into a written agreement with Subprocessors regarding such Subprocessor’s Processing of Customer Personal Data that imposes on such Subprocessors (and their sub-processors) data protection and security requirements for Customer Personal Data that are at least as restrictive as the obligations in this DPA; and (ii) remain responsible to Customer for ConductorOne’s Subprocessors’ (and their sub-processors if applicable) failure to perform their obligations with respect to the Processing of Customer Personal Data. ConductorOne shall flow down all material obligations in this DPA to Subprocessors (and their sub-processors) regarding, among other things: (i) Customer Personal Data and (ii) all Customer’s and Customer’s regulator’s rights regarding review and audit (including Customer’s right to appoint an independent third party to perform such review or audits).

d) Right to Object to Subprocessor. ConductorOne’s list of Subprocessors that currently Process Customer Personal Data is included in Exhibit A. Prior to engaging any new Subprocessors that Process Customer Personal Data, ConductorOne will notify Customer via email and allow Customer 30 days to object. If Customer has legitimate objections to the appointment of any new Subprocessor, the Parties will work together in good faith to resolve the grounds for the objection for no less than 30 days, and failing any such resolution, Customer may terminate the part of the Services performed under the Agreement that cannot be performed by ConductorOne without use of the objectionable Subprocessor. ConductorOne shall refund any pre-paid fees to Customer in respect of the terminated part of the Services.

e) Confidentiality. Any person or Subprocessor authorized to Process Customer Personal Data must contractually agree to maintain the confidentiality of such information or be under an appropriate statutory obligation of confidentiality.

f) Personal Data Inquiries and Requests. ConductorOne agrees to provide reasonable assistance and comply with all reasonable instructions from Customer related to any requests from individuals exercising their rights in Customer Personal Data granted to them under Data Protection Laws.

g) Sale of Customer Personal Data Prohibited. ConductorOne shall not sell Customer Personal Data as the term “sell” is defined by the CCPA. ConductorOne shall not disclose or transfer Customer Personal Data to a Subprocessor or other parties that would constitute “selling” as the term is defined by the CCPA.

h) Data Protection Impact Assessment and Prior Consultation. ConductorOne agrees to provide reasonable assistance at Customer’s expense to Customer where, in Customer’s judgement, the type of Processing performed by ConductorOne requires a data protection impact assessment and/or prior consultation with the relevant data protection authorities.

i) Demonstrable Compliance. ConductorOne agrees to keep records of its Processing in compliance with Data Protection Laws and provide any necessary records to Customer to demonstrate compliance upon reasonable request.

4. Cross-Border Transfers of Personal Data.

a) Cross-Border Transfers of Personal Data. Customer authorizes ConductorOne and its Subprocessors to transfer Customer Personal Data across international borders, including from the European Economic Area to the United States. Where required, cross-border transfers of Customer Personal Data must be supported by an approved adequacy mechanism.

b) UK Standard Contractual Clauses. For transfers of Customer Personal Data out of the United Kingdom that are subject to Section 4(a) of this DPA, the Standard Contractual Clauses for data controller to data processor transfers approved by the European Commission in decision 2010/87/EU (the “UK Standard Contractual Clauses”) will apply and are incorporated into this DPA by reference, provided that the illustrative indemnification clause within Appendix 2 of the UK Standard Contractual Clauses will not apply. Exhibit A of this DPA will serve as Appendix 1 of the UK Standard Contractual Clauses.

c) 2021 Standard Contractual Clauses. ConductorOne and Customer will use the European Commission Decision C(2021)3972 Standard Contractual Clauses for Controllers to Processors (“SCC”) (available at https://ec.europa.eu/info/system/files/1_en_annexe_acte_autonome_cp_part1_v5_0.pdf) as the adequacy mechanism supporting the transfer and Processing of Customer Personal Data out of the EEA and Switzerland, the terms of which are herein incorporated by reference and made a part hereof. The Parties agree that “Module Two: Transfer controller to processor” will be the version used for purposes of this DPA. All other module options will not apply. Under Annex 1 of the SCCs, the “data exporter” is Customer and the “data importer” is ConductorOne and the information required by Annex 1 can be found in Exhibit A hereto. For the purposes of Annex 2 of the SCCs, the technical and organizational measures implemented by the data importer are those listed in Section 5 of this DPA. Pursuant to clause 5(h) of the SCCs, Customer agrees that ConductorOne may engage new Subprocessors in accordance with Section(s) 3(c) – 3(e) of this DPA. For clause 17, the Parties choose Option 1 and the Parties agree that the governing law will be the Republic of Ireland. For clause 18, the Parties agree that the courts of the Republic of Ireland will apply for subsection (b). The Parties agree that the Illustrative Clause (Optional) is expressly not included in the SCCs. Each party’s signature to this DPA shall be considered a signature to the SCCs. If required by the laws or regulatory procedures of any jurisdiction, the Parties shall execute or re-execute the SCCs as separate documents. In case of conflict between the SCCs and this DPA, the SCCs will prevail.

5. Information Security Program.

a) ConductorOne agrees to implement appropriate technical and organizational measures to protect Customer Personal Data (the “Information Security Program”). At a minimum, such measures shall include:

(i) Pseudonymisation of Customer Personal Data where appropriate, and encryption of Customer Personal Data in transit and at rest;
(ii) The ability to ensure the ongoing confidentiality, integrity and availability of ConductorOne’s Processing and Customer Personal Data;
(iii) The ability to restore the availability of and access to Customer Personal Data in the event of a physical or technical incident;
(iv) A process for regularly testing, assessing and evaluating the effectiveness of ConductorOne’s Information Security Program to ensure the security of Customer Personal Data from reasonably suspected or actual accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access.

6. Security Incidents.

a) Security Incident Procedure. ConductorOne will deploy and follow policies and procedures to detect, respond to, and otherwise address Security Incidents, including procedures to:

(i) identify and respond to reasonably suspected or known Security Incidents, mitigate harmful effects of Security Incidents, document Security Incidents and their outcomes, and
(ii) restore the availability or access to Customer Personal Data in a timely manner.

b) Notice. ConductorOne agrees to provide prompt written notice without undue delay (and in any event within 48 hours) to Customer’s Designated POC if it verifies that a Security Incident has taken place. Such notice will include all available details required under Data Protection Laws for Customer to comply with its own notification obligations to regulatory authorities or individuals affected by the Security Incident.

7. Audits.

a) Right to Audit; Permitted Audits. In addition to any other audit rights that may be described in the Agreement, Customer and its regulators shall have the right, in the event any of the following occurs, upon at least 30 days’ prior written notice, to an on-site audit (at a date and time mutually agreed upon) of ConductorOne’s architecture, systems, policies and procedures relevant to the security and integrity of Customer Personal Data, or as otherwise required by a governmental regulator:

(i) Following any notice from ConductorOne to Customer of an actual or reasonably suspected Security Incident involving Customer Personal Data;
(ii) Upon Customer’s knowledge that ConductorOne is not in compliance with Data Protection Laws, this DPA or its security policies and procedures under the Agreement;
(iii) As required by governmental regulators; and
(iv) For compliance purposes, once annually.

b) Audit Terms. Any audits described in this Section shall be:

(i) Conducted by Customer or its regulator, or through a third-party independent contractor selected by one of these parties and paid for by Customer;
(ii) Conducted during reasonable times;
(iii) To the extent possible, conducted upon reasonable advance notice (but no less than 30 days’ prior notice) to ConductorOne; and
(iv) Of reasonable duration and shall not unreasonably interfere with ConductorOne’s day-to-day operations.

c) Third-Party Auditor. In the event that Customer conducts an audit through a third-party independent auditor, or a third party accompanies Customer or participates in such audit, such third party shall be required to enter into a non-disclosure agreement containing confidentiality provisions substantially similar to those set forth in the Agreement to protect ConductorOne’s and ConductorOne’s customers’ confidential and proprietary information. For the avoidance of doubt, regulators shall not be required to enter into a non-disclosure agreement.

d) Audit Results. Upon ConductorOne’s request, after conducting an audit, Customer shall notify ConductorOne of the manner in which ConductorOne does not comply with any of the applicable security, confidentiality or privacy obligations or Data Protection Laws herein. Upon such notice, ConductorOne shall make any reasonably necessary changes to ensure compliance with such obligations at its own expense and without unreasonable delay, and shall notify Customer when such changes are complete. Notwithstanding anything to the contrary in the Agreement, Customer may conduct a follow-up audit within six (6) months of ConductorOne’s notice of completion of any necessary changes. To the extent that a ConductorOne audit and/or Customer audit identifies any material security vulnerabilities, ConductorOne shall remediate those vulnerabilities within a commercially reasonable amount of time of the completion of the applicable audit, unless any vulnerability by its nature cannot be remedied within such time, in which case the remediation must be completed within a mutually agreed upon time.

8. Data Storage and Deletion.

a) Data Storage. ConductorOne will not store or retain any Customer Personal Data except as necessary to perform the Services under the Agreement.

b) Data Deletion. ConductorOne will abide by the following with respect to deletion of Customer Personal Data:

(i) Within a reasonable amount of time after the Agreement’s expiration or termination, or sooner if requested by Customer, ConductorOne will securely destroy (per subsection (iii) below) all copies of Customer Personal Data (including automatically created archival copies).
(ii) Upon Customer’s request, ConductorOne will promptly return to Customer a copy of all Customer Personal Data within 30 days and, if Customer also requests deletion of the Customer Personal Data, will carry that out as set forth above.
(iii) Customer Personal Data shall be disposed of in a method that prevents any recovery of the data in accordance with industry best practices for shredding of physical documents and wiping of electronic media (e.g., NIST SP 800-88).
(iv) Upon Customer’s request, ConductorOne will provide a “Certificate of Deletion” certifying that ConductorOne has deleted all Customer Personal Data. ConductorOne will provide the “Certificate of Deletion” within 30 days of Customer’s request.

9. Contact Information.

a) ConductorOne and the Customer agree to designate a point of contact for urgent privacy and security issues (a “Designated POC”). The Designated POC for both parties are:

Exhibit A

1.1 Subject Matter of Processing. The subject matter of Processing is the Services pursuant to the Agreement.

1.2 Duration of Processing. The Processing will continue until the expiration or termination of the Agreement.

1.3 Categories of Data Subjects. May include, but is not limited to, the following:

- Customer’s employees and contractors.

1.4 Nature and Purpose of Processing. The purpose of Processing of Customer Personal Data by Company is the performance of the Services pursuant to the Agreement.

1.5 Types of Personal Data. May include, but is not limited to, the following:

- First and last name
- Employee ID
- Job Title
- Department
- Manager
- E-mail

1.6 Subprocessors

As listed at www.conductorone.com/legal/subprocessors