Data Processing Addendum

Last Updated: September 3, 2022

This Data Processing Addendum, including its schedules and the Standard Contractual Clauses (collectively, the “DPA”), forms part of the Subscription Agreement available at https://akitra.com/terms (collectively, the “Agreement”) between the parties under which Akitra will provide certain services (collectively, the “Services”) to Customer. This DPA is supplemental to the Agreement and sets out the roles and obligations that apply when Akitra processes personal data on behalf of Customer while providing the Services protected by Applicable Data Protection Law under the Agreement.

By entering into the Agreement, Customer enters into this DPA, and the Standard Contractual Clauses (as applicable and as defined below) on behalf of itself and, to the extent required under Applicable Data Protection Law, in the name and on behalf of its Affiliates (if any) permitted to use the Services. For the purposes of this DPA only, and except where indicated otherwise, the term “Customer” shall include Customer and such Affiliates. If the Customer entity signing the DPA is not a party to an Order Form nor an Agreement directly with Akitra, but is a customer indirectly via an authorized reseller or partner of Akitra services, this DPA is not valid and is not legally binding. Such entity should contact the authorized reseller to discuss whether any amendment to its agreement with that reseller may be required.

The parties agree as follows:

  1. Definitions

For purposes of this DPA, the terms below have the meanings set forth below. Capitalized terms that are used but not defined in this DPA have the meanings

1.1. Affiliates means an entity that directly or indirectly controls, is controlled by or is under common Control with an entity, where “Control” refers to the power to direct or cause the direction of the subject entity, whether through ownership of voting securities, by contract or otherwise. 

1.2. Applicable Data Protection Law means privacy, data protection and security laws and regulations applicable to any jurisdiction applicable to the Processing of Personal Data under the Agreement, including, without limitation, European Data Protection Laws and the CCPA. 

1.3. CCPA means Title 1.81.5 California Consumer Privacy Act of 2018 and any regulations promulgated thereunder, in each case, as amended from time to time, including the California Privacy Rights Act of 2020, and any regulations promulgated thereunder. 

1.4. Customer Data means any data that is protected as “personal data”, “personal information” or “personally identifiable information” under Applicable Data Protection Law and processed in accordance with Section 2.1 of this DPA in connection with the Services, and as more particularly described in Schedules 1 and 2 of this DPA (as applicable).

1.5. Europe means, for the purposes of this DPA, the member states of the European Economic Area (“EEA”), Switzerland and the United Kingdom (“UK”). 

1.6. European Data Protection Law means the GDPR and other data protection laws and regulations of the European Union, its Member States, Switzerland, Iceland, Liechtenstein, Norway and the United Kingdom, in each case, to the extent applicable to the Processing of Personal Data under the Agreement. GDPR means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, as amended from time to time.

1.7. Restricted Transfer means: (i) where the GDPR applies, a transfer of personal data from the EEA to a country outside of the EEA which is not subject to an adequacy determination by the European Commission; (ii) where the UK GDPR applies, a transfer of personal data from the UK to any other country which is not based on adequacy regulations pursuant to Section 17A of the Data Protection Act 2018; and (iii) where the Swiss DPA applies, a transfer of personal data to a country outside of Switzerland which is not included on the list of adequate jurisdictions published by the Swiss Federal Data Protection and Information Commissioner.

1.8. Information Security Incident means a personal data breach or any confirmed breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Customer Data transmitted, stored or otherwise processed by Akitra in connection with the provision of the Services. Security Incident shall not include unsuccessful attempts or activities that do not compromise the security of personal data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks and other network attacks on firewalls or networked systems.

 

1.9. Standard Contractual Clauses (SCC) means the standard contractual clauses for the transfer of personal data to third countries adopted by the European Commission in its Implementing Decision (EU) 2021/91 of the European Parliament and the Council approved by European Commission Implementing Decision (EU) 2021/914 of 4 June 2021, as currently set out at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj.

 

1.10. Sub-processor means any third parties that Akitra engages to Process Personal Data in relation to the Services.

1.11. UK Addendum means the UK Addendum to the EU Standard Contractual Clauses issued by the Information Commissioner’s Office under s.119A(1) of the UK Data Protection Act 2018.

1.12. Personal Data means customer content that constitutes “personal data,” “personal information,” or “personally identifiable information” defined in Applicable Data Protection Laws, or information of a similar character regulated thereby, except that personal data does not include such information pertaining to Customer’s personnel or representatives who are business contacts of Akitra, where Akitra acts as a controller of such information. 

1.13. Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. The terms controller, data subject, processor and supervisory authority as used in this DPA have the meanings given in the GDPR.

  2. Duration and Scope of DPA

2.1 This DPA will remain in effect so long as Akitra Processes Personal Data, notwithstanding the expiration or termination of the Agreement, protected by Applicable Data Protection Law in the course of providing the Services pursuant to the Agreement as follows:

2.1.1. Where Customer is a controller or business (as applicable) of the Customer Data covered by this DPA, Akitra shall be a processor or service provider (as applicable) processing Customer Data on behalf of the Customer and this DPA shall apply accordingly;

2.1.2. Where and to the extent Akitra and/or each relevant Akitra Affiliates process Customer Data as controller or business (as applicable), Akitra will process such Customer Data in compliance with Applicable Data Protection Law, the Akitra Privacy Policy which can be found at https://www.akitra.com/privacy-policy, and Sections 3, 5.1, 5.2, 6, 7, and 9.1.3 of this DPA, to the extent applicable, only. Schedules 1 and 2 to this DPA apply solely to Processing subject to European Data Protection Laws.  Schedule 3 to this DPA applies solely to Processing subject to the CCPA to the extent Customer is a “business” (as defined in CCPA) with respect to such Processing.

2.2. Customer Instructions for processing of Personal Data. As a processor, Akitra shall process Customer Data only with customer’s instructions for the purposes described in this DPA and only in accordance with Customer’s documented lawful instructions, except to the extent required by Applicable Data Protection Law. The parties agree that this DPA and the Agreement provide the Customer’s complete and final instructions to Akitra in relation to the processing of Customer Data, and if applicable, include and are consistent with all instructions from third party controllers, and processing outside the scope of these instructions shall require prior written agreement between Customer and Akitra. Without prejudice to Section 2.3, Akitra shall notify Customer in writing, unless prohibited from doing so under Applicable Data Protection Law, if it becomes aware or believes that any data processing instruction from Customer violates Applicable Data Protection Law. Where applicable, Customer shall be responsible for any communications, notifications, assistance and/or authorizations that Akitra may be required to provide to or receive from a third-party controller.

2.3. Customer Responsibilities.  

Without limitation of Customer’s obligations under the Agreement, Customer (a) agrees that Customer is solely responsible for its use of the Services, including (1) making appropriate use of the Services to ensure a level of security appropriate to the risk in respect of the Personal Data, (2) securing the account authentication credentials, systems and devices Customer uses to access the Services, (3) securing Customer’s systems and devices that Akitra uses to provide the Services, and (4) backing up Personal Data; (b) shall comply with its obligations under Applicable Data Protection Laws; and (c) shall ensure (and is solely responsible for ensuring) that its instructions comply with Applicable Data Protection Laws, and that Customer has given all notices to, and has obtained all such notices from, individuals to whom Personal Data pertains and all other parties as required by applicable laws or regulations for Akitra to Process Personal Data as contemplated by the Agreement. (d) Customer shall comply with its obligations under Applicable Data Protection Laws.


Customer represents and warrants to Akitra that Customer Data does not and will not, without Akitra’s prior written consent, contain any social security numbers or other government-issued identification numbers, protected health information subject to the Health Insurance Portability and Accountability Act (HIPAA) or other information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional; health insurance information; biometric information; passwords for online accounts; credentials to any financial accounts; tax return data; credit reports or consumer reports; any payment card information subject to the Payment Card Industry Data Security Standard; information subject to the Gramm-Leach-Bliley Act, Fair Credit Reporting Act or the regulations promulgated under either such law; information subject to restrictions under Applicable Data Protection Laws governing Personal Data of children, including, without limitation, all information about children under 16 years of age; or any information that falls within any special categories of data (as defined in GDPR).

 

2.4. Aggregate Data. Notwithstanding the foregoing or anything to the contrary in the Agreement, Customer acknowledges that Akitra and its Affiliates shall have a right to collect and create anonymized, aggregate and/or de-identified information (as defined by Applicable Data Protection Law) for its own legitimate business purposes.

  3. Akitra as a Controller

3.1. Each party shall be individually and separately responsible for complying with the obligations that apply to it as a separate and independent controller under Applicable Data Protection Law and neither party shall be responsible for the other party’s compliance with Applicable Data Protection Law. 

  4. Sub-processing

4.1. Authorized Sub-processors. Customer hereby provides a general authorization to Akitra to engage Sub-processors to process Customer Data on Customer’s behalf (with respect to its role as a processor or service provider, as applicable). The Sub-processors engaged by Akitra depend on the Services purchased by Customer and are made available at Akitra’s website at www.akitra.com/subprocessors (“Sub-processor List”).

4.2. Notice. Akitra shall notify Customer of any new engagement of a Sub-processor at least ten (10) days before any such changes by sending an email to the email address designated by Customer to receive notifications.

  5. Security Measures, Incidents and Audits

5.1. Security Measures. Akitra will implement and maintain administrative, technical and physical safeguards designed to protect the security and integrity of Personal Data and prevent Information Security Incidents (“Security Measures”). The Security Measures shall at a minimum include the measures described in Schedule 4 and any other measures required by Applicable Data Protection Laws. Akitra may update the Security Measures from time to time, so long as the updated measures do not materially decrease the overall protection of Personal Data. Customer acknowledges that the Security Measures are subject to technical progress and development and that Akitra may update and/or modify the Security Measures from time to time, provided that such updates and/or modifications do not result in the material degradation of the overall security of the Services purchased by the Customer.

5.2. Security Incidents. Akitra will notify Customer without undue delay of any Information Security Incident of which Akitra becomes aware.  Such notifications will describe available details of the Information Security Incident, including steps taken to mitigate the potential risks and steps Akitra recommends the Customer take to address the Information Security Incident.  Akitra’s notification of or response to an Information Security Incident will not be construed as Akitra’s acknowledgement of any fault or liability with respect to the Information Security Incident.

5.3. Customer Security Responsibilities. Notwithstanding the above, Customer agrees that except as provided by this DPA, Customer is responsible for its secure use of the Services, including securing its account authentication credentials, protecting the security of Customer Data when in transit to and from the Services and taking any appropriate steps to securely encrypt or backup any Customer Data processed in connection with the Services. Customer shall implement and maintain appropriate technical and organizational security measures designed to protect personal data from Security Incidents and to preserve the security and confidentiality of personal data while in its dominion and control.

5.4. Security Incident Response. Upon becoming aware of a Security Incident, Akitra shall notify Customer without undue delay and shall provide timely information relating to the Security Incident as it becomes known or as is reasonably requested by Customer. Akitra’s notification of or response to a Security Incident in accordance with this section will not be construed as an acknowledgment by Akitra of any fault or liability with respect to the Security Incident.

5.5. Security Audits. On written request from Customer, Akitra shall provide written responses, which may include audit report summaries or extracts to all reasonable requests for information made by Customer related to its processing of Customer Data necessary to confirm Akitra’s compliance with this DPA, provided that Customer shall not exercise this right more than once in any 12-month rolling period. Notwithstanding the foregoing, Customer may also exercise such audit right in the event Customer is expressly requested or required to provide this information to a data protection authority, or Akitra has experienced a Security Incident, or on another reasonably similar basis. Nothing herein shall be construed to require Akitra to provide: (i) trade secrets or any proprietary information; (ii) any information that would violate Akitra’s confidentiality obligations, contractual obligations, or applicable law; or (iii) any information, the disclosure of which could threaten, compromise, or otherwise put at risk the security, confidentiality, or integrity of Akitra’s infrastructure, networks, systems, or data.

  6. International Transfers

6.1. Processing Locations. Customer acknowledges and agrees that Akitra and its Sub-processors may transfer (including conduct Restricted Transfers) and process Customer Data to and in the United States and anywhere else in the world where Akitra, its Affiliates or its Sub-processors maintain data processing operations, as more particularly described in the Sub-processor List. The parties shall ensure that such transfers are made in compliance with the requirements of Applicable Data Protection Law and this DPA.

  7. Deletion of Customer Data

7.1. Deletion. Upon termination or expiry of the Agreement, on Customer’s request Akitra shall delete all Customer Data processed by Akitra as a processor including copies in its possession or control in accordance with the Agreement, save that this requirement shall not apply to the extent Akitra is required by applicable law to retain some or all of the Customer Data, or to Customer Data it has archived on back-up systems, which data Akitra shall securely isolate and protect from any further processing and delete in accordance with its deletion practices, except to the extent required by applicable law. Customer Data processed by Akitra as a controller will be deleted or retained in accordance with the Akitra Privacy Statement. 

  8. Rights of Individuals and Cooperation

8.1. Data Subject Requests. To the extent Customer is unable to independently access the relevant Customer Data within the Services, Akitra shall, at Customer’s expense and taking into account the nature of the processing, provide reasonable cooperation to assist Customer to respond to any requests from individuals or applicable data protection authorities relating to the processing of Customer Data under the Agreement. In the event that any such request is made to Akitra directly, and Akitra is able to readily discern that such request is associated with Customer, Akitra shall not respond to such communication directly without Customer’s prior authorization, unless legally compelled to do so. If Akitra is required to respond to such a request, Akitra shall promptly notify Customer and provide it with a copy of the request unless legally prohibited from doing so.

  9. Jurisdiction Specific Terms

9.1. Europe. To the extent Customer Data is subject to European Data Protection Law, the following terms shall apply in addition to the terms in the remainder of this DPA:

9.1.1. Sub-processor Obligations. Akitra shall: (i) enter into a written agreement with each Sub-processor imposing data protection terms that require Sub-processor to protect Customer Data to the standard required by applicable European Data Protection Law and this DPA; and (ii) remain responsible for its compliance with the obligations of this DPA and for any acts or omissions of the Sub-processor that cause Akitra to breach any of its obligations under this DPA. Akitra shall use reasonable efforts to provide relevant extracts of the agreement with any Sub-processor it appoints to Customer upon request.

9.1.2. Objections to Sub-processors. Customer may object in writing to Akitra’s appointment of a new Sub-processor on reasonable grounds relating to data protection (e.g., if making Customer Data available to the Sub-processor may violate European Data Protection Law or weaken the protections for such Customer Data) by notifying Akitra promptly in writing within five (5) calendar days of receipt of Akitra’s notice in accordance with Section 4.1 above. Such notice shall explain the reasonable grounds for the objection and the parties shall discuss such concerns in good faith with a view to achieving commercially reasonable resolution. If no such resolution can be reached, Akitra will, at its sole discretion, either not appoint the Sub-processor, or permit Customer to suspend or terminate the affected Product in accordance with the termination provisions in the Agreement without liability to either party (but without prejudice to any fees incurred by Customer before suspension or termination). If such objection right is not exercised by Customer in the terms described above, silence shall be deemed to constitute an approval of such engagement. 

9.1.3. Restricted Transfers. The parties agree that when the transfer of Personal Data from Customer (as “data exporter”) to Akitra (as “data importer”) is a Restricted Transfer, it shall be subject to the Standard Contractual Clauses, which shall be automatically incorporated by reference and form an integral part of this DPA, as follows:
A. Akitra as a Processor. In relation to Customer Data that is protected by the EU GDPR and is processed in accordance with Section 2.1.1 of this DPA, the SCCs shall apply, completed as follows:

i. Module Two will apply;

ii. in Clause 7, the optional docking clause will apply;

iii. in Clause 9, Option 2 will apply, and the time period for prior notice of Sub-processor changes is identified in Section 4 above;

iv. in Clause 11, the optional language will not apply;

v. in Clause 17, Option 1 will apply, and the SCCs will be governed by the law of the EU Member State in which the data exporter is established and if no such law Ireland law;

vi. in Clause 18(b), disputes shall be resolved before the courts of the law of the EU Member State in which the data exporter is established and if no such law Ireland law;

vii. Schedule 1 of the SCCs shall be deemed completed with the information set out in Schedule 1 of this DPA; and

viii. subject to Sections 5.1 and 5.2 of this DPA, Schedule 1 of the SCCs shall be deemed completed with the information set out in Schedule 3 to this DPA;

B. Akitra as a Controller. In relation to Customer Data that is protected by the EU GDPR and is processed in accordance with Section 2.1.2 of this DPA, the SCCs shall apply, completed as follows:

i. Module One will apply;

ii. in Clause 7, the optional docking clause will apply;

iii. in Clause 11, the optional language will not apply;

iv. in Clause 17, Option 1 will apply, and the SCCs will be governed by the law of the EU Member State in which the data exporter is established and if no such law Ireland law;

v. in Clause 18(b), disputes shall be resolved before the courts of the law of the EU Member State in which the data exporter is established and if no such law Ireland law;

vi. Schedule 1 of the SCCs shall be deemed completed with the information set out in Schedule 1 of this DPA; and

vii. Subject to Sections 5.1 and 5.2 of this DPA, Schedule of the SCCs shall be deemed completed with the information set out in Schedule 3 to this DPA.

C. Transfers relating to the UK. In relation to Customer Data that is protected by the UK GDPR, the SCCs: (i) shall apply as completed in accordance with sub-paragraphs (A) and (B) above; and (ii) shall be deemed amended as specified by the UK Addendum attached as Schedule 4, which shall be deemed executed by the parties and incorporated into and form an integral part of this DPA. Any conflict between the terms of the SCCs and the UK Addendum shall be resolved in accordance with Section 10 and Section 11 of the UK Addendum.

D. Transfers relating to Switzerland. In relation to Customer Data that is protected by the Swiss DPA, the SCCs as implemented under sub-paragraphs (A) and (B) above will apply with the following modifications:

i. references to “Regulation (EU) 2016/679” shall be interpreted as references to the Swiss DPA;

ii. references to specific Articles of “Regulation (EU) 2016/679” shall be replaced with the equivalent article or section of the Swiss DPA;

iii. references to “EU”, “Union”, “Member State” and “Member State law” shall be replaced with references to “Switzerland”, or “Swiss law”;

iv. the term “member state” shall not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (i.e., Switzerland);

v. Clause 13(a) and Schedule 2 Competent supervisory authority are not used and the “competent supervisory authority” is the Swiss Federal Data Protection and Information Commissioner;

vi. references to the “competent supervisory authority” and “competent courts” shall be replaced with references to the “Swiss Federal Data Protection and Information Commissioner” and “applicable courts of Switzerland”;

vii. in Clause 17, the SCCs shall be governed by the laws of Switzerland;

viii. Clause 18(b) shall state that disputes shall be resolved before the applicable courts of Switzerland; and

ix. the SCCs shall also protect the data of legal entities until the entry into force of the revised Swiss Federal Data Protection Act.

E. Conflicts. It is not the intention of either party to contradict or restrict any of the provisions set forth in the SCCs and, accordingly, if and to the extent the SCCs conflict with any provision of the Agreement (including this DPA), the SCCs shall prevail to the extent of such conflict.

9.1.4. Alternative Transfer Arrangement. If, and to the extent Akitra adopts an alternative data export solution (including adopting Binding Corporate Rules or any new version of or successor to the SCCs or Privacy Shield adopted pursuant to applicable European Data Protection Law) for the transfer of Customer Data as prescribed by applicable European Data Protection Laws (“Alternative Transfer Mechanism”), the Alternative Transfer Mechanism shall apply instead of any applicable transfer mechanism described in this DPA (but only to the extent such Alternative Transfer Mechanism complies with applicable European Data Protection Law and extends to the territories to which Customer Data is transferred) and Customer agrees to execute such other and further documents and take such other and further actions as may be reasonably necessary to give legal effect to such Alternative Transfer Mechanism. In addition, if and to the extent that a court of competent jurisdiction or a supervisory authority with binding authority orders (for whatever reason) that the measures described in this DPA cannot be relied on to lawfully transfer Customer Data to a country that does not ensure an adequate level of protection (within the meaning of applicable European Data Protection Law), the parties shall reasonably cooperate to agree and take any actions that may be reasonably required to implement any additional measures or safeguards not described in this DPA or alternative transfer mechanisms (“Alternative Transfer Arrangements”) to enable the lawful transfer of such Customer Data.

9.1.5. Data Protection Impact Assessment. To the extent Akitra is required under applicable European Data Protection Law, Akitra shall provide reasonably requested information regarding Akitra processing of Customer Data under the Agreement to enable the Customer to carry out data protection impact assessments or prior consultations with supervisory authorities as required by law.

9.2. California. To the extent the Customer Data is subject to the CCPA, the parties agree that Customer is a business and that it appoints Akitra as its service provider to process Customer Data as permitted under the Agreement and the CCPA, or for purposes otherwise agreed in writing (“Permitted Purposes”). Customer represents and warrants that it will only provide or make personal information available to Akitra in compliance with the CCPA. Customer and Akitra agree that: (i) Akitra shall not retain, use or disclose personal information for any purpose other than the Permitted Purposes; (ii) Customer Data was not sold to Akitra and Akitra shall not sell personal information; (iii) Akitra shall not retain, use or disclose personal information outside of the direct business relationship between Customer and Akitra; and (iv) Akitra may de-identify or aggregate personal information in the course of providing the Services. Akitra certifies that it understands the restrictions set out in this Section 9.2 and will comply with them.

  10. Miscellaneous

10.1. Disclosures. Customer acknowledges that Akitra may disclose this DPA including the Standard Contractual Clauses and any relevant privacy provisions in the Agreement to the U.S. Department of Commerce, the Federal Trade Commission, a European data protection authority or any other U.S. or European judicial or regulatory body upon their request.

10.2. Necessary Modifications. Notwithstanding anything to the contrary in the Agreement, Akitra may modify the terms of this DPA where necessary to (i) comply with a request or order by a supervisory authority or other government or regulatory entity; (ii) comply with Applicable Data Protection Law; or (iii) implement or adhere to standard contractual clauses, approved codes of conduct or certifications, binding corporate rules, or other compliance mechanisms, which may be permitted under Applicable Data Protection Law. Supplemental terms may be added as an Annex to this DPA where such terms only apply to the processing of Customer Data under the Applicable Data Protection Law of specific countries or jurisdictions. Akitra shall provide notice of such changes to Customer, and the modified DPA shall become effective in accordance with the terms of the Agreement or, if not specified in the Agreement, as otherwise provided on Akitra’s website.

10.3. Conflicts. Except for the changes made by this DPA, the Agreement remains unchanged and in full force and effect. If there is any conflict between this DPA and the Agreement, this DPA shall prevail to the extent of that conflict.

10.4. Claims. Any claims brought under or in connection with this DPA shall be subject to the terms and conditions, including but not limited to, the exclusions and limitations set forth in the Agreement. In particular, any claim or remedy Customer or its Affiliates may have against Akitra, its Affiliates, employees, contractors, agents and Sub-processors, arising under or in connection with this DPA, whether in contract, tort including negligence or under any other theory of liability, shall to the maximum extent permitted by law be subject to the limitations and exclusions of liability in the Agreement. Accordingly, any reference in the Agreement to the liability of a party means the aggregate liability of that party and all of its Affiliates under and in connection with the Agreement and this DPA together. Notwithstanding the foregoing, in no event may any party limit its liability with respect to any data subject rights or data protection authorities under this DPA.

10.5. Severability. If any provision or part-provision of this DPA is or becomes invalid, illegal or unenforceable, it shall be deemed deleted, but that shall not affect the validity and enforceability of the rest of the DPA.

10.6. Governing Law. This DPA shall be governed by and construed in accordance with the governing law and jurisdiction provisions in the Agreement, unless required otherwise by European Data Protection Law or the SCCs. 

Schedule 1

Description of the Processing Activities / Transfer

Details of Processing

Nature and Purpose of Processing:   Company will process Customer’s Personal Data as necessary to provide the Services under the Agreement, for the purposes specified in the Agreement and this Addendum, and in accordance with Customer’s instructions as set forth in this Addendum.

Duration of Processing: Company will process Customer’s Personal Data as long as required (i) to provide the Services to Customer under the Agreement; (ii) for Company’s legitimate business needs; or (iii) by applicable law or regulation. Customer Account Data and Customer Usage Data will be processed and stored as set forth in Company’s privacy policy.

Categories of Data Subjects: Personal data of customer’s employees, consultants and end-users

Categories of Personal Data: Depending on the Services selected by Customer, Akitra may process the following categories of personal data – Name, Username, Email address, Job Title, Employment Status Organization Name, Online identifiers such as IP addresses, Device IDs, Device operating system, version, and characteristics (e.g. whether a screen lock, encryption or anti-virus is enabled), background check verification records (at discretion of Controller), security training records, Geolocation data (based on IP address) and any other personal data submitted to the Services as part of Customer Data.

Sensitive Data or Special Categories of Data: Customers are prohibited from providing sensitive personal data or special categories of data to Company, including without limitation, any data which discloses the criminal history of any persons.

Frequency of the Transfer: Customer Data is transferred in accordance with Customer’s documented lawful instructions as described in Section 2.2. of the DPA.

Nature of Processing: Customer Data transferred will be processed in accordance with the Agreement and with this DPA.

Schedule 2 

List of Parties: 

The following includes the information required by Annex I and Annex III of the EU SCCs, and Appendix 1 of the UK SCCs. 

The Parties

Data Exporter

Name: the party identified as the “Customer” in the Agreement and this DPA

Address: As set out in the Agreement

Contact Person’s Name, position and contact details: The contact details specified in this DPA or the Agreement or otherwise associated with Customer’s account

Activities relevant to the transfer: See Annex 1(B) below

Role: Controller

Data Importer

Name: Akitra Inc. (“Akitra”)

Address: 830 Stewart Drive, Ste 269. Sunnyvale, CA 94085 USA

Contact Person’s Name, position and contact details: Privacy Team, privacy@Akitra.com

Activities relevant to the transfer: See Annex 1(B) below

Role: Processor

Description of Transfer

Categories of data subjects:

Personal data of customer’s employees, consultants and end-users

Categories of personal data:

Depending on the Services selected by Customer, Akitra may process the following categories of personal data – Name, Username, Email address, Job Title, Employment Status Organization Name, Online identifiers such as IP addresses, Device IDs, Device operating system, version, and characteristics (e.g. whether a screen lock, encryption or anti-virus is enabled), background check verification records (at discretion of Controller), security training records, Geolocation data (based on IP address) and any other personal data submitted to the Services as part of Customer Data.

Sensitive data (if applicable) and applied restrictions or safeguards:

Customers are prohibited from providing sensitive personal data or special categories of data to Company, including without limitation, any data which discloses the criminal history of any persons.

Frequency of the transfer:

Customer Data is transferred in accordance with Customer’s documented lawful instructions as described in Section 2.2. of the DPA.

Nature of processing:

Customer Data transferred will be processed in accordance with the Agreement and with this DPA.

Purpose(s) of the data transfer and further processing:

Providing the Services to Customer.

Retention period (or, if not possible to determine, the criteria used to determine that period):

See Section 7.1. of the DPA.

Competent supervisory authority

The competent supervisory authority will be determined in accordance with European Data Protection Law.

Schedule 3

Technical and Organizational Measures: The following technical and organizational measures are in place across the Services to protect the personal data processed by Akitra.

| Measure | Description |
| --- | --- |
| Measures of pseudonymization and encryption of personal data | Akitra uses encryption at rest and encryption in transit for the protection of personal data. |
| Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services | Akitra is SOC 2 and ISO 27001 compliant and, as a result, has processes in place designed to ensure confidentiality, integrity and availability of its systems for the benefit of customers. |
| Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident | Akitra performs routine backups and retains such backups for a necessary period of time to ensure restoration and access, if relevant. |
| Processes for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the processing | Akitra performs internal audits and external audits at least annually to ensure the effectiveness of technical and organizational measures. |
| Measures for user identification and authorization | Customers may log in via Google Workspace and are therefore responsible for such user identification and authorization. |
| Measures for the protection of data during transmission | Akitra uses encryption in transit to protect data during transmission. |
| Measures for the protection of data during storage | Akitra uses encryption at rest to protect data during storage. |
| Measures for ensuring physical security of locations at which personal data are processed | Akitra’s services and data are hosted in AWS’ facilities in the USA and protected by AWS in accordance with their security protocols. Access is limited to approved personnel. |
| Measures for ensuring events logging | Akitra uses logging and monitoring to capture events. |
| Measures for ensuring system configuration, including default configuration | Akitra monitors for configuration drift. |
| Measures for internal IT and IT security governance and management | Akitra is SOC 2 and ISO 27001 compliant and, as a result, has processes in place designed to ensure security governance and management. |
| Measures for certification/assurance of processes and products | Akitra is SOC 2 and ISO 27001 compliant. |
| Measures for ensuring data minimization | Akitra limits the data it captures and stores only the data necessary to deliver the services. |
| Measures for ensuring data quality | Customers are in control of the data provided to Akitra and Akitra ensures that such data is valid. |
| Measures for ensuring limited data retention | Akitra only retains data for as long as you are a customer and will remove such data upon request. |
| Measures for ensuring accountability | Akitra follows a set of policies including data protection and processing policies in order to ensure accountability to external third parties. |
| Measures for allowing data portability and ensuring erasure | Akitra follows standard data portability practices. |

Schedule 4 – UK Addendum

This Schedule 4 forms part of this DPA and applies in accordance with Section 9.1.3(C) (Transfers relating to the UK) of the DPA.

Start Date

The date of the Agreement.

Parties’ details: Exporter

Name: The entity identified as the Customer in the Agreement and this DPA.

Address: The address for the Customer associated with its account or otherwise specified in this DPA or the Agreement.

Contact person’s name, position and contact details: The contact details specified in this DPA or the Agreement or otherwise associated with Customer’s account

Parties’ details: Importer

Name: Akitra Inc. (“Akitra”)

Address: 830 Stewart Drive, Ste 269, Sunnyvale, CA, 94085 USA

Contact person’s name, position and contact details: Privacy Dept, privacy@Akitra.com

Addendum SCCs

The Approved SCCs, including the Appendix Information and with only the following modules, clauses or optional provisions of the approved SCCs brought into effect for the purposes of this Addendum: See Section 9.1.3(C) of the DPA.

Appendix Information

See Schedules 1 and 2

Ending this Addendum when the Approved Addendum changes

Neither Party

Mandatory Clauses

Part 2: Mandatory Clauses of the UK Addendum, as it is revised under Section 18 of those Mandatory Clauses

Schedule 5 – California Schedule

  1. For purposes of this Schedule, the terms “business,” “commercial purpose,” “sell” and “service provider” shall have the respective meanings given thereto in the CCPA, and “personal information” shall mean Personal Data that constitutes personal information, the Processing of which is governed by the CCPA.
  2. It is the parties’ intent that with respect to any personal information, Akitra is a service provider.  Akitra shall (i) not “sell” (as defined in the CCPA) personal information; and (ii) not retain, use or disclose any personal information for any purpose other than for the specific purpose of providing the Services, including retaining, using or disclosing personal information for a commercial purpose (as defined in the CCPA) other than providing the Services.  For the avoidance of doubt, the foregoing prohibits Akitra from retaining, using or disclosing personal information outside of the direct business relationship between Akitra and Customer.  Akitra hereby certifies that it understands the obligations under this section 2 and shall comply with them.
  3. The parties acknowledge that Akitra’s retention, use and disclosure of personal information authorized by Customer’s instructions documented in the DPA are integral to Akitra’s provision of the Services and the business relationship between the parties.
