Data Protection Addendum
Last updated on March 11, 2023
This Data Protection Addendum, including all attachments ("DPA" or "Addendum"), forms an addendum to the Agreement (defined below). This Addendum takes precedence over any other portion of the Agreement with regard to the Processing of Personal Data to the extent of any conflict.
Cypress may change this DPA from time to time without advance notice by posting the changes to this web page. The updated DPA will only apply to Customer and its subscription under the Agreement at the beginning of any subscription renewal or new subscription purchase, but may apply earlier as follows:
If Cypress adds new or different features, functionality, or other offerings to Customer's subscription, then Cypress may change the DPA to accommodate those features, functionality or offerings. If those features, functionality or offerings are optional, then Cypress will provide Customer a choice to use them. If Customer chooses not to use the new features, functionality or offerings, then the updated DPA will not apply before the next subscription renewal or new purchase as provided above. If those features, functionality, or other offerings are not optional, then the DPA will only apply at the next subscription renewal or new purchase as provided above.
If Data Protection Laws change in a way that prevents or hinders Cypress from providing its services or fulfilling its obligations under the Agreement or that Cypress believes may conflict with the DPA, then Cypress may change this DPA in order to continue to comply with Data Protection Laws, and Cypress will notify Customer of the updated DPA. The updated DPA will apply if Customer continues to use the subscribed services under the Agreement after receipt of the notice. Any notices to Cypress regarding this DPA should be sent to [email protected]. Cypress may contact and notify Customer at the email address Customer provides under the Agreement as part of its account information or its billing email address.
1. Definitions
For purposes of this Addendum: "Agreement" means the Cypress Cloud Terms of Use currently located at https://cloud.cypress.io/terms-of-use), or a similar written agreement for the provision of the Cypress Cloud service which expressly incorporates this Addendum, between Cypress and Customer and any associated contractual document made by Cypress and Customer under it, such as an order form.
"Customer" means the entity who enters into the Agreement with Cypress.
"Cypress" means Cypress.io, Inc.
"Data Protection Laws" means all applicable laws, regulations, and other legally binding requirements in any jurisdiction relating to privacy, data protection, data security, breach notification, or the Processing of Personal Data, including without limitation, to the extent applicable, the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq. and any associated regulations and amendments, including, when effective, the California Privacy Rights Act amendments ("CCPA"); the General Data Protection Regulation, Regulation (EU) 2016/679 ("GDPR"); the Swiss Federal Act on Data Protection ("FADP"); and the United Kingdom Data Protection Act of 2018 ("UK GDPR"). For the avoidance of doubt, if Cypress's Processing activities involving Personal Data are not within the scope of a given Data Privacy Law, such law is not applicable for purposes of this Addendum.
"Data Subject" means an identified or identifiable natural person about whom Personal Data relates.
"EU SCCs" means the Standard Contractual Clauses issued pursuant to Commission Implementing
Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, located http://data.europa.eu/eli/dec_impl/2021/914/oj, and completed as set forth in Section 7 below.
"Personal Data" includes "personal data," "personal information," "personally identifiable information," and similar terms, as defined by applicable Data Protection Laws, that Cypress Processes on behalf of Customer under the Agreement.
"Process" and "Processing" mean any operation or set of operations performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, creating, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
"Security Breach" means any accidental or unlawful acquisition, destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
"Subprocessors" means affiliates and third parties, including without limitation subcontractors, who Process Personal Data on behalf of Cypress.
2. Scope and Purposes of Processing
a. The scope, nature, purposes, and duration of the processing, the types of Personal Data Processed, and the Data Subjects concerned are set forth in this Addendum, including its Schedule A. The details provided in Schedule A are deemed to satisfy any requirement to provide such details under any Data Privacy Law.
b. Cypress will Process Personal Data solely: (1) to fulfill its obligations to Customer under the Agreement, including this Addendum; (2) on Customer's behalf; and (3) in compliance with Data Protection Laws. Cypress will not "sell" Personal Data (as such term in quotation marks is defined in applicable Data Protection Laws), "share" or Process Personal Data for purposes of "cross-context behavioral advertising" or "targeted advertising" (as such terms in quotation marks are defined in applicable Data Protection Laws), or otherwise Process Personal Data for any purpose other than for the specific purposes set forth herein or outside of the direct business relationship with Customer.
c. Cypress will not attempt to link, identify, or otherwise create a relationship between Personal Data and non-Personal Data or any other data without the express authorization of Customer.
3. Personal Data Processing Requirements.
Cypress will:
a. Ensure that the persons it authorizes to Process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
b. Taking into account the nature of the processing, assist Customer by implementing appropriate technical and organizational measures, including but not limited to appropriate updates to software functionality or facilitation by support staff to ensure that Customer may at any time respond to request(s) from Data Subjects exercising their rights under Data Protection Laws. Further, any such Data Subject request received by Cypress will be referred to Customer promptly for handling.
c. Promptly notify Customer of (i) any third-party or Data Subject complaints regarding the Processing of Personal Data; or (ii) any government or Data Subject requests for access to or information about Cypress's Processing of Personal Data on Customer's behalf, unless prohibited by Data Protection Laws. Cypress will provide Customer with reasonable cooperation and assistance in relation to any such
request. If Cypress is prohibited by applicable Data Protection Laws from disclosing the details of a government request to Customer, Cypress shall inform Customer that it can no longer comply with Customer's instructions under this Addendum without providing more details and await Customer's further instructions. Cypress shall use all available legal mechanisms to challenge any demands for data access through national security process that it receives, as well as any non-disclosure provisions attached thereto.
d. Provide reasonable assistance to and cooperation with Customer for Customer's performance of a data protection impact assessment of Processing or proposed Processing of Personal Data, when required by applicable Data Protection Laws, and at Customer's reasonable expense.
e. Provide reasonable assistance to and cooperation with Customer for Customer's consultation with regulatory authorities in relation to the Processing or proposed Processing of Personal Data, including complying with any obligation applicable to Cypress under Data Protection Laws to consult with a regulatory authority in relation to Cypress's Processing or proposed Processing of Personal Data.
f. Cypress certifies that it understands its obligations under this Addendum (including without limitation the restrictions under Sections 2 and 3 and that it will comply with them.
4. Data Security
Cypress will implement appropriate administrative, technical, physical, and organizational measures to protect Personal Data, as set forth in Schedule A.
5. Security Breach.
Cypress will notify Customer without undue delay of any known Security Breach and will assist Customer in Customer's compliance with its Security Breach-related obligations, including without limitation, by:
Taking commercially reasonable steps to mitigate the effects of the Security Breach and reduce the risk to Data Subjects whose Personal Data was involved; and
Providing Customer with the following information, to the extent known:
The nature of the Security Breach, including, where possible, how the Security Breach occurred, the categories and approximate number of Data Subjects concerned, and the categories and approximate number of Personal Data records concerned.
The likely consequences of the Security Breach; and
Measures taken or proposed to be taken by Cypress to address the Security Breach, including, where appropriate, measures to mitigate its possible adverse effects.
6. Subprocessors
Customer acknowledges and agrees that Cypress may use Cypress affiliates and third-party Subprocessors to Process Personal Data in accordance with the provisions within this Addendum and Data Protection Laws. Cypress will take steps to select and retain Subprocessors that are capable of maintaining appropriate privacy and security measures to protect Personal Data consistent with applicable Data Protection Laws.
Cypress's current list of Subprocessors is located at the following website:
https://www.cypress.io/subprocessors
. Customer hereby consents to Cypress's use of such Subprocessors. Cypress may update that list of its Subprocessors from time to time, and it will provide Customer with a mechanism to obtain notice of any new Subprocessor added to the list 20 days prior to that new Subprocessor receiving access to Customer's Personal Data. If Customer has a commercially reasonable objection to a new Subprocessor within 10 days from receiving such notice, Cypress will use reasonable efforts to make available to Customer a change in the services or recommend a commercially reasonable change to, Customer's use of the services to avoid Processing of Personal Data by the objected-to Subprocessor without unreasonably burdening the Customer. Customer may, in its sole discretion, terminate the Agreement in the event that Cypress is not able to provide a reasonable change to address Customer's Subprocessor objection.
7. Data Transfers
Cypress will not engage in any cross-border Processing of Personal Data, or transmit, directly or indirectly, any Personal Data to any country outside of the country from which such Personal Data was collected, without complying with applicable Data Protection Laws. Where Cypress engages in an onward transfer of Personal Data, Cypress shall ensure that a lawful data transfer mechanism is in place prior to transferring Personal Data from one country to another.
To the extent legally required, by signing this Addendum, Customer and Cypress are deemed to have signed the EU SCCs, which form part of this Addendum and (except as described in Section 7(c) and (d) below) will be deemed completed as follows:
Module 2 of the EU SCCs applies to transfers of Personal Data from Customer (as a controller) to Cypress (as a processor);
Clause 7 (the optional docking clause) is included;
Under Clause 9 (Use of sub-processors), the Parties select Option 2 (General written authorization). The initial list of sub-processors is set forth in Schedule B of this Addendum and Cypress shall update that list and provide a notice to Customer in advance of any intended additions or replacements of sub-processors as provided in Section 6.
Under Clause 11 (Redress), the optional language requiring that Data Subjects be permitted to lodge a complaint with an independent dispute resolution body shall not be deemed to be included;
Under Clause 17 (Governing law), the Parties choose Option 1 (the law of an EU Member State that allows for third-Party beneficiary rights). The Parties select the laws of Ireland;
Under Clause 18 (Choice of forum and jurisdiction), the Parties select the courts of Ireland;
Annex I(A) and I(B) (List of Parties) is completed as set forth in Schedule A of this Addendum;
Under Annex I(C) (Competent supervisory authority), the Parties shall follow the rules for identifying such authority under Clause 13 and, to the extent legally permissible, select the Irish Data Protection Commission.
Annex II (Technical and organizational measures) is completed with Schedule A of this Addendum; and
Annex III (List of subprocessors) is not applicable as the Parties have chosen General Authorization under Clause 9, however a list of Cypress's subprocessors is available in Schedule B.
With respect to Personal Data transferred from the United Kingdom for which United Kingdom law (and not the law in any European Economic Area jurisdiction or Switzerland) governs the international nature of the transfer, the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (available as of the Effective Date at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf) ("UK SCCs") forms part of this Addendum and takes precedence over the rest of this Addendum as set forth in the UK SCCs. Undefined capitalized terms used in this provision shall mean the definitions in the UK SCCs. For purposes of the UK SCCs, they shall be deemed completed as follows:
Table 1 of the UK SCCs:
The Parties' details shall be the Parties and their affiliates to the extent any of them is involved in such transfer.
The Key Contacts shall be the contacts set forth in Schedule A.
Table 2 of the UK SCCs: The Approved EU SCCs referenced in Table 2 shall be the EU SCCs as executed by the Parties.
Table 3 of the UK SCCs: Annex 1A, 1B, II, and III shall be set forth in Schedules A and B below.
Table 4 of the UK SCCs: Either Party may end this Addendum as set out in Section 19 of the UK SCCs.
By entering into this Addendum, the Parties are deemed to be signing the UK SCCs.
For transfers of Personal Data that are subject to the FADP, the EU SCCs form part of this Addendum as set forth in Section 7(b) of this Addendum, but with the following differences to the extent required by the FADP: (1) references to the GDPR in the EU SCCs are to be understood as references to the FADP insofar as the data transfers are subject exclusively to the FADP and not to the GDPR; (2) references to personal data in the EU SCCs also refer to data about identifiable legal entities until the entry into force of revisions to the FADP that eliminate this broader scope; (3) the term "member state" in EU SCCs shall not be interpreted in such a way as to exclude Data Subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland) in accordance with Clause 18(c) of the EU SCCs; and (4) the relevant supervisory authority is the Swiss Federal Data Protection and Information Commissioner (for transfers subject to the FADP and not the GDPR), or both such Commissioner and the supervisory authority identified in the EU SCCs (where the FADP and GDPR apply, respectively).
8. Audits
Cypress shall permit Customer (or its appointed third Customer's auditors (the "Auditors"), at Customer's sole expense, to audit Cypress's compliance with this DPA and shall make available to the Auditors all information systems and staff necessary for the Auditors to conduct such audit. Cypress acknowledges that the Auditors may enter its premises for the purposes of conducting its audit, provided that Customer gives it reasonable prior notice of its intention to audit, conducts its audit during normal business hours and takes all reasonable measures to prevent unnecessary disruption to Cypress's operations. Customer shall limit its exercise of audit rights to not more than once in any 12 calendar month period, unless (1) required by instruction of a Supervisory Authority; or (2) Customer reasonably believes it has a genuine concern regarding Cypress's compliance with this DPA.
9. Destruction of Personal Data
Except to the extent required otherwise by Data Privacy Laws, at the written request of Customer upon termination of the Agreement, Cypress will securely delete or de-identify all Personal Data. Except to the extent prohibited by Data Privacy Laws, Cypress will inform Customer if it is not able to delete or de-identify the Personal Data.
9. Limitation of Liability
For clarity, this Addendum is subject to the liability limitations in the Agreement.
10. Survival.
The provisions of this Addendum survive the termination or expiration of the Agreement for so long as Cypress or its Subprocessors Process the Personal Data.
Schedule A
ANNEX I
A. LIST OF PARTIES
Data exporter(s):
The exporter (Controller) is Customer and Customer's contact details and signature are as provided in the Agreement.
Data importer(s):
The importer (Processor) is Cypress and Cypress's contact details and signature are as provided in the Agreement.
B. DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred:
Controller's authorized end users.
Categories of personal data transferred:
Any personal data transferred in connection with the Agreement.
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measure: N/A
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis):
On a continuous basis as needed to provide the services to Customer under the Agreement.
Nature of the processing:
The nature of the processing is set out in the Agreement between the parties.
Purpose(s) of the data transfer and further processing:
The purposes of the data transfer is to provide the services requested by Customer pursuant to the Agreement.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period:
The data will be retained for the time period needed to accomplish the purposes of Processing, unless otherwise required by applicable law.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing:
Please see Schedule B for a list our Subprocessors and the nature of the services they provide. All transfers will last for the duration of the Agreement between the parties.
C. COMPETENT SUPERVISORY AUTHORITY
Identify the competent supervisory authority/ies in accordance with Clause 13: The data exporter's competent supervisory authority will be determined in accordance with the GDPR, and where possible, will be the Irish Data Protection Commissioner.
ANNEX II - TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
Description of the technical and organizational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.
Cypress's Information Security Program includes specific security requirements for its personnel and all Subprocessors or agents who have access to Personal Data ("Data Personnel"). Cypress's security requirements cover the following areas:
Information Security Policies and Standards. Cypress will maintain written information security policies, standards and procedures addressing administrative, technical, and physical security controls and procedures. These policies, standards, and procedures shall be kept up to date, and revised whenever relevant changes are made to the information systems that use or store Personal Data.
Organizational Security. Cypress will maintain information security policies and procedures addressing acceptable data use standards, data classification, and incident response protocols.
Network Security. Cypress maintains commercially reasonable information security policies and procedures addressing network security.
Access Control. Cypress agrees that: (1) only authorized Cypress staff can grant, modify, or revoke access to an information system that Processes Personal Data; and (2) it will implement commercially reasonable physical and technical safeguards to create and protect passwords.
Virus and Malware Controls. Cypress protects Personal Data from malicious code and will install and maintain anti-virus and malware protection software on any system that handles Personal Data.
Personnel. Cypress has implemented and maintains a security awareness program to train employees about their security obligations. Data Personnel follow established security policies and procedures. Disciplinary process is applied if Data Personnel fail to adhere to relevant policies and procedures.
Business Continuity. Cypress implements disaster recovery and business resumption plans that are kept up to date and revised on a regular basis. Cypress also adjusts its Information Security Program in light of new laws and circumstances, including as Cypress' business and Processing change.