Sysdig

Global Customer Data Processing Addendum

Sysdig, Inc.

This Global Customer Data Processing Addendum (“DPA”) applies where Sysdig, Inc., on behalf of itself and its subsidiaries, (“Sysdig”) and Customer have entered into a written or electronic services agreement and Order Form which reference this DPA, pursuant to which Sysdig has explicitly agreed to the processing of Personal Data on behalf of Customer (“Agreement”). This DPA is incorporated into and made subject to the Agreement. Any capitalized terms not defined in this DPA shall have the meaning set forth in the Agreement.

Signatures of assent of Sysdig and Customer to the Agreement will be deemed signature to, and acceptance and agreement of, this DPA and the SCCs incorporated hereto.

For the avoidance of doubt, this DPA shall not apply to any Agreements that explicitly incorporate a separate data processing agreement, provided such separate data processing agreement has been signed by an authorized Sysdig signatory.

PART I – Definitions
  1. “Applicable Privacy Laws” means any data privacy, security or protection laws or regulations to the extent applicable to the processing of Personal Data under this DPA, including any binding laws or regulations ratifying, implementing, adopting, supplementing or replacing the foregoing; in each case, to the extent in force, and as such are updated, amended or replaced from time to time.
  2. “Authorized Personnel” means an individual (including without limitation an employee, temporary worker or agency worker) who is authorized to process Personal Data under the authority of Sysdig.
  3. “Data Subject Request” means a request from a Data Subject to exercise their data subject rights with respect to the Personal Data, as granted by Applicable Privacy Laws.
  4. “Instructions” means Customer’s written instructions to Sysdig directing Sysdig to process the Personal Data as provided under the Agreement, this DPA, through Customer’s use of the features and functionality of the Services or as otherwise mutually agreed by authorized signatories of both parties in writing.
  5. “Personal Data” shall have the meaning given to Customer Personal Data under the Agreement.
  6. “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data in Sysdig’s possession or under its control (including when transmitted or stored by Sysdig).
  7. “Services” means the services as described in the Agreement.
  8. “Standard Contractual Clauses” (or “SCCs” or “Clauses”) means (i) the standard contractual clauses for international transfers published by the European Commission on June 4, 2021 governing the transfer of European Area Personal Data to Third Countries as adopted by the European Commission and the Swiss Federal Data Protection and Information Commissioner (“Swiss FDPIC”) relating to data transfers to Third Countries (collectively “EU SCCs”); (ii) the international data transfer addendum (“UK Transfer Addendum”) adopted by the UK Information Commissioner’s Office (“UK ICO”) for data transfers from the UK to Third Countries; (iii) any similar such clauses issued by a data protection regulator relating to data transfers to Third Countries; or (iv) any successor clauses to (i) – (iii).
  9. “Subprocessor” means any person or entity, including Sysdig’s affiliates, appointed by or on behalf of Sysdig in connection with the processing of Personal Data in connection with the Agreement.
  10. “Third Country” means countries that, where so regulated by Applicable Privacy Laws, have not received an adequacy decision from an applicable authority relating to data transfers, including regulators such as the European Commission, UK ICO, or Swiss FDPIC.

In this DPA, the following terms (and any substantially similar terms as defined under Applicable Privacy Laws) shall have the meanings and otherwise be interpreted in accordance with Applicable Privacy Law:
Business, Data Controller, Data Processor, Data Subject, Sale, Service Provider, Share, Supervisory Authority, process(ing) and transfer.

PART II – Sysdig as a Data Controller
  1.1. For the purposes of the General Data Protection Regulation (EU) and substantially similar Applicable Privacy Laws, Sysdig is an independent Controller with respect to Sysdig’s processing of personally identifiable information within the B2B Relationship Data and Service Analytics (as defined under the Agreement). The subject matter, nature, purpose, and duration of processing, as well as the types of Personal Data collected and categories of Data Subjects, are as described in Exhibit A. Sysdig will process such data as further set forth in the Sysdig Privacy Policy, except that Sysdig’s use of such data shall be limited to uses for the purpose of Sysdig’s business operations incident to providing the Services to Customer, including: billing and account management, securing its systems and combating fraud, and as further set forth under the Agreement.
  1.2. To the extent such data is transferred under this DPA to a Third Country, the parties agree to abide by the SCCs, where applicable, for such transfers. In particular, transfers of Personal Data from the European Union, European Economic Area, Switzerland, or the United Kingdom of Great Britain and Northern Ireland (“UK”) to Third Countries are subject to the Standard Contractual Clauses, Module One. The information required for the purposes of the SCCs is provided in Exhibit C of this DPA. The SCCs are hereby incorporated into the Agreement and the parties’ acceptance of this DPA shall constitute the parties’ acceptance and signing of the Standard Contractual Clauses. If the terms of the Agreement conflict with the SCCs, the terms of the SCCs will prevail. Notwithstanding the foregoing, in the event any data transfer mechanisms or certifications are approved under Applicable Privacy Laws (including, as applicable, any approved successor or replacement to the EU–US Privacy Shield framework and/or the Swiss–US Privacy Shield framework), the parties may agree to leverage such data transfer mechanisms in lieu of the Standard Contractual Clauses.
PART III – Sysdig as a Data Processor (or subprocessor)
  2. Processing of Data
    2.1. The parties acknowledge and agree that with respect to processing of Personal Data, Sysdig is a Data Processor and a Service Provider and Customer is a Data Controller and Business, except where Customer is a Data Processor, in which case Sysdig is a sub-processor of Customer.
    2.2. This Part III of this DPA applies where and solely to the extent that Sysdig processes Personal Data on behalf of Customer for the purpose of providing the Services to the Customer pursuant to the Agreement. Sysdig shall process such data solely for the “Business Purposes” as further defined and set forth in Exhibit A. The subject matter, nature, purpose, and duration of processing, as well as the types of Personal Data collected and categories of Data Subjects, are as described in Exhibit A. As set forth in the applicable agreement for the Sysdig services, Customer has agreed not to input or otherwise transmit any Personal Data, other than such Personal Data set forth under Exhibit A, into the Sysdig services without Sysdig’s prior written consent or as otherwise set forth in the applicable Order Form.
    2.3. Sysdig shall process Personal Data only as set forth in the Agreement and in accordance with Exhibit A of this DPA and the Instructions. Sysdig shall promptly notify Customer if an Instruction, in Sysdig’s opinion, infringes Applicable Privacy Laws. Sysdig will comply with its obligations under Applicable Privacy Laws in connection with the processing of Personal Data and provide for the same level of privacy protection as offered by such Applicable Privacy Law. Where and to the extent required by Applicable Privacy Laws, Sysdig shall notify Customer in the event that Sysdig makes the determination that it can no longer meet its obligations thereunder. Except as expressly permitted by the Customer or Applicable Privacy Laws, Sysdig shall not (i) engage in any Sale or Share of Personal Data collected pursuant to this DPA; nor (ii) retain, use or disclose the Personal Data collected pursuant to this DPA for any purpose (including any commercial purpose) other than the Business Purposes, outside the direct business relationship with Customer or as otherwise expressly permitted by Customer or Applicable Privacy Laws. To the extent required by Applicable Privacy Laws, (i) Sysdig certifies that it understands the foregoing restrictions and will comply with them; and (ii) Sysdig shall allow Customer, upon reasonable notice to Sysdig, to take reasonable and appropriate steps to ensure Sysdig uses Personal Data collected pursuant to the DPA in a manner consistent with Customer’s obligations under Applicable Privacy Laws and to stop and remediate the unauthorized use of Personal Data.
    2.4. Customer shall, in its use of the Services, at all times process Personal Data, and provide the Instructions for the processing of Personal Data, in compliance with Applicable Privacy Laws. Customer represents and warrants that Customer has obtained or will obtain all necessary consents, licenses and approvals for the processing of Personal Data under this DPA and, where applicable, has a valid legal basis under Applicable Privacy Laws for the processing of Personal Data under this DPA. If Customer is a Data Processor of Personal Data, Customer represents and warrants that Customer’s instructions and processing of Personal Data, including its appointment of Sysdig as a sub-processor, have been authorized by the respective Data Controller. Customer further represents and warrants that Customer (i) will comply with all Applicable Privacy Laws in its performance arising out of this DPA; and (ii) has reviewed Sysdig’s security practices and acknowledges that such practices are appropriately designed to ensure a level of security appropriate to the risk of processing hereunder.
    2.5. Following completion of the Services, Sysdig shall return or delete the Personal Data as set forth under the Agreement or applicable service documentation, or provide Customer the ability to delete such Personal Data directly through the tools or functionality made available by the Service. The foregoing obligations shall not apply (a) where deletion is not permitted under applicable law (including Applicable Privacy Laws) or the order of a governmental or regulatory body; (b) where Sysdig retains such Personal Data for internal record keeping and compliance with any legal obligations; or (c) where Sysdig’s then-current data retention or similar back-up system stores Personal Data, provided such data will remain protected in accordance with the measures described in the Agreement and this DPA.
  3. Authorized Personnel
    3.1. Sysdig shall ensure that all Authorized Personnel are made aware of the confidential nature of Personal Data and have executed confidentiality agreements or are otherwise subject to binding duties of confidentiality that prohibit them from disclosing or otherwise processing any Personal Data except in accordance with the Instructions and their obligations in connection with the Services.
    3.2. Sysdig shall take commercially reasonable steps to ensure that Authorized Personnel have received data privacy and security training appropriate to the nature of their processing of Personal Data and the requirements of Applicable Privacy Laws.
  4. Sysdig Subprocessors
    4.1. Customer hereby provides Sysdig with general written authorization to engage Subprocessors to process (including transfer) Personal Data in connection with the Services in accordance with this Section 4.
    4.2. A list of Sysdig’s current Subprocessors (the “Subprocessor List”) is available at https://go.sysdig.com/sysdig-subprocessors (such URL may be updated by Sysdig from time to time upon notice to Customer). These Subprocessors will be deemed authorized by Customer to process Personal Data in connection with this DPA. At least ten (10) days before enabling any new Subprocessor to access or participate in the processing of Personal Data, Sysdig will add such Subprocessor to the Subprocessor List and notify Customer of that update. Customer may object to such an engagement on reasonable data protection grounds by providing notice to Sysdig within ten (10) days of receipt of the aforementioned notice from Sysdig.
      4.2.1. If Customer objects to an engagement in accordance with Section 4.2, Sysdig shall provide Customer with a written description of commercially reasonable alternative(s), if any, to such engagement. If Sysdig, in its sole discretion, cannot reasonably provide any such alternative(s), or if Customer does not agree to any such alternative(s) if provided, either party may terminate the impacted Services. Alternatively, Customer’s continued use of the Service following Customer’s refusal of the proffered alternative will constitute Customer’s consent to such a change to the Subprocessor List. Termination shall not relieve Customer of any fees owed to Sysdig under the Agreement.
      4.2.2. If Customer does not object to the engagement of a third party in accordance with Section 4.2, that third party will be deemed an authorized Subprocessor for the purposes of this DPA.
    4.3. Sysdig shall ensure that each Subprocessor is subject to obligations regarding the processing of Personal Data that are substantially similar to those to which Sysdig is subject under this DPA.
    4.4. Sysdig shall be liable to Customer for any breach of this DPA caused by the acts or omissions of its Subprocessors.
    4.5. If Customer and Sysdig have entered into the Standard Contractual Clauses as described in Section 6 (Transfers of Personal Data), the above authorizations will constitute Customer’s prior written consent to the subcontracting by Sysdig of the processing of Personal Data if such consent is required under the Standard Contractual Clauses.
  5. Security of Personal Data
    5.1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Sysdig shall maintain appropriate technical and organizational measures designed to (i) ensure a level of security appropriate to the risk presented by the processing of the Personal Data; and (ii) protect the Personal Data from unauthorized access, destruction, use, modification or disclosure. Such technical and organizational measures shall include measures equal to or exceeding the measures set forth in Exhibit B of this DPA.
  6. Transfers of Personal Data
    6.1. Customer acknowledges and agrees that Sysdig and its Subprocessors may process (including transfer) Personal Data in the United States, the European Economic Area and in any other location where Sysdig or a Sysdig Subprocessor maintains data processing operations, as set forth in the Subprocessor List. Sysdig will at all times provide an adequate level of protection for the Personal Data, in accordance with the requirements of Applicable Privacy Laws and, to the extent applicable, the requirements below.
    6.2. In connection with the provision of the Services to Customer, Sysdig may (and may authorize its Subprocessors to) receive from, process within, or transfer Personal Data to, any Third Country provided that Sysdig and its Subprocessors take measures to adequately protect such data consistent with Applicable Privacy Laws. Such measures may include, to the extent available and applicable under such laws:
      6.2.1. The parties’ agreement to enter into and comply with the Standard Contractual Clauses, which are hereby incorporated into this DPA and as further set forth in Exhibit C. In particular, transfers of Personal Data from the European Union, European Economic Area, Switzerland or the United Kingdom of Great Britain and Northern Ireland (“UK”) by Customer to Sysdig or Sysdig to Customer in Third Countries are subject to the Standard Contractual Clauses, Module Two (“Controller to Processor”), and Module Three (“Processor to Processor”). The information required for the purposes of the SCCs is provided in Exhibit C to this DPA;
      6.2.2. Processing in compliance with Binding Corporate Rules in accordance with Applicable Privacy Laws; or
      6.2.3. Implementing any other data transfer mechanisms or certifications approved under Applicable Privacy Laws, including, as applicable, any approved successor or replacement to the EU–US Privacy Shield framework and/or the Swiss–US Privacy Shield framework.
        To the extent that any substitute or additional appropriate safeguards or transfer mechanisms under Applicable Privacy Laws are required to transfer data to a Third Country, the parties agree to implement the same as soon as practicable and document such requirements for implementation in an attachment to this DPA.
    6.3. The Parties acknowledge and agree that they have, taking into account, without limitation, the Personal Data and Third Countries in scope, the relevant security measures under this DPA and the relevant parties participating in the processing of such Personal Data, conducted an assessment of the appropriateness of the relevant transfer mechanism adopted hereunder and have determined that such transfer mechanism is appropriately designed to ensure Personal Data transferred in accordance with this DPA is afforded a level of protection in the destination country that is essentially equivalent to that guaranteed under the Applicable Privacy Laws.
  7. Cooperation; Audit and Records Requests
    7.1. Sysdig shall, to the extent permitted by law, promptly notify Customer following the receipt and verification of a Data Subject Request or shall otherwise advise the Data Subject to submit their Data Subject Request to Customer directly. In either case, Customer will be responsible for responding to such request.
    7.2. At the request of Customer and taking into account the nature of the processing applicable to any Data Subject Request, Sysdig shall apply appropriate technical and organizational measures to enable Customer to comply with Customer’s obligation to respond to such Data Subject Request and/or to demonstrate such compliance, provided that (i) Customer is itself unable to respond to or fulfill the request without Sysdig’s assistance and (ii) Sysdig is able to do so in accordance with all applicable laws, rules, and regulations. Customer shall be responsible, to the extent legally permitted, for any costs and expenses arising from any such assistance by Sysdig.
    7.3. If Sysdig receives a subpoena, court order, warrant or other legal demand from a third party (including law enforcement or other public or judicial authorities) seeking the disclosure of Personal Data, Sysdig shall, where legally permitted, promptly notify Customer in writing of such request. Sysdig shall only comply with such third-party request where Sysdig has determined it is legally required to do so, in which case Sysdig shall provide reasonable cooperation to Customer, at Customer’s expense, if Customer wishes to limit, challenge or protect against such disclosure, to the extent permitted by applicable laws.
    7.4. Sysdig shall, taking into account the nature of the processing and the information available to Sysdig, provide Customer with reasonable cooperation and assistance for Customer to comply with its obligations under the Applicable Privacy Laws, including any obligations to conduct a data protection impact assessment, respond to any inquiry from or consult with any Supervisory Authority, or demonstrate compliance with Applicable Privacy Law. The obligations hereunder shall only apply where required of Sysdig by Applicable Privacy Law and provided that Customer does not otherwise have access to the relevant information or functionality being requested. Customer shall be responsible, to the extent legally permitted, for any costs and expenses arising from any such assistance by Sysdig.
    7.5. Upon Customer’s request and no more than once per calendar year, Sysdig shall make available for Customer’s review copies of certifications or reports demonstrating Sysdig’s compliance with Applicable Privacy Laws as they relate to Sysdig’s processing of the Personal Data hereunder. Solely where and to the extent (i) required by Applicable Privacy Laws and (ii) such copies of certifications or reports are insufficient to demonstrate Sysdig’s compliance with Applicable Privacy Laws as it relates to Sysdig’s processing of the Personal Data hereunder, Sysdig shall make available to the Customer additional information necessary to demonstrate compliance with such obligations and allow for and contribute to audits, including inspections, of those data processing facilities within Sysdig’s control conducted by the Customer or another auditor mandated by Customer.
    7.6. Any audit or inspection authorized by Section 7.5 will occur only after Customer has provided Sysdig with at least 60 days’ prior written notice and on a mutually agreed upon date, time, and location. Audits must not unreasonably interfere with Sysdig’s business or operations, and the scope of such audit will be subject to Sysdig’s reasonable pre-approval. Individuals responsible for conducting such audit shall be subject to a contract of confidentiality with Sysdig. The work required of Sysdig to participate in any audit may result in additional fees (at a mutually agreed upon hourly rate) to be paid by the Customer, unless otherwise agreed in writing prior to the commencement of such audit. To ensure that Sysdig complies with Applicable Privacy Laws and its contractual obligations regarding data privacy and security, Customer agrees that Sysdig is not required to provide Customer with access to Sysdig’s systems or information in a manner that may compromise the security, privacy, or confidentiality of Sysdig’s other customers’ confidential or proprietary information.
    7.7. Any information disclosed pursuant to this Section 7 will be deemed Sysdig’s Confidential Information.
  8. Personal Data Breach
    8.1. After becoming aware of a Personal Data Breach, Sysdig shall, without undue delay, inform Customer of the Personal Data Breach and take such steps as Sysdig, in its sole discretion, deems necessary and reasonable to remediate such Personal Data Breach (to the extent that remediation is within Sysdig’s reasonable control).
    8.2. Sysdig shall, taking into account the nature of the processing and the information reasonably available to Sysdig: (a) provide Customer with reasonable cooperation and assistance necessary for Customer to comply with its obligations under Applicable Privacy Laws with respect to notifying relevant regulators and/or Data Subjects affected by such Personal Data Breach; and (b) provide Customer with information in Sysdig’s reasonable control concerning the details of the Personal Data Breach including, as applicable, the nature of the Personal Data Breach, the categories and approximate numbers of Data Subjects and Personal Data records concerned, and the likely consequences of the Personal Data Breach.
    8.3. The obligations described in this Section 8 shall not apply in the event that a Personal Data Breach results from the actions or omissions of Customer. In no event will Sysdig’s cooperation or obligation to report or respond to a Personal Data Breach under this Section be construed as an acknowledgement by Sysdig of any fault or liability with respect to the Personal Data Breach.
    8.4. Unless prohibited by an applicable statute or court order, Customer will notify Sysdig of any third-party legal process relating to any Personal Data Breach, including, but not limited to, any legal process initiated by any governmental entity.
  9. Miscellaneous
    9.1. All notices to Customer under this DPA shall be sent by email and directed to the Customer’s designated system administrator for the Services and the “legal and privacy notices” contact if provided by Customer in conjunction with the Agreement. Customer may update these contacts at any time by emailing [email protected].
    9.2. The liability of Sysdig and its respective employees, directors, officers, affiliates, successors, and assigns (the “Sysdig Parties”), arising out of or related to this DPA, whether in contract, tort, or other theory of liability, shall be subject to the “Limitation of Liability” and “Exclusions of Liability” sections (or their equivalent sections) of the Agreement, and any reference in such section to the liability of Sysdig or the Sysdig Parties means the aggregate liability of the Sysdig Parties under the Agreement and this DPA together.
    9.3. This DPA is without prejudice to the rights and obligations of the parties under the Agreement, which will continue to have full force and effect. In the event of any conflict between the terms of this DPA and the terms of the Agreement, the terms of this DPA will prevail. In the event of any conflict between the terms of this DPA and the Standard Contractual Clauses then, only insofar as the Standard Contractual Clauses apply, the Standard Contractual Clauses will prevail.
    9.4. Unless otherwise so required under this DPA or Applicable Privacy Law, Customer and Sysdig each agree that the dispute resolution provisions of the Agreement (including governing law and venue) apply to this DPA.
EXHIBIT A
Details of Processing
  1. Data exporter:
    • Name, address and contact information: As provided under the Agreement.
    • Activities relevant to the data transferred under the Clauses: Receipt of the Services under the Agreement.
    • Signature and date: As provided under the Agreement.
  2. Data importer:
    • Name: Sysdig, Inc.
    • Address: 135 Main Street, 21st Floor, San Francisco, CA 94105, United States
    • Contact information: Colleen Lam, VP of Legal; [email protected] 
    • Activities relevant to the data transferred under the Clauses: The provision, maintenance and securing of the Services
    • Signature and date: As provided under the Agreement.
  3. Details of processing (the original presents the following as a table with one column for Sysdig as a Data Controller and one for Sysdig as a Data Processor (or subprocessor); the two columns are set out under each topic below):

Role of the parties:
    • Sysdig as a Data Controller: The following details of processing shall apply where and to the extent Sysdig processes personally identifiable information as a data controller in accordance with Section 1 of the DPA.
    • Sysdig as a Data Processor (or subprocessor): The following details of processing shall apply where and to the extent Sysdig processes Personal Data as a data processor (or subprocessor) on behalf of Customer.

Categories of Data Subjects:
    • Sysdig as a Data Controller: Customer’s employees and other personnel using the Services or acting as administrative or business representatives with respect to the Services.
    • Sysdig as a Data Processor (or subprocessor): Customer’s employees and other personnel using the Services.

Categories of personal data:
    • Sysdig as a Data Controller: Personally identifiable information within B2B Relationship Data and Service Analytics as defined under the Agreement, including Contact Information and Internet or other electronic network activity information.
    • Sysdig as a Data Processor (or subprocessor):
      • Contact Information (e.g., name, email address, phone number, username, password);
      • Internet or other electronic network activity information collected for the purpose of providing, maintaining and securing the Service;
      • Other: any other additional Personal Data provided by Customer to Sysdig through Customer’s use of the Services, including the chat or capture functionality or support services, where applicable.

Subject matter of processing (including transfers):
    • Sysdig as a Data Controller: As set forth in the Agreement and Section 1 of this DPA.
    • Sysdig as a Data Processor (or subprocessor): Personal Data processed as further outlined under this Exhibit A, in connection with the provision of the Services to “authorized users,” and, where and to the extent used by Customer: (1) the chat functionality offered by the Services; (2) the capture functionality of the Services; and (3) support for the Services.

Nature and purpose of processing (including transfers):
    • Sysdig as a Data Controller: As set forth in the Agreement and Section 1 of this DPA.
    • Sysdig as a Data Processor (or subprocessor): The nature and purposes of processing carried out by Sysdig on behalf of Customer shall include the following Business Purposes:
      • Performing services on behalf of Customer (including maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing financing, providing analytic services, or providing similar services on behalf of the Customer);
      • Debugging to identify and repair errors that impair existing intended functionality;
      • Detecting security incidents, protecting against malicious, deceptive, fraudulent, or illegal activity, and prosecuting those responsible for that activity; and
      • Auditing related to a current interaction with the consumer and concurrent transactions, including, but not limited to, counting ad impressions to unique visitors, verifying positioning and quality of ad impressions, and auditing compliance with this specification and other standards.
      Sysdig may also use the Personal Data for internal use to build or improve the quality of the Services, to retain and employ another Subprocessor (or service provider), or as otherwise explicitly set forth under the Agreement.

Special Categories of personal data: None

Frequency of transfer: Continuous

Duration of Processing:
    • Sysdig as a Data Controller: As set forth in the Agreement and Section 1 of this DPA.
    • Sysdig as a Data Processor (or subprocessor): Sysdig will process Personal Data until the expiration or termination of the Agreement and for so long after such expiration or termination as required by applicable law.

EXHIBIT B
Technical and Organizational Security Measures

Sysdig currently employs the following technical and organizational measures designed to ensure an appropriate level of security, in each case, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.

Sysdig may update or modify these security standards from time to time provided such updates and modifications will not result in a degradation of the overall security of the Sysdig Services.

  • Measures of pseudonymisation and encryption of personal data: Records and files containing Personal Data are encrypted at rest, and in transit over public networks, by default.
  • Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services: As part of Sysdig’s SOC2 Type 2, and ISO 27001 and 27701 certifications, various policies and processes are in place to control Personal Data access, disclosure, modification and retention. Additionally, Personal Data is stored in a high availability setup and backed up on a regular basis.
  • Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident: Business Continuity and Data Recovery policies are in place with clearly defined RTO and RPO. Testing is performed at least annually.
  • Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing: Penetration tests as well as compliance audits are performed at least annually through authorized third parties.
  • Measures for user identification and authorisation: Sysdig follows industry standard practices for the identification and authentication of users who access or attempt to access Sysdig premises, devices or systems that contain Personal Data.
  • Measures for the protection of data during transmission: As a default practice, Personal Data in transit over public networks is encrypted in accordance with industry standard practices.
  • Measures for the protection of data during storage: Personal Data at rest is encrypted in accordance with Sysdig’s system management standard.
  • Measures for ensuring physical security of locations at which personal data are processed: Sysdig limits access to facilities where information systems that process Personal Data are located to identified authorized individuals. Sysdig maintains emergency and contingency plans for the facilities in which Sysdig information systems that process Personal Data are located.
  • Measures for ensuring events logging: In accordance with Sysdig’s SOC2 Type 2 certification audit trails are in place and are kept according to Sysdig’s retention policies and the requirements of Applicable Privacy Laws.
  • Measures for ensuring system configuration, including default configuration: Configuration is managed through IaC (infrastructure as code). Changes require review and approval by at least one other authorized Sysdig representative.
  • Measures for internal IT and IT security governance and management: All Sysdig laptops and workstations use endpoint protection and are enrolled in MDM to enforce consistent security policies (e.g. disk encryption, screen locking).
  • Measures for certification/assurance of processes and products: Sysdig processes and policies are reviewed on a regular basis in accordance with SOC2 Type 2, and ISO 27001 and 27701 certification requirements.
  • Measures for ensuring data minimisation: The Sysdig platform only requires a minimal amount of Personal Data to operate as outlined in the Exhibit A details of processing. Processing of additional Personal Data requires separate, written agreement between both Parties.
  • Measures for ensuring data quality: Input validation and database structures are in place to help ensure data quality.
  • Measures for ensuring limited data retention: Data and backup retention policies are in place and are reviewed at least annually to ensure compliance with Applicable Privacy Laws and minimization of retained data.
  • Measures for ensuring accountability: Sysdig has defined roles and responsibilities within the company designed towards ensuring the confidentiality, integrity and availability of Personal Data. These roles and responsibilities are reviewed annually to ensure continued efficacy and compliance with Applicable Privacy Laws. Sysdig employs least privilege access mechanisms to control access to Personal Data. Role-based access controls are employed to ensure that access to Personal Data required for the provision, maintenance and securing of the Services is for an appropriate purpose and approved with management oversight.
  • Measures for allowing data portability and ensuring erasure: Processes are in place to automatically remove Personal Data contained within the applicable Sysdig Services upon Agreement termination.
  • For transfers to (sub-) processors, also describe the specific technical and organisational measures to be taken by the (sub-) processor to be able to provide assistance to the controller and, for transfers from a processor to a sub-processor, to the data exporter: Sysdig has a vendor management process in place to review subprocessor compliance on an ongoing basis. DPAs and/or contractual clauses are in place to allow for data transfer as required by Applicable Privacy Laws.

EXHIBIT C
Standard Contractual Clauses

The parties agree that personal data transferred between and by the parties to Third Countries shall be subject to the Standard Contractual Clauses to the extent applicable and as further set forth under the DPA.

    1. The parties acknowledge the importance of the protection of personal data and the legal restrictions on international transfers of such data to Third Countries.
    2. Accordingly, the parties agree to abide by the GDPR, UK DPA 2018, and Swiss DPA, and other Applicable Privacy Laws recognizing the Standard Contractual Clauses or similar principles, as applicable, and enter into these standard contractual clauses to ensure that transfers of personal data to Third Countries are lawful and subject to adequate data protections. To the extent a transfer of personal data is subject to Article 3(2) of the GDPR, this Exhibit C shall not apply.
  1. CLARIFICATION OF DEFINITIONS & TERMS
    1. The terms “data controller” or “controller,” “data exporter,” “data importer,” “data processor” and “Personal Data” shall have the meaning under the GDPR, UK DPA 2018, Swiss DPA, or another Applicable Privacy Law, as applicable.
    2. For transfers of Personal Data to Third Countries originating from outside the EU, references to the General Data Protection Regulation will be replaced by the Applicable Privacy Law and references to the “EU,” “Union” or “Member State” shall be replaced with the applicable originating region.
    3. Section 1 Clause 1 (a) of the Standard Contractual Clauses (Definition of Data Importer): The “data importer” means Sysdig.
    4. Section 1 Clause 1 (a) of the Standard Contractual Clauses (Definition of Data Exporter): The “data exporter” means Customer.
    5. With respect to objections to subprocessors under Section 1 Clause 9, the process set forth under Section 4 of this DPA shall apply.
  2. APPLICABLE MODULES

    With respect to Processing of applicable personal data:

    1. When Customer is a Data Exporter and Controller, and Sysdig is a Data Importer and Controller – Module 1 shall apply.
    2. When Customer is a Data Exporter and Controller, and Sysdig is a Data Importer and Processor – Module 2 shall apply.
    3. When Customer is a Data Exporter and Processor, and Sysdig is a Data Importer and Sub-Processor – Module 3 shall apply.
    4. References to Module 4 in the SCCs shall not apply and language referencing that module shall not be treated as part of this DPA.
  3. AMENDMENTS OR UPDATES

    To the extent that any additional appropriate safeguards under Applicable Privacy Laws recognizing the Standard Contractual Clauses or similar principles are required to export data to any Third Country, or to the extent that the Standard Contractual Clauses are substituted or replaced or not recognised under any such law, the parties agree to either promptly implement the same or agree to use another acceptable method for transfer of such data and promptly amend this Exhibit C as necessary to comply with such requirements.

  4. CONFLICTS

    If the terms of the Agreement or the DPA conflict with the Standard Contractual Clauses, the terms of the Standard Contractual Clauses will prevail.

  5. STANDARD CONTRACTUAL CLAUSES

    The Standard Contractual Clauses will be deemed incorporated into this DPA and shall apply as completed below:

    1. In Clause 7, the “Docking Clause (Optional)”, will be deemed incorporated.
    2. In Clause 9, Option 2 is selected, and the time period for prior notice of addition or replacement of Subprocessors will be as set forth in the DPA.
    3. In Clause 11, the optional language will not apply.
    4. In Clause 13, the competent supervisory authority shall be the Irish Data Protection Commission where the EU SCCs apply, the FDPIC where the Swiss DPA applies and the UK Information Commissioner where the UK Transfer Addendum applies.
    5. In Clause 17, Option 2 is selected, and the Standard Contractual Clauses will be governed by the law of Ireland where the EU SCCs apply, the law of Switzerland where the Swiss DPA applies and the law of England and Wales where the UK Transfer Addendum applies.
    6. In Clause 18(b), disputes will be resolved before the courts of Ireland where the EU SCCs apply, the courts of Switzerland where the Swiss DPA applies and the courts of England and Wales where the UK Transfer Addendum applies.
    7. Annexes I and II of the SCCs are as set in Exhibits A and B of this DPA; and Annex III is as set forth in the Subprocessor List.
    8. For the purposes of the UK Transfer Addendum, the Standard Contractual Clauses will be interpreted in accordance with Part 2 of the UK Transfer Addendum; Sections 9 – 11 of the UK Transfer Addendum will override Clause 5 of the EU SCCs and both the “Importer” and “Exporter” shall be able to end the UK Transfer Addendum as set out in Section 19 of the UK Transfer Addendum.

By entering into the DPA, the Parties are deemed to be signing the applicable Standard Contractual Clauses.

November 2022