Data Privacy & Data Security Agreement

DATA PRIVACY & DATA SECURITY AGREEMENT

This Data Privacy & Data Security Agreement (the “DPA”) is between MacStadium, Inc. (“MacStadium”), a Georgia corporation, and Customer indicated below who uses MacStadium Services (“Customer”). Customer and MacStadium are referred to as the “Parties.” This DPA governs the Parties’ obligations with regard to the privacy and security of Customer Data to the extent that MacStadium acts as a Processor or a service provider under Data Protection Laws and shall be incorporated into the Master Services Agreement (“Agreement”) by and between MacStadium and Customer. Any capitalized terms not defined in this DPA shall have the meaning stated in the Agreement.

Background

MacStadium is the provider of private cloud-based infrastructure services. MacStadium provides a physical location for the operation of certain computing equipment, the personal computers and servers themselves, data center-related services, such as physical security, electricity, HVAC, and similar services, and internet connectivity. The setup and operation of the computers and servers themselves are operated exclusively by MacStadium’s Customers, other than certain services where MacStadium has access to Customer computing infrastructure solely to configure such computers, including storage and virtualization. All Customer Data transmitted to or stored on MacStadium’s computing infrastructure or equipment is required to be in encrypted form.

The Parties agree as follows:

1. Definitions.

“Authorized Persons” means MacStadium’s employees, agents, and contractors that have a need to know or otherwise access Customer Data to enable MacStadium to provide the Services.

“Customer Data” means all data relating to Customer or Customer’s users that is (i) provided to MacStadium by or on behalf of Customer or a Customer’s user or (ii) otherwise obtained, accessed, developed, or produced by MacStadium. Customer Data may include Personal Data.

“Controller” means a controller as defined under the GDPR or a business as defined by the CPRA.
“Data Protection Laws” means all international, federal, national, and state data laws and regulations with regard to data privacy or data security.

“Data Breach” means any loss or unauthorized access, acquisition, theft, destruction, disclosure, or use of Customer Data that is caused by MacStadium while such Customer Data is in the possession of or under the control of MacStadium.

“CPRA” means the California Privacy Rights Act and implementing regulations.

“EU Customer Data” means Customer Data that is Personal Data relating to an individual residing in the EU.
“GDPR” means the EU General Data Protection Regulation 2016/679.

“Personal Data” means information relating to an identified or identifiable natural person (the “Data Subject”). An identifiable natural person is a natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

“Process” or “Processing” means any operation or set of operations that are performed upon Customer Data, whether or not by automatic means, such as collection, accessing, processing, use, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure, dissemination, transmittal, alignment or combination, blocking, erasure, destruction or otherwise used as set out in the applicable Data Protection Laws.

“Processor” means a processor as defined under the GDPR or a service provider under the CPRA.

“Services” means the services, solutions, and products to be provided to or carried out by or on behalf of MacStadium for Customer

“Sub-Processor” shall mean an entity engaged by MacStadium to assist it in Processing the Customer Data in fulfillment of its obligations with regard to the Services.

“Third Party” is any person or entity other than MacStadium and Customer.

2. Data Privacy.

2.1 Compliance with Laws. For purposes of the Data Protection Laws, Customer is considered the Controller and MacStadium is its Processor. If Customer is considered a Processor for purposes of the Data Protection Laws, then MacStadium is considered its Sub-Processor. Customer is authorized to take reasonable and appropriate steps to ensure that MacStadium is not in breach of its obligations or limitations as outlined in this DPA or under Data Protection Laws. Customer will only take such steps by exercising its rights as set forth in this DPA.

2.2 Distribution of Customer Data. Customer shall only provide MacStadium with Personal Data that is needed by MacStadium to provide the Services. MacStadium shall not be responsible for any additional Personal Data. Customer represents and warrants that it has obtained all consents from any Controller or Data Subject necessary to provide the Personal Data that it makes available to MacStadium pursuant to this DPA.

2.3 Limitations on Use of Personal Data. The Parties acknowledge and agree that, by the nature of the Services, MacStadium cannot and therefore agrees not to Process Customer Data other than for the purposes specifically directed by Customer. The Parties agree that MacStadium has no knowledge of the nature of the Customer Data stored and is therefore unable to determine, and will have no obligation to limit, the time within which Customer Data is stored. MacStadium does not provide backup or data retention services for Customers. Customer acknowledges and agrees that, as part of providing the Services, MacStadium may use Customer Data for its internal business purposes, such as (i) to enhance, analyze, develop or troubleshoot MacStadium’s products and services; (ii) to comply with applicable laws (including law enforcement requests or compulsory disclosures); (iii) to help ensure the internal security of MacStadium’s products and services and prevent fraud or mitigate risk; and/or (iv) for any other purposes contemplated or permitted by the Agreement, this DPA, or by applicable law (each of the foregoing, along with the provision of Services, a “Permitted Service Purpose” collectively the “Permitted Service Purposes”).

2.4 Restrictions. MacStadium certifies that it will not: (a) use Customer Data other than as necessary for MacStadium to provide the Services and its obligations under this DPA, (b) disclose, sell, ‘share’ (as such term is defined under the California Privacy Rights Act), assign, lease or otherwise provide Customer Data to Third Parties (other than to its affiliates or Sub-Processors), (c) merge or combine Customer Data received in connection with performing the Services with other data, or modify or commercially exploit any Customer Data, (d) retain, use or disclose the Customer Data for any purpose other than the provision of Services including to retain, use, or disclose the Customer Data for a commercial purpose other than for the provision of Services, and (e) retain, use, or disclose the Customer Data outside of the direct business relationship between MacStadium and Customer except at Customer’s direction. The Parties acknowledge and agree that the foregoing restrictions in this section 2.4 shall not restrict MacStadium from using Customer Data for Permitted Service Purposes. Customer and MacStadium hereby acknowledge and agree that in no event shall the transfer of Customer Personal Information from Customer to MacStadium pursuant to the Agreement constitute a sale of information to MacStadium, and that nothing in the Agreement shall be construed as providing for the sale of Customer Personal Information to MacStadium.

2.5 Sensitive Personal Data. In no event will Customer provide any Sensitive Personal Data to MacStadium. “Sensitive Personal Data” means (a) information that reveals a natural person’s racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, (b) information or data concerning a natural person’s health or sex life or sexual orientation; or (c) genetic data or biometric data about a natural person.

3. Sub-Processors.

MacStadium may engage Sub-Processors where prior notice is provided at least fifteen (15) days prior to the first instance of Customer Data sharing in connection with the provision of the Services. MacStadium may not provide a Sub-Processor with access to Customer Data unless the Sub-Processor has: (i) a business need to know/access the relevant Customer Data, as necessary for the purposes of the Services; (ii) signed a written obligation of confidentiality or are under professional obligations of confidentiality; and (iii) implemented technical, operational, physical, and organization safeguards to protect Customer Data against accidental or unlawful destruction or alteration and unauthorized disclosure or access. The Parties acknowledge and agree that service providers to MacStadium, whose scope of services do not include the Processing of Customer Data, are not Sub-Processors under the terms of this Section.

4. Data Subject Rights; Cooperation.

Based on the information available to it and the nature of its processing, if MacStadium receives any request from Data Subjects, authorities, or others relating to its data processing, MacStadium will without undue delay inform Customer and reasonably assist Customer with developing a response (but MacStadium will not itself respond other than to confirm receipt of the request, to inform the data subject, authority or other third party that their request has been forwarded to Customer, and/or to refer them to Customer, except per reasonable instructions from Customer). With respect to Customer Data or Personal Data, at a party’s request and at such requesting party’s expense, the parties shall provide each other reasonable assistance (taking into account the nature of Processing and the information available to MacStadium) with respect to data protection impact assessments, prior consultations, and/or notifications to a supervisory authority.

5. Return or Destruction of Customer Data.

Customer acknowledges that at all times Customer retains the ability (i) to retrieve any or all Customer Data and (ii) to delete Customer Data permanently and securely. However, if MacStadium is required by law to retain Customer Data, then MacStadium will continue to protect such Customer Data in accordance with this DPA and limit any use to the purposes of such retention or as required by law. Notwithstanding any other term herein, MacStadium may delete all data at the expiration or termination of the Agreement or relevant service terms or service orders.

6. Data Security.

6.1 Security Program Requirements. MacStadium will maintain a program of physical security that contains administrative, technical, and physical safeguards appropriate to the complexity, nature, and scope of its activities. MacStadium’s physical security program shall be designed to protect the security and confidentiality of Customer Data against unlawful or accidental access to, or unauthorized processing, disclosure, destruction, damage, or loss of Customer Data. Customer acknowledges and agrees that other than physical security, Customer solely controls and is solely responsible for all other aspects of the security of Customer Data.

6.2 Regular Reviews. MacStadium shall ensure that its physical security measures are regularly reviewed and revised to address evolving threats and vulnerabilities. MacStadium has the right to install patches that address security vulnerabilities. MacStadium will not be liable for any inability, delay, failure, or mistake in the implementation of any security upgrade or patch.

7. Data Breach Procedures.

7.1 Notification. MacStadium shall notify Customer of any Data Breach caused by MacStadium as soon as practicable, and without undue delay, after becoming aware of it. Such notification shall at a minimum: (i) describe the nature of the Data Breach, if known; (ii) communicate the name and contact details of MacStadium's data protection officer or other relevant contact from whom more information may be obtained; and (iii) describe the measures taken or proposed to be taken to address the Data Breach. MacStadium will not provide the categories and numbers of Data Subjects concerned and the categories and numbers of Personal Data records concerned.

7.2 Remedial Actions. In the event of a Data Breach caused by MacStadium, MacStadium will use commercially reasonable efforts, but only consistent with the Services and the limitations of the Services provided to: (a) remedy the Data Breach condition, investigate, document, restore Customer service(s), and undertake required response activities; (b) provide regular status reports to Customer on Data Breach response activities; (c) assist Customer with the coordination of media, law enforcement, or other Data Breach notifications; and (d) assist and cooperate with Customer in its Data Breach response efforts.

8. Cross-Border Transfers.

8.1 Location. MacStadium systems and MacStadium’s Processing of Customer Data will occur within the following jurisdictions: United States of America and the European Union (the “Processing Jurisdictions”). MacStadium will not transfer any Customer Data outside of the Processing Jurisdictions without the prior written agreement of Customer. Customer acknowledges that MacStadium does not have sufficient access to the computing systems provided by the Services to transfer Customer Data to any location. To the extent legally available as providing an adequate level of protection for transfers of EU Customer Data, Customer agrees that MacStadium may rely on the EU-U.S. Data Privacy Framework (“DPF”) operated by the U.S. Department of Commerce as providing an adequate level of protection for transfers of Customer Data. While MacStadium is self-certified to the Data Privacy Framework, MacStadium agrees to Process EU Customer Data in compliance with the Data Privacy Framework principles. MacStadium may use and/or require Customer to utilize an alternative data transfer framework in MacStadium’s discretion, including if the DPF becomes unavailable.

8.2 Sub-Processors. Upon notice from Customer that it has provided EU Customer Data to MacStadium and acknowledgement of the same from MacStadium, , MacStadium will use commercially reasonable efforts to contract with Sub-Processors only in accordance with DPF requirements, or with an alternative data transfer framework utilized in MacStadium’s discretion (including the EU-prescribed Standard Contractual Clauses (the “Clauses”). (These Clauses can be located in their original text on the European Commission website here: https://commission.europa.eu/publications/standard-contractual-clauses-controllers-and-processors-eueea_en. The Parties acknowledge and agree that service providers to MacStadium, whose scope of services do not include the Processing of Customer Data, are not Sub-Processors of MacStadium under the terms of this Section. The Parties additionally acknowledge and agree that third parties to whom Customer directs the provision of Customer Data are not Sub-Processors of MacStadium.

8.3 Customer further acknowledges and agrees that MacStadium has no knowledge of the content of the data processed by Customer using the Services.

9. Indemnification.

Customer shall defend, indemnify, and hold harmless MacStadium and its subsidiaries, affiliates, and their respective officers, directors, employees, agents, successors, and permitted assigns (“Indemnified Parties”) from and against all losses, damages, liabilities, actions, judgments, penalties, fines, costs, or expenses (including reasonable attorneys' fees) arising from any Third Party claims against any such Indemnified Parties (collectively, “Losses”) to the extent such Losses result from (i) Customer’s failure to materially comply with any of its obligations under this DPA, (ii) Customer’s failure to properly encrypt any Customer Data in transit or at rest in connection with the Services; or (iii) Customer’s failure to adequately protect decryption keys. Customer’s obligations are subject to the Indemnified Party’s: (a) promptly notifying the Customer of the claim giving rise to the indemnity; (b) providing the Customer with sole control and authority over the defense of such claim and all related settlement negotiations; and (c) providing the Customer, at the Customer’s request and expense, with all information and assistance under the possession or control of the Customer Party that is reasonably necessary or useful to defend and/or settle any such claim or action.

10. Audits Reports.

Without limiting any of MacStadium's other obligations under this Section 10, if MacStadium engages a third-party auditor to perform a Statement on Standards for Attestation Engagements No. 16 (SSAE 16) or other data security audit of MacStadium's operations, information security program or disaster recovery/business continuity plan, MacStadium shall provide a copy of the audit report to Customer within a reasonable time after Customer’s written request for a copy of such report. Any such audit reports shall be MacStadium's confidential information.

11. Notices.

As required by Data Protection Laws, MacStadium shall notify Customer if MacStadium determines that it can no longer meet its obligations under Data Protection Laws or this DPA. As required by applicable Data Protection Laws, Customer may take reasonable and appropriate steps to stop and remediate MacStadium’s unauthorized use of Customer Data by providing a notice to MacStadium of the steps that Customer proposes MacStadium take.

AGREED: