v1.9 Updated April 12, 2021
This Data Processing Agreement (the “DPA”) is executed as of the latest signed date by both parties below (the “DPA Effective Date”) between Fivetran, Inc. (“Fivetran”) and Customer defined below (“Customer”). Capitalized terms have the meanings provided in the MSA (defined below) except as provided here.
WHEREAS, Fivetran and Customer are parties to a Master Subscription Agreement (the “MSA”) regarding Customer’s trial and/or subscription to Fivetran’s Services; and
WHEREAS, Fivetran and Customer wish to enter this DPA, which will supplement certain provisions of the MSA regarding the parties’ security and data protection obligations.
NOW THEREFORE, the parties agree as follows:
1.1 “Breach” means a breach of security by Fivetran that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data stored in the Services.
1.2 “CCPA” means the California Consumer Privacy Act, its associated regulations and their successors.
1.3 “Controller”, “Processor”, “Data Subject” and “Process” (whether or not capitalized) have the meanings ascribed to them by GDPR (as defined below) and include equivalent terms in the CCPA and other applicable laws, in each case as applicable to the Services provided by Fivetran under the MSA.
1.4 “Customer Data” means all data provided by Customer to Fivetran to enable the provision of the Services.
1.5 “Data Protection Laws” means GDPR, UK GDPR, CCPA and all other laws and regulations applicable to the Processing of Personal Data under the MSA within the United States, European Union, the European Economic Area and their member states, Switzerland and the United Kingdom.
1.6 “GDPR” means the General Data Protection Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
1.7 “Personal Data”: (a) has the meaning provided in Data Protection Laws in reference to residents of the European Economic Area, Switzerland and the United Kingdom, (b) means Personal Information as defined in the CCPA in reference to California residents, and (c) in reference to residents of other jurisdictions incorporates equivalent terms under other laws applicable to the Services.
1.8 “Standard Contractual Clauses” means the Standard Contractual Clauses for the Transfer of Personal Data to Processors Established in Third Countries approved by EC Commission Decision of 5 February 2010 or any successor clauses adopted in accordance with GDPR. For purposes of the Standard Contractual Clauses Customer is the data exporter, Fivetran is the data importer, and the information required by Appendices 1 and 2 is described in Appendices 1 and 2 of this DPA.
1.9 “UK GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act of 2018.
2. Handling of Customer Data.
2.1 General Processing Conditions. Fivetran will only process Customer Data in order to perform its obligations under the MSA or with Customer’s prior written consent.
2.2 Processing in Accordance with EU and UK Law. Customer may be the controller of Personal Data or a processor. Fivetran will act as a processor or sub-processor, as appropriate. Each party will comply with the obligations that apply to it under Data Protection Laws. Fivetran will promptly inform Customer if it becomes aware that processing requested by Customer infringes Data Protection Laws.
2.3 Processing in Accordance with California Law. In accordance with the CCPA, and with respect to Personal Data to which CCPA applies: (a) Fivetran will not “sell” (as defined in the CCPA) any Personal Data; and (b) Fivetran will not collect, share or use any Personal Data except as necessary to perform services for Customer.
2.4 Local Implementation Agreement. If and when necessary to accommodate laws, regulations, and/or local business requirements in a particular country outside the United States, European Union, the European Economic Area and their member states, Switzerland and the United Kingdom, the parties may enter into a Local Implementation Addendum covering additional requirements under such laws that are not already addressed in the MSA or this DPA.
2.5 Confidentiality of Processing. Fivetran will treat Customer Data as Customer’s Confidential Information (as that term is defined in the MSA). Fivetran will protect the Customer Data in accordance with the confidentiality obligations under the MSA.
2.6 Cooperation and Data Subjects' Rights. Fivetran will provide reasonable and timely assistance to Customer (at Customer's expense) to enable Customer to respond to: (a) any request from a data subject to exercise any of its rights under Data Protection Laws (including rights of access, correction, objection, erasure and data portability, as applicable); and (b) any other correspondence, enquiry or complaint received from a data subject, regulator or other third party in connection with the processing of the Customer Data. If any such request, correspondence, enquiry or complaint is made directly to Fivetran, Fivetran will promptly inform Customer providing full details of the same.
2.7 Customer Data Return and Disposal. Within 30 days after a written request by Customer or the termination or expiration of the MSA, Fivetran will: (a) if requested by Customer, provide Customer with a copy of any Customer Data in Fivetran’s possession that Customer does not already have; and (b) securely destroy all Customer Data in Fivetran’s possession in a manner that makes such Customer Data non-readable and non-retrievable. Notwithstanding the foregoing, Fivetran may retain copies of Customer Data: (x) to the extent Fivetran has a separate legal right or obligation to retain some or all of the Customer Data; and (y) in backup systems until the backups have been overwritten or expunged in accordance with Fivetran’s backup policy.
2.8 International Transfers. Fivetran shall not transfer the Data outside of the European Economic Area ("EEA") unless it has taken such measures as are necessary to ensure the transfer is in compliance with applicable Data Protection Laws. Without prejudice to the foregoing, Customer consents to transfers outside of the EEA where Fivetran has implemented a transfer solution compliant with Data Protection Laws, which for example may include: (a) where such transfer is subject to an adequacy decision by the European Commission; (b) the Standard Contractual Clauses, which are incorporated herein by reference; (c) another appropriate safeguard applies pursuant to Article 46 of the GDPR or other provisions of Data Protection Laws; or (d) a derogation pursuant to Article 49 of the GDPR.
2.9 Subprocessing. Customer consents to Fivetran engaging Fivetran affiliates and third party sub-processors to process Personal Data to carry out Fivetran’s obligations under the MSA. Fivetran will maintain an up-to-date list of its sub-processors on its website, which it will update with details of any change in sub-processors at least 10 days prior to any such change, thereby giving Customer the opportunity to object to such changes. Fivetran will impose data protection terms on any sub-processor it appoints as required to protect Personal Data equivalent to those imposed on Fivetran in this DPA.
2.10 Data Protection Impact Assessment. Fivetran will provide reasonable cooperation to Customer (at Customer's expense) in connection with any data protection impact assessment that Customer may be required to perform under Data Protection Laws.
3. Fivetran Security Measures.
3.1 Audit. The audit requirements under Data Protection Laws will be satisfied as follows. On Customer’s request and subject to the confidentiality obligations set forth in the MSA or an appropriate NDA in the case of third parties, Fivetran will make available to Customer a summary of its most recent SOC 2 audit report. Not more than once per year, Fivetran will also respond to a Customer security questionnaire and meet by teleconference or in person (at Customer’s expense) to address follow-up questions. In addition, Customer may contact Fivetran to request an on-site audit, not more than once per year, of the procedures relevant to the protection of Personal Data. Before the commencement of any such on-site audit, Customer and Fivetran shall mutually agree upon the scope, timing, and duration of the audit and the reimbursement rate for any travel or other expenses Fivetran incurs in the course of such audit. All reimbursement rates shall be reasonable, taking into account the resources expended by Fivetran. Customer shall promptly notify Fivetran with information regarding any non-compliance discovered during the course of an audit.
3.2 Fivetran Security Responsibilities. Fivetran will: (a) use procedural, technical, and administrative safeguards on its Services designed to ensure the confidentiality, security, integrity, availability, and privacy of Customer Data when cached by the Services and in transit between Customer’s data sources and target systems; and (b) protect against any unauthorized processing, loss, use, disclosure or acquisition of or access to Customer Data via the Services.
3.3 Personnel Background Checks. Prior to engaging any employee or contractor who may receive access to Customer Data, Fivetran will conduct a criminal history background check (modified as appropriate to comply with applicable law in countries outside the United States) covering the five-year period prior to the employment commencement date of such employee.
4. Customer Security Measures.
Without limiting Fivetran’s obligations in this DPA and the MSA, Customer acknowledges it is responsible for determining how to connect the Services to Customer’s data sources and data warehouses. Notwithstanding any other provision of this DPA, the MSA or any other agreement related to the Services, Fivetran will have no obligations or liability as to any loss resulting from: (a) Customer’s environment, source and target data repositories, systems or software, or (b) Customer’s security configuration or administration of the Services. In particular:
4.1 Customer Responsibilities. Customer is responsible for security relating to its environment, particularly its source systems and target warehouse, and security relating to its configuration of the Services. This includes implementing and managing procedural, technical, and administrative safeguards on its systems and networks sufficient to: (a) ensure the confidentiality, security, integrity, and privacy of Customer Data while in the source and target systems; and (b) protect against breaches of Customer Data.
4.2 Appropriate Permissioning. Customer is solely responsible for provisioning users on the Services, including: (a) methods of authenticating users (such as industry-standard secure username/password policies); (b) managing admin privileges; (c) deauthorizing personnel who no longer need access to the Services; (d) setting up any API usage in a secure way; and (e) regularly auditing any public access links users create and restricting the permission to create public links, as necessary.
4.3 Fivetran Permission to Access Customer Data Sources. In order to use the Services, Customer must authorize the Services to access Customer’s databases or source systems. When granting authorization, Customer should follow the principle of least privilege with respect to Customer database information, in particular by granting no more than read-only access to database data.
5. Personal Data Breach Notification and Resolution.
5.1 Breach Notice. Fivetran will notify Customer of any confirmed Breach by email to the notice email address on the signature page below, or to Customer’s principal contact for the Services if none is provided, without undue delay after Fivetran’s discovery or notification of a Breach. Fivetran will further take reasonably necessary measures to remedy or mitigate the effects of the Breach and will keep Customer informed of all material developments in connection with the Breach.
5.2 Cooperation. Fivetran will provide reasonable information and cooperation to Customer so that Customer can fulfil any data breach reporting obligations it may have under (and in accordance with the timescales required by) applicable law.
6.1 Construction; Interpretation. This DPA is not a standalone agreement and is only effective if a MSA is in effect between Fivetran and Customer. This DPA is part of the MSA and is governed by its terms and conditions, including limitations of liability set forth therein. This DPA and the MSA are the complete and exclusive statement of the mutual understanding of the parties and supersede and cancel all previous written and oral agreements and communications relating to the subject matter hereof. Headings contained in this DPA are for convenience of reference only and do not form part of this DPA.
6.2 Severability. If any provision of this DPA is adjudicated invalid or unenforceable, this DPA will be amended to the minimum extent necessary to achieve, to the maximum extent possible, the same legal and commercial effect originally intended by the parties. To the extent permitted by applicable law, the parties waive any provision of law that would render any clause of this DPA prohibited or unenforceable in any respect.
6.3 Amendment; Enforcement of Rights. No modification of or amendment to this DPA, nor any waiver of any rights under this DPA, will be effective unless in writing signed by the parties to this DPA. The failure by either party to enforce any rights under this DPA will not be construed as a waiver of any rights of such party.
6.4 Assignment. This DPA may be assigned only in connection with a valid assignment pursuant to the MSA. If the MSA is assigned by a party in accordance with its terms, this DPA will be automatically assigned by the same party to the same assignee.
6.5 Governing Law. This DPA will be governed by and construed in accordance with the laws of the jurisdiction governing the MSA unless otherwise required by GDPR or Data Protection Laws, in which case this DPA will be governed by the laws of the Republic of Ireland.
6.6 Counterparts. This DPA may be executed and delivered by facsimile or electronic signature and in two or more counterparts, each of which will be deemed an original, but all of which together will constitute one and the same instrument.
Appendix 1: Description of Data Processing
The data processing activities carried out by Fivetran under the MSA may be described as follows:
Subject Matter and Purpose
The personal data transferred will be subject to the following basic processing activities:
Fivetran will process Customer personal data in order to facilitate migration of data from Customer’s data sources into Customer’s data warehouse.
The personal data transferred concern the following categories of data subjects:
Customer’s employees and consultants who use Fivetran’s Service.
Individuals whose personal data is stored in Customer’s data sources and processed by Fivetran.
Categories of personal data
The personal data transferred concern the following categories of data:
Fivetran may have access to personal data of Customer’s employees and consultants who use Fivetran’s Service.
Fivetran may have access to personal data of Individuals whose personal data is stored in Customer’s data sources.
The types of personal data processed are determined by Customer and may include without limitation: Name, Email address, Physical address, IP-address and other online identifiers, Date of birth, Telephone/mobile number, Location Data.
Special categories of data (if appropriate)
The personal data transferred concern the following special categories of data:
Appendix 2 Technical and Organizational Security Measures
Description of the technical and organisational security measures implemented by Fivetran in accordance with Data Protection Laws:
Fivetran security measures can be found on our website at https://fivetran.com/docs/security
Security measures include:
Transport layer security
All data is transmitted to or from Fivetran over an encrypted protocol using industry-standard cryptographic protocols (TLS 1.2+)
Fivetran redirects unencrypted requests (HTTP) to an encrypted protocol (HTTPS)
Physical & Environmental Security
The Fivetran services are hosted in Google Cloud Platform (GCP) and Amazon Web Services (AWS). Hosting providers maintain physical & environmental security protections including:
Physical access is restricted to approved employees based on the principle of least privilege
Multi-factor authentication when approved personnel access facilities
Closed Circuit Television Camera (CCTV) video recording of access points
Fire detection and suppression systems
Redundant infrastructure for power, networking, and cooling
Logical Access controls
Logical access to the Fivetran services is restricted to employees based on the principle of least privilege. All access is formally approved and requires multi-factor authentication.
Access is removed in the event of employee termination, or if the employee changes roles and no longer requires access, and is reviewed on a quarterly basis.
Access activity is logged in centralized logging infrastructure and protected from tampering.
Fivetran completes an annual, independent SOC 2 Type 2 audit of its facilities, networks, and systems. On Data Exporter’s request, Fivetran will provide the results of the audit.
Processing of customer data
Data pipes for each customer are managed separately within the host environment. Except as described at https://fivetran.com/docs/security#retentionofcustomerdata, Fivetran does not store customer data, other than while in transit. Access information to customer resources required for data pipe functionality is logically separated within the host storage facility (GCP or AWS).
Fivetran does not control the host physical infrastructure. Fivetran relies on the fault-tolerant nature of GCP and AWS across multiple availability zones, and can redeploy the platform to another region in case of catastrophic failure.
Except as described at https://fivetran.com/docs/security#retentionofcustomerdata, Fivetran will process Customer Data within the region specified by the Customer during configuration of the data pipe. Current geographic regions supported by Fivetran are found here: https://fivetran.com/docs/getting-started/ips.