This Data Protection Agreement (the “DPA”) forms part of, and is subject to, the License Agreement (defined below) between Fivetran, Inc. (“Fivetran”) and Customer defined below (“Customer”). Capitalized terms have the meanings provided in the License Agreement (defined below) except as provided here.
WHEREAS, Fivetran and Customer are parties to the Master Services Agreement or other written or electronic terms of service (the “License Agreement”) regarding Customer’s subscription to Fivetran’s Services; and
WHEREAS, Fivetran and Customer wish to enter this DPA, which will supplement certain provisions of the License Agreement regarding the parties’ security and data protection obligations.
NOW THEREFORE, the parties agree as follows:
1.1 “Breach” means a breach of security by Fivetran that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data stored in the Services.
1.2 “CCPA” means the California Consumer Privacy Act, its associated regulations and their successors.
1.3 “Controller”, “Processor”, “Data Subject” and “Process” (whether or not capitalized) have the meanings ascribed to them by EU Data Protection Law and include equivalent terms in the CCPA and other applicable laws, in each case as applicable to the Services provided by Fivetran under the License Agreement.
1.4 “Customer Data” means all data provided by Customer to Fivetran to enable the provision of the Services.
1.5 “EU Data Protection Law” means the General Data Protection Regulation 2016/679 (“GDPR”).
1.6 “Personal Data”: (a) has the meaning provided in EU Data Protection Law in reference to residents of the European Economic Area, (b) means Personal Information as defined in the CCPA in reference to California residents, and (c) in reference to residents of other jurisdictions incorporates equivalent terms under other laws applicable to the Services.
1.7 “Standard Contractual Clauses” means the Standard Contractual Clauses for the Transfer of Personal Data to Processors Established in Third Countries approved by EC Commission Decision of 5 February 2010 or any successor clauses adopted in accordance with GDPR.
2. Handling of Customer Data.
2.1 General Processing Conditions. Fivetran will only process Customer Data in order to perform its obligations under the License Agreement, to manage its business operations or with Customer’s prior written consent.
2.2 Processing in Accordance with EU Law. Customer may be the controller of Personal Data or a processor. Fivetran will act as a processor or sub-processor, as appropriate. Each party will comply with the obligations that apply to it under EU Data Protection Law. Fivetran will promptly inform Customer if it becomes aware that processing requested by Customer infringes EU Data Protection Law.
2.3 Processing in Accordance with California Law. In accordance with the CCPA, and with respect to Personal Data to which CCPA applies: (a) Fivetran will not “sell” (as defined in the CCPA) any Personal Data; and (b) Fivetran will not collect, share or use any Personal Data except as necessary to perform services for Customer.
2.4 Confidentiality of Processing. Fivetran will treat Customer Data as Customer’s Confidential Information (as that term is defined in the License Agreement). Fivetran will protect the Customer Data in accordance with the confidentiality obligations under the License Agreement.
2.5 Cooperation and Data Subjects' Rights. Fivetran will provide reasonable and timely assistance to Customer (at Customer's expense) to enable Customer to respond to: (a) any request from a data subject to exercise any of its rights under EU Data Protection Law or the CCPA (including its rights of access, correction, objection, erasure and data portability, as applicable); and (b) any other correspondence, enquiry or complaint received from a data subject, regulator or other third party in connection with the processing of the Customer Data. If any such request, correspondence, enquiry or complaint is made directly to Fivetran, Fivetran will promptly inform Customer providing full details of the same.
2.6 Customer Data Return and Disposal. Within 30 days after a written request by Customer or the termination or expiration of the License Agreement, Fivetran will: (a) if requested by Customer, provide Customer with a copy of any Customer Data in Fivetran’s possession that Customer does not already have; and (b) securely destroy all Customer Data in Fivetran’s possession in a manner that makes such Customer Data non-readable and non-retrievable. Notwithstanding the foregoing, Fivetran may retain copies of Customer Data: (x) to the extent Fivetran has a separate legal right or obligation to retain some or all of the Customer Data; (y) that is incorporated into Fivetran business records such as email and accounting records, and (z) in backup systems until the backups have been overwritten or expunged in accordance with Fivetran’s backup policy.
2.7 International Transfers. Fivetran may not transfer Personal Data to, or process such data in, a location outside of the EEA without Customer’s prior written consent (in each case a “Transfer”). Without prejudice to the foregoing, Customer consents to Transfers outside of the EEA where Fivetran has implemented a Transfer solution compliant with EU Data Protection Law, which for example may include: (a) where such Transfer is subject to an adequacy decision by the European Commission; (b) the Standard Contractual Clauses, which are incorporated herein by reference; (c) another appropriate safeguard pursuant to Article 46 of the GDPR applies; or (d) a derogation pursuant to Article 49 of the GDPR.
2.8 Subprocessing. Customer consents to Fivetran engaging Fivetran affiliates and third party sub-processors to process Personal Data to carry out Fivetran’s obligations under the License Agreement. Fivetran will maintain an up-to-date list of its sub-processors on its website, which it will update with details of any change in sub-processors at least 10 days prior to any such change, and Fivetran will impose data protection terms on any sub-processor it appoints as required to protect Personal Data equivalent to those imposed on Fivetran in this DPA. Customer may object to Fivetran's appointment or replacement of a sub-processor prior to its appointment or replacement on reasonable grounds relating to data protection.
2.9 Data Protection Impact Assessment. Fivetran will provide reasonable cooperation to Customer (at Customer's expense) in connection with any data protection impact assessment that Customer may be required to perform under EU Data Protection Law.
3. Fivetran Security Measures.
3.1 Audit. The requirements of GDPR Article 28 and Clauses 5(f) and 12(2) of the Standard Contractual Clauses will be satisfied as follows. On Customer’s request and subject to the confidentiality obligations set forth in the License Agreement or an appropriate NDA in the case of third parties, Fivetran will make available to Customer a summary of its most recent SOC 2 audit report. Not more than once per year, Fivetran will also respond to a Customer security questionnaire and meet by teleconference or in person (at Customer’s expense) to address follow up questions. In addition, Customer may contact Fivetran to request an on-site audit, not more than once per year, of the procedures relevant to the protection of Personal Data. Before the commencement of any such on-site audit, Customer and Fivetran shall mutually agree upon the scope, timing, and duration of the audit and the reimbursement rate for any travel or other expenses Fivetran incurs in the course of such audit. All reimbursement rates shall be reasonable, taking into account the resources expended by Fivetran. Customer shall promptly notify Fivetran with information regarding any non-compliance discovered during the course of an audit.
3.2 Fivetran Security Responsibilities. Fivetran will use procedural, technical, and administrative safeguards on its Services designed to: (a) ensure the confidentiality, security, integrity, availability, and privacy of Customer Data when cached by the Services and in transit between Customer’s data sources and target systems; and (b) protect against any unauthorized processing, loss, use, disclosure or acquisition of or access to Customer Data via the Services.
3.3 Personnel Background Checks. Prior to engaging any employee or contractor who may receive access to Customer Data, Fivetran will conduct a criminal history background check (modified as appropriate to comply with applicable law in countries outside the United States) covering the five-year period prior to the employment commencement date of such employee.
4. Customer Security Measures.
Without limiting Fivetran’s obligations in this DPA and the License Agreement, Customer acknowledges it is responsible for determining how to connect the Services to Customer’s data sources and data warehouses. Notwithstanding any other provision of this DPA, the License Agreement or any other agreement related to the Services, Fivetran will have no obligations or liability as to any loss resulting from: (a) Customer’s environment, source and target data repositories, systems or software, or (b) Customer’s security configuration or administration of the Services. In particular:
4.1 Customer Responsibilities. Customer is responsible for security relating to its environment, particularly its source systems and target warehouse, and security relating to its configuration of the Services. This includes implementing and managing procedural, technical, and administrative safeguards on its systems and networks sufficient to: (a) ensure the confidentiality, security, integrity, and privacy of Customer Data while in the source and target systems; and (b) protect against breaches of Customer Data.
4.2 Appropriate Permissioning. Customer is solely responsible for provisioning users on the Services, including: (a) methods of authenticating users (such as industry-standard secure username/password policies); (b) managing admin privileges; (c) deauthorizing personnel who no longer need access to the Services; (d) setting up any API usage in a secure way; and (e) regularly auditing any public access links users create and restricting the permission to create public links, as necessary.
4.3 Fivetran Permission to Access Customer Data Sources. In order to use the Services, Customer must authorize the Services to access Customer’s databases or source systems. When granting authorization, Customer should follow the principle of least privilege to Customer database information, especially by granting no more than read-only access to database data.
5. Personal Data Breach Notification and Resolution.
5.1 Breach Notice. Fivetran will notify Customer of any confirmed Breach by email to the notice email address on the signature page below, or Customer’s principal contact for the Services if none is provided, without undue delay after Fivetran’s discovery or notification of a Breach. Fivetran will further take reasonably necessary measures to remedy or mitigate the effects of the Breach and will keep Customer informed of all material developments in connection with the Breach.
5.2 Cooperation. Fivetran will provide reasonable information and cooperation to Customer so that Customer can fulfil any data breach reporting obligations it may have under (and in accordance with the timescales required by) applicable law.
6.1 Construction; Interpretation. This DPA is not a standalone agreement and is only effective if a License Agreement is in effect between Fivetran and Customer. This DPA is part of the License Agreement and is governed by its terms and conditions, including limitations of liability set forth therein. This DPA and the License Agreement are the complete and exclusive statement of the mutual understanding of the parties and supersede and cancel all previous written and oral agreements and communications relating to the subject matter hereof. Headings contained in this DPA are for convenience of reference only and do not form part of this DPA.
6.2 Severability. If any provision of this DPA is adjudicated invalid or unenforceable, this DPA will be amended to the minimum extent necessary to achieve, to the maximum extent possible, the same legal and commercial effect originally intended by the parties. To the extent permitted by applicable law, the parties waive any provision of law that would render any clause of this DPA prohibited or unenforceable in any respect.
6.3 Amendment; Enforcement of Rights. No modification of or amendment to this DPA, nor any waiver of any rights under this DPA, will be effective unless in writing signed by the parties to this DPA. The failure by either party to enforce any rights under this DPA will not be construed as a waiver of any rights of such party.
6.4 Assignment. This DPA may be assigned only in connection with a valid assignment pursuant to the License Agreement. If the License Agreement is assigned by a party in accordance with its terms, this DPA will be automatically assigned by the same party to the same assignee.
6.5 Governing Law. This DPA will be governed by and construed in accordance with the laws of the jurisdiction governing the License Agreement unless otherwise required by EU Data Protection Law, in which case this DPA will be governed by the laws of the Republic of Ireland.
6.6 Counterparts. This DPA may be executed and delivered by facsimile or electronic signature and in two or more counterparts, each of which will be deemed an original, but all of which together will constitute one and the same instrument.