v1.10 Updated September 27, 2021
This Data Processing Addendum (the “DPA”) is executed as of the latest date below (the “DPA Effective Date”) between Fivetran, Inc. (“Fivetran”) and Customer defined below (“Customer”). Capitalized terms have the meanings provided in the MSA (defined below) except as provided here.
WHEREAS, Fivetran and Customer are parties to a Master Subscription Agreement (the “MSA”) regarding Customer’s trial and/or subscription to Fivetran’s Services; and
WHEREAS, Fivetran and Customer wish to enter this DPA, which will supplement certain provisions of the MSA regarding the parties’ security and data protection obligations.
NOW THEREFORE, the parties agree as follows:
1.1 “Breach” means a breach of security by Fivetran that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data stored in the Services.
1.2 “CCPA” means the California Consumer Privacy Act, its associated regulations and their successors.
1.3 “Controller”, “Processor”, “Data Subject” and “Process” (whether or not capitalized) have the meanings ascribed to them by GDPR (as defined below) and include equivalent terms in the CCPA and other Data Protection Laws, in each case as applicable to the Services provided by Fivetran under the MSA.
1.4 “Customer Data” means all data provided by Customer to Fivetran to enable the provision of the Services.
1.5 “Data Protection Laws” means GDPR, UK GDPR, CCPA and all other laws and regulations applicable to the Processing of Personal Data under the MSA within the United States, European Union, the European Economic Area and their member states, Switzerland and the United Kingdom.
1.6 “GDPR” means the General Data Protection Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
1.7 “Personal Data”: (a) has the meaning provided in Data Protection Laws in reference to residents of the European Economic Area, Switzerland and the United Kingdom, (b) means Personal Information as defined in the CCPA in reference to California residents, and (c) in reference to residents of other jurisdictions incorporates equivalent terms under other laws applicable to the Services.
1.8 “Standard Contractual Clauses” means the Standard Contractual Clauses for the Transfer of Personal Data to Processors Established in Third Countries under GDPR, as approved by European Commission Implementing Decision 2021/914. Appendix 1 to this DPA contains certain interpretive and supplementary provisions regarding application of the Standard Contractual Clauses. The information required by Annexes 1 and 2 of the Standard Contractual Clauses is provided in Annexes 1 and 2 of this DPA.
1.9 “UK GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act of 2018.
2. Handling of Customer Data.
2.1 General Processing Conditions. Fivetran will only process Customer Data in order to perform its obligations under the MSA or with Customer’s prior written consent. Fivetran shall immediately inform Customer if it is unable to follow those instructions.
2.2 Processing in Accordance with EU and UK Law. Customer may be the controller of Personal Data or a processor. Fivetran will act as a processor or sub-processor, as appropriate. Each party will comply with the obligations that apply to it under Data Protection Laws. Fivetran will promptly inform Customer if it becomes aware that processing requested by Customer infringes Data Protection Laws.
2.3 Processing in Accordance with California Law. In accordance with the CCPA, and with respect to Personal Data to which CCPA applies: (a) Fivetran will not “sell” (as defined in the CCPA) any Personal Data; and (b) Fivetran will not collect, share or use any Personal Data except as necessary to perform services for Customer.
2.4 Local Implementation Agreement. If and when necessary to accommodate laws, regulations, and/or local business requirements in a particular country outside the United States, European Union, the European Economic Area and their member states, Switzerland and the United Kingdom, the parties may enter into a Local Implementation Addendum covering additional requirements under such laws that are not already addressed in the MSA or this DPA.
2.5 Confidentiality of Processing. Fivetran will treat Customer Data as Customer’s Confidential Information (as that term is defined in the MSA). Fivetran will protect the Customer Data in accordance with the confidentiality obligations under the MSA.
2.6 Cooperation and Data Subjects' Rights. Fivetran will provide reasonable and timely assistance to Customer to enable Customer to respond to: (a) any request from a data subject to exercise any of its rights under Data Protection Laws (including rights of access, correction, objection, erasure and data portability, as applicable); and (b) any other correspondence, enquiry or complaint received from a data subject, regulator or other third party in connection with the processing of the Customer Data. If any such request, correspondence, enquiry or complaint is made directly to Fivetran, Fivetran will (unless prohibited by applicable law) promptly inform Customer providing full details of the same.
2.7 Customer Data Return and Disposal. Within 30 days after a written request by Customer or the termination or expiration of the MSA, Fivetran will: (a) if requested by Customer, provide Customer with a copy of any Customer Data in Fivetran’s possession that Customer does not already have; and (b) securely destroy all Customer Data in Fivetran’s possession in a manner that makes such Customer Data non-readable and non-retrievable. Notwithstanding the foregoing, Fivetran may retain copies of Customer Data: (x) to the extent Fivetran has a separate legal right or obligation to retain some or all of the Customer Data; and (y) in backup systems until the backups have been overwritten or expunged in accordance with Fivetran’s backup policy. Until the data is deleted or returned, Fivetran shall continue to ensure compliance with its security and privacy obligations in the MSA and this DPA.
2.8 International Transfers. Fivetran shall not transfer the Data outside of the European Economic Area ("EEA") unless it has taken such measures as are necessary to ensure the transfer is in compliance with applicable Data Protection Laws. Without prejudice to the foregoing, Customer consents to transfers outside of the EEA where Fivetran has implemented a transfer solution compliant with Data Protection Laws, which for example may include: (a) where such transfer is subject to an adequacy decision by the European Commission; (b) the Standard Contractual Clauses, which are incorporated herein by reference; (c) another appropriate safeguard applies pursuant to Article 46 of the GDPR or other provisions of Data Protection Laws; or (d) a derogation pursuant to Article 49 of the GDPR.
2.9 Subprocessing. Customer consents to Fivetran engaging Fivetran affiliates and third party sub-processors to process Personal Data to carry out Fivetran’s obligations under the MSA. Fivetran will maintain an up-to-date list of its sub-processors on its website, which it will update with details of any change in sub-processors at least 10 days prior to any such change, thereby giving Customer the opportunity to object to such changes. Fivetran will impose data protection terms on any sub-processor it appoints as required to protect Personal Data equivalent to those imposed on Fivetran in this DPA.
2.10 Data Protection Impact Assessment. Fivetran will provide reasonable cooperation to Customer (at Customer's expense) in connection with any data protection impact assessment that Customer may be required to perform under Data Protection Laws.
3. Fivetran Security Measures.
3.1 Audit. The audit requirements under Data Protection Laws will be satisfied as follows. On Customer’s request and subject to the confidentiality obligations set forth in the MSA or an appropriate NDA in the case of third parties, Fivetran will make available to Customer a summary of its most recent SOC 2 audit report. Not more than once per year, Fivetran will also respond to a Customer security questionnaire and meet by teleconference or in person (at Customer’s expense) to address follow up questions.
3.2 Fivetran Security Responsibilities. Fivetran will: (a) use procedural, technical, and administrative safeguards on its Services designed to ensure the confidentiality, security, integrity, availability, and privacy of Customer Data when cached by the Services and in transit between Customer’s data sources and target systems; and (b) protect against any unauthorized processing, loss, use, disclosure or acquisition of or access to Customer Data via the Services.
3.3 Personnel Background Checks. Prior to engaging any employee or contractor who may receive access to Customer Data, Fivetran will conduct a criminal history background check (modified as appropriate to comply with applicable law in countries outside the United States) covering the three-year period prior to the employment commencement date of such employee.
4. Personal Data Breach Notification and Resolution.
4.1 Breach Notice. Fivetran will notify Customer without undue delay after Fivetran’s discovery or notification of Breach by email to the notice email address on the signature page below, or Customer’s principal contact for the Services if none is provided. Fivetran will further take reasonably necessary measures to remedy or mitigate the effects of the Breach and will keep Customer informed of all material developments in connection with the Breach.
4.2 Cooperation. Fivetran will provide reasonable information and cooperation to Customer so that Customer can fulfil any data breach reporting obligations it may have under (and in accordance with the timescales required by) applicable law.
5.1 Construction; Interpretation. This DPA is not a standalone agreement and is only effective if a MSA is in effect between Fivetran and Customer. This DPA is part of the MSA and is governed by its terms and conditions, including limitations of liability set forth therein. This DPA and the MSA are the complete and exclusive statement of the mutual understanding of the parties and supersede and cancel all previous written and oral agreements and communications relating to the subject matter hereof. Headings contained in this DPA are for convenience of reference only and do not form part of this DPA.
5.2 Severability. If any provision of this DPA is adjudicated invalid or unenforceable, this DPA will be amended to the minimum extent necessary to achieve, to the maximum extent possible, the same legal and commercial effect originally intended by the parties. To the extent permitted by applicable law, the parties waive any provision of law that would render any clause of this DPA prohibited or unenforceable in any respect.
5.3 Amendment; Enforcement of Rights. No modification of or amendment to this DPA, nor any waiver of any rights under this DPA, will be effective unless in writing signed by the parties to this DPA. The failure by either party to enforce any rights under this DPA will not be construed as a waiver of any rights of such party.
5.4 Assignment. This DPA may be assigned only in connection with a valid assignment pursuant to the MSA. If the MSA is assigned by a party in accordance with its terms, this DPA will be automatically assigned by the same party to the same assignee.
5.5 Governing Law. This DPA will be governed by and construed in accordance with the laws of the jurisdiction governing the MSA unless otherwise required by GDPR or Data Protection Laws, in which case this DPA will be governed by the laws of the Republic of Ireland.
5.6 Counterparts. This DPA may be executed and delivered by facsimile or electronic signature and in two or more counterparts, each of which will be deemed an original, but all of which together will constitute one and the same instrument.
APPENDIX 1: APPLICABLE STANDARD CONTRACTUAL CLAUSES AND SUPPLEMENTAL TERMS
1. Incorporation of Standard Contractual Clauses
The Parties agree that the Standard Contractual Clauses are hereby incorporated by reference into this DPA as follows:
1.1 Where Fivetran Processes Personal Data as a Controller pursuant to the terms of the Agreement, Fivetran and its relevant Affiliates are located in non-adequacy approved third countries, and Customer and its relevant Affiliates are established in the EEA, Module 1: Transfer controller to controller, Clauses 1 to 6, 8 and 10 to 18 apply.
1.2 Where Fivetran Processes Personal Data as a Processor pursuant to the terms of the Agreement, Fivetran and its relevant Sub-Processor Affiliates are located in non-adequacy approved third countries, and Customer and its relevant Affiliates are established in the EEA, Module 2: Transfer controller to processor, Clauses 1 to 6 and 8 to 18 apply.
1.3 Where Fivetran Processes Personal Data as a Processor pursuant to the terms of the Agreement, and Fivetran and its relevant Sub-Processor Affiliates are located in the EEA, and Customer and its relevant Affiliates are located in non-adequacy approved third countries, Module 4: Transfer processor to controller, Clauses 1 to 6, 8, 10 to 12, and 14 to 18 apply.
2. Standard Contractual Clause Optional Provisions
In addition to Section 1.1, where the Standard Contractual Clauses identify optional provisions (or provisions with multiple options) the following shall apply in the following manner:
2.1 Clause 7 (Docking Clause) is omitted;
2.2 In Clause 9(a) (Use of sub-processors) (Module 2) – Option 2 shall apply and the parties shall follow the process and timings agreed in the DPA to appoint sub-processors;
2.3 In Clause 11(a) (Redress) (Module 1, 2 or 4) – the Optional provision shall NOT apply;
2.4 In Clause 16(b) (Suspension of transfers) if Fivetran is the data exporter it will suspend transfers of personal data only as required by law and will notify Customer as promptly as possible (before suspension if possible) so that Customer may remedy the condition requiring suspension;
2.5 In Clause 17 (Governing Law) (Module 1, 2 or 4) – the laws of the Republic of Ireland shall govern; and
2.6 In Clause 18 (Choice of forum and jurisdiction) (Module 1, 2 or 4) – the courts of the Republic of Ireland shall have jurisdiction.
3. Supplementary Terms to Standard Contractual Clauses
3.1 Documentation and compliance. For the purposes of Clause 8.9(b) – Module One, Clause 8.9(e) – Module Two and Clause 8.3 – Module Four the review and audit provisions in the Agreement and DPA shall apply.
3.2 Notification and Transparency.
(a) The Parties acknowledge and agree that Fivetran, where required by the Standard Contractual Clauses to notify the competent supervisory authority, shall first provide Customer with the details of the notification, permitting Customer to have prior written input into the relevant notification, where Customer so desires, and without delaying the timing of the notification unduly.
(b) For purposes of Clause 8.2 – Module 1, Clause 8.3 – Module 2 and Clause 15.1(a), the Parties agree and acknowledge that it may not be possible for Fivetran to make the appropriate communications to data subjects and accordingly, Customer shall (following notification by the Data Importer) have the option to be the party who makes any communication to the data subject, and Vendor shall provide the level of assistance set out in the DPA.
3.3 Liability. For the purposes of Clause 12(a), the liability of the Parties shall be limited in accordance with the limitation of liability provisions in the Agreement.
3.4 Enforcement. The Data Exporter may enforce the terms of the Standard Contractual Clauses against the Data Importer (and vice versa), provided however, that the Parties agree that any valid legal action, suit, claim or proceedings must be brought by Fivetran on behalf of the relevant Data Exporter/Data Importer (as applicable), where such Data Exporter/Data Importer would otherwise have the right to bring such claim directly against Customer if it were a party to the Agreement (each a “Relevant Claim”), unless the applicable Data Protection Laws to which the relevant Data Exporter/Data Importer is subject requires that the relevant Data Exporter/Data Importer itself bring or be a party to such Relevant Claim. The Standard Contractual Clauses entered into between Customer and Vendor shall only be enforceable against the Customer entity which is party to the Agreement as such Standard Contractual Clauses form an integrated part of the Agreement (including the DPA), which shall form the entire agreement with regard to the Processing of Personal Data by Vendor. Any such Relevant Claim shall at all times be subject to any aggregate limitation of liability that applies under the Agreement. The existence of more than one claim shall not enlarge this limit.
3.5 Signatories. Notwithstanding the fact that the Standard Contractual Clauses are incorporated herein by reference without being signed directly, Fivetran and Customer each agrees that their execution of the Agreement is deemed to constitute its execution of the Standard Contractual Clauses, and that it is duly authorized to do so on behalf of, and to contractually bind, the Data Exporter or Data Importer (as applicable) accordingly.
Identification of Parties
The full name, address and contact details for the Data Exporter and Data Importer (as defined below) are set out in the Agreement; and
(a) In the case of Module 1, the data exporter and Controller is Customer and its relevant Affiliates which are established in the EEA, and the data importer and Controller is Fivetran and its relevant Affiliates located in non-adequacy approved third countries;
(b) In the case of Module 2, the data exporter and Controller is Customer and its relevant Affiliates which are established in the EEA, and the data importer and Processor is Fivetran and its relevant Sub-Processor Affiliates located in non-adequacy approved third countries;
(c) In the case of Module 3, the data exporter and Processor is Fivetran and its relevant Sub-Processor Affiliates, which are established in the EEA / exporting data from the EEA, and the data importer and Controller is Customer and its relevant Affiliates located in non-adequacy approved third countries.
Description of Data Processing
The data processing activities carried out by Fivetran under the MSA may be described as follows:
Subject Matter and Purpose
The personal data transferred will be subject to the following basic processing activities:
Fivetran will process Customer personal data in order to facilitate migration of data from Customer’s data sources into Customer’s data warehouse.
The personal data transferred concern the following categories of data subjects:
Customer’s employees and consultants who use Fivetran’s Service.
Individuals whose personal data is stored in Customer’s data sources and processed by Fivetran.
Categories of personal data
The personal data transferred concern the following categories of data:
Fivetran may have access to personal data of Customer’s employees and consultants who use Fivetran’s Service.
Fivetran may have access to personal data of Individuals whose personal data is stored in Customer’s data sources.
The types of personal data processed are determined by Customer and may include without limitation: Name, Email address, Physical address, IP-address and other online identifiers, Date of birth, Telephone/mobile number, Location Data.
Special categories of data
The personal data transferred concern the following special categories of data:
Annex II - Technical and Organizational Security Measures
Description of the technical and organisational security measures implemented by Fivetran in accordance with Data Protection Laws:
Fivetran security measures can be found on our website at https://fivetran.com/docs/security
Security measures include:
Transport layer security
All data is transmitted to or from Fivetran over an encrypted protocol using industry-standard cryptographic protocols (TLS 1.2+)
Fivetran redirects unencrypted requests (HTTP) to an encrypted protocol (HTTPS)
Physical & Environmental Security
The Fivetran services are hosted in Google Cloud Platform (GCP) and Amazon Web Services (AWS). Hosting providers maintain physical & environmental security protections including:
Physical access is restricted to approved employees based on the principle of least privilege
Multi-factor authentication when approved personnel access facilities
Closed Circuit Television Camera (CCTV) video recording of access points
Fire detection and suppression systems
Redundant infrastructure for power, networking, and cooling
Logical Access controls
Logical access to the Fivetran services is restricted to employees based on the principle of least privilege. All access is formally approved and requires multi-factor authentication.
Access is removed in the event of employee termination or if the employee changes roles and no longer requires access, as well as being reviewed on a quarterly basis
Access activity is logged in centralized logging infrastructure and protected from tampering.
Fivetran completes an annual, independent SOC 2 Type 2 audit of its facilities, networks, and systems. On Customer’s request, Fivetran will provide the results of the audit.
Processing of customer data
Data pipes for each customer are managed separately within the host environment. Except as described at https://fivetran.com/docs/security#retentionofcustomerdata, Fivetran does not store customer data, other than while in transit. Access information to customer resources required for data pipe functionality is logically separated within the host storage facility (GCP or AWS).
Fivetran does not control the host physical infrastructure. Fivetran relies on the fault-tolerant nature of GCP and AWS across multiple availability zones, and can redeploy the platform to another region in case of catastrophic failure.
Except as described at https://fivetran.com/docs/security#retentionofcustomerdata, Fivetran will process Customer Data within the region specified by the Customer during configuration of the data pipe. Current geographic regions supported by Fivetran are found here: https://fivetran.com/docs/getting-started/ips.