1. Definitions.
For the purposes of this Addendum, the following terms and those defined within the body of this Addendum apply. All capitalized terms that are not expressly defined in this Addendum will have the meanings given to them in the Cloud Terms.
"Customer", "you", "your" means the individual or organization, including its affiliates, that agrees to the Cloud Terms.
"Customer Personal Data" means all Personal Data that is uploaded by Customer to the Timescale Services and Processed by Timescale on behalf of Customer. For the avoidance of doubt, Customer Personal Data does not include "Account Personal Data," which is defined as Personal Data collected by Timescale from Customer, its employees or contractors in connection with its administration of the Timescale Services (such as contact names, email addresses and billing information for Customer).
"Data Protection Laws" means all applicable data privacy, data protection, and cybersecurity laws, rules and regulations to which the Customer Personal Data are subject. “Data Protection Laws” may include, but is not limited to, the California Consumer Privacy Act of 2018, as amended (“CCPA”); the EU General Data Protection Regulation 2016/679 (“GDPR”) and its respective national implementing legislations; the Swiss Federal Act on Data Protection; the United Kingdom General Data Protection Regulation; and the United Kingdom Data Protection Act 2018 (in each case, as amended, adopted, or superseded from time to time).
"Personal Data" has the meaning assigned to the term “personal data” or “personal information” under applicable Data Protection Laws.
"Process" or "Processing" means any operation or set of operations which is performed on Customer Personal Data or sets of Customer Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction.
"Security Incident(s)" means the breach of security leading to the unauthorized or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data attributable to Timescale.
"Subprocessor(s)" means Timescale’s authorized vendors and third-party service providers that Process Customer Personal Data.
"Timescale Services" means the services that Timescale performs under the Cloud Terms.
2. Processing Terms For Customer Personal Data.
Documented Instructions. Timescale shall Process Customer Personal Data to provide the Timescale Services in accordance with the Cloud Terms, this Addendum, and any instructions mutually agreed upon by authorized employees of the parties in writing. Timescale will, unless legally prohibited from doing so, inform Customer in writing if it reasonably believes that there is a conflict between Customer’s instructions and applicable law or otherwise seeks to Process Customer Personal Data in a manner that is inconsistent with Customer’s instructions.
Authorization to Use Subprocessors. To the extent necessary to fulfill Timescale’s contractual obligations under the Cloud Terms, Customer hereby authorizes Timescale to engage Subprocessors. We maintain a list of our Subprocessors available at https://www.timescale.com/legal/timescale-cloud-subprocessors which we will update at least 7 days before the addition of or replacement of any Subprocessor.
Timescale and Subprocessor Compliance. Timescale agrees to (i) enter into a written agreement with Subprocessors regarding such Subprocessors’ Processing of Customer Personal Data that imposes on such Subprocessors data protection requirements for Customer Personal Data that are consistent with this Addendum; and (ii) remain responsible to Customer for Timescale’s Subprocessors’ failure to perform their obligations with respect to the Processing of Customer Personal Data.
Confidentiality. Any person authorized to Process Customer Personal Data must contractually agree to maintain the confidentiality of such information or be under an appropriate statutory obligation of confidentiality.
Personal Data Inquiries and Requests. Where required by Data Protection Laws, Timescale agrees to provide reasonable assistance and comply with reasonable instructions from Customer related to any requests from individuals exercising their rights in Customer Personal Data granted to them under Data Protection Laws.
Sale or Sharing of Customer Personal Data Prohibited. Timescale shall not sell or share Customer Personal Data as the terms “sell” and “share” are defined by the CCPA. Timescale further agrees that it shall:
i. not access, retain, use, or disclose Customer Personal Data for any purpose other than as needed to provide the Timescale Services pursuant to the Cloud Terms or as otherwise permitted by applicable data protection laws;
ii. not access, retain, use, or disclose Customer Personal Data for a commercial purpose other than as needed to provide the Timescale Services pursuant to the Cloud Terms;
iii. not access, retain, use, or disclose Customer Personal Data outside of the direct business relationship between Timescale and Customer other than as needed to provide the Timescale Services pursuant to the Cloud Terms;
iv. permit Customer the right, upon notice, to take reasonable and appropriate steps to stop and remediate any unauthorized use of Customer Personal Data by Timescale;
v. except as may be necessary in connection with the provision of the services, not co-mingle or combine Personal Information with the data of any third party; and
vi. not attempt to identify or re-identify any data subject other than as strictly required to provide the Timescale Services for Customer.
Data Protection Impact Assessment and Prior Consultation. Where required by Data Protection Laws, Timescale agrees to provide reasonable assistance at Customer’s expense to Customer where, in Customer’s reasonable judgment, the type of Processing performed by Timescale requires a data protection impact assessment and/or prior consultation with the relevant data protection authorities.
Demonstrable Compliance. Timescale agrees to provide information reasonably necessary to demonstrate compliance with this Addendum upon Customer’s reasonable request.
Aggregation and De-Identification. Timescale may: (i) compile aggregated and/or de-identified information in connection with providing the Timescale Services provided that such information cannot reasonably be used to identify Customer or any data subject to whom Customer Personal Data relates (“Aggregated and/or De-Identified Data”); and (ii) use Aggregated and/or De-Identified Data for its lawful business purposes.
Timescale shall use commercially reasonable efforts to implement and maintain reasonable administrative, technical, and physical safeguards designed to protect Customer Personal Data.
4. Security Incidents; Notice.
Upon becoming aware of a Security Incident, Timescale agrees to provide you with written notice without undue delay and within the time frame required under Data Protection Laws.
5. Cross-Border Transfers Of Customer Personal Data.
- Cross-Border Transfers of Customer Personal Data. Customer authorizes Timescale and its Subprocessors to transfer Customer Personal Data, across international borders, including from the European Economic Area, Switzerland, and/or the United Kingdom to the United States.
- EEA, Swiss, and UK Standard Contractual Clauses. If Customer Personal Data originating in the European Economic Area (“EEA”), Switzerland, and/or the United Kingdom is transferred by Customer to Timescale in a country that has not been found to provide an adequate level of protection under applicable Data Protection Laws, the parties agree that the transfer shall be governed by the UK: International Data Transfer Addendum to the Current EU Standard Contractual Clauses, version B1.0 (if attached to EU SCCs), https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf (“UK Addendum”), or the Current EU Standard Contractual Clauses, as applicable, located at https://eur-lex.europa.eu/eli/dec_impl/2021/914 each as supplemented by Exhibit A attached hereto, the terms of which are incorporated herein by reference. For purposes of this Addendum, the “Current EU Standard Contractual Clauses” mean the Standard Contractual Clauses approved by the European Commission in decision 2021/914. For transfers of Customer Personal Data outside of the UK, the International Data Transfer Addendum to the Current EU Standard Contractual Clauses, version B1.0 as set forth above will apply. For transfers of Customer Personal Data outside of the EEA or Switzerland, the Current EU Standard Contractual Clauses will apply. When Customer is acting as a controller under the Current EU Standard Contractual Clauses, the Controller-to-Processor Clauses will apply to a data transfer. When Customer is acting as a processor under the Current EU Standard Contractual Clauses, the Processor-to-Processor Clauses will apply to a Data Transfer. The Current EU Standard Contractual Clauses and the UK International Data Transfer Addendum to the EU Standard Contractual Clauses, version B1.0 will form an integral part of this Addendum.
6. Audits.
Where Data Protection Laws afford Customer an audit right, Customer (or its appointed representative) may, at Customer’s expense, carry out an audit of Timescale’s policies, procedures, and records relevant to the Processing of Customer Personal Data. Any audit must be: (i) conducted during Timescale’s regular business hours; (ii) with reasonable advance notice to Timescale; (iii) carried out in a manner that prevents unnecessary disruption to Timescale’s operations; and (iv) subject to reasonable confidentiality procedures. In addition, any audit shall be limited to once per year, unless an audit is carried out at the direction of a government authority having proper jurisdiction.
7. Customer Personal Data Deletion.
At the expiration or termination of the Cloud Terms, Timescale will, at Customer’s option and at Timescale’s then-current rate, delete or return all Customer Personal Data (excluding any back-up or archival copies which shall be deleted in accordance with Timescale’s data retention schedule), except where Timescale is required to retain copies under applicable laws, in which case Timescale will isolate and protect that Customer Personal Data from any further Processing except to the extent required by applicable laws.
8. Customer’s Obligations.
Customer represents and warrants that (i) it has complied and will comply with Data Protection Laws; (ii) it has provided data subjects whose Customer Personal Data will be Processed in connection with the Cloud Terms with a privacy notice or similar document that clearly and accurately describes Customer’s practices with respect to the Processing of Customer Personal Data; (iii) it has obtained and will obtain and continue to have, during the term, all necessary rights, lawful bases, authorizations, consents, and licenses for the Processing of Customer Personal Data as contemplated by this Addendum and the Cloud Terms; and (iv) Timescale’s Processing of Customer Personal Data in accordance with this Addendum and the Cloud Terms will not violate Data Protection Laws or cause a breach of any agreement or obligations between Customer and any third party.
9. Processing Details.
- Subject Matter. The subject matter of the Processing is the Timescale Services pursuant to the Cloud Terms.
- Duration. The Processing will continue until the expiration or termination of the Cloud Terms.
- Categories of Data Subjects. Data subjects whose Customer Personal Data will be Processed pursuant to the Cloud Terms.
- Nature and Purpose of the Processing. The purpose of the Processing of Customer Personal Data by Timescale is the performance of the Timescale Services.
- Types of Customer Personal Data. Customer Personal Data that is Processed pursuant to the Cloud Terms.
EXHIBIT A TO THE DATA PROCESSING ADDENDUM
This Exhibit A forms part of the Addendum and supplements the Current EU Standard Contractual Clauses and the UK Addendum. Capitalized terms not defined in this Exhibit A have the meaning set forth in the Addendum.
The parties agree that the following terms shall supplement the Current EU Standard Contractual Clauses:
1. Supplemental Terms. The parties agree that: (i) a new Clause 1(e) is added to the Current EU Standard Contractual Clauses which shall read: “To the extent applicable hereunder, these Clauses also apply mutatis mutandis to the Parties’ processing of personal data that is subject to the Swiss Federal Act on Data Protection. Where applicable, references to EU Member State law or EU supervisory authorities shall be modified to include the appropriate reference under Swiss law as it relates to transfers of personal data that are subject to the Swiss Federal Act on Data Protection.”; (ii) a new Clause 1(f) is added to the Current EU Standard Contractual Clauses which shall read: “To the extent applicable hereunder, these Clauses, as supplemented by Annex III, also apply mutatis mutandis to the Parties’ processing of personal data that is subject to UK Data Protection Laws (as defined in Annex III).”; (iii) the optional text in Clause 7 is deleted; (iv) Option 1 in Clause 9 is struck and Option 2 is kept, and data importer must notify data exporter of any new subprocessors in accordance with Section 3.4 of the Addendum; (v) the optional text in Clause 11 is deleted; and (vi) in Clauses 17 and 18, the governing law and the competent courts are those of Ireland (for EEA transfers), Switzerland (for Swiss transfers), or England and Wales (for UK transfers).
2. Annex I. Annex I to the Current EU Standard Contractual Clauses shall read as follows:
A. List of Parties
Data Exporter: Customer.
Address: As set forth in an order form or in the Customer’s account details.
Contact person’s name, position, and contact details: As set forth in an order form or in the Customer’s account details.
Activities relevant to the data transferred under these Current EU Standard Contractual Clauses: The Timescale Services.
Role: Controller.
Data Importer: Timescale.
Address: As set forth in the Notices section of the Cloud Terms.
Contact person’s name, position, and contact details: [email protected]
Activities relevant to the data transferred under these Current EU Standard Contractual Clauses: The Timescale Services.
Role: Processor.
B. Description of the Transfer:
Categories of data subjects whose personal data is transferred: The categories of data subjects whose personal data is transferred under the EU Standard Contractual Clauses including, but not limited to, end users of Customer.
Categories of personal data transferred: The categories of personal data transferred under the Clauses including, but not limited to, personal data submitted by you and your end users via the Timescale Services.
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures: “To the parties’ knowledge, no sensitive data is transferred.”
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis): Customer Personal Data is transferred in accordance with the standard functionality of the Timescale Services, or as otherwise agreed upon by the parties.
Nature of the processing: The Timescale Services.
Purpose(s) of the data transfer and further processing: The Timescale Services.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: Data importer will retain personal data in accordance with the Addendum.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing: Please see our sub-processors’ list here: https://www.timescale.com/legal/timescale-cloud-subprocessors
C. Competent Supervisory Authority: The supervisory authority mandated by Clause 13. If no supervisory authority is mandated by Clause 13, then the Irish Data Protection Commission (DPC), and if this is not possible, then as otherwise agreed by the parties consistent with the conditions set forth in Clause 13.
D. Data Transfer Impact Assessment Outcome: Taking into account the information and obligations set forth in the Addendum and, as may be the case for a party, such party’s independent research, to the parties’ knowledge, the personal data originating in the European Economic Area, Switzerland, and/or the United Kingdom that is transferred pursuant to the Current EU Standard Contractual Clauses to a country that has not been found to provide an adequate level of protection under applicable data protection laws is afforded a level of protection that is essentially equivalent to that guaranteed by applicable data protection laws.
E. Clarifying Terms: The parties agree that: (i) the certification of deletion required by Clause 8.5 and Clause 16(d) of the Current EU Standard Contractual Clauses will be provided upon data exporter’s written request; (ii) the measures data importer is required to take under Clause 8.6(c) of the Current EU Standard Contractual Clauses will only cover data importer’s impacted systems; (iii) the audit described in Clause 8.9 of the Current EU Standard Contractual Clauses shall be carried out in accordance with Section 7 of the Addendum; (iv) the termination right contemplated by Clause 14(f) and Clause 16(c) of the Current EU Standard Contractual Clauses will be limited to the termination of the Current EU Standard Contractual Clauses; (v) unless otherwise stated by data importer, data exporter will be responsible for communicating with data subjects pursuant to Clause 15.1(a) of the Current EU Standard Contractual Clauses; (vi) the information required under Clause 15.1(c) of the Current EU Standard Contractual Clauses will be provided upon data exporter’s written request; and (vii) notwithstanding anything to the contrary, data exporter will reimburse data importer for all costs and expenses incurred by data importer in connection with the performance of data importer’s obligations under Clause 15.1(b) and Clause 15.2 of the Current EU Standard Contractual Clauses without regard for any limitation of liability set forth in the Cloud Terms.
3. Annex II. Annex II of the Current EU Standard Contractual Clauses shall read as follows:
Data importer shall use commercially reasonable efforts to implement and maintain technical and organisational measures designed to protect personal data in accordance with the Addendum.
Pursuant to Clause 10(b), data importer will provide data exporter assistance with data subject requests in accordance with the Addendum.
4. Annex III. A new Annex III shall be added to the Current EU Standard Contractual Clauses and shall read as follows:
Table 1: The start date in Table 1 is the effective date of the Addendum. All other information required by Table 1 is set forth in Annex I, Section A of the Current EU Standard Contractual Clauses.
Table 2: The UK Addendum forms part of the version of the Current EU Standard Contractual Clauses which this UK Addendum is appended to including the Appendix Information, effective as of the effective date of the Addendum.
Table 3: The information required by Table 3 is set forth in Annex I and II to the Current EU Standard Contractual Clauses.
Table 4: The parties agree that Importer may end the UK Addendum as set out in Section 19.