This Data Protection Addendum (“DPA”) forms part of the Master Subscription Agreement between Aryaka and Customer (the “Agreement”) under which Aryaka provides the Services to Customer. Capitalized terms used but not defined in this DPA shall have the meaning as set forth in the Agreement.

  1. DEFINITIONS
    1. Data Controller” means the entity which, alone or jointly with others, determines the purposes and means of Processing of Personal Information.
    2. Data Processor” means the entity which Processes Personal Information on behalf of the Data Controller.
    3. Data Protection Laws” mean all laws applicable to the Processing of Personal Information.
    4. Data Subject” means any individual about whom Personal Information may be Processed under this DPA.
    5. Personal Information” or “Personal Data” means business contact information that relates to an identified or identifiable natural person collected from the Customer, such as name, title, email address, and phone number that is necessary to negotiate and perform the Services contemplated by the Agreement and maintain the commercial relationship between the parties.
    6. Process” or “Processing” means any operation or set of operations performed on Personal Information or on sets of Personal Information, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaption or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction of Personal Information.
  2. Relationship between the Parties. Customer and Aryaka have entered into an Agreement for Services. The Parties acknowledge that Customer and Aryaka are each a Controller for purposes of the Agreement. In order to fulfill the terms of the Agreement, the Parties must provide limited Personal Information to each other. The Parties will Process such Personal Information in accordance with the Agreement and this DPA or otherwise as required by applicable law. Each Party will be solely responsible for complying with its obligations under Data Protection Laws with respect to the Processing of Personal Information, including for providing any necessary notices to, and obtaining any necessary consents from, Data Subjects or other individuals with respect to the Processing of Personal Information.
  3. Security.The Parties will maintain reasonable administrative, physical and technical safeguards designed to protect the security, confidentiality and integrity of the Personal Information against unauthorized loss, destruction, alteration, access, or disclosure, including the measures listed in Annex 2 to Appendix 1.
  4. Subcontractors. Customer agrees that Aryaka may disclose Personal Information to its subcontractors for purposes of providing Services to Customer (“Subcontractors”), provided that Aryaka will impose substantially similar obligations on its Subcontractors regarding the security and confidentiality of Personal Information as those set forth in this DPA.
  5. Data Location. In connection with the performance of the Agreement, Aryaka may transfer Personal Information to various locations, which may include locations both inside and outside of the United Kingdom (“UK”) or European Economic Area (“EEA”). To the extent such transfer involves a transfer of Personal Information originating from Customer in the UK, EEA or Switzerland to Aryaka or its Subcontractors located in countries outside the UK, EEA or Switzerland that have not received a binding adequacy decision, the Parties agree that the European Union Standard Contractual Clauses (Controller to Controller) which are attached hereto at Appendix 1 and such transfer is described in Annex I thereto.

Appendix 1
Standard Contractual Clauses (2021) (Controller-to-Controller),
incorporated by reference into this DPA and accessed here:
www.aryaka.com/SCC2021-Controller-to-Controller/

ANNEX I

  1. LIST OF PARTIES

    Data exporter(s): The data exporter is: Customer, as defined in the Agreement

    [Identity and contact details of the data exporter(s) and, where applicable, of its/their data protection officer and/or representative in the European Union]

  2. Name: See Order Form between Customer and Aryaka

    Address: See Order Form between Customer and Aryaka

    Contact person’s name, position, and contact details: See Order Form between Customer and Aryaka

    Activities relevant to the data transferred under these Clauses: See Agreement between Customer and Aryaka

    Role (controller/processor): Controller

    Data importer(s) The data importer is: Aryaka.

    [Identity and contact details of the data importer(s), including any contact person with responsibility for data protection]

    Name: Aryaka Networks, Inc.

    Address: 1850 Gateway Drive, Suite 500, San Mateo, CA 94404 USA

    Contact person’s name, position, and contact details: Edward Frye, CISCO/IT, edward.frye@aryaka.com Activities relevant to the data transferred under these Clauses: See Agreement between the Parties.

    Role (controller/processor): Controller

  3. DESCRIPTION OF TRANSFER
    Categories of data subjects whose personal data is transferred

    Business contacts of the Customer and Aryaka.

    Categories of personal data transferred

    Business contact information, such as name, title, email address, telephone numbers, physical address.

    Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.

    None

    The frequency of the transfer (e.g., whether the data is transferred on a one-off or continuous basis).

    As needed to perform the Services under the Agreement and maintain the commercial relationship.

    Nature of the processing
    Aryaka will process Personal Information as necessary to fulfill perform the Services pursuant to the Agreement.
    Purpose(s) of the data transfer and further processing

    Transfer to Aryaka’s business offices located outside of the UK, EEA, or Switzerland. Aryaka will process Personal Information as necessary to fulfill and perform the Services pursuant to the Agreement.
    The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

  4. Type Number of Years Retained
    Sales Records 5 years
    Invoices 7 years
    General Ledger Permanent

    For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing

    The following Sub-processors may be deployed for the following services/at the following Processing locations:

    Salesforce, Inc.
    Location: Worldwide
    Services: Customer Relationship Management

    NetSuite
    Location: Worldwide
    Services: Accounting

    Zuora
    Location: Worldwide
    Services: Billing

    Marketo
    Location: Worldwide
    Services: Marketing and Messaging

  5. COMPETENT SUPERVISORY AUTHORITY
    Identify the competent supervisory authority/ies in accordance with Clause 13
    The UK Information Commissioner’s Office.

ANNEX II

TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

EXPLANATORY NOTE:

The technical and organisational measures must be described in specific (and not generic) terms. See also the general comment on the first page of the Appendix, in particular on the need to clearly indicate which measures apply to each transfer/set of transfers.

Aryaka maintains various policies, standards and processes designed to secure Personal Information. Following is a description of some of the core technical and organisational security measures implemented by Aryaka.

Physical Access Controls

Aryaka implements and maintains measures designed to prevent unauthorized persons from gaining physical access to Aryaka locations.

Technical Access Controls

Aryaka implements and maintains measures designed to prevent unauthorized persons from gaining access to Aryaka’s data processing systems, including:

  • Hybrid DDoS protection integrating detection and mitigation (on-premises or in the cloud) with cloud-based volumetric DDoS attack prevention, and 24×7 Emergency Response Team (ERT) support; and
  • Network edge security providing advanced perimeter security solutions that are built into Customer’s SD-WAN appliance.

Data Access Controls
Aryaka implements and maintains measures to restrict access to its data processing system to individuals who need such access within the scope and to the extent covered by their respective access permission (authorization).

Job Controls
Arkaya implements and maintains measures designed to ensure that Personal Information being processed in the performance of the Services for the Customer is processed solely in accordance with the Agreement.

Availability Controls
Aryaka implements and maintains measures designed to protect Personal Information against disclosure, accidental or unauthorized destruction or lost