This Data Protection Addendum (“DPA”) forms part of the Master Subscription Agreement between Aryaka and Customer (the “Agreement”) under which Aryaka provides the Services to Customer. Capitalized terms used but not defined in this DPA shall have the meaning as set forth in the Agreement.
- 1.1 “Data Controller” means the entity which, alone or jointly with others, determines the purposes and means of Processing of Personal Information.
- 1.2 “Data Processor” means the entity which Processes Personal Information on behalf of the Data Controller.
- 1.3 “Data Protection Laws” mean all laws applicable to the Processing of Personal Information.
- 1.4 “Data Subject” means any individual about whom Personal Information may be Processed under this DPA.
- 1.5 “Personal Information” or “Personal Data” means business contact information that relates to an identified or identifiable natural person collected from the Customer, such as name, title, email address, and phone number that is necessary to negotiate and perform the Services contemplated by the Agreement and maintain the commercial relationship between the Parties.
- 1.6 “Process” or “Processing” means any operation or set of operations performed on Personal Information or on sets of Personal Information, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaption or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction of Personal Information.
- 2. Relationship between the Parties. Customer and Aryaka have entered into an Agreement for Services. The Parties acknowledge that Customer and Aryaka are each a Controller for purposes of the Agreement. In order to fulfill the terms of the Agreement, the Parties must provide limited Personal Information to each other. The Parties will Process such Personal Information in accordance with confidentiality requirements, the Agreement and this DPA or otherwise as required by applicable Data Protection Law. Each Party will be solely responsible for complying with its obligations under Data Protection Laws with respect to the Processing of Personal Information, including for providing any necessary notices to, and obtaining any necessary consents from, Data Subjects or other individuals with respect to the Processing of Personal Information. The Parties will not retain, use, sell, share or disclose Personal Information for any purpose other than performance of the Agreement, or as required by applicable Data Protection Laws. Should a Party determine that it can no longer meet its obligations under applicable Data Protection Laws, it will promptly inform the other Party.
- 3. Security. The Parties will maintain reasonable administrative, physical and technical safeguards designed to protect the security, confidentiality and integrity of the Personal Information against unauthorized loss, destruction, alteration, access, or disclosure, including the measures listed in Annex 2 to Appendix 1.
- 4. Subcontractors. Customer agrees that Aryaka may disclose Personal Information to its subcontractors for purposes of providing Services to Customer (“Subcontractors”), provided that Aryaka will impose substantially similar obligations on its Subcontractors regarding the security and confidentiality of Personal Information as those set forth in this DPA.
- 5. Data Location. In connection with the performance of the Agreement, Aryaka may transfer Personal Information to various locations, which may include locations both inside and outside of the United Kingdom (“UK”) or European Economic Area (“EEA”). To the extent such transfer involves a transfer of Personal Information originating from Customer in the UK, EEA or Switzerland to Aryaka or its Subcontractors located in countries outside the UK, EEA or Switzerland that have not received a binding adequacy decision, the Parties agree that the European Union Standard Contractual Clauses (Controller to Controller) which are attached hereto at Appendix 1 and such transfer is described in Annex I thereto.
- 6. Data Subject Requests and Complaints. The Parties will cooperate in responding to a Data Subject request or complaint. Each Party will seek to implement appropriate processes (including technical and organizational measures) to respond to requests or complaints from Data Subjects. Each Party will promptly and securely delete or destroy any Personal Information pertaining to an individual (not otherwise subject to an exemption) where such information is within the Party’s possession or control. If applicable, the Party will direct any affiliate or subprocessor that Processes Personal Information related to the identified Data Subject to promptly and securely delete or destroy such Personal Information.
Standard Contractual Clauses (2021) (Controller-to-Controller),
incorporated by reference into this DPA and accessed here:
A. LIST OF PARTIES
Data exporter(s): The data exporter is: Customer, as defined in the Agreement
[Identity and contact details of the data exporter(s) and, where applicable, of its/their data protection officer and/or representative in the European Union]
Name: See Order Form between Customer and Aryaka
Address: See Order Form between Customer and Aryaka
Contact person’s name, position, and contact details: See Order Form between Customer and Aryaka
Activities relevant to the data transferred under these Clauses: See Agreement between Customer and Aryaka
Role (controller/processor): Controller
Data importer(s): The data importer is: Aryaka.
[Identity and contact details of the data importer(s), including any contact person with responsibility for data protection]
Name: Aryaka Networks, Inc.
Address: 1850 Gateway Drive, Suite 500, San Mateo, CA 94404 USA
Contact person’s name, position, and contact details: Edward Frye, CISCO/IT, firstname.lastname@example.org
Activities relevant to the data transferred under these Clauses: See Agreement between the Parties.
Role (controller/processor): Controller
B. DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred
Business contacts of the Customer and Aryaka.
Categories of personal data transferred
Business contact information, such as name, title, email address, telephone numbers, physical address.
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
The frequency of the transfer (e.g., whether the data is transferred on a one-off or continuous basis).
As needed to perform the Services under the Agreement and maintain the commercial relationship.
Nature of the processing
Aryaka will process Personal Information as necessary to fulfill and perform the Services pursuant to the Agreement.
Purpose(s) of the data transfer and further processing
Transfer to Aryaka’s business offices located outside of the UK, EEA, or Switzerland. Aryaka will process Personal Information as necessary to fulfill and perform the Services pursuant to the Agreement.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
| Type | Number of Years Retained |
| --- | --- |
| Sales Records | 5 years |
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing
The following Sub-processors may be deployed for the following services/at the following Processing locations:
Services: Customer Relationship Management
Services: Marketing and Messaging
C. COMPETENT SUPERVISORY AUTHORITY
Identify the competent supervisory authority/ies in accordance with Clause 13
The UK Information Commissioner’s Office.
TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
The technical and organisational measures must be described in specific (and not generic) terms. See also the general comment on the first page of the Appendix, in particular on the need to clearly indicate which measures apply to each transfer/set of transfers.
Aryaka maintains various policies, standards and processes designed to secure Personal Information. Following is a description of some of the core technical and organisational security measures implemented by Aryaka.
Physical Access Controls
Aryaka implements and maintains measures designed to prevent unauthorized persons from gaining physical access to Aryaka locations.
Technical Access Controls
Aryaka implements and maintains measures designed to prevent unauthorized persons from gaining access to Aryaka’s data processing systems, including:
- Hybrid DDoS protection integrating detection and mitigation (on-premises or in the cloud) with cloud-based volumetric DDoS attack prevention, and 24×7 Emergency Response Team (ERT) support; and
- Network edge security providing advanced perimeter security solutions that are built into Customer’s SD-WAN appliance.
Data Access Controls
Aryaka implements and maintains measures to restrict access to its data processing system to individuals who need such access within the scope and to the extent covered by their respective access permission (authorization).
Aryaka implements and maintains measures designed to ensure that Personal Information being processed in the performance of the Services for the Customer is processed solely in accordance with the Agreement.
Aryaka implements and maintains measures designed to protect Personal Information against disclosure, accidental or unauthorized destruction or loss