Elastic Vendor Data Processing Addendum

Elastic Vendor Data Processing Addendum

This Elastic Vendor Data Processing Addendum ("DPA") forms part of the agreement between Vendor (defined below) and Elastic (defined below) for the Services (defined below) provided by Vendor to Elastic (collectively, the "Agreement"). For the purposes of this DPA, "Elastic" means the entity identified as "Elastic" and "Vendor" means the entity identified as "Vendor" on the applicable Ordering Document.

This DPA describes the commitments of Elastic and Vendor (each a "Party" and together, the "Parties") concerning the processing of Elastic Personal Data in connection with the provision of one or more services contemplated by the Agreement (the "Services").

The terms used in this DPA have the meaning set forth in this DPA. Capitalized terms not otherwise defined herein have the meaning given to them in the Agreement.

The Parties agree as follows:

  1. 1. Definitions. The following capitalized terms, when used in this DPA, will have the corresponding meanings provided below:
    1. 1.1 "Applicable Data Protection Laws" mean all worldwide privacy and data protection laws, regulations, rules, ordinances and other decrees applicable to each respective Party in its role related to the processing of Elastic Personal Data pursuant to the Agreement, including (but not limited to): (i) European Data Protection Laws; (ii) Canadian Privacy Laws; and (iii) US Privacy Laws; in each case as may be amended, superseded or replaced.
    2. 1.2 "Canadian Privacy Laws" mean: (i) the federal Personal Information Protection and Electronic Documents Act (PIPEDA), the provincial Personal Information Protection Acts in place in Alberta and British Columbia, and An Act respecting the Protection of Personal Information in the Private Sector (Québec); (ii) the E-Health (Personal Health Information Access and Protection of Privacy Act) in British Columbia, the Health Information Act in Alberta, the Personal Health Information Act in Manitoba, the Personal Health Information Protection Act, 2004 in Ontario, the Personal Health Information Privacy and Access Act in New Brunswick, the Personal Health Information Act in Newfoundland and Labrador, and the Personal Health Information Act in Nova Scotia; and (iii) the Canada Anti-Spam Act Legislation (CASL).
    3. 1.3 "EEA" means the countries that are parties to the Agreement on the European Economic Area, and Switzerland.
    4. 1.4 "Elastic Personal Data" means any Personal Data processed by Vendor as a service provider or processor (as applicable) on behalf of Elastic in connection with the Agreement.
    5. 1.5 "European Data Protection Laws" mean: (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) ("GDPR"); (ii) Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector, as amended by Directive 2009/136/EC ("e-Privacy Directive"); (iii) any applicable national implementations of (i) and (ii); (iv) the Swiss Federal Data Protection Act of 19 June 1992 and its Ordinance ("Swiss DPA"); and (v) in respect of the United Kingdom ("UK"), the Data Protection Act 2018 and the GDPR as saved into UK law by virtue of section 3 of the UK's European Union (Withdrawal) Act 2018 ("UK GDPR") and the Privacy and Electronic Communications (EC Directive) Regulations 2003 as they continue to have effect by virtue of Section 2 of the UK's European Union (Withdrawal) Act 2018.
    6. 1.6 "Personal Data" means any information that relates to an identified or identifiable natural person and which is protected as "personal data," "personal information," or "personally identifiable information" under Applicable Data Protection Laws.
    7. 1.7 "Restricted Transfers" mean: (i) where the GDPR applies, a transfer of Elastic Personal Data from the EEA to a country outside of the EEA which is not subject to an adequacy determination by the European Commission (an "EEA Restricted Transfer"); (ii) where the UK GDPR applies, a transfer of Elastic Personal Data from the United Kingdom to any other country which is not subject to adequacy regulations pursuant to Section 17A of the United Kingdom Data Protection Act 2018 (a "UK Restricted Transfer"); and (iii) where the Swiss DPA applies, a transfer of Elastic Personal Data to a country outside of Switzerland which is not included in the list of adequate jurisdictions published by the Swiss Federal Data Protection and Information Commissioner (a "Swiss Restricted Transfer").
    8. 1.8 "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses adopted by the EU Commission by means of the Implementing Decision EU 2021/914 of June 4, 2021.
    9. 1.9 "Sub-processor" means any third party data processor engaged by Vendor to process Elastic Personal Data on Elastic's behalf to assist in fulfilling Vendor's obligations with respect to providing the Services pursuant to the Agreement and this DPA. Sub-processors may include independent third parties and Vendor affiliates.
    10. 1.10 "UK Addendum" means the International Data Transfer Addendum to the Standard Contractual Clauses issued by the UK Information Commissioner's Office under S.119(A) of the UK Data Protection Act 2018.
    11. 1.11 "US Privacy Laws" mean, as applicable: the California Consumer Privacy Act of 2018 (California Civil Code §§ 1798.100 et seq. (2018) as amended by the California Privacy Rights Act of 2020 ("CPRA") (together the "CCPA"), and any other US state privacy or data protection laws that have been enacted at the time of the Parties' execution of this DPA.
    12. 1.12 The terms "controller", "processor" and "processing" shall have the meanings given to them in applicable European Data Protection Laws, and "process", "processes" and "processed" shall be interpreted accordingly; and the terms "business", "business purpose", "consumer", "commercial purpose", "personal information", "service provider", "sell" and "share" shall have the meanings given to them in applicable US Privacy Laws.
  2. 2. Roles and Scope of Processing
    1. 2.1 Scope. This DPA applies to the extent that Vendor processes any Elastic Personal Data as a processor or service provider (as applicable).
    2. 2.2 Roles of the Parties. The Parties acknowledge and agree that Elastic is a business or the controller (as applicable) with respect to the processing of Elastic Personal Data, and Vendor shall process Elastic Personal Data only as a processor or service provider (as applicable) on behalf of Elastic. Any processing of Elastic Personal Data by either Party under or in connection with the Agreement shall be performed in accordance with Applicable Data Protection Laws.
    3. 2.3 Vendor Processing of Personal Data. Vendor agrees that it shall process Elastic Personal Data only for the purposes described in the Agreement and in accordance with Elastic's documented lawful instructions. The Parties agree that the Agreement and this DPA set out Elastic's complete and final instructions to Vendor in relation to the processing of Elastic Personal Data. Vendor shall notify Elastic in writing, unless prohibited from doing so under Applicable Data Protection Laws, if it becomes aware or believes that any data processing instructions from Elastic violates Applicable Data Protection Laws. Notwithstanding anything to the contrary in the Agreement, Vendor shall not process Elastic Personal Data for its own internal purposes including but not limited to in an anonymized or aggregated form.
  3. 3. Sub-processing
    1. 3.1 The provisions on sub-contracting set forth in Section 7 of the Agreement shall apply in the same manner to any engagement of Sub-processors by the Vendor in connection with the processing of Elastic Personal Data under this DPA. The Sub-processors currently engaged by Vendor and authorized by Elastic are as set forth in Exhibit C to the underlying Agreement.
  4. 4. Security and Audits
    1. 4.1 The information security and Security Breach notification provisions set forth in Sections 13.1 and 13.2 of the Agreement shall also extend to Elastic Personal Data. In addition, the audit rights granted under Section 13.3 of the Agreement shall also apply to Elastic's right to audit the Vendor for compliance with obligations under Applicable Data Protection Laws.
    2. 4.2 Vendor Data Protection Measures. In addition to the security measures described in the Elastic Vendor Information Security Addendum herein, Vendor shall implement and maintain appropriate technical and organizational measures to ensure data protection for Elastic Personal Data including but not limited to: (i) measures for certification or similar assurance of data protection in its processes and products; (ii) measures for ensuring data minimization; (iii) measures for ensuring data quality; (iv) measures for ensuring limited data retention; (v) measures for ensuring accountability; (vi) measures for allowing data portability where required by Applicable Data Protection Law; and (vii) measures for ensuring erasure.
  5. 5. Deletion of Elastic Personal Data
    1. 5.1 Upon termination or expiry of the Agreement, Vendor shall delete all Elastic Personal Data (including copies) in its possession or control in accordance with the Agreement, save that this requirement shall not apply to the extent Vendor is required by applicable law to retain some or all of the Elastic Personal Data, in which case Vendor shall retain such Elastic Personal Data in compliance with all Applicable Data Protection Laws.
  6. 6. Rights of Individuals and Cooperation
    1. 6.1 Individual Rights Requests. Vendor shall, taking into account the nature of the processing, provide reasonable cooperation to assist Elastic in responding to any requests from individuals to exercise their rights under Applicable Data Protection Laws relating to the processing of Elastic Personal Data under the Agreement. In the event that any such request that implicates Elastic Personal Data is made to Vendor directly, Vendor shall redirect the individual to make their request directly to Elastic. If Vendor is required to respond directly to such a request, Vendor shall promptly notify Elastic and provide it with a copy of the request unless legally prohibited from doing so.
    2. 6.2 Disclosure Requests. If Vendor receives a demand to disclose or provide access to Elastic Personal Data from a law enforcement agency, government authority, public authority, or other third party ("Third-Party Demand"), then Vendor will attempt to redirect the Third-Party Demand to Elastic. If Vendor cannot redirect the Third-Party Demand to Elastic, Vendor shall promptly notify Elastic and provide a copy of the Third-Party Demand to allow Elastic to seek a protective order or other appropriate remedy unless Vendor is legally prohibited from doing so in which case Vendor shall take all reasonable steps to challenge such prohibition. Vendor shall only disclose or provide access to Elastic Personal Data in response to a Third-Party Demand as strictly required by law.
  7. 7. Jurisdiction Specific Terms
    1. 7.1 Data Protection Impact Assessments. To the extent required under Applicable Data Protection Laws, Vendor shall provide Elastic with reasonably requested information regarding Vendor's processing of Elastic Personal Data under the Agreement to assist Elastic in carrying out data protection impact assessments or prior consultations with supervisory authorities as required by law.
    2. 7.2 Restricted Transfers
      1. 7.2.1 GDPR. To the extent that any transfer of Elastic Personal Data to Vendor from Elastic is an EEA Restricted Transfer, Vendor agrees to abide by and process Elastic Personal Data in compliance with the Standard Contractual Clauses, which shall be deemed incorporated into this DPA as follows:
        1. (a) Where Elastic is the controller of Elastic Personal Data and Vendor is the processor. Module Two (controller to processor transfers) shall apply, or where Elastic is a processor of the Elastic Personal Data, Module Three (processor to processor transfers) shall apply;
        2. (b) In Clause 7, the optional docking clause will apply;
        3. (c) In Clause 9, Option 2 (General Written Authorization) will apply and the time period for prior notice of Sub-processor changes shall be as set out in Section 3.1 of this DPA;
        4. (d) In Clause 11, the optional language will not apply;
        5. (e) In Clause 17, Option 2 will apply, and the Standard Contractual Clauses will be governed by the law of the Netherlands;
        6. (f) In Clause 18(b), disputes shall be resolved before the courts of the Netherlands; and
        7. (g) Annex I and II of the Standard Contractual Clauses shall be deemed completed with the information set out in Annexes I and II attached hereto.
      2. 7.2.2 UK GDPR. To the extent that any transfer of Elastic Personal Data to Vendor from Elastic is a UK Restricted Transfer, the Standard Contractual Clauses shall apply in accordance with Section 7.2.1 above, but as modified and interpreted by the Part 2: Mandatory Clauses of the UK Addendum, which shall be incorporated into and form an integral part of this DPA. Any conflict between the terms of the Standard Contractual Clauses and the UK Addendum shall be resolved in accordance with Section 10 and Section 11 of the UK Addendum. In addition, tables 1 through 3 in Part 1 of the UK Addendum shall be completed respectively with the information set out in Annex I and Annex II attached hereto and table 4 in Part 1 of the UK Addendum shall be deemed completed by selecting "neither party."
      3. 7.2.3 Swiss DPA. To the extent that any transfer of Elastic Personal Data to Vendor from Elastic is a Swiss Restricted Transfer, the Standard Contractual Clauses shall apply in accordance with Section 7.2.1 above, but with the following modifications:
        1. (a) any references in the Standard Contractual Clauses to "Regulation (EU) 2016/679" shall be interpreted as references to the Swiss DPA and the equivalent articles or sections therein;
        2. (b) any references to "EU", "Union", "Member State" and "Member State law" shall be interpreted as references to Switzerland and Swiss law, as the case may be;
        3. (c) any references to the "competent supervisory authority" and "competent courts" shall be interpreted as references to the relevant data protection authority and courts in Switzerland; and
        4. (d) the Standard Contractual Clauses shall be governed by the laws of Switzerland and disputes shall be resolved before the competent Swiss courts.
    3. 7.3 US Privacy Laws. To the extent that Vendor's processing of Elastic Personal Data under the Agreement is subject to US Privacy Laws, the Parties agree that Elastic is a business and that it appoints Vendor as its service provider to process Elastic Personal Data for the limited and specific business purpose permitted under the Agreement (including this DPA) and US Privacy Laws (the "Permitted Purposes"). To the extent required under US Privacy Laws, Elastic and Vendor agree that:
      1. (a) Vendor shall not retain, use, or disclose Elastic Personal Data outside of the direct business relationship between Elastic and Vendor, or for any purpose other than for the Permitted Purposes, including retaining, using, or disclosing Elastic Personal Data for a commercial purpose other than the Permitted Purposes;
      2. (b) Elastic is not sharing or selling Elastic Personal Data to Vendor, and Vendor shall not sell or share Elastic Personal Data;
      3. (c) Vendor shall comply with its applicable obligations under US Privacy Laws, shall provide the level of privacy protection required by US Privacy Laws, and shall notify Elastic if it decides it can no longer meet its obligations under US Privacy Laws with respect to its processing of Elastic Personal Data under the Agreement;
      4. (d) Elastic has the right to take reasonable and appropriate steps to ensure Vendor processes Elastic Personal Data in a manner consistent with Elastic's obligations under US Privacy Laws, and in compliance with the Agreement in accordance with the audit parameters set forth in Section 4.3 (Audits) of this DPA, and shall have the right, upon notice, to take reasonable and appropriate steps to stop and remediate unauthorized use of Elastic Personal Data;
      5. (e) Vendor may engage other service providers to assist in the processing of Elastic Personal Data for the Permitted Purposes under the Agreement on behalf of Elastic, as detailed in Section 3.1 (Authorized Sub-processors) of this DPA pursuant to a written contract(s) binding such additional service providers to observe the applicable requirements of US Privacy Laws; and
      6. (f) Vendor shall not combine the Elastic Personal Data that Vendor receives from or on behalf of Elastic, with Personal Data that it receives from or on behalf of another person or persons, or collects from its own interaction with consumers.
  8. 8. Use of Artificial Intelligence
    1. 8.1 AI Features. To the extent that Vendor employs, uses, or otherwise implements any generative artificial intelligence, large language models (LLMs), machine learning, or any other artificial intelligence features to provide the Services (collectively "AI Features") the following terms shall apply:
      1. (a) Vendor shall not use any Elastic Personal Data, including in anonymized or aggregated form, for any purpose other than to provide the Services directly to Elastic, including to train or otherwise improve any AI Features;
      2. (b) Vendor has specified in Annex III (List of Sub-processors) any third parties that provide the AI Features as part of the Services;
      3. (c) Vendor shall at all times process Elastic Personal Data in connection with the use of AI Features in accordance with its obligations under Applicable Data Protection Laws and this DPA; and
      4. (d) Notwithstanding anything to the contrary, Elastic shall retain all right, title, and interest in and to Elastic Personal Data at all times.
  9. 9. Miscellaneous
    1. 9.1 Except for the changes made by this DPA as applicable to the Agreement, the Agreement remains unchanged and in full force and effect; provided, however, that any limitations on liability and/or disclaimers of damages contained in the Agreement shall not apply to any damages arising from Vendor's breach of this DPA.
    2. 9.2 The Parties acknowledge and agree that, by executing the Agreement, Elastic enters into this DPA on behalf of itself and, as applicable, in the name and on behalf of its Affiliates (as defined in the underlying Agreement), thereby establishing a separate DPA between Vendor and each such Affiliate subject to the provisions of the Agreement and this Section. For the avoidance of doubt, an Affiliate is not and does not become a party to the Agreement, but is only a party to this DPA. Elastic shall remain responsible for coordinating all communication with Vendor under this DPA and be entitled to make and receive any communication in relation to this DPA on behalf of its Affiliates.
    3. 9.3 This DPA shall be governed by and construed in accordance with the governing law and jurisdiction provisions in the Agreement, unless required otherwise by Applicable Data Protection Laws.

ANNEX I

  1. A. LIST OF PARTIES
    Data exporter(s):

    1. Name: Elastic
      Address: As detailed in the underlying Agreement
      Contact person's name, position and contact details: As detailed in the underlying Agreement
      Activities relevant to the data transferred under these Clauses: the Services described in the Agreement

      Role: Controller or Processor, as applicable

    Data importer(s):

    1. Name: Vendor
      Address: As detailed in the underlying Agreement
      Contact person's name, position and contact details: As detailed in the underlying Agreement
      Activities relevant to the data transferred under these Clauses: the Services described in the Agreement

      Role: Processor

  2. B. DESCRIPTION OF TRANSFER
    • Categories of data subjects whose personal data is transferred
      Elastic Personal Data transferred to Vendor may concern the following categories of data subjects: individuals whose Personal Data Elastic elects to transfer to Vendor for fulfillment of the Services as set forth in the Agreement.
    • Categories of personal data transferred
      The types of Elastic Personal Data are determined and controlled by Elastic in its sole discretion, and may include: name, address, title, email address, contact details, username; and/or any other Elastic Personal Data that Elastic elects to transfer to Vendor for the operation, provision, receipt, support, and/or use of the Services.
    • Sensitive data transferred
      Unless expressly specified in the Agreement, Vendor shall not process special categories of Personal Data.
    • Frequency of the transfer
      The frequency of the transfer is on a continuous or one-off basis depending on the nature of the Services.
    • Nature of the processing
      Elastic Personal Data that Elastic elects to transfer for Vendor to provide the Services as set forth in the Agreement.
    • Purpose(s) of the data transfer and further processing
      The operation, support, or use of the Services as set out in the Agreement and compliance with applicable laws.
    • The period for which the personal data will be retained
      The duration of the processing under this DPA is until the termination of the Services in accordance with the Agreement terms.
  3. C. COMPETENT SUPERVISORY AUTHORITY
    The supervisory authority of the Netherlands shall act as competent supervisory authority.

ANNEX II

Vendor has implemented and will maintain the administrative, physical and technical measures set forth in EXHIBIT B to the Agreement to ensure the security, confidentiality and integrity of Elastic Personal Data it processes on behalf of Elastic in fulfillment of the Services. The measures shall be appropriate to the nature and risk to Personal Data, and in any event shall not be less stringent than those prescribed under Applicable Data Protection Laws.

PREVIOUS TERMS AND CONDITIONS

Terms effective from 06.04.2024 through 01.14.2026