This Data Processing Addendum including its Schedules (“DPA”) is agreed between Gearset and Customer pursuant to the terms of the Gearset Master Services Agreement (“Agreement”) under which Customer has agreed to procure and Gearset has agreed to provide certain Services (as defined in the Agreement). This is version v1202209.2 which is effective from 17 November 2022.
This DPA is incorporated into the Agreement by reference, and forms part of the Agreement. It sets out the terms that apply when Gearset Processes Personal Data (as defined in this DPA) on behalf of Customer under the terms of the Agreement. Its purpose is to ensure that such Processing is conducted in accordance with the written instructions of the Customer, as set out in this DPA, and all applicable laws, and with due respect for the rights and freedoms of individuals whose Personal Data are Processed.
NB. This DPA only applies to the extent that Customer uses Gearset’s data migration, masking, backup and/or archiving solutions, as that is the only situation in which Gearset Processes Personal Data on behalf of Customer.
Definitions
Capitalized terms used but not defined in this DPA have the same meanings as set out in the Agreement.
For the purposes of this DPA the following words and phrases shall have the following meanings:
“Addendum” means the UK International Transfer Addendum to the EU SCCs, as provided at Schedule 3;
“CCPA” means the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq., and its implementing regulations;
“Controller” shall mean the entity which, alone or jointly with others, determines the purposes and means of the Processing of the Personal Data;
“Data Protection Laws and Regulations” means all laws and regulations from time to time of the United Kingdom, the European Union and the EEA and their member states, Switzerland, and the United States and its states, applicable to the Processing of Personal Data under this DPA including the UK GDPR; the Data Protection Act 2018 (“DPA 2018”); the GDPR; the Privacy and Electronic Communications Directive 2002/58/EC (as updated by Directive 2009/136/EC); the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426) as amended; the CCPA; and any other legislation and regulatory requirements in force from time to time which apply to a party relating to the use of Personal Data;
“Data Subject” means the identified or identifiable person to whom Personal Data relates;
“Data Transfer Provisions” means, the EU SCCs and the Addendum;
“EEA” means the European Economic Area, which constitutes the member states of the European Union, Norway, Iceland and Liechtenstein;
“EU SCCs” means the standard contractual clauses for the transfer of personal data to third countries pursuant to the GDPR, adopted by the European Commission under Commission Decision (EU) 2021/914 2021;
“GDPR” means Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (as amended, replaced or superseded);
“Gearset” means Gearset Limited, a company registered in England with company number 10345423 and whose registered office is at The Bradfield Centre, Cambridge Science Park Rd, Cambridge, CB4 0GA, UK;
“Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
“Processor” shall mean an entity which processes Personal Data on behalf of the Controller, including as applicable any “service provider” as that term is defined by the CCPA;
“Personal Data” means any information relating to (i) an identified or identifiable natural person and, (ii) an identified or identifiable legal entity (where such information is protected similarly as personal data or personally identifiable information under applicable Data Protection Laws and Regulations), where for each (i) or (ii), such data is Customer Data (as defined in the Agreement);
“Security, Privacy and Architecture Documentation” means the Security, Privacy and Architecture Documentation applicable to the Services purchased by Customer, as updated from time to time, and accessible via Gearset’s security webpage at https://gearset.com/security or as otherwise made reasonably available by Gearset;
“Sub-processor” means any third party data processor engaged by a Processor who has or will have access to or process Personal Data from a Controller; and
“UK GDPR” means the GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018.
Processing of Personal Data
Roles of the Parties. The parties acknowledge and agree that with regard to the Processing of Personal Data as is necessary for providing the Services, Customer may be the Controller or a Processor. Where the Customer is a Controller, Gearset will be a Processor. Where the Customer is itself a Processor, Gearset will be the Customer’s Sub-Processor. In either case, the parties acknowledge and agree that Gearset will engage Sub-processors pursuant to the requirements set forth in clause 5 below.
The Customer acknowledges that Gearset is a controller with regard to the personal data collected by Gearset as part of the sale and/or management of the Subscription (as defined in the Agreement) and/or Services and/or the provision of the Services to Customer, including (but not exclusively) any User Data (as defined in the Agreement). For the avoidance of doubt, this DPA only applies to Customer Data and does not apply to personal data for which Gearset is the controller.
Customer’s Processing of Personal Data. Customer: (i) is responsible for ensuring that it has complied, and will continue to comply, with all applicable Data Protection Laws and Regulations; (ii) warrants that it has, and will continue to have, the right to Process, transfer, and/or provide access to, the Personal Data to Gearset for Processing in accordance with the terms of the Agreement and this DPA; and (iii) has sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Customer acquired Personal Data, including ensuring that there is a lawful basis for the Processing. Customer specifically acknowledges that its use of the Services will not violate the rights of any Data Subject that has opted-out from sales or other disclosures of Personal Data, to the extent applicable under the CCPA.
Gearset’s Processing of Personal Data. Gearset shall Process Personal Data on behalf of Customer as is necessary for providing the Services and only in accordance with Customer’s documented instructions as set out in this DPA. Gearset shall notify the Customer promptly if, in Gearset’s opinion, the Customer’s instructions would not comply with the Data Protection Laws and Regulations. Any Processing required outside of the scope of these instructions will require prior written agreement between the parties. To the extent the CCPA is applicable to Customer’s business and solely with respect to such Personal Data subject to the CCPA, the parties acknowledge and agree that Gearset’s Processing of Personal Data is as a “service provider” as that term is defined under the CCPA for a “business purpose” as that term is defined under the CCPA (i.e., performing services on behalf of Customer).
Details of the Processing. The subject-matter of Processing of Personal Data by Gearset, the duration of the Processing, the nature and purpose of the Processing, the types of Personal Data and categories of Data Subjects Processed under this DPA are further specified in Schedule 1 (Data Processing Appendix) to this DPA.
Data Protection Impact Assessments. Upon Customer’s request, Gearset shall provide Customer with reasonable cooperation and assistance needed to fulfil Customer’s obligation under applicable Data Protection Laws and Regulations to carry out a data protection impact assessment related to Customer’s use of the Services, to the extent Customer does not otherwise have access to the relevant information, and to the extent such information is available to Gearset. Gearset shall provide reasonable assistance to Customer in the cooperation or prior consultation with the applicable Supervisory Authority in the performance of its tasks relating to clause 2.4 of this DPA, to the extent required under applicable Data Protection Laws and Regulations.
Rights of Data Subjects
Gearset Personnel
Confidentiality. Gearset shall ensure that its personnel engaged in the Processing of Personal Data are informed of the confidential nature of the Personal Data, have received appropriate training on their responsibilities and are bound by confidentiality terms no less onerous than those set out in the Agreement. Gearset shall ensure that such confidentiality obligations survive the termination of the personnel engagement for a reasonable period.
Limitation of Access. Gearset shall ensure that Gearset’s access to Personal Data is limited to those personnel who have a need to access the Personal Data to facilitate the performance of the Services.
Data Protection Contact. Gearset has personnel responsible for the protection and Processing of Personal Data. Those personnel may be reached at [email protected].
Sub-processors
Appointment of Sub-processors. Customer acknowledges and agrees that: (i) Gearset’s Affiliates may be retained as Sub-processors, and (ii) Gearset and Gearset’s Affiliates may engage third-party Sub-processors in connection with the provision of the Services. Gearset has entered into a written agreement with each Sub-processor containing data protection obligations no less protective than those in this Agreement with respect to the protection of Personal Data to the extent applicable to the nature of the Services provided by such Sub-processor.
List of Current Sub-processors and Notification of New Sub-processors. Gearset shall make available to Customer (via the Gearset Website or otherwise) the current list of Sub-processors for the Services (“Sub-processor List”). The Sub-processor List shall include the identities of those Sub-processors and their country of location. Gearset shall provide notification of new Sub-processor(s) by updating the Sub-processor List. Gearset shall use reasonable endeavors to alert the Customer of changes to the Sub-processor List through the Software, but the Customer is advised to check the Gearset Website periodically for communications concerning such changes.
Objection Right for New Sub-processors. Customer may object to Gearset’s use of a new Sub-processor for a commercially reasonable reason by notifying Gearset promptly in writing within ten (10) business days after Gearset updates the Sub-processor List. In the event Customer reasonably objects to a new Sub-processor, Gearset will use reasonable efforts to make available to Customer a change in the Services or recommend a commercially reasonable change to Customer’s configuration or use of the Services to avoid Processing of Personal Data by the objected-to new Sub-processor without unreasonably burdening Customer. If Gearset is unable to make available such change within a reasonable period of time, which shall not exceed thirty (30) days, Gearset or Customer may terminate the applicable Subscription(s) with respect to those Services which cannot be provided by Gearset without the use of the objected-to new Sub-processor by providing written notice to the other party. Gearset will refund Customer any prepaid fees covering the remainder of the term of such Subscription(s) following the effective date of termination with respect to such terminated Services, without imposing a penalty for such termination on Customer.
Liability. Gearset shall be liable for the acts and omissions of its Sub-processors to the same extent Gearset would be liable if performing the services of each Sub-processor directly under the terms of this DPA, except as otherwise set forth in the Agreement.
Security
Controls for the Protection of Personal Data. Gearset shall maintain appropriate technical and organizational measures for protection of the security (including protection against unauthorized or unlawful Processing and against accidental or unlawful destruction, loss or alteration or damage, unauthorized disclosure or access), confidentiality and integrity of Personal Data, as set forth in the Security, Privacy and Architecture Documentation. Gearset regularly monitors compliance with these measures. Customer acknowledges that the security measures are subject to technical progress and development and that Gearset may update or modify the security measures from time to time, provided that such updates and modifications do not result in the material degradation of the overall security of the Services purchased by the Customer.
Third-Party Audits. Gearset engages third party auditors to verify the adequacy of its security measures. These audits (a) will be performed at least annually; (b) will be performed according to internationally recognized standards; (c) will be performed by independent third party security professionals at Gearset’s selection and expense and (d) will result in the generation of an audit report (“Audit Report”) which will constitute Gearset’s Confidential Information.
Access to Audit Reports. No more than once during any consecutive 12-month period, on the Customer’s written request and subject to the confidentiality obligations in the Agreement, Gearset shall make available to a Customer that is not a competitor of Gearset (or Customer’s independent, third-party auditor that is not a competitor of Gearset) a copy of Gearset’s then most recent Audit Report or the summary results, as appropriate. Within such request, the Customer shall be entitled to ask reasonable questions of Gearset related to its compliance with the terms of this DPA and Data Protection Laws and Regulations, and Gearset shall use its reasonable endeavors to respond adequately when providing the Audit Report.
Sub-processor Audits. No more than once during any consecutive 12-month period, on the Customer’s written request, Gearset will exercise such relevant audit rights that it may have in connection with its Sub-processors’ compliance with their obligations regarding their processing of Personal Data, and provide the Customer with a summary of the audit results or, in the event that Gearset has recently exercised such rights for another customer, it shall provide to the Customer a summary of the most recent audit results.
Customer’s Right to Audit. Customer agrees to exercise any right it may have to conduct an audit or inspection of Gearset or its Sub-processors by instructing Gearset to carry out the audit described in this clause 6. If Customer wishes to change this instruction regarding the audit, then Customer has the right to request a change to this instruction by sending Gearset written notice as provided for in the Agreement. If Gearset declines to follow any instruction requested by Customer regarding audits or inspections, Customer is entitled to terminate this DPA and the Agreement.
Incident Management and Notification
Gearset shall notify Customer promptly and without undue delay after becoming aware of the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data, transmitted, stored or otherwise Processed by Gearset or its Sub-processors of which Gearset becomes aware (a “Personal Data Incident”).
Gearset shall make reasonable efforts to identify the cause of any Personal Data Incident and take those steps as Gearset deems necessary and reasonable to remediate the cause of such a Personal Data Incident to the extent the remediation is within Gearset’s reasonable control.
The notice to be provided pursuant to clause 7.1 above shall detail, to the extent relevant and reasonably available to Gearset at the time:
Gearset shall keep Customer reasonably updated of any material developments to its investigation, handling and remediation of the Personal Data Incident, and Customer and Gearset shall reasonably co-operate to mitigate the risk to each party and the affected data subjects.
The obligations in this clause 7 shall not apply to incidents that are caused by Customer or its Authorised Users, or by access to the Services in breach of clause 4 (Use of Services and Documentation, Customer Obligations) of the Agreement, unless and until the Customer has notified Gearset that they constitute a Personal Data Incident in which case Gearset shall provide the Customer with reasonable assistance (at Customer’s cost) in investigating the information set out in clause 7.3 above.
Return and Deletion of Personal Data
Limitation of Liability
Transfer Mechanisms
International Transfers. It is acknowledged and accepted by Customer that Gearset provides a hosted service which can operate in data centers in various locations around the world, as selected by Customer through the Software. As such, Gearset may transfer Personal Data outside of the UK and EEA as part of its hosting and disaster recovery processes. Customer acknowledges and consents to Gearset transferring Personal Data outside of the UK and EEA for the purposes of providing the Services, provided that any such transfer meets the relevant requirements under the applicable Data Protection Laws and Regulations.
Data Transfer Provisions. The Data Transfer Provisions will apply, as applicable, to transfers of Personal Data outside the UK or EEA, whether directly or via onward transfer, where the transfer is: (i) to or within a country not recognized by the UK Government (in the case of transfers made pursuant to the UK GDPR) or European Commission (in the case of transfers made pursuant to the GDPR) as providing an adequate level of protection for personal data; and (ii) no other appropriate safeguard for such transfer as set out in Article 46 of the GDPR is applicable to such transfer. Agreement to this DPA will constitute agreement to the applicable the Data Transfer Provisions, which shall be incorporated into this DPA by reference. Where the Data Transfer Provisions apply pursuant to this clause 10.2, then in the event of any inconsistency (but not a direct conflict) between the terms of this DPA and the Data Transfer Provisions, the terms of this DPA will prevail. In the event of a direct conflict between the terms of this DPA and the Data Transfer Provisions, the terms of the Data Transfer Provisions will prevail.
General Provisions
Except as amended by this DPA, the Agreement will remain in full force and effect.
If there is a conflict between the Agreement and this DPA, the terms of this DPA will take precedence.
Any claims brought under this DPA shall be subject to the terms and conditions, including but not limited to, the exclusions and limitations set forth in the Agreement.
This DPA will automatically terminate on the termination or expiry of the Agreement.
List of Schedules
Schedule 1: Details of the Processing
Schedule 2: EU to Third Country Transfers
Schedule 3: UK International Transfer Addendum to the EU SCCs
Data Controller/importer
Data Controller/importer is the legal entity specified as Customer in the Agreement/DPA.
Data Processor/exporter
Gearset Limited, a provider of enterprise DevOps software and cloud services.
Nature and Purpose of Processing
Gearset will Process Personal Data as necessary to perform the Services pursuant to the Agreement, and as further instructed by Customer in its use of the Services.
Duration of Processing
Subject to clause 8 of the DPA, Gearset will Process Personal Data for the duration of the Agreement, unless otherwise agreed upon in writing.
Categories of Data Subjects
Customer may submit Personal Data to Gearset, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to Personal Data relating to the following categories of Data Subjects:
Categories of Personal Data
Customer may submit Personal Data to Gearset, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to the following categories of Personal Data:
Sensitive Data (if appropriate)
Customer may submit special categories of data to the Services, the extent of which is determined and controlled by the Customer in its sole discretion, and which is for the sake of clarity Personal Data with information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.
Frequency of the Transfer
Determined by Customer, in line with its use of the Software.
Sub-Processor Transfers
As set out at clause 5 of the DPA.
Competent Supervisory Authority
Except where Schedule 2 applies, The UK Information Commissioner.
Where Schedule 2 applies, The Irish Data Protection Commissioner.
Technical and Organisational Measures
As set out in the Security, Privacy and Architecture Documentation, and accessible at www.gearset.com/security or otherwise made available by Gearset. Gearset will not materially decrease the overall security of the Services during the term of the Agreement.
Incorporation of the EU SCCs
To the extent the transfer is made pursuant to the GDPR, this Schedule 2 and the following terms shall apply:
Clarifications to the EU SCCs
Appendices and Annexures to the EU SCCs
The processing details required by the EU SCCs are set out in Schedule 1:
The details required at Annex 1.A of the EU SCCs are set out at paragraphs 1 - 2;
The details required at Annex 1.B of the EU SCCs are set out at paragraph 3 - 9;
The details required at Annex 1.C of the EU SCCs are set out a paragraph 10; and
The details required at Annex 2 of the EU SCCs is set out at paragraph 11.
Part 1
Parties. As set out in Schedule 1.
Selected SCCs, Modules and Clauses
Module 4 of the EU SCCs and no other optional clauses unless explicitly specified, and as amended by the clarifications in Schedule 2, paragraph 2, but subject to any further amendments detailed in this Schedule 3 (“ICO Modified EU SCCs”).
Personal data received from the importer is not combined with personal data collected by the exporter.
Appendix Information
The processing details required by this Addendum are as set out in Schedule 1 (“Appendix Information”).
Termination of the Addendum
In the event the template Addendum issued by the Information Commissioner’s Office (“ICO”) and laid before Parliament in accordance with s119A of the DPA 2018 on 2 February 2022, as it is revised under Section 18 (“ICO’s Addendum”) is amended, either party may terminate this Addendum on written notice to the other in accordance with Part 2, paragraph 4 of this Schedule 3 and replace it with a mutually acceptable alternative.
Part 2
Interpretation
Except as otherwise defined in this Addendum, where this Addendum uses terms that are defined in the EU SCCs, those terms shall have the same meaning as in the EU SCCs.
This Addendum must always be interpreted:
In a manner that is consistent with all laws relating to data protection, the processing of personal data, privacy and/or electronic communications in force from time to time in the UK, including the UK GDPR (as defined in section 3 of the DPA 2018) and the DPA 2018 (“UK Data Protection Laws”); and
So that it fulfils the Parties’ obligation to provide the appropriate safeguards, being the standard of protection over the Personal Data and of Data Subjects’ rights required by UK Data Protection Laws when a party is making a transfer which is covered by Chapter V of the UK GDPR (“Restricted Transfer”) relying on standard data protection clauses under Article 46(2)(d) UK GDPR (“Appropriate Safeguards”).
If the provisions included in the ICO Modified EU SCCs amend the EU SCCs in any way which is not permitted under the EU SCCs or the ICO’s Addendum, such amendment(s) will not be incorporated in this Addendum and the equivalent provision of the ICO’s Addendum will take their place.
If there is any inconsistency or conflict between UK Data Protection Laws and this Addendum, the UK Data Protection Laws apply.
If the meaning of this Addendum is unclear or there is more than one meaning, the meaning which most closely aligns with the UK Data Protection Laws applies.
Any references to legislation (or specific provisions of legislation) means that legislation (or specific provision) as it may change over time. This includes where that legislation (or specific provision) has been consolidated, re-enacted and/or replaced after this Addendum has been entered into.
Hierarchy
Although clause 5 of the EU SCCs sets out that the EU SCCs prevail over all related agreements between the parties, the parties agree that, for Restricted Transfers, the hierarchy in paragraph 2.2 will prevail.
Where there is any inconsistency or conflict between the ICO’s Addendum and the ICO Modified EU SCCs (as applicable), the ICO’s Addendum overrides the ICO’s Modified EU SCCs, except where (and in so far as) the inconsistent or conflicting terms of the ICO’s Modified EU SCCs provides greater protection for data subjects, in which case those terms will override the ICO’s Addendum.
Where this Addendum incorporates EU SCCs which have been entered into to protect transfers subject to the GDPR then the Parties acknowledge that nothing in this Addendum impacts those EU SCCs.
Incorporation of and changes to the EU SCCs
This Addendum incorporates the EU SCCs which are amended to the extent necessary so that:
Together they operate for data transfers made by the exporter to the importer, to the extent that UK Data Protection Laws apply to the exporter’s processing when making that data transfer, and they provide Appropriate Safeguards for those data transfers;
Paragraphs 2.1 to 2.3 override clause 5 (Hierarchy) of the EU SCCs; and
This Addendum (including the EU SCCs incorporated into it) is (1) governed by the laws of England and Wales and (2) any dispute arising from it is resolved by the courts of England and Wales, in each case unless the laws and/or courts of Scotland or Northern Ireland have been expressly selected by the Parties.
Unless the Parties have agreed alternative amendments which meet the requirements of paragraph 3.1, the provisions of paragraph 3.4 will apply.
No amendments to the EU SCCs other than to meet the requirements of paragraph 3.1 may be made.
The following amendments to the EU SCCs (for the purpose of paragraph 3.1) are made:
References to the “Clauses” means this Addendum, incorporating the ICO Modified EU SCCs;
In Clause 2, delete the words: “and, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679”;
Clause 6 (Description of the transfer(s)) is replaced with: “The details of the transfers(s) and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred) are those specified in Annex I.B where UK Data Protection Laws apply to the data exporter’s processing when making that transfer.”;
References to “Regulation (EU) 2016/679”, “Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation)” and “that Regulation” are all replaced by “UK Data Protection Laws”. References to specific Article(s) of “Regulation (EU) 2016/679” are replaced with the equivalent Article or Section of UK Data Protection Laws;
References to Regulation (EU) 2018/1725 are removed;
References to the “European Union”, “Union”, “EU”, “EU Member State”, “Member State” and “EU or Member State” are all replaced with the “UK” (being the United Kingdom of Great Britain and Northern Ireland);
Clause 13(a) and Part C of Annex I are not used;
The “competent supervisory authority” and “supervisory authority” are both replaced with the “Information Commissioner”;
In Clause 16(e), subsection (i) is replaced with: “the Secretary of State makes regulations pursuant to Section 17A of the Data Protection Act 2018 that cover the transfer of personal data to which these clauses apply;”;
Clause 17 is replaced with: “These Clauses are governed by the laws of England and Wales.”;
Clause 18 is replaced with: “Any dispute arising from these Clauses shall be resolved by the courts of England and Wales. A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of any country in the UK. The Parties agree to submit themselves to the jurisdiction of such courts.”; and
The footnotes to the EU SCCs do not form part of the Addendum, except for footnotes 8, 9, 10 and 11.
Amendments to this Addendum
From time to time, the ICO may issue a revised ICO Addendum which:
Makes reasonable and proportionate changes to the ICO Addendum, including correcting errors in the ICO Addendum; and/or
Reflects changes to UK Data Protection Laws;
The revised ICO Addendum will specify the start date from which the changes to the ICO Addendum are effective and whether the parties need to review this Addendum including the Appendix Information. This Addendum is automatically amended as set out in the revised ICO Addendum from the start date specified in any such replacement ICO Addendum issued.
If the ICO issues a revised ICO Addendum under clause 4.1, if either Party will as a direct result of the changes in the ICO Addendum have a substantial, disproportionate and demonstrable increase in:
Its direct costs of performing its obligations under the ICO Addendum; and/or
Its risk under the ICO Addendum,
And in either case it has first taken reasonable steps to reduce those costs or risks so that it is not substantial and disproportionate, then that Party may terminate this Addendum on fourteen (14) days’ written notice to the other Party before the start date of the revised ICO Addendum.
The parties do not need the consent of any third party to make changes to this Addendum, but any changes must be made in accordance with its terms.