Updated September 2019
This Data Processing Agreement (“DPA”) forms part of the End User License Agreement (“Agreement”) between Claroty Ltd. (“Company”) and the entity set forth on the associated Agreement (“Customer”).
This DPA applies in respect of the processing of any Personal Data (as defined below) collected, provided, or otherwise made available to Company in connection with the provision of the Software and any services related to the Software under the Agreement, if the Processing of such Personal Data is subject to the GDPR, only to the extent the Customer is a Controller of Personal Data and Company is a Processor. The DPA is intended to satisfy the requirements of European Union data protection law, including Article 28(3) of the GDPR. This DPA shall be effective for the term of the Agreement or until deletion of Personal Data as instructed by Customer under this DPA, whichever is earlier.
1.1. For the purposes of this DPA:
1.1.1. “Controller” has the meaning given in the GDPR;
1.1.2. “Data Protection Legislation” means all applicable legislation relating to data protection and privacy including without limitation the EU Data Protection Directive 95/46/EC and all local laws and regulations which amend or replace any of them, including the GDPR, together with any national implementing laws in any Member State of the European Union or, to the extent applicable, in any other country, as amended, repealed, consolidated or replaced from time to time;
1.1.3. “Data Subject” has the meaning given in the GDPR. The categories of Data Subjects to whom Personal Data Processed under this DPA relates are described under Section 2 of this DPA;
1.1.4. “GDPR” means the General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data;
1.1.5. “Personal Data” has the meaning given in the GDPR. The types of Personal Data Processed by Company under this DPA are described under Section 2; and
1.1.6. “Personal Data Breach”, “Processing”, and “Processor” will each have the meaning given in the GDPR.
1.2. Capitalized terms not otherwise defined herein shall have the meaning given to them in the Agreement.
2.1. Types of Personal Data and Categories of Data Subjects. This DPA applies to the Processing of Personal Data relating to individuals about whom data is submitted to or through the Software by Customer or by any Customer end user, including IP addresses, machine names, user names and contact information of Customers’ employees using the Software, the extent of which is determined by Customer (or any Customer end user) in its sole discretion.
2.2. Subject-Matter, Nature and Purpose of The Processing. The subject-matter of Processing of Personal Data by Company is the provision of the Software and any services related to the Software to the Customer that involves the Processing of Personal Data. Personal Data will be collected, analyzed and stored by Company for purposes of providing the Software and any services related to the Software set out in the Agreement.
2.3. Duration of The Processing. Personal Data will be Processed for the duration of the Agreement until return or deletion as instructed by the Customer under Section 9 of this DPA.
3.1. The parties acknowledge and agree that Customer is the Controller of Personal Data and Company is the Processor. Company will only process Personal Data as a Processor on behalf of and in accordance with Customer’s prior written instructions. Company is hereby instructed to process Personal Data to the extent necessary to enable Company to provide the Software and any services related to the Software in accordance with the Agreement. If Company cannot process Personal Data in accordance with Customer’s instructions due to a legal requirement under any applicable European Union or Member State law, Company will (i) promptly notify Customer of that legal requirement and/or of the inability to comply with any instructions before the relevant Processing, to the extent permitted by the Data Protection Legislation; and (ii) cease all Processing (other than merely storing and maintaining the security of the affected Personal Data) until such time as Customer issues new instructions with which Company is able to comply. If this provision is invoked, Company will not be liable to Customer under the Agreement for any failure to provide the Software and any services related to the Software until such time as Customer issues new instructions in regard to such Processing.
3.2. Customer shall, in its use of the Software, process Personal Data in accordance with the requirements of the Data Protection Legislation. Customer’s instructions for the Processing of Personal Data shall comply with the Data Protection Legislation. Customer shall ensure that Customer has provided or will provide any necessary notices to Data Subjects, and has obtained or will obtain all consents (if required) and rights necessary for Company to process Personal Data in accordance with this DPA.
3.3. In connection with the performance of the Agreement, Customer authorizes Company to transfer Personal Data from the European Economic Area (“EEA”) and Switzerland, as applicable, to the United States and to any country that is recognized by the European Commission as providing an adequate level of protection for personal data.
4.1. Company will ensure that any person whom Company authorizes to process Personal Data on its behalf is subject to confidentiality obligations in respect of that Personal Data.
5.1. Company will implement appropriate technical and organisational measures to protect against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data, including, as appropriate, the measures required by Article 32 of the GDPR.
6.1. Customer hereby grants general written authorization to Company to appoint sub-Processors to perform specific Processing activities on behalf of the Customer. The list of sub-Processors currently engaged by Company in connection with the provision of the Software and any services related to the Software is attached hereto as Exhibit A (as may be updated by Company from time to time in accordance with this DPA). Company will inform Customer of any intended changes concerning the addition or replacement of its sub-Processors and Customer will have an opportunity to object to such changes on reasonable grounds within fifteen (15) business days after being notified.
6.2. Before engaging any sub-Processor to process Personal Data, Company will enter into a binding written agreement with the sub-Processor that imposes on the sub-Processor the same obligations that apply to Company under this DPA. Where the sub-Processor fails to fulfil its data protection obligations, Company will remain fully liable to the Customer for the performance of such sub-Processor’s obligations.
7.1. Taking into account the nature of the Processing, Company will assist Customer by appropriate technical and organizational measures, insofar as this is possible and to the extent permitted by the applicable law, for the fulfilment of the Customer’s obligation to respond to Data Subjects’ requests for the exercise of Data Subjects’ rights under the Data Protection Legislation. Customer shall be solely responsible for responding to such requests.
7.2. At Customer’s request, Company will provide Customer with reasonable assistance to facilitate the conduct of data protection impact assessments related to Customer’s use of the Software and consultation with competent data protection authorities, if Customer is required to do so under the Data Protection Legislation, in each case solely to the extent that such assistance is necessary and relates to the Processing by Company of Personal Data, taking into account the nature of the Processing and the information available to Company.
7.3. Company will, at the Customer’s request, provide Customer with reasonable assistance as necessary for the fulfilment of Customer’s obligation to keep Personal Data secure.
7.4. To the extent permitted by the applicable law, Customer shall be responsible for any costs and expenses arising from provision by Company of the assistance contemplated under this Section 7.
8.1. Company will notify Customer without undue delay after it becomes aware of any Personal Data Breach affecting any Personal Data. At Customer’s request, Company will promptly provide Customer with reasonable assistance necessary to enable Customer to notify Personal Data Breaches to competent authorities and/or affected Data Subjects, if Customer is required to do so under the Data Protection Legislation.
8.2. Company will not assess the contents of Personal Data in order to identify information subject to any specific legal requirements under the Data Protection Legislation or other applicable law. Customer shall be solely responsible for complying with Personal Data Breach notification requirements applicable to Customer and fulfilling any third-party notification obligations related to any Personal Data Breach.
9.1. Company will delete (or, at the election of the Customer, return, in such format as Company may reasonably elect and subject to Customer paying all of Company’s fees at prevailing rates, and all expenses, for transferring Personal Data to such format) all Personal Data in the possession or control of Company or any of its sub-Processors after Company ceases to provide the Software and any services related to the Software, unless the applicable law of the EU or of an EU Member State requires otherwise.
10.1. Company will, at Customer’s request and subject to the Customer paying all of Company’s fees at prevailing rates, and all expenses, reasonably cooperate with the Customer to provide the Customer with all information necessary to enable the Customer to demonstrate compliance with its obligations under the GDPR, and allow for and contribute to audits, including inspections, conducted by the Customer or an auditor mandated by the Customer, to the extent that such information is within Company’s control and Company is not precluded from disclosing it by applicable law, a duty of confidentiality, or any other obligation owed to a third party. Company will immediately inform Customer if, in its opinion, an instruction from Customer infringes the Data Protection Legislation.
11.1. The Customer acknowledges that Company is reliant on the Customer for direction as to the extent to which Company is entitled to process Personal Data on behalf of Customer in providing the Software and any services related to the Software. Consequently, Company will not be liable under the Agreement for any claim brought by a Data Subject arising from any action or omission by Company, to the extent that such action or omission resulted directly from Customer’s instructions or from Customer’s failure to comply with its obligations under the Data Protection Legislation.
11.2. Notwithstanding any provisions to the contrary included in this DPA, each party’s liability towards the other party under or in connection with this DPA will be limited in accordance with the provisions of the Agreement.
Exhibit A – List of Sub-Processors
Sub-Processor: Type of Processing
• Amazon Web Services (AWS): Cloud infrastructure provider
• Google Cloud Platform: Cloud infrastructure provider