Are you currently experiencing an attack?

Are you currently experiencing an attack?

Reblaze’s Data Processing Addendum (DPA)

This Data Processing Addendum (the “Addendum”) forms a part of the Service Agreement and related Terms of Service entered into by and between [Customer_name] (“Customer”) and Reblaze Technologies Ltd. (the “Company” and the “Agreement”, respectively). The Parties agree that this Addendum shall be added as an addendum to the Agreement, according to which Reblaze shall provide to the Customer certain data processing services, as described therein (respectively, the “Services”). Each of the Customer and Reblaze shall be referred to as a “Party”, and collectively referred to as the “Parties”. For the purposes of this Addendum, the term “Customer” shall include Customer and/or its Affiliates.

  1. Definitions – In this Addendum, the following terms shall have the meaning set out below and cognate terms shall be construed accordingly:
    1. Affiliate” shall mean a person or entity controlling, controlled by or under the common control with either Party; the term “control”, for the purpose of this definition, shall mean direct or indirect possession of the power to direct or cause the direction of the management or policies of Customer, whether through the ability to exercise voting power, by contract or otherwise. 
    2. Agreement Data Subject” shall mean natural persons to which Agreement Personal Data relate.
    3. Agreement Personal Data” shall mean any Personal Data Processed by the Company or any Subcontractor as part of the performance of the Services under the Agreement.
    4. Applicable Laws” shall mean any applicable law, including Applicable Privacy Laws, and any other applicable law with respect to any Agreement Personal Data, to which either Party is subject.
    5. Applicable Privacy Laws” shall mean any applicable domestic and foreign laws, rules, directives and regulations pertaining to data privacy, data security and/or the protection of personal data, including, as applicable, the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“GDPR“), and including any amendments or replacements thereof.
    6. “Approved Jurisdiction” shall mean a member state of the EEA, or other jurisdiction as may be approved pursuant to the GDPR as having adequate legal protections for data by the European Commission.
    7. EEA” shall mean the European Economic Area.
    8. Privacy Policy” shall mean the Company’s privacy policy, available at https://www.reblaze.com/platform-privacy-policy/, which describes the Company’s Agreement Personal Data processing operations.  
    9. Subcontractor” shall mean any person appointed by or on behalf of Company to Process Agreement Personal Data on behalf of the Customer in connection with the Agreement, excluding any employee of Company or of any such appointed person. 
    10. Standard Contractual Clauses” mean the agreement pursuant to the European Commission’s decision (EU) 2021/914 of 4 June 2021 (Commission Implementing Decision (EU) 2021/914 on Standard Contractual Clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council as officially published at https://eurlex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32021D0914&from=EN.
    11. Term” shall have the meaning ascribed to it under Section ‎12 below.
    12. European Commission”, “Controller”, “Processor”, “Data Subject”, “International Organisation”, “Member State”, “Personal Data”, “Personal Data Breach” and “Processing” shall have the meanings ascribed to them in the GDPR.

  2. Authorization and Compliance
    1. By virtue of the Agreement, Customer is considered as the “Controller” (or equivalent term under Applicable Privacy Laws) and the Company is considered as the “Processor” (or equivalent terms under Applicable Privacy Laws) with regards to the Agreement Personal Data. 
    2. Schedule ‎A to this Addendum sets out certain details regarding the Company’s Processing of Agreement Personal Data, as required by Article 28(3) of the GDPR and other Applicable Privacy Laws.
    3. Company shall Process Agreement Personal Data solely (i) in accordance with the Agreement (and solely subject to the provisions of this Addendum), and/or (ii) on reasonable  documented instructions from Customer, where such instructions are consistent with the terms of the Agreement, unless required to do so by Applicable Laws to which Company is subject, in which case Company shall inform Customer of that legal requirement before the relevant Processing, unless that Applicable Law prohibits such information on important grounds of public interest. 
    4. The Customer hereby instructs the Company (and authorizes the Company to instruct each of its Subcontractors) to process the Agreement Personal Data, as reasonably necessary for the provision of the Services and in accordance with the Agreement, the Privacy Policy and this Addendum. Additional instructions outside the scope of this Addendum and the Agreement require prior written agreement between the Parties and will include any additional fees that may be payable by the Customer for carrying out such instructions. 
    5. The Customer hereby acknowledges that as part of the provision of the Services hereunder, the Company may collect, disclose, publish, share and otherwise use fully anonymized,  de-identified and de-identifiable data, including statistical data, analytics, trends and other aggregated data which derives from the Agreement Personal Data processed by the Company as part of the provision of the Services, all as required for the Company’s legitimate purposes, and the Customer hereby agrees and acknowledges that such processing activities (including the anonymization and de-identification of Agreement Personal Data) will not be considered as performed outside the scope of the instructions provided by the Customer hereunder. Company agrees not to use said anonymized data in a form that identifies the Customer or any Agreement Data Subject.  
    6. The Company will notify the Customer if Company is of the opinion that a written instruction received from the Customer is in violation of Applicable Law and/or in violation of contractual duties under the Agreement.
    7. The Company shall treat Agreement Personal Data as confidential information and will not disclose, make available or transfer the Agreement Personal Data to any third party, other than as permitted under this Addendum.
    8. The Customer shall have sole responsibility for the accuracy, quality and legality of the Agreement Personal Data, and hereby warrants and undertakes that it shall receive all required consents from the applicable Agreement Data Subjects for the processing carried out by the Company under this Addendum and that the Agreement Data Subjects have received all required privacy notices, in accordance with the Privacy Policy and this Addendum.

  3. Company’s Personnel
    1. The Company shall ensure that access to Agreement Personal Data is strictly limited to those individuals who need to know or access the relevant Agreement Personal Data to perform the Services. 
    2. The Company shall take all steps reasonably necessary to ensure the reliability of its personnel who may have access to Agreement Personal Data and shall ensure that each such individual (i) is informed of the confidential nature of Agreement Personal Data; (ii) has received appropriate training on his responsibilities under this Addendum; and (iii) is subject to confidentiality undertakings or appropriate statutory obligations of confidentiality.
    3. The Company shall be responsible for any breach of this Addendum made by any of its employees, agents or contractors as if Company itself had performed such breach.

  4. Subcontractors
    1. The Customer hereby (i) grants the Company a general authorization to engage (and permits each Subcontractor appointed in accordance with this Section to engage) Subcontractors for the purpose of providing the Services; (ii) agrees that Affiliates of Company may be used as Subcontractors; and (iii) confirms that Company may continue to use those Subcontractors already engaged by Company as of the Effective Date of this Addendum, which are detailed in Schedule A hereto (“Existing Subcontractors”).
    2. The Company can at any time and without justification replace or appoint a new Subcontractor, provided that prior to engaging any new Subcontractor: 
      1. The Company will provide a fourteen (14) days’ prior notice to the Customer regarding the engagement of a new Subcontractor, and the Customer does not reasonably object to such changes within that timeframe under legitimate and documented grounds. If the Customer’s objection to an engagement of a Subcontractor is legitimate, the Company shall either refrain from using such Subcontractor in the context of the processing of Agreement Personal Data, or shall notify Customer that it is unable to provide the Services without the use of such Subcontractor and therefore it will suspend or restrict the Services (or an applicable part thereof) with immediate effect. 
      2. The Company shall perform adequate due-diligence to ensure that Subcontractor is capable of providing the level of protection for Agreement Personal Data required by any Applicable Privacy Law and Company’s obligations under the applicable provisions of the Agreement and this Addendum; and 
      3. Ensure that the arrangement between the Company and the Subcontractor is regulated by a written agreement, imposing on the Subcontractor undertakings that guarantee at least the same level of protection for Agreement Personal Data as those set out in this Addendum and meet the requirements of any Applicable Privacy Laws, including Article 28(3) of the GDPR, in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the Processing of Agreement Personal Data by the Subcontractor will meet the requirements of any Applicable Privacy Laws. 
    3. At the request of the Customer, the Company shall provide the Customer with a list containing up to date information regarding (i) the names of all Subcontractors; (ii) the purpose(s) of the Processing of Agreement Personal Data by each Subcontractor; (iii) the categories of Agreement Personal Data Processed by each Subcontractor; and (iv) any other information reasonably required by Customer regarding the Processing of Agreement Personal Data by any Subcontractor.
    4. The Company shall be liable for the acts and omissions of the Subcontractors to the same extent the Company would be liable if the Processing of Agreement Personal Data that is carried out through Subcontractors was performed directly by Company.

  5. Rights of Agreement Data Subject
    1. Taking into account the nature of the processing, the Company shall assist the Customer, including by appropriate technical and organisational measures, insofar as this is possible, in fulfilment of Customer’s obligations to comply with or respond to requests for exercising Agreement Data Subject’s rights under the Applicable Privacy Laws, including those laid down in Chapter III of the GDPR. 
    2. Without derogating from the generality of the above, the Company shall (i) promptly notify the Customer of any request raised by an Agreement Data Subject in relation to Agreement Personal Data concerning him or her, received by the Company and/or a Subcontractor; (ii) ensure that neither it nor any Subcontractor responds to any such request, except on a written instruction of Customer or as required by Applicable Law to which the Company or the Subcontractor is subject, while in the latter case, unless that Applicable Law prohibits so, the Company shall inform, and if applicable, procure that the relevant Subcontractor informs Customer of that legal requirement prior to responding to the request.

  6. Personal Data Breaches
    1. The Company shall notify the Customer without undue delay, upon becoming aware of any Personal Data Breach affecting Agreement Personal Data and in any event, not later than 48 hours after becoming aware of that breach, and shall provide the Customer with all information necessary for Customer to meet its obligations under Applicable Privacy Laws, to notify the relevant public authorities of that Personal Data Breach and to communicate it to Agreement Data Subject.
    2. Without derogating from the generality of the above, the information to be provided to the Customer by Company pursuant to Section ‎6.1 above shall include, without limitation, (i) a description of the nature of the Personal Data Breach; (ii) the categories and numbers of Agreement Data Subject concerned, and  the categories and numbers of Agreement Personal Data records concerned; (iii) name and contact details of Company’s, and if relevant, Subcontractor’s, data protection officer and other contact point(s) where other information can be obtained; (iv) a description of the likely consequences of the Personal Data Breach; and (v) a description of the measures taken or proposed to be taken to address the Personal Data Breach, including measures to mitigate its possible adverse effects.
    3. Where it is not possible to provide the information outlined in Section 6.1 and 6.2 above within 48 hours after Company becoming aware of the Personal Data Breach, the information may be provided in phases, without undue delay.  
    4. The Company shall reasonably cooperate with the Customer and take all necessary steps reasonably required by Customer to investigate and handle any Personal Data Breach affecting Agreement Personal Data.   
    5. The Company shall document any Personal Data Breach affecting Agreement Personal Data (including the facts relating to the Personal Data Breach, its effects and the remedial actions taken) in a sufficient manner to enable the Customer to demonstrate compliance with any Applicable Privacy Law, including Article 33 of the GDPR.

  7. Data Security
    1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing of Agreement Personal Data, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Company shall, in relation to Agreement Personal Data, implement appropriate technical and organisational measures to ensure a level of security appropriate to that risk, including those measures required under Applicable Privacy Laws and including, as appropriate, to those specified under Article 32 of the GDPR. 
    2. In assessing the appropriate level of security, the Company shall take account in particular of the risks that are presented by processing, in particular in connection with a Personal Data Breach.
    3. The technical and organizational security measures are subject to technical progress and development and the Company may update or modify technical and organizational security measures from time to time, provided that such updates and modifications do not result in the degradation of the overall security of the Services.

  8. Data Protection Impact Assessment and Prior Consultation
    The Company shall assist the Customer with any assessment of the impact of the envisaged processing operations on the protection of Agreement Personal Data and prior consultations with data protection authorities, which Customer considers to be required by it according to any Applicable Privacy Law, particularly Articles 35 and 36 of the GDPR.

  9. Records and Audits
    1. The Company shall maintain written records of all categories of processing activities carried out on behalf of Customer, in accordance with the requirement of Applicable Privacy Laws.  
    2. Upon the request of Customer and/or the relevant public authorities, the Company shall make the records referred to in Section 9.1 above available to the relevant public authorities. 
    3. During the Term and upon request, the Company shall make available to Customer all information necessary to demonstrate compliance with the obligations laid down in Applicable Privacy Laws and this Addendum and allow for and contribute to audits, including inspections, conducted by Customer or another auditor mandated by Customer, all at the Customer’s sole expense and only in order to ensure the Company’s compliance with the obligations laid down in Applicable Privacy Laws and this Addendum. If and to the extent the Customer engages third parties to conduct the audit, such third parties must be bound to strict confidentiality obligations. Notwithstanding the above, the Customer shall only be entitled to conduct such inspection during business hours and no more than once during one calendar year, provided that the Customer shall be entitled to conduct such inspection at any time if it reasonably suspects the Company to be in material breach of its obligations under this Addendum and that nothing in this Section shall limit the timing and scope of any audit required to be conducted by Applicable Privacy Laws.
    4. The Customer shall provide the Company a reasonable prior written notice of any audit or inspection to be conducted under this Section and shall avoid (and ensure that each of its auditors avoids) causing any damage, injury or disruption to Company’s premises, equipment, personnel and business while its personnel are on those premises in the course of such audit or inspection. 
    5. Nothing in this Addendum will require the Company either to disclose to the Customer (and/or its authorized auditors), or provide access to: (i) any data of any other customer of the Company; (ii) Company’s internal accounting or financial information; (iii) any trade secret of the Company; or (iv) any information that, in the Company’s sole discretion, could compromise the security of any of the Company’s systems or premises or cause the Company to breach obligations under any Applicable Law or its obligations to any third party.

  10. Deletion or Return of Agreement Personal Data
    1. Upon a written request of Customer at any time and/or upon the expiry or termination of an agreement with Company and/or a Subcontractor for any reason whatsoever, the Company (and the Company shall procure that that Subcontractor shall), at Customer’s option, promptly (i) delete all Agreement Personal Data in its possession or control, along with all copies, extracts and other objects or items in which it may be contained or embodied; or (ii) return to Customer by secure file transfer all Agreement Personal Data in its possession or control and delete all such Agreement Personal Data, along with all copies, extracts and other objects or items in which it may be contained or embodied. 
    2. Notwithstanding the foregoing, the Company may retain the Agreement Personal Data to the extent required by Applicable Laws and only to the extent and for such period as required by Applicable Laws and always provided that the Company shall ensure the confidentiality of all such Agreement Personal Data and shall ensure that such Agreement Personal Data is only processed as necessary for the purpose(s) specified in the Applicable Laws requiring its storage and for no other purpose.

  11. International Transfer of Personal Data
    1. With respect to all other cross-border transfers, the Company shall put in place appropriate safeguards, as required under Applicable Privacy Laws. 
    2. To the extent required under the Applicable Privacy Laws, where the Company or any Company Affiliate process, by themselves, Agreement Personal Data outside an Approved Jurisdiction, the Parties shall enter into the Standard Contractual Clauses, in which event the Customer shall be deemed as the Data Exporter and the Company shall be deemed as the Data Importer (as these terms are defined therein).
    3. The Company may transfer Agreement Personal Data originating from the EEA outside the EEA, including to Subcontractors, without the Customer’s consent, subject to the following: 
      1. The transfer is necessary for the purpose of Company carrying out the Company’s obligations under the Agreement, or is required under Applicable Laws; 
      2. The transfer is done: (i) to an Approved Jurisdiction, or (ii) subject to appropriate safeguards under Applicable Privacy Laws, including the Standard Contractual Clauses executed between the Company and the recipient of such Agreement Personal Data; and
      3. The Company implements any additional safeguards required under Applicable Privacy Laws, to facilitate such transfer.

  12. Term
    This Addendum shall become effective upon execution or acceptance of the Agreement and shall remain in full force until the later of the date when the Company ceases to process the Agreement Personal Data or termination of the Agreement (the “Term”). All provisions of this Addendum, which by their language or nature should survive the termination of this Addendum, will survive the termination of this Addendum.

  13. Miscellaneous
    1. Nothing in this Addendum reduces the Company’s obligations under the Agreement in relation to the protection of Agreement Personal Data or permits the Company to process (or permit the processing of) Agreement Personal Data in a manner which is not explicitly authorized by the Agreement. 
    2. In the event of inconsistencies between the provisions of this Addendum and any other agreements between the Parties, including the Agreement, the provisions of this Addendum shall prevail. 
    3. Customer may, by written notice to Company, propose changes to this Addendum which Customer reasonably considers to be necessary to comply with any Applicable Privacy Law; upon receipt of Customer’s notice as mentioned, the Parties shall discuss and negotiate the proposed changes in good faith with the aim to achieve and ensure compliance with Applicable Privacy Laws and Company shall procure that changes corresponding to the agreed changes are made to the agreements or other written instruments entered into or executed in accordance with Article ‎4.2.2; provided, however, that if Customer and Company do not reach an agreement as to the proposed changes, such changes will amend this Addendum upon the earlier of: (i) 30 (thirty) days from the date in which Customer notifies Company of such proposed changes, or (ii) the entry into force of any applicable change in the Applicable Privacy Law. 
    4. This Addendum and all non-contractual or other obligations arising out of or in connection with it are governed by the laws and subject to the jurisdiction of the courts as outlined in the Agreement, and for such purposes the Parties hereby irrevocably submit to the jurisdiction of such courts. 
    5. If any provision of this Addendum is held by a court of competent jurisdiction to be unenforceable under Applicable Law, then such provision shall be excluded from this Addendum and the remainder of this Addendum shall be interpreted as if such provision was so excluded and shall be enforceable in accordance with its terms; provided, however, that in such event this Addendum shall be interpreted so as to give effect, to the greatest extent consistent with and permitted by applicable law, to the meaning and intention of the excluded provision as determined by such court of competent jurisdiction.
    6. Any capitalized term not defined in this Addendum shall have the meaning attributed to it in the Agreement, unless the context requires otherwise.

BY ENTERING INTO THE AGREEMENT, YOU ALSO ACCEPT, CONSENT AND ENTER INTO THIS ADDENDUM, AND YOU FURTHER REPRESENT AND WARRANT THAT YOU HAVE READ AND UNDERSTOOD THIS ADDENDUM AND THAT YOU HAVE THE RIGHT AND AUTHORITY TO ENTER INTO THIS ADDENDUM ON YOUR AND ON YOUR ORGANIZATION’S BEHALF.

Schedule A

Details regarding the Company’s Processing of Agreement Personal Data required by Article 28(3) of the GDPR

Subject matter and duration of the Processing of Agreement Personal Data:

The subject matter and duration of the Processing of the Agreement Personal Data are set out in the Agreement and the Addendum. 

The nature and purpose of the Processing of Agreement Personal Data:

As described in the Agreement

 

The types of Agreement Personal Data to be Processed:

Customer’s end users:

    • IP Address (including location)
    • Timestamp
    • User Agent – type, version
    • Web Site
    • Header request details (up to content length value)
    • Any other personal data included in Customer’s web-properties, uploaded by Customer’s end-users. 

(ii) Customer’s employees who use the Company dashboard: 

    • e-mail address
    • full name
    • company name and a password

The categories of Data Subjects to whom the Agreement Personal Data relates:

(i) Customer’s end-users and (ii) Customer’s representative using Company dashboard.

The obligations and rights of Customer:

The obligations and rights of Customer are set out in the Agreement and the Addendum.

List of Subcontractors

Blue Grid – Bulevar Mihajla Pupina 10A – Belgrade / Serbia

 

 

Version 22

Get your price quote

Fill out your email below, and we will send you a price quote tailored to your needs

This website uses cookies to ensure you get the best experience on our website.