Cloud Data Processing Agreement
Data protection requirements with respect to the processing of Customer Personal Data
Last updated 9th July 2021
This Data Processing Agreement (“DPA”) is incorporated into and forms a part of the Cloud Subscription Agreement, Cloud Terms of Service, or other applicable service or subscription agreement between you and OpenDataDSL with respect to your use of the Cloud Services (“OpenDataDSL Agreement”). This DPA sets out data protection requirements with respect to the processing of Customer Personal Data (as defined below) that is collected, stored, or otherwise processed by OpenDataDSL for the purpose of providing the Cloud Services. This DPA is effective on the effective date of the OpenDataDSL Agreement, unless this DPA is separately executed in which case it is effective on the date of the last signature.
1. Definitions
The following terms have the following meanings when used in this DPA. Any capitalized terms that are not defined in this DPA have the meaning provided in your MongoDB Agreement.
“Data Protection Act of 2018” The Data Protection Act 2018 is the UK’s implementation of the General Data Protection Regulation (GDPR).
“Customer,” “you” and “your” means the organization that agrees to an Order Form, or uses the Cloud Services subject to the relevant OpenDataDSL Agreement.
“Customer Personal Data” means any personal data that Customer uploads into the Cloud Services that is processed by OpenDataDSL.
“Data Protection Law” means GDPR, CCPA, and any other data protection legislation applicable to the respective party in its role in the processing of Customer Personal Data under the OpenDataDSL Agreement.
“Data Subject Request” has the meaning given to it in Section 5.1.
“EEA” means the European Economic Area.
“GDPR” means the General Data Protection Regulation ((EU) 2016/679) and any national implementing laws, regulations and secondary legislation, as amended, updated or replaced from time to time, in the European Union, Switzerland and/or the United Kingdom.
"Standard Contractual Clauses" means the Standard Contractual Clauses for Processors as approved by the European Commission in the form set out in Annex 1.
"Subprocessor" means any third-party data processor engaged by OpenDataDSL to process Customer Personal Data.
“Technical and Organizational Security Measures” has the meaning given to it in Section 3.2.
The terms “controller,” “data subject,” “personal data,” “personal data breach,” “processor,” “processing” and “supervisory authority” have the meanings set forth in the GDPR.
2. Data Processing
2.1. Scope and Roles. This DPA applies when OpenDataDSL processes Customer Personal Data in the course of providing the Cloud Services. In this context, OpenDataDSL is a “processor” to Customer, who may act as either a “controller” or “processor” with respect to Customer Personal Data.
2.2. Details of the Processing.
2.2.1. Subject Matter. The subject matter of the data processing under this DPA is Customer Personal Data.
2.2.2. Duration. The duration of the data processing under this DPA is until the expiration or termination of the OpenDataDSL Agreement in accordance with its terms.
2.2.3. Nature and Purpose. The purpose of the data processing under this DPA is the provision of the Cloud Services to Customer in accordance with the OpenDataDSL Agreement.
2.2.4. Types of Customer Personal Data. The types of Customer Personal Data processed under this DPA include any Customer Personal Data uploaded to the Cloud Services by Customer.
2.2.5. Categories of Data Subjects. The data subjects may include Customer’s customers, employees, suppliers, and end users, or any other individual whose personal data Customer uploads to the Cloud Services.
2.2.6. Processing Operations. The objective of the processing of Customer Personal Data by OpenDataDSL is the provision of Cloud Services to the Customer in accordance with the OpenDataDSL Agreement.
2.3. Compliance with Laws. Each party will comply with all applicable Data Protection Law, including the GDPR, in relation to the processing of Customer Personal Data.
2.4. OpenDataDSL’s Processing. OpenDataDSL will process Customer Personal Data only for the purposes of: (i) provisioning the Cloud Services, (ii) processing initiated by Customer in its use of the Cloud Services, and (iii) processing in accordance with your OpenDataDSL Agreement, this DPA, and your other reasonable documented instructions that are consistent with the terms of your OpenDataDSL Agreement. Any other processing will require prior written agreement between the parties.
2.5. Customer Obligations. Customer acknowledges that it controls the nature and contents of the Customer Personal Data. Customer will ensure that it has obtained all necessary and appropriate consents from and provided notices to data subjects where required by Data Protection Law to enable the lawful transfer of any Customer Personal Data to OpenDataDSL for the duration and purposes of this DPA and the OpenDataDSL Agreement.
3. Security
3.1. Confidentiality of Personnel. OpenDataDSL will ensure that any of our personnel and any subcontractors who have access to Customer Personal Data are under an appropriate obligation of confidentiality.
3.2. Security Measures. We will implement appropriate technical and organizational security measures to ensure a level of security appropriate to the risks that are presented by the processing of Customer Personal Data. The current technical and organizational security measures are described at Technical and Organizational Security Measures (“Technical and Organizational Security Measures”).
3.3. Optional Security Controls. OpenDataDSL makes available a number of security controls, features, and functionalities that Customer may elect to use, as described in the Technical and Organizational Security Measures and our Documentation. Customer is responsible for implementing those measures to ensure a level of security appropriate to the Customer Personal Data.
3.4. Breach Notification. We will notify you without undue delay if we become aware of a personal data breach affecting Customer Personal Data.
4. Subprocessors
4.1. Authorized Subprocessors. You acknowledge and agree that we may retain our affiliates and other third parties to further process Customer Personal Data on your behalf as Subprocessors in connection with the provision of the Cloud Services. We maintain a current list of our Subprocessors at: Cloud Service Subprocessors which we will update at least 30 days before the addition or replacement of any Subprocessor. You may also register to receive email notifications of any change to our list of Subprocessors.
4.2. Subprocessor Obligations. OpenDataDSL will impose on each Subprocessor the same data protection obligations as are imposed on us under this DPA. We will be liable to you for the performance of the Subprocessors' obligations to the extent required by Data Protection Law.
5. Data Subject Requests
5.1. To assist with your obligations to respond to requests from data subjects, the Cloud Services provide Customer with the ability to retrieve, correct, or delete Customer Personal Data. Customer may use these controls to assist it in connection with its obligations under the GDPR, including its obligations related to any request from a data subject to exercise their rights under Data Protection Law (each, a “Data Subject Request”).
5.2. If a data subject contacts OpenDataDSL with a Data Subject Request that identifies Customer, to the extent legally permitted, we will promptly notify Customer. Solely to the extent that Customer is unable to access Customer Personal Data itself, and OpenDataDSL is legally permitted to do so, we will provide commercially reasonable assistance to Customer in responding to the Data Subject Request. To the extent legally permitted, Customer will be responsible for any costs arising from OpenDataDSL’s provision of such assistance, including any fees associated with the provision of additional functionality.
6. Requests for Customer Personal Data
6.1. If we receive a valid and binding legal order (“Request”) from any governmental body (“Requesting Party”) for disclosure of Customer Personal Data, we will use commercially reasonable efforts to redirect the Requesting Party to seek that Customer Personal Data directly from Customer.
6.2. If, despite our efforts, we are compelled to disclose Customer Personal Data to a Requesting Party, we will:
(a) if legally permitted, promptly notify Customer of the Request to allow Customer to seek a protective order or other appropriate remedy. If we are prohibited from notifying Customer, we will use commercially reasonable efforts to obtain a waiver of that prohibition;
(b) challenge any over-broad or inappropriate Request (including Requests that conflict with the law of the European Union); and
(c) disclose only the minimum amount of Customer Personal Data necessary to satisfy the Request.
7. Cooperation
Taking into account the nature of the processing and the information available to us, at your request and cost, OpenDataDSL will provide reasonable assistance to ensure compliance with the obligations under applicable Data Protection Law with respect to implementing appropriate security measures, personal data breach notifications, impact assessments and consultations with supervisory authorities or regulators, in each case solely related to processing of Customer Personal Data by OpenDataDSL.
8. Customer Audit Rights
8.1. Upon Customer’s request, and subject to the confidentiality obligations set forth in your OpenDataDSL Agreement, OpenDataDSL will make available to Customer (or Customer’s independent, third-party auditor) information regarding OpenDataDSL’s compliance with the security obligations set forth in this DPA in the form of third-party certifications and audits.
8.2. If that information is not sufficient to demonstrate our compliance with the security obligations in the DPA, you may contact OpenDataDSL in accordance with the notice provision of your OpenDataDSL Agreement to request an on-site audit of OpenDataDSL’s procedures relevant to the protection of Customer Personal Data, but only to the extent required under applicable Data Protection Law. Customer will reimburse OpenDataDSL for its reasonable costs associated with any such on-site audit. Before the commencement of any such on-site audit, Customer and OpenDataDSL will mutually agree upon the scope, timing, and duration of the audit.
8.3. Customer will promptly notify OpenDataDSL with information regarding any non-compliance discovered during the course of an audit, and OpenDataDSL will use commercially reasonable efforts to address any confirmed non-compliance.
9. Data Transfers
9.1. Data Deployment Locations. Customer Personal Data will only be hosted in Western Europe unless the customer provides their own MongoDB Atlas Cluster. Customer is solely responsible for any transfer of Customer Personal Data caused by Customer’s subsequent designation of other Deployment Regions. When required by Data Protection Law, such transfers by Customer will be governed by the transfer mechanisms described in Section 9.3 below.
9.2. Other Processing Locations. You may choose to use certain optional features of the Cloud Services that require transfers of Customer Personal Data outside of the EEA or the United Kingdom. When required by Data Protection Law, such transfers will be governed by the transfer mechanisms described in Section 9.3 below.
9.3. Transfer Mechanism. Where the transfer of Customer Personal Data is from the EEA or the United Kingdom to a territory which has not been recognized by the European Commission as providing an adequate level of protection for personal data on the basis of Article 45 GDPR (or in the case of transfers from the United Kingdom, by the United Kingdom Government), OpenDataDSL agrees to process that Customer Personal Data in compliance with the Standard Contractual Clauses of the third party.
10. Return or Deletion of Data
Customer may retrieve or delete all Customer Personal Data upon expiration or termination of the OpenDataDSL Agreement. Upon termination of your OpenDataDSL Agreement or upon your request, OpenDataDSL will delete any Customer Personal Data not deleted by Customer, unless we are legally required to store the Customer Personal Data.