Last updated: March 6th, 2024
This Data Processing Agreement (“DPA”) supplements the Agreement (and related statements of work, attachments, schedules, exhibits and the like) between Lightbend, Inc. (“Supplier” or “Lightbend”) and “Customer” for the purchase of Services and / or Software from Lightbend, to the extent Lightbend Processes Personal Data on behalf of Customer and/or Customer Controllers, as applicable.
The parties acknowledge and agree that (i) when Customer is acting as a Data Controller, Lightbend will be a Data Processor acting on behalf of Customer, and (ii) when Customer is acting as a Data Processor on behalf of Controller Customers, Lightbend will be acting as Customer’s Sub-Processor.
This DPA applies to all activities related to the Agreement and in which employees of Lightbend or Data Sub-Processors commissioned by Lightbend Process Personal Data on behalf of Customer and/or Customer Controllers, as applicable. It contains, in conjunction with the Agreement, the documented instructions for the Processing of Personal Data, as well as the subject-matter, duration, nature, purpose of the Processing, and shall govern the rights and obligations of the parties in connection with the Processing of Personal Data.
Articles of this DPA also apply to the Processing of Non-Personal Data, as noted.
Definitions
For the purpose of this DPA (i) “Personal Data” means any information relating to an identified or identifiable natural person (“Data Subject”) or household; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person; (ii) “Processing”, “Process”, “Processed” means any operation or set of operations which is performed on Personal Data and/or Non-Personal Data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction; (iii) “Data Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data; (iv) “Data Processor” means a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of and per the instructions of a Data Controller; (v) “Data Sub-Processor” means a third party engaged by Lightbend (including without limitation an Affiliate and/or a third party sub-contractor of Lightbend) in connection with the Processing of Personal Data; (vi) “Non-Personal Data” means data other than Personal Data that is subject to confidentiality obligations under the Agreement; (vii) “Affiliate” means, with respect to any party, any entity that is under common control of, controls, or is controlled by that party; (viii) “Sell” means any sharing or disclosure of Personal Data to a third party in exchange for monetary or other valuable consideration; (ix) “Security Breach” means any actual or alleged data security breach or incident, in particular in each case of destruction, loss, alteration, unauthorized or accidental disclosure of or access to any Personal Data and/or Non-Personal Data or other breach of this DPA by Lightbend or any of its staff, Data Sub-Processors or any other identified or unidentified third party; (x) “Customer Controllers” means customers of Customer, to the extent that such customers are deemed to be Data Controllers of the Personal Data processed by Lightbend; (xi) “Model Clauses” mean appropriate Standard Contractual Clauses specified in Section 6.2.
Capitalized terms used in this DPA that are not defined in Section 1.1 or elsewhere in this DPA, shall have the meaning set out in the Agreement.
Processing of Personal Data
Any Processing of Personal Data by Lightbend under this DPA shall occur only:
on behalf of Customer (including when Processing is initiated by Customer Controllers); and
in accordance with the Agreement and applicable data protection law; and
for the purpose of fulfillment of Customer’s instructions in connection with the provision of Services and/or Products under the Agreement.
Without limiting the generality of Sub-Sections 2.1.1 to 2.1.3, Lightbend agrees that it shall not: (i) Sell any Personal Data; (ii) retain, use, or disclose the Personal Data for any purpose other than as necessary to provide the Services and/or Products set forth in the Agreement, including retaining, using, or disclosing the Personal Data for a commercial purpose other than as necessary to provide the Services and/or Products set forth in the Agreement; (iii) retain, use, or disclose the Personal Data outside of the direct business relationship between Customer and Lightbend; (iv) combine Personal Data received from Customer or collected on behalf of Customer with any other Personal Data, unless instructed so by Customer.
This DPA and the Agreement are Customer’s complete instructions at the time of signature of this DPA to Lightbend for the Processing of Personal Data. However, such instructions may be amended, supplemented or replaced by Customer in documented form at any time (new instruction) by providing written notification to Lightbend, including when such new instructions are necessary to ensure Lightbend only Processes Personal Data in a manner consistent with Customer’s obligations under the applicable data protection laws and regulations. If such new instructions from the Customer exceed the scope of the Agreement, they shall be considered as a request to amend the Agreement. If, for any reason, Lightbend is unable to comply with an agreed instruction, Lightbend will inform Customer of this fact without undue delay. Customer may then suspend the transfer of Personal Data to Lightbend, restrict the access to it, and / or request all Personal Data to be returned to Customer.
Customer is responsible as Data Controller/Data Processor (as applicable) for compliance with the applicable data protection laws and regulations, unless the applicable laws and regulations specifically impose an obligation on Lightbend (acting as Data Processor/Data Sub-Processor, as applicable), in which case Lightbend shall comply with such applicable data protection laws and regulations. Customer represents and warrants that it has obtained all rights necessary to make the Personal Data available to Lightbend.
Lightbend will Process Personal Data for the duration of the order and/or statement of work, as applicable, made pursuant to the Agreement, unless otherwise agreed upon in writing or required by applicable law.
The subject-matter, nature and purpose of the Processing of Personal Data on behalf of Customer and/or Customer Controllers within the scope of this DPA result from the Agreement and may be further specified in the Agreement and/or applicable Annex (if any) to this DPA.
The categories of Data Subjects affected by the Processing of Personal Data on behalf of Customer and/or Customer Controllers within the scope of this DPA result from the Agreement and may include (but is not limited to) employees, agents, advisors, freelancers and business partners of Customer (who are natural persons), natural persons (employees, customers, etc.) of Customer Controllers, etc. Categories of Data Subjects may be further specified in the Agreement and/or applicable Annex (if any) to this DPA.
The categories and types of Personal Data affected by the Processing of Personal Data on behalf of Customer and/or Customer Controllers within the scope of this DPA result from the Agreement and, in particular, from Customer’s and/or its Customer Controllers’ individual usage of (and input into) the Services / Products / or other technology solutions provided by Lightbend and may include (but is not limited to) name (first name, last name), contact information (company, title / position, email address, phone number, physical address), connection data (IP address), video / call (recordings) data, and metadata derived thereof, etc. Categories and types of Personal Data may be further specified in the Agreement and/or applicable Annex (if any) to this DPA.
Lightbend personnel
Lightbend shall:
ensure all employees involved in Processing of Personal Data and/or Non-Personal Data on behalf of Lightbend have committed themselves to confidentiality in writing, are prohibited from Processing Personal Data and/or Non-Personal Data without authorization, and have received appropriate training on their responsibilities;
ensure the access to Personal Data and/or Non-Personal Data is limited to the personnel necessary to execute Lightbend’s obligations under the Agreement;
monitor the fulfillment of its obligations as per Sub-Sections 3.1.1 and 3.1.2 regularly and demonstrate its compliance to Customer in writing within twenty (20) days of request;
appoint a country / global data protection officer, to the extent required by the applicable law, and provide his / her contact details on request to Customer in writing.
Security of Processing
Lightbend has implemented and shall maintain appropriate technical and organizational measures for the Processing of Personal Data and/or Non-Personal Data on behalf of Customer. Lightbend shall ensure a level of security appropriate to the risks that are presented by the Processing, taking into account the risk of varying likelihood and severity for the rights and freedoms of natural persons. Lightbend shall regularly test, assess and evaluate the effectiveness of such technical and organizational measures for ensuring the security of the Processing. Customer may request details of our specific Policies.
Data Sub-Processors
Customer hereby declares its general consent to the usage of Supplier’s respective Affiliates as Data Sub-Processors. Lightbend shall, upon request, provide Customer with a list of its Affiliates used as Data Sub-Processors and shall notify Customer in writing in advance in case of any changes.
Supplier shall be liable for the acts and omissions of its Data Sub-Processors to the same extent Supplier would be liable if performing the services of each Data Sub-Processor directly under the terms of this DPA.
International Transfers of Personal Data
Supplier shall comply with all applicable data privacy laws regarding the international transfers of Personal Data.
Requests from Data Subjects
Supplier shall, in accordance with applicable laws, promptly notify Customer if Supplier receives a request from a Data Subject to exercise his rights (such as: right of access, right to rectification, restriction of Processing, erasure (“right to be forgotten”), data portability, object to Processing, right not to be subject to an automated individual decision making, etc.) connected to the Processing under the Agreement and this DPA. Supplier shall cooperate and assist Customer in ensuring compliance with Customer’s obligations to respond to such requests. Note that in the event that Customer stores data on the Supplier’s system in an encrypted format, Supplier cannot comply with such a request and will refer it to Customer.
Notification and incidents
Supplier shall:
Notify Customer of any Security Breach within 24 hours of becoming aware of such a breach;
Promptly provide Customer with full cooperation and assistance in respect of any Security Breach and all information in Supplier's possession concerning the Security Breach, including, but not limited to, the following: (i) the possible cause and consequences of the breach; (ii) the categories of Personal Data and/or Non-Personal Data involved; (iii) a summary of the possible consequences for the relevant Data Subjects; (iv) a summary of the unauthorized recipients of Personal Data and/or Non-Personal Data; and (v) the measures taken by Supplier to mitigate any related risk and / or loss or damage (or potential loss or damage);
Take all appropriate corrective actions, including as may be instructed by Customer and applicable privacy laws and regulations, to remedy or mitigate any Security Breach.
In case of reporting and notification obligations of Customer to competent data protection supervisory authorities and / or affected Data Subjects resulting from a Security Breach in connection with the Personal Data being Processed by Supplier, the Supplier shall, upon request, provide support to Customer to comply with these obligations, taking into account the nature of the Processing and the information available to Supplier. The same applies in the event of any reporting or consultation obligations of Customer to the competent data protection supervisory authorities in connection with an intended Personal Data Processing, which bears an increased risk for the rights and freedoms of concerned Data Subjects.
Supplier shall inform Customer about audits or similar measures of a competent supervisory authority, if Personal Data in connection with this DPA is affected. This also applies if a competent data protection authority commences investigations at Supplier due to a breach of data protection regulations in connection with this DPA.
Assistance
Upon written request of Customer, Supplier shall assist Customer in ensuring compliance with obligations that derive from relevant privacy laws and are applicable to Customer (and/or its Customer Controllers) with regards to implementing appropriate technical and organizational measures to ensure an appropriate level of security, conducting assessments of the impact of the envisaged Processing operations on the protection of Personal Data (e.g., Data Protection Impact Assessments), consultation procedures with supervisory authorities (e.g., Prior Consultation), etc., taking into account the nature and risk of the Processing and the information available to Supplier.
Return and deletion of Personal Data
Personal Data (including any copy of it) shall not be kept longer than is required for the Processing purposes, unless (i) a longer retention period is required by applicable law or (ii) Customer instructs Supplier in writing to (a) keep certain Personal Data longer or (b) return certain Personal Data earlier.
The return of any data storage medium provided by Customer to Supplier shall be conducted without undue delay (i) if requested in writing by Customer within ten (10) days after termination or expiration of the Processing activity or (ii) earlier as instructed in writing by Customer.
Miscellaneous
Without prejudice to any other obligations under this DPA or the Agreement, Supplier will provide all Personal Data and/or Non-Personal Data Processing activities (i) with reasonable care and skill, and (ii) in accordance with good industry practice and applicable privacy laws and regulations.
Lightbend shall notify Customer if it determines it can no longer meet its obligations towards Customer under the applicable laws.
The term of this DPA corresponds to the term of the Agreement. The clauses of this DPA and obligations which by their nature are intended to survive termination or expiration of this DPA will continue and survive any termination or expiration of this DPA.
Notwithstanding anything to the contrary in the Agreement, in the event of a conflict between the terms of this DPA and the terms of the Agreement, the terms of this DPA shall prevail. In case of a conflict between (i) the Model Clauses and (ii) this DPA or the Agreement, the Model Clauses shall prevail.