
ServiceNow Lightstep Observability Service - Data Processing Addendum



SERVICENOW LIGHTSTEP OBSERVABILITY SERVICE - DATA PROCESSING ADDENDUM

All capitalized terms not defined in this Data Processing Addendum (“Lightstep DPA”) have the meaning given to them in other parts of the Agreement as modified by the Lightstep Addendum (the “Lightstep Agreement”).

1. DEFINITIONS

1.1. “Affiliates” means any person or entity directly or indirectly Controlling, Controlled by or under common Control with a party to the Agreement, where “Control” means the legal power to direct or cause the direction of the general management of the company, partnership or other legal entity.

1.2. “Agreement” means the applicable terms of service, order form, or other legal document that governs the Services or relationship of the Parties.

1.3. “Data Controller” means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of Processing of Personal Data. For the purposes of this DPA, Data Controller is Customer and, where applicable, its Affiliates either permitted by Customer to submit Personal Data to the Service or whose Personal Data is Processed in the Service.

1.4. “Data Processor” means the natural or legal person, public authority, agency, or other body which Processes Personal Data on behalf of the Data Controller. For purposes of this DPA, Data Processor is Lightstep.

1.5. “Data Protection Laws” means all applicable laws and regulations regarding the Processing of Personal Data.

1.6. “Data Subject” means an identified or identifiable natural person.

1.7. “Instructions” means Data Controller’s documented data Processing instructions issued to Data Processor in compliance with this DPA.

1.8. “Lightstep” means Lightstep, Inc., a Delaware corporation and subsidiary of ServiceNow, Inc., located at 101 Green Street, San Francisco, CA 94111.

1.9. “Lightstep Services” means the Software, Updates, Documentation, Implementation Service, technology and/or methodologies (including products, software tools, hardware designs, algorithms, templates, software (in source and object forms), architecture, class libraries, objects, and documentation) created by or for, or licensed to, Lightstep and ordered by Customer as services specified in each applicable Order Form.

1.10. “Lightstep Sub-Processors” means the sub-processors listed in the following list: https://lightstep.com/subprocessors/

1.11. “Personal Data” means any information relating to a Data Subject uploaded by or for Customer or Customer’s agents, employees, or contractors to the Service as Customer Data.

1.12. “Process” or “Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure or destruction.

1.13. “Service” means the Lightstep Services.

1.14. “Sub-Processor” means any legal person or entity engaged in the Processing of Personal Data by Data Processor.

2. SCOPE OF THE PROCESSING

2.1. ROLE OF THE PARTIES. The Parties agree that the status of each party as a ‘controller,’ ‘processor,’ or other categories of defining the Parties’ roles under Data Protection Laws is a question of fact determined under Data Protection Laws.

2.2. LIGHTSTEP AS DATA PROCESSOR. The Parties further agree that, with effect from the Effective Date, the Parties intend that the applicable data protection roles of the Parties are Lightstep acting as Data Processor and Customer acting as Data Controller.

2.3. COMMISSIONED PROCESSOR. Data Controller appoints Data Processor to Process Personal Data on behalf of Data Controller as described in the Agreement and in accordance with the Instructions.

2.4. INSTRUCTIONS. The Agreement constitutes Data Controller’s initial written Instructions to Data Processor for Processing of Personal Data. Data Controller may issue additional or alternate Instructions provided that such Instructions are: (a) consistent with the purpose and the scope of the Agreement; and (b) confirmed in writing by Data Controller. For the avoidance of doubt, Data Controller shall not use additional or alternate Instructions to alter the scope of the Agreement. Data Controller is responsible for ensuring its Instructions to Data Processor comply with Data Protection Laws.

2.5. NATURE, SCOPE AND PURPOSE OF THE PROCESSING. Data Processor shall only Process Personal Data in accordance with Data Controller’s Instructions and to the extent necessary for providing the Service, as described in the Agreement.

2.6. CATEGORIES OF PERSONAL DATA AND CATEGORIES OF DATA SUBJECTS. Data Controller may submit Personal Data to the Service as Customer Data, the extent of which is determined and controlled by Data Controller in its sole discretion and is further described in Appendix 1.

3. DATA CONTROLLER

3.1. COMPLIANCE WITH DATA PROTECTION LAWS. Data Controller shall comply with all of its obligations under Data Protection Laws when Processing Personal Data. Data Controller hereby represents and warrants that it has all necessary rights and a valid legal basis (as defined by applicable Data Protection Laws) to Process Personal Data.

3.1.1. DATA SUBJECT REQUESTS. Data Controller is solely responsible for responding to any Data Subject Requests granted under Data Protection Laws, including rights to access, rectify, restrict Processing, erasure (“right to be forgotten”), data portability, object to the Processing, or not be subject to an automated individual decision making (collectively, “Data Subject Requests”). Data Processor shall reasonably cooperate with the Data Controller to respond to Data Subject Requests to the extent Data Controller is unable to solely fulfill such Data Subject Requests.

3.2. CUSTOMER’S AFFILIATES. The obligations of Data Processor set forth herein will extend to Customer’s Data Controller Affiliates to which Customer provides access to the Service or whose Personal Data is Processed within the Service, subject to the following conditions:

3.2.1. COMPLIANCE. Customer shall at all times be liable for its Affiliates’ compliance with this DPA and all acts and omissions by a Data Controller Affiliate are considered acts and omissions of Customer.

3.2.2. CLAIMS. Customer’s Data Controller Affiliates will not bring a claim directly against Data Processor. In the event a Data Controller Affiliate wishes to assert a valid legal action, suit, claim or proceeding against Data Processor (a “Data Controller Affiliate Claim”): (i) Customer must bring such Data Controller Affiliate Claim directly against Data Processor on behalf of such Data Controller Affiliate, unless Data Protection Laws require that Data Controller Affiliate be party to such Data Controller Affiliate Claim; and (ii) all Data Controller Affiliate Claims will be considered claims made by Customer and are at all times subject to any aggregate limitation of liability set forth in the Agreement.

3.2.3. COMMUNICATION. Unless otherwise provided in this DPA, all requests, notices, cooperation, and communication, including Instructions issued or required under this DPA (collectively, “Communication”), must be in writing and between Data Controller and Data Processor only and Data Controller shall inform the applicable Data Controller Affiliate of any Communication from Data Processor pursuant to this DPA. Data Controller shall be solely responsible for ensuring any Communications (including Instructions) it provides to Data Processor relating to Personal Data for which a Customer Affiliate is Data Controller reflect the relevant Customer Affiliate’s intentions.

3.3. SECURITY RISK ASSESSMENT. Data Controller agrees that in accordance with Data Protection Laws and before submitting any Personal Data to the Service, Data Controller will perform an appropriate risk assessment to determine whether the security measures within the Service provide an adequate level of security, taking into account the nature, scope, context and purposes of the processing, the risks associated with the Personal Data and the applicable Data Protection Laws. Data Processor shall provide Data Controller reasonable assistance by providing Data Controller with information requested by Data Controller to conduct Data Controller’s security risk assessment. Data Controller is solely responsible for determining the adequacy of the security measures within the Service in relation to the Personal Data Processed.

3.4. NOTICE AND CONSENT. Data Controller shall provide adequate notices, and obtain the necessary permissions and consents to provide Customer Data to Data Processor for use and disclosure. If Data Controller records or monitors telephone calls, SMS messages, or other communications using the Service, then Data Controller will: (i) comply with all applicable laws prior to doing so, and (ii) provide all required notices and secure all required prior consents to record or monitor communications using the Service. Data Controller acknowledges that these obligations are essential to Data Processor (and its Sub-Processor’s) ability to provide Data Controller with access to recording and monitoring features that may be part of the Service.

4. DATA PROCESSOR

4.1. DATA CONTROLLER’S INSTRUCTIONS. Data Processor will have no liability for any harm or damages resulting from Data Processor’s compliance with unlawful Instructions received from Data Controller. Where Data Processor believes compliance with Data Controller’s Instructions could result in a violation of Data Protection Laws or is not in the ordinary course of Data Processor’s obligations in operating the Service, Data Processor shall promptly notify Data Controller thereof. Data Controller acknowledges Data Processor is reliant on Data Controller’s representations regarding the extent to which Data Controller is entitled to Process Personal Data.

4.2. DATA PROCESSOR PERSONNEL. Access to Personal Data by Data Processor will be limited to personnel who require such access to perform Data Processor’s obligations under the Agreement and who are bound by obligations to maintain the confidentiality of such Personal Data at least as protective as those set forth herein and in the Agreement.

4.3. DATA SECURITY MEASURES. Data Processor shall use commercially reasonable efforts to maintain the security and integrity of the Service and the Customer Data.

4.4. MONITORING AND SUPPORT. Processor and its Sub-Processors may use Customer Data to detect, prevent, and investigate security incidents, fraud, spam, or unlawful use of the Services by third-parties and support the Services by responding to Customer's technical problems or queries.

4.5. DELETION OF PERSONAL DATA. Upon termination or expiration of the Agreement, Data Processor shall delete Customer Data, including Personal Data contained therein, as described in the Agreement.

4.6. DATA PROCESSOR ASSISTANCE. Data Processor will assist Data Controller in ensuring compliance with Data Controller’s obligations pursuant to Data Protection Laws taking into account the nature of Processing by providing Data Controller with reasonable information requested pursuant to the terms of this DPA, including information required to conduct Data Controller’s data protection impact assessments and prior consultations with supervisory authorities, where required. For clarity, Data Controller is solely responsible for carrying out its obligations under Data Protection Laws and this DPA. Data Processor shall not undertake any task that can be performed by Data Controller.

4.7. DATA PROTECTION CONTACT. Data Processor and its Sub-Processor Affiliates (defined below) will maintain a dedicated data protection team to respond to data protection inquiries throughout the duration of this DPA and can be contacted at privacy@servicenow.com.

4.8. REQUESTS FROM DATA SUBJECTS. Data Processor shall provide Data Controller with the ability to access, correct, rectify, erase, or block Personal Data, or to transfer or port such Personal Data, within the Service, as may be required under Data Protection Laws (collectively, “Data Subject Requests”). Data Processor will instruct the Data Subject to contact the Data Controller in the event Data Processor receives a Data Subject Request directly.

4.9. REQUESTS FROM AUTHORITIES. In the case of a notice, audit, inquiry, or investigation by a government body, data protection authority, or law enforcement agency regarding the Processing of Personal Data, Data Processor shall promptly notify Data Controller unless prohibited by applicable law. Each party shall cooperate with the other party by providing all reasonable information requested in the event the other party is required to produce such information to a data protection authority.

5. BREACH NOTIFICATION

5.1 NOTIFICATION. Data Processor will report to Data Controller any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Data (a “Breach”) without undue delay following determination by Data Processor that a Breach has occurred.

5.2 DATA CONTROLLER OBLIGATIONS. Data Controller will cooperate with Data Processor in maintaining accurate contact information and by providing any information that is reasonably requested to resolve any security incident, including any Breaches, identify its root cause(s) and prevent a recurrence. Data Controller is solely responsible for determining whether to notify the relevant supervisory or regulatory authorities and impacted Data Subjects and for providing such notice.

6. CUSTOMER MONITORING RIGHTS

6.1 CUSTOMER MONITORING RIGHTS IN RESPECT OF THE SERVICES. Upon Data Controller’s request, Data Processor shall, no more than once per calendar year, make available for Data Controller’s review copies of certifications or reports demonstrating Data Processor’s compliance with prevailing data security standards applicable to the Processing of Data Controller’s Personal Data. If Data Controller and Data Processor have entered into Standard Contractual Clauses as described in Section 8 herein below (International Data Transfers), the parties agree that the audits described in the SCCs shall be carried out in accordance with this Section.

7. SUB-PROCESSORS

7.1 USE OF SUB-PROCESSORS. Data Controller authorizes Data Processor to engage Sub-Processors appointed in accordance with this Section 7.

7.1.1. SUB-PROCESSORS. As of the Effective Date, Data Processor engages, as applicable, the Lightstep Sub-Processors, which can be found here: https://lightstep.com/subprocessors/ (collectively, “Sub-Processors”). Data Processor will notify Data Controller of changes regarding such Sub-Processors through the Data Processor Support Portal (or other mechanism used to notify its general/Lightstep customer base). Each Sub-Processor shall comply with the obligations of the Agreement in the Processing of the Personal Data.

7.1.2. NEW SUB-PROCESSORS. Prior to Data Processor engaging a Sub-Processor, Data Processor shall:

(a) notify Data Controller by email to Customer’s designated contact(s) or by notification within the Data Processor Support Portal (or other mechanism used to notify its general/Lightstep customer base); and (b) ensure such Sub-Processor entered into a written agreement with Data Processor (or the relevant Data Processor Affiliate) requiring the Sub-Processor abide by terms no less protective than those provided in this DPA. Upon written request by Data Controller, Data Processor shall make a summary of the data processing terms available to Data Controller. Data Controller may request in writing reasonable additional information with respect to Sub-Processor’s ability to perform the relevant Processing activities in accordance with this DPA.

7.2. RIGHT TO OBJECT. Data Controller may object to Data Processor’s proposed use of a new Sub-Processor by notifying Data Processor within 10 days after receipt of Data Processor’s notice if Data Controller reasonably determines such Sub-Processor is unable to Process Personal Data in accordance with the terms of this DPA (“Objection Notice”). In the event Data Controller submits its Objection Notice, Data Processor shall reasonably consider such objection and will notify Data Controller if it intends to provide the applicable Service with the use of the Sub-Processor at issue (“Processor Notice”). Customer may terminate the applicable license Use Authorization(s) with respect to the Service requiring use of the Sub-Processor at issue upon written notice to Data Processor within 10 days of the date of Processor Notice (“Termination Period”). Data Processor will, as Customer’s sole and exclusive remedy, refund to Customer any unused prepaid fees following the effective date of termination for the terminated services. For clarity, Data Processor will not engage the new Sub-Processor at issue until the expiration of the Termination Period.

7.3. LIABILITY. Use of a Sub-Processor will not relieve, waive, or diminish any obligation of Data Processor under the Agreement, and Data Processor is liable for the acts and omissions of any Sub-Processor to the same extent as if the acts or omissions were performed by Data Processor.

8. INTERNATIONAL DATA TRANSFERS

8.1. INTERPRETATION. In the event of any conflict between the Agreement and this DPA, the following order of precedence shall apply: (i) this DPA and (ii) the Agreement. All capitalized terms used in this Section 8 which are not defined in this DPA have the meaning given to them in the SCCs, with references to “Clause” or “Clauses” in this Section 8 referring to the clause or clauses in the SCCs, and references to “Optional” provisions referring to a clause or clauses in the SCCs that are optional for parties to enter into.

8.2. INCORPORATION OF SCCs. Module Two (Transfer controller to processor) of the standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (the "SCCs"), as annexed to Commission Implementing Decision 2021/914, is hereby incorporated by reference into this DPA, solely in respect of any transfers of Personal Data from the Data Exporter to the Data Importer (each as defined below) taking place pursuant to the Agreement. Notwithstanding the fact that the SCCs are incorporated herein by reference without the signature pages of the SCCs actually being signed by the Data Exporter, the Customer agrees that its execution of the Agreement is deemed to constitute its execution of the SCCs on behalf of the Data Exporter, and that it is duly authorised to execute same on behalf of, and to contractually bind, the Data Exporter accordingly.

8.3. OPTIONAL PROVISIONS. Where the SCCs identify Optional provisions (or provisions with multiple options) the following shall apply:

(a) in Clause 7 (Docking Clause) – the Optional provision shall apply;

(b) in Clause 9(a) (Use of sub-processors) – Option 2 shall apply (and the parties shall follow the process and timings agreed in the DPA to appoint sub-processors);

(c) in Clause 11(a) (Redress) – the Optional provision shall NOT apply;

(d) in Clause 17 (Governing law) – Option 1 shall apply, and Irish law shall govern; and

(e) in Clause 18(b) (Choice of forum and jurisdiction) – the courts of Ireland shall have jurisdiction.

8.4. ANNEXES OF SCCs. In addition, with respect to the Annexes to the SCCs, the following shall apply:

(a) In Annex 1A: the data exporter is the Customer and its Affiliates which are established in the European Economic Area (“EEA”) /exporting data from the EEA (the "Data Exporter") and the data importer is: (i) Lightstep (if the Lightstep entity that executed the Agreement with the Customer is located in a third country that has not been declared adequate by the European Commission), and (ii) each and every Lightstep Sub-Processor that is located in a third country that has not been declared adequate by the European Commission (the "Data Importer"). The full name, address and contact details for the Data Exporter and the Data Importer are set out in the Agreement.

(b) In Annex 1B: The: (i) categories of data subjects whose personal data are transferred, (ii) categories of personal data transferred, (iii) sensitive personal data transferred (if applicable) and their applied restrictions or safeguards, (iv) nature of the processing; (v) purpose(s) of the data transfer and further processing; (vi) period for which personal data will be retained (or, the criteria to determine the retention period); and (vii) (for transfers to Sub-Processor(s)) the subject matter, nature and duration of the processing are those set out in this DPA including Appendix 1 “Details of Processing”, and the Agreement. The frequency of the transfer shall be continuous throughout the duration of the DPA and Agreement.

(c) In Annex 1C: The competent supervisory authority shall be the supervisory authority applicable to the Customer in its EEA country of establishment or, where it is not established in the EEA, in the EEA country where its representative has been appointed pursuant to Article 27(1) of Regulation (EU) 2016/679.

(d) In Annex 2: the security provisions contained in the security related provisions in the DPA and Agreement shall apply.

9.5 SUPPLEMENTARY TERMS TO SCCs

(a) Communication. The Parties agree that all notices, requests, monitoring rights required under the SCCs shall be provided, as applicable, to the Customer and the Lightstep entity that is a party to the Agreement. The Customer shall at all times be responsible for ensuring the Data Exporter’s compliance with the SCCs.

(b) Erasure or return of data. For the purposes of Clause 8.5, Lightstep shall delete or return personal data in accordance with the deletion provisions set out in the Agreement. For the purposes of Clause 16(d), the deletion provisions set out in the Agreement shall also apply.

(c) Documentation and compliance. For the purposes of Clause 8.9, the review and audit provisions in the Agreement/DPA shall apply.

(d) Liability. For the purposes of Clause 12(a), the Parties have agreed that their liability to each other shall be limited in accordance with the limitation of liability provisions in the Agreement.

(e) Enforcement. The Data Exporter(s) may enforce the terms of the SCCs against the Data Importer, provided however, that the Parties agree that any valid legal action, suit, claim or proceedings which must be brought by the Customer on behalf of the relevant Data Exporter, where such Data Exporter would otherwise have the right to bring such claim directly against Lightstep if it were a party to the Agreement (each a “Data Exporter Claim”), unless the applicable Data Protection Laws to which the relevant Data Exporter is subject requires that the Data Exporter itself bring or be a party to such Data Exporter Claim. The SCCs entered into between Data Importer and Data Exporter shall only be enforceable against Lightstep as such SCCs form an integrated part of the Agreement (including the DPA), which together shall form the entire agreement with regard to the Processing of Personal Data of such Data Exporter by Data Importer. Any such Data Exporter Claim shall at all times be subject to any aggregate limitation of liability that applies to the Customer and its Affiliates under the Agreement. The existence of more than one claim shall not enlarge this limit.

(f) Notification. For the purposes of Clause 15.1(a), the Parties agree and acknowledge that it is not possible for the Data Importer to make the appropriate notifications to Data Subjects. Accordingly, the Parties agree that the Customer, as Data Controller, shall (following notification by the Data Importer) be the Party who makes any notification to the Data Subject, and Lightstep shall provide the level of assistance set out in the Agreement.

(g) Alternative data transfer mechanisms. The provisions in this Section 8 shall be without prejudice to the Parties’ ability to rely on any other legally valid international data transfer mechanism for the transfer of data out of the EEA.

APPENDIX 1

DETAILS OF PROCESSING

Data Processor will Process Personal Data for the duration of the Agreement and in accordance with Section 4 (Data Processor) of this DPA.

Data Subjects

Data Controller may submit Personal Data to the Subscription Service, the extent of which is solely determined by Data Controller, and may include Personal Data relating to the following categories of Data Subjects:

· employees and contractors;

· subcontractors and agents; and

· consultants and partners.

Categories of Personal Data

Data Controller may submit Personal Data to the Subscription Service, the extent of which is solely determined by Data Controller, and may include the following categories:

· communication data (e.g. telephone, email); and

· business and personal contact details.

Special Categories of Personal Data

Data Controller may submit Special Categories of Personal Data to the Subscription Service, the extent of which is solely determined by Data Controller in compliance with Data Protection Laws, and may include the following categories, if any:

· N/A.

Processing Operations

The personal data transferred is subject to the following basic processing activities:

All activities necessary for the performance of the Agreement.