Data Processing Addendum



DATA PROCESSING ADDENDUM FOR LIGHTSTEP

All capitalized terms not defined in this Data Processing Addendum ("DPA") have the meaning given to them in other parts of this Agreement.

1. DEFINITIONS

1.1 "Affiliates" means any person or entity directly or indirectly Controlling, Controlled by or under common Control with a party to the Agreement, where "Control" means the legal power to direct or cause the direction of the general management of the company, partnership or other legal entity.

1.2 "Agreement" means the applicable terms of service, order form, or other legal document that governs the Services or relationship of the Parties.

1.3 "Data Controller" means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of Processing of Personal Data. For the purposes of this DPA, Data Controller is Customer and, where applicable, its Affiliates either permitted by Customer to submit Personal Data to the Service or whose Personal Data is Processed in the Service.

1.4 "Data Processor" means the natural or legal person, public authority, agency, or other body which Processes Personal Data on behalf of the Data Controller. For purposes of this DPA, Data Processor is Lightstep.

1.5 "Data Protection Laws" means all applicable laws and regulations regarding the Processing of Personal Data.

1.6 "Data Subject" means an identified or identifiable natural person.

1.7 "Instructions" means Data Controller's documented data Processing instructions issued to Data Processor in compliance with this DPA.

1.8 "Lightstep" means LightStep, Inc., a Delaware corporation and subsidiary of ServiceNow, Inc., located at 101 Green Street, San Francisco, CA 94111

1.9 "Lightstep Services" means the Software, Updates, Documentation, Implementation Service, technology and/or methodologies (including products, software tools, hardware designs, algorithms, templates, software (in source and object forms), architecture, class libraries, objects, and documentation) created by or for, or licensed to, Lightstep and ordered by Customer as services specified in each the applicable Order Form.

1.10 "Lightstep Sub-Processors" means the sub-processors listed in the following list: https://lightstep.com/subprocessors/

1.11 "Personal Data" means any information relating to a Data Subject uploaded by or for Customer or Customer's agents, employees, or contractors to the Service as Customer Data.

1.12 "Process" or "Processing" means any operation or set of operations which is performed upon Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure or destruction.

1.13 "Service" means the Lightstep Services.

1.14 "Sub-Processor" means any legal person or entity engaged in the Processing of Personal Data by Data Processor.

2. SCOPE OF THE PROCESSING

2.1 ROLE OF THE PARTIES. The Parties agree that the status of each party as a 'controller,' 'processor,' or other categories of defining the Parties' roles under Data Protection Laws is a question of fact determined under Data Protection Laws.

2.2 LIGHTSTEP AS DATA PROCESSOR. The Parties further agree that, with effect from the Effective Date, the Parties intend that the applicable data protection roles of the Parties are Lightstep acting as Data Processor and Customer acting as Data Controller.

2.3 COMMISSIONED PROCESSOR. Data Controller appoints Data Processor to Process Personal Data on behalf of Data Controller as described in the Agreement and in accordance with the Instructions.

2.4 INSTRUCTIONS. The Agreement constitutes Data Controller's initial written Instructions to Data Processor for Processing of Personal Data. Data Controller may issue additional or alternate Instructions provided that such Instructions are: (a) consistent with the purpose and the scope of the Agreement; and (b) confirmed in writing by Data Controller. For the avoidance of doubt, Data Controller shall not use additional or alternate Instructions to alter the scope of the Agreement. Data Controller is responsible for ensuring its Instructions to Data Processor comply with Data Protection Laws.

2.5 NATURE, SCOPE AND PURPOSE OF THE PROCESSING. Data Processor shall only Process Personal Data in accordance with Data Controller's Instructions and to the extent necessary for providing the Service, as described in the Agreement.

2.6 CATEGORIES OF PERSONAL DATA AND CATEGORIES OF DATA SUBJECTS. Data Controller may submit Personal Data to the Service as Customer Data, the extent of which is determined and controlled by Data Controller in its sole discretion and is further described in Appendix 1.

3. DATA CONTROLLER

3.1 COMPLIANCE WITH DATA PROTECTION LAWS. Data Controller shall comply with all of its obligations under Data Protection Laws when Processing Personal Data.

3.1.1 SPECIFIC PURPOSE. Data Controller shall not sell, retain, use, or disclose Personal Data for any purpose other than the specific purposes of performing the Service, as provided in the Agreement, and to comply with applicable Data Protection Law;

3.1.2 DATA SUBJECT REQUESTS. Data Controller is solely responsible for responding to any Data Subject Requests granted under Data Protection Laws, including rights to access, rectify, restrict Processing, erasure ("right to be forgotten"), data portability, object to the Processing, or not be subject to an automated individual decision making (collectively, "Data Subjects Requests"). Data Processor shall reasonably cooperate with the Data Controller to respond to Data Subject Requests to the extent Data Controller is unable to solely fulfill such Data Subject Requests;

3.1.3 LEGAL BASIS. Data Controller hereby represents and warrants that it has all necessary rights and a valid legal basis (as defined by applicable Data Protection Laws) to Process Personal Data.

3.2 CUSTOMER'S AFFILIATES. The obligations of Data Processor set forth herein will extend to Customer's Data Controller Affiliates to which Customer provides access to the Service or whose Personal Data is Processed within the Service, subject to the following conditions:

3.2.1 COMPLIANCE. Customer shall at all times be liable for its Affiliates' compliance with this DPA and all acts and omissions by a Data Controller Affiliate are considered acts and omissions of Customer.

3.2.2 CLAIMS. Customer's Data Controller Affiliates will not bring a claim directly against Data Processor. In the event a Data Controller Affiliate wishes to assert a valid legal action, suit, claim or proceeding against Data Processor (a "Data Controller Affiliate Claim"): (i) Customer must bring such Data Controller Affiliate Claim directly against Data Processor on behalf of such Data Controller Affiliate, unless Data Protection Laws require that Data Controller Affiliate be party to such Data Controller Affiliate Claim; and (ii) all Data Controller Affiliate Claims will be considered claims made by Customer and are at all times subject to any aggregate limitation of liability set forth in the Agreement.

3.2.3 COMMUNICATION. Unless otherwise provided in this DPA, all requests, notices, cooperation, and communication, including Instructions issued or required under this DPA (collectively, "Communication"), must be in writing and between Data Controller and Data Processor only and Data Controller shall inform the applicable Data Controller Affiliate of any Communication from Data Processor pursuant to this DPA. Data Controller shall be solely responsible for ensuring any Communications (including Instructions) it provides to Data Processor relating to Personal Data for which a Customer Affiliate is Data Controller reflect the relevant Customer Affiliate's intentions.

3.3 SECURITY RISK ASSESSMENT. Data Controller agrees that in accordance with Data Protection Laws and before submitting any Personal Data to the Service, Data Controller will perform an appropriate risk assessment to determine whether the security measures within the Service provide an adequate level of security, taking into account the nature, scope, context and purposes of the processing, the risks associated with the Personal Data and the applicable Data Protection Laws. Data Processor shall provide Data Controller reasonable assistance by providing Data Controller with information requested by Data Controller to conduct Data Controller's security risk assessment. Data Controller is solely responsible for determining the adequacy of the security measures within the Service in relation to the Personal Data Processed.

3.4 NOTICE AND CONSENT. Data Controller shall provide adequate notices, and obtain the necessary permissions and consents to provide Customer Data to Data Processor for use and disclosure. If Data Controller records or monitors telephone calls, SMS messages, or other communications using the Service, then Data Controller will: (i) comply with all applicable laws prior to doing so, and (ii) provide all required notices and secure all required prior consents to record or monitor communications using the Service. Data Controller acknowledges that these obligations are essential to Data Processor (and its Sub-Processor's) ability to provide Data Controller with access to recording and monitoring features that are may be part of the Service.

4. DATA PROCESSOR

4.1 DATA CONTROLLER'S INSTRUCTIONS. Data Processor will have no liability for any harm or damages resulting from Data Processor's compliance with unlawful Instructions received from Data Controller. Where Data Processor believes compliance with Data Controller's Instructions could result in a violation of Data Protection Laws or is not in the ordinary course of Data Processor's obligations in operating the Service, Data Processor shall promptly notify Data Controller thereof. Data Controller acknowledges Data Processor is reliant on Data Controller's representations regarding the extent to which Data Controller is entitled to Process Personal Data.

4.2 DATA PROCESSOR PERSONNEL. Access to Personal Data by Data Processor will be limited to personnel who require such access to perform Data Processor's obligations under the Agreement and who are bound by obligations to maintain the confidentiality of such Personal Data at least as protective as those set forth herein and in the Agreement.

4.3 DATA SECURITY MEASURES. Data Processor shall use commercially reasonable efforts to maintain the security and integrity of the Service and the Customer Data.

4.4 MONITORING AND SUPPORT. Processor and its Sub-Processors may use Customer Data to detect, prevent, and investigate security incidents, fraud, spam, or unlawful use of the Services by third-parties and support the Services by responding to Customer's technical problems or queries.

4.5 DELETION OF PERSONAL DATA. Upon termination or expiration of the Agreement, Data Processor shall delete Customer Data, including Personal Data contained therein, as described in the Agreement.

4.6 DATA PROCESSOR ASSISTANCE. Data Processor will assist Data Controller in ensuring compliance with Data Controller's obligations pursuant to Data Protection Laws taking into account the nature of Processing by providing Data Controller with reasonable information requested pursuant to the terms of this DPA, including information required to conduct Data Controller's data protection impact assessments and prior consultations with supervisory authorities, where required. For clarity, Data Controller is solely responsible for carrying out its obligations under Data Protection Laws and this DPA. Data Processor shall not undertake any task that can be performed by Data Controller.

4.7 DATA PROTECTION CONTACT. Data Processor and its Sub-Processor Affiliates (defined below) will maintain a dedicated data protection team to respond to data protection inquiries throughout the duration of this DPA and can be contacted at privacy@servicenow.com.

4.8 REQUESTS FROM DATA SUBJECTS. Data Processor shall provide Data Controller with the ability to access, correct, rectify, erase, or block Personal Data, or to transfer or port such Personal Data, within the Service, as may be required under Data Protection Laws (collectively, "Data Subject Requests"). Data Processor will instruct the Data Subject to contact the Data Controller in the event Data Processor receives a Data Subject Request directly.

4.9 REQUESTS FROM AUTHORITIES. In the case of a notice, audit, inquiry, or investigation by a government body, data protection authority, or law enforcement agency regarding the Processing of Personal Data, Data Processor shall promptly notify Data Controller unless prohibited by applicable law. Each party shall cooperate with the other party by providing all reasonable information requested in the event the other party is required to produce such information to a data protection authority.

5. BREACH NOTIFICATION

5.1 NOTIFICATION. Data Processor will report to Data Controller any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Data (a "Breach") without undue delay following determination by Data Processor that a Breach has occurred.

5.2 DATA CONTROLLER OBLIGATIONS. Data Controller will cooperate with Data Processor in maintaining accurate contact information and by providing any information that is reasonably requested to resolve any security incident, including any Breaches, identify its root cause(s) and prevent a recurrence. Data Controller is solely responsible for determining whether to notify the relevant supervisory or regulatory authorities and impacted Data Subjects and for providing such notice.

6. CUSTOMER MONITORING RIGHTS

6.1 CUSTOMER MONITORING RIGHTS IN RESPECT OF THE SERVICES. Upon Data Controller's request, Data Processor shall, no more than once per calendar year, make available for Data Controller's review copies of certifications or reports demonstrating Data Processor's compliance with prevailing data security standards applicable to the Processing of Data Controller's Personal Data. If Data Controller and Data Processor have entered into Standard Contractual Clauses as described in Section 8 herein below (International Data Transfers), the parties agree that the audits described in the SCCs shall be carried out in accordance with this Section.

7. SUB-PROCESSORS

7.1 USE OF SUB-PROCESSORS. Data Controller authorizes Data Processor to engage Sub-Processors appointed in accordance with this Section 7.

7.1.1. SUB-PROCESSORS. As of the Effective Date, Data Processor engages, as applicable, the Lightstep Sub-Processors can be found here: https://lightstep.com/subprocessors/ (collectively, "Sub-Processors"). Data Processor will notify Data Controller of changes regarding such Sub-Processors through the Data Processor Support Portal (or other mechanism used to notify its general/Lightstep customer base). Each Sub-Processor shall comply with the obligations of the Agreement in the Processing of the Personal Data.

7.1.2. NEW SUB-PROCESSORS. Prior to Data Processor engaging a Sub-Processor, Data Processor shall: (a) notify Data Controller by email to Customer's designated contact(s) or by notification within the Data Processor Support Portal (or other mechanism used to notify its general/Lightstep customer base); and (b) ensure such Sub-Processor entered into a written agreement with Data Processor (or the relevant Data Processor Affiliate) requiring the Sub-Processor abide by terms no less protective than those provided in this DPA. Upon written request by Data Controller, Data Processor shall make a summary of the data processing terms available to Data Controller. Data Controller may request in writing reasonable additional information with respect to Sub-Processor's ability to perform the relevant Processing activities in accordance with this DPA.

7.2. RIGHT TO OBJECT. Data Controller may object to Data Processor's proposed use of a new Sub-Processor by notifying Data Processor within 10 days after receipt of Data Processor's notice if Data Controller reasonably determines such Sub-Processor is unable to Process Personal Data in accordance with the terms of this DPA ("Objection Notice"). In the event Data Controller submits its Objection Notice, Data Processor shall reasonably consider such objection and will notify Data Controller if it intends to provide the applicable Service with the use of the Sub-Processor at issue ("Processor Notice"). Customer may terminate the applicable license Use Authorization(s) with respect to the Service requiring use of the Sub-Processor at issue upon written notice to Data Processor within 10 days of the date of Processor Notice ("Termination Period"). Data Processor will, as Customer's sole and exclusive remedy, refund to Customer any unused prepaid fees following the effective date of termination for the terminated services. For clarity, Data Processor will not engage the new Sub-Processor at issue until the expiration of the Termination Period.

7.3. LIABILITY. Use of a Sub-Processor will not relieve, waive, or diminish any obligation of Data Processor under the Agreement, and Data Processor is liable for the acts and omissions of any Sub-Processor to the same extent as if the acts or omissions were performed by Data Processor.

8. INTERNATIONAL DATA TRANSFERS

8.1. STANDARD CONTRACTUAL CLAUSES AND ADEQUACY. Where required under Data Protection Laws, Data Processor or Data Processor's Affiliates shall require Sub-Processors to abide by (a) the Standard Contractual Clauses ("SCCs") for Data Processors established in third countries; or (b) another lawful mechanism for the transfer of Personal Data as approved by the European Commission.

APPENDIX 1

DETAILS OF PROCESSING Data Processor will Process Personal Data for the duration of the Agreement and in accordance with Section 4 (Data Processor) of this DPA.

Data Subjects Data Controller may submit Personal Data to the Subscription Service, the extent of which is solely determined by Data Controller, and may include Personal Data relating to the following categories of Data Subjects:

  • employees and contractors;
  • subcontractors and agents; and
  • consultants and partners.

Categories of Personal Data Data Controller may submit Personal Data to the Subscription Service, the extent of which is solely determined by Data Controller, and may include the following categories:

  • communication data (e.g. telephone, email); and
  • business and personal contact details;

Special Categories of Personal Data Data Controller may submit Special Categories of Personal Data to the Subscription Service, the extent of which is solely determined by Data Controller in compliance with Data Protection Laws, and may include the following categories, if any:

  • N/A.

Processing Operations The personal data transferred is subject to the following basic processing activities: All activities necessary for the performance of the Agreement.