Lightstep Incident Response Data Processing Addendum

All capitalized terms not defined in this Lightstep Incident Response Data Processing Addendum (“DPA”) have the meaning given to them in other parts of the Lightstep Incident Response Terms of Service (“Terms”).

  1. DEFINITIONS

    1. “Data Controller” means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of Processing of Personal Data. For purposes of this DPA, Data Controller is Customer and, where applicable, its Affiliates either permitted by Customer to submit Personal Data to the Service or whose Personal Data is Processed in the Service.

    2. “Data Processor” means the natural or legal person, public authority, agency, or other body which Processes Personal Data on behalf of the Data Controller. For purposes of this DPA, Data Processor is the ServiceNow entity that is a party to the Terms (also, elsewhere in the DPA, “Company”).

    3. “Data Protection Laws” means all applicable laws and regulations regarding the Processing of Personal Data.

    4. “Data Subject” means an identified or identifiable natural person.

    5. “Instructions” means Data Controller’s documented data Processing instructions issued to Data Processor in compliance with this DPA.

    6. “Personal Data” means any information relating to a Data Subject uploaded by or for Customer or Customer’s agents, employees, or contractors to the Service as Customer Data.

    7. “Process” or “Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure or destruction.

    8. “Service” means the Lightstep Incident Response product accessed by Customer pursuant to the Terms.

    9. “Sub-Processor” means any legal person or entity engaged in the Processing of Personal Data by Data Processor. For the avoidance of doubt, ServiceNow’s colocation datacenter facilities are not Sub-Processors under this DPA.

  2. DATA PROCESSOR

    1. DATA CONTROLLER’S INSTRUCTIONS. Data Processor will have no liability for any harm or damages resulting from Data Processor’s compliance with unlawful Instructions received from Data Controller. Where Data Processor believes compliance with Data Controller’s Instructions could result in a violation of Data Protection Laws or is not in the ordinary course of Data Processor’s obligations in operating the Service, Data Processor shall promptly notify Data Controller thereof. Data Controller acknowledges Data Processor is reliant on Data Controller’s representations regarding the extent to which Data Controller is entitled to Process Personal Data.

    2. DATA PROCESSOR PERSONNEL. Access to Personal Data by Data Processor will be limited to personnel who require such access to perform Data Processor’s obligations under the Terms and who are bound by obligations to maintain the confidentiality of such Personal Data at least as protective as those set forth herein and in the Terms.

    3. DATA SECURITY MEASURES. Without prejudice to Data Controller’s security risk assessment obligations under Section 3.3 (Security Risk Assessment) above, Data Processor shall maintain reasonable technical and organizational safeguards to protect the security, confidentiality, and integrity of Customer Data, including any Personal Data contained therein.

    4. MONITORING AND SUPPORT. Data Processor and its Sub-Processors may use Customer Data to detect, prevent, and investigate security incidents, fraud, spam, or unlawful use of the Services by third parties and to support the Services by responding to Customer’s technical problems or queries.

    5. DATA PROCESSOR ASSISTANCE. Data Processor will assist Data Controller in ensuring compliance with Data Controller’s obligations pursuant to Data Protection Laws taking into account the nature of Processing by providing Data Controller with reasonable information requested pursuant to the terms of this DPA, including information required to conduct Data Controller’s data protection impact assessments and prior consultations with supervisory authorities, where required. For clarity, Data Controller is solely responsible for carrying out its obligations under Data Protection Laws and this DPA. Data Processor shall not undertake any task that can be performed by Data Controller.

    6. DATA PROTECTION CONTACT. ServiceNow and its Sub-Processor Affiliates (defined below) will maintain a dedicated data protection team to respond to data protection inquiries throughout the duration of this DPA and can be contacted at privacy@servicenow.com.

  3. DATA CONTROLLER

    1. COMPLIANCE WITH DATA PROTECTION LAWS. Data Controller shall comply with all of its obligations under Data Protection Laws when Processing Personal Data. Data Controller represents and warrants that it has all necessary rights and a valid legal basis (as defined by applicable Data Protection Laws) to Process Personal Data.

    2. CUSTOMER’S AFFILIATES. If Customer has entered into the Terms on behalf of Customer’s Affiliates, the obligations of Data Processor set forth herein will extend to Customer’s Data Controller Affiliates to which Customer provides access to the Service or whose Personal Data is Processed within the Service, subject to the following conditions:

      1. COMPLIANCE. Customer shall at all times be liable for its Affiliates’ compliance with this DPA and all acts and omissions by a Data Controller Affiliate are considered acts and omissions of Customer.

      2. CLAIMS. Customer’s Data Controller Affiliates will not bring a claim directly against Data Processor. In the event a Data Controller Affiliate wishes to assert a valid legal action, suit, claim or proceeding against Data Processor (a “Data Controller Affiliate Claim”): (i) Customer must bring such Data Controller Affiliate Claim directly against Data Processor on behalf of such Data Controller Affiliate, unless Data Protection Laws require that Data Controller Affiliate be party to such Data Controller Affiliate Claim; and (ii) all Data Controller Affiliate Claims will be considered claims made by Customer and are at all times subject to any aggregate limitation of liability set forth in the Terms.

    3. SECURITY RISK ASSESSMENT. Data Controller agrees that in accordance with Data Protection Laws, it will perform a reasonable risk assessment to determine whether the security measures within the Service provide a reasonable level of security, taking into account the nature, scope, context and purposes of the processing, the risks associated with the Personal Data and the applicable Data Protection Laws. Data Processor shall provide Data Controller reasonable assistance by providing Data Controller with information requested by Data Controller to conduct Data Controller’s security risk assessment.

      1. COMMUNICATION. Unless otherwise provided in this DPA, all requests, notices, cooperation, and communication, including Instructions issued or required under this DPA (collectively, “Communication”), must be in writing and between Customer and Company only, and Customer shall inform the applicable Data Controller Affiliate of any Communication from Company pursuant to this DPA. Customer shall be solely responsible for ensuring any Communications (including Instructions) it provides to Company relating to Personal Data for which a Customer Affiliate is Data Controller reflect the relevant Customer Affiliate’s intentions.

    4. NOTICE AND CONSENT. Data Controller shall provide adequate notices and obtain the necessary permissions and consents to provide any Personal Data to Data Processor for use and disclosure. If Data Controller records or monitors telephone calls, SMS messages, or other communications using the Service, then Data Controller will: (i) comply with all applicable laws, including Data Protection Laws, prior to doing so, and (ii) provide all required notices and secure all required prior consents to record or monitor communications using the Service. Subject to the Terms, Data Controller acknowledges that these obligations are essential to Data Processor’s (and its Sub-Processors’) ability to provide Data Controller with access to recording and monitoring features that may be part of the Service.

  4. DATA PROCESSOR

    1. DATA CONTROLLER’S INSTRUCTIONS. Data Processor will have no liability for any harm or damages resulting from Data Processor’s compliance with unlawful Instructions received from Data Controller. Where Data Processor believes compliance with Data Controller’s Instructions could result in a violation of Data Protection Laws or is not in the ordinary course of Data Processor’s obligations in operating the Service, Data Processor shall promptly notify Data Controller thereof. Data Controller acknowledges Data Processor is reliant on Data Controller’s representations regarding the extent to which Data Controller is entitled to Process Personal Data.

    2. DATA PROCESSOR PERSONNEL. Access to Personal Data by Data Processor will be limited to personnel who require such access to perform Data Processor’s obligations under the Agreement and who are bound by obligations to maintain the confidentiality of such Personal Data at least as protective as those set forth herein and in the Agreement.

    3. DATA SECURITY MEASURES. Without prejudice to Data Controller’s security risk assessment obligations under Section 3.3 (Security Risk Assessment) above, Data Processor shall maintain reasonable technical and organizational safeguards to protect the security, confidentiality, and integrity of Customer Data, including any Personal Data contained therein, as described in the Agreement.

    4. MONITORING AND SUPPORT. Data Processor and its Sub-Processors may use Customer Data to detect, prevent, and investigate security incidents, fraud, spam, or unlawful use of the Services by third parties and to support the Services by responding to Customer’s technical problems or queries.

    5. TERMINATION OF ACCESS. Upon termination or expiration of the Agreement, Data Processor shall use reasonable measures to remove access to Customer Data, including Personal Data contained therein, as described in the Agreement.

    6. DATA PROCESSOR ASSISTANCE. Data Processor will assist Data Controller in ensuring compliance with Data Controller’s obligations pursuant to Data Protection Laws taking into account the nature of Processing by providing Data Controller with reasonable information requested pursuant to the terms of this DPA, including information required to conduct Data Controller’s data protection impact assessments and prior consultations with supervisory authorities, where required. For clarity, Data Controller is solely responsible for carrying out its obligations under Data Protection Laws and this DPA. Data Processor shall not undertake any task that can be performed by Data Controller.

    7. DATA PROTECTION CONTACT. ServiceNow and its Sub-Processor Affiliates (defined below) will maintain a dedicated data protection team to respond to data protection inquiries throughout the duration of this DPA and can be contacted at privacy@servicenow.com.

  5. REQUESTS MADE FROM DATA SUBJECTS AND AUTHORITIES

    1. REQUESTS FROM DATA SUBJECTS. During the Service Term, Data Processor shall provide Data Controller with the ability to access, correct, rectify, erase, or block Personal Data, or to transfer or port such Personal Data, within the Service, as may be required under applicable Data Protection Laws (collectively, “Data Subject Requests”).

    2. RESPONSES. Data Controller will be solely responsible for responding to any Data Subject Requests, provided that Data Processor shall reasonably cooperate with the Data Controller to respond to Data Subject Requests to the extent Data Controller is unable to fulfill such Data Subject Requests using the available functionality. Data Processor will instruct the Data Subject to contact the Customer in the event Data Processor receives a Data Subject Request directly.

    3. REQUESTS FROM AUTHORITIES. In the case of a notice, audit, inquiry, or investigation by a government body, data protection authority, or law enforcement agency regarding the Processing of Personal Data, Data Processor shall promptly notify Data Controller unless prohibited by applicable law. Each party shall cooperate with the other party by providing all reasonable information requested in the event the other party is required to produce such information to a data protection authority.

  6. BREACH NOTIFICATION

    1. NOTIFICATION. Data Processor will report to Data Controller any accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of, or access to, Customer Data (“Breach”) without undue delay following determination by ServiceNow that a Breach has occurred.

    2. REPORT. The initial report will be made to Data Controller’s security or privacy contact(s) designated in the customer support portal (or, if no such contact(s) are designated, to the primary technical contact designated by Customer). As information is collected or otherwise becomes available, Data Processor shall provide without undue delay any further information regarding the nature and consequences of the Breach to allow Data Controller to notify relevant parties, including affected Data Subjects, government agencies, and data protection authorities in accordance with Data Protection Laws. The report will include the name and contact information of the Data Processor contact from whom additional information may be obtained. Data Processor shall inform Customer of the measures that it will adopt to mitigate the cause of the Breach and to prevent future Breaches.

    3. DATA CONTROLLER OBLIGATIONS. Data Controller will cooperate with Data Processor by maintaining accurate contact information in the customer support portal and by providing any information that is reasonably requested to resolve any security incident, including any Breaches, identify its root cause(s), and prevent a recurrence. Data Controller is solely responsible for determining whether to notify the relevant supervisory or regulatory authorities and impacted Data Subjects and for providing such notice.

  7. SUB-PROCESSORS

    1. USE OF SUB-PROCESSORS. Data Controller authorizes Data Processor to engage Sub-Processors appointed in accordance with this Section 7.

      1. CURRENT SUB-PROCESSORS. As of the Effective Date, Data Processor engages, as applicable, Twilio, Inc., Pendo.io, Inc., and the following ServiceNow Affiliates as Sub-Processors: ServiceNow, Inc. (USA), ServiceNow Nederland B.V. (the Netherlands), ServiceNow Australia Pty Ltd (Australia), ServiceNow Software Development India Private Limited (India), ServiceNow UK Ltd. (United Kingdom), ServiceNow Ireland Limited (Ireland), and ServiceNow Japan G.K. (Japan) (collectively, “Sub-Processor Affiliates”). Data Processor will notify Data Controller of changes regarding such Sub-Processor Affiliates through Data Processor’s Support Portal (or other mechanism used to notify its general customer base). Each Sub-Processor Affiliate shall comply with the obligations of the Agreement in the Processing of the Personal Data.

      2. NEW SUB-PROCESSORS. Prior to Data Processor or a Data Processor Affiliate engaging a Sub-Processor, Data Processor shall: (a) notify Data Controller by email to Customer’s designated contact(s) or by notification within its support portal (or other mechanism used to notify its customer base); and (b) ensure such Sub-Processor has entered into a written agreement with Data Processor (or the relevant Data Processor Affiliate) requiring the Sub-Processor to abide by terms no less protective than those provided in this DPA.

      3. RIGHT TO OBJECT. Data Controller may object to Data Processor’s proposed use of a new Sub-Processor by notifying Data Processor within 10 days after receipt of Data Processor’s notice if Data Controller reasonably determines such Sub-Processor is unable to Process Personal Data in accordance with the terms of this DPA (“Objection Notice”), and may choose to terminate use of the Service.

    2. LIABILITY. Use of a Sub-Processor will not relieve, waive, or diminish any obligation of Data Processor under the Agreement, and Data Processor is liable for the acts and omissions of any Sub-Processor to the same extent as if the acts or omissions were performed by Data Processor.

  8. INTERNATIONAL DATA TRANSFERS

    1. STANDARD CONTRACTUAL CLAUSES AND ADEQUACY. Where required under Data Protection Laws, Data Processor shall abide by, and Data Processor or Data Processor’s Affiliates shall require Sub-Processors to abide by (a) the Standard Contractual Clauses for Data Processors established in third countries; or (b) another lawful mechanism for the transfer of Personal Data as approved by the European Commission.

APPENDIX 1 DETAILS OF PROCESSING

Duration of Processing
Data Processor will Process Personal Data for the duration of the Agreement and in accordance with Section 4 (Data Processor) of this DPA.


Data Subjects
Data Controller may submit Personal Data to the Service, the extent of which is solely determined by Data Controller, and may include Personal Data relating to the following categories of Data Subjects:

  • clients and other business contacts;

  • employees and contractors;

  • subcontractors and agents; and

  • consultants and partners.


Categories of Personal Data
Data Controller may submit Personal Data to the Service, the extent of which is solely determined by Data Controller, and may include the following categories:

  • communication data (e.g. telephone, email);

  • business and personal contact details; and

  • other Personal Data submitted to the Service.


Special Categories of Personal Data
Data Controller may submit Special Categories of Personal Data to the Service, the extent of which is solely determined by Data Controller in compliance with Data Protection Laws, and may include the following categories, if any:

  • racial or ethnic origin;

  • political opinions;

  • religious or philosophical beliefs;

  • trade union membership;

  • genetic data or biometric data;

  • health information; and

  • sex life or sexual orientation.


Processing Operations
The personal data transferred is subject to the following basic processing activities:

  • all activities necessary for the performance of the Agreement.

© ServiceNow, Inc. All rights reserved. Lightstep is the trademark of Lightstep, Inc., a ServiceNow company.