Data Processing Addendum

This Data Processing Addendum, including its Schedule and the Standard Contractual Clauses (collectively, the “DPA”), is incorporated into and forms part of the Order Form and Terms (“Agreement”) between Customer (as defined in the Agreement), on behalf of itself and its Affiliates, and Coda Project, Inc., a Delaware corporation with offices at 888 Villa Street, Floor 4, Mountain View, California 94041 (“Coda”) (each a “Party” and collectively the “Parties”). For the purposes of this DPA, and except where indicated otherwise, the term “Customer” shall include any Customer Affiliates. In the event of a conflict between any of the provisions of the Agreement, this DPA and (where applicable) the Standard Contractual Clauses, the terms shall apply in the following order of precedence: (i) the Standard Contractual Clauses; (ii) the DPA; and then (iii) the Agreement.
INTERPRETATION
Unless otherwise set out below, each capitalized term in this DPA shall have the meaning set out in the Agreement. In this DPA, unless the context requires otherwise:
“Applicable Data Protection Laws” means European Data Protection Laws and US Data Protection Laws, as applicable to the Processing of Customer Personal Data.
“Customer Personal Data” means any Personal Data contained in User Content that Coda Processes on behalf of Customer and/or Customer’s Affiliates in connection with the Services, as more particularly described in Schedule 1;
“European Data Protection Laws” means (i) the EU General Data Protection Regulation 2016/679 (the “GDPR”); (ii) the GDPR as it forms part of UK law by virtue of section 3 of the UK European Union (Withdrawal) Act 2018 and the UK Data Protection Act 2018 (collectively, “UK Data Protection Laws”); (iii) the Swiss Federal Act on Data Protection of 2020 and its corresponding ordinances (“Swiss FADP”); and (iv) any applicable national legislation implementing or supplementing (i), (ii) or (iii); in each case as amended, replaced or superseded from time to time;
“Europe” means the Member States of the European Economic Area (“EEA”) plus Switzerland and the United Kingdom (“UK”);
“Personal Data” means any information that relates to an identified or identifiable natural person and which is protected as “personal data” or “personal information” under Applicable Data Protection Laws.
“Restricted Transfer” means a transfer of Customer Personal Data that is protected by European Data Protection Laws to a country outside Europe that does not provide an adequate level of protection for Personal Data (within the meaning of applicable European Data Protection Laws);
“Security Incident” means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, any Customer Personal Data. The term “Security Incident” does not include unsuccessful attempts or activities that do not compromise the security of Customer Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems;
“Services” means the service(s) provided by Coda to Customer under the Agreement;
“Standard Contractual Clauses” means the standard contractual clauses annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021; as amended, replaced or superseded from time to time;
“Subprocessor” means any third-party Processor or Service Provider engaged by Coda who agrees to receive from Coda any Customer Personal Data. The term “Subprocessor” does not include any Coda employees, contractors or consultants;
“UK Addendum” means the International Data Transfer Addendum issued by the UK Information Commissioner's Office; as amended, replaced or superseded from time to time; and
“US Data Protection Laws” means (i) the California Consumer Privacy Act, as amended by the California Privacy Rights Act, Civ. Code §§ 1798.100 et seq., and any implementing regulations relating to the same (together, the “CCPA”); (ii) the Virginia Consumer Data Protection Act (“CDPA”); (iii) the Colorado Privacy Act (“CPA”); (iv) the Utah Consumer Privacy Act (“UCPA”); (v) the Connecticut Data Privacy Act (“CTDPA”); and (vi) any other applicable US state privacy laws that may be enacted from time to time to protect Personal Data; in each case when effective and as amended, replaced or superseded from time to time.
The terms “Business”, “Controller”, “Processor”, “Service Provider”, “Process”, “Data Subject”, “Consumer”, “Business Purpose”, “Sell” and “Share” shall have the meanings given to them in Applicable Data Protection Laws.
SCOPE AND APPLICABILITY
Scope of DPA. This DPA shall apply to any Customer Personal Data that is subject to Applicable Data Protection Laws and which is Processed by Coda as a Processor or Service Provider (as applicable) on Customer's behalf in connection with the Services.
Account and Usage Data. Notwithstanding the above, Customer acknowledges that Coda may Process Account Data and Usage Data as a Controller or Business (as applicable) in accordance with the terms of the Agreement. To the extent such Processing of Account Data and Usage Data involves a Restricted Transfer of Personal Data from Customer to Coda, Sections 4.2-4.6 of this DPA shall apply. The terms of this DPA shall not otherwise apply in connection with the Processing of Account Data and Usage Data by Coda.
CUSTOMER OBLIGATIONS
Notice and consent. Customer represents and warrants that it has provided all applicable notices to Data Subjects and Consumers (as applicable) and, to the extent required, obtained consent from Data Subjects and Consumers (as applicable) in each case as required for the lawful Processing of Customer Personal Data by Coda under Applicable Data Protection Laws for the purposes described under the Agreement and this DPA.
Compliance with law. Customer shall ensure its Processing of Customer Personal Data in connection with the Services complies with Applicable Data Protection Laws and shall notify Coda if it cannot ensure compliance with such obligations or becomes aware of any instances of non-compliance. Customer is solely responsible for the accuracy, quality, and lawfulness of Customer Personal Data provided to Coda by or on behalf of Customer.
REQUIREMENTS FOR EUROPEAN DATA PROTECTION LAWS
Applicability to Customer Personal Data. Section 4 of this DPA shall only apply to the Processing of Customer Personal Data that is subject to European Data Protection Laws by or on behalf of Coda.
International Transfers. Coda shall not make a Restricted Transfer of Customer Personal Data unless Coda takes such steps as are necessary to ensure an adequate level of protection for the Customer Personal Data transferred in accordance with European Data Protection Laws, including ensuring that (i) the transfer is governed by the Standard Contractual Clauses; or (ii) the transfer is covered by another suitable framework or other legally adequate transfer mechanism recognized by the relevant authorities as providing an adequate level of protection for Personal Data under applicable European Data Protection Laws.
Standard Contractual Clauses. To the extent that the transfer of Customer Personal Data from Customer to Coda involves a Restricted Transfer, the Standard Contractual Clauses shall be incorporated by reference and form an integral part of the Agreement. For the purposes of the Standard Contractual Clauses, Coda shall be deemed the “data importer” and Customer shall be deemed the “data exporter” (on behalf of itself and its Affiliates) and the Standard Contractual Clauses shall apply as follows:
the Module Two or Module Three terms shall apply to Customer Personal Data (where Customer is a Controller or a Processor of Customer Personal Data, as applicable) and the Module One terms shall apply to Account Data and Usage Data;
in Clause 7, the optional docking clause shall apply;
in Clause 9, Option 2 shall apply and the list of Subprocessors and time period for notice of changes shall be as agreed under Section 6.4 of the DPA;
in Clause 11, the optional language shall be deleted;
in Clause 17, Option 1 shall apply and the Standard Contractual Clauses shall be governed by Irish law;
in Clause 18(b), disputes shall be resolved before the courts of Ireland;
in Annex I.A, the parties' details are set out in the applicable Order Form;
in Annex 1.B, the description of the transfer is set out in Schedule 1 of this DPA;
in Clause 13 and Annex I.C, the competent supervisory authority shall be determined in accordance with the GDPR; and
in Annex II, the technical and organizational measures are set out in the Coda Security Annex.
UK transfers. To the extent the Customer Personal Data described under Section 4.3 is protected by UK Data Protection Laws, the Standard Contractual Clauses shall be amended by the UK Addendum, which shall be incorporated by reference and form an integral part of the Agreement as follows: (i) in Table 1, the parties' details are set out in the applicable Order Form; (ii) in Table 2, the selected modules and clauses are set out in Section 4.3; (iii) in Table 3, the appendix information is set out in the applicable Order Form and Schedule 1 of this DPA; and (iv) in Table 4, ‘neither party' is selected.
Swiss transfers. To the extent the Customer Personal Data described under Section 4.3 is protected by the Swiss FADP, the Standard Contractual Clauses apply with the following modifications: (i) references to ‘Regulation (EU) 2016/679’ shall be interpreted as references to the Swiss FADP; (ii) references to specific articles of ‘Regulation (EU) 2016/679’ shall be replaced with the equivalent article or section of the Swiss FADP; (iii) references to ‘EU’, ‘Union’ and ‘Member State’ shall be replaced with ‘Switzerland’; (iv) Clause 13(a) and Part C of Annex 2 are not used and the ‘competent supervisory authority’ shall be the Swiss Federal Data Protection Information Commissioner; (v) references to the ‘competent supervisory authority’ and ‘competent courts’ shall be replaced with the ‘Swiss Federal Data Protection Information Commissioner’ and ‘competent courts of Switzerland’; (vi) in Clause 17, the Standard Contractual Clauses shall be governed by the laws of Switzerland; and (vii) in Clause 18(b), disputes shall be resolved before the competent courts of Switzerland.
Additional provisions. In the event a legal or regulatory obligation puts Coda in non-compliance of its obligations under the Standard Contractual Clauses or in substantial or persistent breach of any warranties or undertakings under the Standard Contractual Clauses, and Customer intends to suspend the transfer of Customer Personal Data or terminate the Standard Contractual Clauses, Customer agrees to provide reasonable notice to Coda to enable Coda to cure such non-compliance (“Cure Period”) and reasonably cooperate with Coda to identify what additional safeguards, if any, may be implemented by the parties to remedy such non-compliance. If, after the Cure Period, Coda has not or cannot cure the non-compliance then Customer may suspend or terminate the affected part of the Services without penalty or liability to either party (but without prejudice to any fees incurred by Customer prior to suspension or termination).
REQUIREMENTS FOR US DATA PROTECTION LAWS
Applicability to Customer Personal Data. Section 5 of this DPA shall only apply to the Processing of Customer Personal Data by or on behalf of Coda that is subject to US Data Protection Laws.
Role of the Parties. For the purposes of US Data Protection Laws, the Parties acknowledge and agree that Coda will act as a Service Provider or Processor (as applicable) in its performance of its obligations pursuant to the Agreement.
Processing Restrictions. Coda shall not retain, use or disclose Customer Personal Data for any purpose other than for the specific Business Purpose of providing the Services, as described in the Agreement and this DPA, or as otherwise permitted by applicable US Data Protection Laws. Coda acknowledges and agrees that it shall not retain, use or disclose Customer Personal Data for a commercial purpose other than providing the Services. Any Processing of Customer Personal Data outside the scope of this DPA or the Agreement will require prior written agreement between Customer and Coda.
Additional CCPA Provisions. To the extent that the CCPA applies to the Processing of Customer Personal Data, Coda shall not: (i) Sell Customer Personal Data or Share Customer Personal Data for the purposes of targeted or cross-context behavioral advertising; (ii) combine Customer Personal Data with information received from another third party; or (iii) disclose, release, transfer, make available or otherwise communicate any Customer Personal Data outside of the business relationship between Customer and Coda; in each case except as necessary to provide the Services or comply with applicable laws, where such disclosure is made to a Subprocessor for a Business Purpose, and/or with the prior written consent of Customer. Notwithstanding the foregoing, nothing in this Agreement shall restrict Coda’s ability to (i) retain, use, transfer, disclose, make available or otherwise communicate Customer Personal Data to comply with applicable laws or as otherwise permitted by the CCPA; or (ii) collect, derive, use, transfer, make available or otherwise communicate de-identified and/or aggregate information to provide, maintain and improve Coda's business, services and technologies. Coda certifies that it understands the restrictions in this Section 5.4 and will comply with them. Coda will provide the same level of protection for Customer Personal Data as is required under the CCPA and notify Customer if it can no longer meet its obligations under the CCPA. Customer may take reasonable and appropriate steps consistent with Section 6.7 of this DPA to ensure that Coda's Processing of Customer Personal Data conforms with Customer’s obligations under the CCPA.
REQUIREMENTS FOR ALL CUSTOMER PERSONAL DATA
Role of the Parties. The Parties acknowledge that Coda will act as a Processor or Service Provider (as applicable) on behalf of Customer, whether itself a Controller or a Processor acting on behalf of a third-party Controller or Business (“Third Party Controller”).
Instructions for Processing. Coda shall only Process Customer Personal Data in accordance with: (i) the Agreement, to the extent necessary to provide the Services to the Customer; and (ii) the Customer’s written instructions, unless Processing is otherwise required by applicable laws to which Coda is subject, in which case Coda shall, unless prohibited by that law, inform Customer of the legal requirement before Processing. Without limiting the foregoing, Customer instructs Coda to Process Customer Personal Data to: (a) perform its obligations under the Agreement; (b) provide, maintain, and improve the Services as licensed, configured, and used by Customer and its Users; (c) protect the Services from security threats; (d) resolve technical issues, bugs, and errors; (d) provide customer support; and (e) other Processing activities necessary to comply with the Agreement (including this DPA) as well as any other documented instruction provided by Customer. Customer shall ensure that its instructions comply with applicable laws and that the Processing of Customer Personal Data in accordance with Customer’s instructions will not cause Coda to breach Applicable Data Protection Laws. Processing of Customer Personal Data outside the scope of this DPA or the Agreement will require prior written agreement between the Customer and Coda on additional instructions for Processing.
Cooperation. Coda shall provide reasonable and legally-required assistance and cooperation to enable Customer to fulfill its obligations under Applicable Data Protection Laws including:
promptly notifying Customer if Coda receives a request, complaint or other communication from a Data Subject or Consumer (as applicable) relating to the Processing of their Personal Data, including but not limited to a request to exercise any of their privacy rights under Applicable Data Protection Laws (“Rights Request”);
to the extent that Customer is not able to respond to Rights Requests using the functionality of the Services, and taking into account the nature of the Processing, providing assistance (insofar as this is practical) to enable Customer to respond to Rights Requests;
promptly notifying the Customer of any request for the disclosure of any Customer Personal Data by a governmental or regulatory body or law enforcement authority unless otherwise prohibited by applicable law or a legally binding order of such body or agency; and
where required by Applicable Data Protection Laws, assisting Customer with carrying out data protection impact or risk assessments and engaging in prior consultations with regulatory bodies relating to Coda's Processing of Customer Personal Data, taking into account the nature of Processing and the information available to Coda.
Engagement of Subprocessors. Customer authorizes Coda to engage Subprocessors to Process Customer Personal Data provided it enters into a written agreement with each Subprocessor that: (a) restricts the Subprocessor from Processing the Customer Personal Data for any purposes other than the performance of the obligations subcontracted to it; and (b) imposes obligations on the Subprocessor with regard to their Processing of Customer Personal Data that are no less protective than those imposed on Coda under this DPA. Coda shall make available its current list of Subprocessors, and provide Customer with notice of new Subprocessors, via Coda’s subprocessor page (currently located at coda.io/trust/subprocessor), as may be updated by Coda from time to time. Coda shall at all times remain responsible for compliance with its obligations under this DPA and will be liable to the Customer for the acts and omissions of any Subprocessor that Processes Customer Personal Data as if they were the acts and omissions of Coda.
Objection to Subprocessors. Customer may, on reasonable grounds, object to Coda's use of a new Subprocessor by providing Coda with written notice within thirty (30) days after Coda has notified Customer of such additional Subprocessor as described in Section 6.4 (an “Objection”). In the event of an Objection, Coda will use reasonable endeavors to make available to Customer a change in the Services, or will recommend a commercially reasonable change to the Services, to prevent the applicable Subprocessor from Processing the Customer Personal Data. If Coda is unable to make available such a change within a reasonable period of time, which shall not exceed thirty (30) days, either Party may terminate, without penalty, the Agreement by providing written notice to the other Party (but without prejudice to any fees incurred by Customer prior to suspension or termination). Customer acknowledges that Coda complies with its obligations under clause 9 of the Standard Contractual Clauses by complying with Sections 6.4 and 6.5 of the DPA.
Security obligations. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of Data Subjects and Consumers (as applicable), Coda shall implement appropriate technical and organizational measures to protect Customer Personal Data from Security Incidents. Without limiting the generality of the foregoing, Coda shall put in place and maintain the technical and organizational measures as set out in the Coda Security Annex to protect the User Content against any Security Incident.
Audits. Customer acknowledges that Coda is regularly audited against SOC 2 Type II compliance standards by independent third party auditors. Upon request, Coda shall supply a summary copy of its audit report(s) to Customer, which reports shall be subject to the confidentiality provisions of the Agreement. Coda shall make available to the Customer on request all further information reasonably necessary to demonstrate its compliance with this DPA. Where applicable, the Parties agree that Customer shall exercise its audit rights under the Standard Contractual Clauses by instructing Coda to comply with the audit measures described in this Section 6.7.
Security Incident notification. If Coda discovers or becomes aware of a Security Incident, then Coda shall notify Customer without undue delay, take any additional steps that are reasonably necessary to mitigate the effects of such Security Incident, and reasonably cooperate in the investigation of the Security Incident.
Employees and personnel. Coda shall limit access to Customer Personal Data to those employees or other personnel who have a business need to have access to such Customer Personal Data. Further, Coda shall ensure that such employees or other personnel have agreed in writing to protect the confidentiality and security of such Customer Personal Data in accordance with the provisions of this DPA.
Deletion of data. Coda shall promptly, and in any event within 90 (ninety) days of the date of termination of the Agreement (or within such shorter timeframe as may be required by the Agreement), return a complete copy of all Customer Personal Data by secure file transfer (in such a format as notified by the Customer to Coda) or delete and procure the deletion of all other copies of Customer Personal Data Processed by Coda or any Subprocessors, upon Customer's request. Coda may retain Customer Personal Data to the extent required by applicable laws, and only to the extent and for such period as required by applicable laws, and always provided that Coda shall ensure the confidentiality of all such Customer Personal Data in accordance with this DPA and the Agreement and shall ensure that such Customer Personal Data is only Processed as necessary for the purpose(s) specified in the applicable laws requiring its storage and for no other purpose.
GENERAL
Third Party Controllers. If Customer acts as a Processor or Service Provider (as applicable) in relation to Customer Personal Data on behalf of a Third Party Controller, Customer represents and warrants that its instructions in respect of the Processing of Customer Personal Data by Coda have been notified to, and authorized by, the Third Party Controller. Customer shall act as a single point of contact with respect to compliance with this DPA such that where Coda gives information or notice to Customer, such information or notice is deemed received by Customer’s Affiliates and Third Party Controllers. The Parties acknowledge and agree that Coda does not need to interact directly with (including to provide notice to or seek authorization from) Customer's Affiliates or Third Party Controllers, other than through regular provision of the Services to the extent required under an Order Form.
Affiliates. Coda acknowledges and agrees that all rights granted to Customer under this DPA are for the benefit of Customer and for the additional purpose of conferring the same benefit on each of its Affiliates as if they were a party hereto. Other than as stated in this DPA, no person shall have any rights under or in connection with this DPA under the Contracts (Rights of Third Parties) Act 1999.
Governing law. Except where otherwise required by European Data Protection Laws, this DPA, and any dispute or claim arising out of it or in connection with it or its subject matter or formation (including non-contractual disputes or claims), shall be governed by and construed in accordance with the laws of the Agreement.
Liability. Any claim or dispute between the Parties arising out of, or in connection with this DPA (a “Dispute”) that cannot be resolved by direct discussions between the Parties shall be resolved in accordance with the procedure set out in the Agreement (if any) and shall be subject to the exclusions and limitations set out therein. Customer acknowledges that any Dispute brought against Coda under this DPA shall be brought by Customer on behalf of itself and its Affiliates.
Last Modified: May 15, 2024

Schedule 1

This Schedule 1 forms part of the DPA and describes the processing and transfer of Customer Personal Data by Coda in connection with the Agreement.
Description / Purpose
1. Categories of Data Subjects/Consumers: Customers’ end users, employees, contractors, suppliers and/or other third parties whose Personal Data is included within User Content that is submitted by Customer to Coda for Processing.
2. Categories of Personal Data: Any Personal Data contained in the User Content that Customer submits or uploads to the Services. The Personal Data that Customer may submit to the Services is determined and controlled by Customer in its sole discretion. We refer to this data as “User Content” in the Agreement. For the purposes of Sections 4.3-4.5 of the DPA only, Personal Data may also include contact information, log-in credentials, billing information and data relating to the operation, use and/or performance of the Coda Platform, as more particularly described in Coda's Privacy Policy which is currently located at https://coda.io/trust/privacy. We refer to this data as "Account Data" and "Usage Data" in the Agreement.
3. Sensitive data transferred (if applicable) and applied restrictions or safeguards: Coda does not intentionally collect or Process special categories of data (as that term is defined by European Data Protection Laws) in connection with the provision of the Services. However, Customer (or its Affiliates) may choose to include this type of data within User Content. The Personal Data that Customer may submit to the Services, including any sensitive data, is determined and controlled by Customer in its sole discretion.
4. Frequency of the transfer: Continuous
5. Subject matter and nature of the Processing: Coda Processes Personal Data to provide, maintain and improve the Services and fulfill contractual obligations towards Customer as described in the Agreement. These Services include the Processing of User Content that may contain Personal Data.
6. Purpose(s) of the data transfer and further Processing: Coda provides a cloud-based document editing platform and receives and Processes User Content that Customer submits, manages or otherwise uses in connection with the Services. Such User Content may contain Personal Data relating to third party individuals that Coda only Processes on behalf and under the instruction of Customer, who is the Controller or Business (as applicable) of such Personal Data.
7. Duration and period for which the personal data will be retained: For the duration of the Agreement. Upon expiry or termination of the Agreement, Coda shall return or delete Customer Personal Data in accordance with Section 6.10 of the DPA.