This Data Processing Addendum, including its Schedules and the Standard Contractual Clauses (collectively, the "DPA"), is incorporated into and forms part of the SaaS License Agreement ("Agreement”) between Customer (as defined in the Agreement), on behalf of itself and its Affiliates, and Coda Project, Inc., a Delaware corporation with offices at 444 Castro Street, Suite 1200, Mountain View, CA 94041 ("Coda") (each a "Party" and collectively the "Parties"). For the purposes of this DPA, and except where indicated otherwise, the term “Customer” shall include any Customer Affiliates. In the event of a conflict between any of the provisions of the Agreement, this DPA and (where applicable) the Standard Contractual Clauses, the terms shall apply in the following order of precedence: (i) the Standard Contractual Clauses; (ii) the DPA; and then (iii) the Agreement.
Unless otherwise set out below, each capitalized term in this DPA shall have the meaning set out in the Agreement. In this DPA, unless the context requires otherwise:
"CCPA" means the California Consumer Privacy Act, Cal. Civ. Code §§ 1798.100 et seq., including any amendments and its implementing regulations; as amended, replaced or superseded from time to time;
"Customer Personal Data" means the Personal Data that Coda Processes on behalf of Customer and/or Customer’s Affiliates in connection with the Services, including: (i) names; email addresses; personal and professional information of Users; and (ii) any other personal data provided by the Customer in connection with its use of the Services, as more particularly described in Schedule 1;
"European Data Protection Laws" means (i) the EU General Data Protection Regulation 2016/679 (the "GDPR"); (ii) the GDPR as it forms part of UK law by virtue of section 3 of the UK European Union (Withdrawal) Act 2018 and the UK Data Protection Act 2018 (collectively, "UK Data Protection Laws"); (iii) the Swiss Federal Data Protection Act of 19 June 1992 and its corresponding ordinances ("Swiss DPA"); and (iv) any applicable national legislation implementing or supplementing (i), (ii) or (ii); in each case as amended, replaced or superseded from time to time;
"Europe" means the Member States of the European Economic Area ("EEA") plus Switzerland and the United Kingdom ("UK");
"Personal Data" means any information that relates to an identified or identifiable natural person and which is protected as "personal data" or "personal information" under European Data Protection Laws or the CCPA.
"Restricted Transfer" means a transfer of Customer Personal Data that is protected by European Data Protection Laws to a country outside Europe that does not provide an adequate level of protection for Personal Data (within the meaning of applicable European Data Protection Laws);
"Security Incident" means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, any Customer Personal Data. The term "Security Incident" does not include unsuccessful attempts or activities that do not compromise the security of Customer Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems;
"Services" means the service(s) provided by Coda to Customer under the Agreement;
"Standard Contractual Clauses" means the standard contractual clauses annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021;
"Subprocessor" means any Processor engaged by Coda who agrees to receive from Coda any Customer Personal Data. The term "Subprocessor" does not include any Coda employees, contractors or consultants.
The terms "Controller", "Processor", "Process","Data Subject" and "Supervisory Authority" shall have the meanings given to them in the European Data Protection Laws, and the terms "Business", "Service Provider", "Consumer", "Business Purpose" and"Sell" shall have the meanings given to them in the CCPA.
Scope and Applicability
Scope of DPA. Except as otherwise provided in this DPA, this DPA shall apply to all Customer Personal Data that is subject to European Data Protection Laws or the CCPA and which is processed by Coda as a Processor or Service Provider (as applicable) on Customer's behalf.
Notice and consent. Customer represents and warrants that it has provided all applicable notices to Data Subjects and Consumers (as applicable) and, to the extent required, obtained consent from Data Subjects in each case as required for the lawful Processing of Customer Personal Data by Coda under European Data Protection Laws and the CCPA for the purposes described under the Agreement and this DPA.
Compliance with law. Customer shall ensure its Processing of Customer Personal Data in connection with the Services complies with European Data Protection Laws and the CCPA and shall notify Coda if it cannot ensure compliance with such obligations or becomes aware of any instances of non-compliance.
Requirements for European Data Protection Laws
Applicability to Customer Personal Data. This Section 4 shall only apply to the Processing of Customer Personal Data that is subject to European Data Protection Laws by or on behalf of Coda .
Role of the Parties. For the purposes of European Data Protection Laws, the Parties acknowledge that that Coda acts as Processor on behalf of Customer, whether itself a Controller or a Processor acting on behalf of a third party Controller ("Third Party Controller").
Instructions for Processing. Coda will only Process Customer Personal Data in accordance with: (i) the Agreement, to the extent necessary to provide the Services to the Customer; and (ii) the Customer’s written instructions, unless Processing is otherwise required by applicable laws to which Coda is subject, in which case Coda shall, unless prohibited by that law, inform Customer of the legal requirement before Processing. Processing of Customer Personal Data outside the scope of this DPA or the Agreement will require prior written agreement between the Customer and Coda on additional instructions for Processing.
Objection to Subprocessors. Customer may, on reasonable grounds, object to Coda's use of a new Subprocessor by providing Coda with (a) written notice within thirty (30) days after Coda has notified Customer of such additional Subprocessor as described in Section 4.4; and (b) documentary evidence that reasonably shows that the Subprocessor does not or cannot comply with the requirements in this DPA (an "Objection"). In the event of an Objection, Coda will use reasonable endeavors to make available to Customer a change in the Services, or will recommend a commercially reasonable change to the Services, to prevent the applicable Subprocessor from Processing the Customer Personal Data. If Coda is unable to make available such a change within a reasonable period of time, which shall not exceed thirty (30) days, either Party may terminate, without penalty, the Agreement by providing written notice to the other Party (but without prejudice to any fees incurred by Customer prior to suspension or termination). Customer acknowledges that Coda complies with its obligations under clause 9 of the Standard Contractual Clauses by complying with Sections 4.4 and 4.5 of this DPA.
InternationalTransfers. Coda shall not make a Restricted Transfer of Customer Personal Data unless Coda takes such steps as are necessary to ensure an adequate level of protection for the Customer Personal Data transferred in accordance with European Data Protection Laws, including ensuring that (i) the transfer is governed by the Standard Contractual Clauses; or (ii) the transfer is covered by another suitable framework or other legally adequate transfer mechanism recognized by the relevant authorities as providing an adequate level of protection for Personal Data under European Data Protection Laws.
Standard Contractual Clauses. To the extent that the transfer of Customer Data from Customer to Coda involves a Restricted Transfer, the Standard Contractual Clauses shall be incorporated by reference and form an integral part of the Agreement. For the purposes of the Standard Contractual Clauses:
Coda shall be deemed the "data importer" and Customer shall be deemed the "data exporter" (on behalf of itself and its Affiliates);
The Standard Contractual Clauses shall apply as follows: (i) the Module Two terms shall apply where Customer is a Controller and the Module Three terms shall apply where Customer is a Processor; (ii) in Clause 7, the optional docking clause shall apply; (iii) in Clause 9, Option 2 shall apply and the list of Subprocessors and time period for notice of changes shall be as agreed under Section 5.4 of the DPA; (iv) in Clause 11, the optional language shall be deleted; (v) in Clause 17, Option 1 shall apply and the Standard Contractual Clauses shall be governed by Irish law; (vi) in Clause 18(b), disputes shall be resolved before the courts of Ireland; (vii) in Annex I.A, the parties' details are set out in the applicable Order Form; (viii) in Annex 1.B, the description of the transfer is set out in Schedule 1 of this DPA; (ix) in Clause 13 and Annex I.C, the competent supervisory authority is either the supervisory authority responsible for ensuring Customer's compliance with the GDPR (where Customer is established in the EEA) or the supervisory authority in the EEA member state where Customer's EU representative has been appointed or where the Data Subjects relevant to the transfer are located (where Customer is not established in the EEA); and (xi) in Annex II, the technical and organizational measures are set out in Schedule 2 of this DPA.
To the extent that personal data is protected by UK Data Protection Laws or Swiss DPA, the Standard Contractual Clauses apply with the following modifications (as applicable): (i) references to ‘Regulation (EU) 2016/679’ shall be interpreted as references to the UK GDPR or Swiss DPA, (ii) references to specific articles of ‘Regulation (EU) 2016/679’ shall be replaced with the equivalent article or section of the UK GDPR or Swiss DPA, (iii) references to ‘EU’, ‘Union’ and ‘Member State’ shall be replaced with ‘United Kingdom’ or ‘Switzerland’, (iv) Clause 13(a) and Part C of Annex 2 are not used and the ‘competent supervisory authority’ shall be the United Kingdom Information Commissioner or Swiss Federal Data Protection Information Commissioner, (v) references to the ‘competent supervisory authority’ and ‘competent courts’ shall be replaced with the ‘United Kingdom Information Commissioner’ and ‘courts of England and Wales’ or the ‘Swiss Federal Data Protection Information Commissioner’ and ‘competent courts of Switzerland’, (vi) in Clause 17, the Standard Contractual Clauses shall be governed by the laws of England and Wales or Switzerland, and (vii) in Clause 18(b), disputes shall be resolved before the competent courts of England and Wales or Switzerland.
UK Transfers. To extent that and for so long as the Standard Contractual Clauses as implemented in accordance with Section 4.7 cannot be relied on to lawfully Customer Personal Data in compliance with UK Data Protection Laws, the applicable standard data protection clauses issued, adopted or permitted by the UK authorities shall be incorporated by reference, and the annexes, appendices or tables of such clauses shall be deemed populated with the relevant information set out in Schedule 1 and Schedule 2 of this DPA.
Additional provisions. In the event that a legal or regulatory obligation puts Coda in non-compliance of its obligations under the Standard Contractual Clauses or in substantial or persistent breach of any warranties or undertakings under the Standard Contractual Clauses, and Customer intends to suspend the transfer of Customer Personal Data or terminate the Standard Contractual Clauses, Customer agrees to provide reasonable notice to Coda to enable Coda to cure such non-compliance ("Cure Period") and reasonably cooperate with Coda to identify what additional safeguards, if any, may be implemented by the parties to remedy such non-compliance. If, after the Cure Period, Coda has not or cannot cure the non-compliance then Customer may suspend or terminate the affected part of the Services without penalty or liability to either party (but without prejudice to any fees incurred by Customer prior to the suspension or termination).
Requirements For CCPA
Applicability to Customer Personal Data. Section 5 of this DPA shall only apply to the Processing of Customer Personal by or on behalf of Coda that is subject to the CCPA.
Role of the Parties. For the purposes of the CCPA, the Parties acknowledge and agree that Coda will act as a Service Provider in its performance of its obligations pursuant to the Agreement.
Instructions for Processing.
Coda shall not retain, use or disclose Customer Personal Data for any purpose other than for the specific Business Purpose of providing the Services, or as otherwise permitted by the CCPA. Coda acknowledges and agrees that it shall not retain, use or disclose Customer Personal Data for a commercial purpose other than providing the Services. Any processing of Customer Personal Data outside the scope of this DPA or the Agreement will require prior written agreement between Customer and Coda. Where applicable, Coda shall inform Customer if, in its opinion, its instructions 1.1infringes on any European Data Protection Laws.
No Unauthorized Disclosure or Sale of Customer Personal Data. Coda shall not disclose, release, transfer, make available or otherwise communicate any Customer Personal Data to another Business or third party without the prior written consent of Customer unless and to the extent that such disclosure is made to a Subprocessor for a Business Purpose. Notwithstanding the foregoing, nothing in this Agreement shall restrict Coda’s ability to disclose Customer Personal Data to comply with applicable laws or as otherwise permitted by the CCPA. In no event shall Coda not Sell any Customer Personal Data to another Business or third party without the prior written consent of Customer.
Requirements for All Customer Personal Data
Cooperation. Coda shall reasonably assist and cooperate with Customer in fulfilling its obligations under European Data Protection Laws and the CCPA including:
promptly notifying Customer if Coda receives a request, complaint or other communication from a Data Subject or Consumer (as applicable) relating to the Processing of their Personal Data, including but not limited to a request to exercise any of their privacy rights under European Data Protection Laws or the CCPA ("Rights Request");
to the extent that Customer is not able to respond to Rights Requests using the functionality of the Services, and taking into account the nature of the Processing, providing assistance (insofar as this is practical) to enable Customer to respond to Rights Requests;
promptly notifying the Customer of any request for the disclosure of any Customer Personal Data by a governmental or regulatory body or law enforcement authority (including any Supervisory Authority) unless otherwise prohibited by applicable law or a legally binding order of such body or agency; and
where required by European Data Protection Laws or the CCPA, assisting Customer with carrying out data protection impact assessments and engaging in prior consultations with Supervisory Authorities relating to Coda's Processing of Customer Personal Data, taking into account the nature of Processing and the information available to Coda.
Security Obligations. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of Data Subjects and Consumers (as applicable), Coda shall implement appropriate technical and organisational measures to protect Customer Personal Data from Security Incidents. Without limiting the generality of the foregoing, Coda shall put in place and maintain the technical and organisational measures as set out in Schedule 2 of this DPA to protect the Customer Personal Data against any Security Incident.
Audits. Customer acknowledges that Coda is regularly audited against SOC 2 Type 2 standards by independent third party auditors. Upon request, Coda shall supply a summary copy of its audit report(s) to Customer, which reports shall be subject to the confidentiality provisions of the Agreement. Coda shall make available to the Customer on request all further information reasonably necessary to demonstrate its compliance with this DPA. While it is the Parties' intention to ordinarily rely on such audit reports and information to verify Coda's compliance with this DPA, Customer (or its appointed third party auditors) may carry out an audit of Coda's data processing facilities following a Security Incident or upon the instruction of a Supervisory Authority or other regulator. Customer must, where possible, give Coda reasonable prior notice of such intention to audit, conduct its audit during normal business hours and take all reasonable measures to prevent unnecessary disruption to Coda's operations. Such audits shall be subject to Coda's security and confidentiality terms and Customer shall reimburse any costs and expenses incurred by Coda in facilitating the audit of its data processing facilities under this Section 6.3. Where applicable, the Parties agree that Customer shall exercise its audit rights under the Standard Contractual Clauses by instructing Coda to comply with the audit measures described in this Section 6.3.
Security Incident Notification. If Coda discovers or becomes aware of a Security Incident, then Coda shall notify Customer without undue delay, take any additional steps that are reasonably necessary to mitigate the effects of such Security Incident, and reasonably cooperate in the investigation of the Security Incident.
Employees and Personnel. Coda shall limit access to Customer Personal Data to those employees or other personnel who have a business need to have access to such Customer Personal Data. Further, Coda shall ensure that such employees or other personnel have agreed in writing to protect the confidentiality and security of such Customer Personal Data in accordance with the provisions of this DPA.
Deletion of data. Coda shall promptly, and in any event within 90 (ninety) days of the date of termination of the Agreement (or within such shorter timeframe as may be required by the Agreement), return a complete copy of all Customer Personal Data by secure file transfer (in such a format as notified by the Customer to Coda) or delete and procure the deletion of all other copies of Customer Personal Data Processed by Coda or any Subprocessors, upon Customer's request. Coda may retain Customer Personal Data to the extent required by applicable laws, and only to the extent and for such period as required by applicable laws, and always provided that Coda shall ensure the confidentiality of all such Customer Personal Data in accordance with this DPA and the Agreement and shall ensure that such Customer Personal Data is only Processed as necessary for the purpose(s) specified in the applicable laws requiring its storage and for no other purpose.
Third Party Controllers. Customer shall act as a single point of contact with respect to compliance with this DPA such that where Coda gives information or notice to Customer, such information or notice is deemed received by Customer’s Affiliates and Third Party Controllers. The Parties acknowledge and agree that Coda does not need to interact directly with (including to provide notice to or seek authorization from) Customer's Affiliates or Third Party Controllers, other than through regular provision of the Services to the extent required under an Order Form.
Affiliates. Coda acknowledges and agrees that all rights granted to Customer under this DPA are for the benefit of Customer and for the additional purpose of conferring the same benefit on each of its Affiliates as if they were a party hereto. Other than as stated in this DPA, no person shall have any rights under or in connection with this DPA under the Contracts (Rights of Third Parties) Act 1999.
Governing law. Except where otherwise required by European Data Protection Laws or the CCPA, this DPA, and any dispute or claim arising out of it or in connection with it or its subject matter or formation (including non-contractual disputes or claims), shall be governed by and construed in accordance with the laws of the Agreement.
Liability. Any claim or dispute between the Parties arising out of, or in connection with this DPA (a “Dispute”) that cannot be resolved by direct discussions between the Parties shall be resolved in accordance with the procedure set out in the Agreement (if any) and shall be subject to the exclusions and limitations set out therein. In no event will either Party limit its liability to a Data Subject under this DPA. Customer acknowledges that any Dispute brought against Coda under this DPA shall be brought by Customer on behalf of itself and its Affiliates.
This Schedule 1 describes the processing and transfer of Customer Personal Data by Coda in connection with the Agreement.
Categories of data subjects:
Customers’ end users, employees, contractors, suppliers and/or other third parties whose Personal Data is included within Customer Content that is submitted by Customer to Coda for Processing.
Categories of personal data:
Any Personal Data contained in the Customer Content that Customer submits to the Services. The Personal Data that Customer may submit to the Services is determined and controlled by Customer in its sole discretion. This may include, without limitation:
Sensitive data transferred (if applicable) and applied restrictions or safeguards:
Coda does not intentionally collect or process special categories of data (as that term is defined by European Data Protection Laws) in connection with the provision of the Services. However, Customer (or its Affiliates) may choose to include this type of data within Customer Content. The Personal Data that Customer may submit to the Services, including any sensitive data, is determined and controlled by Customer in its sole discretion.
Frequency of the transfer:
Subject matter and nature of the processing:
Coda processes Personal Data to provide the Services and fulfill contractual obligations towards Customer as described in the Agreement. These Services include the processing of Customer Content that may contain Personal Data.
Purpose(s) of the data transfer and further processing:
Coda provides a cloud-based document editing platform and receives and processes Customer Content that Customer submits, manages or otherwise uses in connection with the Services. Such Customer Content may contain Personal Data relating to third parties that Coda only processes on behalf and under the instruction of Customer, who is the Controller.
Duration and period for which the personal data will be retained:
For the duration of the Agreement. Upon expiry or termination of the Agreement, Coda shall return or delete the Customer Personal Data in accordance with Section [6.6] of the DPA.
There are no rows in this table
Technical and Organizational Measures
This Schedule describes the minimum technical and organizational measures implemented by Coda to protect Customer Personal Data from Security Incidents:
Coda employs a combination of policies, procedures, guidelines, and technical and physical controls to protect personal data it processes from accidental loss and unauthorized access, disclosure or destruction.
This Schedule provides an overview of the security measures Coda has in place to achieve this. Further information is set out in Coda's internal documentation.
Policies and governance
Coda assigns personnel with responsibility for the determination, review and implementation of security polices and measures. Coda has documented the security measures it has implemented in a security policy and/or other relevant guidelines and documents.
Coda uses encryption technology where appropriate to protect personal data held electronically, at rest and in transit. Use of such encryption technology is limited to those algorithms that have received substantial public review and have been proven to work effectively.
Coda's devices (including smartphones, tablets etc.) used to process personal data have appropriate data security software installed on them. Coda also ensures that web applications are assessed for vulnerabilities and that any such vulnerabilities are remediated prior to production deployment.
Coda limits access to personal data by implementing appropriate access controls, including specific controls for remote and wireless access to data importer's networks. Access controls can include:
requiring authentication and authorization to gain access to IT systems (i.e. require users to enter a user id and password before they are permitted access to IT systems);
only permitting user access to personal data which the user needs to access for his/her job role or the purpose they are given access to Coda's IT systems for (i.e. Coda implements measures to ensure least privilege access to IT systems);
having in place appropriate procedures for controlling the allocation and revocation of personal data access rights. For example, having in place appropriate procedures for revoking employee access to IT systems when they leave their job or change role.
Availability and Back-up
Coda has in place a security response plan that describes processes to recover IT systems, applications and data from any type of incident that causes a major outage.
Selection of service providers and commission of services
Coda assesses service providers’ ability to meet their security requirements before engaging them. Coda has written contracts in place with service providers which require them to implement appropriate security measures to protect the personal data they have access to and limit the use of personal data in accordance with Coda's instructions.
Disposal of IT equipment
Coda has in place processes to securely remove all personal data before disposing of IT systems. For example by using appropriate technology such as degaussing to purge equipment of data and/or destroying hard disks.
Monitoring, logging and auditing
Coda has established standards for the base configuration of its internal server equipment in order to minimize unauthorized access to its proprietary information and technology.
Coda has identified specific requirements that information systems must meet in order to generate appropriate audit logs and integrate with an enterprise’s log management function.
Coda has in place a procedure to regularly conduct internal security audits to (i) ensure integrity, confidentiality, and availability of information and resources; (ii) investigate possible security incidents ensure conformance to Coda's security policies; and (iii) monitor user or system activity where appropriate.
Coda implements physical security measures to safeguard personal data. This includes the following:
requirements that personal data in hardcopy or electronic form is secure in employees' work areas including that that computer workstations must be locked when a workspace is unoccupied and the use of locked drawers and filing cabinets;
keys used for access to personal data must not be left at an unattended desk;
passwords may not be left on sticky notes posted on or under a computer, nor may they be left written down in an accessible location;
printouts containing personal data should be immediately removed from the printer; and
upon disposal documents containing personal data should be shredded in the official shredder bins or placed in locked confidential disposal bins.