This Data Processing Addendum, including its Schedules and the Standard Contractual Clauses (collectively, the "DPA"), is incorporated into and forms part of the Order Form and/or Terms ("Agreement") between the party subscribing for use of the Coda Platform ("Customer"), on behalf of itself and its Affiliates, and Coda Project, Inc., a Delaware corporation with offices at 888 Villa Street, Floor 4, Mountain View, CA 94041 ("Coda") (each a "Party" and collectively the "Parties"). For the purposes of this DPA, and except where indicated otherwise, the term "Customer" shall include any Customer Affiliates. In the event of a conflict between any of the provisions of the Agreement, this DPA and (where applicable) the Standard Contractual Clauses, the terms shall apply in the following order of precedence: (i) the Standard Contractual Clauses; (ii) the DPA; and then (iii) the Agreement.
Unless otherwise set out below, each capitalized term in this DPA shall have the meaning set out in the Agreement. In this DPA, unless the context requires otherwise: "Customer Personal Data" means any Personal Data contained in User Content that Coda Processes on behalf of Customer and/or Customer’s Affiliates in connection with the Services, as more particularly described in Schedule 1; "European Data Protection Laws" means (i) the EU General Data Protection Regulation 2016/679 (the "GDPR"); (ii) the GDPR as it forms part of UK law by virtue of section 3 of the UK European Union (Withdrawal) Act 2018 and the UK Data Protection Act 2018 (collectively, "UK Data Protection Laws"); (iii) the Swiss Federal Data Protection Act of 19 June 1992 and its corresponding ordinances ("Swiss DPA"); and (iv) any applicable national legislation implementing or supplementing (i), (ii) or (iii); in each case as amended, replaced or superseded from time to time; "Europe" means the Member States of the European Economic Area ("EEA") plus Switzerland and the United Kingdom ("UK"); "Personal Data" means any information that relates to an identified or identifiable natural person and which is protected as "personal data" or "personal information" under European Data Protection Laws or US Data Protection Laws. "Restricted Transfer" means a transfer of Customer Personal Data that is protected by European Data Protection Laws to a country outside Europe that does not provide an adequate level of protection for Personal Data (within the meaning of applicable European Data Protection Laws); "Security Incident" means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, any Customer Personal Data. 
The term "Security Incident" does not include unsuccessful attempts or activities that do not compromise the security of Customer Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems; "Services" means the service(s) provided by Coda to Customer under the Agreement; "Standard Contractual Clauses" means the standard contractual clauses annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021, as amended, replaced or superseded from time to time; "Subprocessor" means any third-party Processor or Service Provider engaged by Coda who agrees to receive from Coda any Customer Personal Data. The term "Subprocessor" does not include any Coda employees, contractors or consultants; "UK Addendum" means the International Data Transfer Addendum issued by the UK Information Commissioner's Office, as amended, replaced or superseded from time to time; and "US Data Protection Laws" means (i) the California Consumer Privacy Act, as amended by the California Privacy Rights Act, Civ. Code §§ 1798.100 et seq., and any implementing regulations relating to the same (together, the "CCPA"); (ii) the Virginia Consumer Data Protection Act ("CDPA"); (iii) the Colorado Privacy Act ("CPA"); (iv) the Utah Consumer Privacy Act ("UCPA"); and (v) the Connecticut Data Privacy Act ("CTDPA"); in each case when effective and as amended, replaced or superseded from time to time. The terms "Business", "Controller", "Processor", "Service Provider", "Process", "Data Subject", "Consumer", "Business Purpose", "Sell" and "Share" shall have the meanings given to them in European Data Protection Laws and US Data Protection Laws (as applicable).

Scope of DPA. This DPA shall apply to any Customer Personal Data that is subject to European Data Protection Laws or US Data Protection Laws and which is Processed by Coda as a Processor or Service Provider (as applicable) on Customer's behalf in connection with the Services.

Notice and consent. Customer represents and warrants that it has provided all applicable notices to Data Subjects and Consumers (as applicable) and, to the extent required, obtained consent from Data Subjects and Consumers (as applicable) in each case as required for the lawful Processing of Customer Personal Data by Coda under European Data Protection Laws and US Data Protection Laws for the purposes described under the Agreement and this DPA.

Compliance with law. Customer shall ensure its Processing of Customer Personal Data in connection with the Services complies with European Data Protection Laws and US Data Protection Laws and shall notify Coda if it cannot ensure compliance with such obligations or becomes aware of any instances of non-compliance.

REQUIREMENTS FOR EUROPEAN DATA PROTECTION LAWS

Applicability to Customer Personal Data. Section 4 of this DPA shall only apply to the Processing of Customer Personal Data that is subject to European Data Protection Laws by or on behalf of Coda.

Role of the Parties. For the purposes of European Data Protection Laws, the Parties acknowledge that Coda acts as Processor on behalf of Customer, whether itself a Controller or a Processor acting on behalf of a third party Controller ("Third Party Controller").

Instructions for Processing. Coda shall only Process Customer Personal Data in accordance with: (i) the Agreement, to the extent necessary to provide the Services to the Customer; and (ii) the Customer's written instructions, unless Processing is otherwise required by applicable laws to which Coda is subject, in which case Coda shall, unless prohibited by that law, inform Customer of the legal requirement before Processing.
Processing of Customer Personal Data outside the scope of this DPA or the Agreement will require prior written agreement between the Customer and Coda on additional instructions for Processing.

International Transfers. Coda shall not make a Restricted Transfer of Customer Personal Data unless Coda takes such steps as are necessary to ensure an adequate level of protection for the Customer Personal Data transferred in accordance with European Data Protection Laws, including ensuring that (i) the transfer is governed by the Standard Contractual Clauses; or (ii) the transfer is covered by another suitable framework or other legally adequate transfer mechanism recognized by the relevant authorities as providing an adequate level of protection for Personal Data under applicable European Data Protection Laws.

Standard Contractual Clauses. To the extent that the transfer of Customer Personal Data from Customer to Coda involves a Restricted Transfer, the Standard Contractual Clauses shall be incorporated by reference and form an integral part of the Agreement.
For the purposes of the Standard Contractual Clauses, Coda shall be deemed the "data importer" and Customer shall be deemed the "data exporter" (on behalf of itself and its Affiliates) and the Standard Contractual Clauses shall apply as follows: the Module Two or Module Three terms shall apply to Customer Personal Data (where Customer is a Controller or a Processor of Customer Personal Data, as applicable) and the Module One terms shall apply to Account Data and Usage Data; in Clause 7, the optional docking clause shall apply; in Clause 9, Option 2 shall apply and the list of Subprocessors and time period for notice of changes shall be as agreed under Section 6.4 of the DPA; in Clause 11, the optional language shall be deleted; in Clause 17, Option 1 shall apply and the Standard Contractual Clauses shall be governed by Irish law; in Clause 18(b), disputes shall be resolved before the courts of Ireland; in Annex I.A, the parties' details are set out in the applicable Order Form; in Annex I.B, the description of the transfer is set out in Schedule 1 of this DPA; in Clause 13 and Annex I.C, the competent supervisory authority shall be determined in accordance with the GDPR; and in Annex II, the technical and organizational measures are set out in Schedule 2 of this DPA.

UK transfers. To the extent the Customer Personal Data described under Section 4.5 is protected by UK Data Protection Laws, the Standard Contractual Clauses shall be amended by the UK Addendum, which shall be incorporated by reference and form an integral part of the Agreement as follows: (i) in Table 1, the parties' details are set out in the applicable Order Form; (ii) in Table 2, the selected modules and clauses are set out in Section 4.5; (iii) in Table 3, the appendix information is set out in the applicable Order Form and Schedule 1 of this DPA; and (iv) in Table 4, 'neither party' is selected.

Swiss transfers. To the extent the Customer Personal Data described under Section 4.5 is protected by the Swiss DPA, the Standard Contractual Clauses apply with the following modifications: (i) references to 'Regulation (EU) 2016/679' shall be interpreted as references to the Swiss DPA; (ii) references to specific articles of 'Regulation (EU) 2016/679' shall be replaced with the equivalent article or section of the Swiss DPA; (iii) references to 'EU', 'Union' and 'Member State' shall be replaced with 'Switzerland'; (iv) Clause 13(a) and Part C of Annex 2 are not used and the 'competent supervisory authority' shall be the Swiss Federal Data Protection Information Commissioner; (v) references to the 'competent supervisory authority' and 'competent courts' shall be replaced with the 'Swiss Federal Data Protection Information Commissioner' and 'competent courts of Switzerland'; (vi) in Clause 17, the Standard Contractual Clauses shall be governed by the laws of Switzerland; and (vii) in Clause 18(b), disputes shall be resolved before the competent courts of Switzerland.

Additional provisions. In the event a legal or regulatory obligation puts Coda in non-compliance of its obligations under the Standard Contractual Clauses or in substantial or persistent breach of any warranties or undertakings under the Standard Contractual Clauses, and Customer intends to suspend the transfer of Customer Personal Data or terminate the Standard Contractual Clauses, Customer agrees to provide reasonable notice to Coda to enable Coda to cure such non-compliance ("Cure Period") and reasonably cooperate with Coda to identify what additional safeguards, if any, may be implemented by the parties to remedy such non-compliance. If, after the Cure Period, Coda has not or cannot cure the non-compliance then Customer may suspend or terminate the affected part of the Services without penalty or liability to either party (but without prejudice to any fees incurred by Customer prior to suspension or termination).
REQUIREMENTS FOR US DATA PROTECTION LAWS

Applicability to Customer Personal Data. Section 5 of this DPA shall only apply to the Processing of Customer Personal Data by or on behalf of Coda that is subject to US Data Protection Laws.

Role of the Parties. For the purposes of US Data Protection Laws, the Parties acknowledge and agree that Coda will act as a Service Provider or Processor (as applicable) in its performance of its obligations pursuant to the Agreement.

Instructions for Processing. Coda shall not retain, use or disclose Customer Personal Data for any purpose other than for the specific Business Purpose of providing the Services, or as otherwise permitted by applicable US Data Protection Laws. Coda acknowledges and agrees that it shall not retain, use or disclose Customer Personal Data for a commercial purpose other than providing the Services. Any Processing of Customer Personal Data outside the scope of this DPA or the Agreement will require prior written agreement between Customer and Coda.

No Sale, Sharing or Unauthorized Disclosure of Customer Personal Data. Coda shall not: (i) Sell Customer Personal Data or Share Customer Personal Data for the purposes of targeted or cross-context behavioral advertising; (ii) combine Customer Personal Data with information received from another third party; or (iii) disclose, release, transfer, make available or otherwise communicate any Customer Personal Data to another third party; in each case except as necessary to provide the Services, where such disclosure is made to a Subprocessor for a Business Purpose, and/or with the prior written consent of Customer.
Notwithstanding the foregoing, nothing in this Agreement shall restrict Coda's ability to (i) retain, use, transfer, disclose, make available or otherwise communicate Customer Personal Data to comply with applicable laws or as otherwise permitted by applicable US Data Protection Laws; or (ii) collect, derive, use, transfer, make available or otherwise communicate de-identified and/or aggregate information to provide, maintain and improve Coda's business, services and technologies. Coda certifies that it understands these restrictions and will notify Customer if it can no longer meet its obligations under US Data Protection Laws.

REQUIREMENTS FOR ALL CUSTOMER PERSONAL DATA

Cooperation. Coda shall provide reasonable and legally-required assistance and cooperation to enable Customer to fulfill its obligations under European Data Protection Laws and US Data Protection Laws, including:
(a) promptly notifying Customer if Coda receives a request, complaint or other communication from a Data Subject or Consumer (as applicable) relating to the Processing of their Personal Data, including but not limited to a request to exercise any of their privacy rights under European Data Protection Laws or US Data Protection Laws ("Rights Request");
(b) to the extent that Customer is not able to respond to Rights Requests using the functionality of the Services, and taking into account the nature of the Processing, providing assistance (insofar as this is practical) to enable Customer to respond to Rights Requests;
(c) promptly notifying the Customer of any request for the disclosure of any Customer Personal Data by a governmental or regulatory body or law enforcement authority unless otherwise prohibited by applicable law or a legally binding order of such body or agency; and
(d) where required by European Data Protection Laws or US Data Protection Laws, assisting Customer with carrying out data protection impact or risk assessments and engaging in prior consultations with regulatory bodies relating to Coda's Processing of Customer Personal Data, taking into account the nature of Processing and the information available to Coda.

Engagement of Subprocessors. Customer authorizes Coda to engage Subprocessors to Process Customer Personal Data provided it enters into a written agreement with each Subprocessor that: (a) restricts the Subprocessor from Processing the Customer Personal Data for any purposes other than the performance of the obligations subcontracted to it; and (b) imposes obligations on the Subprocessor with regard to their Processing of Customer Personal Data that are no less protective than those imposed on Coda under this DPA. Coda shall make available its current list of Subprocessors, and provide Customer with notice of new Subprocessors, via Coda's subprocessor page (currently located at coda.io/trust/subprocessor), as may be updated by Coda from time to time. Coda shall at all times remain responsible for compliance with its obligations under this DPA and will be liable to the Customer for the acts and omissions of any Subprocessor that Processes Customer Personal Data as if they were the acts and omissions of Coda.

Objection to Subprocessors. Customer may, on reasonable grounds, object to Coda's use of a new Subprocessor by providing Coda with written notice within thirty (30) days after Coda has notified Customer of such additional Subprocessor as described in Section 6.3 (an "Objection"). In the event of an Objection, Coda will use reasonable endeavors to make available to Customer a change in the Services, or will recommend a commercially reasonable change to the Services, to prevent the applicable Subprocessor from Processing the Customer Personal Data.
If Coda is unable to make available such a change within a reasonable period of time, which shall not exceed thirty (30) days, either Party may terminate, without penalty, the Agreement by providing written notice to the other Party (but without prejudice to any fees incurred by Customer prior to suspension or termination). Customer acknowledges that Coda complies with its obligations under Clause 9 of the Standard Contractual Clauses by complying with Sections 6.3 and 6.4 of the DPA.

Security obligations. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of Data Subjects and Consumers (as applicable), Coda shall implement appropriate technical and organizational measures to protect Customer Personal Data from Security Incidents. Without limiting the generality of the foregoing, Coda shall put in place and maintain the technical and organizational measures as set out in Schedule 2 of this DPA to protect the Customer Personal Data against any Security Incident.

Audits. Customer acknowledges that Coda is regularly audited against SOC 2 Type II compliance standards by independent third party auditors. Upon request, Coda shall supply a summary copy of its audit report(s) to Customer, which reports shall be subject to the confidentiality provisions of the Agreement. Coda shall make available to the Customer on request all further information reasonably necessary to demonstrate its compliance with this DPA. Where applicable, the Parties agree that Customer shall exercise its audit rights under the Standard Contractual Clauses by instructing Coda to comply with the audit measures described in this Section 6.5.

Security Incident notification. If Coda discovers or becomes aware of a Security Incident, then Coda shall notify Customer without undue delay, take any additional steps that are reasonably necessary to mitigate the effects of such Security Incident, and reasonably cooperate in the investigation of the Security Incident.

Employees and personnel. Coda shall limit access to Customer Personal Data to those employees or other personnel who have a business need to have access to such Customer Personal Data. Further, Coda shall ensure that such employees or other personnel have agreed in writing to protect the confidentiality and security of such Customer Personal Data in accordance with the provisions of this DPA.

Deletion of data. Coda shall promptly, and in any event within 90 (ninety) days of the date of termination of the Agreement (or within such shorter timeframe as may be required by the Agreement), return a complete copy of all Customer Personal Data by secure file transfer (in such a format as notified by the Customer to Coda) or delete and procure the deletion of all other copies of Customer Personal Data Processed by Coda or any Subprocessors, upon Customer's request. Coda may retain Customer Personal Data to the extent required by applicable laws, and only to the extent and for such period as required by applicable laws, and always provided that Coda shall ensure the confidentiality of all such Customer Personal Data in accordance with this DPA and the Agreement and shall ensure that such Customer Personal Data is only Processed as necessary for the purpose(s) specified in the applicable laws requiring its storage and for no other purpose.

Third Party Controllers. Customer shall act as a single point of contact with respect to compliance with this DPA such that where Coda gives information or notice to Customer, such information or notice is deemed received by Customer's Affiliates and Third Party Controllers.
The Parties acknowledge and agree that Coda does not need to interact directly with (including to provide notice to or seek authorization from) Customer's Affiliates or Third Party Controllers, other than through regular provision of the Services to the extent required under an Order Form.

Affiliates. Coda acknowledges and agrees that all rights granted to Customer under this DPA are for the benefit of Customer and for the additional purpose of conferring the same benefit on each of its Affiliates as if they were a party hereto. Other than as stated in this DPA, no person shall have any rights under or in connection with this DPA under the Contracts (Rights of Third Parties) Act 1999.

Governing law. Except where otherwise required by European Data Protection Laws, this DPA, and any dispute or claim arising out of it or in connection with it or its subject matter or formation (including non-contractual disputes or claims), shall be governed by and construed in accordance with the laws of the Agreement. Any claim or dispute between the Parties arising out of, or in connection with this DPA (a "Dispute") that cannot be resolved by direct discussions between the Parties shall be resolved in accordance with the procedure set out in the Agreement (if any) and shall be subject to the exclusions and limitations set out therein. Customer acknowledges that any Dispute brought against Coda under this DPA shall be brought by Customer on behalf of itself and its Affiliates.
Last Modified: January 1, 2023
This Schedule 1 forms part of the DPA and describes the processing and transfer of Customer Personal Data by Coda in connection with the Agreement.
Technical and Organizational Measures
This Schedule 2 forms part of the DPA and describes the minimum technical and organizational measures implemented by Coda to protect Customer Personal Data from Security Incidents:
Coda employs a combination of policies, procedures, guidelines, and technical and physical controls to protect Customer Personal Data it processes from accidental loss and unauthorized access, disclosure or destruction. This Schedule provides an overview of the security measures Coda has in place to achieve this. Further information is set out in Coda's internal documentation.
Policies and governance
Coda assigns personnel with responsibility for the determination, review and implementation of security policies and measures. Coda has documented the security measures it has implemented in a security policy and/or other relevant guidelines and documents.
Coda uses encryption technology where appropriate to protect Customer Personal Data held electronically, at rest and in transit. Use of such encryption technology is limited to those algorithms that have received substantial public review and have been proven to work effectively.
Coda's devices (including smartphones, tablets etc.) used to process Customer Personal Data have installed on them appropriate data security software. Coda also ensures that web applications are assessed for vulnerabilities and that any such vulnerabilities are remediated prior to production deployment.
Coda limits access to Customer Personal Data by implementing appropriate access controls, including specific controls for remote and wireless access to its networks. Access controls can include:
(a) requiring authentication and authorization to gain access to IT systems (e.g., requiring users to enter a user id and password before they are permitted access to IT systems);
(b) only permitting user access to Customer Personal Data which the user needs to access for his/her job role or for the purpose for which they are given access to Coda's IT systems (e.g., Coda's implementation of measures to ensure least privilege access to IT systems); and
(c) having in place appropriate procedures for controlling the allocation and revocation of Customer Personal Data access rights, for example, appropriate procedures for revoking employee access to IT systems when they leave their job or change role.
Availability and Back-up
Coda has in place a security response plan that describes processes to recover IT systems, applications and data from any type of incident that causes a major outage.
Selection of service providers and commission of services
Coda assesses service providers’ ability to meet their security requirements before engaging them. Coda has written contracts in place with service providers which require them to implement appropriate security measures to protect the Customer Personal Data they have access to and limit the use of Customer Personal Data in accordance with Coda's instructions.
Disposal of IT equipment
Coda has in place processes to securely remove all Customer Personal Data before disposing of IT systems, including, for example, by using appropriate technology such as degaussing to purge equipment of data and/or destroying hard disks.
Monitoring, logging and auditing
Coda has established standards for the base configuration of its internal server equipment in order to minimize unauthorized access to its proprietary information and technology.
Coda has identified specific requirements that information systems must meet in order to generate appropriate audit logs and integrate with an enterprise’s log management function.
Coda has in place a procedure to regularly conduct internal security audits to (i) ensure integrity, confidentiality, and availability of information and resources; (ii) investigate possible security incidents to ensure conformance to Coda's security policies; and (iii) monitor user or system activity where appropriate.
Coda implements physical security measures to safeguard Customer Personal Data. This includes the following:
(a) requirements that Customer Personal Data in hardcopy or electronic form is secure in employees' work areas, including that computer workstations must be locked when a workspace is unoccupied and the use of locked drawers and filing cabinets;
(b) keys used for access to Customer Personal Data must not be left at an unattended desk;
(c) passwords may not be left on sticky notes posted on or under a computer, nor may they be left written down in an accessible location;
(d) printouts containing Customer Personal Data should be immediately removed from the printer; and
(e) upon disposal, documents containing Customer Personal Data should be shredded in the official shredder bins or placed in the locked confidential disposal bins.