This Data Protection Addendum (DPA) forms part of the contractual agreement between  Client ("Customer") and Decube Inc or Decube Data Sdn Bdh. ("Decube"), and applies to the extent that Decube processes Personal Data on behalf of the Customer in the provision of its data observability, catalog, and governance services. The purpose of this DPA is to reflect the parties' agreement with regard to the processing of Personal Data in compliance with the requirements of Data Protection Laws as defined in this DPA. By engaging the services of Decube, the Customer enters into this DPA on behalf of itself and, to the extent required under applicable Data Protection Laws, in the name and on behalf of its Authorized Affiliates, if any, thereby establishing a framework for ensuring the protection and security of the data processed."

‍

1. DEFINITIONS

This section establishes the foundational terminology used throughout the DPA, ensuring clarity and mutual understanding of key terms. It should be tailored to align with Decube's operational scope and legal obligations in data observability, data cataloging, and governance.

‍

Decube Inc and Decube Data Sdn Bhd referred as "Decube"

‍

1. Data Controller: Defines an entity that determines the purposes and means of the processing of personal data. For Decube, this term may also encompass clients who use Decube's platform to manage and observe their data, making decisions on how this data is utilized or processed within the scope of Decube’s services.
2. Data Processor: Describes an entity that processes personal data on behalf of a Data Controller. Decube, in this context, is the Data Processor, handling data under the directives of its clients (the Data Controllers) within the functionalities of its data observability, catalog, and governance tools.
3. Data Subject: Refers to any identified or identifiable natural person to whom the personal data relates. In the context of Decube, this could include individuals whose data is managed, observed, or cataloged through Decube’s platform.
4. Purposes: shall include provision of Services by the Processor to the Controller as described in the agreement, including without limitation, any Provision initiated by Users (as defined in the agreement) in their use of Services and as further documented and basis reasonable instructions from the Controller as agreed by the parties.
5. Personal Data: Constitutes any information relating to an identified or identifiable natural person processed within the framework of Decube’s services. This definition should be comprehensive, considering the various types of data Decube's platform may encounter, including but not limited to, user behavior data, metadata, and any other forms of data processed for cataloging and observability purposes.
6. Data Protection Laws: Encompasses all applicable data protection and privacy laws relevant to Decube's operations. This should include, but is not limited to, regulations like the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and any other regional or sector-specific data protection laws that apply to Decube and its customers.
7. Processing (of Personal Data): Involves any operation or set of operations performed on personal data. For Decube, this could include activities such as collecting, storing, organizing, structuring, using, and deleting data within the scope of providing data observability and cataloging services.
8. Sub-processor: Refers to any third-party service providers engaged by Decube who also process personal data on behalf of Decube’s customers. These entities play a role in supporting the functionalities of Decube's platform and services.
9. Supervisory Authority: Denotes the relevant supervisory authority responsible for privacy and data protection matters in the jurisdiction where the data processing activities occur. For Decube, this might involve multiple authorities given the potential global use of its platform.

‍

‍

2. Role and Scope of Processing

‍

Role of Parties:

1. As between Decube and the Customer, Decube (including its affiliates involved in the processing) will act as the "Data Processor" (or Sub-processor, if applicable), processing Personal Data under the direction of the Customer.
2. The Customer, or its affiliates when using Decube's services, will act as the "Data Controller", responsible for issuing instructions regarding the processing of Personal Data.

‍

Scope of Processing:

1. Purpose of Processing: The processing of Personal Data by Decube under this DPA is strictly limited to the purposes necessary for providing its data observability, catalog, and governance services. This includes processing activities initiated by Users of Decube in their use of its services.
2. Customer Instructions: Decube will process Personal Data solely based on the Customer's instructions. If Decube believes that an instruction infringes Data Protection Laws, it will inform the Customer promptly.
3. Lawfulness of Instructions: The Customer confirms that all instructions issued to Decube for the processing of Personal Data will comply with applicable Data Protection Laws. The Customer will indemnify Decube against any claims arising from instructions that violate these laws.
4. Categories of Data Subjects: The types of Data Subjects whose Personal Data is processed under this DPA are determined by the Customer. This includes, but is not limited to, individuals whose data is managed or observed through Decube’s platform.
5. Categories of Personal Data: The types of Personal Data processed are also determined by the Customer, and could range from basic contact information to more sensitive categories, depending on the nature of the services availed from Decube.
6. Data Retention: Personal Data processed under this agreement will be retained as long as necessary for the purposes outlined in this DPA. Decube will adhere to its internal policies regarding data retention and deletion, ensuring compliance with Data Protection Laws.

‍

3. SUB PROCESSORS

Authority to Use Sub-processors:

1. Decube may engage third-party Sub-processors to provide certain services on its behalf, such as hosting, data processing, and other services related to the offerings of Decube's data observability, catalog, and governance platform.
2. Decube will inform the Customer of the engagement of any new Sub-processors and, upon request, provide a list of current Sub-processors. The Customer's consent to this DPA shall be considered as a general authorization for Decube to use Sub-processors.

‍

Sub-processor Obligations:

1. Decube will enter into written agreements with Sub-processors that obligate them to provide a level of data protection and security that is no less protective than those set out in this DPA and as required by applicable data protection laws.
2. Decube will remain responsible for its compliance with the obligations of this DPA and for any acts or omissions of the Sub-processors that cause Decube to breach any of its obligations under this DPA.

‍

Sub-processor List and Changes:

1. Decube will maintain an up-to-date list of the names and locations of all Sub-processors. This list will be available to the Customer upon request.
2. Decube will notify the Customer of any changes to Sub-processors, giving the Customer the opportunity to object to the engagement of a new Sub-processor within a specified timeframe.

‍

Customer's Right to Object:

1. If the Customer objects to a new Sub-processor for reasonable data protection reasons, Decube will use reasonable efforts to make available to the Customer a change in the services or recommend a commercially reasonable change to the Customer's configuration to avoid processing of personal data by the objected-to new Sub-processor.
2. If Decube is unable to address the Customer's objection, the Customer may suspend or terminate the affected part of the services that cannot be provided by Decube without the use of the objected-to new Sub-processor.

‍

4. DATA PROTECTION WARRANTIES AND OBLIGATIONS

‍

Compliance with Data Protection Laws:

1. Both Decube and the Customer agree and warrant that they shall comply with their respective obligations under the applicable Data Protection Laws.
2. The Customer confirms it has all necessary approvals, permits, licenses, consents, and permissions from Data Subjects, Data Controllers, and/or competent authorities in respect of instructions provided to Decube under the Agreement, including, without limitation, permission for international data transfers by Decube, as applicable.

‍

Data Processor Warranties and Undertakings:

1. Decube warrants and undertakes that while processing Personal Data, it shall:
2. Not transfer Personal Data outside the predefined hosting regions except in accordance with the terms of this DPA and applicable Data Protection Laws.
3. Restrict access to Personal Data only to those persons for whom access is necessary for the performance of services under the Agreement.
4. Flow down the obligations of confidentiality and those described under this DPA to all persons authorized to access Personal Data via appropriate written agreements.
5. Implement commercially reasonable technical and organizational measures to protect Personal Data processed under the Agreement, in accordance with applicable Data Protection Laws.
6. Promptly inform the Customer of any enquiries or complaints received from Data Subjects or Supervisory Authorities relating to the processing of Personal Data.
7. Immediately inform the Customer of any doubts as to the legality of the Customer’s instructions.

‍

Data Controller Obligations:

1. The Customer shall ensure that the processing of Personal Data, including the provision of Personal Data to Decube, complies with Data Protection Laws.
2. The Customer is responsible for ensuring that any Personal Data provided to Decube is accurate, complete, and has been collected in accordance with applicable laws.

‍

Data Security:

1. Decube will implement and maintain appropriate technical and organizational security measures to protect Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, damage, alteration, or disclosure.

‍

5. SECURITY INCIDENT

‍

Notification of Security Incident:

1. In the event of a security incident leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data (a "Security Incident"), Decube shall without undue delay, and where feasible, not later than 72 hours after having become aware of it, notify the Customer of the Security Incident.
2. The notification will include information Decube has (to the extent known and available) about the nature of the Security Incident, the categories and approximate number of Data Subjects and Personal Data records concerned, the likely consequences, and the measures taken or proposed to be taken to address the Security Incident.

‍

Investigation and Mitigation:

1. Decube will promptly investigate the Security Incident and take reasonable steps to mitigate the effects and to minimize any damage resulting from the Security Incident.
2. Decube will provide reasonable assistance to the Customer in the investigation, mitigation, and remediation of the Security Incident.

‍

Communication and Coordination:

1. Decube will coordinate with the Customer in good faith to agree on the content of any public statements or any required notification to the Data Subjects or the Supervisory Authorities regarding the Security Incident.
2. Decube shall not inform any third party of any Security Incident without first obtaining the Customer's prior written consent, unless notification is required by law.

‍

Documentation and Reporting:

1. Decube will maintain a record of the Security Incident, including its effects and the remedial actions taken, and will provide the Customer with reasonable cooperation and assistance as needed to fulfill the Customer's data breach reporting obligations under Data Protection Laws.
2. Upon the Customer’s request, Decube will provide a summary report of the Security Incident and the steps taken in response, subject to confidentiality obligations.

‍

Continuous Improvement:

1. Decube will regularly review and update its security measures and incident response plans to ensure ongoing effectiveness and alignment with best practices and applicable legal requirements.

‍

‍

6. INTERNATIONAL DATA TRANSFER

‍

General Principles for Data Transfers:

1. Decube will process Personal Data in accordance with the data protection principles of legality, fairness, and transparency. Decube acknowledges its responsibility in facilitating lawful international transfers of Personal Data under the Agreement.

‍

Hosting Regions and Data Transfers:

1. Decube commits to hosting Customer Personal Data in the region(s) selected by the Customer, and will not transfer Personal Data outside these regions except as necessary to provide the agreed services, comply with legal requirements, or upon the Customer's instruction.
2. Decube will take appropriate measures to ensure that any transfer of Personal Data out of the Customer’s chosen region is protected in accordance with applicable Data Protection Laws.

‍

Compliance with Data Transfer Mechanisms:

1. For transfers of Personal Data subject to European Union data protection laws, Decube will use appropriate safeguards, such as Standard Contractual Clauses or an equivalent mechanism, as required by such laws.
2. For transfers subject to other jurisdictions' data protection laws, Decube will ensure that similar legal mechanisms or safeguards are in place to protect the Personal Data during such transfers.

‍

Responsibility and Cooperation in Data Transfers:

1. Decube will cooperate with the Customer to ensure compliance with any data protection impact assessments, prior consultations with Supervisory Authorities, or other requirements applicable to international data transfers.
2. The Customer shall provide any necessary information and cooperation to Decube to enable lawful transfers of Personal Data.

‍

Notification of Changes and Challenges:

1. Decube will inform the Customer of any changes in the legal framework or its practices that may affect the legality or safety of the international transfer of Personal Data.
2. In case of challenges or inquiries from data protection authorities regarding international data transfers, Decube will promptly inform the Customer and cooperate in resolving such issues.

‍

7. RETURN AND / OR DELETION OF PERSONAL DATA

‍

Post-Termination Data Handling:

1. Upon the termination or expiry of the Agreement, Decube shall, at the Customer's request, return or delete all Personal Data processed under the Agreement.
2. This process includes the return or deletion of all existing copies of Personal Data in Decube's possession, unless otherwise required by law.

‍

Method of Deletion:

1. Decube will employ secure methods to delete Personal Data, ensuring that it cannot be reconstructed or read. This includes physical and logical deletion methods applicable to all forms of data storage, including backups.

‍

Confirmation of Deletion:

1. Decube will provide written confirmation to the Customer once the deletion of Personal Data has been completed, detailing the methods used for deletion.

‍

Retention as Per Legal Requirements:

1. If any Personal Data is required to be retained under applicable laws, Decube will continue to protect such data in accordance with the Agreement and applicable Data Protection Laws.

‍

8. DURATION AND TERMINATION

‍

Effective Duration:

1. This DPA becomes effective as of the Effective Date of the Agreement and will remain in effect until the termination or expiry of the Agreement, or as otherwise stipulated in the terms of the Agreement.

‍

Survival of Obligations:

1. The obligations under this DPA related to the confidentiality and security of Personal Data, and any other obligations which by their nature should survive, will continue to apply even after the termination or expiry of this DPA.

‍

Amendments and Modifications:

1. This DPA may be amended or modified by Decube in accordance with the terms of the Agreement. Any such amendments or modifications will not materially diminish the level of data protection provided by Decube under this DPA.

‍

Termination Rights:

1. In case of material breach of this DPA, the Customer may terminate the Agreement in accordance with the termination provisions set out in the main Agreement.

‍

9. AUDIT

‍

Audit Rights:

1. The Customer shall have the right to conduct audits to verify Decube's compliance with its data protection obligations under this DPA. Audits may be conducted by the Customer or a third-party auditor appointed by the Customer.

‍

Audit Procedure:

1. The Customer shall provide reasonable notice to Decube before initiating an audit.
2. Audits shall be conducted during regular business hours and shall not unreasonably interfere with Decube’s business activities.
3. Decube shall cooperate with the audit and provide all reasonable assistance and access to information necessary to conduct the audit.

‍

Confidentiality:

1. Any information accessed or obtained by the Customer during the audit will be treated as Decube’s confidential information and shall be protected accordingly.

‍

Audit Frequency:

1. The Customer may conduct an audit once per year unless there are reasonable grounds to believe that Decube is not in compliance with its data protection obligations, in which case additional audits may be conducted.

‍

10. RELATIONSHIP WITH AGREEMENT

‍

Superseding Effect:

1. This DPA shall form part of the Agreement between Decube and the Customer and shall supersede any conflicting terms related to data protection in the Agreement.

‍

Amendments:

1. Decube may amend this DPA from time to time to comply with applicable laws and regulations or to accommodate changes in its services or practices. Such amendments will not reduce the overall level of data protection afforded under this DPA.

‍

Conflict Resolution:

1. In the event of any conflict or inconsistency between the provisions of this DPA and the rest of the Agreement, the provisions of this DPA shall prevail with respect to the subject matter of data protection.

‍

Continued Application:

1. The terms of this DPA will continue to apply as long as Decube processes Personal Data under the Agreement, even if the Agreement has been terminated or expired.

‍

11.THIRD PARTY BENEFICIARIES

Without prejudice to the rights of the Data Subjects, this DPA shall not benefit or create any right or cause of action on behalf of a third party(including a third-party Data Controller)

‍

12. GOVERNING LAW

This DPA will be governed by and construed in accordance with governing law and juridiction provision in the Agreement.

----------------------------------------------------------------------

‍

‍

‍

SCHEDULE - 1 (List of Sub-Processors)

‍

Processor Name: Amazon Web Services

1. Address: 410 Terry Avenue North, Seattle, WA 98109-5210 OR at customer hosted location
2. Contact person’s name, position and contact details: We do not have a dedicated person at AWS. Rather, we log into Decube’s AWS account and open support request ticket and we get a contact person assigned OR we fill out the form located at https://aws.amazon.com/contact-us/compliance-support/.
3. Description of processing (including a clear delimitation of responsibilities in case several sub-processors are authorised): Hosting of data

‍

Processor Name: Microsoft Azure

1. Address: Redmond, One Microsoft Way, USA OR at customer hosted location
2. Contact person’s name, position and contact details: We do not have a dedicated person at AWS. Rather, we log into Decube’s Microsoft Azure account and open support request ticket and we get a contact person assigned OR we create an incident at https://azure.microsoft.com/en-us/support/create-ticket
3. Description of processing (including a clear delimitation of responsibilities in case several sub-processors are authorised): Hosting of data

‍

Processor Name: Google Cloud Services

1. Address: 1600 Amphitheatre Parkway Mountain View, CA 94043, USA OR at customer hosted location

1. Contact person’s name, position and contact details: We do not have a dedicated person at AWS. Rather, we log into Decube’s Google account and open support request ticket and we get a contact person assigned OR we create an incident at https://console.cloud.google.com/support/cases?organizationId={{decube_org_id}}
2. Description of processing (including a clear delimitation of responsibilities in case several sub-processors are authorised): Hosting of data

‍

Processor Name: Decube Inc

1. Address: 3828 Kennett Pike, Suite 212, Greenville, DE 19807, USA
2. Description of processing: For the purpose of provision of agreed services as per access provided by the Data Controller.

‍

Processor Name: Decube Data Sdn Bhd

1. Address: Uptown 1, Level 13A, Damansara Utama, Selangor 47400, Malaysia
2. Description of processing: For the purpose of provision of agreed services as per access provided by the Data Controller.