Updated: June 6th, 2023
This Data Processing Addendum (the “Addendum”) is made by and between Instabug, Inc., a company having its principal place of business at 230 California Street, San Francisco, CA 94111 (“Company”) and the counterparty agreeing to these terms (“Client” or “Customer”).
This Addendum forms part of, and is fully incorporated into the agreement between the Company and the Client (“Agreement”) and applies in respect of the Processing of Client Personal Data by the Company on behalf of Client in the provision of the Services except that Annex A (California Annex) to this Addendum applies only to such Processing of Client Personal Data governed by the CCPA. This Addendum shall be effective for the term of the Agreement.
1.1. For the purposes of this Addendum:
1.1.1. “CCPA” means the California Consumer Privacy Act of 2018, as amended from time to time;
1.1.2. “Client Personal Data” means the Personal Data described under Section 2 of this Addendum;
1.1.3. “Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data;
1.1.4. “Data Protection Legislation” means all applicable legislation relating to data protection and privacy including, where applicable, the European Data Protection Laws and the CCPA;
1.1.5. “Data Subject” means the individual to whom Personal Data relates;
1.1.6. “European Data Protection Laws” means the GDPR, the Data Protection Act 2018 of the United Kingdom and the Swiss Federal Act on Data Protection, each as amended or replaced from time to time;
1.1.7. “EU Standard Contractual Clauses” means the clauses approved with the European Commission’s Implementing Decision (EU) 2021/914 of 4 June 2021 on Standard Contractual Clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, as amended, supplemented, updated or replaced from time to time;
1.1.8. “GDPR” means the General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and any national implementing laws in any Member State of the European Union (“EU GDPR”) and the EU GDPR in such form as incorporated into the laws of the United Kingdom (“UK GDPR”), each as amended or replaced from time to time;
1.1.9. “Personal Data” means any information relating to an identified or identifiable Data Subject;
1.1.10. “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed;
1.1.11. “Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. The terms “process”, “processes” and “processed” will be construed accordingly; and
1.1.12. “Processor” means a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Controller.
1.1.13. “Sensitive Data” means (a) social security number, passport number, driver’s license number, state identification card number or similar identifier (or any portion thereof); (b) credit or debit card number (other than the truncated (last four digits) of a credit or debit card), financial information, banking account numbers or passwords; (c) employment, financial, genetic, biometric or health information; (d) racial, ethnic, political, philosophical or religious affiliation, or beliefs, trade union membership, or information about sexual life or sexual orientation; (e) account passwords, mother’s maiden name, or date of birth; (f) criminal history; (g) precise geolocation; (h) contents of mail, email or text messages not addressed to the Company as the intended recipient; or (i) any other information or combinations of information that falls within the definition of “special categories of data” under GDPR, CCPA or any other Data Protection Legislation.
1.2. Capitalized terms not otherwise defined herein shall have the meaning given to them in the Agreement.
2.1. Categories of Data Subjects. This Addendum applies to the Processing of Client Personal Data relating to customers or other end users of the Client who use the applications developed by the Client.
2.2. Types of Personal Data. Client Personal Data includes Data Subjects’ email, name and IP address, and other Personal Data that Client may submit through or upload to the Company’s systems the extent of which is determined and controlled by the Client in its sole discretion subject to the terms of the Agreement, provided that Client shall not submit any Sensitive Data to Company unless explicitly and affirmatively consented to by Data Subjects.
2.3. Subject-Matter, Nature And Purpose of The Processing. The subject-matter, nature and purpose of Processing of Personal Data by Company is the provision of the Services to the Client that involves the Processing of Client Personal Data, as set out into the Agreement and any applicable Statement of Work.
2.4. Duration of The Processing. Client Personal Data will be Processed for the duration specified in the Agreement until deletion or return of Client Personal Data as instructed by the Client under this Addendum.
3.1. The parties acknowledge and agree that Client is either the Controller of Client Personal Data, or if Client is Processing Client Personal Data on behalf of a Controller, then Client is a Processor, and in each case the Company is the Processor of Client Personal Data. Company will only Process Client Personal Data on behalf of and in accordance with the Client’s prior written instructions. Company is hereby instructed to Process Client Personal Data to the extent necessary to enable Company to provide the Services in accordance with the Agreement and as necessary in order to comply with Data Protection Legislation to which the Company is subject. If Company becomes aware or believes that any data processing instructions from Client violate Data Protection Legislation, the Company shall (i) promptly notify the Client of that legal requirement and/or of the inability to comply with any instructions before the relevant Processing, to the extent permitted by the Data Protection Legislation; and (ii) cease all Processing (other than merely storing and maintaining the security of the affected Client Personal Data) until such time as the Client issues new instructions with which Company is able to comply (and if this provision applies, Company will not be liable to the Client under the Agreement in respect of any inability to perform the Services until such time as the Client issues new instructions).
3.2. Client shall, in its use of the Services, Process Client Personal Data in accordance with the requirements of the Data Protection Legislation. For the avoidance of doubt, Client’s instructions for the Processing of Client Personal Data shall comply with the Data Protection Legislation. Client shall ensure that Client has provided or will provide any necessary notices to Data Subjects, and has obtained or will obtain all necessary rights and consents (to the extent required) for Company to Process Client Personal Data in accordance with this Addendum. If Client is a Processor for Client Personal Data under this Addendum, Client warrants that its instructions and actions with respect to the Client Personal Data, including its engagement of Company as a Processor pursuant to this Addendum, have been authorized by the relevant Controller.
3.3. The Client acknowledges that the Company is reliant on the Client for direction as to the extent to which Company is entitled to Process Client Personal Data on behalf of Client in performance of the Services. Consequently, the Company will not be liable under the Agreement for any claim brought by a Data Subject arising from any action or omission by the Company, to the extent that such action or omission resulted directly from the Client’s instructions or from Client’s failure to comply with its obligations under the applicable Data Protection Legislation.
4.1. The parties hereby agree that, where Client is a Controller and Company is a Processor, Module Two (Controller to Processor Module) of the EU Standard Contractual Clauses and all other sections of the EU Standard Contractual Clauses having general application (hereinafter, “C2P SCCs”) shall apply to the transfer of Client Personal Data originating from the EEA, the United Kingdom and Switzerland to the Company in the United States and the parties agree to comply with the C2P SCCs, which are hereby incorporated into this Addendum by this reference. Where Client is a Processor and Company is a sub-Processor to Client, Module Three (Processor to Processor Module) of the EU Standard Contractual Clauses and all other sections of the EU Standard Contractual Clauses having general application (hereinafter, “P2P SCCs”) shall apply to such transfers and the parties agree to comply with the P2P SCCs, which are hereby incorporated into this Addendum by this reference. In furtherance of the foregoing, the parties agree that, for purposes of the C2P SCCs and the P2P SCCs:
4.1.1. where Company is a Processor, Company will comply with all the obligations of the “data importer” under the C2P SCCs. Where Company is a sub-Processor to the Client, Company shall comply with all the obligations of the “data importer” under the P2P SCCs. In each case, Client shall comply with the obligations, and shall have the rights, of the “data exporter” under the C2P SCCs and the P2P SCCs, respectively;
4.1.2. for the purpose of Clause 17, the C2P SCCs and the P2P SCCs, as applicable, shall be governed by the laws of Ireland;
4.1.3. for the purpose of Clause 18(b), the parties agree to submit to the jurisdiction of the courts of Ireland;
4.1.4. in Clause 7, the optional docking clause will not apply;
4.1.5. in Clause 9(a), Option 2 will apply and the time period for prior notice of sub-Processor changes will be as set forth in Section 7.1 of this Addendum;
4.1.6. in Clause 11, the optional language regarding independent dispute resolution will not apply;
4.1.7. for the purposes of Annex I, Section A (List of Parties), (i) the data exporter’s and the data importer’s identity and contact details and, where applicable, information about their respective data protection officer and/or representative in the EEA are those set forth in the Agreement or as otherwise communicated by each party to the other party; (ii) Client is either the Controller (under the C2P SCCs) or the Processor (under the P2P SCCs), and Company is a Processor (under the C2P SCCs and the P2P SCCs); (iii) the activities relevant to the data transferred relate to the provision of the Services pursuant to the Agreement; and (iv) each of the Company’s and the Client’s entering into this Addendum shall be treated as, respectively, Company’s and Client’s signature of Annex I, Section A, of the C2P SCCs and the P2P SCCs as of the Effective Date of this Addendum;
4.1.8. for the purposes of Annex I, Section B (Description of Transfer): (i) Section 2 of this Addendum sets out a description of the Processing of Client Personal Data; (ii) the frequency of the transfer is continuous (for as long as the Client uses the Services); (iii) Client Personal Data will be retained in accordance with Clause 8.5 of the C2P SCCs and the P2P SCCs, as applicable, and this Addendum; (iv) Company engages sub-Processors as described in Section 7 of this Addendum;
4.1.9. for the purposes of Annex I, Section C (Competent Supervisory Authority), the competent supervisory authority identified in accordance with Clause 13 of the C2P SCCs and the P2P SCCs, as applicable, is the competent supervisory authority communicated by Client to Company;
4.1.10. for the purposes of Annex II, Company has implemented and will maintain appropriate technical and organizational measures to protect the security, confidentiality and integrity of Client Personal Data as described at Annex B to this Addendum or as otherwise made reasonably available by Company to the Client;
4.1.11. in respect of transfers of Client Personal Data subject to the UK GDPR, the UK International Data Transfer Addendum to the EU Standard Contractual Clauses (version B.1.0) issued by the UK Information Commissioner (“UK Addendum”) shall be added as Annex III to the C2P SCCs and the P2P SCCs and shall be completed as follows: (i) In Table 1 of the UK Addendum, the parties’ details and key contact information is located in Sections 4.1.7 above; (ii) In Table 2 of the UK Addendum, information about the version of the EU Standard Contractual Clauses, modules and selected clauses which the UK Addendum is appended to is located in Section 4.1 of this Addendum; (iii) In Table 3 of the UK Addendum, the list of parties and the description of the transfer are located
4.1.12. in Section 4.1 of this Addendum, Annex II is located in Annex B (Technical and Organizational Security Measures) to this Addendum, and the list of sub-processors is located at https://docs.instabug.com/docs/sub-processors; and (iv) for the purposes of Table 4 of the UK Addendum, both the importer and the exporter may end the UK Addendum in accordance with its terms. Each of the Company’s and the Client’s entering into this Addendum shall be treated as, respectively, Company’s and Client’s signature of the UK Addendum.
4.2. Insofar as the transfer of Client Personal Data is subject to the Swiss Federal Act on Data Protection, the following provisions apply: (i) the Federal Data Protection and Information Commissioner (FDPIC) will be the competent supervisory authority under Clause 13 of the C2P SCCs or the P2P SCCs, as applicable; (ii) the parties agree to abide by the GDPR standard in relation to all Processing of Client Personal Data that is governed by the Swiss Federal Act on Data Protection; (iii) the term ‘Member State’ in the C2P SCCs and the P2P SCCs will not be interpreted in such a way as to exclude Data Subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland) in accordance with Clause 18(c) of the C2P SCCs and the P2P SCCs; and (iv) references to the ‘GDPR’ in the C2P SCCs and the P2P SCCs will be understood as references to the Swiss Federal Act on Data Protection insofar as the transfer of Client Personal Data is subject to the Swiss Federal Act on Data Protection.
4.3. The C2P SCCs and the P2P SCCs shall automatically terminate if the European Data Protection Board or other competent authorities determine that EU Standard Contractual Clauses are not applicable to the transfers of Client Personal Data to the Company.
4.4. It is not the intention of either party to contradict or restrict any of the provisions set forth in the SCCs, and accordingly, if and to the extent the SCCs conflict with any provision of this Addendum, the SCCs will prevail to the extent of such conflict.
5.1. Company will ensure that any person whom Company authorizes to Process Client Personal Data on its behalf is subject to confidentiality obligations in respect of that Client Personal Data.
6.1. Company will implement appropriate technical and organizational measures to protect against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Client Personal Data, including, as appropriate,
6.1.1. the pseudonymization of Client Personal Data,
6.1.2. ensuring the ongoing confidentiality, integrity, availability, and resilience of Processing systems and services,
6.1.3. restoring the availability and access to Client Personal Data in a timely manner in the event of a physical or technical incident, and
6.1.4. regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of the Processing
7.1. Client hereby grants general written authorization to Company to appoint sub-Processors to perform specific services on Company’s behalf which may require such sub-Processors to Process Client Personal Data. For the avoidance of doubt, the above authorization constitutes Client’s prior written consent to the sub-Processing by the Company for purposes of Clause 9(a) of the C2P SCCs or Clause 9(a) of the P2P SCCs, as applicable. The sub-Processors appointed by Company as at the date of this Addendum are set out at https://docs.instabug.com/docs/sub-processors. If Company engages a sub-Processor to Process any Client Personal Data, it will:
7.1.1. Inform Client of any intended changes concerning the addition or replacement of such sub-Processors at least fifteen (15) days in advance, along with reasonably detailed information about such new sub-Processor, and Client will have an opportunity to object to such changes on reasonable grounds within thirty (30) business days after being notified in accordance with the mechanism set out in Section 7.2. If the parties are unable to resolve such objection, either party may terminate the Agreement by providing written notice to the other party; and
7.1.2. Enter into a binding written agreement with the sub-Processor that imposes on the sub-Processor the same obligations that apply to Company under this Addendum.
7.2. Customer may receive notifications of new Sub-processors by e-mailing email@example.com with the subject “Subscribe”, and if a Customer contact subscribes, Company shall provide the subscriber with notification of new Sub-processor(s) before authorizing such new Sub-processor(s) to Process Personal Data in connection with the provision of the applicable Services.
8.1. Taking into account the nature of the Processing, Company shall assist the Client by appropriate technical and organizational measures, insofar as this is possible and to the extent Company is legally permitted to do, for the fulfillment of the Client’s obligation to respond to Data Subjects’ requests for the exercise of Data Subjects’ rights under the Data Protection Legislation. Client shall be solely responsible for responding to such requests.
8.2. At the Client’s request, Company will provide the Client with reasonable assistance to facilitate conducting data protection impact assessments and consultation with competent data protection authorities if the Client is required to do so under the Data Protection Legislation, in each case solely to the extent that such assistance is necessary and relates to the Processing by the Company of the Client Personal Data, taking into account the nature of the Processing and the information available to the Company.
8.3. Company will, at the Client’s request, provide the Client with reasonable assistance as necessary for the fulfillment of the Client’s obligation to implement appropriate security measures to protect Client Personal Data.
9.1. Company will:
9.1.1. notify the Client without undue delay but in no event later than seventy-two (72) hours after it becomes aware of any Personal Data Breach affecting any Client Personal Data; and
9.1.2. at the Client’s request, promptly provide the Client with all reasonable assistance necessary to enable the Client to notify relevant Personal Data Breaches to competent authorities and/or affected Data Subjects, if Client is required to do so under the Data Protection Legislation.
10.1. Upon termination or expiration of the Agreement, the Company will either delete or return (at the election of the Client) the Client Personal Data in its possession as set out in the Agreement within a reasonable timeframe.
11.1. Company will provide the Client with all information necessary to enable the Client to demonstrate compliance with its obligations under the Data Protection Legislation.
11.2. Company uses external auditors to verify the adequacy of its security measures with respect to processing of Client Personal Data. Such audits are performed at least annually by independent third party professionals that result in the generation of a confidential summary audit report (“Report”).
11.3. Upon Client’s written request and subject to reasonable confidentiality controls, Company will supply Client with a summary copy of its most recent Report so that Client can verify Company’s compliance with this Addendum. To the extent Company’s Report does not provide sufficient information or Client is required to respond to a regulatory authority audit, Client agrees to a mutually agreed upon audit program with Client that: (a) ensures the use of an independent third party; (b) gives Company reasonable prior notice of the intention to audit; (c) conducts the audit during normal business hours; (d) takes reasonable measures to prevent unnecessary disruption to Company’s operations; (e) occurs no more than once annually; (f) restricts its findings to only data relevant to Client; and (g) obligates Client, to the extent permitted by law or regulation, to keep confidential any information that, by its nature, should be confidential. Client will be responsible for any fees charged by any auditor appointed by Client to execute any such audit.
12.1. Each party’s liability towards the other party under or in connection with this Addendum will be limited in accordance with the provisions of the Agreement.
13.1. Company may update the terms of this Addendum from time to time; provided, however, that Company will provide at least thirty (30) days prior written notice to Client if such update is material. The then-current terms of this Addendum are available at https://www.instabug.com/dpa.
1. For purposes of this Annex A, the terms “business”, “business purpose”, “commercial purpose”, “service provider”, “sell”, “share”, “personal information” and “sensitive personal information” have the meanings given in the CCPA.
2. With respect to Client Personal Data, Company is a service provider under the CCPA.
3. The Company will not (a) sell or share Client Personal Data; (b) retain, use or disclose any Client Personal Data for any purpose other than for the specific business purpose of providing the Services, including retaining, using or disclosing the Client Personal Data for a commercial purpose other than providing the Services; (c) retain, use or disclose the Client Personal Data outside of the direct business relationship between the Company and the Client or (d) combine the Client Personal Data with personal information that the Company receives from or on behalf of another person or persons, or collects from its own interaction with the consumer, except as permitted under CCPA. Company hereby certifies that it understands its contractual restrictions under this Agreement and CCPA and will comply with them.
4. The parties acknowledge and agree that the Processing of Client Personal Data authorized by Client’s instructions described in Section 3 of this Addendum is integral to and encompassed by the Company provision of the Services and the direct business relationship between the parties.
5. Notwithstanding anything in the Agreement or any Order Form entered in connection therewith, the parties acknowledge and agree that the Company’s access to Client Personal Data does not constitute part of the consideration exchanged by the parties in respect of the Agreement.
6. The Company will permit the Client, at Client’s sole expense, to monitor the Company’s compliance with this Agreement and CCPA through measures, including, but not limited to, ongoing manual reviews and automated scans and regular assessments, audits, or other technical and operational testing occurring not more than once every twelve months. The Client may further take reasonable and appropriate steps to help ensure the Company uses the Client Personal Data in a manner consistent with the Client’s obligations under CCPA.
7. The Company will notify the Client if the Company makes a determination that it can no longer meets its obligations under CCPA.
Company is committed to maintaining the privacy, confidentiality and security of Client Personal Data. The Company uses industry best practices, technology and security measures designed to protect the confidentiality of personal data that is transferred to it and to secure its networks, data centers and servers. The security measures adopted by the Company include, without limitation:
The maintenance of physical, electronic and procedural measures designed to safeguard the confidentiality of personal data in compliance with applicable data protection, privacy and data security laws and regulations. These include, without limitation, (i) restricting access by the Company’s personnel and subcontractors on a role-based, need to know basis, (ii) performing background checks on Company’s personnel; (iii) the implementation and enforcement of corporate policies and standards relating to the protection of information and security (failure to adhere to these policies and the standards will result in disciplinary action, which can include dismissal); (iv) adopting a multi-layered approach to information security controls, which is designed to protect against security breaches; (v) compliance with applicable laws, regulations and security standards applicable to information security; (vi) the employment of highly trained staff who have relevant and up to date knowledge of data protection and data security risk management practices; and (vii) regular reviews and controls against compliance with the above mentioned technical and organizational security measures.
1. Amazon Web Services for all data storage and processing
The Company uses Amazon Web Services (“AWS”) for processing and storing of data. Data on AWS is only accessible when the Client requests it. All AWS security and data privacy compliance can be reviewed at https://aws.amazon.com/compliance/programs/. The use of AWS provides the Company with an industry-leading environment for the protection of its customers’ data.
2. Access Control
Data processing systems shall be prevented from being used without authorization. All systems are protected by the use of personally identifiable access keys that expire on employee change of role or departure from the organization.
3. Change Control
Persons authorized to use a data processing system have access only to those data they are authorized to access, and that personal data cannot be read, copied, altered or removed without authorization during processing, use and after recording.
4. Data Forwarding
Personal data cannot be read, copied, altered or removed without authorization during electronic transfer or transport or while being recorded onto data storage media, and that it is possible to ascertain and check which bodies are to be transferred personal data using data transmission facilities. As the systems are located in Amazon Web Services, the Company has no direct access to any of the physical media on which the personal data is stored. AWS compliance with physical media protection standards can be viewed at https://aws.amazon.com/compliance/programs/.
5. Order Control
Personal data processed on behalf of Client is processed pursuant to the Client’s instructions as set out in the Addendum. Company encrypts all personal data that it possesses both at rest and in transit, including electronic messages and attachments.
6. Availability control
Company adopts measures designed to protect against accidental destruction or loss.
7. Separation control
Data collected for different purposes can be processed separately.
8. Company Personnel
Company requires Company Personnel who access Client Personal Data to commit to protect the confidentiality of the information and undergo security training on at least an annual basis.
Company conducts regular internal automated and manual security testing and vulnerability assessments. Company also executes periodic penetration tests of its systems by an independent third party.
10. Adequate alternative measures
The technical and organizational security measures are subject to technical progress and development, and Company may implement adequate alternative measures. Any material changes to technical and organizational measures will be documented. Company must provide Client with reasonable information in order to support Client’s reporting upon written request by the Client. Company will provide to Client any security assessments/certifications previously performed.