YugabyteDB Managed Data Processing Addendum

Last Updated: March 24, 2022

Prior versions of this Yugabyte Data Processing Addendum are available here.

This Data Processing Addendum (“DPA”) forms part of the YugabyteDB Managed Terms of Service between
Yugabyte and Customer for the YugabyteDB Managed database software as a service (the “Agreement”). All
capitalized terms not defined in this DPA have the meanings set forth in the Agreement.

DEFINITIONS
1. “CCPA” means the California Consumer Privacy Act, Cal. Civ. Code §§ 1798.100 et seq.,
  including any amendments and any implementing regulations thereto;
2. “CCPA Personal Information” means “personal information” as such term is defined by the CCPA,
  including any information that identifies, relates to, describes, is reasonably capable of being associated
  with, or could reasonably be linked, directly or indirectly, with a particular consumer or household;
3. “Customer Personal Information” means the CCPA Personal Information and the GDPR Personal
  Data that Yugabyte Processes on behalf of Customer, in each case in connection with Yugabyte’s provision of the
  Services. For the avoidance of doubt, Customer Personal Information may include CCPA Personal Information and/or
  GDPR Personal Data that Customer directs Yugabyte to Process on behalf of Customer’s own clients;
4. “Controller” means the entity which, alone or jointly with others, determines the purposes
  and means of the Processing of GDPR Personal Data;
5. “Data Protection Laws” means all applicable laws, regulations and other legal requirements
  currently in effect, or as they become effective, relating in any way to the privacy, confidentiality, or
  security of Personal Data, including the European Data Protection Laws, and the CCPA;
6. “EEA” means the Member States of the European Union together with Iceland, Norway, and
  Liechtenstein;
7. “European Data Protection Laws” means the EU General Data Protection Regulation 2016/679 of
  the European Parliament and of the Council (the “GDPR”), the UK Data Protection Act, the UK General Data
  Protection Regulation, and any applicable national legislation implementing or supplementing the foregoing, in
  each case as amended, replaced or superseded from time to time, and all other applicable legislation protecting
  the fundamental rights and freedoms of persons and their right to privacy with regard to the Processing of GDPR
  Personal Data;
8. “GDPR Personal Data” means “personal data” as such term is defined by the European Data
  Protection Laws, including any information relating to an identified or identifiable individual or device (a
  “data subject”);
9. “Processing” means any operation or set of operations which is performed on Customer Personal
  Information, or on sets of Customer Personal Information, whether or not by automated means, and “Process” will
  be interpreted accordingly;
10. “Processor” means an entity that Processes Customer Personal Information on behalf of a
  Controller;
11. “Security Incident” means any accidental or unlawful destruction, loss, alteration,
  unauthorized disclosure of, or access to, any Customer Personal Information;
12. “Sell” shall have the meaning given in the CCPA;
13. “Services” means the service(s) provided by Yugabyte to Customer under the Agreement;
14. “Service Provider” shall have the meaning given in the CCPA;
15. “Standard Contractual Clauses” means the applicable standard contractual clauses identified
  in ANNEX 4 of this DPA
16. “Subprocessor” means an entity that Processes Customer Personal Information on behalf of a
  Processor; and
17. “UK” means the United Kingdom.
DATA PROCESSING
1. Role of the Parties. The Parties acknowledge and agree that:
  1. for the purposes of the GDPR, Yugabyte acts as a Processor and Customer acts as the Controller of GDPR
    Personal Data (except when Customer is itself a Processor of the GDPR Personal Data, in which case Yugabyte
    is a Subprocessor); and
  2. for the purposes of the CCPA, Yugabyte will act as a Service Provider in its performance of its
    obligations pursuant to the Agreement.
2. Instructions for Data Processing. Yugabyte will, subject to Section 2.3, only collect,
  retain, use, Sell, disclose, release, transfer, make available or otherwise Process Customer Personal
  Information in accordance with:
  1. the Agreement, to the extent necessary to provide the Services to Customer; and
  2. Customer’s written instructions, including as set forth in ANNEX 1 to this DPA.
  Notwithstanding the foregoing, nothing in this DPA shall restrict Yugabyte’s ability to Process Customer
  Personal Information in anonymous format.
3. Yugabyte may Process Customer Personal Information to the extent required by:
  1. applicable laws to which Yugabyte is subject;
  2. where Customer is established in the EEA, or the Processing of such Customer Personal Information
    by Customer falls within the scope of the GDPR, applicable EEA Member State laws; or
  3. where Customer is established in the United Kingdom, or the Processing of such Customer Personal
    Information by Customer falls within the scope of the UK Data Protection Act 2018, applicable law in
    the United Kingdom, in which case Yugabyte shall, unless prohibited by such applicable laws on
    important grounds of public interest, inform Customer of that legal requirement before Processing
    that Customer Personal Information.
4. Customer shall provide all applicable notices to data subjects required under applicable Data
  Protection Laws for the lawful Processing of Customer Personal Information by Yugabyte in accordance
  with the Agreement.
5. Customer will obtain any consents required under applicable Data Protection Laws for the lawful
  Processing of Customer Personal Information by Yugabyte in accordance with the Agreement.
6. Customer agrees to defend, indemnify and keep indemnified, and hold harmless, at its own expense,
  Yugabyte against all costs, claims, damages and expenses incurred by Yugabyte or for which Yugabyte may
  become liable due to any failure by Customer to comply with Section 2.4 and Section 2.5.
7. Customer acknowledges that Yugabyte is reliant on Customer for direction as to the extent to which
  Yugabyte is entitled to use and process Customer Personal Information. Consequently, Yugabyte will not
  be liable for any claim brought against Customer by a data subject arising from any act or omission by
  Yugabyte to the extent that such act or omission resulted from Customer’s instructions or Customer’s use
  of the Services.
SUBPROCESSORS
1. Consent to Subprocessor Engagement. Customer generally authorizes Yugabyte to engage
  Subprocessors in connection with the Processing of Customer Personal Information for the performance of
  the Agreement. Yugabyte will maintain a list of its Subprocessors at the following URL:
  YugabyteDB Managed Subprocessors and will add the
  names of new and replacement Processors as applicable from time to time. Yugabyte shall inform Customer
  of its intention to engage any new or replacement Subprocessors in writing at least fifteen (15) days in
  advance of the date of the intended commencement of the engagement. Customer may object to such intended
  engagement by giving written notice at the latest ten (10) days in advance of the date of the intended
  commencement of the engagement. If Customer objects to Yugabyte’s appointment of a Subprocessor on
  reasonable grounds relating to the protection of Personal Information, then either Yugabyte shall not
  appoint the Subprocessor to Process Customer Personal Information or Customer may elect to suspend or
  terminate this DPA. In all cases, Yugabyte shall impose substantially similar data protection terms on
  any Subprocessor it appoints as those provided for by this DPA, and Yugabyte shall remain fully liable
  for any breach of this DPA that is caused by an act, error, or omission of Subprocessor.
2. Third-Party Applications: The Services may provide functionality
  which includes but is not limited to application programming interfaces, which allows Customer to
  integrate Customer authorized third-party products and applications with the Services (“Third-Party
  Applications”). Customer acknowledges and agrees that if Customer elects to enable or leverage
  Third-Party Applications to integrate with the Services, then it does so at its own risk and Yugabyte
  has no responsibility for any Customer Personal Information Processed by or through these respective
  Third-Party Applications, nor is Yugabyte a co-processor, Subprocessor, or Controller with respect to
  any Customer Personal Information processed by or on behalf of Customer through the respective
  third-party or through any Third-Party applications.
TRANSFERS
1. Prohibition on Transfers of GDPR Personal Data. GDPR Personal Data which are
  undergoing Processing or are intended for Processing after transfer to a third country outside of the
  EEA or UK, respectively, may only be exported to or accessed by Yugabyte or its Subprocessors (the
  “International Transfer”):
  1. if the recipient, or the country or territory in which it Processes GDPR Personal Data, ensures an
    adequate level of protection for the rights and freedoms of Data Subjects in relation to the
    Processing of GDPR Personal Data as determined by the European Commission for transfers from the EEA
    or the UK Secretary of State for transfers from the UK; or
  2. in accordance with Section 4.2.
2. Standard Contractual Clauses
  1. The Standard Contractual Clauses apply, and are incorporated by reference into this DPA, where
    there is an International Transfer to a country or territory that does not ensure an adequate level
    of protection for the rights and freedoms of Data Subjects in relation to the processing of GDPR
    Personal Data as determined by the European Commission for transfers from the EEA or the UK
    Secretary of State for transfers from the UK.
  2. For Subprocessors based outside the EEA or UK and outside any country for which the European
    Commission or UK Secretary of State, respectively, has published an adequacy decision (the “Third
    Country Subprocessors”), Yugabyte will enter into appropriate Standard Contractual Clauses, as
    described in ANNEX 4 of this DPA, prior to the Subprocessor’s processing of GDPR Personal Data.
    Yugabyte will enforce the Standard Contractual Clauses against the Subprocessor on behalf of
    Customer if a direct enforcement right is not available under European Data Protection Laws.
DATA SECURITY, AUDITS AND SECURITY NOTIFICATIONS
1. Yugabyte Security Obligations. Taking into account the state of the art, the costs of
  implementation and the nature, scope, context and purposes of Processing as well as the risk of varying
  likelihood and severity for the rights and freedoms of natural persons, Yugabyte shall implement
  appropriate technical and organisational measures to ensure a level of security appropriate to the risk
  including, where applicable by virtue of Article 28(3)(c) of the GDPR, and as appropriate, the measures
  referred to in Article 32(1) of the GDPR. Without limiting the generality of the foregoing, Yugabyte
  shall put in place and maintain the technical and organizational measures as set out in ANNEX 2 of this
  DPA.
2. Security Audits. Yugabyte audits its compliance with data protection and information
  security standards on at least an annual basis. Subject to obligations of confidentiality, Yugabyte will
  make available to Customer a summary of its most recent relevant and applicable audit reports and/or
  supporting documentation reasonably required by Customer so that Customer can verify Yugabyte’s
  compliance with this DPA. To the extent that the audit reports and/or supporting documentation provided
  by Yugabyte do not validate Yugabyte’s compliance with its obligations under this DPA, Customer may
  conduct a remote or on-site audit of Yugabyte’s compliance with this DPA which shall be limited to once
  per calendar year, unless requested by a Supervisory Authority or in the event that Yugabyte is subject
  to a Security Incident caused by Yugabyte’s failure to meet its obligations under the Agreement or this
  DPA. Any such audit shall be conducted by an independent reputable third-party chosen by Customer and
  reasonably acceptable to Yugabyte. Before the commencement of any such audit, Customer shall provide
  Yugabyte with a detailed proposed audit plan which at a minimum will include a detailed description of
  the scope of the audit, duration of the audit, and the proposed commencement date of the audit. Yugabyte
  shall review Customer’s proposed audit plan and provide Customer with any concerns or questions
  regarding the audit plan; the Parties agree to work collaboratively to reach an agreement on a final
  audit plan. The results of the audit and all information reviewed during any such audit shall be
  considered Yugabyte Confidential Information and shall be protected by Customer and Customer’s
  third-party auditors in accordance with the confidentiality provisions noted in the Agreement and this
  DPA. Notwithstanding anything to the contrary, Customer’s auditor may only disclose to the Customer
  specific violations of this DPA, if any, and the basis for such findings, and shall not disclose to
  Customer any of the records or information reviewed during the audit. The Parties agree that any audits
  pursuant to clause 8.9 of the Standard Contractual Clauses will comply with the terms and conditions of
  this Section 5.2.
3. Security Incident Notification. If Yugabyte becomes aware of a Security Incident
  affecting Customer Personal Information, then Yugabyte shall notify Customer without undue delay, take
  any additional steps that are reasonably necessary to remedy any non-compliance with this DPA, including
  complying with all applicable requirements of the Agreement, and reasonably cooperate with Customer in
  the investigation of the Security Incident. Yugabyte’s obligation to report or respond to a Security
  Incident shall not be construed as an acknowledgement of any fault by Yugabyte with respect to the
  Security Incident.
4. Yugabyte Employees and Personnel. Yugabyte shall limit access to Customer Personal
  Information to those employees or other personnel who have a business need to have access to such
  Customer Personal Information. Further, Yugabyte shall ensure that such employees or other personnel
  have agreed in writing to protect the confidentiality and security of such Customer Personal Information
  in accordance with the provisions of this DPA.
5. Government Disclosure. Yugabyte shall promptly notify Customer of any request for the
  disclosure of Customer Personal Information by a governmental or regulatory body or law enforcement
  authority (including any data protection supervisory authority) unless otherwise prohibited by law or a
  legally binding order of such body or agency.
ACCESS REQUESTS AND DATA SUBJECT RIGHTS
1. Data Subject Requests. Unless otherwise required by applicable law, Yugabyte shall
  promptly notify Customer of any request received by Yugabyte or any Subprocessor from a data subject in
  respect of Customer Personal Information and shall not respond to the data subject.
2. Data Subject Rights. Yugabyte shall, where possible, assist Customer with ensuring
  its compliance under applicable Data Protection Laws by implementing appropriate technical and
  organisational measures, insofar as this is possible, for the fulfilment of Customer’s obligation to
  respond to requests for exercising data subject rights laid down in the Data Protection Laws. In
  particular, Yugabyte shall, where possible:
  1. provide Customer with the ability to correct, delete, block, access, or copy Customer Personal
    Information, or
  2. promptly correct, delete, block, access, or copy Customer Personal Information within the Services
    at Customer’s request.
DATA PROTECTION IMPACT ASSESSMENT AND PRIOR CONSULTATION
1. Where applicable by virtue of the Data Protection Laws, Yugabyte shall provide reasonable assistance
  to Customer with any data protection impact assessments and with any prior consultations to any
  regulatory authority of Customer which are referred, in each case solely in relation to Processing of
  Customer Personal Information and taking into account the nature of the Processing and information
  available to Yugabyte.
DURATION AND TERMINATION
1. Return of Customer Personal Information. Yugabyte shall afford Customer thirty (30)
  days from the termination or expiration of the Agreement to request in writing the return of Customer
  Personal Information in a format technically feasible and practical for Yugabyte. Subject to the
  foregoing, Yugabyte shall return a copy of all Customer Personal Information by secure file transfer or
  other secure transfer mechanism as agreed to by the Parties within thirty (30) days of receipt of a
  timely return request.
2. Deletion of Customer Personal Information.. Subject to Section 8.3 below, Yugabyte
  shall, within ninety (90) days of the date of termination of the Agreement:
  1. delete and use all reasonable efforts to procure the deletion of all other copies of Customer
    Personal Information Processed by Yugabyte or any Subprocessors.
3. Yugabyte and its Subprocessors may retain Customer Personal Information to the extent required by
  applicable laws and only to the extent and for such period as required by applicable laws and always
  provided that Yugabyte shall ensure the confidentiality of all such Customer Personal Information and
  shall ensure that such Customer Personal Information is only Processed as necessary for the purpose(s)
  specified in the applicable laws requiring its storage and for no other purpose.
LAW AND JURISDICTION
1. Where the GDPR is applicable to the Processing of Customer Personal Information under this DPA, this
  DPA shall be governed by, and construed in accordance with the law of the Member State in which Customer
  is established or, where Customer is established in the United Kingdom or Switzerland, English law or
  Swiss law respectively. In all other cases, this DPA shall be governed by the same law as the Agreement.
MISCELLANEOUS
1. Amendment. The Parties acknowledge that the foregoing provisions are designed to
  comply with the mandates of Data Protection Laws. No change, amendment, or modification of this DPA
  shall be valid unless set forth in writing and agreed to by both Parties. Notwithstanding the foregoing,
  the Parties acknowledge that privacy and data protection laws are rapidly evolving and that amendment of
  this DPA may be required to ensure compliance with such developments. The Parties specifically agree to
  take such action as may be reasonably necessary from time to time for the Parties to comply with
  applicable Data Protection Laws.
2. Interpretation. Any ambiguity in this Agreement shall be resolved to permit the
  Parties to comply with the Data Protection Laws.
3. Effect of Agreement. In the event of any inconsistency between the provisions of the
  Agreement, this DPA, the Annexes to this DPA, and the Standard Contractual Clauses (where applicable)
  respectively, the order of precedence shall be as follows:
  1. The Standard Contractual Clauses (where applicable);
  2. The Annexes of this DPA to the extent that they are meant to complete the Standard Contractual
    Clauses (where applicable);
  3. The main body of this DPA including its Annexes;
  4. The Agreement.
4. In the event of inconsistency between the provisions of this DPA and mandatory provisions of the Data
  Protection Laws, or their interpretation by any court or regulatory agency with authority over Customer
  or Yugabyte, such interpretation shall control. Where provisions of this DPA are different from those
  mandated in the Data Protection Laws but are nonetheless permitted by such rules as interpreted by
  courts or agencies, the provisions of this DPA shall control. For the avoidance of doubt, where Standard
  Contractual Clauses apply, the terms of this DPA are meant to supplement the applicable Standard
  Contractual Clauses, in particular, by way of providing guidance for their practical implementation, and
  are not intended to contradict, directly or indirectly, any clauses of the applicable Standard
  Contractual Clauses.
5. General. If any part of a provision of this DPA is found to be illegal or
  unenforceable, it shall be enforced to the maximum extent permissible, and the legality and
  enforceability of the remainder of that provision and all other provisions of this DPA shall not be
  affected. All notices relating to the Parties’ legal rights and remedies under this DPA shall be
  provided in writing to a Party, shall be sent to its address or email address set forth in the signature
  block below, or to such other address or email address as may be designated by that Party by notice to
  the sending Party, and shall reference this DPA. Nothing in this DPA shall confer any right, remedy or
  obligation upon anyone other than Customer and Yugabyte. This DPA is the complete and exclusive
  agreement between the Parties with respect to the subject matter hereof, superseding and replacing all
  prior agreements, communications and understandings (written and oral) regarding its subject matter.

ANNEX 1
DETAILS OF THE PROCESSING

This ANNEX 1 forms part of the DPA and the Standard Contractual Clauses (if any).

In providing Services, Yugabyte does not intentionally process GDPR Personal Data. Customer may process such GDPR
Personal Data through the Services, but the nature and extent of such Processing is solely determined and controlled
by Customer.

PARTIES TO THE PROCESSING

	CUSTOMER	YUGABYTE
Name	The entity identified as “Customer” in the Agreement.	Yugabyte, Inc.
Address	The address for Customer associated with its Yugabyte account or as otherwise specified in the Agreement.	The address identified at the following URL for the applicable region: https://www.yugabyte.com/contact/
Contact Person’s Name, Position and Contact Details	The contact details associated with Customer’s account, or as otherwise specified in the Agreement	Name: Cyrus Wadia Position: General Counsel Contact details: privacy@yugabyte.com
Activities relevant to the data transferred	The activities specified in Section 2 of the DPA.	The activities specified in Section 2 of the DPA.
Role	The role specified in Section 2.1 of the DPA. For International Transfers, Customer is the Data Exporter.	The role specified in Section 2.1 of the DPA. For International Transfers, Yugabyte is the Data Importer.

DESCRIPTION OF TRANSFER

Categories of Data Subjects

Unless provided otherwise by Customer, Customer Personal Information relates to the following categories of data
subjects:

Customers, business partners, and vendors of the Customer (who are natural persons)
Employees or contract persons of Customer’s customers, business partners, and vendors.
Agents, advisors, or any user authorized by the Customer to use the Service (who are natural persons)

Categories of Customer Personal Information

In providing Services, Yugabyte does not intentionally process Customer Personal Information. Customer may process
such customer Personal Information through the Services, but the nature and extent of such Processing is solely
determined and controlled by Customer. To that end, Customer determines the categories of Customer Personal
Information and other data entered onto the Services. Customer Personal Information entered onto the Services
typically relates to the following categories:

Name
Business Contact Information (company, title or position, email address, phone numbers, physical business address)
Personal Contact Information (email address, phone numbers, physical personal address)
Localization data
Authentication data
Pictures and Videos (which are not classified as Special Categories of Data under the European Data Protection Laws.)
Connection Data
System access / usage / authorization data,

Categories of Sensitive Data under European Data Protection Laws

None. Customer agrees not to submit any Customer Personal Information which would be considered Special Categories of
Data under the applicable European Data Protection Laws.

Nature of the Processing

The basic processing activities of Customer Personal Information by Yugabyte is the provision and maintenance of the
Services pursuant to the Agreement entered into by the Parties.

Frequency of International Transfers

Where International Transfers are occurring, the Customer Personal Information will be transferred on a continuous
basis according to the terms of the Agreement.

Purpose(s) of Processing and International Transfers (if applicable)

The purpose of Processing and International Transfers (where applicable) is the provision and maintenance of the
Services pursuant to the Agreement entered into by the Parties.

The Period for Which Personal Data will be Retained

The Customer Personal Information will be retained pursuant to Section 8 of the DPA.

Subject Matter, Nature and Duration of the Processing of Subprocessors

Customer generally authorizes Yugabyte to engage Subprocessors in connection with the Processing of Customer Personal Information for the performance of the Agreement. A description of Yugabyte’s Subprocessors are available at the following URL: https://www.yugabyte.com/yugabyte-cloud-subprocessors/. Customer Personal Information will be retained pursuant to Section 8 of the DPA.

ANNEX 2
Technical and Organisational Security Measures

Yugabyte maintains internal policies and procedures, and procures that its Subprocessors also maintain internal
policies and procedures that are materially consistent with this Annex where applicable, which are designed to:

secure any Customer Personal Information Processed by Yugabyte against accidental or unlawful loss, access, or
disclosure;
identify reasonably foreseeable and internal risks to security and unauthorised access to any Customer Personal
Information Processed by Yugabyte; and
minimise security risks, including through risk assessments and regular testing.

These measures may include:

Preventing unauthorised persons from gaining access to Yugabyte’s information systems that are used to Process
Customer Information Systems (physical access control) by taking measures such as:
- documenting security and other incidents (maintaining an incident log);
- protecting and managing physical access to assets and facilities;
- implementing and maintaining security controls for each computer room and/or data centre and any area containing Customer Personal Information which includes but is not limited to the establishment of secure areas, securing data processing equipment, providing industry standard access controls to facilities that Process Customer Personal Information, the implementation of alarm systems, and other security measures as appropriate; and
- ensuring all access to facilities that Process Customer Personal Information is logged and monitored.
Preventing data processing systems from being used without authorisation (logical access control) by taking
measures such as:
- using appropriate network security devices such as i routers and firewalls;
- periodic review of user access to Yugabyte information systems which Process Customer Personal Information;
- secure log-in with unique credentials for each Yugabyte authorized user, including multi-factor authentication (MFA) while accessing any public entry point to Yugabyte’s information technology infrastructure;
- automatic disablement of user credentials when several consecutive failed attempts are made to access a user terminal;
- dedication of individual terminals and/or terminal user accounts with permissions granted on the need-to-know principle;
- formalized change control management procedures for any changes that occur to Yugabyte information systems;
- use of firewall technology, either application or physical.
- annual vulnerability and penetration tests of Yugabyte information systems used to Process Customer Personal Information;
- locking of unattended workstations;
- role-based access for critical systems containing Customer Personal Information;
- implementing and maintaining a process for routine system updates for known vulnerabilities;
- monitoring for security vulnerabilities on critical systems and applications;
- deployment and updating of antivirus software on Yugabyte’s workstations that access Yugabyte’s information systems that Process Customer Personal Information; and
- compliance with applicable laws, regulations and industry standards as applicable to the performance of the Agreement and this DPA.
Ensuring that persons entitled to use a data processing system can gain access only to the data to which they have
a right of access, and that, in the course of processing or use and after storage, Customer Personal Information
cannot be read, copied, modified or deleted without authorisation (access control to data) by taking measures such
as:
- using appropriate network security devices such as routers and firewalls;
- monitoring the network to detect potential cybersecurity events;
- secure log-in with unique user-ID/password for each of Yugabyte’s authorized users, including multi-factor
  authentication (MFA) while accessing any public entry point to Yugabyte’s information technology infrastructure
  that Processes Customer Personal Information;
- logging and analysis of access to Yugabyte’s information systems used to Process Customer Personal
  Information;
- role-based access for critical systems containing Customer Personal Information;
- dDeployment and updating of antivirus software on Yugabyte’s workstations;
- maintaining a documented incident response plan that addresses actions to be carried out should a Security
  Incident occur;
- maintaining documented policy and procedure for record retention and destruction; and
- implementing and maintaining response and recovery procedures which are tested on at least an annual basis in
  the event of a disaster.
Ensuring that Customer Personal Information cannot be read, copied, modified or deleted without authorisation
during electronic transmission, transport or storage and that all data transmissions are logged, monitored, and
tracked as is technically feasible and practicable (data transfer control) by taking measures such as:
- where appropriate in light of the types or nature of the data processed, encryption of communication and
  encryption of data in storage which is under Yugabyte’s control;
- tunnelling (VPN = Virtual Private Network);
- FSecure transport containers in case of physical transport;
- logging of the transmission of Customer Personal Information as is technically feasible and practicable for
  Yugabyte; and
- Logical network isolation of Yugabyte systems that Process Customer Personal Information from other Yugabyte
  customer environments.
Ensuring that Customer Personal Information is protected against accidental destruction or loss (availability
control) to the extent that is under the Yugabyte’s control by taking measures such as:
- maintaining backup procedures;
- Maintaining redundant servers and/or information system infrastructure in a separate location
- maintaining uninterruptible power supply and auxiliary power systems;
- climate monitoring and control for information technology infrastructure including but not limited to, fire
  resistant doors, fire and smoke detection, fire extinguishing system;
- anti-virus on Workstations connecting to Yugabyte systems that Process Customer Personal Information;
- firewall systems;
- disaster Recovery Plans which include Recovery Time Objectives (RTO) and Recovery Point Objections (RPO) that
  are tested on at least an annual basis; and
- implementation of denial of service (DOS) preventative and/or remediation measures.
Ensuring suitable measures to monitor Yugabyte’s systems administrators to ensure that the Yugabyte’s systems
administrators act in accordance with the Customer’s instructions by taking measures such as:
- formal assignment of systems administrator based on job duties and the need-to-know principle;
- logging of actions taken by a respective systems administrator as is technically feasible and practicable;
- maintaining a list of a respective systems administrator’s identification details; and
- auditing on at least a quarterly basis any Yugabyte user personnel’s access to Yugabyte’s production
  environment to ensure Yugabyteuser personnel that have access to the environment are still authorized to
  accessYugabyte information systems that Process Customer Personal Information.
Ensuring that data collected for different purposes or different principals can be processed separately
(separation control) by taking measures such as:
- ensuring the separation of development, quality assurance, and production environments;
- prohibiting the use of Processing Customer Personal Information in Customer’s non-production environment; and
- logical network isolation of Yugabyte systems that Process Customer Personal Information from other Yugabyte
  customer environments.

Pursuant to Section 3 of the DPA, Yugabyte shall impose substantially similar data protection terms on any
Subprocessor it appoints as those provided for by the DPA.

ANNEX 3

INTERNATIONAL DATA TRANSFERS – RISK ASSESSMENT TEMPLATE

Yugabyte provides the information below to enable Customer to perform a risk assessment pursuant to Section 4.1 of
this DPA.

OVERVIEW
Date		Effective Date of the Agreement
Entity name		YugaByte, Inc.
Brief description of transfer (Please indicate the scale and regularity of transfers in this regard)		See Annex 1.
Data privacy role in regard to the data processing for us (e.g. data processor)		The role specified in Section 2.1 of the DPA. For International Transfers, Yugabyte is the Data Importer.
Current legal mechanism for the international transfer (e.g. Standard Contractual Clauses, Article 49 General Data Protection Regulation)		Standard Contractual Clauses
A. SYSTEMATIC DESCRIPTION OF THE DATA PROCESSING
Describe the nature, scope and context of the data processing		Yugabyte processes Customer Personal Information in order to deliver the Services to Customer.
Purposes of the data processing		See Annex 1.
Functional/technical description of the data processing		See Annex 1.
Categories of personal data being processed		See Annex 1.
Number of datasets that are being processed		Customer shall provide datasets from time to time as needed in connection with Yugabyte’s delivery of the Services. The number of datasets that are being processed are solely determined by the Customer.
The recipients of the personal data		Company entities	Yugabyte
		Vendors	YugabyteDB Managed Subprocessors
Assets on which the personal data sits (e.g. hardware, software, networks, people, paper or paper transmission channels)		Customer Personal Information is stored on Yugabyte’s Subprocessor(s) infrastructure.
B. REGULATORY FRAMEWORK
Factors relevant to the assessment		Analysis
Applicable regulatory regime		U.S. Law
Safeguard offered by local data privacy laws		None (regarding non-U.S. persons)
Risks posed by laws authorizing authorities to access or conduct surveillance on personal data for security or other reasons (including laws applicable to company’s cloud service or other communication providers)	Foreign Intelligence Surveillance Act, Sec. 702	Risk of surveillance mainly on U.S. soil.
	Executive Order 12333 & Presidential Policy Directive 28	Risk of surveillance mainly during transit to/through the U.S.
	[Applicable Law 3] (please indicate if other applicable laws pose any similar risks, e.g. applicable sector-specific laws)	Yugabyte is not aware of any further laws applicable in this respect.
Access to judicial process to protect data subject rights		None (regarding non-U.S. persons); merely generalized judicial review of FISA surveillance decisions by the FISC
Role of regulators and supervisory authorities in protecting data		None (regarding non-U.S. persons)
Ability of individuals to raise complaints, appeal and enforce decisions		None (regarding non-U.S. persons)
C. REQUEST FOR INFORMATION
Factors relevant to the assessment		Analysis
Note: Please indicate if you are under a legal obligation not to answer one of the following questions.
Please indicate whether you qualify as an electronic communication service provider within the meaning of 50 USC § 1881(b)(4) (i.e. as a telecommunications carrier, provider of electronic communication service, provider of a remote computing service, any other communication service provider who has access to wire or electronic communications either as such communications are transmitted or as such communications are stored or an officer, employee, or agent of any such entity)		There is a risk, even though not probable, that Yugabyte may qualify as an Electronic Communication Service Provider in the meaning of 50 USC § 1881 (b) (4) due to the hosted software services it currently provides to its Customers or may provide in the future.
Please indicate whether you have been subject to additional government requests for customer data.		Never.
Please indicate whether you cooperate in any respect with US authorities conducting surveillance of communications under EO 12.333, should this be mandatory or voluntary.		No, this has never been requested.
Please indicate whether you periodically issue transparency reports including Information on data access requests in regard to the U.S.		No.
D. MITIGATING MEASURES
Please indicate whether you have implemented any safeguards to mitigate the risk associated with the data transfer (e.g. encryption).		Yes.
If applicable, describe these measures as precise as possible.		See Annex 2.

ANNEX 4
Standard Contractual Clauses

For the purposes of this SCHEDULE 1, references to the “data exporter” and “data importer” shall be to Customer and to
Yugabyte respectively (each a “party”; together “the parties”).

EEA Customer Data TransfersFor all International Transfers described in Section 4.2.1. of the DPA originating from the EEA, the following
Standard Contractual Clauses apply (the “EEA SCCs”):
1. Module Two (controller to processor) of the Standard Contractual Clauses annexed to Commission Implementing
  Decision (EU) 2021/914 shall apply where Customer acts as the Controller of GDPR Personal Data and Yugabyte acts as
  a Processor; and
2. Module Three (processor to processor) of the Standard Contractual Clauses annexed to Commission Implementing
  Decision (EU) 2021/914 shall apply where Customer acts as a Processor of GDPR Personal Data and Yugabyte acts as a
  Subprocessor.
  1. Annex I.A (List of Parties) shall be deemed to incorporate the information in Section A of ANNEX 1 of this
    DPA;
  2. Annex I.B (Description of Transfer) shall be deemed to incorporate the information in Section B of ANNEX 1 of
    this DPA;
  3. For purposes of Annex I.C (Competent Supervisory Authority), the competent supervisory authority is (i), where
    Customer is established in the EEA, the supervisory authority with responsibility for ensuring compliance by
    Customer with the GDPR as regards the International Transfer, (ii) where Customer is not established in the EEA
    but has appointed a representative in the EEA, the supervisory authority of the Member State in which the
    representative is established, or (iii) where Customer is not established in the EEA and has not appointed a
    representative in the EEA, the supervisory authority of one of the Member States in which the data subjects
    whose GDPR Personal Data is transferred;
  4. Annex II (Technical and Organisational Measures) shall be deemed to incorporate the information in ANNEX 2 of
    this DPA.
UK Customer Data TransfersFor all International Transfers described in Section 4.2.1. of the DPA originating from the UK:
1. neither the UK SCCs (as defined below) nor the DPA shall be interpreted in a way that conflicts with rights and
  obligations provided for in any laws relating to data protection, the processing of personal data, privacy and/or
  electronic communications in force from time to time in the UK, including the UK General Data Protection
  Regulation (“UK GDPR”) and the Data Protection Act 2018 (together, the “UK Data Protection Laws”);
2. (1) where Customer acts as the Controller of GDPR Personal Data and Yugabyte acts as a Processor, Module Two
  (controller to processor), or (2) where Customer acts as a Processor of GDPR Personal Data and Yugabyte acts as a
  Subprocessor, Module Three (processor to processor), of the Standard Contractual Clauses annexed to Commission
  Implementing Decision (EU) 2021/914 are deemed to be amended to the extent necessary so they operate:
  1. for transfers made by Customer to Yugabyte, to the extent that UK Data Protection Laws apply to Yugabyte’s
    processing when making that transfer; and
  2. to provide appropriate safeguards for the transfers in accordance with Article 46 of the UK GDPR (such
    amended Standard Contractual Clauses, the “UK SCCs”);
3. the amendments referred to in the above Section 2(b) include (without limitation) the following:
  1. references to “Regulation (EU) 2016/679” or “that Regulation” are replaced by “UK GDPR” and references to
    specific Article(s) of “Regulation (EU) 2016/679” are replaced with the equivalent Article of the UK GDPR;
  2. references to Regulation (EU) 2018/1725 are removed;
  3. references to the “Union”, “EU” and “EU Member State” are all replaced with the “UK”;
  4. the “competent supervisory authority” shall be the Information Commissioner;
  5. clause 17 of the UK SCCs is replaced with the following:”These Clauses are governed by the laws of England and Wales”;
    1. clause 18 of the UK SCCs is replaced with the following:”Any dispute arising from these Clauses shall be resolved by the courts of England and Wales. A data
      subject may also bring legal proceedings against the data exporter and/or data importer before the
      courts of any country in the UK. The Parties agree to submit themselves to the jurisdiction of such
      courts”;
      1. any footnotes to the UK SCCs are deleted in their entirety.
For purposes of the UK SCCs:
i. Annex I.A (List of Parties) shall be deemed to incorporate the information in Section A of ANNEX 1 of this DPA;
ii. Annex I.B (Description of Transfer) shall be deemed to incorporate the information in Section B of ANNEX 1 of
this DPA;
iii. Annex II (Technical and Organisational Measures) shall be deemed to incorporate the information in ANNEX 2 of
this DPA.
EEA and UK Subprocessor Data TransfersFor all International Transfers described in Section 4.2.2. of the DPA from Yugabyte to a Third Country
Subprocessor, Yugabyte will enter into an agreement with the Third Country Subprocessor incorporating Module Three
(processor to processor) of the Standard Contractual Clauses annexed to Commission Implementing Decision (EU)
2021/914 along with any amendments necessary so they operate:
1. for transfers made by Yugabyte to Subprocessor, to the extent that UK Data Protection Laws apply to Contractor’s
  processing when making that transfer; and
2. to provide appropriate safeguards for the transfers in accordance with Article 46 of the UK GDPR.

YugabyteDB Managed Data Processing Addendum – Mar 24, 2022