Last Updated: March 24, 2022

Prior versions of this Yugabyte Data Processing Addendum are available here.

This Data Processing Addendum (“DPA”) forms part of the YugabyteDB Managed Terms of Service between
Yugabyte and Customer for the YugabyteDB Managed database software as a service (the “Agreement”). All
capitalized terms not defined in this DPA have the meanings set forth in the Agreement.

  1. DEFINITIONS
    1. “CCPA” means the California Consumer Privacy Act, Cal. Civ. Code §§ 1798.100 et seq.,
      including any amendments and any implementing regulations thereto;
    2. “CCPA Personal Information” means “personal information” as such term is defined by the CCPA,
      including any information that identifies, relates to, describes, is reasonably capable of being associated
      with, or could reasonably be linked, directly or indirectly, with a particular consumer or household;
    3. “Customer Personal Information” means the CCPA Personal Information and the GDPR Personal
      Data that Yugabyte Processes on behalf of Customer, in each case in connection with Yugabyte’s provision of the
      Services. For the avoidance of doubt, Customer Personal Information may include CCPA Personal Information and/or
      GDPR Personal Data that Customer directs Yugabyte to Process on behalf of Customer’s own clients;
    4. “Controller” means the entity which, alone or jointly with others, determines the purposes
      and means of the Processing of GDPR Personal Data;
    5. “Data Protection Laws” means all applicable laws, regulations and other legal requirements
      currently in effect, or as they become effective, relating in any way to the privacy, confidentiality, or
      security of Personal Data, including the European Data Protection Laws, and the CCPA;
    6. “EEA” means the Member States of the European Union together with Iceland, Norway, and
      Liechtenstein;
    7. “European Data Protection Laws” means the EU General Data Protection Regulation 2016/679 of
      the European Parliament and of the Council (the “GDPR”), the UK Data Protection Act, the UK General Data
      Protection Regulation, and any applicable national legislation implementing or supplementing the foregoing, in
      each case as amended, replaced or superseded from time to time, and all other applicable legislation protecting
      the fundamental rights and freedoms of persons and their right to privacy with regard to the Processing of GDPR
      Personal Data;
    8. “GDPR Personal Data” means “personal data” as such term is defined by the European Data
      Protection Laws, including any information relating to an identified or identifiable individual or device (a
      “data subject”);
    9. “Processing” means any operation or set of operations which is performed on Customer Personal
      Information, or on sets of Customer Personal Information, whether or not by automated means, and “Process” will
      be interpreted accordingly;
    10. “Processor” means an entity that Processes Customer Personal Information on behalf of a
      Controller;
    11. “Security Incident” means any accidental or unlawful destruction, loss, alteration,
      unauthorized disclosure of, or access to, any Customer Personal Information;
    12. “Sell” shall have the meaning given in the CCPA;
    13. “Services” means the service(s) provided by Yugabyte to Customer under the Agreement;
    14. “Service Provider” shall have the meaning given in the CCPA;
    15. “Standard Contractual Clauses” means the applicable standard contractual clauses identified
      in ANNEX 4 of this DPA;
    16. “Subprocessor” means an entity that Processes Customer Personal Information on behalf of a
      Processor; and
    17. “UK” means the United Kingdom.
  2. DATA PROCESSING
    1. Role of the Parties. The Parties acknowledge and agree that:
      1. for the purposes of the GDPR, Yugabyte acts as a Processor and Customer acts as the Controller of GDPR
        Personal Data (except when Customer is itself a Processor of the GDPR Personal Data, in which case Yugabyte
        is a Subprocessor); and
      2. for the purposes of the CCPA, Yugabyte will act as a Service Provider in its performance of its
        obligations pursuant to the Agreement.
    2. Instructions for Data Processing. Yugabyte will, subject to Section 2.3, only collect,
      retain, use, Sell, disclose, release, transfer, make available or otherwise Process Customer Personal
      Information in accordance with:

      1. the Agreement, to the extent necessary to provide the Services to Customer; and
      2. Customer’s written instructions, including as set forth in ANNEX 1 to this DPA.

      Notwithstanding the foregoing, nothing in this DPA shall restrict Yugabyte’s ability to Process Customer
      Personal Information in anonymous format.

    3. Yugabyte may Process Customer Personal Information to the extent required by:
      1. applicable laws to which Yugabyte is subject;
      2. where Customer is established in the EEA, or the Processing of such Customer Personal Information
        by Customer falls within the scope of the GDPR, applicable EEA Member State laws; or
      3. where Customer is established in the United Kingdom, or the Processing of such Customer Personal
        Information by Customer falls within the scope of the UK Data Protection Act 2018, applicable law in
        the United Kingdom, in which case Yugabyte shall, unless prohibited by such applicable laws on
        important grounds of public interest, inform Customer of that legal requirement before Processing
        that Customer Personal Information.
    4. Customer shall provide all applicable notices to data subjects required under applicable Data
      Protection Laws for the lawful Processing of Customer Personal Information by Yugabyte in accordance
      with the Agreement.
    5. Customer will obtain any consents required under applicable Data Protection Laws for the lawful
      Processing of Customer Personal Information by Yugabyte in accordance with the Agreement.
    6. Customer agrees to defend, indemnify and keep indemnified, and hold harmless, at its own expense,
      Yugabyte against all costs, claims, damages and expenses incurred by Yugabyte or for which Yugabyte may
      become liable due to any failure by Customer to comply with Section 2.4 and Section 2.5.
    7. Customer acknowledges that Yugabyte is reliant on Customer for direction as to the extent to which
      Yugabyte is entitled to use and process Customer Personal Information. Consequently, Yugabyte will not
      be liable for any claim brought against Customer by a data subject arising from any act or omission by
      Yugabyte to the extent that such act or omission resulted from Customer’s instructions or Customer’s use
      of the Services.
  3. SUBPROCESSORS
    1. Consent to Subprocessor Engagement. Customer generally authorizes Yugabyte to engage
      Subprocessors in connection with the Processing of Customer Personal Information for the performance of
      the Agreement. Yugabyte will maintain a list of its Subprocessors at the following URL:
      YugabyteDB Managed Subprocessors (https://www.yugabyte.com/yugabyte-cloud-subprocessors/) and will add the
      names of new and replacement Processors as applicable from time to time. Yugabyte shall inform Customer
      of its intention to engage any new or replacement Subprocessors in writing at least fifteen (15) days in
      advance of the date of the intended commencement of the engagement. Customer may object to such intended
      engagement by giving written notice at the latest ten (10) days in advance of the date of the intended
      commencement of the engagement. If Customer objects to Yugabyte’s appointment of a Subprocessor on
      reasonable grounds relating to the protection of Personal Information, then either Yugabyte shall not
      appoint the Subprocessor to Process Customer Personal Information or Customer may elect to suspend or
      terminate this DPA. In all cases, Yugabyte shall impose substantially similar data protection terms on
      any Subprocessor it appoints as those provided for by this DPA, and Yugabyte shall remain fully liable
      for any breach of this DPA that is caused by an act, error, or omission of Subprocessor.
    2. Third-Party Applications. The Services may provide functionality
      which includes but is not limited to application programming interfaces, which allows Customer to
      integrate Customer authorized third-party products and applications with the Services (“Third-Party
      Applications”). Customer acknowledges and agrees that if Customer elects to enable or leverage
      Third-Party Applications to integrate with the Services, then it does so at its own risk and Yugabyte
      has no responsibility for any Customer Personal Information Processed by or through these respective
      Third-Party Applications, nor is Yugabyte a co-processor, Subprocessor, or Controller with respect to
      any Customer Personal Information processed by or on behalf of Customer through the respective
      third-party or through any Third-Party Applications.
  4. TRANSFERS
    1. Prohibition on Transfers of GDPR Personal Data. GDPR Personal Data which are
      undergoing Processing or are intended for Processing after transfer to a third country outside of the
      EEA or UK, respectively, may only be exported to or accessed by Yugabyte or its Subprocessors (the
      “International Transfer”):

      1. if the recipient, or the country or territory in which it Processes GDPR Personal Data, ensures an
        adequate level of protection for the rights and freedoms of Data Subjects in relation to the
        Processing of GDPR Personal Data as determined by the European Commission for transfers from the EEA
        or the UK Secretary of State for transfers from the UK; or
      2. in accordance with Section 4.2.
    2. Standard Contractual Clauses
      1. The Standard Contractual Clauses apply, and are incorporated by reference into this DPA, where
        there is an International Transfer to a country or territory that does not ensure an adequate level
        of protection for the rights and freedoms of Data Subjects in relation to the processing of GDPR
        Personal Data as determined by the European Commission for transfers from the EEA or the UK
        Secretary of State for transfers from the UK.
      2. For Subprocessors based outside the EEA or UK and outside any country for which the European
        Commission or UK Secretary of State, respectively, has published an adequacy decision (the “Third
        Country Subprocessors”), Yugabyte will enter into appropriate Standard Contractual Clauses, as
        described in ANNEX 4 of this DPA, prior to the Subprocessor’s processing of GDPR Personal Data.
        Yugabyte will enforce the Standard Contractual Clauses against the Subprocessor on behalf of
        Customer if a direct enforcement right is not available under European Data Protection Laws.
  5. DATA SECURITY, AUDITS AND SECURITY NOTIFICATIONS
    1. Yugabyte Security Obligations. Taking into account the state of the art, the costs of
      implementation and the nature, scope, context and purposes of Processing as well as the risk of varying
      likelihood and severity for the rights and freedoms of natural persons, Yugabyte shall implement
      appropriate technical and organisational measures to ensure a level of security appropriate to the risk
      including, where applicable by virtue of Article 28(3)(c) of the GDPR, and as appropriate, the measures
      referred to in Article 32(1) of the GDPR. Without limiting the generality of the foregoing, Yugabyte
      shall put in place and maintain the technical and organizational measures as set out in ANNEX 2 of this
      DPA.
    2. Security Audits. Yugabyte audits its compliance with data protection and information
      security standards on at least an annual basis. Subject to obligations of confidentiality, Yugabyte will
      make available to Customer a summary of its most recent relevant and applicable audit reports and/or
      supporting documentation reasonably required by Customer so that Customer can verify Yugabyte’s
      compliance with this DPA. To the extent that the audit reports and/or supporting documentation provided
      by Yugabyte do not validate Yugabyte’s compliance with its obligations under this DPA, Customer may
      conduct a remote or on-site audit of Yugabyte’s compliance with this DPA which shall be limited to once
      per calendar year, unless requested by a Supervisory Authority or in the event that Yugabyte is subject
      to a Security Incident caused by Yugabyte’s failure to meet its obligations under the Agreement or this
      DPA. Any such audit shall be conducted by an independent reputable third-party chosen by Customer and
      reasonably acceptable to Yugabyte. Before the commencement of any such audit, Customer shall provide
      Yugabyte with a detailed proposed audit plan which at a minimum will include a detailed description of
      the scope of the audit, duration of the audit, and the proposed commencement date of the audit. Yugabyte
      shall review Customer’s proposed audit plan and provide Customer with any concerns or questions
      regarding the audit plan; the Parties agree to work collaboratively to reach an agreement on a final
      audit plan. The results of the audit and all information reviewed during any such audit shall be
      considered Yugabyte Confidential Information and shall be protected by Customer and Customer’s
      third-party auditors in accordance with the confidentiality provisions noted in the Agreement and this
      DPA. Notwithstanding anything to the contrary, Customer’s auditor may only disclose to the Customer
      specific violations of this DPA, if any, and the basis for such findings, and shall not disclose to
      Customer any of the records or information reviewed during the audit. The Parties agree that any audits
      pursuant to clause 8.9 of the Standard Contractual Clauses will comply with the terms and conditions of
      this Section 5.2.
    3. Security Incident Notification. If Yugabyte becomes aware of a Security Incident
      affecting Customer Personal Information, then Yugabyte shall notify Customer without undue delay, take
      any additional steps that are reasonably necessary to remedy any non-compliance with this DPA, including
      complying with all applicable requirements of the Agreement, and reasonably cooperate with Customer in
      the investigation of the Security Incident. Yugabyte’s obligation to report or respond to a Security
      Incident shall not be construed as an acknowledgement of any fault by Yugabyte with respect to the
      Security Incident.
    4. Yugabyte Employees and Personnel. Yugabyte shall limit access to Customer Personal
      Information to those employees or other personnel who have a business need to have access to such
      Customer Personal Information. Further, Yugabyte shall ensure that such employees or other personnel
      have agreed in writing to protect the confidentiality and security of such Customer Personal Information
      in accordance with the provisions of this DPA.
    5. Government Disclosure. Yugabyte shall promptly notify Customer of any request for the
      disclosure of Customer Personal Information by a governmental or regulatory body or law enforcement
      authority (including any data protection supervisory authority) unless otherwise prohibited by law or a
      legally binding order of such body or agency.
  6. ACCESS REQUESTS AND DATA SUBJECT RIGHTS
    1. Data Subject Requests. Unless otherwise required by applicable law, Yugabyte shall
      promptly notify Customer of any request received by Yugabyte or any Subprocessor from a data subject in
      respect of Customer Personal Information and shall not respond to the data subject.
    2. Data Subject Rights. Yugabyte shall, where possible, assist Customer with ensuring
      its compliance under applicable Data Protection Laws by implementing appropriate technical and
      organisational measures, insofar as this is possible, for the fulfilment of Customer’s obligation to
      respond to requests for exercising data subject rights laid down in the Data Protection Laws. In
      particular, Yugabyte shall, where possible:

      1. provide Customer with the ability to correct, delete, block, access, or copy Customer Personal
        Information, or
      2. promptly correct, delete, block, access, or copy Customer Personal Information within the Services
        at Customer’s request.
  7. DATA PROTECTION IMPACT ASSESSMENT AND PRIOR CONSULTATION
    1. Where applicable by virtue of the Data Protection Laws, Yugabyte shall provide reasonable assistance
      to Customer with any data protection impact assessments and with any prior consultations to any
      regulatory authority of Customer which are referred, in each case solely in relation to Processing of
      Customer Personal Information and taking into account the nature of the Processing and information
      available to Yugabyte.
  8. DURATION AND TERMINATION
    1. Return of Customer Personal Information. Yugabyte shall afford Customer thirty (30)
      days from the termination or expiration of the Agreement to request in writing the return of Customer
      Personal Information in a format technically feasible and practical for Yugabyte. Subject to the
      foregoing, Yugabyte shall return a copy of all Customer Personal Information by secure file transfer or
      other secure transfer mechanism as agreed to by the Parties within thirty (30) days of receipt of a
      timely return request.
    2. Deletion of Customer Personal Information. Subject to Section 8.3 below, Yugabyte
      shall, within ninety (90) days of the date of termination of the Agreement:

      1. delete and use all reasonable efforts to procure the deletion of all other copies of Customer
        Personal Information Processed by Yugabyte or any Subprocessors.
    3. Yugabyte and its Subprocessors may retain Customer Personal Information to the extent required by
      applicable laws and only to the extent and for such period as required by applicable laws and always
      provided that Yugabyte shall ensure the confidentiality of all such Customer Personal Information and
      shall ensure that such Customer Personal Information is only Processed as necessary for the purpose(s)
      specified in the applicable laws requiring its storage and for no other purpose.
  9. LAW AND JURISDICTION
    1. Where the GDPR is applicable to the Processing of Customer Personal Information under this DPA, this
      DPA shall be governed by, and construed in accordance with the law of the Member State in which Customer
      is established or, where Customer is established in the United Kingdom or Switzerland, English law or
      Swiss law respectively. In all other cases, this DPA shall be governed by the same law as the Agreement.
  10. MISCELLANEOUS
    1. Amendment. The Parties acknowledge that the foregoing provisions are designed to
      comply with the mandates of Data Protection Laws. No change, amendment, or modification of this DPA
      shall be valid unless set forth in writing and agreed to by both Parties. Notwithstanding the foregoing,
      the Parties acknowledge that privacy and data protection laws are rapidly evolving and that amendment of
      this DPA may be required to ensure compliance with such developments. The Parties specifically agree to
      take such action as may be reasonably necessary from time to time for the Parties to comply with
      applicable Data Protection Laws.
    2. Interpretation. Any ambiguity in this Agreement shall be resolved to permit the
      Parties to comply with the Data Protection Laws.
    3. Effect of Agreement. In the event of any inconsistency between the provisions of the
      Agreement, this DPA, the Annexes to this DPA, and the Standard Contractual Clauses (where applicable)
      respectively, the order of precedence shall be as follows:

      1. The Standard Contractual Clauses (where applicable);
      2. The Annexes of this DPA to the extent that they are meant to complete the Standard Contractual
        Clauses (where applicable);
      3. The main body of this DPA including its Annexes;
      4. The Agreement.
    4. In the event of inconsistency between the provisions of this DPA and mandatory provisions of the Data
      Protection Laws, or their interpretation by any court or regulatory agency with authority over Customer
      or Yugabyte, such interpretation shall control. Where provisions of this DPA are different from those
      mandated in the Data Protection Laws but are nonetheless permitted by such rules as interpreted by
      courts or agencies, the provisions of this DPA shall control. For the avoidance of doubt, where Standard
      Contractual Clauses apply, the terms of this DPA are meant to supplement the applicable Standard
      Contractual Clauses, in particular, by way of providing guidance for their practical implementation, and
      are not intended to contradict, directly or indirectly, any clauses of the applicable Standard
      Contractual Clauses.
    5. General. If any part of a provision of this DPA is found to be illegal or
      unenforceable, it shall be enforced to the maximum extent permissible, and the legality and
      enforceability of the remainder of that provision and all other provisions of this DPA shall not be
      affected. All notices relating to the Parties’ legal rights and remedies under this DPA shall be
      provided in writing to a Party, shall be sent to its address or email address set forth in the signature
      block below, or to such other address or email address as may be designated by that Party by notice to
      the sending Party, and shall reference this DPA. Nothing in this DPA shall confer any right, remedy or
      obligation upon anyone other than Customer and Yugabyte. This DPA is the complete and exclusive
      agreement between the Parties with respect to the subject matter hereof, superseding and replacing all
      prior agreements, communications and understandings (written and oral) regarding its subject matter.

ANNEX 1
DETAILS OF THE PROCESSING

This ANNEX 1 forms part of the DPA and the Standard Contractual Clauses (if any).

In providing Services, Yugabyte does not intentionally process GDPR Personal Data. Customer may process such GDPR
Personal Data through the Services, but the nature and extent of such Processing is solely determined and controlled
by Customer.

  1. PARTIES TO THE PROCESSING
    Name
      Customer: The entity identified as “Customer” in the Agreement.
      Yugabyte: Yugabyte, Inc.

    Address
      Customer: The address for Customer associated with its Yugabyte account or as otherwise specified in the
      Agreement.
      Yugabyte: The address identified at the following URL for the applicable region:
      https://www.yugabyte.com/contact/

    Contact Person’s Name, Position and Contact Details
      Customer: The contact details associated with Customer’s account, or as otherwise specified in the Agreement.
      Yugabyte: Name: Cyrus Wadia; Position: General Counsel; Contact details: [email protected]

    Activities relevant to the data transferred
      Customer: The activities specified in Section 2 of the DPA.
      Yugabyte: The activities specified in Section 2 of the DPA.

    Role
      Customer: The role specified in Section 2.1 of the DPA. For International Transfers, Customer is the Data
      Exporter.
      Yugabyte: The role specified in Section 2.1 of the DPA. For International Transfers, Yugabyte is the Data
      Importer.
  2. DESCRIPTION OF TRANSFER

Categories of Data Subjects

Unless provided otherwise by Customer, Customer Personal Information relates to the following categories of data
subjects:

  • Customers, business partners, and vendors of the Customer (who are natural persons)
  • Employees or contract persons of Customer’s customers, business partners, and vendors.
  • Agents, advisors, or any user authorized by the Customer to use the Service (who are natural persons)

Categories of Customer Personal Information

In providing Services, Yugabyte does not intentionally process Customer Personal Information. Customer may process
such customer Personal Information through the Services, but the nature and extent of such Processing is solely
determined and controlled by Customer. To that end, Customer determines the categories of Customer Personal
Information and other data entered onto the Services. Customer Personal Information entered onto the Services
typically relates to the following categories:

  • Name
  • Business Contact Information (company, title or position, email address, phone numbers, physical business address)
  • Personal Contact Information (email address, phone numbers, physical personal address)
  • Localization data
  • Authentication data
  • Pictures and Videos (which are not classified as Special Categories of Data under the European Data Protection Laws.)
  • Connection Data
  • System access / usage / authorization data.

Categories of Sensitive Data under European Data Protection Laws

None. Customer agrees not to submit any Customer Personal Information which would be considered Special Categories of
Data under the applicable European Data Protection Laws.

Nature of the Processing

The basic processing activity of Customer Personal Information by Yugabyte is the provision and maintenance of the
Services pursuant to the Agreement entered into by the Parties.

Frequency of International Transfers

Where International Transfers are occurring, the Customer Personal Information will be transferred on a continuous
basis according to the terms of the Agreement.

Purpose(s) of Processing and International Transfers (if applicable)

The purpose of Processing and International Transfers (where applicable) is the provision and maintenance of the
Services pursuant to the Agreement entered into by the Parties.

The Period for Which Personal Data will be Retained

The Customer Personal Information will be retained pursuant to Section 8 of the DPA.

Subject Matter, Nature and Duration of the Processing of Subprocessors

Customer generally authorizes Yugabyte to engage Subprocessors in connection with the Processing of Customer Personal
Information for the performance of the Agreement. A description of Yugabyte’s Subprocessors is available at the
following URL: https://www.yugabyte.com/yugabyte-cloud-subprocessors/. Customer Personal Information will be retained
pursuant to Section 8 of the DPA.

ANNEX 2
Technical and Organisational Security Measures

Yugabyte maintains internal policies and procedures, and procures that its Subprocessors also maintain internal
policies and procedures that are materially consistent with this Annex where applicable, which are designed to:

  • secure any Customer Personal Information Processed by Yugabyte against accidental or unlawful loss, access, or
    disclosure;
  • identify reasonably foreseeable and internal risks to security and unauthorised access to any Customer Personal
    Information Processed by Yugabyte; and
  • minimise security risks, including through risk assessments and regular testing.

These measures may include:

  • Preventing unauthorised persons from gaining access to Yugabyte’s information systems that are used to Process
    Customer Personal Information (physical access control) by taking measures such as:

    • documenting security and other incidents (maintaining an incident log);
    • protecting and managing physical access to assets and facilities;
    • implementing and maintaining security controls for each computer room and/or data centre and any area containing Customer Personal Information which includes but is not limited to the establishment of secure areas, securing data processing equipment, providing industry standard access controls to facilities that Process Customer Personal Information, the implementation of alarm systems, and other security measures as appropriate; and
    • ensuring all access to facilities that Process Customer Personal Information is logged and monitored.
  • Preventing data processing systems from being used without authorisation (logical access control) by taking
    measures such as:

    • using appropriate network security devices such as routers and firewalls;
    • periodic review of user access to Yugabyte information systems which Process Customer Personal Information;
    • secure log-in with unique credentials for each Yugabyte authorized user, including multi-factor authentication (MFA) while accessing any public entry point to Yugabyte’s information technology infrastructure;
    • automatic disablement of user credentials when several consecutive failed attempts are made to access a user terminal;
    • dedication of individual terminals and/or terminal user accounts with permissions granted on the need-to-know principle;
    • formalized change control management procedures for any changes that occur to Yugabyte information systems;
    • use of firewall technology, either application or physical;
    • annual vulnerability and penetration tests of Yugabyte information systems used to Process Customer Personal Information;
    • locking of unattended workstations;
    • role-based access for critical systems containing Customer Personal Information;
    • implementing and maintaining a process for routine system updates for known vulnerabilities;
    • monitoring for security vulnerabilities on critical systems and applications;
    • deployment and updating of antivirus software on Yugabyte’s workstations that access Yugabyte’s information systems that Process Customer Personal Information; and
    • compliance with applicable laws, regulations and industry standards as applicable to the performance of the Agreement and this DPA.
  • Ensuring that persons entitled to use a data processing system can gain access only to the data to which they have
    a right of access, and that, in the course of processing or use and after storage, Customer Personal Information
    cannot be read, copied, modified or deleted without authorisation (access control to data) by taking measures such
    as:

    • using appropriate network security devices such as routers and firewalls;
    • monitoring the network to detect potential cybersecurity events;
    • secure log-in with unique user-ID/password for each of Yugabyte’s authorized users, including multi-factor
      authentication (MFA) while accessing any public entry point to Yugabyte’s information technology infrastructure
      that Processes Customer Personal Information;
    • logging and analysis of access to Yugabyte’s information systems used to Process Customer Personal
      Information;
    • role-based access for critical systems containing Customer Personal Information;
    • deployment and updating of antivirus software on Yugabyte’s workstations;
    • maintaining a documented incident response plan that addresses actions to be carried out should a Security
      Incident occur;
    • maintaining documented policy and procedure for record retention and destruction; and
    • implementing and maintaining response and recovery procedures which are tested on at least an annual basis in
      the event of a disaster.
  • Ensuring that Customer Personal Information cannot be read, copied, modified or deleted without authorisation
    during electronic transmission, transport or storage and that all data transmissions are logged, monitored, and
    tracked as is technically feasible and practicable (data transfer control) by taking measures such as:

    • where appropriate in light of the types or nature of the data processed, encryption of communication and
      encryption of data in storage which is under Yugabyte’s control;
    • tunnelling (VPN = Virtual Private Network);
    • secure transport containers in case of physical transport;
    • logging of the transmission of Customer Personal Information as is technically feasible and practicable for
      Yugabyte; and
    • logical network isolation of Yugabyte systems that Process Customer Personal Information from other Yugabyte
      customer environments.
  • Ensuring that Customer Personal Information is protected against accidental destruction or loss (availability
    control) to the extent that is under the Yugabyte’s control by taking measures such as:

    • maintaining backup procedures;
    • maintaining redundant servers and/or information system infrastructure in a separate location;
    • maintaining uninterruptible power supply and auxiliary power systems;
    • climate monitoring and control for information technology infrastructure including but not limited to, fire
      resistant doors, fire and smoke detection, fire extinguishing system;
    • anti-virus on workstations connecting to Yugabyte systems that Process Customer Personal Information;
    • firewall systems;
    • disaster recovery plans which include Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) that
      are tested on at least an annual basis; and
    • implementation of denial of service (DOS) preventative and/or remediation measures.
  • Ensuring suitable measures to monitor Yugabyte’s systems administrators to ensure that the Yugabyte’s systems
    administrators act in accordance with the Customer’s instructions by taking measures such as:

    • formal assignment of systems administrator based on job duties and the need-to-know principle;
    • logging of actions taken by a respective systems administrator as is technically feasible and practicable;
    • maintaining a list of a respective systems administrator’s identification details; and
    • auditing on at least a quarterly basis any Yugabyte user personnel’s access to Yugabyte’s production
      environment to ensure Yugabyte user personnel that have access to the environment are still authorized to
      access Yugabyte information systems that Process Customer Personal Information.
  • Ensuring that data collected for different purposes or different principals can be processed separately
    (separation control) by taking measures such as:

    • ensuring the separation of development, quality assurance, and production environments;
    • prohibiting the use of Processing Customer Personal Information in Customer’s non-production environment; and
    • logical network isolation of Yugabyte systems that Process Customer Personal Information from other Yugabyte
      customer environments.

Pursuant to Section 3 of the DPA, Yugabyte shall impose substantially similar data protection terms on any
Subprocessor it appoints as those provided for by the DPA.

ANNEX 3

INTERNATIONAL DATA TRANSFERS – RISK ASSESSMENT TEMPLATE

Yugabyte provides the information below to enable Customer to perform a risk assessment pursuant to Section 4.1 of
this DPA.

OVERVIEW

Date: Effective Date of the Agreement
Entity name: YugaByte, Inc.
Brief description of transfer (please indicate the scale and regularity of transfers in this regard): See Annex 1.
Data privacy role in regard to the data processing for us (e.g. data processor): The role specified in Section 2.1
of the DPA. For International Transfers, Yugabyte is the Data Importer.
Current legal mechanism for the international transfer (e.g. Standard Contractual Clauses, Article 49 General Data
Protection Regulation): Standard Contractual Clauses

A. SYSTEMATIC DESCRIPTION OF THE DATA PROCESSING

Describe the nature, scope and context of the data processing: Yugabyte processes Customer Personal Information in
order to deliver the Services to Customer.
Purposes of the data processing: See Annex 1.
Functional/technical description of the data processing: See Annex 1.
Categories of personal data being processed: See Annex 1.
Number of datasets that are being processed: Customer shall provide datasets from time to time as needed in
connection with Yugabyte’s delivery of the Services. The number of datasets that are being processed is solely
determined by the Customer.
The recipients of the personal data:
  Company entities: Yugabyte
  Vendors: YugabyteDB Managed Subprocessors
Assets on which the personal data sits (e.g. hardware, software, networks, people, paper or paper transmission
channels): Customer Personal Information is stored on Yugabyte’s Subprocessor(s) infrastructure.

B. REGULATORY FRAMEWORK

(Factors relevant to the assessment: Analysis)
Applicable regulatory regime: U.S. Law
Safeguard offered by local data privacy laws: None (regarding non-U.S. persons)
Risks posed by laws authorizing authorities to access or conduct surveillance on personal data for security or other
reasons (including laws applicable to company’s cloud service or other communication providers):
  Foreign Intelligence Surveillance Act, Sec. 702: Risk of surveillance mainly on U.S. soil.
  Executive Order 12333 & Presidential Policy Directive 28: Risk of surveillance mainly during transit to/through
  the U.S.
  [Applicable Law 3] (please indicate if other applicable laws pose any similar risks, e.g. applicable
  sector-specific laws): Yugabyte is not aware of any further laws applicable in this respect.
Access to judicial process to protect data subject rights: None (regarding non-U.S. persons); merely generalized
judicial review of FISA surveillance decisions by the FISC
Role of regulators and supervisory authorities in protecting data: None (regarding non-U.S. persons)
Ability of individuals to raise complaints, appeal and enforce decisions: None (regarding non-U.S. persons)

C. REQUEST FOR INFORMATION

(Factors relevant to the assessment: Analysis)
Note: Please indicate if you are under a legal obligation not to answer one of the following questions.
Please indicate whether you qualify as an electronic communication service provider within the meaning of
50 USC § 1881(b)(4) (i.e. as a telecommunications carrier, provider of electronic communication service, provider
of a remote computing service, any other communication service provider who has access to wire or electronic
communications either as such communications are transmitted or as such communications are stored or an officer,
employee, or agent of any such entity): There is a risk, even though not probable, that Yugabyte may qualify as an
Electronic Communication Service Provider in the meaning of 50 USC § 1881(b)(4) due to the hosted software services
it currently provides to its Customers or may provide in the future.
Please indicate whether you have been subject to additional government requests for customer data: Never.
Please indicate whether you cooperate in any respect with US authorities conducting surveillance of communications
under EO 12.333, should this be mandatory or voluntary: No, this has never been requested.
Please indicate whether you periodically issue transparency reports including information on data access requests
in regard to the U.S.: No.

D. MITIGATING MEASURES

Please indicate whether you have implemented any safeguards to mitigate the risk associated with the data transfer
(e.g. encryption): Yes.
If applicable, describe these measures as precisely as possible: See Annex 2.

ANNEX 4
Standard Contractual Clauses

For the purposes of this SCHEDULE 1, references to the “data exporter” and “data importer” shall be to Customer and to
Yugabyte respectively (each a “party”; together “the parties”).

  1. EEA Customer Data Transfers. For all International Transfers described in Section 4.2.1. of the DPA originating
    from the EEA, the following Standard Contractual Clauses apply (the “EEA SCCs”):

    1. Module Two (controller to processor) of the Standard Contractual Clauses annexed to Commission Implementing
      Decision (EU) 2021/914 shall apply where Customer acts as the Controller of GDPR Personal Data and Yugabyte acts as
      a Processor; and
    2. Module Three (processor to processor) of the Standard Contractual Clauses annexed to Commission Implementing
      Decision (EU) 2021/914 shall apply where Customer acts as a Processor of GDPR Personal Data and Yugabyte acts as a
      Subprocessor.

      1. Annex I.A (List of Parties) shall be deemed to incorporate the information in Section A of ANNEX 1 of this
        DPA;
      2. Annex I.B (Description of Transfer) shall be deemed to incorporate the information in Section B of ANNEX 1 of
        this DPA;
      3. For purposes of Annex I.C (Competent Supervisory Authority), the competent supervisory authority is (i), where
        Customer is established in the EEA, the supervisory authority with responsibility for ensuring compliance by
        Customer with the GDPR as regards the International Transfer, (ii) where Customer is not established in the EEA
        but has appointed a representative in the EEA, the supervisory authority of the Member State in which the
        representative is established, or (iii) where Customer is not established in the EEA and has not appointed a
        representative in the EEA, the supervisory authority of one of the Member States in which the data subjects
        whose GDPR Personal Data is transferred;
      4. Annex II (Technical and Organisational Measures) shall be deemed to incorporate the information in ANNEX 2 of
        this DPA.
  2. UK Customer Data Transfers. For all International Transfers described in Section 4.2.1. of the DPA originating
    from the UK:
    1. neither the UK SCCs (as defined below) nor the DPA shall be interpreted in a way that conflicts with rights and
      obligations provided for in any laws relating to data protection, the processing of personal data, privacy and/or
      electronic communications in force from time to time in the UK, including the UK General Data Protection
      Regulation (“UK GDPR”) and the Data Protection Act 2018 (together, the “UK Data Protection Laws”);
    2. (1) where Customer acts as the Controller of GDPR Personal Data and Yugabyte acts as a Processor, Module Two
      (controller to processor), or (2) where Customer acts as a Processor of GDPR Personal Data and Yugabyte acts as a
      Subprocessor, Module Three (processor to processor), of the Standard Contractual Clauses annexed to Commission
      Implementing Decision (EU) 2021/914 are deemed to be amended to the extent necessary so they operate:

      1. for transfers made by Customer to Yugabyte, to the extent that UK Data Protection Laws apply to Yugabyte’s
        processing when making that transfer; and
      2. to provide appropriate safeguards for the transfers in accordance with Article 46 of the UK GDPR (such
        amended Standard Contractual Clauses, the “UK SCCs”);
    3. the amendments referred to in the above Section 2(b) include (without limitation) the following:
      1. references to “Regulation (EU) 2016/679” or “that Regulation” are replaced by “UK GDPR” and references to
        specific Article(s) of “Regulation (EU) 2016/679” are replaced with the equivalent Article of the UK GDPR;
      2. references to Regulation (EU) 2018/1725 are removed;
      3. references to the “Union”, “EU” and “EU Member State” are all replaced with the “UK”;
      4. the “competent supervisory authority” shall be the Information Commissioner;
      5. clause 17 of the UK SCCs is replaced with the following: “These Clauses are governed by the laws of England
        and Wales”;
      6. clause 18 of the UK SCCs is replaced with the following: “Any dispute arising from these Clauses shall be
        resolved by the courts of England and Wales. A data subject may also bring legal proceedings against the data
        exporter and/or data importer before the courts of any country in the UK. The Parties agree to submit
        themselves to the jurisdiction of such courts”;
      7. any footnotes to the UK SCCs are deleted in their entirety.

    For purposes of the UK SCCs:

    i. Annex I.A (List of Parties) shall be deemed to incorporate the information in Section A of ANNEX 1 of this DPA;

    ii. Annex I.B (Description of Transfer) shall be deemed to incorporate the information in Section B of ANNEX 1 of
    this DPA;

    iii. Annex II (Technical and Organisational Measures) shall be deemed to incorporate the information in ANNEX 2 of
    this DPA.

  3. EEA and UK Subprocessor Data Transfers. For all International Transfers described in Section 4.2.2. of the DPA
    from Yugabyte to a Third Country Subprocessor, Yugabyte will enter into an agreement with the Third Country
    Subprocessor incorporating Module Three (processor to processor) of the Standard Contractual Clauses annexed to
    Commission Implementing Decision (EU) 2021/914 along with any amendments necessary so they operate:

    1. for transfers made by Yugabyte to Subprocessor, to the extent that UK Data Protection Laws apply to Contractor’s
      processing when making that transfer; and
    2. to provide appropriate safeguards for the transfers in accordance with Article 46 of the UK GDPR.