Last updated: December 2022
This Data Processing Agreement (“DPA”) is governed and hereby attached to the Master Service Agreement, Terms of Service, or any other agreement (“Agreement”) executed by and between Akeyless Security Ltd
(“Akeyless”) and the Customer
All capitalized terms not defined herein shall have the meaning set forth in the Agreement
WHEREAS, Akeyless is the developer and operator of a cloud-based SaaS solution enabling (“Akeyless Technology”) enterprises and organizations to secure and manage authorizations, access, and permissions to IT and Cloud environments, all as agreed by the parties in the Agreement (“Service(s)”);
WHEREAS, the Services may require Akeyless to Process or have access to Personal Data (as such terms are defined below) on the Customer’s behalf subject to the terms and conditions of this DPA; and
WHEREAS, the Parties desire to supplement this DPA to achieve compliance with the UK, EU, Swiss, United States and other data protection laws and agree on the following:
- DEFINITIONS
“Adequate Country” is a country that received an adequacy decision from the European Commission
- “CCPA” means the California Consumer Privacy Act (Cal
- Civ
- Code §§ 1798
- 100 – 1798
-
- of 2018, as may be amended as well as all regulations promulgated thereunder from time to time
- “Customer Data” means Customer Content (as defined in the Agreement) and any Personal Data uploaded or processed during the use of the Services, all as detailed in Annex I attached herein
- The terms “Personal Data”, “Controller”, “Processor”, “Data Subject”, “Processing” (and “Process“), “Personal Data Breach”, “Special Categories of Personal Data” and “Supervisory Authority”, shall all have the same meanings as ascribed to them in the EU Data Protection Law
- The terms “Business”, “Business Purpose”, “Consumer”, “Service Provider,” “Sale” and “Sell” shall have the same meaning as ascribed to them in the CCPA
- “Data Subject” shall also mean and refer to “Consumer”, as such term defined in the CCPA, “Personal Data” shall include “Personal Information” under this DPA
- “Data Protection Law” means any and all applicable privacy and data protection laws and regulations (including, where applicable, EU Data Protection Law, UK Data Protection Laws, Swiss Data Protection Laws, Israeli Law and the CCPA) as may be amended or superseded from time to time
- “EEA” means the European Economic Area
- “EU Data Protection Law” means the (i) EU General Data Protection Regulation (Regulation 2016/679) (“GDPR”); (ii) Regulation 2018/1725; (iii) the EU e-Privacy Directive (Directive 2002/58/EC), as amended (e-Privacy Law); (iv) any national data protection laws made under, pursuant to, replacing or succeeding (i) and (ii); (v) any legislation replacing or updating any of the foregoing; and (vi) any judicial or administrative interpretation of any of the above, including any binding guidance, guidelines, codes of practice, approved codes of conduct or approved certification mechanisms issued by any relevant Supervisory Authority
- “Israeli Law” means Israeli Privacy Protection Law, 5741-1981, the regulations promulgated pursuant thereto, including the Israeli Privacy Protection Regulations (Data Security), 5777-2017 and other related privacy regulations
- “Security Incident” means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data (including Customer Data)
- Any Personal Data Breach will comprise a Security Incident
- “Standard Contractual Clauses” or “SCC” mean the standard contractual clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council adopted by the European Commission Decision 2021/914 of 4 June 2021, which may be found here: Standard Contractual Clauses
- “Swiss Data Protection Laws” or “FADP” shall mean (i) Swiss Federal Data Protection Act (dated June 19, 1992, as of March 1, 2019) (“FDPA”); (ii) The Ordinance on the Federal Act on Data Protection (“FODP“); (iii) any national data protection laws made under, pursuant to, replacing or succeeding and any legislation replacing or updating any of the foregoing
- “Swiss SCC” shall mean the applicable standard data protection clauses issued, approved or recognized by the Swiss Federal Data Protection and Information Commissioner
- ”UK Data Protection Laws” shall mean the Data Protection Act 2018 (DPA 2018), as amended, and EU General Data Protection Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, as incorporated into UK law as the UK GDPR, as amended, and any other applicable UK data protection laws, or regulatory Codes of Conduct or other guidance that may be issued from time to time
- ”UK GDPR” shall mean the GDPR as it forms part of domestic law in the United Kingdom by virtue of section 3 of the European Union (Withdrawal) Act 2018 (including as further amended or modified by the laws of the United Kingdom or a part of the United Kingdom from time to time)
- “UK Standard Contractual Clauses” or “UK SCC” means the UK “International Data Transfer Addendum to The European Commission Standard Contractual Clauses” available at https://ico
- org
- uk/media/for-organisations/documents/4019539/international-data-transfer-addendum
- pdf as adopted, amended or updated by the UK Information Commissioner Office (“ICO”), Parliament or Secretary of State
*Akeyless Vault is an unified platform for Secrets Management and Zero Trust Access