Data Processing Agreement
Privacy PolicyThis DATA PROCESSING AGREEMENT ("Agreement") forms part of the Terms of Service ("Principal Agreement") between: (i) Customer (“Controller”); and (ii) Vast.ai Inc. (“Processor” or “Service Provider”). This Agreement is entered into and effective as of the effective day of Customer entering into the Principal Agreement with Processor
The terms used in this Agreement shall have the meanings set forth in this Agreement. Capitalized terms not otherwise defined herein shall have the meaning given to them in the Principal Agreement. Except as modified below, the terms of the Principal Agreement shall remain in full force and effect.
AGREEMENT
Definitions
In this Agreement, the following terms shall have the meanings set out below:
“Anonymous Data” means information that relates to a group or category of consumers and/or individuals, from which: (i) the Controller cannot be identified as the source of the information; (ii) personally identifiable information allowing the identification of individuals is removed; and (iii) the information is not reasonably identifiable or linkable to any consumer, individual, household, or device.
"Applicable Laws" means the GDPR;
"Personal Data" means any Personal Data Processed by the Contracted Processor on behalf of the Controller pursuant to the Principal Agreement;
"Contracted Processor" means Processor or a Subprocessor;
"EEA" means the European Economic Area;
"GDPR" means EU General Data Protection Regulation 2016/679 and its implementing regulations in the EEA and the United Kingdom;
“Restricted Transfer” means a transfer of Personal Data subject to the GDPR outside of the EEA;
"Services" means the services and other activities to be supplied to or carried out by or on behalf of Contracted Processor for Controller pursuant to the Principal Agreement;
“Standard Contractual Clauses” means the Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council attached hereto as Schedule A;
"Subprocessor" means any person (including any third party, and any Processor Affiliate, but excluding an employee of Processor) or any of its sub-contractors) appointed by or on behalf of Processor or Processor Affiliate to Process Personal Data on behalf of any Controller in connection with the Principal Agreement; and
“Processor Affiliate" means an entity that owns or controls, is owned or controlled by or is or under common control or ownership with Processor, where control is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract or otherwise.
The terms, "Commission", "Controller", "Data Subject", "Member State", "Personal Data", "Personal Data Br/each", "Processing" and "Supervisory Authority" shall have the same meaning as in the GDPR.
Processing of Personal Data
Processor and Processor Affiliate shall:
comply with all Applicable Laws in the Processing of Personal Data; and
not Process Personal Data other than on the Controller’s documented instructions unless Processing is required by Applicable Laws to which the relevant Contracted Processor is subject, in which case Processor or the relevant Processor Affiliate shall to the extent permitted by Applicable Laws inform the Controller of that legal requirement before the relevant Processing of that Personal Data.
The Controller shall:
instruct Processor and each Processor Affiliate (and authorizes Processor and each Processor Affiliate to instruct each Subprocessor) to:
- Process Personal Data; and in particular, transfer Personal Data to any country or territory, as reasonably necessary for the provision of the Services and consistent with the Principal Agreement.
Processor acknowledges that all Personal Data that it may receive from Controller, Controller’s employees or consultants, or otherwise acquired by virtue of the performance of services under the Principal Agreement shall be regarded by Processor as confidential and held by Processor in confidence.
Processor shall not directly or indirectly sell any Personal Data, or retain, use, or disclose any Personal Data for any purpose other than for the purpose of performing services for Controller; or retain, use, or disclose any Personal Data outside the scope of this Agreement or the Principal Agreement.
Processor understands the restrictions in this Section 2 and will comply with them.
Processor may use Anonymous Data for its own purposes.
The Controller warrants and represents that:
it is and will at all relevant times remain duly and effectively authorized to give the instructions set out in this section;
it has all necessary rights to provide the Personal Data to the Processor for the Processing to be performed in relation to the Services;
one or more lawful bases set forth in the Applicable Laws support the lawfulness of the Processing;
all necessary privacy notices are provided to data subjects;
any necessary data subject consents to the Processing are obtained and a record of such consents is maintained; and
should such a consent be revoked by a data subject, and no other lawful basis remains to keep the data subject’s personal data, it will communicate the fact of such revocation to the Processor.
Processor and Processor Affiliate Personnel
Processor and each Processor Affiliate shall take reasonable steps to ensure the reliability of any employee, agent or contractor of any Contracted Processor who may have access to the Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know / access the relevant Personal Data, as strictly necessary for the purposes of the Principal Agreement, and to comply with Applicable Laws in the context of that individual's duties to the Contracted Processor, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.
Security
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Processor and Processor Affiliate shall in relation to the Personal Data implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk.
In assessing the appropriate level of security, Processor and each Processor Affiliate shall take account in particular of the risks that are presented by Processing, in particular from a Personal Data Br/each.
The Parties acknowledge that security requirements are constantly changing and that effective security requires frequent evaluation and regular improvements of outdated security measures. The Parties will negotiate in good faith the cost, if any, to implement material changes required by specific updated security requirements set forth in Applicable Laws or by regulatory authorities of competent jurisdiction.
Where an amendment to the Principal Agreement is necessary in order to execute a Controller instruction to the Processor to improve security measures as may be required by changes in Applicable Laws from time to time, the Parties shall negotiate an amendment to the Principal Agreement in good faith.
Restricted Transfers
Processor shall not export, transfer, store, remotely access Personal Data, or permit any of the latter in/from a country which is not part of the European Economic Area and does not benefit from an adequacy recognition decision of the European Commission pursuant to Article 45 of the GDPR, unless such export, transfer, storage, or remote access is secured through the provision of appropriate guarantees, which may consist of: (i) applicable standard data protection clauses pursuant to Article 46.2 c) or d) of the GDPR; (ii) binding corporate rules pursuant to Article 46.2 b) of the GDPR; (iii) derogations for specific situations under Article 49 of the GDPR; or, (iv) any other instrument recognized by the GDPR and approved by the European Commission or a Supervisory Authority.
To the extent no adequacy decision or other appropriate guarantees apply, the Parties hereby agree to and incorporate the Standard Contractual Clauses into this Agreement. Controller shall be the Data Exporter and Processor shall be the Data Importer. Appendix 1 and 2 to this Agreement shall be Annex 1 and 2 to the Standard Contractual Clauses.
Subprocessing
Controller authorizes Processor and each Processor Affiliate to appoint (and permit each Subprocessor appointed in accordance with this section to appoint) Subprocessors in accordance with this section and any restrictions in the Principal Agreement.
Processor and each Processor Affiliate may continue to use those Subprocessors already engaged by Processor or any Processor Affiliate as of the date of this Agreement.
Processor shall give Controller a list of any new Subprocessors engaged after the date of this Agreement, upon reasonable request from the Controller.
With respect to each Subprocessor, Processor or the Processor Affiliate shall:
ensure that the arrangement between Processor or the Processor Affiliate, on the one hand, and the Subprocessor, on the other hand, is governed by a written contract including terms which offer at least the same level of protection for Personal Data as those set out in this Agreement; and
if that arrangement involves a Restricted Transfer, ensure that the Standard Contractual Clauses or other approved transfer mechanism under the GDPR (e.g. Binding Corporate Clauses) are at all relevant times incorporated into the agreement between Processor or the Processor Affiliate, on the one hand, and the Subprocessor, on the other hand.
Data Subject Rights
Taking into account the nature of the Processing, Processor and each Processor Affiliate shall assist each Controller by implementing appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Controller’s obligations to respond to requests to exercise Data Subject rights under the Applicable Laws.
Processor shall:
notify Controller if Processor or a Processor Affiliate receives a request from a Data Subject under any Applicable Laws in respect of Personal Data; and,
ensure that the Contracted Processor does not respond to that request except as required by Applicable Laws to which the Contracted Processor is subject, in which case Processor shall to the extent permitted by Applicable Laws inform Controller of that legal requirement before the Contracted Processor responds to the request.
Controller shall:
be responsible for responding to a request from a Data Subject as required under any Applicable Laws in respect of Personal Data.
Assistance to Data Controller
Taking into account the nature of processing and the information available to the Processor, the Processor shall assist the Controller, at Controller’s expense, in Data Protection Impact Assessments, and with prior consultations with supervisory authorities. Controller and Processor shall work together in good faith to determine a reasonable fee for Processor’s assistance prior to the initiation of this assistance.
Personal Data Br/each
- Processor shall notify Controller without undue delay upon Processor or Subprocessor becoming aware of a Personal Data Br/each affecting Personal Data.
Audits
At the reasonable request of the Controller, the Processor shall demonstrate the technical and organizational measures it has taken pursuant to this Agreement and shall allow the Controller to audit and test such measures.
Controller undertaking an audit shall give Processor or the relevant Processor Affiliate reasonable notice of any audit or inspection to be conducted under this section and shall make (and ensure that each of its mandated auditors makes) reasonable endeavors to avoid causing any damage, injury or disruption to the Contracted Processors' premises, equipment, personnel and business while its personnel are on those premises in the course of such an audit or inspection.
A Contracted Processor need not give access to its premises for the purposes of such an audit or inspection:
- to any individual unless he or she produces reasonable evidence of identity and authority;
- outside normal business hours at those premises, unless the audit or inspection needs to be conducted on an emergency basis and the Controller undertaking an audit has given notice to Processor or the relevant Processor Affiliate that this is the case before attendance outside those hours begins; or
- for the purposes of more than once audit or inspection in any calendar year, except for any additional audits or inspections which the controller is required or requested to carry out by Applicable Laws or a regulatory authority of competent jurisdiction, where the Controller has identified the relevant requirement or request in its notice to Processor or the relevant Processor Affiliate of the audit or inspection.
Unless otherwise required by Applicable Laws or a regulatory authority of competent jurisdiction, Contracted Processor shall fulfill the audit requirement in this Section by providing Controller with a copy of its most recent Soc 2 audit report or its equivalent, pursuant to a non-disclosure agreement, applicable to its processes, systems and networks involved in performance of the Agreement.
Deletion or Return of Personal Data
Within 30 days of the termination date, Controller may by written notice require Processor and each Processor Affiliate to (a) return a complete copy of all Personal Data to Controller and/or (b) delete and procure the deletion of all other copies of Personal Data Processed by any Contracted Processor. Processor and each Processor Affiliate shall comply with any such written request within 90 days of the written request.
Each Contracted Processor may retain Personal Data to the extent required by Applicable Laws and shall ensure that such Personal Data is only Processed as necessary for the purpose(s) specified in the Applicable Laws.
Governing Law and Jurisdiction
the parties to this Agreement hereby submit to the choice of jurisdiction stipulated in the Principal Agreement; and
this Agreement and all non-contractual or other obligations arising out of or in connection with it are governed by the laws of the country or territory stipulated for this purpose in the Principal Agreement.
SCHEDULE A
Standard Contractual Clauses (controllers to processors)
Name of the data exporting organisation:
Address:
Tel.:
Other information needed to identify the organisation:
(the data exporter)
And Name of the data importing organisation:Vast.ai Inc.
Address: 6600 Sunset Blvd, STE 256 Los Angeles, CA 90028
Tel.: (323) 483-5256
Other information needed to identify the organisation:
(the data importer)
each a “party”; together “the parties”, HAVE AGREED on the following Contractual Clauses (the Clauses) in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the data exporter to the data importer of the personal data specified in Annex 1
STANDARD CONTRACTUAL CLAUSES
SECTION I
Clause 1 Purpose and scope
| (a) | The purpose of these standard contractual clauses is to ensure compliance with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) for the transfer of personal data to a third country. |
| (b) | The Parties: (i) (hereinafter each ‘data exporter’), and (ii) Vast.ai Inc. (hereinafter each ‘data importer’) have agreed to these standard contractual clauses (hereinafter: ‘Clauses’). |
| (c) | These Clauses apply with respect to the transfer of personal data as specified in Annex 1 1. |
| (d) | The Appendices to these Clauses containing forms an integral part of these Clauses. |
| Clause 2 | Effect and invariability of the Clauses (a) These Clauses set out appropriate safeguards, including enforceable data subject rights and effective legal remedies, pursuant to Article 46(1) and Article 46(2)(c) of Regulation (EU) 2016/679 and, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679, provided they are not modified, except to select the appropriate Module(s) or to add or update information in the Annex 1. This does not prevent the Parties from including the standard contractual clauses laid down in these Clauses in a wider contract and/or to add other clauses or additional safeguards, provided that they do not contradict, directly or indirectly, these Clauses or prejudice the fundamental rights or freedoms of data subjects. (b) These Clauses are without prejudice to obligations to which the data exporter is subject by virtue of Regulation (EU) 2016/679. |
| Clause 3 | Third-party beneficiaries (a) Data subjects may invoke and enforce these Clauses, as third-party beneficiaries, against the data exporter and/or data importer, with the following exceptions: (i) Clause 1, Clause 2, Clause 3, Clause 6, Clause 7; (ii) Clause 8 - Clause 8.1(b), 8.9(a), (c), (d) and (e); (iii) Clause 9 –Clause 9(a), (c), (d) and (e); (iv) Clause 12 – Clause 12(a), (d) and (f); (v) Clause 13; (vi) Clause 15.1(c), (d) and (e); (vii) Clause 16(e); (viii) Clause 18 –Clause 18(a) and (b). |
| (b) | Paragraph (a) is without prejudice to rights of data subjects under Regulation (EU) 2016/679. |
| Clause 4 | Interpretation (a) Where these Clauses use terms that are defined in Regulation (EU) 2016/679, those terms shall have the same meaning as in that Regulation. (b) These Clauses shall be read and interpreted in the light of the provisions of Regulation (EU) 2016/679. (c) These Clauses shall not be interpreted in a way that conflicts with rights and obligations provided for in Regulation (EU) 2016/679. |
| Clause 5 | Hierarchy In the event of a contradiction between these Clauses and the provisions of related agreements between the Parties, existing at the time these Clauses are agreed or entered into thereafter, these Clauses shall prevail. |
| Clause 6 | Description of the transfer(s) The details of the transfer(s), and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred, are specified in Annex 1. |
| Clause 7 | Docking clause (a) An entity that is not a Party to these Clauses may, with the agreement of the Parties, accede to these Clauses at any time, either as a data exporter or as a data importer, by completing and signing the Annex 1. (b) Once it has completed and signed the Annex 1 1, the acceding entity shall become a Party to these Clauses and have the rights and obligations of a data exporter or data importer in accordance with its designation in Annex 1. (c) The acceding entity shall have no rights or obligations arising under these Clauses from the period prior to becoming a Party. |
| SECTION II | OBLIGATIONS OF THE PARTIES |
| Clause 8 | Data protection safeguards The data exporter warrants that it has used reasonable efforts to determine that the data importer is able, through the implementation of appropriate technical and organisational measures, to satisfy its obligations under these Clauses. |
| 8.1 | Instructions (a) The data importer shall process the personal data only on documented instructions from the data exporter. The data exporter may give such instructions throughout the duration of the contract. (b) The data importer shall immediately inform the data exporter if it is unable to follow those instructions. |
8.2 Purpose limitation
The data importer shall process the personal data only for the specific purpose(s) of the transfer, as set out in Annex 1, unless on further instructions from the data exporter.
8.3 Transparency
On request, the data exporter shall make a copy of these Clauses, including the Annex 1 as completed by the Parties, available to the data subject free of charge. To the extent necessary to protect business secrets or other confidential information, including the measures described in Annex I and II and personal data, the data exporter may redact part of the text of the Annexes to these Clauses prior to sharing a copy, but shall provide a meaningful summary where the data subject would otherwise not be able to understand the its content or exercise his/her rights. On request, the Parties shall provide the data subject with the reasons for the redactions, to the extent possible without revealing the redacted information. This Clause is without prejudice to the obligations of the data exporter under Articles 13 and 14 of Regulation (EU) 2016/679.
8.4 Accuracy
If the data importer becomes aware that the personal data it has received is inaccurate, or has become outdated, it shall inform the data exporter without undue delay. In this case, the data importer shall cooperate with the data exporter to erase or rectify the data.
8.5 Duration of processing and erasure or return of data
Processing by the data importer shall only take place for the duration specified in Annex 1. After the end of the provision of the processing services, the data importer shall, at the choice of the data exporter, delete all personal data processed on behalf of the data exporter and certify to the data exporter that it has done so, or return to the data exporter all personal data processed on its behalf and delete existing copies. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit return or deletion of the personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process it to the extent and for as long as required under that local law. This is without prejudice to Clause 14, in particular the requirement for the data importer under Clause 14(e) to notify the data exporter throughout the duration of the contract if it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under Clause 14(a).
8.6 Security of processing
| (a) | The data importer and, during transmission, also the data exporter shall implement appropriate technical and organisational measures to ensure the security of the data, including protection against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access to that data (hereinafter ‘personal data breach’). In assessing the appropriate level of security, the Parties shall take due account of the state of the art, the costs of implementation, the nature, scope, context and purpose(s) of processing and the risks involved in the processing for the data subjects. The Parties shall in particular consider having recourse to encryption or pseudonymisation, including during transmission, where the purpose of processing can be fulfilled in that manner. In case of pseudonymisation, the additional information for attributing the personal data to a specific data subject shall, where possible, remain under the exclusive control of the data exporter. In complying with its obligations under this paragraph, the data importer shall at least implement the technical and organisational measures specified in Annex II. The data importer shall carry out regular checks to ensure that these measures continue to provide an appropriate level of security. |
| (b) | The data importer shall grant access to the personal data to members of its personnel only to the extent strictly necessary for the implementation, management and monitoring of the contract. It shall ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. |
| (c) | In the event of a personal data breach concerning personal data processed by the data importer under these Clauses, the data importer shall take appropriate measures to address the breach, including measures to mitigate its adverse effects. The data importer shall also notify the data exporter without undue delay after having become aware of the breach. Such notification shall contain the details of a contact point where more information can be obtained, a description of the nature of the breach (including, where possible, categories and approximate number of data subjects and personal data records concerned), its likely consequences and the measures taken or proposed to address the breach including, where appropriate, measures to mitigate its possible adverse effects. Where, and in so far as, it is not possible to provide all information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay. |
| (d) | The data importer shall cooperate with and assist the data exporter to enable the data exporter to comply with its obligations under Regulation (EU) 2016/679, in particular to notify the competent supervisory authority and the affected data subjects, taking into account the nature of processing and the information available to the data importer. |
8.7 Sensitive data
Where the transfer involves personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions and offences (hereinafter ‘sensitive data’), the data importer shall apply the specific restrictions and/or additional safeguards described in Appendices 1 and 2.
8.8 Onward transfers
The data importer shall only disclose the personal data to a third party on documented instructions from the data exporter. In addition, the data may only be disclosed to a third party located outside the European Union (in the same country as the data importer or in another third country, hereinafter ‘onward transfer’) if the third party is or agrees to be bound by these Clauses, under the appropriate Module, or if:
| (i) | The onward transfer is to a country benefitting from an adequacy decision pursuant to Article 45 of Regulation (EU) 2016/679 that covers the onward transfer; |
| (ii) | The third party otherwise ensures appropriate safeguards pursuant to Articles 46 or 47 Regulation of (EU) 2016/679 with respect to the processing in question; |
| (iii) | The onward transfer is necessary for the establishment, exercise or defence of legal claims in the context of specific administrative, regulatory or judicial proceedings; |
| (iv) | The onward transfer is necessary in order to protect the vital interests of the data subject or of another natural person. Any onward transfer is subject to compliance by the data importer with all the other safeguards under these Clauses, in particular purpose limitation. |
8.9 Documentation and compliance
| (a) | The data importer shall promptly and adequately deal with enquiries from the data exporter that relate to the processing under these Clauses. |
| (b) | The Parties shall be able to demonstrate compliance with these Clauses. In particular, the data importer shall keep appropriate documentation on the processing activities carried out on behalf of the data exporter. |
| (c) | The data importer shall make available to the data exporter all information necessary to demonstrate compliance with the obligations set out in these Clauses and at the data exporter’s request, allow for and contribute to audits of the processing activities covered by these Clauses, at reasonable intervals or if there are indications of non-compliance. In deciding on a review or audit, the data exporter may take into account relevant certifications held by the data importer. |
| (d) | The data exporter may choose to conduct the audit by itself or mandate an independent auditor. Audits may include inspections at the premises or physical facilities of the data importer and shall, where appropriate, be carried out with reasonable notice. |
| (e) | The Parties shall make the information referred to in paragraphs (b) and (c), including the results of any audits, available to the competent supervisory authority on request. |
| Clause 10 | Data subject rights |
| (a) | The data importer shall promptly notify the data exporter of any request it has received from a data subject. It shall not respond to that request itself unless it has been authorised to do so by the data exporter. |
| (b) | The data importer shall assist the data exporter in fulfilling its obligations to respond to data subjects’ requests for the exercise of their rights under Regulation (EU) 2016/679. In this regard, the Parties shall set out in Annex II the appropriate technical and organisational measures, taking into account the nature of the processing, by which the assistance shall be provided, as well as the scope and the extent of the assistance required. |
| (c) | In fulfilling its obligations under paragraphs (a) and (b), the data importer shall comply with the instructions from the data exporter. |
| Clause 11 | Redress |
| (a) | The data importer shall inform data subjects in a transparent and easily accessible format, through individual notice or on its website, of a contact point authorised to handle complaints. It shall deal promptly with any complaints it receives from a data subject. |
| (b) | In case of a dispute between a data subject and one of the Parties as regards compliance with these Clauses, that Party shall use its best efforts to resolve the issue amicably in a timely fashion. The Parties shall keep each other informed about such disputes and, where appropriate, cooperate in resolving them. |
| (c) | Where the data subject invokes a third-party beneficiary right pursuant to Clause 3, the data importer shall accept the decision of the data subject to: (i) lodge a complaint with the supervisory authority in the Member State of his/her habitual residence or place of work, or the competent supervisory authority pursuant to Clause 13; (ii) refer the dispute to the competent courts within the meaning of Clause 18. |
| (d) | The Parties accept that the data subject may be represented by a not-for-profit body, organisation or association under the conditions set out in Article 80(1) of Regulation (EU) 2016/679. |
| (e) | The data importer shall abide by a decision that is binding under the applicable EU or Member State law. |
| (f) | The data importer agrees that the choice made by the data subject will not prejudice his/her substantive and procedural rights to seek remedies in accordance with applicable laws. |
| Clause 12 | Liability |
| (a) | Each Party shall be liable to the other Party for any damages it causes the other Party by any breach of these Clauses. |
| (b) | The data importer shall be liable to the data subject, and the data subject shall be entitled to receive compensation, for any material or non-material damages the data importer or its sub-processor causes the data subject by breaching the third-party beneficiary rights under these Clauses. |
| (c) | Notwithstanding paragraph (b), the data exporter shall be liable to the data subject, and the data subject shall be entitled to receive compensation, for any material or non-material damages the data exporter or the data importer (or its sub-processor) causes the data subject by breaching the third-party beneficiary rights under these Clauses. This is without prejudice to the liability of the data exporter and, where the data exporter is a processor acting on behalf of a controller, to the liability of the controller under Regulation (EU) 2016/679 or Regulation (EU) 2018/1725, as applicable. |
| (d) | The Parties agree that if the data exporter is held liable under paragraph (c) for damages caused by the data importer (or its sub-processor), it shall be entitled to claim back from the data importer that part of the compensation corresponding to the data importer’s responsibility for the damage. |
| (e) | Where more than one Party is responsible for any damage caused to the data subject as a result of a breach of these Clauses, all responsible Parties shall be jointly and severally liable and the data subject is entitled to bring an action in court against any of these Parties. |
| (f) | The Parties agree that if one Party is held liable under paragraph (e), it shall be entitled to claim back from the other Party that part of the compensation corresponding to its/their responsibility for the damage. |
| (g) | The data importer may not invoke the conduct of a sub-processor to avoid its own liability. |
| Clause 13 | Supervision |
| (a) | The supervisory authority ensuring compliance by the data exporter with Regulation (EU) 2016/679 concerning the data transfer will act as the competent supervisory authority. |
| (b) | The data importer commits to jurisdiction and cooperation with the competent supervisory authority. It agrees to respond to inquiries, undergo audits, and adhere to measures set by the authority. |
| Clause 14 | Local laws and practices affecting compliance with the Clauses |
| (a) | The Parties believe that the laws in the third country of destination will not prevent the data importer from fulfilling obligations under these Clauses. |
| (b) | The Parties have considered multiple factors, such as the transfer circumstances, third country laws, and the application of safeguards to make this warranty. |
| (c) | The data importer has done its best to provide relevant information to the data exporter about the third country's laws and will continue cooperating to ensure compliance. |
| (d) | The assessment in paragraph (b) must be documented and presented to the supervisory authority upon request. |
| (e) | The data importer will notify the data exporter if it finds itself under laws not aligned with paragraph (a). |
| (f) | Upon notification from the data importer or if the data exporter believes that the data importer cannot comply, the data exporter will take measures. It may suspend or even terminate the data transfer contract if needed. |
| Clause 15 | Notification |
| 15.1(a)(i) | If the data importer receives a legally binding request for data disclosure from a public authority in the destination country, they must notify the data exporter and possibly the data subject. |
| 15.1(a)(ii) | The data importer should notify the data exporter if they become aware of direct access by public authorities to transferred personal data. |
| 15.1(b) | If the data importer is prohibited from notifying the data exporter/data subject due to laws, they must make efforts to waive this prohibition and document these efforts. |
| 15.1(c) | The data importer should provide the data exporter with information on the received requests regularly throughout the contract's duration. |
| 15.1(d) | The information from paragraphs (a) to (c) should be preserved and made available to the supervisory authority upon request. |
| 15.1(e) | This section ensures the data importer's obligation to promptly notify the data exporter if they cannot comply with these Clauses. |
| 15.2 | Review of legality and data minimisation |
| (a) | The data importer agrees to review the legality of the request for disclosure, especially if it remains within the powers granted to the requesting public authority. It will challenge any request seen as unlawful and seek interim measures to suspend the request's effects until a judicial authority decides. No personal data will be disclosed unless required by procedural rules. These requirements don't affect the obligations under Clause 14(e). |
| (b) | The data importer will document its legal assessment and challenges to any disclosure request. Where permissible, this documentation will be made available to the data exporter and, on request, the competent supervisory authority. |
| (c) | The data importer will provide the minimum amount of information permissible when responding to a disclosure request, based on a reasonable interpretation of the request. |
SECTION IV – FINAL PROVISIONS
| Clause 16 | Non-compliance with the Clauses and termination | |
| (a) | The data importer will inform the data exporter if it cannot comply with these Clauses for any reason. | |
| (b) | If the data importer breaches or cannot comply with these Clauses, the data exporter will suspend data transfers until compliance is ensured or the contract is terminated. This doesn't affect Clause 14(f). | |
| (c) | The data exporter can terminate the contract concerning data processing under these Clauses if: (i) data transfers have been suspended and compliance isn't restored within a month; (ii) the data importer substantially breaches these Clauses; or (iii) the data importer doesn't follow a binding decision about its obligations. If more than two Parties are involved, termination can apply only to the relevant Party unless agreed otherwise. | |
| (d) | Transferred personal data before termination should be returned or deleted. The data importer will certify its deletion. Until deletion or return, compliance with these Clauses must continue. If local laws prevent data return or deletion, the data importer ensures compliance with these Clauses and will process the data only as required by that local law. | |
| (e) | Either Party can revoke its agreement to these Clauses if: (i) the European Commission adopts a decision under Article 45(3) of Regulation (EU) 2016/679 covering the data transfer; or (ii) Regulation (EU) 2016/679 becomes law in the destination country. This doesn't affect other obligations under Regulation (EU) 2016/679. |
| Clause 17 Governing law | These Clauses are governed by the law of the EU Member State where the data exporter is established. If such law doesn't allow for third-party beneficiary rights, they're governed by another EU Member State's law that does, which the Parties agree to be the law of Ireland. |
| Clause 18 Choice of forum and jurisdiction | |
| (a) | Disputes from these Clauses will be resolved by the courts of an EU Member State. |
| (b) | The Parties agree that this will be the courts of Ireland. |
| (c) | Data subjects can also bring proceedings against the data exporter and/or importer before the courts of the Member State where they reside. |
| (d) | The Parties agree to submit to the jurisdiction of such courts. |
Annex 1
Data processing information
This Annex forms part of the Clauses and must be completed and signed by the parties.
The Member States may complete or specify, according to their national procedures, any additional necessary information to be contained in this Annex.
Data exporter
The data exporter is:
- Customer
Data importer
The data importer is:
- Vast.ai Inc.
Data subjects The personal data transferred concern the following categories of data subjects (please specify):
- Customers
Categories of data
The personal data transferred concern the following categories of data:
- Ordinary contact information (including, but not limited to telephone number, e-mail)
- Tracking technologies and persistent identifiers such as Google pixel
Processing operations
The personal data transferred will be subject to the following basic processing activities:
- For the provision of the Services as specified in the Principal Agreement.
- The data will be transferred on a continuous basis.
- The personal data will be retained for so long as is necessary to maintain the business relationship and perform services.
Supervisory Authority: Data Protection Commission of Ireland
ANNEX II TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
The data importer will implement and maintain security standards at least as protective as those set out in Appendix 2 to the Data Processing and Security Terms.
The technical and organisational measures to be taken by Subprocessors are described in the "Subprocessor Security" section of that Appendix.
The technical and organisational measures taken by the data importer to assist the data exporter in fulfilling its obligations to respond to data subjects’ requests for the exercise of their rights under Regulation (EU) 2016/679 are set out in Sections 8 (Impact Assessments and Consultations) and 9 (Access etc.; Data Subject Rights; Data Export) of the Data Processing and Security Terms.
ANNEX III
The controller has authorized the use of the following sub-processors: - Stripe - Google - Meta - Twitter - Microsoft
ANNEX IV SUPPLEMENTARY TERMS FOR UK GDPR TRANSFERS ONLY
The following United Kingdom International Data Transfer Addendum to the European Commission Standard Contractual Clauses supplements the Clauses only if and to the extent the Clauses apply with respect to transfers of personal data subject to the UK GDPR.
International Data Transfer Addendum to the EU Commission Standard Contractual Clauses
VERSION B1.0, in force 21 March 2022
This Addendum has been issued by the Information Commissioner for Parties making Restricted Transfers. The Information Commissioner considers that it provides Appropriate Safeguards for Restricted Transfers when it is entered into as a legally binding contract.
Part 1: Tables
Table 1: Parties
Start date (a) 21 September 2022, where the Terms Effective Date is before 21 September 2022; or (b) otherwise, on the Terms Effective Date.
The Parties Exporter (who sends the Restricted Transfer) Importer (who receives the Restricted Transfer) Parties’ details Full legal name: Vast.ai Inc. Trading name (if different): As specified in the Agreement.
Main address (if a company registered address): As specified in the Agreement.
Official registration number (if any) (company number or similar identifier): As specified in the Agreement.
Full legal name: Trading name (if different): As specified in the Agreement.
Main address (if a company registered address): As specified in the Agreement.
Official registration number (if any) (company number or similar identifier): As specified in the Agreement.
Key Contact Contact details for the data exporter are specified in the Agreement. Details about the data exporter’s data protection officer are available to the data importer in the Admin Console (where such details have been provided by the data exporter). Contact details for the data importer are specified in the Agreement. The data importer can be contacted as described in the Data Processing and Security Terms.
Signature (if required for the purposes of Section 2) The parties agree that execution of the Agreement by the data importer and the data exporter shall constitute execution of this Addendum by both parties. The parties agree that execution of the Agreement by the data importer and the data exporter shall constitute execution of this Addendum by both parties. Table 2: Selected SCCs, Modules and Selected Clauses
Addendum EU SCCs The version of the Approved EU SCCs which this Addendum is appended to, detailed below, including the Appendix Information: Date: 4 June 2021
Reference (if any): Module 2: Controller-to-Processor
Other identifier (if any): N/A
Table 3: Appendix Information
"Appendix Information" means the information which must be provided for the selected modules as set out in the Appendix of the Approved EU SCCs (other than the Parties), and which for this Addendum is set out in:
Annex 1A: List of Parties: Annex I(A) Annex 1B: Description of Transfer: Annex I(B) Annex II: Technical and organisational measures including technical and organisational measures to ensure the security of the data: Annex II Annex III: List of Sub processors (Modules 2 and 3 only): Annex III Table 4: Ending this Addendum when the Approved Addendum Changes
Ending this Addendum when the Approved Addendum changes Which Parties may end this Addendum as set out in Section 19: ✔ Importer
✔ Exporter
☐ neither Party
Part 2: Mandatory Clauses
Mandatory Clauses Part 2: Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 Febr/uary 2022, as it is revised under Section 18 of those Mandatory Clauses. Part 3: Supplementary Clauses
Supplementary Clauses Part 3: Supplementary Clauses of the Approved Addendum, being the following: The data importer may not end this Addendum as set out in Section 19 of the Mandatory Clauses unless the data importer has adopted an Alternative Transfer Solution for the Restricted Transfers by the end date. An "Alternative Transfer Solution" for this purpose means a solution, other than Standard Contractual Clauses, that enables the lawful transfer of personal data to a third country in accordance with Chapter V of the UK GDPR.
Any written notice provided by the data exporter pursuant to Section 19 of the Mandatory Clauses in order to end this Addendum will be deemed to terminate the Agreement for convenience.
Appendix 2 Security Measures - Access control to systems
Measures are taken to prevent unauthorized access to IT systems. These must include the following technical and organizational measures for user identification and authentication:
Password procedures (incl. special characters, minimum length, forced change of password)
No access for guest users or anonymous accounts
Access control to data
Measures are taken to prevent authorized users from accessing data beyond their authorized access rights and prevent the unauthorized input, reading, copying, removal modification or disclosure of data.
- Encryption
Encryption at rest (AES 256) and in transit (BoringSSL) is implemented across the cloud infrastructure.
The Customer remains responsible for the following security measures: - Protection of Customer’s user credentials - Appropriate technical and organizational measures to protect the confidentiality, integrity, and availability of Customer’s networks, endpoints and br/owsers used to access the Services
