CloudBees Data Processing Agreement

Capitalized terms shall have the meaning set out below. Any capitalized terms not defined in this DPA shall have the meaning set out in the Agreement or as otherwise defined in the applicable data protection laws and regulations:

“Breach Event”: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to the Personal Data transmitted, stored, or otherwise processed by CloudBees.

“CCPA” refers to the California Consumer Privacy Act of 2018 and its implementing regulations, as well as the California Privacy Rights Act of 2020.

“Processing”: any operation or set of operations which is performed on Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

“Personal Data”: any information relating to an identified or identifiable natural person (“Data Subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier, which may be supplied to and Processed by Processor on behalf of the Controller pursuant to or in connection with the Agreement.

“Processor”: CloudBees as the legal person who processes the Personal Data on behalf of the Customer.

“Standard Contractual Clauses”: (i) the Standard Contractual Clauses approved by the Commission Decision 2021/914 of 4 June 2021 for the transfer of personal data to third countries pursuant to the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (“GDPR”) and (ii) the International Data Transfer Agreement issued by the Information Commissioner’s Office in the United Kingdom.

“Sub-Processor”: an entity engaged by the Processor exclusively for the Processing activities to be carried out pursuant to or in connection with the Agreement on behalf of the Controller and in accordance with its instructions, as transmitted by the Controller.

2.1 Unless otherwise agreed in writing, this DPA will take effect on the date of the Agreement’s effective date and, notwithstanding its expiry, remain in effect until, and automatically expire upon, deletion of all Personal Data by CloudBees as described in this DPA.

2.2. This DPA applies when Personal Data is Processed by CloudBees as part of the provision of the CloudBees Products, as further specified in the Agreement and the applicable order form, quote, SoW or equivalent document.

2.3. The parties acknowledge and agree that the european data protection legislation, such as GDPR will apply to the processing of Controller Personal Data if, for example: i) the processing is carried out in the context of the activities of an establishment of Controller in the territory of the EEA; and/or ii) the Controller provides data that is personal data relating to Data Subjects who are in the EEA and the processing relates to the offering to them of goods or services in the EEA or the monitoring of their behavior in the EEA.

2.4. The Parties acknowledge and agree that non-european data protection legislation, such as the CCPA or the Brazilian Lei Geral de Proteção de Dados, may also apply to the processing of Controller Data.

3.1. To the extent that the GDPR or other privacy Laws and regulations with analogous terms apply to CloudBees’s Processing of Personal Data on behalf of the Customer under the Agreement, CloudBees is the Processor to the Customer, who can act either as the controller or processor of Personal Data, as those or analogous terms are defined under applicable legislation.

3.2. To the extent that the CCPA applies to CloudBees Processing of Personal Data on behalf of Customer under the Agreement, (a) Customer is the “Business” and CloudBees is the “Service Provider”; (b) CloudBees will Process Personal Data solely on behalf of Customer and for the specific business purposes set forth in the Agreement; and (c) CloudBees will not retain, use, disclose, or otherwise Process such Personal Data for any purpose other than for the specific purpose of performing the Service as specified in the Agreement.

3.3. CloudBees will process the Personal Data in accordance with the Customer’s instructions and applicable laws: (a) to provide the Service, (b) as documented in the Agreement, including this DPA; and (c) as further documented in any other written instructions given by Customer and acknowledged by CloudBees as constituting instructions for purposes of this DPA. CloudBees will comply with all lawful and reasonable Controller instructions. If CloudBees cannot comply with an instruction, it will notify the Customer without undue delay.

3.4. The nature and purpose of the Processing and the type of Personal Data and categories of Data Subjects about whom Personal Data shall be processed are determined by Customer, based on Customer’s use of the CloudBees Products and the Personal Data that Customer chooses to upload to the Service(s) or otherwise provide to CloudBees for the purpose of Processing. The categories of Data Subjects may include Customer’s employees, staff, vendors, end users, or the Personal Data of any other Individuals whom Customer chooses to provide to CloudBees under the Agreement. Details of the data processing are further described in Appendix 1.

3.5. At Customer’s request, CloudBees will reasonably support the Customer or any Data Controller in dealing with requests from Data Subjects or regulatory authorities regarding CloudBees’s processing of Personal Data under this DPA. Where requested to do so by the Customer, CloudBees shall disclose the information reasonably required to demonstrate compliance with the applicable data protection Laws, including the necessary information for the Customer to carry out a privacy impact assessment of the CloudBees Products and implement mitigation actions agreed by the Parties to address privacy risks which may have been identified.

3.6. CloudBees shall, upon request, make available to the Controller information reasonably necessary to demonstrate compliance with this DPA and/or the necessary information for the Controller to carry out a privacy impact assessment of the Service and in implementing mitigation actions agreed by the Parties to address privacy risks which may have been identified.

3.7. Upon termination of the Agreement for whatever reason, and upon Customer’s written request made within thirty (30) days after such termination, CloudBees will (as applicable) return to Customer or destroy all Personal Data. After such 30-day period, CloudBees will destroy such Personal Data.

4.1. CloudBees will implement and maintain technical and organizational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access (“Security Measures”). Those are further described in Appendix 2. CloudBees may update or modify the Security Measures from time to time at its discretion, provided that such updates and modifications do not result in the degradation of the overall security of the Service.

4.2. CloudBees will take appropriate steps to ensure compliance with the Security Measures by its employees, contractors, and Sub-processors to the extent applicable to their scope of performance, including ensuring that all persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

4.3.CloudBees will make commercially reasonable efforts to assist Customers in ensuring compliance with their obligations in respect to the applicable laws.

4.4. CloudBees shall notify Customers without undue delay but in no event later than seventy-two (72) hours after becoming aware of any Breach Event.

5.1. Customer acknowledges and agrees that may engage Subprocessor(s) in the performance of the Service(s) on Customer’s behalf. All Subprocessors to whom CloudBees transfers Personal Data are bound by substantially the same material obligations as CloudBees undertakes under this DPA and provide adequate guarantees of security and compliance. CloudBees will be liable for the acts and omissions of its Subprocessors to the same extent that CloudBees would be liable if performing the Service directly, under the terms of the Agreement.

5.2. The current Subprocessors are mentioned in Appendix 1-A. CloudBees may use new Subprocessors provided it notifies the Customer in advance of any changes to the list of Subprocessors in place on the Effective Date. If Customer has a legitimate reason, Customer may object to CloudBees’s use of a Subprocessor, by notifying CloudBees in writing within thirty days after receipt of CloudBees’s notice. If the Customer objects to the use of the Subprocessor, the parties will come together in good faith to discuss a resolution. CloudBees may choose to: (i) not use the Subprocessor or (ii) take the corrective steps requested by Customer in its objection and use the Subprocessor. If none of these options is reasonably possible and Customer continues to object for a legitimate reason, either party may terminate the Agreement on thirty days' written notice. If Customer does not object within thirty days of receipt of the notice, Customer is deemed to have accepted the new Subprocessor.

6.1. Where (i) Customer transfers Personal Data within the European Economic Area, the United Kingdom, or Switzerland to CloudBees (where such transfer includes Personal Data subject to the GDPR), and (ii) CloudBees will be Processing such Personal Data in a country that (a) is not subject to an adequacy decision of the EU Commission (or in case such adequacy decision is invalidated) and (b) does not provide an adequate level of protection within the meaning of applicable Privacy Laws and Regulations, the Parties shall be subject to the appropriate Standard Contractual Clauses mentioned in Appendix 1. Nothing in this DPA will be construed to prevail over any conflicting clause of the Standard Contractual Clauses.

This DPA shall be governed by, and construed and enforced in accordance with, the governing clause established in the Agreement. In the absence of a governing clause, the law of CloudBees’s registered office shall apply.