1. Data Processing
1.1 Scope and Roles. This DPA applies when Customer Personal Data is processed by Taco. In this context, Taco will act as processor to Customer and Customer will act either as controller or processor of Customer Personal Data.
1.2 Customer as Controller of Customer Personal Data. If Customer is Controller of Customer Personal Data, Customer agrees that (i) it will comply with its obligations as a Controller under Applicable Data Protection Law in respect of its processing of Customer Personal Data and any processing instructions it issues to Taco; and (ii) it has provided notice and obtained (or will obtain) all consents and rights necessary for Taco to process Customer Personal Data pursuant to the EULA and this DPA.
1.3 Customer as Processor of Customer Personal Data. If Customer is Processor of Customer Personal Data, Customer warrants on an ongoing basis that the relevant Controller has authorized: (i) Taco's processing of Customer Personal Data as outlined in this DPA and in Annex 1; (ii) Customer's appointment of Taco as another processor; and (iii) Taco's engagement of Subprocessors as described in Section 6. To the extent required by Applicable Data Protection Law, Customer will immediately forward to the relevant Controller any notice provided by Taco in connection to this DPA.
1.4 Customer Instructions. Taco will process Customer Personal Data only: (i) for the purpose of providing Cilantro services and in accordance with Customer's documented lawful instructions as set forth in the EULA and this DPA; (ii) as part of the direct business relationship between Customer and Taco; (iii) to the extent necessary to detect data security incidents, or protect against fraudulent or illegal activity; or (iv) as required by law, provided Taco shall inform Customer of such legal requirement prior to commencing such processing unless prohibited by law. The parties agree that the Customer's complete and final instructions with regard to the nature and purposes of the processing are set out in this DPA.
1.5 Details of Data Processing.
- 1.5.1 Subject matter. The subject matter of the data processing under this DPA is Customer Personal Data.
- 1.5.2 Duration. As between Taco and Customer, the duration of the data processing under this DPA is the term of the EULA.
- 1.5.3 Purpose. The purpose of the data processing under this DPA is to enable the transfer of Customer Data (which may include Customer Personal Data) between third party applications.
- 1.5.4 Nature of the processing. Cilantro connects two or more of Customer’s third party applications (Connected Apps) via APIs to enable the transfer of Customer Data (which may include Customer Personal Data) between the Connected Apps as described in the Documentation and initiated by Customer from time to time. Taco processes Customer Personal Data for the purposes of a transfer between Connected Apps and does not retain Customer Personal Data within its systems.
- 1.5.5 Categories of data subjects. The data subjects could include Customer’s customers, end users, employees, suppliers and other third parties whose personal data is included in Customer Data which is transferred between the Connected Apps.
- 1.5.6 Type of Customer Personal Data. Customer Personal Data which forms part of the Customer Data transferred between the Connected Apps. Customer acknowledges that Taco will be generally unaware of the content of Customer Data (including Customer Personal Data) transferred between Connected Apps.
1.6 Compliance with Laws. Each party will comply with all laws, rules and regulations applicable to it and binding on it in the performance of this DPA, including Applicable Data Protection Law.
2. Customer Instructions
The parties agree that this DPA and the EULA (including Customer providing instructions via configuration tools within Cilantro and APIs made available by Taco for Cilantro) constitute Customer’s documented instructions regarding Taco’s processing of Customer Personal Data (Documented Instructions). Taco will process Customer Personal Data only in accordance with Documented Instructions (which if Customer is acting as a processor, could be based on the instructions of its controllers).
3. Confidentiality of Customer Personal Data
Taco will not access or use, or disclose to any third party, any Customer Personal Data, except, in each case, as necessary to maintain or provide Cilantro, or as necessary to comply with the law or a valid and binding order of a governmental body (such as a subpoena or court order). If a governmental body sends Taco a demand for Customer Personal Data, Taco will attempt to redirect the governmental body to request that data directly from Customer. As part of this effort, Taco may provide Customer’s basic contact information to the governmental body. If compelled to disclose Customer Personal Data to a governmental body, then Taco will give Customer reasonable notice of the demand to allow Customer to seek a protective order or other appropriate remedy unless Taco is legally prohibited from doing so.
4. Confidentiality Obligations of Taco Personnel
Taco restricts its personnel from processing Customer Personal Data without authorization by Taco as described in the Technical and Organisational Measures. Taco imposes appropriate contractual obligations upon its personnel, including relevant obligations regarding confidentiality, data protection and data security.
5. Security of Data Processing
5.1 Technical and Organisational Measures. Taco has implemented and will maintain appropriate technical and organizational security measures to protect Customer Personal Data from Security Incidents and to preserve the security and confidentiality of the Customer Personal Data when processed by Cilantro (Technical and Organisational Measures), as updated or replaced from time to time in accordance with Section 5.2.
5.2 Updates to Technical and Organisational Measures. Customer warrants that it has carried out its own review of the information made available by Taco relating to data security and has made an independent determination that Cilantro and the Technical and Organisational Measures meet Customer’s requirements and legal obligations under Applicable Data Protection Laws. Customer acknowledges that the Technical and Organisational Measures are subject to technical progress and development and that Taco may update or modify the Technical and Organisational Measures from time to time provided that such updates and modifications do not result in the degradation of the overall security of Cilantro.
5.3 Customer responsibility. Customer is responsible for implementing technical and organisational measures to protect Customer Personal Data stored in the Connected Apps, including:
- 5.3.1 pseudonymisation and encryption to ensure an appropriate level of security for Customer Personal Data transferred between the Connected Apps;
- 5.3.2 measures to ensure the ongoing confidentiality, integrity, availability and resilience of the processing systems and services that are operated by Customer, including the Connected Apps;
- 5.3.3 measures to allow Customer to backup and archive appropriately in order to restore availability and access to Customer Personal Data in a timely manner in the event of a physical or technical incident; and
- 5.3.4 processes for regularly testing, assessing and evaluating the effectiveness of the technical and organizational measures implemented by Customer.
6. Sub-processing
6.1 Authorised Subprocessors. Customer agrees that in order to provide Cilantro, Taco may engage Subprocessors to process Customer Personal Data.
6.2 Subprocessor Obligations. Where Taco authorizes a Subprocessor to process Customer Personal Data:
- 6.2.1 Taco will restrict the Subprocessor’s access to Customer Personal Data to what is necessary to assist Taco in providing or maintaining Cilantro, and will prohibit the Subprocessor from accessing Customer Personal Data for any other purpose;
- 6.2.2 Taco will enter or has already entered into a written agreement with the Subprocessor imposing data protection terms that require the Subprocessor to protect the Customer Personal Data to the standard required by Applicable Data Protection Law; and
- 6.2.3 Taco will remain responsible for its compliance with the obligations of this DPA and for any acts or omissions of the Subprocessor that cause Taco to breach any of its obligations under this DPA.
6.3 Subprocessor Updates. Taco will provide Customer with a 30-day prior notice on its website if it intends to make any changes to its Subprocessors. Customer may receive notifications of new Subprocessors and updates to existing Subprocessors by subscribing for updates at https://taco.cilantro.au/security. Customer may, within 90 days of notification, object in writing to Taco’s appointment of a new Subprocessor, provided that such objection is based on reasonable grounds relating to the processing of Customer Personal Data by the new Subprocessor. In such event, the parties will discuss such objection in good faith with a view to achieving resolution. If this is not possible, Customer may suspend or terminate the Agreement (without prejudice to any fees incurred by Customer prior to suspension or termination).
7. Cooperation
7.1 Taco Assistance with Data Subject Requests. Taco will assist Customer in fulfilling Customer’s obligations to respond to data subjects’ requests under Applicable Data Protection Law. If a data subject makes a request to Taco in relation to Customer Personal Data, Taco will promptly forward such request to Customer once Taco has identified that the request is from a data subject for whom Customer is responsible. Customer authorizes Taco, on its behalf and on behalf of its controllers when Customer is acting as a processor, to respond to any data subject who makes a request to Taco in order to confirm that Taco has forwarded the request to Customer. The parties agree that Taco forwarding data subjects’ requests to Customer in accordance with this Section represents the scope and extent of Taco’s required assistance.
7.2 Request from authorities. If Taco receives a subpoena, court order, warrant or other legal demand from law enforcement or public or judicial authorities seeking the disclosure of Customer Personal Data, Taco shall, to the extent permitted by applicable laws, promptly notify Customer in writing of such request and reasonably cooperate with Customer to limit, challenge or protect against such disclosure.
8. Security Incident Notification
8.1 Security Incident. Taco will:
- 8.1.1 notify Customer of a Security Incident without undue delay after becoming aware of the Security Incident, and
- 8.1.2 take appropriate measures to address the Security Incident, including measures to mitigate any adverse effects resulting from the Security Incident.
8.2 Taco Assistance. To enable Customer to notify a Security Incident to supervisory authorities or data subjects (as applicable), Taco will cooperate with and assist Customer by including in the notification under Section 8.1.1 such information about the Security Incident as Taco is able to disclose to Customer, taking into account the nature of the processing, the information available to Taco, and any restrictions on disclosing the information, such as confidentiality. Taking into account the nature of the processing, Customer agrees that it is best able to determine the likely consequences of a Security Incident.
8.3 Unsuccessful Security Incidents. Customer agrees that:
- 8.3.1 an unsuccessful Security Incident will not be subject to this Section 8. An unsuccessful Security Incident is one that results in no unauthorized access to Customer Personal Data or to any of Taco’s equipment or facilities storing Customer Personal Data, and could include, without limitation, pings and other broadcast attacks on firewalls or edge servers, port scans, unsuccessful log-on attempts, denial of service attacks, packet sniffing (or other unauthorized access to traffic data that does not result in access beyond headers) or similar incidents; and
- 8.3.2 Taco’s obligation to report or respond to a Security Incident under this Section 8 is not and will not be construed as an acknowledgement by Taco of any fault or liability of Taco with respect to the Security Incident.
8.4 Communication. Notification(s) of Security Incidents, if any, will be delivered to one or more of Customer’s administrators by any means Taco selects, including via email. It is Customer’s sole responsibility to ensure Customer’s administrators maintain accurate contact information on the Taco management console and secure transmission at all times.
8.5 Notification Obligations. If Taco notifies Customer of a Security Incident, or Customer otherwise becomes aware of any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data, Customer will be responsible for:
- 8.5.1 determining if there is any resulting notification or other obligation under Applicable Data Protection Law; and
- 8.5.2 taking necessary action to comply with those obligations. This does not limit Taco’s obligations under this Section 8.
9. Audits
9.1 Taco Audits. Taco uses external auditors to verify the adequacy of its Technical and Organisational Measures. This audit will:
- 9.1.1 be performed at least annually;
- 9.1.2 be performed according to ISO 27001 standards or such other alternative standards that are substantially equivalent to ISO 27001;
- 9.1.3 be performed by independent third-party security professionals at Taco’s selection and expense; and
- 9.1.4 result in the generation of an audit report (Report), which will be Taco’s Confidential Information.
9.2 Audit Reports. At Customer’s written request, and provided that the parties have an applicable NDA in place, Taco will provide Customer with a copy of its SOC2 Report so that Customer can reasonably verify Taco’s compliance with its obligations under this DPA.
9.3 Privacy Impact Assessment and Prior Consultation. Taking into account the nature of the processing and the information available to Taco, Taco will assist Customer in complying with Customer’s obligations in respect of data protection impact assessments and prior consultation, by providing the information Taco makes available under this Section 9.
9.4 Customer Audit Rights. To the extent Customer’s audit requirements under Applicable Data Protection Laws cannot reasonably be satisfied through the Reports, documentation or compliance information Taco makes generally available to its customers, Taco will promptly respond to Customer’s additional audit requests. Before the commencement of an audit, Customer and Taco will mutually agree upon the scope, timing, duration, and control and evidence requirements. To the extent needed to perform the audit, Taco will make the processing systems, facilities and supporting documentation relevant to the processing of Customer Personal Data by Taco available. Neither Customer nor the third-party auditors, if any, shall have access to any data from Taco’s other customers or to Taco systems or facilities not involved in the processing of Customer Personal Data. Customer is responsible for all costs and expenses related to such audit, including all reasonable costs and expenses for time Taco expends for any such audit.
10. GDPR and UK GDPR compliance
10.1 This Section 10 applies to the extent that Customer Personal Data includes data which is protected by the GDPR or UK GDPR.
10.2 Regions. Customer can specify the location(s) where Customer Personal Data will be processed within the available locations (Region), including Regions in the EEA. Once Customer has made its choice, Taco will not transfer Customer Personal Data from Customer’s selected Region(s) except as necessary to comply with the law or a valid and binding order of a governmental body.
10.3 Cross-Border Transfers. Where the transfer of Customer Personal Data is from the EEA, Switzerland or the United Kingdom to a territory which has not been recognized by the European Commission as providing an adequate level of protection for Customer Personal Data on the basis of Article 45 GDPR (or in the case of transfers from the United Kingdom, by the United Kingdom Government), Taco agrees to process that Customer Personal Data as follows:
- 10.3.1 subject to clause 10.3, where Customer is a controller of Customer Personal Data, the EU SCCs (Controller-to-Processor) will apply and are incorporated into this DPA;
- 10.3.2 subject to clause 10.3, where Customer is a processor of Customer Personal Data, the EU SCCs (Processor-to-Processor) will apply and are incorporated into this DPA and Customer agrees that it is unlikely that Taco will know the identity of Customer’s controllers because Taco has no direct relationship with Customer’s controllers and therefore, Customer will fulfill Taco’s obligations to Customer’s controllers under the Processor-to-Processor Clauses;
- 10.3.3 for transfers of Customer Personal Data from the United Kingdom, the UK Addendum will apply and is incorporated into this DPA; and
10.4 Alternative Transfer Mechanism. The SCCs and UK Addendum will not apply to a data transfer if Taco has adopted an alternative data export solution (as recognized under Applicable Data Protection Laws) and the alternative data export solution shall apply instead.
11. Australian Privacy Act compliance
Under this Section 11, Taco will not transfer Customer Personal Data to a Subprocessor outside Australia without Customer’s prior written consent. Where Taco transfers Customer Personal Data to a Subprocessor outside Australia, Taco shall ensure that the Subprocessor provides a level of protection to the Customer Personal Data that is at least equivalent to the protection afforded by the Australian Privacy Principles.
12. CCPA Compliance
12.1 Applicability. This Section 12 applies to the extent Customer is a Business that is subject to the CCPA and submits Personal Information (as that term is defined under CCPA) as part of Customer Personal Data in connection with Taco’s performance of the EULA or use of Cilantro. Customer appoints Taco as its Service Provider to collect and process the Customer Personal Data for the purposes outlined in this DPA.
12.2 Service Provider Commitments. Taco will not:
- 12.2.1 Sell Customer Personal Data;
- 12.2.2 retain, use, or disclose the Customer Personal Data for any purpose other than for the Business Purpose, including to retain, use, or disclose the Customer Personal Data for a commercial purpose other than providing its Services under the Agreement;
- 12.2.3 retain, use, or disclose the Customer Personal Data outside of the direct business relationship between Taco and the Customer;
- 12.2.4 process the Customer Personal Data for targeted and/or cross context behavioural advertising;
- 12.2.5 combine Customer Personal Data that it receives from, or on behalf of, Customer, with Personal Information that it receives from, or on behalf of, another person or persons, or collects from its own interaction with the Consumer, if and to the extent such combination would be inconsistent with the limitations on Service Providers under the CCPA or other laws.
13. Termination of the DPA
This DPA will continue in force until the termination of the EULA (Termination Date).
14. Return or Deletion of Customer Personal Data
Taco does not retain any Customer Personal Data in its systems. Customer is responsible for ensuring the return or deletion of any Customer Personal Data which is transferred by Cilantro to and stored in Connected Apps.
15. Entire Agreement; Conflict
If applicable, this DPA incorporates the SCCs and UK Addendum by reference. Except as amended by this DPA, the EULA will remain in full force and effect. If there is a conflict between the EULA and this DPA, the terms of this DPA will prevail to the extent necessary to resolve the conflict. Nothing in this document varies or modifies the SCCs or the UK Addendum.
16. Definitions
Unless otherwise defined in the EULA, all capitalized terms used in this DPA will have the meanings given to them below:
“API” means an application program interface.
“Applicable Data Protection Law” means all laws and regulations applicable to and binding on the processing of Customer Personal Data by a party, including, as applicable, the GDPR, Australian Privacy Act 1988 (Cth) and CCPA.
“CCPA” means Title 1.81.5 California Consumer Privacy Act of 2018 (California Civil Code §§ 1798.100–1798.199), as amended by the California Privacy Rights Act of 2020 (“CPRA”) or otherwise, or superseded from time to time.
“Connected Apps” has the meaning given to that term in Section 1.5.4.
“Customer Personal Data” means the Personal Data that is processed by Cilantro when Cilantro is used by Customer to transfer data between Connected Apps.
“Documentation” means the then-current documentation for Cilantro located at https://taco.cilantro.au/portal/document-hub.
“EEA” means the European Economic Area.
“EU GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
“EU SCCs (Controller-to-Processor)” means the terms located at:
“EU SCCs (Processor-to-Processor)” means the terms located at: [NEED LINK]
“GDPR” means, as applicable, the EU GDPR and/or the UK GDPR.
“Personal Data” means personal data, personal information, personally identifiable information or other equivalent term (each as defined in Applicable Data Protection Law).
“Region” has the meaning given to it in Section 10.2 of this DPA.
“SCCs” means the EU SCCs (Controller-to-Processor) or the EU SCCs (Processor-to-Processor) as applicable.
“Security Incident” means an unauthorized or unlawful breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Customer Personal Data.
“Sell” or “Sale” means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing or by electronic or other means, Customer Personal Data to a third party for monetary or valuable consideration.
“Subprocessor” means any processor engaged by Taco to assist in fulfilling its obligations with respect to providing Cilantro pursuant to the EULA or this DPA. Subprocessors may include third parties or Taco’s related entities.
“Taco Network” means the servers, networking equipment, and host software systems (for example, virtual firewalls) that are within Taco’s control and are used to provide Cilantro.
“Technical and Organisational Measures” means the security standards attached to this DPA as Annex 1.
“UK Addendum” means the terms located at: http://www.confluent.io/dpa/uksccs-c2p
“UK GDPR” means the EU GDPR as amended and incorporated into UK law under the UK European Union (Withdrawal) Act 2018, and applicable secondary legislation made under that Act.
The terms “Business”, “collect”, “Consumer”, “Controller”, “Data Subject”, “Processor”, “process”, “processing” and “Service Provider” have the meanings given to them in Applicable Data Protection Laws.