EFFECTIVE: April 3, 2023
THIS DATA SHARING ADDENDUM (including its Annexes attached hereto and referenced herein) (“DSA”) to the Agreement is entered into as of the Addendum Effective Date by and between: (1) Scaled Agile, Inc., a Delaware corporation with its principal business address at 5400 Airport Blvd Suite 300, Boulder, CO 80301, USA (“SAI”); and (2) the entity or other person who is a counterparty to the Agreement into which this DSA is incorporated and forms a part (“Customer”), together the “parties” and each a “party.”
1. Definitions.
1.1 In this DSA the following terms shall have the meanings set out in this Section 1, unless expressly stated otherwise:
(a) “Addendum Effective Date” means the effective date of the Agreement.
(b) “Agreement” means the SAFe Enterprise Agreement, Partner Program Agreement, piplanning.io Agreement and/or other agreement entered into by and between the parties.
(c) “Applicable Data Protection Laws” means all laws governing the privacy, confidentiality, and security of Personal Data under the Agreement, including, to the extent applicable to the relevant Personal Data/Processing, the GDPR, the FADP or the CCPA.
(d) “CCPA” means the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (the “CPRA”), and any binding regulations promulgated thereunder.
(e) “Clauses” means the clauses of the SCCs.
(f) “Controller” means the party that determines the means and purposes for Processing Personal Data.
(g) “Customer Provided Data” means electronic data or information provided by Customer to SAI to the extent such electronic data or information constitutes Personal Data.
(h) “Data Subject” means an identified or identifiable natural person to whom Personal Data relates.
(i) “EEA” means the European Economic Area.
(j) “FADP” means the Swiss Federal Act on Data Protection of 19 June 1992 and its revised version of 25 September 2020.
(k) “FDPIC” means Swiss Federal Data Protection and Information Commissioner.
(l) “GDPR” means, as applicable to the Processing concerned: (i) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (“EU GDPR”), and/or (ii) the EU GDPR as it forms part of the laws of the United Kingdom by virtue of section 3 of the European Union (Withdrawal) Act 2018, including, in each case, any applicable national implementing or supplementary legislation (e.g., the UK Data Protection Act 2018), and any successor, amendment or re-enactment, to or of the foregoing.
(m) “Information Security Incident” means a breach of SAI’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Provided Data (to the extent it constitutes Personal Data) in SAI’s possession, custody or control. Information Security Incidents do not include unsuccessful attempts or activities that do not compromise the security of Customer Provided Data (to the extent it constitutes Personal Data), including unsuccessful log-in attempts, pings, port scans, denial of service attacks or other network attacks on firewalls or networked systems.
(n) “Personal Data” means any information that constitutes “personal data,” “personal information,” or similar information governed by Applicable Data Protection Laws.
(o) “Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
(p) “Restricted Transfer” means the disclosure, grant of access or other transfer of Personal Data under this Agreement to any person located: (i) in the context of the EEA, in any country or territory outside the EEA which does not benefit from an adequacy decision from the European Commission (an “EEA Restricted Transfer”); (ii) in the context of the UK, in any country or territory outside the UK which does not benefit from an adequacy decision from the UK Government (a “UK Restricted Transfer”); and (iii) in the context of Switzerland, in a country or territory outside of Switzerland which does not benefit from an adequacy decision from the Swiss Government (a “Swiss Restricted Transfer”), in each case, which would be prohibited without a legal basis under the GDPR and/or FADP.
(q) “SAFe Platform” means SAI’s web-based SAFe Enterprise platform, piplanning.io platform and/or other designated websites designed to achieve and sustain business agility.
(r) “Security Measures” has the meaning given in Section 2.1.
(s) “SCCs” means the standard contractual clauses approved by the European Commission pursuant to implementing Decision (EU) 2021/914.
(t) “UK Transfer Addendum” means the template Addendum B.1.0 issued by the United Kingdom’s Information Commissioner’s Office and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under section 18 of the Mandatory Clauses included in Part 2 thereof (the “UK Mandatory Clauses”).
(u) “User Personal Data” means (i) Customer Provided Data; and (ii) Personal Data which SAI receives from time to time directly from users, or is otherwise derived from users, via the SAFe Platform or otherwise.
1.2 The parties acknowledge and agree that the parties:
(a) are independent Controllers in respect of User Personal Data; and
(b) shall comply with their respective obligations as independent Controllers under Applicable Data Protection Laws.
1.3 For the avoidance of doubt, the parties acknowledge and agree that the parties are not “joint Controllers” as such term is interpreted under Applicable Data Protection Laws.
2. Data Security.
2.1 SAI will implement and maintain administrative, technical, physical, and organizational measures designed to protect User Personal Data against accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of, or access to, User Personal Data as described in Annex 3 (Security Measures) (the “Security Measures”). SAI may update the Security Measures from time to time, provided the updated measures do not decrease the overall protection of User Personal Data.
2.2 SAI will notify Customer without undue delay of any Information Security Incident affecting Customer Provided Data of which SAI becomes aware to the extent that Customer Provided Data constitutes Personal Data. Such notifications will describe available details of the Information Security Incident, including steps taken to mitigate the potential risks and steps SAI recommends Customer take to address the Information Security Incident. SAI’s notification of or response to an Information Security Incident will not be construed as SAI’s acknowledgement of any fault or liability with respect to the Information Security Incident.
2.3 Customer agrees that, without limitation of SAI’s obligations under this Section 2, Customer is solely responsible for its use of the Services, including (a) making appropriate use of the Services to ensure a level of security appropriate to the risk in respect of the Customer Provided Data; (b) securing the account authentication credentials, systems and devices Users use to access the Services; (c) securing Customer’s systems and devices that SAI uses to provide the Services; and (d) backing up Customer Provided Data.
3. SAI’s Data Subject Request Assistance.
SAI will provide Customer with assistance reasonably necessary for Customer to perform its obligation under Applicable Data Protection Laws to fulfill requests by Data Subjects to exercise their rights under Applicable Data Protection Laws with respect to Customer Provided Data in SAI’s possession (“Data Subject Requests”). Customer shall compensate SAI for any such assistance at SAI’s then-current professional services rates, which shall be made available to Customer upon request. If SAI receives a Data Subject Request, SAI will notify Customer and Customer will be responsible for responding to any such request.
4. Data Transfers.
4.1 Where SAI is certified under a scheme (such as the EU-U.S. Data Privacy Framework, UK Extension and/or Swiss-U.S. Data Privacy Framework (as applicable)) that benefits from an adequacy decision from the European Commission, UK Government and/or Swiss Government (as applicable) (each a “Transfer Scheme”), SAI will rely on the Transfer Scheme to appropriately safeguard Restricted Transfers.
4.2 To the extent that the transmission of Personal Data under this DSA constitutes an EEA Restricted Transfer and is not otherwise appropriately safeguarded under a Transfer Scheme, the parties shall comply with their respective obligations set out in the SCCs, which are deemed to be populated in accordance with Part 1 of Annex 2 (Restricted Transfer Details), entered into with effect from the first date of any such EEA Restricted Transfer and incorporated by reference into this DSA. To the extent of any conflict or inconsistency between the SCCs and this Agreement, the SCCs will govern.
4.3 To the extent that the transmission of Personal Data under this DSA constitutes a UK Restricted Transfer and is not otherwise appropriately safeguarded under a Transfer Scheme, the parties shall comply with their respective obligations set out in the SCCs, which are deemed to be varied to address the requirements of the UK GDPR in accordance with the UK Transfer Addendum and populated in accordance with Part 2 of Annex 2 (Restricted Transfer Details), entered into with effect from the first date of any such UK Restricted Transfer and incorporated by reference into this DSA.
4.4 To the extent that the transmission of Personal Data under this DSA constitutes a Swiss Restricted Transfer and is not otherwise appropriately safeguarded under a Transfer Scheme, the parties shall comply with their respective obligations set out in the SCCs, which are deemed to be populated in accordance with Part 1 of Annex 2 (Restricted Transfer Details), varied to address the requirements of the FADP in accordance with Part 3 of Annex 2 (Restricted Transfer Details), entered into with effect from the first day of any such Swiss Restricted Transfer and incorporated by reference into this DSA.
4.5 SAI may on notice vary this Section 4 and replace the SCCs or the UK Transfer Addendum with: (i) any new or replacement set(s) of standard contractual clauses; or (ii) any other transfer mechanism that enables the lawful transfer of Personal Data under this Agreement in compliance with Chapter V of the GDPR and/or the FADP.
5. Customer Responsibilities.
Customer represents and warrants to SAI that Customer Provided Data does not and will not contain any Social Security numbers or other government-issued identification numbers, protected health information subject to the U.S. Health Insurance Portability and Accountability Act (HIPAA) or other information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional; health insurance information; biometric information; passwords to any online accounts; credentials to any financial accounts; tax return data; any payment card information subject to the Payment Card Industry Data Security Standard; Personal Data of children under 16 years of age; or any other information that falls within any special categories of data (as defined in the Applicable Data Protection Laws). Customer shall ensure (and is solely responsible for ensuring) that it has given such notices to and obtained such consents and permissions from third parties (including, without limitation, Data Subjects), and has reserved all rights, in each case, as may be required under Applicable Data Protection Laws or otherwise for Customer to provide Customer Provided Data to SAI as contemplated by the Agreement.
6. Liability.
The total combined liability of either party and its affiliates towards the other party and its Affiliates, whether in contract, tort or any other theory of liability, under or in connection with this DSA will be limited to the limitations on liability or other liability caps agreed to by the parties in the Agreement; provided that nothing in the Agreement or this DSA will affect any party’s liability to Data Subjects under the third-party beneficiary provisions of the SCCs, where applicable, to the extent limitation of such rights is prohibited by Applicable Data Protection Laws.
7. CCPA.
7.1 For purposes of this Section 7, the terms “business,” “commercial purpose,” “sell,” “share” and “service provider” shall have the respective meanings given thereto in the CCPA, and “personal information” shall mean Customer Provided Data that constitutes “personal information” governed by the CCPA.
7.2 In respect of any Processing by SAI of Personal Data not in relation to SAI’s provision of the Services to Customer, SAI (A) does not act as a service provider; (B) independently determines the purposes and means of such Processing; (C) shall comply with Applicable Data Protection Laws; and (D) shall apply technical and organizational safeguards to any relevant Personal Data that are no less protective than those required by this DSA.
7.3 SAI (a) acknowledges that personal information is disclosed by Customer only for limited and specified purposes described in the Agreement; (b) shall comply with applicable obligations under the CCPA and shall provide the same level of privacy protection to personal information as is required by the CCPA; (c) agrees that Customer has the right to take reasonable and appropriate steps to help to ensure that SAI’s use of personal information is consistent with Customer’s obligations under the CCPA; (d) shall notify Customer in writing of any determination made by SAI that it can no longer meet its obligations under the CCPA; and (e) agrees that Customer has the right, upon notice, including pursuant to the preceding clause, to take reasonable and appropriate steps to stop and remediate unauthorized use of personal information.
7.4 It is the parties’ intent that with respect to any personal information within the scope of this Section 7, SAI is a service provider. SAI shall not (A) sell such personal information; (B) retain, use or disclose such personal information for any purpose other than for the specific purpose of (i) enrolling and authenticating Users in the Courseware, the Courses, and the SAFe Platform; and (ii) performing its other obligations and exercising its rights under the Agreement, including retaining, using, or disclosing the personal information for a commercial purpose other than the provision of the Services; or (C) retain, use or disclose such personal information outside of the direct business relationship between SAI and Customer. SAI hereby certifies that it understands its obligations under this Section 7.4 and will comply with them.
7.5 The parties acknowledge that SAI’s retention, use and disclosure of personal information authorized by Customer’s instructions documented in the DSA are integral to SAI’s provision of the Services and the business relationship between the parties.
7.6 SAI agrees to cooperate in good faith with Customer concerning any amendments as may be necessary to address compliance with the CCPA.
ANNEX 1
DATA SHARING DETAILS
PART 1: DETAILS OF THE PARTIES
A. SAI / ‘DATA IMPORTER’ DETAILS
Name: | Scaled Agile, Inc. |
Address: | 5400 Airport Blvd Suite 300, Boulder, CO 80301, USA |
Contact Details for Data Protection: | support@scaledagile.com |
SAI Activities: | SAI is the provider of the SAFe Platform |
Role: | Controller |
B. CUSTOMER / ‘DATA EXPORTER’ DETAILS
Name: | The entity or other person who is a counterparty to the Agreement |
Address: | Customer’s address is (i) the address shown in the Agreement; or (ii) if no such address is contained within the Agreement, the Customer’s principal business trading address |
Contact Details for Data Protection: | Customer’s contact details are: (i) the contact details shown in the Agreement; or (ii) if no such contact details are contained within the Agreement, Customer’s contact details submitted by Customer and associated with Customer’s account for the Services |
Customer Activities: | Customer’s activities relevant to this DSA are the use and receipt of the Services under and in accordance with, and for the purposes anticipated and permitted in, the Agreement |
Role: | Controller |
PART 2: DETAILS OF DATA SHARING
Where the SAFe Enterprise Agreement and/or piplanning.io Agreement applies:
Categories of Data Subjects: | Customer may submit Personal Data of users to the Services |
Categories of Personal Data: | Customer may submit Personal Data of Users to the Services, including first name, surname, and business email address |
Sensitive Categories of Data, and associated additional restrictions/safeguards: | N/A |
Frequency of transfer: | Ongoing – as initiated by Customer in and through its use, or use on its behalf, of the Services |
Nature of the Processing: | Processing operations required in order to provide the Services in accordance with the Agreement |
Purpose of the Processing: | Customer Provided Data will be processed: (i) as necessary to provide the Services as initiated by Customer in its use thereof, and (ii) to comply with any other reasonable instructions provided by Customer in accordance with the terms of this DSA |
Duration of Processing / Retention Period: | Concurrent with the term of the Agreement and then thereafter pursuant to the terms of the Agreement, unless otherwise agreed in writing |
Where the Partner Program Agreement applies:
Categories of Data Subjects: | Customer may submit Personal Data of users to SAI |
Categories of Personal Data: | Customer may submit Personal Data of users to SAI, including first name, surname, and business email address |
Sensitive Categories of Data, and associated additional restrictions/safeguards: | N/A |
Frequency of transfer: | Ongoing – as initiated by Customer |
Nature of the Processing: | Processing operations required in order to provide the Services in accordance with the Agreement |
Purpose of the Processing: | Customer Provided Data will be processed in order to (i) validate and verify users’ attendance at courses held by Customer; and (ii) provide information to users regarding their course |
Duration of Processing / Retention Period: | Concurrent with the term of the Agreement and then thereafter pursuant to the terms of the Agreement, unless otherwise agreed in writing |
ANNEX 2
RESTRICTED TRANSFER DETAILS
PART 1: EEA RESTRICTED TRANSFERS
1 Population of the body of the SCCs. The following selections within the text of Module One and the Clauses thereof are agreed:
1.1 In Clause 7: the optional ‘Docking Clause’ is included in full.
1.2 In Clause 11: the optional language is not used and is deleted.
1.3 In Clause 13: all square brackets are removed, and all text therein is retained.
1.4 In Clause 17: the parties agree that the SCCs shall be governed by the law of Ireland in relation to any EEA Restricted Transfer, and Clause 17 is populated accordingly.
1.5 In Clause 18: the parties agree that any dispute arising from the SCCs in relation to any EEA Restricted Transfer shall be resolved by the courts of Ireland, and Clause 18(b) is populated accordingly.
2 Population of Annexes to the Appendix to the SCCs.
2.1 Annex I to the Appendix to the SCCs is populated with the corresponding information detailed in Annex 1 (Data Sharing Details) to the Agreement, with: Customer being ‘data exporter’; and SAI being ‘data importer’.
2.2 Part C of Annex I to the Appendix to the SCCs is populated as below:
(a) The competent supervisory authority shall be determined as follows:
(i) Where Customer is established in an EU Member State: the competent supervisory authority shall be the supervisory authority of that EU Member State in which Customer is established.
(ii) Where Customer is not established in an EU Member State, Article 3(2) of the GDPR applies and Customer has appointed an EU representative under Article 27 of the GDPR: the competent supervisory authority shall be the supervisory authority of the EU Member State in which Customer’s EU representative relevant to the processing hereunder is based (from time-to-time).
(iii) Where Customer is not established in an EU Member State, Article 3(2) of the GDPR applies, but Customer has not appointed an EU representative under Article 27 of the GDPR: the competent supervisory authority shall be the Irish Data Protection Commission; unless no data subjects whose personal data is transferred under these Clauses in relation to the offering of goods or services to them, or whose behaviour is monitored, are located in Ireland, in which case the parties agree to work together to agree the appropriate competent supervisory authority, which must be the supervisory authority of an EU Member State in which such data subjects are located.
2.3 Annex II to the Appendix to the SCCs is populated as below:
(a) General: Please refer to Annex 3 (Security Measures).
PART 2: UK RESTRICTED TRANSFERS
1 UK Transfer Addendum
1.1 Where relevant in accordance with Section 4.3 of the DSA, the SCCs also apply in the context of UK Restricted Transfers as varied by the UK Transfer Addendum as follows:
(a) Part 1 to the UK Transfer Addendum. The parties agree:
(i) Tables 1, 2 and 3 to the UK Transfer Addendum are deemed populated with the corresponding details set out in Annex 1 (Data Sharing Details) of this DSA and Part 1 of this Annex 2 (Restricted Transfer Details) (subject to the variations effected by the UK Mandatory Clauses described in Paragraph 1.1(b) below); and
(ii) Table 4 to the UK Transfer Addendum is completed by the box labelled ‘Data Importer’ being deemed to have been ticked.
(b) Part 2 to the UK Transfer Addendum. The parties agree to be bound by the UK Mandatory Clauses of the UK Transfer Addendum.
1.2 As permitted by section 17 of the UK Mandatory Clauses, the parties agree to the presentation of the information required by ‘Part 1: Tables’ of the UK Transfer Addendum in the manner set out in Paragraph 1.1 of this Part 2; provided that the parties further agree that nothing in the manner of that presentation shall operate or be construed so as to reduce the Appropriate Safeguards (as defined in section 3 of the UK Mandatory Clauses).
1.3 In relation to any UK Restricted Transfer to which they apply, where the context permits and requires, any reference in the DSA to the SCCs, shall be read as a reference to those SCCs as varied in the manner set out in Paragraph 1.1 of this Part 2.
PART 3: SWISS RESTRICTED TRANSFERS
1.1 Where relevant in accordance with Section 4.4 of the DSA, the SCCs are varied as follows:
(a) the FDPIC is the sole Supervisory Authority for Swiss Restricted Transfers exclusively subject to the FADP;
(b) the terms “General Data Protection Regulation” or “Regulation (EU) 2016/679” as utilized in the SCCs are interpreted to include the FADP with respect to Swiss Restricted Transfers;
(c) references to Regulation (EU) 2018/1725 are removed; and
(d) references to the “Union”, “EU” and “EU Member State” are interpreted in such a way as not to exclude Data Subjects in Switzerland from the possibility of exercising their rights in their place of habitual residence (Switzerland) in accordance with Clause 18(c) of the SCCs.
ANNEX 3
SECURITY MEASURES
- Organizational management and dedicated staff responsible for the development, implementation, and maintenance of SAI’s information security program.
- Periodic review and assessment of security risks to SAI’s organization, monitoring and maintaining compliance with SAI’s security policies and procedures, and reporting the condition of its information security and compliance to internal senior management as needed.
- Data security controls which include, at a minimum, logical segregation of data, restricted (e.g., role-based) access and monitoring, and utilization of commercially available industry standard encryption technologies for User Personal Data that is transmitted over public networks (i.e., the Internet) or when transmitted wirelessly or stored on portable or removable media (e.g., laptop computers, CD/DVD, USB drives, back-up tapes).
- Logical access controls designed to manage electronic access to data and system functionality based on authority levels and job functions, (e.g., granting access on a need-to-know and least privilege basis, use of unique IDs and passwords for all users, periodic review, and revoking/changing access promptly when employment terminates or changes in job functions occur).
- Password controls designed to manage and control password strength, expiration and usage, including prohibiting users from sharing passwords and requiring that the passwords SAI assigns to its employees: (i) be at least eight (8) characters in length; (ii) not be stored in readable format on SAI’s computer systems; (iii) have defined complexity; (iv) have a history threshold to prevent reuse of recent passwords; and (v) when newly issued, be changed after first use.
- System audit or event logging and related monitoring procedures to proactively record user access and system activity.
- Physical and environmental security of data centers, server room facilities and other areas containing User Personal Data designed to: (i) protect information assets from unauthorized physical access, (ii) manage, monitor, and log movement of persons into and out of SAI’s facilities, and (iii) guard against environmental hazards such as heat, fire, and water damage.
- Operational procedures and controls to provide for configuration, monitoring and maintenance of technology and information systems, including secure disposal of systems and media to render all information or data contained therein as undecipherable or unrecoverable prior to final disposal or release from SAI’s possession. Change management procedures and tracking mechanisms designed to test, approve, and monitor all material changes to SAI’s technology and information assets.
- Incident management procedures designed to allow SAI to investigate, respond to, mitigate, and notify of events related to SAI’s technology and information assets.
- Network security controls that provide for the use of enterprise firewalls and layered DMZ architectures, and intrusion detection systems and other traffic and event correlation procedures designed to protect systems from intrusion and limit the scope of any successful attack.
- Vulnerability assessment, patch management and threat protection technologies, and scheduled monitoring procedures designed to identify, assess, mitigate, and protect against identified security threats, viruses, and other malicious code.
- Business resiliency/continuity and disaster recovery procedures designed to maintain service and/or recovery from foreseeable emergencies or disasters.