1.1 This Data Protection DPA including all Appendices (the “DPA”) forms part of and supplements any Master Agreement it is attached to or that contains a link to this DPA. In the event of a conflict between this DPA and the Master Agreement, the terms of this DPA shall prevail. Capitalized terms used in this DPA and not otherwise defined have the meanings given to such terms in the Master Agreement.
1.2 The parties agree the provisions of this DPA shall apply to any Customer Personal Data which Sandbox AQ processes in the course of providing Services.
1.3 In this DPA, the following defined terms shall have the following meanings:
Customer Personal Data
Any personal data processed by Sandbox AQ or by any sub-contractors on behalf of the Customer pursuant to or in connection with the Master Agreement including (a) any personal data that the Customer uploads or inputs into a Product or otherwise makes available to Sandbox AQ, including in connection with Professional Services and (b) any personal data that is generated and made available to Customer by any Product through use of the personal data described in (a) above. For the avoidance of doubt, Customer Personal Data forms a subset of the Customer Data.
Data Protection Legislation
The GDPR, Directive 2002/58/EC and any legislation and/or regulation implementing or made pursuant to them, or which amends, replaces, re-enacts or consolidates any of them, and all other applicable laws relating to processing of personal data and privacy that may exist in any relevant jurisdiction.
EU personal data
The processing of personal data to which Data Protection Legislation of the European Union, or of a Member State of the European Union or European Economic Area, was applicable prior to its processing by Sandbox AQ.
FADP
The new Swiss Federal Act on Data Protection.
GDPR
In each case to the extent applicable to the processing activities: (i) Regulation (EU) 2016/679 (“EU GDPR”); and (ii) UK GDPR.
Log in Credentials
Means user name/email, password, IP address, device identifiers or any other personal data used to authenticate/verify Users’ access to the Products and Professional Services.
Protected Area
(i) in the case of EU personal data, the member states of the European Union and the European Economic Area and any country, territory, sector or international organisation in respect of which an adequacy decision under Art.45 EU GDPR is in force;
(ii) in the case of UK personal data, the United Kingdom and any country, territory, sector or international organisation in respect of which an adequacy decision under United Kingdom adequacy regulations is in force; and
(iii) in the case of Swiss personal data, any country, territory, sector or international organisation which is recognised as adequate under the laws of Switzerland;
Security Breach
Any personal data breach relating to the Customer Personal Data in Sandbox AQ’s possession, custody or control.
Standard Contractual Clauses
Means:
In respect of EU personal data, the standard contractual clauses for the transfer of personal data to third countries pursuant to the GDPR, adopted by the European Commission under Commission Implementing Decision (EU) 2021/914, including the text from Module(s) one and two of such clauses as indicated in clause 1.17 and not including any clauses marked as optional (“EU Standard Contractual Clauses”);
In respect of Swiss personal data, the EU Standard Contractual Clauses, provided that any references in the clauses to the EU GDPR shall refer to the FADP; and the term ‘member state’ must not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence in accordance with clause 18(c) of the clauses;
In respect of UK personal data:
The International Data Transfer DPA to the EU Standard Contractual Clauses, issued by the Information Commissioner and laid before Parliament in accordance with s.119A of the Data Protection Act 2018 on 2 February 2022 but, as permitted by clause 17 of such DPA, the parties agree to change the format of the information set out in Part 1 of the DPA so that:
The details of the parties in table 1 shall be as set out in clause 1.21 (with no requirement for signature);
For the purposes of table 2, the DPA shall be appended to the EU Standard Contractual Clauses (including the selection of modules and disapplication of optional clauses as noted above) and clause 1.20 below selects the option and timescales for clause 9 (Module 2 only);
The appendix information listed in table 3 is set out in clause 1.21; and
For the purposes of table 4, the importer may end this DPA as set out in clause 19 of the DPA.
Swiss personal data
Personal data to which the FADP was applicable prior to its processing by Sandbox AQ.
UK GDPR
Means the GDPR as applicable as part of UK domestic law by virtue of section 3 of the European Union (Withdrawal) Act 2018 and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (as amended).
UK personal data
The processing of personal data to which data protection laws of the United Kingdom were applicable prior to its processing by Sandbox AQ.
The terms “controller”, “data subject”, “processor”, “personal data”, “personal data breach”, “process” and “appropriate technical and organisational measures” shall be interpreted in accordance with the GDPR, or other applicable Data Protection Legislation in the relevant jurisdiction.
1.4 The parties agree that:
1.4.1 to the extent Sandbox AQ processes business contact information or Log in Credentials relating to the Customer and its Users in the course of the performance of its obligations under the Master Agreement, it shall act as an independent controller and shall comply with its respective obligations under applicable Data Protection Legislation in relation thereto and shall process such information in accordance with its privacy notice at Our Privacy Policy - Safeguarding Your Information | SandboxAQ; and
1.4.2 where Sandbox AQ processes any other Customer Personal Data in connection with the performance of its obligations under the Master Agreement, Sandbox AQ is the processor. The Parties agree that the Customer shall be the controller.
1.5 In its use of the Products, the Customer shall:
1.5.1 comply with the requirements of Data Protection Legislation;
1.5.2 only share personal data with Sandbox AQ where there is an appropriate legal basis in place; and
1.5.3 if required, notify data subjects that their personal data will be processed by Sandbox AQ and of their rights under Data Protection Legislation.
1.6 When Sandbox AQ processes Customer Personal Data in the course of performing its obligations under the Master Agreement, Sandbox AQ will:
1.6.1 process the Customer Personal Data only in accordance with documented instructions from the Customer. The Master Agreement (including this DPA) constitutes such documented instructions. If Sandbox AQ is required to process the Customer Personal Data for any other purpose by applicable laws to which Sandbox AQ is subject, Sandbox AQ will inform Customer of this requirement first, unless such law(s) prohibit this on important grounds of public interest; and
1.6.2 notify the Customer immediately if, in Sandbox AQ's opinion, an instruction for the processing of the Customer Personal Data given by the Customer infringes applicable Data Protection Legislation, it being acknowledged that Sandbox AQ shall not be obliged to undertake additional work to determine if Customer's instructions are compliant.
1.7 The subject-matter of the data processing is the performance of the Master Agreement. The obligations and rights of the Customer are as set out in the Agreement. The Appendix to this DPA sets out the nature, duration and purpose of the processing, the types of personal data Sandbox AQ processes and the categories of data subjects whose personal data is processed.
1.8 The Customer instructs Sandbox AQ to process Customer Personal Data as reasonably necessary (i) to provide the Products and Professional Services to the Customer (including, without limitation, to support, improve and update the Products and Professional Services (including any data analytics and service modelling) and to carry out processing initiated by Users in their use of the Products), and (ii) to perform Sandbox AQ’s obligations and exercise Sandbox AQ’s rights under the Master Agreement. The Customer agrees and acknowledges that Sandbox AQ may aggregate the Customer Personal Data in a manner that does not identify individuals for Sandbox AQ’s internal use to improve, develop and optimise Sandbox AQ’s and its Affiliates’ products and services and for other business purposes as determined in Sandbox AQ’s sole discretion.
1.9 Sandbox AQ shall assist the Customer, always taking into account the nature of the processing:
1.9.1 by appropriate technical and organisational measures and, in so far as is practicable, in fulfilling the Customer’s obligations to respond to requests from data subjects exercising their rights;
1.9.2 in reasonably ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR, taking into account the information available to Sandbox AQ; and
1.9.3 by making available to the Customer all available information which the Customer reasonably requests to allow the Customer to demonstrate that the obligations set out in Article 28 of the GDPR relating to the appointment of processors have been met.
1.10 To the extent that assistance under Clause 1.9 is not included within the Master Agreement, Sandbox AQ may charge a reasonable fee for any such assistance, save where assistance was required directly as a result of Sandbox AQ's own acts or omissions, in which case such assistance will be at Sandbox AQ's expense.
1.11 Sandbox AQ shall implement and maintain appropriate technical and organisational measures to protect the Customer Personal Data against unauthorised or unlawful processing and against accidental loss, destruction, damage, theft, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful processing, accidental loss, destruction, damage or theft of the Customer Personal Data and having regard to the nature of the Customer Personal Data which is to be protected. As a minimum, this shall include the Data Security Requirements in Exhibit D of the Master Agreement.
1.12 Sandbox AQ shall ensure that personnel required to access the Customer Personal Data are subject to a binding duty of confidentiality in respect of such Customer Personal Data.
1.13 In the event of a Security Breach, Sandbox AQ will: (a) use all reasonable endeavours to investigate the Security Breach and to identify and mitigate the effects of the Security Breach and to remedy the Security Breach; and (b) notify the Customer without undue delay.
1.14 The Customer agrees that Sandbox AQ may engage third-party sub-contractors (including any Affiliates) for the purposes of processing the Customer Personal Data under the Agreement (“Subprocessors”). A list of Subprocessors approved by the Customer as at the date of this Agreement is as follows: (1) Amazon Web Services, (2) Google Cloud Platform, (3) Okta, Inc., (4) Datadog, Inc., and (5) Atlassian Corporation. Sandbox AQ can at any time appoint a new Subprocessor provided that the Customer is given 7 days prior notice and the Customer does not object to such changes within that timeframe. If Customer has a legitimate objection to the appointment of a new Subprocessor within such period Sandbox AQ shall use reasonable efforts to make available to Customer a change in the Products or Professional Services or recommend a change to Customer’s configuration or use of the Products or Professional Services, in each case to avoid the processing of Customer Personal Data by the objected-to Subprocessor for Customer’s consideration and approval.
1.15 Sandbox AQ must include in any contract with the Subprocessor provisions in favour of the Customer which are substantially similar to those in this DPA and as are required by applicable Data Protection Legislation. For the avoidance of doubt, where a Subprocessor fails to fulfil its obligations under any sub-processing agreement or any applicable Data Protection Legislation, Sandbox AQ will remain fully liable to the Customer for the fulfilment of Sandbox AQ's obligations under these terms.
1.16 Sandbox AQ will allow the Customer and its respective auditors or authorised agents to conduct audits or inspections during the term of the Agreement and provide all reasonable assistance in order to assist the Customer in exercising its audit rights under this Clause 1.16. If the Customer's request for information or access relates to a Subprocessor, or information held by a Subprocessor which Sandbox AQ cannot provide to the Customer itself, Sandbox AQ will promptly submit a request for additional information in writing to the relevant Subprocessor(s). The Customer acknowledges that access to the Subprocessor’s premises or to information about the Subprocessor’s previous independent audit reports is subject to agreement from the relevant Subprocessor, and that Sandbox AQ cannot guarantee access to that Subprocessor’s premises or audit information at any particular time, or at all. The purposes of an audit pursuant to this Clause include verifying that Sandbox AQ and its Subprocessors are processing Customer Personal Data in accordance with the obligations under this DPA.
1.17 Sandbox AQ shall not, and shall ensure that none of its Affiliates or subcontractors shall, transfer, access or use EU, Swiss or UK personal data outside of the Protected Area without Customer’s prior authorisation. Customer agrees to authorise the transfers set out in the Appendix of this DPA, and Sandbox AQ and Customer agree to comply with the obligations set out in the Standard Contractual Clauses as though they were set out in full in this Agreement, with Customer as the ‘data exporter’ and Sandbox AQ as the ‘data importer’, with the parties’ signature and dating of the Master Agreement or Order Form, as applicable, being deemed to be the signature and dating of the Standard Contractual Clauses, and with the Annexes and/or Appendices to the Standard Contractual Clauses being as set out in clause 1.21 of this DPA. Module 1 of the Standard Contractual Clauses shall apply where Sandbox AQ acts as an independent controller as described in clause 1.4.1, and Module 2 shall apply where Sandbox AQ processes Customer Personal Data as a processor as described in clause 1.4.2.
1.18 At the end of the Services, upon the Customer's request, Sandbox AQ shall securely destroy or return such Customer Personal Data to the Customer and delete existing copies thereof unless applicable laws require storage of such Customer Personal Data.
1.19 The parties agree that the aggregate liability of parties to each other under or in connection with the Standard Contractual Clauses shall be limited as set out in clause 13 of the Master Agreement.
1.20 For the purposes of the EU Standard Contractual Clauses, the following shall apply:
1.20.1 Clause 9 option b (where Module 2 applies): general written authorization for sub-processors, and the parties agree that the notice period for advising of any intended changes to the agreed list of sub-processors shall be 7 days in advance;
1.20.2 Clause 17 (Governing law): the clauses shall be governed by the laws of France;
1.20.3 Clause 18 (Choice of forum and jurisdiction) the courts of France shall have jurisdiction.
1.21 For the purposes of the Annexes to the EU SCCs:
1.21.1 Annex 1 A (List of Parties):
1.21.2 Annex 1 B (Description of Transfer):
1.21.3 Details of any transfers to subprocessors are as follows:
Annex 1 C (Competent Supervisory Authority):
1.21.4 Annex II (technical and organizational measures)
1.21.5 Annex III (List of Sub-Processors)
1.22 In the event that the Customer gives its consent to Sandbox AQ transferring personal data outside the Protected Area and a relevant European Commission decision or other valid adequacy method under applicable Data Protection Legislation on which the Customer has relied in authorising the data transfer is held to be invalid, or that any supervisory authority requires transfers of personal data made pursuant to such decision to be suspended, then the Parties agree to discuss in good faith and facilitate use of an alternative transfer mechanism.
Appendix: Data Processing Information
Nature and purpose of processing operations
The nature of the processing operations is the provision of the Products and Professional Services pursuant to the Agreement. Sandbox AQ will process Customer Personal Data as reasonably necessary to provide the Products and Professional Services pursuant to the Master Agreement, as further specified in the DPA.
Categories of data subject
The personal data concern the following categories of data subjects (please specify):
Categories of data
The personal data concern the following categories of data (please specify):
Sandbox AQ will process Log in Credentials about Users of the Products and business contact details about its Customers and their Affiliates as controller.
Other Customer Personal Data which Sandbox AQ processes as processor will depend upon the Customer’s use of the Products and Professional Services but it is likely to be incidental and processed in a very limited manner.
To the extent the Customer Data contains Customer Personal Data, it may consist of:
Special categories of data (if appropriate)
The personal data concern the following special categories of data (please specify):
N/A
Duration of Processing
The personal data may be processed as long as reasonably necessary to provide the Products and Professional Services.
List of any Sub-Processors
Amazon Web Services, Google Cloud Platform, Okta, Inc., Datadog, Inc., and Atlassian Corporation (Jira).