- Data Processing Agreement
- 1. Definitions
- 2. Processing of Personal Information
- 3. Rights of Data Subjects
- 4. Agency Personnel
- 5. Subprocessors
- 6. Security
- 7. Customer Data Incident Management and Notification
- 8. Return and Deletion of Customer Data
- 9. Transfer Mechanisms for Data Transfers
- 10. Governing Law
- 11. Limitation of Liability
- 12. Notifications
- 13. Severability
- Annex I (A, B, C) to the Standard Contractual Clauses
- Annex II to the Standard Contractual Clauses
Data Processing Agreement
Effective Date May 7th, 2024 | Version 2024-05-07 | Previous versions archived here
This Data Processing Agreement (“DPA”) forms part of the Services Agreement between StrongDM, Inc. (“StrongDM”) and the customer identified in the Services Agreement (“Customer”), for the provision of Services by StrongDM (the “Agreement”), to reflect the parties’ agreement with regard to the Processing of Customer Personal Information (as such terms are defined herein).
In the course of providing the Services to Customer pursuant to the Agreement, StrongDM may Process Customer Personal Information on behalf of Customer and the parties agree to comply with the following provisions with respect to such Processing of Customer Personal Information.
1. Definitions
Capitalized terms not otherwise defined herein shall have the meaning given to them in the Agreement.
“Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control,” for purposes of this definition, means ownership (directly or indirectly) of more than 50% of the voting rights in the applicable entity.
“CCPA” means the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act.
“Customer Group Member” means Customer or any Customer Affiliate.
“Customer Personal Information” means any Personal Information that is provided by or on behalf of Customer to StrongDM or any Subprocessor and Processed by StrongDM or a Subprocessor on behalf of Customer to provide the Services pursuant to the Agreement.
“Data Protection Laws” means all applicable foreign and domestic privacy and data protection laws and regulations, including, as applicable, all such laws and regulations of the European Union (“EU”), the European Economic Area (“EEA”) and their Member States, Switzerland, the United Kingdom, and California.
“GDPR” means EU General Data Protection Regulation 2016/679.
“Personal Information” means information that is defined as “personal information,” “personal data,” or any analogous term under applicable Data Protection Laws, including any such information that identifies, relates to, describes, is capable of being associated with, or can reasonably be linked, directly or indirectly, with a particular individual or household.
“SCCs” means the clauses annexed to the EU Commission Implementing Decision 2021/914 of June 4, 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (OJ L 199, 7.6.2021, p. 31-61), as amended or replaced from time to time.
“Subprocessor” means any third party appointed by StrongDM to Process Customer Personal Information on behalf of Customer in connection with the Agreement.
“Third-Party Controller” means a Controller for which Customer is a Processor.
“UK Addendum” means the addendum to the SCCs issued by the UK Information Commissioner under Section 119A(1) of the UK Data Protection Act 2018 (version B1.0, in force March 21, 2022).
The terms “Aggregated”, “Business”, “Controller”, “Data Subject”, “Deidentified”, “Member State”, “Process”, “Processor,” “Sale”, “Share,” “Service Provider” and “Supervisory Authority” shall have the same meaning as in the GDPR or the CCPA, as applicable, and their cognate terms shall be construed accordingly.
2. Processing Of Personal Information
2.1 Roles of the Parties
The parties acknowledge and agree that with regard to the Processing of Customer Personal Information, Customer is the Controller or Business (as applicable), StrongDM is the Processor or Service Provider (as applicable), and that StrongDM will engage Subprocessors pursuant to the requirements set forth in Section 5 below. The parties acknowledge and agree that neither of them has reason to believe that the other party is unable to comply with the provisions of this DPA or otherwise that such party is in violation of any Data Protection Law.
2.2 Customer’s Processing of Personal Information
Customer shall not provide Personal Information to StrongDM except as is necessary for StrongDM’s performance of the Services. Customer warrants and represents that it has provided any necessary notices, and obtained any necessary consents, rights, and authorizations, including from any applicable Data Subjects, for StrongDM to Process Personal Information for the Permitted Purposes (defined below). If Customer is a Processor on behalf of a Third-Party Controller, then Customer is the single point of contact for StrongDM, shall obtain all necessary authorizations from such Third-Party Controller, and shall issue all instructions and exercise all rights on behalf of such Third-Party Controller. Customer shall not provide StrongDM with any Personal Information defined or treated as sensitive or special categories of personal data under Data Protection Laws without StrongDM’s prior written consent. Customer shall, in its use of the Services, Process Customer Personal Information in accordance with the requirements of Data Protection Laws and shall immediately notify StrongDM if Customer is in breach of any Data Protection Law. For the avoidance of doubt, Customer’s instructions for the Processing of Customer Personal Information shall comply with Data Protection Laws. As between the parties, Customer shall have sole responsibility for the accuracy, quality, and legality of Customer Personal Information and the means by which Customer acquired Customer Personal Information.
2.3 StrongDM’s Processing of Personal Information
StrongDM shall treat Customer Personal Information as confidential and shall only Process Customer Personal Information as necessary to perform its obligations on behalf of and in accordance with Customer’s documented instructions for the following permitted purposes (the “Permitted Purposes”): (i) in accordance with the Agreement, this DPA, and the applicable order or scope of work; (ii) if initiated by any End User or Data Subject in connection with the use of the Services; and/or (iii) to comply with other documented reasonable instructions provided by Customer (e.g., via email) where such instructions are consistent with the terms of the Agreement, this DPA, and Data Protection Laws. Unless prohibited by applicable law, StrongDM will inform Customer if StrongDM is subject to a legal obligation that requires StrongDM to Process Customer Personal Information in contravention of Customer’s documented instructions.
2.4 No Selling or Sharing
StrongDM shall not: (a) Sell or Share Customer Personal Information; (b) retain, use or disclose Customer Personal Information for any purpose other than for the Permitted Purposes; (c) retain, use, or disclose the information outside of the direct business relationship between StrongDM and Customer; or (d) combine Customer Personal Information with Personal Information obtained from, or on behalf of, sources other than Customer except as permitted under applicable Data Protection Law.
2.5 Details of the Processing
The subject-matter of Processing of Customer Personal Information by StrongDM is the performance of the Services pursuant to the Agreement. The duration of the Processing, the nature and purpose of the Processing, the types of Customer Personal Information and categories of Data Subjects Processed under this DPA are further specified in Schedule 1 attached hereto.
2.6 Instructions for Processing
Each Customer Group Member instructs StrongDM to: Process Customer Personal Information; and in particular, transfer Customer Personal Information to any country or territory, as reasonably necessary for the provision of the Services and consistent with the Agreement; and warrants and represents that it is and will at all relevant times remain duly and effectively authorized to give the instructions set out in this section.
3. Rights Of Data Subjects
3.1 Data Subject Request
StrongDM shall, to the extent legally permitted, promptly notify Customer if StrongDM receives a request from a Data Subject to exercise the Data Subject’s right of access, right to rectification, restriction of or objection to Processing and/or the Sale or Sharing of Personal Information, erasure (“right to be forgotten”), data portability or any other request with respect to Customer Personal Information of the applicable Data Subject as set forth under applicable Data Protection Laws (“Data Subject Request”). Taking into account the nature of the Processing and the Customer Personal Information, StrongDM shall assist Customer by implementing reasonable and appropriate technical and organizational measures designed to enable Customer to fulfil Customer’s obligation to respond to a Data Subject Request under Data Protection Laws. In addition, to the extent Customer, in its use of the Services, does not have the ability to address a Data Subject Request directly, StrongDM shall, upon Customer’s written request, exercise commercially reasonable efforts to assist Customer in responding to such Data Subject Request, to the extent StrongDM is legally permitted to do so. Unless prohibited by applicable law, Customer shall solely be responsible for any costs, including outside counsel fees and expenses, arising from StrongDM’s provision of such assistance.
4. Agency Personnel
4.1 Confidentiality
StrongDM shall ensure that its personnel engaged in the Processing of Customer Personal Information are informed of the confidential nature of the Customer Personal Information and bound by confidentiality obligations, and have received appropriate training regarding the Processing of Customer Personal Information.
4.2 Limitation of Access
StrongDM shall ensure that StrongDM’s access to Customer Personal Information is limited to those personnel performing Services in accordance with the Agreement.
4.3 Policies
Certain policies are available for Customer to review as part of StrongDM’s standard security package upon written request to Customer’s StrongDM Customer Success Manager, at most annually, as defined in the Information Security Exhibit.
5. Subprocessors
5.1 Appointment of Subprocessors
With respect to the Processing of Customer Personal Information, each Customer Group Member authorises StrongDM to appoint (and permit each Subprocessor appointed in accordance with this Section 5.1 to appoint) Subprocessors in accordance with this section 5. StrongDM may continue to use those Subprocessors already engaged by StrongDM as of the date of this DPA, subject to StrongDM, as soon as practicable, meeting the obligations set out in this section. StrongDM has entered or will enter into a written agreement with each Subprocessor containing data protection obligations substantially similar to those in this Agreement with respect to the protection of Customer Personal Information to the extent applicable to the nature of the Services provided by such Subprocessor. Alternatively, StrongDM shall ensure that such Subprocessors publicly post comparable policies online. A list of StrongDM’s current Subprocessors is available at https://security.strongdm.com/subprocessors.
5.2 Notification of New Subprocessors and Customer’s Right to Object
Upon written request from Customer and to the extent required by Data Protection Laws, StrongDM shall give Customer written notice of the appointment of any new Subprocessor, including details of the Processing to be undertaken by the Subprocessor, at least thirty (30) days before authorizing the Subprocessor to Process Customer Personal Information. If, within five (5) business days of receipt of that notice, Customer (acting reasonably and in good faith) notifies StrongDM in writing of any objections to the appointment of such Subprocessor, StrongDM shall use commercially reasonable efforts to make available to Customer an alternative Subprocessor or recommend changes in Customer’s configuration or use of the Services to avoid the Processing of Customer Personal Information by such objected-to Subprocessor. Customer acknowledges and agrees that its objection to any Subprocessors may frustrate StrongDM’s ability to provide the Services and, notwithstanding anything to the contrary in the Agreement or this DPA, will entitle StrongDM to terminate the Agreement without penalty or liability in connection with such termination.
6. Security
6.1 Controls for the Protection of Customer Data
StrongDM shall maintain appropriate technical and organizational measures designed to protect the security (including against unauthorized or unlawful Processing of, and against accidental or unlawful destruction, loss or alteration, unauthorized disclosure of, or access to, Customer Personal Information), confidentiality and integrity of Customer Personal Information; and StrongDM shall monitor compliance with these measures in accordance with its internal information security program. Customer acknowledges that StrongDM’s technical and organizational measures are appropriate in relation to the risks associated with Customer’s intended Processing and will notify StrongDM prior to any intended Processing for which StrongDM’s security measures may not be appropriate.
6.2 Audit; Data Protection Impact Assessment
6.2.1 Upon written request, StrongDM shall provide Customer with a copy of StrongDM’s SOC 2 Report no more than annually. StrongDM shall reasonably cooperate with Customer in relation to any audit of StrongDM that is reasonably necessary to enable Customer, solely to the extent necessary, to comply with its obligations under applicable Data Protection Laws, and shall use commercially reasonable efforts to seek such cooperation from relevant Subprocessors. Any such audit shall be (i) at Customer’s sole expense, (ii) subject to a mutually agreed upon scope and duration, (iii) conducted by an independent third party reasonably acceptable to StrongDM who has signed a nondisclosure agreement with StrongDM or the applicable audited Subprocessor (“Auditor”), (iv) subject to the confidentiality obligations set forth in the Agreement and StrongDM’s standard policies and procedures, and (v) conducted without any penetration testing or vulnerability assessment of any production environment or system. Any information disclosed in connection with such audit shall be the Confidential Information of StrongDM (and/or the Subprocessor, as the case may be).
6.2.2 Customer accepts that certain sensitive information in relation to information technology and security will be redacted before being audited and may only be audited in a manner reasonably determined by StrongDM. Customer shall use reasonable endeavours to minimise any disruption caused to StrongDM’s business activities as a result of such audit. No audit shall last more than five (5) business days each time unless a longer period is required to fulfil any request or comply with any requirement of any regulator. Audits shall take place no more than once in any calendar year unless otherwise required by a Supervisory Authority.
6.2.3 StrongDM shall be entitled to a reasonable time to review any audit report prepared by the Auditor and to consult with the Auditor prior to the report being submitted to Customer. For the avoidance of doubt, all information obtained by Customer pursuant to any audit shall be maintained in confidence by Customer and may not be disclosed to any third party, including, without limitation, any other agents or representatives of Customer, except to the extent necessary to assert or enforce any of Customer’s rights under this DPA or if otherwise required to be disclosed by Data Protection Law, by any Supervisory Authority or by a court or other authority of competent jurisdiction. If any such disclosure is so required, Customer agrees to give StrongDM as much advance notice of the disclosure as possible (where notice of disclosure is not prohibited) and Customer shall meaningfully consult with StrongDM (unless legally prohibited from doing so) in relation to the content and scope of the disclosure.
6.2.4 Upon Customer’s request, StrongDM shall provide Customer with reasonable cooperation and assistance needed to fulfil Customer’s obligation under the GDPR to carry out a data protection impact assessment related to Customer’s use of the Services, to the extent Customer does not otherwise have access to the relevant information, and to the extent such information is reasonably available to StrongDM. StrongDM shall provide reasonable assistance to Customer in the cooperation or prior consultation with the applicable Supervisory Authority in the performance of its tasks relating to this Section of this DPA, to the extent required under the GDPR. Unless prohibited by applicable law, Customer shall solely be responsible for any costs, including outside counsel fees and expenses, arising from StrongDM’s provision of such cooperation and assistance.
7. Customer Data Incident Management And Notification
StrongDM maintains security incident management policies and procedures and shall notify Customer without undue delay, and in line with the timelines required by applicable Data Protection Laws, after becoming aware of any unauthorized destruction, loss, alteration, use, or disclosure of, or access to, Customer Personal Information that is transmitted, stored or otherwise Processed by StrongDM or its Subprocessors (a “Data Security Incident”). StrongDM shall make reasonable efforts to identify the cause of such Data Security Incident and take those steps that StrongDM deems reasonably necessary in order to remediate the cause of any such Data Security Incident, to the extent the remediation is within StrongDM’s reasonable control. StrongDM shall have no liability for costs arising from a Data Security Incident unless caused by StrongDM’s breach of the security obligations under Section 6 of this DPA or other violation of Data Protection Laws by StrongDM. In the event of a Data Security Incident, Customer shall be responsible for notifying Data Subjects and/or Supervisory Authorities. Before any such notification is made, Customer shall consult with StrongDM and provide StrongDM an opportunity to comment on any notification made in connection with a Data Security Incident.
8. Return And Deletion Of Customer Data
StrongDM shall, on the written request of Customer and solely to the extent required by Data Protection Laws, return all Customer Personal Information to Customer and/or at Customer's request delete the same from its systems, so far as is reasonably practicable and other than any back-up copies which StrongDM or its Affiliates are required to retain for compliance with applicable laws or regulatory requirements or otherwise pursuant to StrongDM’s internal data backup procedures, provided that such copies are kept confidential and secure in accordance with this Agreement.
9. Transfer Mechanisms For Data Transfers
9.1 Customer hereby authorizes StrongDM to perform international data transfers to: (i) any country deemed to have an adequate level of data protection by the European Commission or the competent authorities; (ii) on the basis of adequate safeguards in accordance with Data Protection Laws; or (iii) pursuant to the SCCs and the UK Addendum referred to in Sections 9.2 and 9.3.
9.2 By signing this DPA, StrongDM and Customer conclude Module 2 (Controller-to-Processor) of the SCCs and, to the extent Customer is a Processor on behalf of a Third-Party Controller, Module 3 (Processor-to-Subprocessor) of the SCCs, which are hereby incorporated and completed as follows: the “data exporter” is Customer; the “data importer” is StrongDM; the optional docking clause in Clause 7 is implemented; Option 2 of Clause 9(a) is implemented and the time period therein is thirty (30) days; the optional redress clause in Clause 11(a) is struck; Option 1 in Clause 17 is implemented and the governing law is the law of Ireland; the courts in Clause 18(b) are the Courts of Dublin, Ireland; Annex I and II to Module 2 and 3 of the SCCs are Annex I and II to this DPA respectively. For international data transfers from Switzerland, data subjects who have their habitual residence in Switzerland may bring claims under the SCCs before the courts of Switzerland.
9.3 By signing this DPA, StrongDM and Customer conclude the UK Addendum, which is hereby incorporated and applies to international data transfers outside the UK. Part 1 of the UK Addendum is completed as follows: (i) in Table 1, the “Exporter” is Customer and the “Importer” is StrongDM, their details are set forth in this DPA, and the Agreement; (ii) in Table 2, the first option is selected and the “Approved EU SCCs” are the SCCs referred to in Section 9.2 of this DPA; (iii) in Table 3, Annexes 1 (A and B) and II to the “Approved EU SCCs” are Annex I and II respectively; and (iv) in Table 4, both the “Importer” and the “Exporter” can terminate the UK Addendum.
9.4 If StrongDM’s compliance with Data Protection Laws applicable to international data transfers is affected by circumstances outside of StrongDM’s control, including if a legal instrument for international data transfers is invalidated, amended, or replaced, then Customer and StrongDM will work together in good faith to reasonably resolve such non-compliance. In the event that additional, replacement or alternative standard contractual clauses or UK standard contractual clauses are approved by Supervisory Authorities, StrongDM reserves the right to amend the Agreement and this DPA by adding to or replacing, the standard contractual clauses or UK standard contractual clauses that form part of it at the date of signature in order to ensure continued compliance with Data Protection Laws.
10. Governing Law
Without prejudice to Clauses 17 (Governing law) and 18 (Choice of forum and jurisdiction) of the SCCs, as completed in Section 9.2 above, the parties to this DPA hereby submit to the choice of jurisdiction stipulated in the Agreement with respect to any disputes or claims howsoever arising under this DPA, including disputes regarding its existence, validity or termination or the consequences of its nullity; and this DPA shall be governed by the laws of the country or territory stipulated for this purpose in the Agreement.
11. Limitation of Liability
StrongDM's total liability arising out of or related to this DPA, whether based in contract, tort (including negligence or strict liability), or any other theory of liability, shall be subject to Section 11 of the Agreement.
12. Notifications
Customer will send all notifications, requests and instructions under this DPA to StrongDM as set forth in Section 13.7 of the Agreement.
13. Severability
If any provision of this DPA is found to be unenforceable or invalid, that provision will be limited or eliminated to the minimum extent necessary so that this DPA will otherwise remain in full force and effect and enforceable.
Schedule 1
Details of Processing of Customer Personal Information
This Schedule 1 includes certain details of the Processing of Customer Personal Information as required by Article 28(3) GDPR.
Subject matter and duration of the Processing of Customer Personal Information
The subject matter and duration of the Processing of the Customer Personal Information are set out in the Agreement and this DPA.
The nature and purpose of the Processing of Customer Personal Information
StrongDM will Process personal information as necessary to perform the Services pursuant to the Agreement and this DPA.
The types of Customer Personal Information to be Processed
StrongDM will Process different types of personal information on behalf of the Customer to perform the Services pursuant to the Agreement and this DPA, which may include, but is not limited to the following types of personal data:
- First and last name
- IP address
- Geolocation
The categories of Data Subject to whom the Customer Personal Information relates
Customer’s authorized personnel with access to the Customer’s StrongDM account
The obligations and rights of Customer and Customer Affiliates
The obligations and rights of Customer and Customer Affiliates are set out in the Agreement and this DPA.
Annex I (A, B, C) to the Standard Contractual Clauses
This Appendix forms part of the Clauses and must be completed and signed by the parties. The Member States may complete or specify, according to their national procedures, any additional necessary information to be contained in this Appendix.
A. List of Parties
Data Exporter
Name:
Customer (as defined above)
Address:
As defined and found in the Agreement and StrongDM’s customer account record
Contact person's name, position and contact details:
As defined and found in the Agreement and StrongDM’s customer account record
Activities relevant to the data transferred under these Clauses:
Customer receives StrongDM’s services as described in the Agreement and Customer provides Personal Data to StrongDM in that context.
Signature and date:
The parties agree that the execution of the Agreement shall, as applicable, constitute execution of the Standard Contractual Clauses by both parties.
Role (controller/processor):
Controller or Processor
Data Importer
Name:
StrongDM (as defined above)
Address:
228 Hamilton Ave, 3rd Floor, Palo Alto, CA 94301
Contact person’s name, position and contact details:
Craine Runton, Data Protection Officer, dpo@strongdm.com
Activities relevant to the data transferred under these Clauses:
StrongDM provides its services to Customer as described in the Agreement and Processes Personal Data on behalf of Customer in that context.
Signature and date:
The parties agree that the execution of the Agreement shall, as applicable, constitute execution of the Standard Contractual Clauses by both parties.
Role (controller/processor):
Processor
B. Description of International Data Transfer
Categories of data subjects whose personal data is transferred
The personal data transferred concern the following categories of data subjects (please specify):
- Customer’s authorized personnel with access to the Customer’s StrongDM account.
Categories of personal data transferred
The personal data transferred concern the following categories of data (please specify):
Categories of personal data are typically determined and controlled by Customer in its sole discretion, and may include, but is not limited to the following types of personal data:
- First and last name
- IP address
- Geolocation
Special categories of data (if applicable)
The personal data transferred concern the following special categories of data (please specify):
StrongDM does not intentionally collect or process any special categories of personal data in the provision of its services.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis)
On a continuous basis
Nature of the processing
The personal data will be processed and transferred as described in the Agreement.
Purpose(s) of the data transfer and further processing:
The Personal Data will be transferred and further processed for the provision of the Services as described in the Agreement.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period:
Personal Data will be retained for as long as necessary taking into account the purpose of the Processing, and in compliance with applicable laws, including laws on the statute of limitations and Data Protection Law.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing:
For the subject matter and nature of the Processing, reference is made to the Agreement and this DPA. The Processing will take place for the duration of the Agreement.
C. Competent Supervisory Authority
The competent authority for the Processing of Personal Data relating to Data Subjects located in the EEA is the Supervisory Authority a) of Customer’s country of establishment, or, where not applicable, b) of the country where Customer’s EU data protection representative is located, or, where not applicable, c) of one of the EEA countries where the Data Subjects are located.
The competent authority for the Processing of Personal Data relating to Data Subjects located in the UK is the UK Information Commissioner.
The competent authority for the Processing of Personal Data relating to Data Subjects located in Switzerland is the Swiss Federal Data Protection and Information Commissioner.
Annex II
This Appendix forms part of the Clauses and must be completed and signed by the parties.
Description of the technical and organizational security measures implemented by the data importer in accordance with the terms above:
StrongDM, Inc. (“StrongDM”) will maintain administrative, physical, and technical safeguards for protection of the security, confidentiality and integrity of personal data transmitted to the Services, as described in the StrongDM, Inc. Information Security Addendum, located at the following URL which is updated from time to time for accuracy: https://www.strongdm.com/security/addendum