Last updated on: July 29, 2023

This Data Processing Agreement (the "DPA") forms an integral part of all agreements between the Customer and writefastly, and the Customer, identified in the signature block below.

This DPA includes the Master Subscription Agreement or any services agreement or similar agreement (collectively "Agreement") and outlines the Parties' agreement regarding the Processing of Controller Data.

In the provision of Services to the Customer under the Agreement, writefastly may Process Personal Data on behalf of the Customer. Both Parties agree to comply withthe following provisions concerning any Personal Data, each acting reasonably and in good faith.

This DPA supplements the Agreement, and if there is any conflict between the terms of this DPA and the terms of the Agreement, the terms of this DPA prevail with regard to the specific subject matter of this DPA. This DPA becomes effective on the date that both Parties have duly executed it ("Effective Date") and supersedes any previous agreements related to data processing and/or data protection between the Parties.

1. Definitions

Any capitalized terms used but not defined in this DPA have the meaning provided in the Agreement.

(a) "Affiliate" refers to any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. Control, for the purposes of this definition, means direct or indirect ownership or control of over 50% of the voting interests of the subject entity.

(b) "Applicable Data Protection Law" encompasses (a) all data protection laws and regulations applicable to the European Economic Area and Switzerland, including (i) the General Data Protection Regulation 2016/679 ("GDPR"), and EU Member State laws supplementing the GDPR; (b) the UK Data Protection Act of 2018, and the UK GDPR ("UK Data Protection Laws"); and (c) any other laws and regulations applicable to Processor's Processing of Controller Data under the Agreement.

(c) "Authorized Affiliate" means an entity that owns or controls, is owned or controlled by, or is under common control or ownership with the Customer, where control is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract or otherwise.

(d) "California Privacy Law" refers to the California Consumer Privacy Act until January 1, 2023, and subsequently the California Privacy Rights Act.

(e) "Controller" as used in this DPA, refers to the Customer.

(f) "Controller Data" refers to any Personal Data Processed by Processor on behalf of Customer in connection with the Agreement.

(g) "Customer" refers to the entity determining the purposes and means of the Processing of Personal Data, and includes any Authorized Affiliates of the Customer, to the extent applicable, as well as a "Business" as defined under the California Privacy Law.

(h) "Data Breach" refers to a security breach that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Controller Data transmitted, stored, or otherwise processed by Processor.

(i) "Permitted Purpose" means the use of Controller Data to the extent necessary for the provision of Services by Processor to the Controller.

(j) "Personal Data" refers to information relating to an identified or identifiable natural person that relates to or describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, to a particular natural person.

(k) "Processing" refers to any operation or set of operations performed on Personal Data, whether or not by automated means, such as collection, recording, organization, sharing, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

(l) "Processor" refers to writefastl, and any writefastly entities, including its Affiliates, which Processes Personal Data on behalf of the Customer, and to the extent applicable, includes a "Service Provider" as defined under the California Privacy Law.

(m) "Regulator" means any supervisory authority with authority under Applicable Data Protection Law concerning all or any part of the provision or receipt of the Services or the Processing of Personal Data.

(n) "Restricted Transfer" refers to:

(o) "Services" refers to products and services ordered by the Controller through a link or an Order under the Agreement and made available online by Processor.

(p) "Sub-processor" means any third-party data processor engaged by Processor who receives Personal Data from Processor for processing on behalf of the Controller and according to the Controller's instructions (as communicated by Processor) and the terms of its written subcontract.

(q) The terms "Commission", "Data Subject", "Member State", and "Supervisory Authority" maintain the same meanings as in the Applicable Data Protection Laws, and their cognate terms should be construed accordingly.

2. Purpose

2.1
Controller and Processor have entered into the Agreement, which grants the Controller the right to access and use the Services. Processor will engage in the processing of Personal Data that Controller submits and stores within the Services on Controller's behalf in providing the Services.

2.2
The Parties enter this DPA to ensure that such Processing by Processor of Controller Data, within the Services provided by Controller and/or on its behalf, complies Data Processing Agreement - writefastly. 4 with Applicable Data Protection Law and the requirements regarding collection, use, and retention of Personal Data for Data Subjects.

3. Authority

3.1 Roles of the Parties

(a) When the GDPR or UK Data Protection Laws apply to Controller Data, the Parties acknowledge and agree that Customer is a Controller and writefastly is a Processor acting on behalf of Customer. When Customer is acting as a Processor of Controller Data, writefastly is a Sub-processor of the Customer.

(b) For purposes of the California Privacy Law, writefastly will act as a Service Provider in performing its obligations under the Agreement. writefastly (i) will use Controller Data solely to provide the Services under the Agreement;

(ii) will not collect, retain, use, sell, disclose or otherwise process Controller Data for any purpose other than providing the Services under the Agreement or as otherwise permitted. Despite any provisions in the Agreement (including this DPA), Controller acknowledges that Processor has the right to process Personal Data for legitimate business purposes, such as billing, account management, technical support, product development, sales, and marketing. 

writefastly understands the restrictions in Section 3.1(b) and certifies its compliance with the California Privacy Law.

3.2 Controller’s Instructions.

Customer warrants that (i) it has complied, and will continue to comply, with all applicable laws, including Applicable Data Protection Law, concerning its Processing of Controller Data and any processing instructions issued to Processor;

and (ii) it has provided, and will continue to provide, all notice and obtained, and will continue to obtain, all consents and rights necessary under Applicable Data Protection Law for Processor to process Controller Data for the purposes described in the Agreement.

Customer is solely responsible for the accuracy, quality, and legality of Controller Data and the means by which Customer acquired it. Controller specifically recognizes that its use of the Services will not violate the rights of any Data Subject who has opted out of sales or other disclosures of Personal Data, to the extent applicable under the California Privacy Law.

3.3 Purpose Limitation.

Processor will process Controller Data only according to Customer's documented lawful instructions, as outlined in this DPA, for Permitted Purposes, as required to comply with applicable law or as otherwise agreed upon in writing. The Parties agree that the Agreement and this DPA set forth Customer's complete and final instructions to Processor concerning the processing of Controller Data, with processing outside the scope of these instructions requiring prior written agreement between the Parties.

3.4 Data Subject and Regulator Requests.
Customer will be responsible for communications and leading any efforts to comply with all requests made by Data Subjects under Applicable Data Protection Law and all communications from Regulators relating to Controller Data.

4. Obligations of Processor

4.1 Confidentiality.

Processor shall limit access to Controller Data to its personnel who need access to fulfill Processor's obligations under the Agreement. Processor will take commercially reasonable steps to ensure the reliability of any Processor personnel engaged in the Processing of Controller Data.

4.2 Disclosure to Third Parties.

Processor will not disclose Controller Data to third parties except as permitted by this DPA or the Agreement. If required or requested by a competent governmental authority to disclose Controller Data, Processor, to the extent legally permissible and practicable, shall provide Customer with sufficient prior written notice to allow Customer the opportunity to oppose such disclosure.

4.3 Retention.

Processor will retain Controller Data as long as Customer deems it necessary for the Permitted Purpose or as required by Applicable Data Protection Law. Upon the termination of this DPA, or at Customer's written request, Processor will either destroy or return the Controller Data to Customer, unless legal obligations necessitate the storage of Controller Data.

4.4 Data Subject and Regulator Requests.

Processor shall, to the extent legally permitted, promptly notify Controller in writing of any complaints, questions, or requests received from Data Subjects or Regulators regarding Controller Data. Taking into account the nature of the Processing and the extent possible, Processor will provide Customer with commercially reasonable assistance in handling a Data Subject's request.

If Controller, in its use of the Services, does not have the ability to correct, block, or delete Controller Data, Processor shall comply with any commercially reasonable request by Controller to facilitate such actions, to the extent Processor is legally permitted to do so.

4.5 Data Protection Impact Assessment.

If required under Applicable Data Protection Law, Processor will, upon Customer's request, provide reasonable assistance necessary for Customer to fulfill its obligation to carry out a data protection impact assessment related to Customer's use of the Services, to the extent Customer does not otherwise have access to the relevant information and that such information is available to Processor.

4.6 Security.

Processor will implement and maintain appropriate technical, physical, and administrative measures to protect Controller Data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure, or access.

These measures will consider the state of the art, costs of implementation, nature, scope, context, and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, ensuring a level of security suitable to the risks associated with the processing and nature of Controller Data.

(a) Customer acknowledges that security measures are subject to technical progress and development, allowing Processor to update or modify the security measures if such updates or modifications do not result in the degradation of the overall security level of Services purchased by Customer.

Customer is responsible for reviewing the information provided by Processor concerning data security and making an independent determination as to whether the Services meet Controller's requirements and legal obligations under Applicable Data Protection Law.

(b) Notwithstanding the above, Customer agrees that, except as provided by this DPA, Customer is responsible for the secure use of the Services, which includes securing its account authentication credentials, ensuring the security of Controller Data in transit to and from the Services, and taking appropriate steps to securely encrypt or back up any Controller Data uploaded to the Services.

5. Data breach

5.1 Data Breach.

If Processor becomes aware of a Data Breach, Processor will promptly: notify Customer of the Data Breach, but no later than seventy-two (72) hours after Processor has confirmed the Data Breach impacting Controller Data;

investigate the Data Breach and provide Customer with information about the Data Breach; and take reasonable steps to mitigate the effects and minimize any damage resulting from the Data Breach. Processor's obligation to report or respond to a Data Breach under Data Processing Agreement - writefastly 7 this Section does not imply an acknowledgment by Processor of any fault or liability concerning the Data Breach.

5.2 Coordination.
Processor will provide reasonable assistance to Customer in fulfilling its obligations to notify Data Subjects and relevant authorities concerning a Data Breach, provided that nothing in this section will prevent either party from complying with its obligations under Applicable Data Protection Laws. The Parties agree to cooperate in good faith on developing the content of any related public statements.

5.3 Caused by Controller.
The obligations in this section do not apply to a Data Breach caused by Customer.

6. Audits

6.1
Customer may audit Processor's compliance with this DPA up to once per year unless requested by a Supervisory Authority. An audit will be conducted by an independent third party ("Auditor") reasonably acceptable to Processor.

Before commencing any on-site audit, Customer must submit a detailed proposed audit plan to Processor at least 30 business days in advance of the proposed audit date. The proposed audit plan must describe the proposed scope, duration, and date of the audit, as well as the proposed Auditor.

Processor will review the proposed audit plan and provide Customer with any concerns or questions, working cooperatively with Customer to agree on a final audit plan. Prior to the start of an audit, the Parties will agree upon reasonable time, duration, place, and manner conditions for the audit, as well as a reasonable reimbursement rate payable by Customer to Processor for Processor's audit expenses.

The audit results and all information reviewed during the inspection will be deemed Processor's confidential information and subject to the Confidentiality provisions in the Agreement. The Auditor may only disclose to the Customer specific violations of the DPA, if any, and the basis for such findings but cannot disclose to the Customer any records or information reviewed during the inspection.

7. Use Of Sub-Processors

7.1 General Consent.

Customer acknowledges and agrees that Processor may appoint Sub-processors to assist in providing the Service and Processing Controller Data, provided that such Sub-processors agree to (a) act only on Processor’s instructions when Processing the Controller Data (which instructions will be consistent with Controller's processing instructions to Processor), and (b) protect the Controller Data to a standard consistent with the requirements of this DPA.

7.2 Sub-processor List.

The list of all Sub-processors used as of the Effective Date for processing Controller Data under this DPA is available at https://writefastly.com/page/security .

7.3 Objection to New Sub-Processor.

Processor will provide ten (10) days' notice of a new sub-processor to Customer. Customer may object to Processor's appointment or replacement of a sub-processor before its appointment or replacement, provided such objection is in writing and based on reasonable grounds relating to data protection, and made within ten (10) days after Processor provides notice of the new sub-processor. Any such written objection must include Customer's specific reasons for its objection and proposed options to mitigate any alleged risk.

The Parties agree to discuss commercially reasonable alternative solutions in good faith. If a resolution cannot be reached within sixty (60) days from the date of Processor’s receipt of Customer's written objection, Customer may discontinue the use of the affected Services by providing written notice to Processor. In the absence of a timely and valid objection by Customer, the new Sub-processor may be commissioned to Process Controller Data.

7.4 Liability.

Processor shall be liable for the acts and omissions of its Sub-processors in providing the Services to the same extent that Processor would be liable if performing the services of each Sub-processor directly under the terms of this DPA, except as set forth otherwise in the Agreement.

8. International Provisions

8.1 Jurisdiction Specific Terms.

To the extent Processor Processes Controller Data originating from and protected by Applicable Data Protection Law in one of the jurisdictions listed in Schedule 5 (Jurisdiction Specific Terms) of this DPA, the terms specified in Schedule 5 for the applicable jurisdiction(s) apply in addition to the terms of this DPA.

8.2 Restricted Transfers.

In cases where Customer's use of the Services involves a Restricted Transfer of Controller Data, the terms outlined in Schedule 4 (Cross Border Transfer Mechanisms) will apply. If there is any conflict or inconsistency between this DPA and the terms set forth in Schedule 4, the terms in Schedule 4 shall apply.

9. Limitation On Liability

9.1
Neither Party or their respective directors, officers, agents, or employees will be liable to the other party for any reason, whether in contract or tort, for any claims or liability arising out of or based upon this DPA.

The maximum liability shall be the amount actually paid by the Customer to Processor in the twelve months preceding the first incident from which the liability arose, regardless of the form in which any legal or equitable action may be brought.

9.2

For the avoidance of doubt, Processor's and its Affiliates' total liability for all claims from the Customer and all of its Authorized Affiliates arising out of or related to the Agreement and each DPA shall apply in the aggregate for all claims under both the Agreement and all DPAs established under this Agreement, including by Customer and all Authorized Affiliates, and shall not be understood to apply individually and severally to Customer and/or to any Authorized Affiliate that is a contractual party to any such DPA.

10. Miscellaneous

10.1
If any provision of this DPA is prohibited or unenforceable in any jurisdiction, such provision shall be ineffective to the extent of such prohibition or unenforceability in that jurisdiction alone without invalidating the remaining provisions of this DPA. The parties will attempt in good faith to agree upon a valid and enforceable provision that is a reasonable substitute and will incorporate such substitute provision into this DPA.

10.2
This DPA shall be governed by and construed in accordance with the governing law and jurisdiction provisions in the Agreement unless otherwise required by Applicable Data Protection Law.

10.3
Customer enters into this DPA on behalf of itself and, to the extent required under applicable Data Protection Law, in the name and on behalf of its Authorized Affiliates if and to the extent writefastly processes Personal Data for which such Authorized Affiliates qualify as the Controller.

10.4
This DPA may not be amended or modified except through the mutual agreement of the Parties; however, Customer will be notified thirty (30) days in advance of any amendments or modifications to this DPA, which will take effect in the next billing cycle. Customer's continued use of the Services shall constitute acceptance of any such amendments and/or modifications.

This DPA may be executed in counterparts. The terms and conditions of this DPA are confidential, and each Party agrees and represents, on behalf of itself, its employees, and agents to whom it is permitted to disclose such information, that it will not disclose such information to any third party.

Each Party has the right to disclose such information to its officers, directors, employees, auditors, attorneys, and third-party contractors under an obligation to maintain confidentiality and may disclose such information as necessary to comply with an order or subpoena of any administrative agency or court of competent jurisdiction or as reasonably necessary to comply with any applicable law or regulation.

Controller may not directly or indirectly assign any part of its rights under this DPA or delegate performance of its duties under this DPA without Processor's prior consent, which consent will not be unreasonably withheld.

Processor may, without Controller's consent, assign this DPA to any affiliate or in connection with any merger or change of control of Processor or the sale of all or substantially all of its assets, provided that any such successor agrees to fulfill its obligations pursuant to this DPA.

Subject to the foregoing restrictions, this DPA will be fully binding, inure to the benefit of, and enforceable by the Parties and their respective successors and assigns.

Schedule 1 – Details of Processing

1. Categories of Data Subjects
The personal data transferred concern the following categories of Data Subjects: The categories of data subjects are within the control of the Controller and may include individuals about whom data is provided to Processor by or at the direction of the Controller pursuant to the Agreement.

2. Types of Personal Data Transferred
The personal data transferred concern the following categories of data: the categories of Personal Data are within the control of the Controller and may include data relating to individuals to the extent provided to Processor by or at the direction of the Controller pursuant to applicable terms of service between them.

3. Sensitive Data Transferred
The personal data transferred concern the following special categories of data: the categories of Personal Data are within the control of the Controller and may include data relating to individuals to the extent provided to Processor by or at the direction of the Controller pursuant to applicable terms of service between them.

4. Frequency of the Transfer
Continuous.

5. Nature of Processing
The Personal Data transferred will be subject to the following basic processing activities: Processor will Process Controller Data as necessary to perform the Services pursuant to the Agreement, and as further instructed by Customer in its use of the Services. The processing operations are the Services that are used by the Controller.

6. Purpose of Processing
The purpose of the Processing of Controller Data by Processor is to provide Customer with the Services under the Agreement.

7. Duration of the Processing
The Term of the Agreement plus the period from the expiry of such Term until deletion of all Controller Data by the Processor in accordance with the DPA.

Schedule 2 – Technical and Organizational Security Measures

Description of the technical and organizational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context, and purpose of the processing and the risks for the rights and freedoms of natural persons.

 

Schedule 3 – Sub-processor List

The Customer has authorized the use of the Sub-processors located at page security.

Schedule 4 – Jurisdiction Specific Terms

1. Australia
1.1 The definition of “Applicable Data Protection Law” includes the Australian Privacy Principles and the Australian Privacy Act (1988). 1.2 The definition of “Personal Data” includes “Personal Information” as defined under Applicable Data Protection Law.

2. Brazil
2.1 The definition of “Applicable Data Protection Law” includes the Lei Geral de Proteção de Dados (LGPD). 2.2 The definition of “Data Breach” includes a security incident that may result in any relevant risk or damage to data subjects. 2.3 The definition of “Processor” includes “operator” as defined under Applicable Data Protection Law.

3. Canada
3.1 The definition of “Applicable Data Protection Law” includes the Federal Personal Information Protection and Electronic Documents Act (PIPEDA).

4. European Economic Area (EEA)
4.1 The definition of “Applicable Data Protection Law” includes the General Data Protection Regulation (EU 2016/679) (“GDPR”).

4.2 Notwithstanding anything to the contrary in this DPA or in the Agreement (including, without limitation, either party’s indemnification obligations), neither party will be responsible for any GDPR fines issued or levied under Article 83 of the GDPR against the other party by a regulatory authority or governmental body in connection with such other party’s violation of the GDPR.

5. Israel
5.1 The definition of “Applicable Data Protection Law” includes the Protection of Privacy Law (PPL).

5.2 The definition of “controller” includes “Database Owner” as defined under Applicable Data Protection Law.

5.3 The definition of “processor” includes “Holder” as defined under Applicable Data Protection Law.

6. Japan
6.1 The definition of “Applicable Data Protection Law” includes the Act on the Protection of Personal Information (APPI).

6.2 The definition of “Personal Data” includes “Personal Information” as defined under Applicable Data Protection Law.

6.3 The definition of “Controller” includes “Business Operator” as defined under Applicable Data Protection Law.

6.4 The definition of “Processor” includes a business operator entrusted by the Business Operator with the handling of Controller Data in whole or in part (also a “trustee”), as described under Applicable Data Protection Law. As a trustee, Processor will ensure that the use of the Controller Data is securely controlled.

7. Singapore
7.1 The definition of “Applicable Data Protection Law” includes the Personal Data Protection Act 2012 (PDPA).

8. Switzerland
8.1 The definition of “Applicable Data Protection Law” includes the Swiss Federal Act on Data Protection.

9. United Kingdom (UK):
9.1 References in this Addendum to GDPR will, to that extent, be deemed to be references to the corresponding laws of the United Kingdom (including the UK GDPR and Data Protection Act 2018).

9.2 Notwithstanding anything to the contrary in this Addendum or in the Agreement (including, without limitation, either party’s indemnification obligations), neither party will be responsible for any UK GDPR fines issued or levied under Article 83 of the UK GDPR against the other party by a regulatory authority or governmental body in connection with such other party’s violation of the UK GDPR.