This GDPR Data Processing Addendum (“GDPR DPA”) is an addendum to the ScaleGrid End User License (EULA) and Terms of Service Agreement (“Service Agreement”), available here entered into by and between you (hereinafter referred to as “Customer”) and ScaleGrid, Inc., a Washington State corporation located at 1425 Broadway #20-7913, Seattle WA 98122 on behalf of itself and its Affiliates (hereinafter referred to as “ScaleGrid”). Customer and ScaleGrid shall be referred to jointly as the “Parties” and individually as a “Party”. Pursuant to the Service Agreement, Processor provides to Controller certain database management and hosting services (the “Services”). This GDPR DPA is effective, as applicable: With respect to the General Data Protection Regulation ((EU) 2016/679) and any applicable national implementing laws (“GDPR”):
This GDPR DPA will only apply to the extent that the Data Protection Legislation applies to the processing of Customer Personal Data (defined below), including if:
1.1 Definitions. The following definitions and rules of interpretation apply in this GDPR DPA; other definitions have the meaning given to them elsewhere in this GDPR DPA.
1.2 This GDPR DPA is subject to the terms of the Service Agreement and is incorporated into the; Service Agreement. Interpretations and defined terms set forth in the Service Agreement apply to the interpretation of this GDPR DPA. Except as amended by this GDPR DPA, the Service Agreement will remain in full force and effect. If there is a conflict between the Service Agreement and this GDPR DPA, the terms of this GDPR DPA will control. Any claims brought under this GDPR DPA shall be subject to the terms and conditions, including but not limited to, the exclusions and limitations set forth in the Service Agreement.
1.5 In the case of conflict or ambiguity between:
2.1 Relationship. The Customer and ScaleGrid acknowledge that for the purpose of the Data Protection Legislation, the Customer is a Controller or Processor and ScaleGrid is the Processor of Customer Personal Data. Customer retains control of the Customer Personal Data and remains responsible for its compliance obligations under the applicable Data Protection Legislation, including providing any required notices and obtaining any required consents, and for the processing instructions it gives to ScaleGrid. Except as set forth herein, all provisions of the Services Agreement apply to this GDPR DPA, including the limitations of liability.
2.2 Personal Data And Processing Purposes. Annex A describes the subject matter, duration, nature and purpose of processing and the Personal Data categories and Data Subject types in respect of which ScaleGrid may process to provide the Services pursuant to the Service Agreement. Customer acknowledges that it determines the categories of Personal Data, if any, that it processes through the Services.
2.4 Warranty And Authorization. Customer warrants and represents that its use of the Services and ScaleGrid’s use of the Personal Data as permitted by this GDPR DPA will comply with the Data Protection Legislation. Customer further warrants and represents that it is and will at all relevant times remain duly and effectively authorized to give the instructions on behalf of each relevant Customer Affiliate, if applicable. If Customer is a Processor, Customer represents and warrants that Customer’s instructions and actions with respect to Customer Personal Data, including the appointment of ScaleGrid as another Processor, have been authorized by the relevant Controller.
2.5 Customer’s Security Responsibilities And Assessment.
3.1 Processing Instructions. ScaleGrid will only process the Personal Data to the extent, and in such a manner, as is necessary for providing the Services in accordance with the Customer’s documented or written instructions (including as set forth in this GDPR DPA). ScaleGrid will not process the Personal Data for any other purpose or in a way that does not comply with this GDPR DPA or the Data Protection Legislation, unless required by applicable laws. ScaleGrid shall notify Customer if, in its opinion, Customer’s instruction would not comply with the Data Protection Legislation. An instruction, approval, request or similar, given via the ScaleGrid online platform is considered a documented or written data processing instruction from Customer.
3.2 ScaleGrid shall use commercially reasonable efforts to promptly comply, within 30 days, with any Customer request or instruction requiring the ScaleGrid to amend, transfer, delete or otherwise process the Personal Data, or to stop, mitigate or remedy any unauthorized processing, to the extent required by the Data Protection Legislation.
3.3 Assistance. ScaleGrid will reasonably assist Customer, at Customer’s expense based on ScaleGrid’s standard rates, with meeting Customer’s compliance obligations under the Data Protection Legislation, taking into account the nature of ScaleGrid’s processing and the information available to ScaleGrid, including in relation to Data Subject rights, data protection impact assessments and reporting to and consulting with supervisory authorities under the Data Protection Legislation. The scope of such assistance shall be limited to the processing of the Customer Personal Data by ScaleGrid.
4.1 Personnel. ScaleGrid shall ensure that all employees or contractors (“ScaleGrid Personnel”) of ScaleGrid who may have access to the Customer Personal Data, have such access only as necessary for the purposes of providing the Services and complying with applicable laws. Furthermore, all ScaleGrid Personnel shall be subject to confidentiality undertakings or professional or statutory obligations of confidentiality.
4.2 Technical And Organizational Security Measures. ScaleGrid shall in relation to the Customer Personal Data implement, or provide options for Customer to implement, appropriate technical and organizational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to the GDPR. In assessing the appropriate level of security, each Party shall take into account the risks that are presented by processing, in particular from a Personal Data Breach. ScaleGrid’s current security measures are described in Annex B, attached hereto, which ScaleGrid may modify from time to time provided that such modifications do not result in degradation of the overall security of the Services. For the avoidance of doubt, Customer determines the categories of Personal Data, if any, that are processed by the Services, and where ScaleGrid makes available different security options (e.g., whether or not to encrypt certain data), Customer is solely responsible for, and shall fully indemnify, defend, and hold ScaleGrid harmless from such choices.
4.3 Confidentiality. ScaleGrid will take appropriate steps to maintain the confidentiality of all Personal Data and will not disclose Personal Data to third parties unless Customer or this GDPR DPA specifically authorizes the disclosure, or as required by law. If a law, court, regulator or supervisory authority requires ScaleGrid to process or disclose Personal Data, ScaleGrid shall first inform Customer of the legal or regulatory requirement and give the Customer an opportunity to object or challenge the requirement, unless the law prohibits such notice.
5.1 Notification. ScaleGrids shall notify Customer without undue delay, and within 36 hours, upon Processor becoming aware of a Personal Data Breach affecting Customer Personal Data. ScaleGrid shall provide Customer with sufficient information to the extent in the possession of ScaleGrid to allow Customer to meet any obligations to report or inform Data Subjects or Data Protection authorities of the Personal Data Breach under the Data Protection Legislation. Customer shall not issue any public statements regarding ScaleGrid unless ScaleGrid has first agreed in writing to the issuance of the public statement. Customer shall notify ScaleGrid in advance of any written statements it makes to regulators or law enforcement regarding ScaleGrid, unless otherwise prohibited by law. ScaleGrid’s notification of or response to a Data Breach shall not be construed as acknowledgement by ScaleGrid of any fault or liability with respect to the Data Breach.
5.2 Cooperation. ScaleGrid shall cooperate with Customer and take such commercially reasonable steps as are directed by Customer to assist in the investigation, mitigation and remediation of each such Personal Data Breach, at Customer’s sole expense, to the extent required by Data Protection Legislation.
5.3 Remediation. Notwithstanding the above, ScaleGrid may take any steps to remediate or respond to Personal Data Breach, as required by applicable law, including providing notifications to the data subjects and/or relevant authorities.
Customer grants ScaleGrid general authorization to engage Sub-Processors to provide the Services (including without limitation data center operators, hosting services, providers of anti-fraud and reporting services and other outsourced providers), provided that
8.1 Customer Obligations. Customer is and shall be solely responsible for compliance with any statutory obligations concerning requests to exercise Data Subject rights under Data Protection Legislation (e.g., for access, rectification, deletion of Customer Personal Data, etc.) ScaleGrid shall reasonably assist Customer to the extent feasible in responding to requests to exercise Data Subject rights under the EU Data Protection Laws. As part of the Services, Customer may download Customer’s Personal Data through the Services (“Data Portability Right”). This Data Portability Right shall be provided as part of the service at no additional charge for the Customer.
8.2 ScaleGrid Obligations. ScaleGrid shall:
9.1 ScaleGrid shall make available to Customer, upon prior written request, all information necessary to reasonably demonstrate compliance with this GDPR DPA. ScaleGrid may provide industry-standard third-party audit certifications to demonstrate compliance.
9.2 ScaleGrid shall allow for and contribute to audits, including inspections, by a reputable auditor mandated by Customer. The scope, duration and methods of such audit will be determined by both Parties in good faith. In any event, a third-party auditor shall be subject to confidentiality obligations. ScaleGrid may object to the selection of the auditor if it reasonably believes that an auditor does not guarantee confidentiality, security or otherwise puts at risk the ScaleGrid business.
9.3 Provisions of information and audits are at Customer’s sole expense, including fees charged by third party auditors appointed by Customer.
10.1 This GDPR DPA will remain in full force and effect so long as:
10.2 Any provision of this GDPR DPA that expressly or by implication should come into or continue in force on or after termination of the Service Agreement in order to protect Personal Data will remain in full force and effect.
10.3 Either Party’s failure to comply with the terms of this GDPR DPA is a material breach of the Service Agreement. In such event, the non-breaching Party may terminate the Service Agreement effective immediately on written notice to the non-breaching Party without further liability or obligation.
10.4 If a change in any Data Protection Legislation prevents either party from fulfilling all or part of its Service Agreement obligations, the parties will suspend the processing of Personal Data until that processing complies with the new requirements. If the parties are unable to bring the Personal Data processing into compliance with the Data Protection Legislation within 30 days, they may terminate the Service Agreement on written notice to the other party.
11.1 Upon termination of the provision of Services, ScaleGrid shall promptly delete or return all copies of Customer Personal Data, except as authorized or required to be retained in accordance with applicable law.
11.2 Upon Customer’s prior written request, ScaleGrid shall provide written certification to Customer that it has fully complied with this section.
12.1 Any notice or other communication given to a party under or in connection with this GDPR DPA must be in writing and delivered to:
12.2 Section 12.1 does not apply to the service of any proceedings or other documents in any legal action or, where applicable, any arbitration or other method of dispute resolution.
12.3 A notice given to ScaleGrid under this GDPR DPA is not valid if sent by email unless the receipt of such email has been confirmed.
13.1 ScaleGrid may change this GDPR DPA if the change:
13.2 Notification of Changes. If ScaleGrid intends to change this GDPR DPA under Section 13.1(b) or (c), ScaleGrid will inform Customer at least 30 days (or such shorter period as may be required to comply with applicable law, applicable regulation, a court order or guidance issued by a governmental regulator or agency) before the change will take effect by either:
A. LIST OF PARTIES
Data Exporter | Customer as defined above
Role: Controller |
Data Importer | ScaleGrid, Inc., a Washington State corporation located at 1425 Broadway #20-7913, Seattle WA 98122
Role: Processor |
Categories of data subjects whose personal data is transferred
| Data subject about whom personal data is transferred to ScaleGrid in connection with the Services by, at the direction of, or on behalf of Customer.
|
Categories of personal data transferred
| Any personal data the Customer determines the categories of personal data that it processes through the Services.
|
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures
| Potentially depending on what categories of personal data a Customer processes through the services.
|
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis)
| Continuous |
Nature of the processing
| ScaleGrid provides database management services to assist its customers manage their own databases, including computing, storage, reporting, deleting.
|
Purpose(s) of the data transfer and further processing
| For ScaleGrid to provide the Services to the Customer.
|
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
| The Term plus the period from the expiration of the Term until the deletion of all Customer Personal Data by ScaleGrid in accordance with this GDPR DPA.
|
For transfers to (sub-)processors, also specify subject matter, nature and duration of the processing | Approved Subcontractors: List
|
C. COMPETENT SUPERVISORY AUTHORITY
Physical access controls.
System access controls.
See section above on Physical Access control
Data access controls.
Transmission controls.
Input controls.
Data backups.
Data segregation.
Module Two (Controller to processor) of Annex to the COMMISSION IMPLEMENTING DECISION on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679
Subject to the following:
Clause 7 – Optional Docking Clause | Included
|
Clause 9(a) – Authorisation for use of Sub-processors
| Option 2 – General authorisation and the time period for notification is 30 days
|
Clause 11(a) – Optional Data Subject Redress Clause
| Removed
|
Clause 13(a) – Supervisory Authority
|
|
Clause 17 – Governing Law
| Irish law
|
Clause 18 – Jurisdiction
| Ireland |
Annex I (Data Processing Particulars) | Annex A of this GDPR DPA
|
Annex II (Technical and Organizational Measures) | Annex B of this GDPR DPA
|
Annex III (Sub-processors) | See the list of sub-processors linked in Annex A of this GDPR DPA
|
Explore free for a full month—no credit card, no hassle.
Discover our platform's capabilities with a guided demo.
Have questions? Get in touch—we're here to help.
Platform
Resources
Company
Dive into the world of database management. Receive expert tips, in-depth articles, exclusive event invitations, and free resources directly in your inbox.
MySQL, PostgreSQL, MongoDB, Greenplum Database, and SQL Server are trademarks and property of their respective owners. *Redis is a registered trademark of Redis Ltd. and the Redis box logo is a mark of Redis Ltd. Any rights therein are reserved to Redis Ltd. Any use by ScaleGrid is for referential purposes only and does not indicate any sponsorship, endorsement or affiliation between Redis and ScaleGrid. All product and service names used in this website are for identification purposes only and do not imply endorsement.