Eclypsium Data Processing Addendum

This Data Processing Addendum, including all schedules and exhibits attached hereto (“Addendum”), is entered into between Eclypsium, Inc. (“Eclypsium”) and the entity or other person who is a counterparty (“Customer”) to the agreement pursuant to which Eclypsium provides services and into which this Addendum is incorporated and forms a part (collectively, “Agreement”). This Addendum is effective as of the date it is incorporated into the Agreement (“Effective Date”). All capitalized terms not otherwise defined in this Addendum will have the meaning given to them in the Agreement. In the event of any inconsistency or conflict between this Addendum and the Agreement, this Addendum will govern. This Addendum will survive termination of the Agreement. Customer and Eclypsium agree as follows:

  1. Definitions.
    1. “Applicable Data Protection Law” means all applicable data protection laws, rules, regulations, orders, ordinances, regulatory guidance, and industry self-regulations, including subsequent amendments, that relate to the confidentiality, Processing, privacy, security, protection, disclosure, sharing, transfer, or trans-border data flow of Personal Data, including, but not limited to, the CCPA, FADP, the Gramm-Leach-Bliley Act, GDPR, and UK GDPR.
    2. “CCPA” means the California Consumer Privacy Act of 2018, including (a) as amended by the California Privacy Rights Act of 2020 or otherwise and (b) any regulations promulgated thereunder.
    3. “Controller” means an entity that, alone or jointly with others, determines the purposes for and means of Processing of Personal Data. A Controller includes “businesses” and other similar terms under Applicable Data Protection Law that refer to persons or entities that determine the purposes and means of the Processing of Personal Data.
    4. “Data Subject” means an identified or identifiable person or household under Applicable Data Protection Law and includes “consumer” and other similar terms.
    5. “Data Subject Access Request” means a request pertaining to Personal Data from a Data Subject to exercise its rights pursuant to Applicable Data Protection Law.
    6. “De-Identified Data” means data that cannot reasonably be used to infer information about, or otherwise be linked to, a Customer or any Data Subject, or as that term is otherwise defined under Applicable Data Protection Law.
    7. “FADP” means the Swiss Federal Act on Data Protection of September 25, 2020.
    8. “GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
    9. “Personal Data” means information that Eclypsium Processes on behalf of Customer that identifies, relates to, describes, or could be associated with or linked, directly or indirectly, to a Data Subject, or as that term or a similar term is defined under Applicable Data Protection Law.
    10. “Personal Data Breach” means a misuse, compromise, or unauthorized, accidental, or unlawful access, disclosure, acquisition, destruction, loss, or alteration of Personal Data, including without limitation any circumstance pursuant to which Applicable Data Protection Law requires either notification to be given to affected parties or other activity in response to such circumstance.
    11. “Process,” “Processed,” or “Processing” means any operation or set of operations performed, whether or not by automated means, such as the access, collection, use, storage, retention, disclosure, sale, dissemination, combination, recording, organization, structuring, adaptation, alteration, copying, transfer, retrieval, consultation, disposal, restriction, erasure, and/or destruction of Personal Data.
    12. “Processor” means an entity that Processes Personal Data on behalf of a Controller. A Processor includes “service providers,” “processors,” “third-party service providers,” “third-party agents,” and other similar terms under Applicable Data Protection Law that refer to persons or entities that process Personal Data on behalf of a Controller.
    13. “SCCs” means Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (Text with EEA relevance), available at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?uri=CELEX:32021D0914, as may be replaced or superseded by the European Commission.
    14. “Services” means the services provided by Eclypsium pursuant to the Agreement.
    15. “UK GDPR” means the GDPR as incorporated into United Kingdom (“UK”) law by the Data Protection Act 2018 and amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (each as amended, superseded, or replaced).
    16. “UK Addendum” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner, Version B1.0, in force 21 March 2022, available at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf.
  2. Roles and Responsibilities. Eclypsium will Process Personal Data on behalf of Customer, as described in more detail in Schedule 1. As between Customer and Eclypsium, Customer will be the Controller and Eclypsium will be the Processor.
    1. Eclypsium agrees to:
      1. Process Personal Data solely for the purpose of performing the Services and in accordance with Customer’s documented instructions, including to improve the Services and prevent fraud and as otherwise set forth in this Addendum, the Agreement, or any other written agreement between the parties;
      2. not Process the Personal Data outside the direct business relationship between Eclypsium and Customer or for any commercial purpose other than providing the Services as described in more detail in Schedule 1 to Customer, except as permitted by Applicable Data Protection Law;
      3. not “sell” or “share” Personal Data, as those terms are defined under Applicable Data Protection Law;
      4. treat all Personal Data as the confidential information of Customer and ensure that all personnel who Process Personal Data have undergone data protection training and are bound by obligations of confidentiality;
      5. promptly notify Customer if Eclypsium directly receives a Data Subject Access Request that explicitly identifies Customer, and Eclypsium shall not respond to such requests except as instructed by Customer unless otherwise required by Applicable Data Protection Law, provided, however, that Eclypsium may: (i) confirm receipt; (ii) advise that such request relates to Customer; (iii) direct such Data Subject to Customer; or (iv) take other action as may be necessary to comply with Applicable Data Protection Laws;
      6. reasonably cooperate with and assist Customer in complying with Applicable Data Protection Law, including but not limited to assisting with data protection impact assessments, audits, and consultations with regulatory bodies; and
      7. upon receipt of a government access request or other legally-mandated disclosure and where permitted by applicable law, promptly notify Customer of the access request and provide details about the requesting party, the types of Personal Data requested, and the purpose and methods of the disclosure (so as to provide Customer the opportunity to comply with its notice and consent obligations with respect to affected Data Subjects or to oppose the disclosure and obtain a protective order or seek other relief).
    2. Customer instructs Eclypsium to Process Personal Data as necessary to provide the Services and as otherwise authorized or permitted under this Addendum and the Agreement, including as specified in Schedule 1. Customer will not instruct Eclypsium to perform any Processing of Personal Data that violates any Applicable Data Protection Law. If Eclypsium believes or becomes aware that any of Customer’s instructions conflict with Applicable Data Protection Law, Eclypsium shall promptly inform Customer.
    3. Customer shall provide all required notices to and obtain all necessary consents from Data Subjects to permit and instruct Eclypsium’s Processing of Personal Data under the Agreement and this Addendum.
  3. De-Identified Data. Notwithstanding anything to the contrary in this Addendum, Eclypsium may create and derive De-Identified Data for its business purposes. Eclypsium will: (a) take reasonable measures designed to ensure that De-Identified Data cannot be associated with a Data Subject and (b) publicly commit to maintain and use De-Identified Data in a de-identified form and not attempt to re-identify such data except as permitted by Applicable Data Protection Law.
  4. Sub-processors. Customer authorizes Eclypsium to use subcontractors to Process Personal Data in connection with providing the Services (each, a “Sub-processor”). Customer specifically consents to Eclypsium’s appointment of the Sub-processors identified in Schedule 1. Eclypsium will notify Customer of its intent to update the list of approved Sub-processors in Schedule 1 at least 15 days prior to engaging a new Sub-processor. Customer may object to the use of a new Sub-processor within 10 days of receiving such notice by clearly indicating its desire to object to such change. If Customer objects to the change in Sub-processors, Customer and Eclypsium will work in good faith to resolve Customer’s objection. If the parties are unable to resolve Customer’s objection within twenty (20) days of Eclypsium receiving the objection, either party may terminate the Agreement only with respect to those Services under the Agreement that Customer indicates cannot be provided without the objected-to Sub-processor. Eclypsium will remain fully responsible for its obligations under the Agreement and will remain the primary point of contact regarding any Processing of Personal Data. Eclypsium will be responsible for the acts and omissions of its Sub-processors and will impose contractual obligations on its Sub-processors that are at least equivalent to those obligations imposed on Eclypsium under this Addendum.
  5. Cross-Border Data Transfers.
    1. The parties will collaborate to ensure that the Processing of Personal Data under this Addendum complies with any data transfer restrictions under Applicable Data Protection Law. If Customer and Eclypsium will engage in cross-border or onward transfers of Personal Data about individuals in:
      1. the European Economic Area, and such Personal Data is subject to the GDPR, the parties will conduct such transfers pursuant to the SCCs, which are hereby incorporated by reference and deemed executed by the parties as of the Effective Date, or by certifying to and participating in another lawful cross-border transfer mechanism.
      2. the UK, and such Personal Data is subject to the UK GDPR, the parties will conduct such transfers pursuant to the SCCs in tandem with the UK Addendum, which are hereby incorporated by reference and deemed executed by the parties as of the Effective Date, or by certifying to and participating in another lawful cross-border transfer mechanism.
      3. Switzerland, and such Personal Data is subject to the FADP, the parties will conduct such transfers pursuant to the SCCs, which are hereby incorporated by reference and deemed executed by the parties as of the Effective Date, or by certifying to and participating in another lawful cross-border transfer mechanism. In the event the parties rely on the SCCs for such transfers, the following modifications will apply: the competent supervisory authority in Annex I.C under Clause 13 shall be the Federal Data Protection and Information Commissioner insofar as the data transfer is governed by the FADP; references to a “Member State” and “EU Member State” will not be read to limit or prevent Data Subjects in Switzerland from seeking to exercise their rights; and references to “GDPR” in the SCCs will be understood as references to the FADP.
    2. If the parties will engage in cross-border or onward transfers of Personal Data subject to the SCCs and/or the UK Addendum, Eclypsium will be the “data importer” and Customer will be the “data exporter”. If there is any conflict between this Addendum and the SCCs and/or UK Addendum, the SCCs and UK Addendum will prevail.
    3. For purposes of the SCCs, Module 2 will apply to the Processing of Personal Data by Eclypsium on behalf of Customer, as follows:
      1. Clause 7 (“Docking clause”) shall apply.
      2. The audits contemplated by Section 8.9 shall be conducted according to the audit provisions of this Addendum.
      3. In Clause 9, Option 2 will apply and the time period for notice of Sub-processor changes will be as set forth in this Addendum.
      4. In Clause 11 the optional language will not apply to the SCCs.
      5. In Clause 17, the SCCs shall be governed by the laws of Ireland.
      6. In Clause 18(b), the parties agree to resolve disputes arising from the SCCs in the courts of Ireland.
      7. The parties will complete Schedule 1 of this Addendum, which includes the information called for in the SCCs’ Annexes I and III.
      8. The information needed to complete Annex II of the SCCs is included in Schedule 2 of this Addendum.
    4. In the event Eclypsium subsequently engages in cross-border or onward transfers of Personal Data with a subcontractor or other third-party recipient, Eclypsium will conduct such transfers pursuant to the relevant Module of the Standard Contractual Clauses promulgated by EU Commission Implementing Decision (EU) 2021/914, available at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?uri=CELEX:32021D0914, and/or another lawful mechanism.
  6. Security Safeguards. Eclypsium will implement and maintain appropriate technical, organizational, and administrative security measures to safeguard Personal Data and provide the level of protection required by Applicable Data Protection Law, as set forth in the Information Security Addendum attached as Schedule 2 to this Addendum.
  7. Personal Data Breach Notice and Management. Eclypsium will notify Customer without undue delay after becoming aware of a Personal Data Breach and take commercially reasonable steps to remediate the Personal Data Breach. Eclypsium will provide Customer with information, to the extent feasible or known at the time of notification, that is designed to allow Customer to meet its obligations under Applicable Data Protection Law. Eclypsium’s notification of, or response to, a Personal Data Breach under this Section will not be construed as an acknowledgement by Eclypsium of any fault or liability with respect to the Personal Data Breach.
  8. Audits.
    1. Eclypsium will make available to Customer all information that Eclypsium, acting reasonably, considers appropriate to demonstrate its compliance with this Addendum and Applicable Data Protection Law. Eclypsium may procure audits by third parties to assess Eclypsium’s compliance with this Addendum and Applicable Data Protection Law, and will make its then-current audit reports from such assessments available on Customer’s request. Such reports will be Eclypsium’s confidential information.
    2. Customer will exercise its audit rights by first requesting the audit reports as described in Section 8(a). Customer may request additional information or an on-site audit of Eclypsium if the audit reports do not reasonably demonstrate Eclypsium’s compliance with this Addendum and/or Applicable Data Protection Law. Except in the event of a Personal Data Breach or regulatory investigation, Customer will not request an on-site audit more than once per year; Customer will provide no less than 30 days’ advance notice of its request for an on-site audit; Customer will cooperate in good faith with Eclypsium to schedule any such audit on a mutually agreeable date and time during Eclypsium’s normal business hours; and Customer will be responsible for all costs associated with the audit. Any such on-site audit must be conducted by Customer or by a qualified, independent auditor that has agreed to confidentiality provisions reasonably acceptable to Eclypsium and is not a competitor of Eclypsium. Customer is responsible for ensuring that the audit complies with Eclypsium’s applicable on-site policies and procedures and does not unreasonably interfere with Eclypsium’s business activities. Customer will provide a written summary of any audit findings to Eclypsium, and the results of the audit will be Eclypsium’s confidential information.
  9. Compliance. Both Customer and Eclypsium will comply with their respective obligations under Applicable Data Protection Law. Eclypsium will notify Customer if it determines that it can no longer meet its obligations under Applicable Data Protection Law.
  10. Return or Destruction of Personal Data. Upon the expiration or termination of the Agreement, Eclypsium will cease all Processing of Personal Data and, at Customer’s direction, either (a) return such data to Customer or (b) destroy such data and certify such destruction to Customer in writing. Eclypsium will comply with such Customer instruction as soon as reasonably practicable. Eclypsium is permitted to retain Personal Data where it has a legal requirement to do so.
  11. Records. Eclypsium will maintain accurate and up-to-date records of all Processing activities carried out on Customer’s behalf, in compliance with its requirements under Applicable Data Protection Law.
  12. Miscellaneous. No supplement, modification, or amendment of this Addendum will be binding unless executed in writing by each party to this Addendum.

Schedule 1: Scope of Processing

  1. Controller / Data Exporter:
Name:
Customer as set forth in the Agreement
Address:
As set forth in the Agreement
Activities relevant to the data Processed under the Addendum:
Customer is contracting with Eclypsium for the Services as set forth in the Agreement.
Point of Contact:
As set forth in the Agreement
  2. Processor / Data Importer:
Name:
Eclypsium, Inc.
Address:
919 SW Taylor Street, Suite 300
Portland, OR 97205
Activities relevant to the data Processed under the Addendum:
Eclypsium’s Supply Chain Security Platform protects organizations by securing hardware and the technology supply chain from cyber threats.
Point of Contact:
  3. Subject Matter of Processing: The Processing is in relation to Eclypsium’s provision of Services in accordance with the Agreement.
  4. Duration of Processing: The Processing will begin after the Effective Date and will end upon expiration or termination of the Agreement.
  5. Nature and Purpose of Processing: The nature and purposes of Processing include protecting organizations by securing hardware and the technology supply chain from cyber threats.
  6. Types of Personal Data: IP addresses, MAC addresses, serial numbers, operating system host names, and the names of Customer-assigned administrator accounts and authorized user accounts of the Eclypsium platform.
  7. Special Categories of Data (as applicable): Eclypsium does not anticipate that Customers will submit special categories of data to the Services.
  8. Categories of Data Subjects: Customer devices, assigned administrators, and users logging into the Eclypsium platform.
  9. Frequency of Cross-Border Data Transfers: Eclypsium will import Personal Data on a continuous basis.
  10. Period of Data Retention by Processor: Eclypsium will retain the Personal Data until the termination of the Agreement, unless otherwise agreed to by the parties.
  11. Approved Subprocessors and Data Transfers
Subprocessor Name & Registered Address:
Google Cloud Platform: Acts as an Infrastructure as a Service (IaaS) subprocessor for Eclypsium, providing cloud hosting, underlying compute, storage, and networking resources required to run Eclypsium’s cloud-based, scalable data center operations platform securely.
Countries where Subprocessor will Process and Store Personal Data:
One or more of the following Google Cloud Platform zones:
The Dalles, Oregon, USA (us-west1);
Los Angeles, California, USA (us-west2);
Salt Lake City, Utah, USA (us-west3);
Las Vegas, Nevada, USA (us-west4)
  12. Table 4 of the UK Addendum: Which Party can Terminate this Addendum if the UK Data Protection Authority Changes this “Approved Addendum”
Ending This Addendum When the Approved Addendum Changes
Which Parties may end this Addendum as set out in Section 19 of the UK Addendum:
✔ Data Importer
☐ Data Exporter
☐ Neither Party

Schedule 2: Information Security Addendum

This Information Security Addendum describes the technical and organizational measures that Eclypsium, as Processor and data importer, implements and maintains to protect Personal Data, and constitutes the description of measures required by Annex II of the SCCs. Eclypsium delivers the Services from a third-party cloud environment operated by its Sub-processor and relies on that Sub-processor for the physical and environmental security of the underlying data-center facilities. Eclypsium reviews these measures periodically and may update them provided that the level of protection is not materially reduced.

  1. Pseudonymisation and encryption of Personal Data. Personal Data is encrypted in transit using current versions of Transport Layer Security (TLS) with strong cipher suites, and is encrypted at rest. Sensitive configuration values are additionally encrypted at the application layer. Stored authentication credentials are salted and hashed one-way rather than retained in plaintext. Encryption keys are managed through a cloud key management service, and customer-managed encryption keys (CMEK) are available for eligible deployments. Because the Services collect only limited Personal Data (principally device identifiers and administrator contact details), the scope for re-identification is inherently constrained.
  2. Ongoing confidentiality, integrity, availability and resilience of processing systems. Each SaaS customer is provisioned in a logically segregated, single-tenant environment as part of Eclypsium’s Secure by Design data segregation. The production environment is protected by layered network and perimeter controls, including firewalls, web application firewall functionality, intrusion detection and monitoring, and encrypted secure tunnels with zero-trust network access. Workstations run managed anti-malware and endpoint detection and response. The platform is engineered for high availability using redundant, replicated infrastructure.
  3. Restoring availability and access to Personal Data after a physical or technical incident. Eclypsium maintains a Business Continuity Plan and Disaster Recovery procedures that are tested at least annually against defined Recovery Time and Recovery Point Objectives. Production data is backed up through automated snapshots that are geo-replicated and retained for at least thirty (30) days, and restorations are tested on a recurring basis. Critical systems can fail over to replicated infrastructure in a separate region.
  4. Regular testing, assessment and evaluation of effectiveness. Eclypsium undergoes an annual independent SOC 2 examination covering the Security and Confidentiality criteria, annual third-party penetration testing, weekly vulnerability scanning, and monthly web-application scanning of internet-facing assets. Security policies, internal controls, and the network environment are reviewed at least annually, and user access is reviewed on a recurring basis no less than semi-annually.
  5. User identification and authorisation. Access follows least-privilege and role-based principles. Workforce access is governed through single sign-on with multi-factor authentication enforced; privileged and administrator access requires hardware-token-based multi-factor authentication and separate credentials. Access is granted commensurate with role, recorded centrally, reviewed periodically, and revoked on the same business day a termination takes effect. Password standards align with NIST SP 800-63B, and secrets are held in an encrypted vault restricted to a limited number of administrators.
  6. Protection of Personal Data during transmission. All Personal Data transmitted over public or untrusted networks is encrypted using TLS, and workforce access to production traverses encrypted VPN or secure tunnels. Programmatic access to the Services is authenticated using token-based mechanisms such as OAuth2.
  7. Protection of Personal Data during storage. Personal Data is encrypted at rest, logically segregated by customer, and accessible only to authorized personnel with a need to know. Asset and data inventories are maintained, and data is retained and disposed of in accordance with a documented retention and destruction schedule.
  8. Physical security of locations at which Personal Data is processed. All production systems that process Personal Data are hosted within the facilities of Eclypsium’s cloud Sub-processor. Physical and environmental data-center controls – including perimeter security, access control and logging, surveillance, fire detection and suppression, and power and climate management – are the responsibility of that Sub-processor under its own audited control framework. No Personal Data processed under the Agreement is stored on systems located in Eclypsium offices; office premises are secured by building access controls and surveillance provided by facility management.
  9. Events logging. Security-relevant events and system activity are captured through centralized logging and monitoring. Logs are retained, protected against unauthorized access and alteration, and reviewed periodically; alerts on suspicious activity are routed to security personnel for investigation under the incident response process.
  10. System configuration, including default configuration, and change management. Infrastructure is deployed from hardened baseline configurations aligned with recognized industry benchmarks such as CIS. Changes follow a documented change-management process requiring review and approval, including peer review for significant changes, with impact assessment, testing, and rollback planning. Baseline configurations are reviewed at least annually.
  11. Internal IT and information-security governance and management. Eclypsium maintains a documented information security program governed by a charter and overseen by a Chief Information Security Officer, supported by a suite of security policies that are reviewed and approved at least annually. Eclypsium performs an annual enterprise risk assessment maintained in a risk register and operates a vendor and Sub-processor risk-management program.
  12. Personnel security. Personnel are bound by confidentiality and acceptable-use obligations, undergo background screening where legally permitted before being granted access to sensitive data, and complete security awareness training at onboarding and at least annually.
  13. Certification and assurance of processes and products. Eclypsium maintains an annual SOC 2 Type II report covering the Security and Confidentiality criteria, available to Customers under confidentiality on request, and aligns its controls with recognized frameworks, including the CIS Controls and NIST SP 800-63B for authentication.
  14. Data minimisation, data quality and limited retention. The Services are designed to collect only the limited Personal Data necessary to provide them, principally device identifiers and administrator or authorized-user business contact details, sourced from customer-deployed sensors and customer-administered accounts. Personal Data is retained for the duration of the Agreement and disposed of thereafter in accordance with Section 10 of the Addendum and Eclypsium’s retention schedule, subject to expiry of routine backups.
  15. Accountability. Eclypsium maintains records of processing activities, defined security roles and responsibilities, and evidence of policy acknowledgement and training.
  16. Data portability and erasure. Customers may export their data through the platform console and APIs during the term. On expiry or termination of the Agreement, Eclypsium will return or securely delete Personal Data in accordance with Section 10 of the Addendum and will certify deletion on request.