Veeam Data Processing Addendum (DPA)

Last updated: March 3, 2026

In the course of using Veeam Services, when you (the “Customer”) may transfer to Veeam Personal Data (as defined below) for processing on your behalf, the processing of such data is governed by this Data Processing Addendum (the “Addendum” or “DPA”).

Veeam acts as a “Processor,” as defined in the General Data Protection Regulation ((EU) 2016/679) and relevant member state implementations thereof (collectively, “GDPR”), a “Service Provider,” as this term is defined in the California Consumer Privacy Act, Cal. Civ. Code §§ 1798.100 et seq., and regulations adopted pursuant thereto (collectively, “CCPA”) or other relevant term as defined by applicable law. This Addendum contains the mandatory stipulations for contracts between Controllers and Processors, or between Businesses and Service Providers in accordance with Data Protection Laws.

This Addendum is by and between the Customer on behalf of itself and, to the extent required under applicable data protection laws and regulations, in the name and on behalf of its Authorized Affiliates (collectively, the “Customer”), and the Veeam entity (as defined in the Agreement of specific Veeam Services order by the Customer) and Veeam Affiliates (collectively, “Veeam,” and Veeam and Customer together, the “Parties”), and is incorporated by reference into the Agreement between Customer and Veeam for the purpose of setting forth the terms and conditions under which the Parties may exchange Personal Data to ensure compliance with Data Protection Laws.

Wherefore, the parties agree as follows:

Definitions and interpretation

1.1 Definitions:

Authorized Persons or Affiliates: the persons, categories of persons, or entities that the Controller or Business authorizes to give the Processor or Service Provider Personal Data processing instructions.

Agreement: agreement between the Parties that sets out the terms and conditions of the relationship between the Parties.

Data Protection Laws: means all applicable privacy and data protection laws of the European Union, the EEA and its member states, the United Kingdom, Switzerland, and the United States, including the GDPR (Regulation (EU) 2016/679) (“EU GDPR”); the EU GDPR as it forms part of UK law by virtue of the European Union (Withdrawal) Act 2018 (“UK GDPR”); the California Consumer Privacy Act as amended by the California Privacy Rights Act (collectively, “CCPA/CPRA”); any other applicable U.S. Data Protection Laws; and any national implementing laws, regulations and secondary legislation relating to the processing of Personal Data, in each case as amended, replaced or updated from time to time.

Data Subject: means the individual natural person to whom any Personal Data may relate.

Effective Date: the date on which Agreement goes into effect as between the Parties.

Personal Data: means the same as the term “Personal Data” or “Personal Information” in the Data Protection Laws.

Personal Data Breach: a breach of Veeam’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data in Veeam’s possession, custody, or control. Personal Data Breach does not include unsuccessful attempts or activities that do not compromise the security of Personal Data.

Processing, processes, and process: means either any activity that involves the use of Personal Data, or as Data Protection Laws may otherwise define these terms.

Services: means the services contracted for in the Agreement.

Standard Contractual Clauses (SCC): the European Commission’s Standard Contractual Clauses for the transfer of Personal Data from the European Union to Controllers established in third countries, as set out in the Annex to Commission Decision 2021/914/EU, as may be amended from time to time.

U.S. Data Protection Laws: means any applicable U.S. federal or state privacy laws or regulations relating to the protection of Personal Data, whether in existence as of the Effective Date or promulgated thereafter.

Veeam Affiliates: Veeam VaaS Corporation, Veeam Software Group GmbH, Veeam Software UK Limited, Veeam Software France SARL, Veeam Software GmbH, Veeam Pty Ltd, Veeam Software Corporation, Veeam Software Portugal Unipessoal LDA, Veeam Software (Czech Republic) s.r.o., VS International Holdings Limited, Coveware™ Inc., Kasten® Inc., Veeam Software SRL, Veeam Software Private Limited, and Veeam Software Costa Rica SRL.

1.2 General

1.2.1 The Appendices to this Addendum form part of this Addendum and will have effect as if set out in full in the body of this Addendum.

1.2.2 In the event of any conflict or inconsistency: (i) the Appendices prevail over the body of this Addendum and over any accompanying invoice or annexed documents; (ii) this Addendum prevails over the Agreement; and (iii) any executed (or deemed executed) SCCs prevail over this Addendum.

1.2.3 This Addendum is drafted in the English language, and its text will prevail over the text of any version of this Addendum translated into another language. Each notice, instrument, certificate, or other communication to be given under this Addendum will be in the English language, and its text will prevail over the text of any version of such notice, instrument, certificate, or other communication translated into another language.

Responsibilities regarding processing of personal data

2.1 Veeam Responsibilities

2.1.1 Veeam shall Process the Personal Data only on documented instructions from the Customer, unless otherwise required by applicable Data Protection Laws. Veeam agrees to process any Personal Data only to perform the Services or any related processing as described in this Addendum.

2.1.2 Veeam shall ensure that personnel authorized by Veeam to process Personal Data have committed themselves to confidentiality.

2.1.3 To the extent required by Data Protection Laws, Veeam will immediately inform the Customer if, in Veeam’s opinion, any Customer instruction would violate Data Protection Laws.

2.1.4 If Veeam receives a valid request or legal process (such as a subpoena or court order) for Personal Data, Veeam will attempt to redirect the governmental entity or third-party requester to request Personal Data directly from the Customer. If compelled to disclose Personal Data to a governmental entity or third-party requester, Veeam will give the Customer reasonable notice of the demand to allow the Customer to seek a protective order or other appropriate remedy, unless Veeam is legally prohibited from providing such notice. Veeam will not disclose or provide access to Personal Data to any law enforcement or government authority unless required by law.

2.1.5 If Veeam receives a request from a Customer’s Data Subject to exercise one or more of their rights under the Data Protection Laws, Veeam will redirect the Data Subject to make their request directly to Customer. Veeam will promptly notify Customer if Veeam receives a request from a Data Subject to exercise their rights under applicable Data Protection Laws (“Data Subject Request”). Customer shall be solely responsible for responding to any such Data Subject Request or communications involving Personal Data. Veeam shall, to the extent legally required, provide reasonable assistance to Customer to respond to any Data Subject Requests or requests from data protection authorities relating to the processing of Personal Data.

2.1.6 To the extent that information is reasonably available to Veeam, and Customer does not otherwise have access to the required information, Veeam will provide reasonable assistance to Customer, at Customer’s cost, with any data protection impact assessments and prior consultations with supervisory authorities or other competent data privacy authorities as required by Data Protection Laws and solely in relation to Processing Personal Data.

2.1.7 To the extent U.S. Data Protection Laws apply, Veeam agrees that: (a) Customer discloses Personal Data to Veeam solely for a valid business purpose and to perform the Services; (b) Veeam does not sell or share Personal Data; (c) Veeam will not combine Personal Data with Personal Data Veeam receives from another source except as permitted by applicable law and this Addendum; (d) Veeam will not use Personal Data for cross-context behavioral advertising or other purposes outside the direct business relationship; and (e) Veeam will make available information reasonably necessary to demonstrate compliance with this Addendum and applicable Data Protection Laws.

2.2 Customer Responsibilities

2.2.1 Customer shall: (i) ensure that, throughout the Term, it has and maintains a valid legal basis for the Processing of Personal Data by Veeam and for its collection and disclosure of such Personal Data to Veeam, in each case in accordance with this DPA, the Agreement (including Customer’s instructions), and all applicable Data Privacy Laws (including, where applicable, Articles 6, 9(2), and 10 of the GDPR); (ii) comply with all necessary transparency and lawfulness requirements under applicable Data Protection Law for the collection and use of Personal Data; (iii) ensure it has the right to transfer, or provide access to, Personal Data to Veeam for processing in accordance with the terms of the Agreement; and (iv) ensure that its instructions to Veeam regarding the processing of Personal Data are lawful and comply with, and do not cause Veeam to violate, applicable laws, including the Data Protection Laws. Customer shall promptly inform Veeam if any of the foregoing representations are no longer accurate.

2.2.2 Customer acknowledges and agrees that Veeam does not have a means to verify any of the following: (i) the residency of each Data Subject, or (ii) specific data identifiers that are provided to Veeam by the Customer in connection with each Customer request to process Personal Data. Accordingly, it shall be the sole responsibility of the Customer to identify and verify, as necessary, the relevant Data Protection Laws that may apply.

Security of personal data

3.1 Both Parties shall maintain appropriate technical and organizational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, or unauthorized disclosure or access.

3.2 Customer agrees that the Service, the Security Measures, and Veeam’s commitments under this DPA are adequate to meet Customer’s needs, including with respect to any security obligations of Customer under applicable Data Protection Laws, and provide a level of security appropriate to the risk in respect of the Customer Provided Data.

Personal data incident

4.1 Veeam shall notify Customer without undue delay upon becoming aware of a Personal Data Incident. Veeam shall provide Customer with information (insofar as such information is within Veeam’s possession and knowledge and does not otherwise compromise the security of any Personal Data processed by Veeam) to allow Customer to meet its obligations under the Data Protection Laws. Veeam’s notification of response to a Personal Data Incident shall not be construed as Veeam’s acknowledgment of any fault or liability with respect to the Personal Data Incident.

4.2 Veeam shall reasonably cooperate with Customer and take commercially reasonable steps as may be directed by Customer to assist in the investigation of any such Personal Data Incident.

4.3 Customer is solely responsible for complying with notification laws applicable to Customer and fulfilling any third-party notification obligations related to any Personal Data Incidents.

4.4 If Customer determines that a Personal Data Incident must be notified to any Supervisory Authority, Data Subject(s), or others under Data Protection Laws, to the extent such notice directly or indirectly refers to or identifies Veeam, where permitted by applicable laws, Customer agrees to: (a) notify Veeam in advance; and (b) in good faith, consult with Veeam and consider any clarifications or corrections Veeam may reasonably recommend or request to any such notification, which: (i) relate to Veeam’s involvement in or relevance to such Personal Data Incident; and (ii) are consistent with applicable laws.

Retention, return, and deletion of personal data

5.1 Upon termination of the Agreement, Veeam will allow the Customer to retrieve their data from the Services as Section 9 (“Term and Termination”) of the Agreement prescribes. Additionally, upon the Customer’s written request, Veeam will either return or delete the Personal Data unless such data is permitted to be maintained by Data Protection Laws. In that case, it shall be held by the terms of this Addendum.

Sub-processor

6.1 Customer provides general authorization for Veeam to engage Sub-Processors to Process Personal Data in connection with the provision of the Services. A current list of Veeam’s Sub-Processors, including a description of the Services for which each Sub-Processor is engaged, is set out in Appendix B. The Sub-Processors applicable to Customer will depend on the specific Services purchased under the Agreement.

6.2 If and to the extent Veeam engages third-party Sub-Processors, Veeam will impose data protection terms on those Sub-Processors that provide at least the same level of protection as those in this Addendum, to the extent applicable to the nature of the services provided by such Sub-Processors. Veeam will remain responsible for each Sub-Processor’s compliance with the obligations of this Addendum and for any acts or omissions of such Sub-Processor that cause Veeam to breach any of its obligations under this Addendum.

6.3 Veeam will provide notice at least thirty (30) days prior to engaging a new Sub-Processor. Customer may object to the engagement of a new Sub-Processor by providing written notice to Veeam within fourteen (14) business days of receiving such notice, specifying the reasonable grounds for objection. Upon receipt of a valid objection, the Parties will work in good faith to achieve a commercially reasonable resolution. If the Parties are unable to reach a resolution, Veeam may, at its discretion, either (i) refrain from engaging the proposed Sub-Processor with respect to Customer’s Personal Data, or (ii) permit Customer to suspend or terminate the affected portion of the Services that cannot be provided without the use of the objected-to Sub-Processor.

Cross-border data transfers

7.1 Where Customer transfers or directs the transfer of Personal Data from the European Union to a country that has not received an adequacy decision by the European Commission, the Parties agree that the EU Standard Contractual Clauses shall be deemed executed by the Parties and incorporated into this Addendum as follows:

  • Incorporate the language/provisions of the EU Standard Contractual Clauses under Module Two: Transfer Controller to Processor and/or Module Three: Transfer Processor to Processor;
  • Customer shall be the “Data Exporter” and Veeam shall be the “Data Importer”;
  • With respect to Clause 7, the Parties choose not to include the optional docking clause;
  • With respect to Clause 9, the Data Importer has the Data Exporter’s general authorization to engage the specific Sub-Processors listed in Appendix B, which list may be amended from time to time by Data Importer with reasonable advance notice to Customer;
  • With respect to Clause 11, the Parties choose not to include the optional language relating to the use of an independent dispute resolution body;
  • For the purposes of Clause 13 of the SCCs and Annex I.C thereto, the competent supervisory authority shall be the Commission Nationale de l’Informatique et des Libertés (CNIL) in France, unless the Data Exporter designates a different competent supervisory authority in accordance with Clause 13 by written notice to Veeam.
  • With respect to Clause 17, except as may be elected by the Data Exporter via notice to Veeam, consistent with the requirements of Clause 17, the Standard Contractual Clauses shall be governed by the laws of France;
  • With respect to Annex I.A of the Appendix, the Name and Contact Information of the Controller shall be that of the Customer as set forth herein, and the Name and Contact Information of the Processor shall be that of Veeam as set forth herein.
  • The Personal Data Processing activities will be for the Business Purposes as set forth in the Agreement.
  • The information in Appendices will be used to further complete any additional requirements.

7.2 Where Customer transfers or directs the transfer of Personal Data from the United Kingdom to a third country that is not subject to the UK adequacy regulations (or where such transfer otherwise constitutes a restricted transfer under the UK GDPR), the Parties agree to be bound by and incorporate into this Addendum and the EU Standard Contractual Clauses by reference any additional modifications and amendments required by the UK Transfer Addendum. The information set forth herein shall be used to complete Parts 1 and 3 of the UK Transfer Addendum. In accordance with Section 19 of the UK Transfer Addendum, neither the Data Exporter nor Data Importer may terminate the UK Transfer Addendum for convenience.

7.3 Where Customer transfers or directs the transfer of Personal Data from Switzerland to a third country that Switzerland does not recognize as providing an adequate level of protection (or where such transfer otherwise constitutes a cross-border disclosure requiring appropriate safeguards under applicable Data Protection Law), the EU Standard Contractual Clauses as set forth above will apply to the transfer in a manner compliant with the Swiss Federal Act on Data Protection.

7.4 For EEA, UK, and Swiss transfers within the scope of Veeam’s participation in the EU-U.S. Data Privacy Framework (including the UK Extension) and the Swiss-U.S. Data Privacy Framework (together, the “DPF”), Veeam relies on the DPF. For any transfers not covered by the DPF, or if the DPF, the UK Extension, or the Swiss framework is invalidated or limited, or if Veeam’s certification is not current, the Standard Contractual Clauses, the UK Addendum, and the Swiss alignment in §§7.1–7.3 automatically apply to the affected transfers without further action. Veeam will notify Customer without undue delay of any such change.

Liability

The total aggregate liability of either Party, howsoever arising, under or in connection with this DPA and the SCCs (if and as they apply) will under no circumstances exceed any limitations or caps on, and shall be subject to any exclusions of, liability and loss agreed by the Parties in the Agreement; provided that, nothing in this Section 8 will affect any person’s liability to Data Subjects under the third-party beneficiary provisions of the SCCs (if and as they apply).

Term and termination

9.1 This Addendum will remain in full force and effect so long as: (a) the Agreement remains in effect or (b) Veeam retains any Personal Data.

9.2 Any provision of this Addendum that expressly or by implication should survive termination of the Agreement in order to protect Personal Data will remain in full force and effect.

9.3 Either Party’s failure to comply with the terms of this Addendum is a material breach of the Agreement. In such an event, the non-breaching party may terminate the relationship as set forth in the Agreement, without further liability or obligation.

9.4 Veeam shall be entitled to terminate the Agreement, insofar as it concerns the processing of personal data under this DPA, where:

i) Veeam is unable to adhere to, perform, or implement any instructions issued by Customer due to the technical limitations of its systems, equipment, and/or facilities;

ii) Veeam is unable to adhere to, perform, or implement any such instructions which would require disproportionate effort (whether in terms of time, cost, available technology, manpower, or otherwise);

iii) In the event there is a change in the applicable Data Privacy Laws that Veeam considers (acting reasonably) would mean that Veeam is no longer able to provide the Services (including any Processing and/or restricted transfer(s) of Customer’s Personal Data) in accordance with its obligations under applicable Data Protection Laws. In such case, Veeam reserves the right to make changes to the Services and to amend any part of the attached DPA as it considers reasonably necessary to ensure that Veeam is able to provide the Services in accordance with applicable Data Protection Laws.

Audit

10.1 Veeam agrees to make available to the Customer on request, such information as Veeam, acting reasonably, considers appropriate in the circumstances to demonstrate its compliance with this DPA.

10.2 In the event that Customer, acting reasonably, is able to provide documentary evidence that the information made available by Veeam pursuant to paragraph 10.1 is not sufficient in the circumstances to demonstrate Veeam’s compliance with this DPA, Veeam shall allow for and contribute to audits by Customer or an auditor mandated by Customer in relation to the Processing of Personal Data by Veeam subject to paragraphs 10.3 to 10.8.

10.3 Customer shall provide Veeam with reasonable prior written notice of any audit under Paragraph 10.2, which shall not be less than thirty (30) business days, unless a shorter period is required by a Supervisory Authority pursuant to Paragraph 10.6(f). Customer shall, and shall ensure that its auditors, use reasonable efforts to avoid causing any damage, injury, destruction, or disruption to Veeam’s premises, equipment, personnel, data, or business operations, including any interference with the confidentiality or security of other customers’ data or the availability of Veeam’s services. Customer shall indemnify Veeam for any loss or damage arising from a breach of this obligation.

10.4 Prior to conducting any audit, Customer shall submit a detailed audit plan that provides for the confidential treatment of all information exchanged in connection with the audit and any resulting reports. The audit plan must specify the proposed scope, duration, and start date of the audit. Veeam will review the audit plan and may raise concerns regarding any aspect that could compromise its security, privacy, employment, or other applicable policies. The Parties will work in good faith to agree on a final audit plan prior to the audit commencing.

10.5 If the controls or measures to be assessed in the requested audit are addressed in an audit report performed by a qualified third-party auditor within twelve (12) months of Customer’s audit request (“Audit Report”) and Veeam has confirmed in writing that there are no known material changes in the controls covered by such Audit Reports, Customer agrees to accept provision of such Audit Reports in lieu of requesting an audit of such controls or measures.

10.6 Veeam is not required to grant access to its premises for an audit:

(a) where an Audit Report shall be accepted in accordance with Paragraph 10.5;

(b) to any individual who does not provide reasonable evidence of identity and authority;

(c) to any auditor not reasonably approved in advance by Veeam;

(d) to any individual who has not executed a non-disclosure agreement with Veeam;

(e) where, or to the extent that, access would reasonably be expected to compromise the confidentiality or security of other customers’ data or the availability of Veeam’s services;

(f) outside normal business hours; or

(g) more than once in any calendar year during the Term, except where Customer (i) reasonably determines that an additional audit is necessary due to a Personal Data Breach affecting Personal Data, or (ii) is required to conduct such audit under applicable Data Protection Laws or by a Supervisory Authority, provided that Customer identifies the relevant breach or legal requirement in its audit notice.

10.7 Nothing in this DPA shall require Veeam to provide more information about its Sub-Processors than such Sub-Processors make generally available to their customers.

10.8 Except to the extent prohibited by applicable law, Customer shall be fully responsible for all time spent by Veeam (at Veeam’s then-current professional services rates) in Veeam’s provision of any cooperation and assistance provided to Customer under this Paragraph 10 (excluding any costs incurred in procurement, preparation, or delivery of Audit Reports to Customer pursuant to Paragraph 10.5), and shall, on demand, reimburse Veeam any such costs incurred by Veeam. The audits described in Clauses 8.9(c) and 8.9(d) of the SCC shall be subject to any relevant terms and conditions detailed in this Paragraph 10.

Notice

11.1 Notices in connection with this Addendum must be in writing and delivered consistent with the requirements in the Agreement.

APPENDIX A

Data Processing Details

VENDOR: DATA IMPORTER DETAILS  

Name:

As defined in the Agreement

Address:

As defined in the Agreement

Contact Details for Data Protection:

Email: privacy@veeam.com

Veeam Activities:

As defined in the Agreement

Role:

Processor

CUSTOMER: DATA EXPORTER DETAILS

Name:

As defined in the Agreement

Address:

As defined in the Agreement

Contact Details for Data Protection:

As communicated by Customer to Veeam

Customer Activities:

As defined in the Agreement

Role:

Controller, with respect to Processing of Personal Data for which it determines the purposes and means; and
Processor, with respect to Processing of Personal Data where it processes such data on behalf of another Controller (including affiliates, where applicable).

DETAILS OF PROCESSING:

Categories of Data Subjects:

Personal Data transferred may relate to the following categories of Data Subjects, depending on the Services provided under the Agreement:

  • Customer’s employees, contractors, and temporary workers (current, former, and prospective);
  • Dependents of the foregoing, where applicable;
  • Customer’s business contacts, collaborators, partners, and other individuals acting on behalf of legal entities;
  • End users of Customer’s products or services (such as customers, clients, patients, or website or application users);
  • Individuals who communicate or otherwise interact with Customer, including through Customer’s systems, applications, or services.
  • Any other Categories of Data Subjects Customer so decides.

Categories of Personal data:

Personal Data transferred may include Personal Data contained in email, documents, databases, and other electronic data processed through the Services, which may include, depending on Customer’s use of the Services:

  • Identification and contact data (such as name, address, email address, phone number, date of birth, and similar identifiers);
  • Account and authentication data (such as usernames, passwords, and audit logs);
  • Employment and professional information;
  • Financial and transaction-related data;
  • Device and technical data (such as IP addresses, device identifiers, and usage data);
  • Communications content (including emails, documents, images, audio, and video files);
  • Pseudonymous identifiers and online identifiers;
  • Special categories of Personal Data or data relating to criminal convictions and offences, to the extent submitted to the Services by or on behalf of Customer.
  • Any other Personal Data Customer so decides.

Frequency of Transfer:

The frequency of the transfer shall be ongoing, as initiated by Customer through its use of, or use on its behalf, the Services.

Nature of Processing:

Processing operations required in order to provide the Services in accordance with the Agreement.

Purpose of Processing:

Personal Data will be processed: (i) as necessary to provide the Services as initiated by Customer in its use thereof, and (ii) to comply with any other reasonable instructions provided by Customer in accordance with the terms of this DPA.

Duration of Processing/Retention Period:

Ongoing as initiated by Customer in and through its use, or use on its behalf, of the Services.

Transfers to (Sub-)Processors:

Transfers to Sub-Processors are as, and for the purposes, described from time to time in the Sub-Processor List (as may be updated from time to time in accordance with paragraph 4 of this DPA).

APPENDIX B

Approved Sub-processors for Veeam

APPENDIX C

General Security Measures

In accordance with the obligations set forth in this Addendum, it is within Veeam’s sole discretion to determine how to provide a secure technology environment that adheres to industry best practices, applicable laws, rules, and regulations. The following sets forth Veeam’s general security controls.

Information Security Policy.

Veeam has established and maintains an Information Security Policy that is aligned with the principles and requirements of ISO 27001 and NIST Cybersecurity Framework.

Secure Network.

Maintain a secure Network.  “Network” means Veeam’s corporate and product/services networks and Systems. “System” means all hardware, software, applications, infrastructure, peripheral equipment, (i.e., all technology resources) that comprise a computer environment and are used in the provision of the services provided under the Agreement.

Protect Personal Data. This includes controls such as:

  • Encryption of Personal Data at rest and in motion;

  • Processes and controls to prevent the unauthorized disclosure of Personal Data (such as data loss prevention systems);

  • Regular backup procedures; and

  • Data segmentation to prevent unauthorized access to Personal Data.

Maintain a Vulnerability Management Program.  This includes:

  • Regular identification of vulnerabilities in the Network, application, database, software and operating systems, and remediation;

  • Where applicable, secure code development techniques in adherence with the OWASP standard; and

  • Annual penetration testing of the Network and assets by a qualified third party.

Access Controls.

Provide strong technical and organizational access control measures to prevent unauthorized access. This includes:

  • Non-generic, complex, periodically changing passwords;

  • Segregation of functions and duties;

  • Multi-factor authentication for administrative access;

  • Monitoring and logging access to assets processing or storing Personal Data;

  • Implementation and enforcement of the least privilege access principle.

Security Controls for Devices Accessing Personal Data. This includes: 

  • Industry standard end point protection, such as antivirus and antimalware software;

  • VPN to remotely access secure Network or Veeam Networks or Systems containing Personal Data.

Incident Management.

Veeam has prepared and maintains an information security incident response plan. Veeam has controls and tools in place to detect and respond to information security incidents, including tools or services that identify, log, and alert of security incidents.

Security Awareness, Training, and Background Checks.

  • Veeam maintains and complies with information security policies and standards that comply with industry standards, including, without limitation, conducting respective periodic company-wide information security awareness training, including training on the collection, handling, transport, maintenance, and disposal of information, and security incident response;

  • Veeam performs employee background checks for employees with responsibilities for or access to Veeam Networks and Systems, as well as Personal Data (to the extent permitted by law).

Physical Security.  

Veeam provides physical controls to protect Personal Data and the Network, which may include as appropriate:

  • Physical protection and maintenance of Veeam’s Systems and assets to prevent loss, disclosure, damage, theft, or compromise of Personal Data; and

  • Labeling and secure disposal of equipment, physical and electronic media that may contain Customer-Provided Data.

Business Continuity and Disaster Recovery.

Veeam maintains a consistent framework and a managed process for business continuity and disaster recovery that addresses information security requirements.

Updates to security measures.

Veeam may update the security measures outlined in this Appendix C as necessary to reflect changes in technology, the processing environment, or to address emerging security threats, provided the updated measures do not materially decrease the overall protection of Customer-Provided Data.