September 19, 2023
Your use of the Lens Cloud Services is subject to these Lens Cloud Services Data Processing Agreement (“DPA”) terms, which supplement and are incorporated into the Lens Terms of Service Agreement and the Lens Cloud Services Additional Terms (collectively, the “Agreement”). By using the Lens Cloud Services in any manner, you represent and affirm that you have read, understand and agree to be legally bound by and comply with the Agreement. If you do not agree with the Agreement, you are not authorized to use the Lens Cloud Services in any manner.
The following capitalized terms shall have the following meanings in this DPA:
“Applicable Data Protection Laws” means all laws and regulations, applicable to the Processing of Personal Data under the Agreement as amended from time to time, including (but not limited to) laws and regulations of the European Economic Area, Switzerland, the United Kingdom and the United States and its states.
“CCPA” means the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq., and its implementing regulations.
“Customer” means the individual or legal entity that entered into the Agreement referring to this DPA.
“Customer Account Data” means information about the Customer provided to Mirantis in relation to the creation and administration of the Customer’s account (such as profile information or contact information).
“Data Subject” means the identified or identifiable person to whom Personal Data relates.
“Controller” means the entity which determines the purposes and means of the Processing of Personal Data.
“EEA” or “European Economic Area” means the member states of the European Union, Iceland, Liechtenstein and Norway.
“GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation).
“Personal Data” means any information within the User Content relating to (i) an identified or identifiable natural person and (ii) an identified or identifiable household or a legal entity (where such information is protected similarly to personal data or personally identifiable information under Applicable Data Protection Laws).
“Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Processor” means the entity which Processes Personal Data on behalf of a Controller, including as applicable any “service provider” as that term is defined by the CCPA or similar terms under other Applicable Data Protection Laws.
“Security Incident” means a breach of Mirantis’ security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to User Content.
“Sensitive Personal Data” means (i) Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data processed for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation, and (ii) Personal Data relating to criminal convictions and offenses of Data Subjects.
“Services” means the services provided by Mirantis to the Customer under the Agreement.
“Standard Contractual Clauses” means the clauses adopted by the EU Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, or any successor clauses approved by the EU Commission, and/or UK Addendum.
“Third Country” means a country outside the EEA not recognized by the European Commission as providing an adequate level of protection for Personal Data.
“UK Addendum” means the International Data Transfer Addendum to the EU Commission’s Standard Contractual Clauses or any subsequent clauses issued by the UK Information Commissioner’s Office.
“User Content” means the User Content as defined in the Agreement.
For Personal Data contained in the User Content, Customer is the Controller or the Processor processing the data on behalf of another Controller and Mirantis will be the Processor with respect to such data.
3.1. Scope of Processing. This DPA applies when Customer uploads or submits User Content through the Services that is qualified as Personal Data under the relevant Applicable Data Protection Laws.
3.2. Subject matter. The subject matter of the Processing under this DPA is Personal Data contained in User Content.
3.3. Duration. Duration of the data processing of Personal Data under this DPA is determined by Customer’s decision to store Personal Data within the Services.
3.4. Frequency. Personal Data is processed under this DPA on an ongoing/continuous basis as part of the provision of the Services.
3.5. Purpose. The purpose of the data processing under this DPA is the provision of the Services under the Agreement.
3.6. Nature of the processing: Storage of Personal Data included in User Content and further operations initiated by Customer from time to time or allowed by the Services features.
3.7. Categories of Personal Data: Any category of Personal Data uploaded to the Services by Customer under Customer’s account.
3.8. Categories of Data Subjects: Any category of data subjects whose Personal Data is uploaded to the Services by Customer under Customer’s account.
The parties agree that this DPA and the Agreement constitute Customer’s documented instructions regarding Mirantis’ processing of Personal Data, together with the provision of instructions through the features and settings of the Services made available by Mirantis (“Documented Instructions”). Mirantis will process Personal Data only in accordance with Documented Instructions of the Customer and/or other Controller, where Customer is not the Controller. Additional instructions outside the scope of the Documented Instructions (if any) require a prior written agreement between Mirantis and Customer. Mirantis agrees and certifies that Mirantis will not: (i) retain, use, or disclose Personal Data for any purpose other than as allowed in the Agreement, this DPA or Applicable Data Protection Laws (including for commercial purposes other than providing services under the Agreement, or retaining, using, or disclosing the information outside the relationship between the parties, unless agreed otherwise); or (ii) sell Personal Data.
Each party will comply with all Applicable Data Protection Laws applicable to it and binding on it in the performance of this DPA, including the GDPR, CCPA or similar regulations. Customer warrants that it has all necessary consents or other legal titles to upload and process the Personal Data as User Content into the Services and that it complies with all other legal obligations necessary to transfer the Personal Data into the Services.
Mirantis will not access or use, or disclose to any third party, any Personal Data, except, in each case, (i) as necessary to maintain or provide the Services, or (ii) as necessary to comply with the law or a valid and binding order of a governmental body (such as a subpoena or court order), or (iii) as determined by Customer through a feature of the Service or other Documented Instructions. When Mirantis is required to disclose User Content to a governmental body, then Mirantis will attempt to redirect the governmental body to request the data directly from the Customer or the Controller. If compelled to disclose Customer Data to a governmental body, then Mirantis will give Customer reasonable notice of the demand to allow Customer to seek a protective order or other appropriate remedy unless Mirantis is legally prohibited from doing so.
Mirantis shall make the Personal Data available only to the personnel bound by appropriate contractual or equivalent legal obligation of confidentiality.
8.1. Mirantis has implemented and will maintain the technical and organizational measures for the Services whose minimum standards are described in Exhibit 1 to this DPA. Customer acknowledges that it has reviewed the technical and organizational measures and, with regards to the type of Personal Data to be processed by the Services, Customer considers such technical and organizational measures appropriate in the context of transferred Personal Data.
8.2. Customer can elect to implement, at its own cost, additional technical and organizational measures in relation to Personal Data which, together with the measures described in Exhibit 1, will meet an adequate level of protection where necessary, taking into account all circumstances of the Data Processing. Such technical and organizational measures may include: (i) pseudonymization and encryption to ensure an appropriate level of security; (ii) measures to allow Customer to back up and archive appropriately in order to restore availability and access to Personal Data in a timely manner in the event of a physical or technical incident; and (iii) processes for regularly testing, assessing and evaluating the effectiveness of the technical and organizational measures implemented by Customer.
Customer acknowledges that the Services are not designed for processing of Sensitive Personal Data on behalf of the Customer and agrees that it will not upload or submit any User Content that would contain Sensitive Personal Data to the Services.
To the extent Personal Data is subject to Applicable Data Protection Laws of a country from the European Economic Area, the United Kingdom or Switzerland, the following additional terms of this Section 10 shall apply:
10.1.1. Authorized Sub-processors. Customer generally authorizes Mirantis to use its affiliates and other sub-processors to fulfill its contractual obligations under this DPA or to provide certain services on its behalf (“Sub-processors”) that are listed at https://mirantis.com/company/affiliates-and-subcontractors.
10.1.2. Change of Sub-processors. At least 15 days before Mirantis engages any new Sub-processor to carry out processing activities on Personal Data on behalf of Customer, Mirantis will update the list and notify Customer about the changes through a mechanism to obtain notice about the intended change to email address registered by Customer. When Mirantis offers such mechanism, Customer agrees to register its email address to which it wishes to receive the notifications as a precondition for delivery of such information by Mirantis. Unless such mechanism is available, Mirantis will provide the notice by another appropriate manner.
10.1.3. Objections. If Customer reasonably objects to a new Sub-processor and Customer’s written objection is not resolved to Customer’s reasonable satisfaction, then Customer has the ability to object to the Processing by the new Sub-processor by (i) removing the Personal Data from the Customer Content in order to avoid further Processing by the new Sub-processor or (ii) terminating the Agreement by delivering Mirantis a termination notice with respect to the Agreement.
10.1.4. Sub-processor Obligations. Where Mirantis uses any Sub-processor as described in this Section 10: (i) Mirantis will restrict the Sub-processor’s access to Personal Data only to what is necessary to maintain the Services or to provide the Services to Customer; (ii) Mirantis will enter into a written agreement with the Sub-processor and, to the extent that the Sub-processor performs the same data processing services that are being provided by Mirantis under this DPA, Mirantis will impose on the Sub-processor substantially the same contractual obligations that Mirantis has under this DPA; and (iii) Mirantis will remain responsible for its compliance with the obligations of this DPA and for any acts or omissions of the Sub-processors that cause Mirantis to breach any of Mirantis’ obligations under this DPA.
10.2. Security Incident Notification.
10.2.1. Security Incident. Mirantis will (a) notify Customer of a Security Incident without undue delay after becoming aware of the Security Incident, and (b) take reasonable steps to mitigate the effects and to minimize any damage resulting from the Security Incident.
10.2.2. Mirantis Assistance. To assist Customer in relation to any Personal Data breach notifications Customer is required to make under the Applicable Data Protection Laws, Mirantis will include in the notification under section 10.2.1 such information about the Security Incident as Mirantis is reasonably able to disclose to Customer, taking into account the nature of the Services, the information available to Mirantis, and any restrictions on disclosing the information, such as confidentiality. Taking into account the nature of the processing, Customer agrees that it is best able to determine the likely consequences of a Security Incident.
10.2.3. Unsuccessful Security Incidents. Customer agrees that: (i) an unsuccessful Security Incident will not be subject to this Section 10.2. An unsuccessful Security Incident is one that results in no unauthorized access to Customer Data or to any of Mirantis’ or its subcontractors’ equipment or facilities storing Customer Data, and could include, without limitation, pings and other broadcast attacks on firewalls or edge servers, port scans, unsuccessful log-on attempts, denial of service attacks, packet sniffing (or other unauthorized access to traffic data that does not result in access beyond headers) or similar incidents; and (ii) Mirantis’ obligation to report or respond to a Security Incident under this Section 10 is not and will not be construed as an acknowledgement by Mirantis of any fault or liability of Mirantis with respect to the Security Incident.
10.2.4. Communication. Notification(s) of Security Incidents, if any, will be delivered to the Customer by any means Mirantis selects, including via notifications displayed in the Services or by an email. It is Customer’s sole responsibility to maintain accurate contact information within the Customer’s account.
10.3. Assessments and Documentation. Taking into account the nature of the Services and the information available to Mirantis, Mirantis will assist Customer in complying with Customer’s obligations in respect of data protection impact assessments and prior consultation pursuant to Articles 35 and 36 of the GDPR (or equivalent provisions of other Applicable Data Protection Laws) or other assessments under Standard Contractual Clauses, by providing the information regarding the Services that are not generally available to the Customer. Mirantis’ assistance under this Section can be provided as a separate service and subject to a reasonable compensation of the actual effort spent by Mirantis on such a service. The parties agree that where the GDPR or Standard Contractual Clauses require from the parties a documentation of any assessments related to transfer of Personal Data, taking into account the fact that Customer decides which data will be processed, Customer will keep the documentation of the necessary assessments and make it available to the competent supervisory authorities when requested.
10.4. Provision of Information and Audits. Mirantis shall make available to Customer all information necessary to demonstrate compliance with the obligations under Article 28 of the GDPR or Standard Contractual Clauses and allow for and contribute to the audits and inspections as described further. Mirantis and its subcontractors are audited by an external third party at least as stated in Exhibit 1. To the extent that Mirantis is audited by such an independent auditor, Customer chooses to mandate such auditor to carry out the audit and inspection over Mirantis instead of Customer. Customer may ask for additional audits or inspections (i) when it proves that the information made available by Mirantis or the third-party auditor is not sufficient to demonstrate compliance with the obligations set out in this DPA, or (ii) when Customer has received a notification of a Security Incident, or (iii) when such an auditor inspection is required by Data Protection Laws or by a competent supervisory authority. Mirantis may allow for such additional audits or inspections subject to a prior agreement on the scope of such additional audit, security measures and reasonable compensation of Mirantis resources assisting the Customer with such audit. The parties agree that any audit or inspection under the Standard Contractual Clauses shall be carried out according to this Section 10.4.
10.5. Transfers of Personal Data from EEA, Switzerland and the United Kingdom.
10.5.1. Additional Terms for Transfers outside EEA and Switzerland. If, in the performance of the Services, Personal Data that is subject to the GDPR is transferred to a Third Country, then the parties shall comply with the Standard Contractual Clauses. Where Customer is the Controller of the Personal Data, the Standard Contractual Clauses with sections applicable for Module Two, available at https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32021D0914&from=EN shall apply. Where Customer is the Processor acting on behalf of a third party Controller, the Standard Contractual Clauses with sections applicable for Module Three, available at https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32021D0914&from=EN shall apply. In each case incorporating Annexes I and II of this DPA. The parties agree to be bound by the Standard Contractual Clauses as referenced herein.
10.5.2. Additional Terms for Transfers outside the United Kingdom. If, in the performance of the Services, Personal Data that is subject to the Applicable Data Protection Laws of the United Kingdom is transferred to a Third Country, the parties agree that the Standard Contractual Clauses as supplemented and amended by the UK Addendum located at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf shall apply to such transfers. Table 1 to the UK Addendum shall be deemed to include the information in Annex I of this DPA. Table 2 to the UK Addendum shall refer to the contractual clauses set forth in clause 10.5.1 above. Table 3 to the UK Addendum shall refer to the information contained in Annexes I and II of this DPA. For purposes of Table 4 to the UK Addendum, the parties agree that Exporter may end this Addendum as set out in Section 19 of the UK Addendum. The governing law for this purpose will be the laws of England and Wales and any disputes will be resolved by the courts of England and Wales.
10.5.3. Interpretation of Standard Contractual Clauses for transfers outside United Kingdom and Switzerland. In case of any transfers of Personal Data from the United Kingdom subject exclusively to Applicable Data Protection Laws of the United Kingdom (“UK Data Protection Laws”) and/or transfers of Personal Data from Switzerland subject exclusively to Applicable Data Protection Laws of Switzerland (“Swiss Data Protection Laws”), (i) general and specific references in the Standard Contractual Clauses to GDPR or EU or Member State Law shall have the same meaning as the equivalent reference in the UK Data Protection Laws or Swiss Data Protection Laws, as applicable; and (ii) any other obligation in the Standard Contractual Clauses determined by the Member State in which the data exporter or Data Subject is established shall refer to an obligation under UK Data Protection Laws or Swiss Data Protection Laws, as applicable, and (iii) references to EU authorities shall be replaced by references to the competent data protection authority of the United Kingdom or Switzerland, as applicable. In respect of data transfers governed by Swiss Data Protection Laws, the Standard Contractual Clauses also apply to the transfer of information relating to an identified or identifiable legal entity where such information is protected similarly as Personal Data under Swiss Data Protection Laws until such laws are amended to no longer apply to a legal entity.
Taking into account the nature of the Services, Mirantis offers Customer such functionality as Customer may elect to use to comply with its obligations towards data subjects. Should a data subject contact Mirantis with regard to correction or deletion of its Personal Data, Mirantis will use commercially reasonable efforts to forward such requests to Customer. Taking into account the nature of the processing, Customer agrees that it is unlikely that Mirantis would become aware that Customer Data transferred under the Standard Contractual Clauses is inaccurate or outdated. Nonetheless, if Mirantis becomes aware that Customer Data transferred under the Standard Contractual Clauses is inaccurate or outdated, it will inform Customer without undue delay. Mirantis will cooperate with Customer to erase or rectify inaccurate or outdated Customer Data transferred under the Standard Contractual Clauses by providing technical features that Customer can use to erase or rectify Customer Data.
This DPA shall continue in force until the termination of the Agreement (the “Termination Date”).
The Services provide Customer with controls that Customer may use to retrieve or delete User Content including Personal Data. Up to the Termination Date, Customer will continue to have the ability to retrieve or delete User Content including Personal Data in accordance with this Section. For 90 days following the Termination Date, Customer may retrieve or delete any remaining User Content including Personal Data from the Services, subject to the terms and conditions set out in the Agreement, unless prohibited by law or the order of a governmental or regulatory body or it could subject Mirantis or its Affiliates to liability. After the expiry of this period Mirantis will remove all the User Content including Personal Data as described in the Agreement. The parties agree that any certification of deletion of data pursuant to Standard Contractual Clauses will be provided only upon Customer’s written request.
The liability of Mirantis arising out of or related to this DPA whether in contract, tort or under any other theory of liability, is subject to the ‘Limitation of Liability’ section of the Agreement. For the avoidance of doubt, Mirantis’ total liability for all claims from Customer arising out of or related to the Agreement and all DPAs shall apply in the aggregate for all claims under both the Agreement and all DPAs established under the Agreement.
Except as amended by this DPA, the Agreement will remain in full force and effect. If there is a conflict between any other agreement between the parties including the Agreement and this DPA, the terms of this DPA will control, except that the Service Terms will control over this DPA. Nothing in the DPA shall be construed to prevail over any conflicting clause of the Standard Contractual Clauses.
This DPA shall be governed by the law that is governing for the Agreement and any disputes from this DPA shall be resolved by the courts that are agreed as competent to resolve the disputes from the Agreement. However, where the Standard Contractual Clauses apply, this DPA will be governed by the law and any disputes will be resolved by the courts agreed in the Standard Contractual Clauses.
Technical and Organizational Security Measures
1.1 Systems Security. The systems dedicated for the provision of Services will be electronically accessible to employees, contractors and any other person as necessary to provide the Services. Mirantis ensures access controls and policies to manage what access is allowed to the systems, including the use of firewalls or functionally equivalent technology and authentication controls.
1.2 Physical Security
1.2.1 Physical Access Controls. Physical components of the system where Services are hosted are housed in nondescript facilities (the “Facilities”). Physical barrier controls are used to prevent unauthorized entrance to the Facilities both at the perimeter and at building access points. Passage through the physical barriers at the Facilities requires either electronic access control validation (e.g., card access systems, etc.) or validation by human security personnel (e.g., contract or in-house security guard service, receptionist, etc.). Persons with access to the system are assigned photo-ID badges that must be worn while the persons are at any of the Facilities. Visitors are required to sign in with designated personnel, must show appropriate identification, are assigned a visitor ID badge that must be worn while the visitor is at any of the Facilities, and are continually escorted by authorized employees or contractors while visiting the Facilities.
1.2.2 Limited Employee and Contractor Access. Access to the Facilities is provided only to those persons who have a legitimate business need for such access privileges. When a person no longer has a business need for the access privileges assigned to him/her, the access privileges are promptly revoked.
1.2.3 Physical Security Protections. All access points (other than main entry doors) are maintained in a secured (locked) state. Access points to the Facilities are monitored by video surveillance cameras designed to record all individuals accessing the Facilities. Electronic intrusion detection systems designed to detect unauthorized access to the Facilities are maintained by the provider of the Facilities, including monitoring points of vulnerability (e.g., primary entry doors, emergency egress doors, roof hatches, dock bay doors, etc.) with door contacts, glass breakage devices, interior motion-detection, or other devices designed to detect individuals attempting to gain access to the Facilities. All physical access to the Facilities by individuals is logged and routinely audited.
1.2.4 Continued Evaluation. The provider of the hosting Facilities will conduct periodic reviews of the security of its Facilities and the adequacy of its information security program as measured against industry security standards and its policies and procedures.
1.3 Security Roles and Responsibilities. All Mirantis personnel with access to User Content are subject to confidentiality obligations and regular security training.
1.4 Measures for Ensuring Ongoing Integrity, Availability and Resilience of Processing Systems and Services. The methodology follows the Mirantis Secure Development Lifecycle: plan, develop, validate, operate, launch, monitor. Risks are identified with threat modelling and then mitigated. In testing, security issues can be found and mitigated. By monitoring the system, security problems can be identified and mitigated.
1.5 Restoration of Availability. Daily backups of data are captured. There is a process in place to restore the system from the backup.
1.6 Protection of Data During Transmission. Data is transmitted using TLS.
1.7 Protection of Data During Storage. Data is encrypted at rest using AWS RDS functionality.
1.9 Event Logging. Event logging is incorporated into the system code and into system components provided by AWS. Event logs are collected in AWS CloudWatch.
1.10 Measures for Ensuring System Configuration. The system is deployed using an “infrastructure as code” approach where the configuration is kept in source control and reviewed before changes.
ANNEX I TO THE STANDARD CONTRACTUAL CLAUSES
Name: The entity identified as “Customer” in the Agreement or Order Form.
Address: The address for Customer associated with its account or as otherwise specified in the Agreement or Order Form.
Contact person’s name, position and contact details: The contact details associated with Customer’s account, or as otherwise specified in the Agreement or Order Form.
Activities relevant to the data transferred under these Clauses: The activities specified in Section 3 of the DPA.
Signature and date: By using Lens Cloud Services, the data exporter will be deemed to have signed this Annex I.
Role (controller/processor): Controller or Processor
Name: “Mirantis” as identified in the DPA.
Address: The address of Mirantis specified in the DPA.
Contact person’s name, position and contact details: Data Protection Officer, email@example.com.
Activities relevant to the data transferred under these Clauses: The activities specified in Section 3 of the DPA.
Signature and date: By making Lens Cloud Services available to the data exporter, the data importer will be deemed to have signed this Annex I.
Role (controller/processor): Processor
Categories of data subjects whose personal data is transferred: Categories of data subjects are specified in Section 3 of the DPA.
Categories of personal data transferred: The personal data is described in Section 3 of the DPA.
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures: The data exporter agrees in the DPA not to transfer any sensitive data.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis): The frequency of the processing is described in Section 3 of the DPA.
Nature of the processing: The nature of the processing is described in Section 3 of the DPA.
Purpose(s) of the data transfer and further processing: The purpose of the data transfer is to provide the Services.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: As determined by the data exporter in accordance with the terms of the DPA.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing: The subject matter, nature of processing and duration of the processing are described in Annex I of the DPA. Duration of the sub-processing is the whole period of processing by the data importer.
Where the data exporter entering into the Agreement is established in EEA, UK or Switzerland or the transfer falls within the territorial scope of application of such a country – the competent supervisory authority with responsibility for ensuring compliance by the data exporter with the Applicable Data Protection Laws as determined by the Applicable Data Protection Laws.
The parties agree that the data exporter will not export to the data importer, and the data importer will not process on behalf of the data exporter, any personal data of data subjects in relation to the offering of goods or services to them, or whose behavior is monitored, and for this purpose it is not relevant to determine an alternative competent supervisory authority under Sec. 13.
The parties agree that the governing law for the Standard Contractual Clauses shall be Polish and the forum and jurisdiction for any disputes shall be in Poland.
The parties agree not to include Clause 7, to include option 2 in Clause 9, and to include the entire Clause 11.
ANNEX II TO THE STANDARD CONTRACTUAL CLAUSES
TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
Security measures are described in Exhibit 1 to the DPA.