Data Processing Addendum
(Effective as of November 10, 2023)
This Data Processing Addendum (“DPA”), offered by Ouster, Inc. and its affiliates (collectively, “Ouster”) forms part of the agreement (the “Agreement”) that covers the purchase, access, and/or use of the products or services offered by or on behalf of Ouster, Inc. and its affiliates (the “Ouster Offerings”) entered into by and between Ouster and the purchasers and/or users of such Ouster Offerings (the “Users”).
The purpose of this DPA is to establish minimum privacy, data protection and security standards and related requirements for Ouster in connection with its provision and operation of the Ouster Offerings in accordance with the Agreement.
Definitions. Unless defined differently elsewhere in the Agreement or in applicable Data Protection Laws, for the purposes of this DPA the following defined terms will have the meanings set forth in this Section 1:
“Data Protection Laws” means all applicable laws and regulations and conventions - including the laws, regulations or other legal requirements relating to data protection, privacy, security or otherwise with respect to the use, collection, retention, storage, security, disclosure, transfer, disposal, and other processing of personal data including, where applicable and without limitation, (i) EU Regulation 2016/674 (“EU GDPR”), (ii) the Swiss Federal Act on Data Protection (“FADP”), (iii) United States federal and/or state data protection or privacy statutes, including the California Consumer Protection Act of 2018 (“CCPA”) and the California Privacy Rights Act of 2020 (“CPRA”), and/or (iv) any other data protection and privacy laws applicable to a party and its Processing of Personal Data in connection with the Agreement; in each case, as may be amended, superseded or replaced from time to time.
“EEA/EU” means the European Economic Area and European Union, respectively.
“Personal Data” means the personal data of any type, as a subset of User Data, that could identify an individual, whether alone or when combined with any other data, as defined by the applicable Data Protection Laws.
“User Data” means User’s data, content, video, images, point cloud data, objects, patterns, or other materials of any type that Ouster hosts or otherwise processes for User in performance of the Ouster Offerings.
The terms “controller”, “processor”, “processing”, “personal data” and “personal data breach” shall have the meaning given to them in the applicable Data Protection Laws. The term “controller” shall also include a “business” as defined in the CCPA and the CPRA or analogous terms in the applicable Data Protection Laws, and the term “processor” shall also include a “service provider” as defined in the CCPA and CPRA or analogous terms in the applicable Data Protection Laws.
Relationship of the Parties. The Parties acknowledge and agree that, with respect to the processing of User Data, User may act either as a controller or processor and Ouster is a processor. User appoints Ouster as a processor to process User Data (i) in accordance with User’s instructions as set forth in the Agreement and this DPA and as otherwise necessary to provide the Products to User and its authorized users, (ii) as necessary to comply with applicable laws including Data Protection Laws, and (iii) additional instructions as otherwise agreed-upon in writing by the Parties, including any additional fees for fulfilling additional instructions. User represents that its instructions will comply with Data Protection Laws and acknowledges that Ouster is neither responsible for determining which laws are applicable to User’s business nor whether Ouster’s provision of the Products meets or will meet the requirements of such applicable laws. Ouster will inform User if it reasonably believes that any User instructions violate applicable laws including Data Protection Laws.
Third Party Requests. In the event any third-party request is made directly to Ouster in connection with User Data, Ouster will promptly inform User to the extent legally permitted. Ouster will not respond to any such request without User’s prior consent, except as legally required.
Ouster Affiliates and Personnel. Ouster will ensure that any affiliates or employees it authorizes to process User Data are subject to non-disclosure and confidentiality obligations consistent with Ouster’s confidentiality obligations in the Agreement and this DPA.
Authorization for Onward Sub-processing. User provides a general authorization for Ouster to engage onward sub-processors that is conditioned on the following requirements: (A) Ouster will restrict the onward sub-processor’s access to User Data only to what is strictly necessary to provide the Products, and Ouster will prohibit the sub-processor from processing the personal data for any other purpose; (B) Ouster agrees to impose contractual data protection obligations, including appropriate technical and organizational measures to protect personal data, on any sub-processor it appoints that requires such sub-processor to protect User Data as required by Data Protection Laws; and (C) Ouster will remain liable for any breach of this DPA that is caused by an act, error, or omission of its sub-processors as if such breach is attributable to Ouster itself, subject to the terms on liability and indemnity under the Agreement.
Notifications Regarding Sub-processors. User consents to Ouster engaging third-party sub-processors to process User Data within the Products as provided herein, provided that Ouster notify User of new sub-processors (including via email). Ouster will provide such notice no less than thirty (30) days prior to the addition of any sub-processor (the “Notice Period”). User may object to the addition of a sub-processor during the Notice Period, provided such objection is in writing and based on reasonable grounds relating to data protection. In such event, the Parties agree to discuss the objection in good faith, and if the Parties cannot reach a resolution within thirty (30) days of User’s written objection, User may discontinue use of the affected Products by providing written notice to Ouster, without prejudice to any fees incurred by User prior to discontinuation of the affected Products. If no objection is received during the Notice Period, the User is deemed to have authorized the new sub-processor.
Data Subject Rights. Ouster will endeavor to provide User with means to delete, obtain a copy of, or restrict use of User Data. User may use this functionality to comply with Data Protection Laws in response to data subject requests. To the extent User is unable to fulfill a data subject request accordingly, Ouster will, upon request, provide reasonable additional and timely assistance to assist User in complying with Data Protection Laws in response to the data subject request.
Impact Assessments and Audits. Ouster will provide reasonable cooperation to User in connection with any data protection impact assessment or similar undertaking (at User’s expense only if such reasonable cooperation will require Ouster to assign significant resources to that effort) or cooperation with regulatory authorities that may be required under Data Protection Laws.
Deletion of User Data. Ouster will delete or return to User any User Data stored upon request, subject to any legal retention obligations. Ouster may delete all User Data upon expiration or termination of the Agreement and/or this DPA, unless otherwise agreed-upon in writing. User Data stored in backup and disaster recovery repositories may be retained for a longer duration provided that it remains subject to this DPA until deleted.
Security. Ouster has implemented and will maintain technical and organizational security measures as set forth in the Agreement and this DPA. Ouster will share more detailed descriptions of such security measures with User from time-to-time.
Cross Border Data Transfers. To the extent User’s use of the Products requires an onward transfer mechanism to lawfully transfer personal data from one jurisdiction to another, the following shall apply:
- Transfer Mechanism: The transfer of personal data will be subject to a single transfer mechanism in accordance with the following order of precedence:
- One-Time Transfers. The Parties may expressly agree in writing (including via email) that a specified one-time transfer of personal data will be subject to a designated transfer mechanism (e.g., consent or another derogation);
- EU Standard Contractual Clauses. The Parties agree that the Standard Contractual Clauses approved by the European Commission in decision 2021/914 and as amended or replaced thereafter (“EU SCCs”) will apply to personal data that is transferred via the Products from the EEA/EU or Switzerland, either directly or via onward transfer, to any country or recipient outside the EEA that is: (a) not recognized by the European Commission (or, in the case of transfers from Switzerland, the competent authority for Switzerland) as providing an adequate level of protection for personal data. For data transfers from the EEA that are subject to the EU SCCs:
In Clause 7 of the EU SCCs, the optional docking clause may be exercised by User’s legal affiliates; In Clause 9 of the EU SCCs, Option 2 will apply and the time period for prior written notice of sub-processor changes will be as set forth in this DPA; In Clause 11 of the EU SCCs, the optional language will not apply; In Clause 17 (Option 1), the EU SCCs will be governed by Irish law; In Clause 18(b) of the EU SCCs, disputes will be resolved before the courts of Ireland.
In Annex I, Part A of the EU SCCs: User is the data exporter, and its contact is identified in the Agreement. By entering into the Agreement, data exporter is deemed to have signed these EU SCCs incorporated herein, including their Annexes, as of the effective date of the Agreement. Ouster is the data importer, and its contact is identified in the Agreement. By entering into the Agreement, data importer is deemed to have signed these EU SCCs incorporated herein, including their Annexes, as of the effective date of the Agreement.
In Annex I, Part B of the EU SCCs: The categories of data subjects are individuals captured in a recording or other form of data processed by Ouster as User Data on behalf of User; no sensitive data is anticipated to be processed by Ouster hereunder; the frequency of the transfer is a continuous basis for the duration of the Agreement; the nature and purpose of the processing is to provide the Products for User as contemplated in the Agreement; the period for which the personal data will be retained is primarily the duration of the Agreement. For transfers to sub-processors, the subject matter, nature, and duration of the processing will be included in the list of its sub-processors referenced in, and made available pursuant to, the DPA.
In Annex I, Part C of the EU SCCs: The Irish Data Protection Commission will be the competent supervisory authority unless otherwise agreed upon by the Parties in writing. Security Measures in support of Annex II of the EU SCCs are described in the Agreement and DPA and will be supplemented upon User’s request.
- UK International Data Transfer Addendum. The Parties agree that the EU SCCs supplemented by the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner, Version B1.0, in force 21 March 2022 and as amended or replaced thereafter (“UK IDTA”) will apply to personal data that is transferred via the Products from the UK, either directly or via onward transfer, to any country or recipient outside of the UK that is not recognized by the competent UK regulatory authority or governmental body for the UK as providing an adequate level of protection for personal data. For data transfers from the UK that are subject to the UK IDTA, the UK IDTA is hereby entered into, incorporated by reference in this DPA, and completed as follows:
In Table 1 of the UK IDTA, the Parties’ details and key contact information are located in the Agreement.
In Table 2 of the UK IDTA, information about the version of the approved EU SCCs is provided herein.
In Table 3 of the UK IDTA: The list of Parties is located in the Agreement; the description of the transfer is set forth in regard to the EU SCCs above; Security Measures in support of Annex II of the EU SCCs are described in the Agreement and DPA, and will be supplemented upon User’s request; The list of sub-processors is referenced in, and made available pursuant to, the DPA.
In Table 4 of the UK IDTA, both the importer and the exporter may end the UK IDTA in accordance with the terms of the UK IDTA.
- Transfers From Other Jurisdictions. Except as otherwise addressed under the DPA, any jurisdiction requiring a transfer mechanism not otherwise provided for under this DPA or the Agreement will be subject to EU SCCs as provided above.
Term and Termination. This DPA survives termination of the Agreement, for as long as Ouster or its sub-processors hold any copies of User Data.
Conflicts. To the extent there is any conflict or inconsistency between the (i) EU SCCs or UK IDTA and (ii) any other terms in the Agreement or this DPA, the provisions of the EU SCCs or UK IDTA, as applicable, will prevail. Notwithstanding the foregoing, any liability or indemnity claims brought in connection with this DPA (with the EU SCCs and UK IDTA) will be subject to the limitations of liability and other liability and indemnity terms and disclaimers set forth in the Agreement except to the extent prohibited by applicable law.