Superceded February 28, 2019

This Data Privacy Addendum ("DPA") relates to the processing by Ping Identity Corporation ("Ping Identity") of Personal Data (as defined below) provided by the company or entity that is party ("Customer") to the applicable subscription or license agreement and ordering documentation between Customer and Ping Identity (collectively, the "Agreement") governing Customer’s use of Ping Identity’s software and/or hosted service products. This DPA is incorporated into and forms part of, and is subject to the terms and conditions of, the Agreement. If an Affiliate of Customer has executed an Order Form with Ping Identity but is not the original signatory to the Agreement, this DPA is an DPA to and forms part of such Order Form. As used in this DPA, any capitalized terms not otherwise defined herein shall have the meanings as set forth in the Agreement.

This DPA consists of two parts: the main body of this DPA and Exhibit A. Except as expressly stated otherwise, in the event of any conflict between the terms of the Agreement, including any policies or schedules referenced therein, and the terms of this DPA, the relevant terms of this DPA shall take precedence.

1.     Definitions

"Data Controller" means the entity which determines the purposes and means of the Processing of Personal Data.

"Data Processor" means the entity which Processes Personal Data on behalf of the Data Controller.

"Data Protection Laws and Regulations" means Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC; and any other similar data protection laws in any other applicable territory, each as amended, replaced, or superseded.

“Data Sub-processor” means any Data Processor engaged by Ping Identity to Process Personal Data.

“Data Subject” means the individual to which the Personal Data relates.

“Personal Data” means any information relating to an identified or identifiable natural person as defined under applicable Data Protection Laws and Regulations that is: (i) Processed by Ping Identity’s products that are provided as a hosted, software-as-a-service application; (ii) provided to Ping Identity by Customer in the form of a log file generated by Ping Identity products that are provided as downloadable software in connection with support activities; or (iii) obtained by Ping Identity personnel in the performance of professional services ((i) through (iii) hereunder collectively referred to as “Services”).

“Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

2.     Processing of Personal Data

2.1   Provision of Service. Ping Identity provides a Service to Customer as specified in the Agreement. In connection with this Service, the parties anticipate that Customer may transfer to Ping Identity some Customer Data that contains Personal Data relating to Data Subjects. The Agreement may include restrictions regarding the types of Personal Data that may be provided by Customer to Ping Identity. Such restrictions are hereby incorporated into this DPA.

2.2   The parties’ roles. The parties agree that with regard to the Processing of Personal Data, Customer is the Data Controller, Ping Identity is the Data Processor and Ping Identity may engage Data Sub-processors pursuant to the requirements of this DPA. Customer is the owner of any and all Personal Data.

2.3   Purpose limitation. Ping Identity will only Process Personal Data for the duration of the Agreement and on behalf of and in accordance with Customer’s documented instructions as reasonably contemplated by the Agreement. Ping Identity shall not be required to comply with or observe Customer’s instructions if, in its reasonable discretion, such instructions would violate any Data Protection Laws and Regulations, and Ping Identity shall promptly notify Customer thereof. This DPA, the Agreement, and Customer’s use of the Service’s features and functionality, are Customer’s complete set of instructions to Ping Identity in relation to the processing of Personal Data.

3.     Responsibilities

3.1   Ping Identity’s responsibility. Ping Identity shall cooperate and provide Customer with assistance that Customer deems reasonably necessary to comply with applicable Data Protection Laws and Regulations in regards to Ping Identity’s Processing of Personal Data. Customer acknowledges that the Services are provided from certain fixed locations in the world that cannot be altered to suit each individual customers’ needs and are also engineered and designed based on principles that may not accommodate every potential Data Protection Law and Regulation. Customer acknowledges that Ping Identity is not responsible for determining the requirements of Data Protection Laws and Regulations applicable to Customer’s business.

3.2   Privacy Shield. Ping Identity represents that it has a valid certification to the EU-U.S. Privacy Shield and the Swiss-U.S. Privacy Shield (collectively, “Privacy Shield”) as of the date of this DPA, evidencing its placement and good standing on the U.S. Department of Commerce’s Privacy Shield List.  Ping Identity agrees that at any and all times during which Ping Identity Processes Personal Data outside the European Economic Area (“EEA”) or Switzerland that originates from the EEA and/or Switzerland, or concerns citizens or residents of the EEA and/or Switzerland , Ping Identity will: (i) provide at least the same level of protection for such Personal Data received pursuant to this DPA as is required by Privacy Shield; and (ii) ensure Ping Identity maintains its EEA and/or Swiss Privacy Shield self-certification(s) for so long as it retains such Personal Data pursuant to this DPA, or as otherwise set forth in Section 3.3 of this DPA.

3.3   Modifications. If Privacy Shield is deemed inadequate by a government or regulatory authority or Ping Identity fails to maintain a valid Privacy-Shield certification during the term of the Agreement, then the parties will negotiate in good faith and in a timely manner to implement appropriate standard contractual clauses between controllers and processors approved by the European Commission or implement an alternative legal mechanism of ensuring an adequate level of protection for Personal Data under applicable Data Protection Laws and Regulations.  In the event that a change in Data Protection Laws and Regulations occurs during the term of this Agreement such that the Services do not enable compliance with such change, and as a result of such change Ping Identity is unable to alter the Services without undue burden (in Ping Identity’s sole discretion), then Customer may elect to terminate the Agreement and all outstanding subscriptions to Ping Identity’s Products without penalty, and receive a refund of any prepaid, unused Fees.

3.4   Customer’s responsibility. Customer shall be responsible for ensuring that it has, and will continue to have, the right to transfer, or provide access to, Personal Data to Ping Identity for Processing. Customer’s instructions for the Processing of Personal Data by Ping Identity shall at all time comply with applicable Data Protection Laws and Regulations and Customer shall ensure that Ping Identity’s Processing of Personal Data in accordance with Customer’s instructions will not cause Ping Identity to violate any applicable Data Protection Laws and Regulations. In the event Customer becomes aware that provided instructions are in conflict with applicable Data Protection Laws and Regulations, Customer will promptly notify Ping Identity. Customer recognizes that Ping Identity does not have a means to verify (i) the residency of each Data Subject, (ii) the aspects of Personal Data that are provided to Ping Identity by Customer in connection with each request by Customer to Process such Personal Data, nor (iii) the location of third parties that Customer chooses to exchange Personal Data with as part of the intended functionality of the Service (such as in a single-sign on transaction).  Customer shall be responsible for ensuring that all such Personal Data may be Processed by Ping Identity’s Services in compliance with Data Protection Laws and Regulations, and Ping Identity will provide all reasonably necessary information to Customer to allow Customer to make such determination upon Customer’s written request.  If any authorizations or consents of Data Subjects are required for the Processing of Personal Data by Ping Identity, Customer shall be required to obtain any such consents directly from the Data Subjects.

3.5   Ping Identity’s duty of cooperation. In particular, but without limiting the generality of the foregoing, if Customer reasonably determines that applicable Data Protection Laws and Regulations require an assessment of privacy impacts of any Processing of Personal Data carried out by Ping Identity (“Data Protection Impact Assessment”), Ping Identity will reasonably cooperate with Customer’s conduct of the assessment to the extent applicable to Ping Identity’s responsibilities under this DPA and the Agreement. If Customer reasonably determines that applicable Data Protection Laws and Regulations require Customer to notify, seek guidance from, or consult with any governmental authority or representative body, concerning Ping Identity’s Processing of Personal Data, Ping Identity will reasonably cooperate with Customer in connection with such advisory request or consultation to the extent applicable to Ping Identity’s responsibilities under this DPA and the Agreement, and as allowed by Data Protection Laws and Regulations.

3.6   Data Protection Officer. Ping Identity has appointed a data protection officer. The appointed person may be reached at dpo_privacy@pingidentity.com.

4.     Storage and access to Personal Data

4.1   Data residency. With respect to Ping Identity’s hosted service, Customer may select the data center(s) in which Personal Data shall be stored. Personal Data received through the Services may be disclosed to, transferred to, and/or allowed to be accessed by or otherwise Processed by Ping Identity’s personnel or the Data Sub-processors. Personal Data may be transferred to personnel of Ping Identity located in Europe, Australia, Canada, United States, or Israel in the course of the Services. Ping Identity will notify Customer if the foregoing list of countries changes (which notice may be provided through support channels, Ping Identity’s website, Ping Identity’s status notifications that may be subscribed to at https://status.pingidentity.com, or such other reasonable means).  In the event that the foregoing list of countries to which Personal Data may be transferred is changed, the parties agree to cooperate in good faith in meeting any additional regulatory or legal requirements necessary to allow such transfers. Notwithstanding the foregoing, with the exception of Personal Data processed through the hosted service, certain Personal Data may be stored by Ping Identity or its Data Sub-processors in the U.S. for operational purposes.

4.2   Ping Identity’s access to Personal Data. Ping Identity shall ensure that access to Personal Data is restricted to only those personnel who have a need to know to enable Ping Identity to perform its obligations under the Agreement and this DPA. Ping Identity’s personnel engaged in the Processing of Personal Data shall be informed of the confidential nature of the Personal Data, have received appropriate training regarding their responsibilities, and be bound in writing by obligations of confidentiality sufficient to protect Personal Data in accordance with the terms of this DPA.

4.3   Access by authorities. To the extent permitted by Data Protection Laws and Regulations, Ping Identity will promptly, and no later than five (5) business days following receipt, notify Customer of (i) any request for access to any Personal Data from any regulatory body or government official, and (ii) any warrant, subpoena, or other request to Ping Identity regarding any Personal Data.  Ping Identity will comply with any legal hold from Customer regarding Personal Data and will provide reasonable support so that Customer can comply with third party requests as required by Data Protection Laws and Regulations if Customer cannot otherwise reasonably obtain such information. Ping Identity will reasonably cooperate with Customer if Customer or its regulators properly requests access to Personal Data for any reason in accordance with the Agreement, this DPA, or applicable Data Protection Laws and Regulations.

5.     Data Sub-processors

5.1   Ping Identity’s use of Data Sub-Processors. By executing this DPA, Customer has given its general written consent and authorization for Ping Identity to engage Data Sub-processors in connection with the Services. The current list of Data Sub-processors is set forth at https://www.pingidentity.com/sub-processors (which link may be updated by Ping Identity from time to time in accordance with Section 5.3 of this DPA).

5.2   Onward Transfer of Personal Data. Any transfer by Ping Identity of Personal Data to a Data Sub-processor will be governed by a written contract providing that the Data Sub-processor will process Personal Data in accordance with Ping Identity’s instructions as required by Data Protection Laws and Regulations. Ping Identity conducts an annual review and assessment of its Data Sub-processors to ensure such Data Sub-processors have in place proper organizational and technical safeguards to ensure the protection of Personal Data.

5.3   Appointment of new Data Sub-processors. Ping Identity may not transfer Personal Data to any other Data Sub-processor without providing prior written notice to Customer (which notice may be provided through https://www.pingidentity.com/sub-processors or such other reasonable means); provided, that Customer will have ten (10) business days to reasonably object that such change causes Customer to be in violation of Data Protection Laws and Regulations. In the event that Customer has not provided an objection to such changes within ten (10) business days, Customer will be deemed to have waived its right to object and to have consented to the use of the new or alternative Data Sub-processor. In the event that Customer reasonably objects to such change, Ping Identity shall, in its sole discretion, use commercially reasonable efforts to (1) offer an alternative to provide the Service to Customer; (2) take the corrective steps requested by Customer in its objection and proceed to use the new Data Sub-processor; or (3) cancel its plans to use the Data Sub-processor. If Ping Identity is unable or unwilling to achieve either (1) through (3) in its sole discretion and the objection has not been resolved to the mutual satisfaction of the parties within thirty (30) days after Ping Identity’s receipt of the objection, Customer may, as its sole and exclusive remedy available under this Section 5.3, terminate its applicable subscriptions from Ping Identity with respect only to those aspects of the Service which cannot be provided by Ping Identity without the use of the new Data Sub-processor.  In such event, Ping Identity shall refund Customer any unused, prepaid Fees for the applicable Service covering the remainder of the subscription term after the date of termination.

5.4   Liability. Ping Identity shall be liable for the performance of its Data Sub-processors to the same extent Ping Identity would be liable if Processing Personal Data itself.

6.     Data Subject’s rights

6.1   Requests and complaints. To the extent legally permitted, Ping Identity shall promptly notify Customer in writing if Ping Identity receives any request from a Data Subject with respect to Personal Data being Processed. Ping Identity shall not directly respond to any such request, unless authorized and directed to do so by Customer or required by applicable Data Protection Laws and Regulations. Ping Identity shall reasonably cooperate with Customer and may charge Customer a reasonable fee for such cooperation with respect to any action taken relating to such request.

7.     Security measures

7.1   Ping Identity’s obligations. Ping Identity shall provide appropriate technical and organizational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data, taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of Data Subjects. Ping Identity shall, at a minimum, maintain the security of the Service and the Customer Data in accordance with Ping Identity’s Security Exhibit, accessible via https://www.pingidentity.com/en/legal/security-exhibit.html.

7.2   Determination of security requirements. Customer acknowledges that the Service includes certain features and functionalities that Customer may elect to use that impact the security of Personal Data, such as, but not limited to, encryption of voice recordings and availability of multi-factor authentication on Customer’s Ping Identity account. Customer is responsible for reviewing the information Ping Identity makes available regarding its data security, including its audit reports, and making an independent determination as to whether Ping Identity’s Service meets Customer’s requirements and legal obligations, including its obligations under this DPA. Customer is further responsible for properly configuring Ping Identity’s products to maintain appropriate security in light of the nature of the data processed by such products.

8.     Security Incident response and notification

8.1   Discovery and investigation of a breach. Ping Identity will notify Customer without undue delay upon becoming aware of an accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data Processed by Ping Identity (a “Personal Data Incident”). Ping Identity shall make reasonable efforts to identify the cause of a Personal Data Incident and take those steps as Ping Identity deems necessary and reasonable in order to remediate the cause of such Personal Data Incident, to the extent that the remediation is within Ping Identity’s reasonable control. The obligations set forth herein shall not apply to incidents that are caused directly or indirectly by either the Customer or Users.

8.2   Notification format and contents. Ping Identity shall direct its notice by email to the address provided by Customer in Ping Identity’s customer portal. Such notice shall include, if known by Ping Identity: (i) a description of the Personal Data Incident, (ii) the categories and approximate numbers of impacted individuals, (iii) possible consequences of the Personal Data Incident, (iv) corrective actions taken or to be taken by Ping Identity, if any, (v) internal point(s) of contact that Customer may engage for managing or responding to Customer about the Personal Data Incident, and (vi) Ping Identity’s Data Protection Officer’s contact information.

9.     Retention, return and deletion of Personal Data

9.1.   Personal Data retention. Ping Identity will retain Personal Data only as long as reasonably necessary and in accordance with Ping Identity’s retention policy, and only to accomplish the intended purpose for which the Personal Data has been Processed pursuant to this DPA.

9.2   Return and deletion of Personal Data upon termination. When Personal Data is no longer necessary for the purposes set forth in this DPA or at an earlier time as Customer requests in writing,  Ping Identity will (i) provide to Customer, in the format and on the media as mutually agreed between the parties, a copy of all or, if specified by Customer, any part of the Personal Data; and/or (ii) delete all, or if specified by the Customer, any part of the Personal Data in Ping Identity’s possession, except for backups and monitoring data which will be deleted per Ping Identity’s data retention policy. Any Personal Data that is not immediately deleted will continue to be protected as set forth in this DPA. 

9.3   Customer’s copy of Personal Data. During the term of the Agreement, Ping Identity will provide Customer with the capability to obtain a copy of its Personal Data by way of an API and/or console. Upon termination or expiry of the Agreement, and upon request, Ping Identity will provide a reasonable opportunity for Customer to obtain a copy of its Personal Data and delete the same. This requirement shall not apply to the extent that Ping Identity is required by Data Protection Laws and Regulations to retain some or all of the Customer Data it has archived on back-up systems, which Ping Identity shall securely isolate and protect from any further processing except to the extent required by Data Protection Laws and Regulations.  

10.   Limitation of liability. Each party’s liability arising out of or related to this DPA, whether in contract, tort or under any other theory of liability, is subject to any limitation of liability as set forth in the Agreement and any reference to such limitation of liability of a party means the aggregate liability of the party under the Agreement and this DPA together. 

11.   Security audits

11.1   Audit reports.  Ping Identity uses external auditors to verify the adequacy of its security measures with respect to its processing of Personal Data. Such audits are conducted at least annually, are performed at Ping Identity’s expense by independent third-party audit professionals at Ping Identity’s selection, and result in a confidential audit report. A list of Ping Identity’s certifications and/or standards for audit as of the date of this DPA can be found at https://www.pingidentity.com/en/legal/security-exhibit.html. Upon Customer’s written request at reasonable intervals, and subject to reasonable confidentiality controls, Ping Identity shall make available to Customer a copy of Ping Identity’s most recent applicable audit report(s) as described in this Section 11.1. For the avoidance of doubt, nothing in this Agreement shall be construed as permitting Customer access to Ping Identity’s production or non-production systems, source code, or access to anything that may expose confidential information of other customers of Ping Identity. 

11.2   Ping Identity’s duty of cooperation. Upon Customer’s reasonable written request at any time during the term of this DPA, Ping Identity shall promptly provide Customer with information related to Ping Identity’s information security safeguards and practices, which may include  one or more of the following as Customer may request: (i) responses to a reasonable information security-related questionnaire; (ii) copies of relevant third party audits, reviews, tests, or certifications of Ping Identity’s systems or processes, including an annual SOC 2 report; (iii) a summary of Ping Identity’s operational practices related to data protection and security; and (iv) making Ping Identity personnel reasonably available for security-related discussions with Customer.

12.   Miscellaneous

12.1   Order of precedence. Except as specifically set forth in this DPA, the terms and provisions of the underlying Agreement shall remain unmodified and in full force and effect. In the event of a conflict between the terms of the Agreement and the terms of this DPA, the terms and provisions of this DPA shall prevail.

12.2   Duration of this DPA. This DPA shall remain in effect until, and automatically expire upon, deletion of all Personal Data by Ping Identity as described in this DPA.

12.3   Amendments. If an amendment to this DPA, including its exhibits, is required in order to comply with applicable Data Protection Laws and Regulations, both parties will work together in good faith to promptly execute a mutually agreeable amendment to this DPA reflecting the requirements set out by the applicable Data Protection Laws and Regulations.

12.4   Severability. If any provision of this DPA is ineffective or void, this shall not affect the remaining provisions. The parties shall replace the ineffective or void provision with a lawful provision that reflects the business purpose of the ineffective or void provision. Any such change is subject to a written agreement by both parties.