Data Privacy Addendum
Effective June 8, 2021
This Data Privacy Addendum (“DPA”) relates to the processing by Ping Identity Corporation (“Ping Identity”) of Personal Data (as defined below) provided by the company or entity that is party (“Customer”) to the applicable subscription or license agreement and ordering documentation between Customer and Ping Identity (collectively, the “Agreement”) governing Customer’s use of Ping Identity’s software and/or hosted service products. This DPA is incorporated into and forms part of, and is subject to the terms and conditions of, the Agreement. If an Affiliate of Customer has executed an Order Form with Ping Identity but is not the original signatory to the Agreement, this DPA is an addendum to and forms part of such Order Form. As used in this DPA, any capitalized terms not otherwise defined herein shall have the meanings as set forth in the Agreement.
1. Definitions
“Controller” means the entity which determines the purposes and means of the Processing of Personal Data.
“Data Protection Laws and Regulations” means any and all data protection and privacy laws throughout the world to the extent they apply to the subject matter of this Agreement, which may include: (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC; (ii) the California Consumer Privacy Act of 2018 (the “CCPA”); (iii) after the end of the Transition Period, the UK GDPR; and (iv) any other similar data protection laws in any other applicable territory, each as amended, replaced, or superseded.
“Data Sub-processor” means any Processor engaged by Ping Identity to Process Personal Data.
“Data Subject” means the individual to which the Personal Data relates.
“Personal Data” means any information relating to an identified or identifiable natural person or that is otherwise defined as “personal data” or “personal information” (or any analogous concept) under applicable Data Protection Laws and Regulations that is: (i) Processed by Ping Identity’s products that are provided as a hosted, software-as-a-service application; (ii) provided to Ping Identity by Customer in the form of a log file generated by Ping Identity products that are provided as downloadable software in connection with support activities; or (iii) obtained by Ping Identity personnel in the performance of professional services ((i) through (iii) hereunder collectively referred to as “Services”).
“Processing (or Process or Processed)” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Processor” means the entity which Processes Personal Data on behalf of the Controller.
“Standard Contractual Clauses” means the agreement executed by and between Customer and Ping Identity and attached hereto as Attachment 1 pursuant to the European Commission’s decision of 5 February 2010 on Standard Contractual Clauses for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection.
“Transition Period” means the period set out in Article 126 of the EU-UK Withdrawal Agreement during which EU law continues to apply to the UK as if it is an EU Member State.
“UK GDPR” means the GDPR as it applies in UK domestic law by virtue of section 3 of the European Union (Withdrawal) Act 2018.
2. Processing of Personal Data
2.1 Provision of Service. Ping Identity provides a Service to Customer as specified in the Agreement. In connection with this Service, the parties anticipate that Ping Identity may Process some Customer Data that contains Personal Data relating to Data Subjects on behalf of the Customer. The Agreement may include restrictions regarding the types of Personal Data that may be provided or made available by Customer to Ping Identity. Such restrictions are hereby incorporated into this DPA.
2.2 The parties’ roles. The parties agree that with regard to the Processing of Personal Data, Customer is the Controller, Ping Identity is the Processor and Ping Identity may engage Data Sub-processors pursuant to the requirements of this DPA. Customer is the owner of any and all Personal Data.
2.3 Purpose limitation. Ping Identity will only Process Personal Data for the duration of the Agreement and on behalf of and in accordance with Customer’s documented instructions as reasonably contemplated by the Agreement. Ping Identity shall not be required to comply with or observe Customer’s instructions if, in its reasonable discretion, such instructions would violate any Data Protection Laws and Regulations, and Ping Identity shall promptly notify Customer thereof. This DPA, the Agreement, and Customer’s use of the Service’s features and functionality, are Customer’s complete set of instructions to Ping Identity in relation to the processing of Personal Data.
2.4 CCPA. For purposes of the CCPA, the Parties agree to the following: (i) Ping Identity is a Service Provider (as defined in the CCPA) for purposes of the Agreement and this DPA; (ii) Ping Identity shall not retain, use, or disclose Personal Data for any purpose other than for the specific purposes of performing the Services and as set forth in the Agreement or as otherwise permitted by the CCPA; (iii) Ping Identity shall not sell (as defined in the CCPA) Personal Data provided by Customer or processed on Customer’s behalf; and (iv) Customer is responsible for verifying a consumer request with respect to Personal Data processed by Ping Identity before requesting applicable information from Ping Identity.
3. Responsibilities
3.1 Ping Identity’s responsibility. Ping Identity shall cooperate and provide Customer with assistance that Customer deems reasonably necessary to comply with applicable Data Protection Laws and Regulations with regard to Ping Identity’s Processing of Personal Data. Customer acknowledges that Ping Identity is not responsible for determining the requirements of Data Protection Laws and Regulations applicable to Customer’s business.
3.2 Application of Standard Contractual Clauses. Subject to the terms and conditions of Exhibit 1 attached hereto (“Exhibit 1”), the Standard Contractual Clauses will apply to the extent: (i) Customer is subject to the Data Protection Laws and Regulations in the European Union, European Economic Area, Switzerland, or the United Kingdom; (ii) Personal Data is transferred, either directly or via onward transfer, from the European Union, European Economic Area, Switzerland, or, prior to the end of the Transition Period, the United Kingdom to any country not recognized by the European Commission as providing an adequate level of protection for personal data (as described in the Data Protection Laws and Regulations) or once the Transition Period has ended, Personal data is transferred either directly or via onward transfer from the United Kingdom to any country not specified under the UK GDPR as providing an adequate level of protection for personal data; and (iii) an alternative legal mechanism of ensuring an adequate level of protection for Personal Data is not available with respect to such transfer(s) as set forth herein. The Standard Contractual Clauses will not apply to Personal Data that is not transferred, either directly or via onward transfer, outside the European Union, European Economic Area, Switzerland, and the United Kingdom. For the purpose of the Standard Contractual Clauses, Customer and its Affiliates shall be deemed “data exporters.”
3.3 Modifications. The parties will negotiate in good faith and in a timely manner to implement an alternative legal mechanism of ensuring an adequate level of protection for Personal Data under applicable Data Protection Laws and Regulations if the Standard Contractual Clauses are deemed inadequate or are disapplied by a court, a government, or regulatory authority during the term of the Agreement, or alternatively are replaced. Notwithstanding anything to the contrary herein, in the event that Ping Identity provides Customer with thirty (30) days’ notice (which notice may be provided through support channels, Ping Identity’s website, Ping Identity’s status notifications that may be subscribed to at https://www.pingidentity.com/data-supplement, or such other reasonable means) that Ping Identity has elected to rely on an alternative adequacy mechanism for the transfer of any Personal Data in connection with the Services, the parties shall use such alternative adequacy mechanism, provided such alternative mechanism is approved by the applicable data processing authorities or otherwise permitted by Data Protection Laws and Regulations. In the event that a change in Data Protection Laws and Regulations occurs during the term of this Agreement such that the Services do not enable compliance with such change, and as a result of such change Ping Identity is unable to alter the Services without undue burden (in Ping Identity’s reasonable discretion), then Customer may, as its exclusive remedy, elect to terminate the Agreement and all outstanding subscriptions to Ping Identity’s Products without penalty, and receive a refund of any prepaid, unused Fees.
3.4 Customer’s responsibility. Customer shall be responsible for ensuring that it has, and will continue to have, the right to transfer, or provide access to, Personal Data to Ping Identity for Processing. Customer’s instructions for the Processing of Personal Data by Ping Identity shall at all times comply with applicable Data Protection Laws and Regulations and Customer shall ensure that Ping Identity’s Processing of Personal Data in accordance with Customer’s instructions will not cause Ping Identity to violate any applicable Data Protection Laws and Regulations. In the event Customer becomes aware that provided instructions are in conflict with applicable Data Protection Laws and Regulations, Customer will promptly notify Ping Identity. Customer recognizes that Ping Identity does not have a means to verify (i) the residency of each Data Subject, (ii) the aspects of Personal Data that are provided to Ping Identity by Customer in connection with each request by Customer to Process such Personal Data, nor (iii) the location of third parties that Customer chooses to exchange Personal Data with as part of the intended functionality of the Service (such as in a single-sign on transaction). Customer shall be responsible for ensuring that all such Personal Data may be Processed by Ping Identity’s Services in compliance with Data Protection Laws and Regulations, and Ping Identity will provide all reasonably necessary information to Customer to allow Customer to make such determination upon Customer’s written request. If any authorizations or consents of Data Subjects are required for the Processing of Personal Data by Ping Identity, Customer shall be required to obtain any such consents directly from the Data Subjects.
3.5 Ping Identity’s duty of cooperation. In particular, but without limiting the generality of the foregoing, if applicable Data Protection Laws and Regulations require Customer to conduct an assessment of the privacy impacts of any Processing of Personal Data carried out by Ping Identity (“Data Protection Impact Assessment”), Ping Identity will reasonably cooperate with Customer’s conduct of the assessment to the extent applicable to Ping Identity’s responsibilities under this DPA and the Agreement. If applicable Data Protection Laws and Regulations require Customer to notify, seek guidance from, or consult with any governmental authority or representative body, concerning Ping Identity’s Processing of Personal Data, Ping Identity will reasonably cooperate with Customer in connection with such advisory request or consultation to the extent applicable to Ping Identity’s responsibilities under this DPA and the Agreement, and as allowed by Data Protection Laws and Regulations.
3.6 Data Protection Officer. Ping Identity’s data protection officer may be contacted via dpo_privacy@pingidentity.com.
4. Storage and access to Personal Data
4.1 Data residency. With respect to Ping Identity’s hosted service, Customer may select the data center(s) in which Personal Data shall be stored. Personal Data received through the Services may be disclosed to, transferred to, and/or allowed to be accessed by or otherwise Processed by Ping Identity’s personnel or the Data Sub-processors. Personal Data may be transferred to personnel of Ping Identity located in Europe, Australia, Canada, United States, Singapore, Mexico, India, or Israel in the course of the Services. Ping Identity will notify Customer if the foregoing list of countries changes (which notice may be provided through support channels, Ping Identity’s website, Ping Identity’s status notifications that may be subscribed to at https://www.pingidentity.com/data-supplement, or such other reasonable means). In the event that the foregoing list of countries to which Personal Data may be transferred is changed, the parties agree to cooperate in good faith in meeting any additional regulatory or legal requirements necessary to allow such transfers. Notwithstanding the foregoing, with the exception of Personal Data processed through the hosted service, certain Personal Data may be stored by Ping Identity or its Data Sub-processors in the U.S. for operational purposes.
4.2 Ping Identity’s access to Personal Data. Ping Identity shall ensure that access to Personal Data is restricted to only those personnel who have a need to know to enable Ping Identity to perform its obligations under the Agreement and this DPA. Ping Identity’s personnel engaged in the Processing of Personal Data shall be informed of the confidential nature of the Personal Data, have received appropriate training regarding their responsibilities, and be bound in writing by obligations of confidentiality sufficient to protect Personal Data in accordance with the terms of this DPA.
4.3 Access by authorities. To the extent legally permitted, Ping Identity will promptly, and no later than five (5) business days following receipt, notify Customer of (i) any request for access to any Personal Data from any regulatory body or government official, and (ii) any warrant, subpoena, or other request to Ping Identity regarding any Personal Data. Ping Identity will comply with any legal hold from Customer regarding Personal Data and will provide reasonable support so that Customer can comply with third party requests as required by Data Protection Laws and Regulations if Customer cannot otherwise reasonably obtain such information. Ping Identity will reasonably cooperate with Customer if Customer or its regulators properly request access to Personal Data for any reason in accordance with the Agreement, this DPA, or applicable Data Protection Laws and Regulations.
5. Data Sub-processors
5.1 Ping Identity’s use of Data Sub-Processors. By executing this DPA, Customer has given its general written consent and authorization for Ping Identity to engage Data Sub-processors in connection with the Services. The current list of Data Sub-processors is set forth at https://www.pingidentity.com/sub-processors (which link may be updated by Ping Identity from time to time in accordance with Section 5.3 of this DPA).
5.2 Onward Transfer of Personal Data. Any transfer by Ping Identity of Personal Data to a Data Sub-processor will be governed by a written contract providing that the Data Sub-processor will process Personal Data in accordance with Ping Identity’s instructions as required by Data Protection Laws and Regulations. Ping Identity conducts an annual review and assessment of its Data Sub-processors to ensure such Data Sub-processors have in place proper organizational and technical safeguards to ensure the protection of Personal Data.
5.3 Appointment of new Data Sub-processors. Ping Identity may not transfer Personal Data to any other Data Sub-processor without providing prior written notice to Customer (which notice may be provided by Customer subscribing to receive updates to https://www.pingidentity.com/sub-processors, or by such other reasonable means); provided, that Customer will have ten (10) business days to reasonably object that such change causes Customer to be in violation of Data Protection Laws and Regulations. In the event that Customer has not provided an objection to such changes within ten (10) business days, Customer will be deemed to have waived its right to object and to have consented to the use of the new or alternative Data Sub-processor. In the event that Customer reasonably objects to such change, Ping Identity shall, in its sole discretion, use commercially reasonable efforts to (1) offer an alternative to provide the Service to Customer; (2) take the corrective steps requested by Customer in its objection and proceed to use the new Data Sub-processor; or (3) cancel its plans to use the Data Sub-processor. If Ping Identity is unable or unwilling to achieve any of (1) through (3) in its sole discretion and the objection has not been resolved to the mutual satisfaction of the parties within thirty (30) days after Ping Identity’s receipt of the objection, Customer may, as its sole and exclusive remedy, terminate its applicable subscriptions from Ping Identity with respect only to those aspects of the Service which cannot be provided by Ping Identity without the use of the new Data Sub-processor. In such event, Ping Identity shall refund Customer any unused, prepaid Fees for the applicable Service covering the remainder of the subscription term after the date of termination.
5.4 Liability. Ping Identity shall be liable for the performance of its Data Sub-processors to the same extent Ping Identity would be liable if Processing Personal Data itself.
6. Data Subject’s rights
6.1 Requests and complaints. To the extent legally permitted, Ping Identity shall promptly notify Customer in writing if Ping Identity receives any request from a Data Subject with respect to Personal Data being Processed. Ping Identity shall not directly respond to any such request, unless authorized and directed to do so by Customer or required by applicable Data Protection Laws and Regulations. Ping Identity shall reasonably cooperate with Customer and may charge Customer a reasonable fee for such cooperation with respect to any action taken relating to such request.
7. Security measures
7.1 Ping Identity’s obligations. Ping Identity shall provide appropriate technical and organizational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data, taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of Data Subjects. Ping Identity shall, at a minimum, maintain the security of the Service and the Personal Data in accordance with Ping Identity’s Security Exhibit, accessible via www.pingidentity.com/security-exhibit.
7.2 Determination of security requirements. Customer acknowledges that the Service includes certain features and functionalities that Customer may elect to use that impact the security of Personal Data, such as, but not limited to, encryption of voice recordings and availability of multi-factor authentication on Customer’s Ping Identity account. Customer is responsible for reviewing the information Ping Identity makes available regarding its data security, including its audit reports, and making an independent determination as to whether Ping Identity’s Service meets Customer’s requirements and legal obligations, including its obligations under this DPA. Customer is further responsible for properly configuring Ping Identity’s products to maintain appropriate security in light of the nature of the data processed by such products.
8. Security Incident response and notification
8.1 Discovery and investigation of a breach. Ping Identity will notify Customer without undue delay upon becoming aware of an accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data Processed by Ping Identity (a “Personal Data Incident”). Ping Identity shall make reasonable efforts to identify the cause of a Personal Data Incident and take those steps as Ping Identity deems necessary and reasonable in order to remediate the cause of such Personal Data Incident, to the extent that the remediation is within Ping Identity’s reasonable control. The obligations set forth herein shall not apply to incidents that are caused directly or indirectly by either the Customer or Users.
8.2 Notification format and contents. Ping Identity shall direct its notice by email to the address provided by Customer in Ping Identity’s customer portal. Such notice shall include, if known by Ping Identity: (i) a description of the Personal Data Incident, (ii) the categories and approximate numbers of impacted individuals, (iii) possible consequences of the Personal Data Incident, (iv) corrective actions taken or to be taken by Ping Identity, if any, (v) internal point(s) of contact that Customer may engage for managing or responding to Customer about the Personal Data Incident, and (vi) Ping Identity’s Data Protection Officer’s contact information.
9. Retention, return and deletion of Personal Data
9.1 Return and deletion of Personal Data upon termination. When Personal Data is no longer necessary for the purposes set forth in this DPA or at an earlier time as Customer requests in writing, Ping Identity will (i) provide to Customer, in the format and on the media as mutually agreed between the parties, a copy of all or, if specified by Customer, any part of the Personal Data; and/or (ii) delete all, or if specified by the Customer, any part of the Personal Data in Ping Identity’s possession, except for backups and monitoring data which will be deleted per Ping Identity’s data retention policy. Any Personal Data that is not immediately deleted will continue to be protected as set forth in this DPA.
9.2 Customer’s copy of Personal Data. During the term of the Agreement, Ping Identity will provide Customer with the capability to obtain a copy of its Personal Data by way of an API and/or console. Upon termination or expiry of the Agreement, and upon request, Ping Identity will provide a reasonable opportunity for Customer to obtain a copy of its Personal Data and delete the same. This requirement shall not apply to the extent that Ping Identity is required by Data Protection Laws and Regulations to retain some or all of the Personal Data it has archived on back-up systems, which Ping Identity shall securely isolate and protect from any further processing except to the extent required by Data Protection Laws and Regulations.
10. Limitation of liability. Each party’s liability arising out of or related to this DPA, including its exhibits and attachments, whether in contract, tort or under any other theory of liability, is subject to any limitation of liability as set forth in the Agreement and any reference to such limitation of liability of a party means the aggregate liability of the party under the Agreement and this DPA, including its exhibits and attachments, together.
11. Security audits
11.1 Audit reports. Ping Identity uses external auditors to verify the adequacy of its security measures with respect to its processing of Personal Data. Such audits are conducted at least annually, are performed at Ping Identity’s expense by independent third-party audit professionals at Ping Identity’s selection, and result in a confidential audit report. A list of Ping Identity’s certifications and/or standards for audit as of the date of this DPA can be found at https://www.pingidentity.com/security-exhibit. Upon Customer’s written request at reasonable intervals, and subject to reasonable confidentiality controls, Ping Identity shall make available to Customer a copy of Ping Identity’s most recent applicable audit report(s) as described in this Section 11.1. For the avoidance of doubt, nothing in this Agreement shall be construed as permitting Customer access to Ping Identity’s production or non-production systems, source code, or access to anything that may expose confidential information of other customers of Ping Identity.
11.2 Ping Identity’s duty of cooperation. Upon Customer’s reasonable written request at any time during the term of this DPA, Ping Identity shall promptly provide Customer with information related to Ping Identity’s information security safeguards and practices, which may include one or more of the following as Customer may request: (i) responses to a reasonable information security-related questionnaire; (ii) copies of relevant third party audits, reviews, tests, or certifications of Ping Identity’s systems or processes, including an annual SOC 2 report; (iii) a summary of Ping Identity’s operational practices related to data protection and security; and (iv) making Ping Identity personnel reasonably available for security-related discussions with Customer.
12. Miscellaneous
12.1 Order of precedence. Except as specifically set forth in this DPA, the terms and provisions of the underlying Agreement shall remain unmodified and in full force and effect. In the event of a conflict between the terms and conditions of the Standard Contractual Clauses, Exhibit 1, the Agreement, and this DPA, the conflict shall be resolved in the following order of precedence: (i) Standard Contractual Clauses, (ii) Exhibit 1, (iii) this DPA, and (iv) the Agreement.
12.2 Duration of this DPA. This DPA shall remain in effect until, and automatically expire upon, deletion of all Personal Data by Ping Identity as described in this DPA.
12.3 Amendments. If an amendment to this DPA is required in order to comply with applicable Data Protection Laws and Regulations, both parties will work together in good faith to promptly execute a mutually agreeable amendment to this DPA reflecting the requirements set out by the applicable Data Protection Laws and Regulations.
Exhibit 1
SCC ADDENDUM
(EU Standard Contractual Clauses)
1. Processing Generally.
a. Objective and Duration. The objective of Processing of Personal Data by Ping Identity is the performance of the Services pursuant to the Agreement.
b. Instructions. Customer’s complete and final documented instructions for the Processing of Personal Data are as set forth in Section 2.3 of the DPA. Any additional or alternate instructions must be agreed upon in a writing executed by authorized representatives of each party. For the purposes of Clause 5(a) of the Standard Contractual Clauses, the following is deemed an instruction by the Customer to Process Personal Data: (i) Processing in accordance with this Addendum and the Agreement; and (ii) Customer’s use of the Service’s features and functionality.
c. Certification of Deletion. The parties agree that the certification of deletion of Personal Data that is described in Clause 12(1) of the Standard Contractual Clauses shall be provided by Ping Identity only upon Customer’s request. Additionally, backups and monitoring data will be deleted per Ping Identity’s data retention policy.
d. Termination. The parties agree that in the event Customer terminates the Agreement and/or this Addendum as described in Clause 5(a) and Clause 5(b) of the Standard Contractual Clauses, Customer shall remain liable for all fees set forth on any outstanding Order Form(s), regardless of whether such fees have been invoiced or are yet payable at the time of such termination.
2. Data Sub-Processors. The parties agree that Customer’s consent to the Data Sub-processors described in Clause 5(h) and Clause 11 of the Standard Contractual Clauses shall be carried out in accordance with Section 5 of the DPA. The parties agree that the copies of the Data Sub-processor agreements that must be provided by Ping Identity to Customer pursuant to Clause 5(j) of the Standard Contractual Clauses may have all commercial information, or clauses unrelated to the Standard Contractual Clauses or their equivalent, removed by Ping Identity beforehand; and, that such copies will be provided by Ping Identity, in a manner to be determined in its discretion, only upon written request by Customer.
3. Security Incident Response and Notification. The parties agree that the notification described in Clause 5(d)(ii) of the Standard Contractual Clauses shall be carried out in accordance with Section 8 of the DPA.
4. Security Audits. The parties agree that the audits described in Clause 5(f) and Clause 12(2) of the Standard Contractual Clauses shall be carried out in accordance with Section 11 of the DPA.
5. Conflict. Except as specifically set forth in this Addendum, the terms and provisions of the underlying Agreement shall remain unmodified and in full force and effect. In the event of a conflict between the terms and conditions of the Standard Contractual Clauses, the Agreement, this Addendum, and any other previously executed data protection or data privacy agreement (“DPA”), the conflict shall be resolved in the following order of precedence: (i) Standard Contractual Clauses, (ii) this Exhibit 1, (iii) the DPA, and (iv) the Agreement.
Attachment 1
Standard Contractual Clauses (processors)
For the purposes of Article 26(2) of Directive 95/46/EC for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection.
Name of the data exporting organisation:...........................................................................................
Address:....................................................................................................................................
Tel.:................................................ ; Fax:.................................. ; E-mail:...................................
Other information needed to identify the organisation:
……………………………………………………………
(the data exporter)
and
Name of the data importing organisation: Ping Identity Corporation
Address: 1001 17th Street, Suite 100, Denver, CO 80202, USA
Tel.: +1 303-468-2900; fax: +1 303-468-2909; e-mail: privacy@pingidentity.com
Other information needed to identify the organisation: Not applicable
(the data importer)
each a “party”; together “the parties”,
HAVE AGREED on the following Contractual Clauses (the Clauses) in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the data exporter to the data importer of the personal data specified in Appendix 1.
Clause 1
Definitions
For the purposes of the Clauses:
(a) ‘personal data’, ‘special categories of data’, ‘process/processing’, ‘controller’, ‘processor’, ‘data subject’ and ‘supervisory authority’ shall have the same meaning as in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data;
(b) ‘the data exporter’ means the controller who transfers the personal data;
(c) ‘the data importer’ means the processor who agrees to receive from the data exporter personal data intended for processing on his behalf after the transfer in accordance with his instructions and the terms of the Clauses and who is not subject to a third country’s system ensuring adequate protection within the meaning of Article 25(1) of Directive 95/46/EC;
(d) ‘the subprocessor’ means any processor engaged by the data importer or by any other subprocessor of the data importer who agrees to receive from the data importer or from any other subprocessor of the data importer personal data exclusively intended for processing activities to be carried out on behalf of the data exporter after the transfer in accordance with his instructions, the terms of the Clauses and the terms of the written subcontract;
(e) ‘the applicable data protection law’ means the legislation protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of personal data applicable to a data controller in the Member State in which the data exporter is established;
(f) ‘technical and organisational security measures’ means those measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.
Clause 2
Details of the transfer
The details of the transfer and in particular the special categories of personal data where applicable are specified in Appendix 1 which forms an integral part of the Clauses.
Clause 3
Third-party beneficiary clause
1. The data subject can enforce against the data exporter this Clause, Clause 4(b) to (i), Clause 5(a) to (e), and (g) to (j), Clause 6(1) and (2), Clause 7, Clause 8(2), and Clauses 9 to 12 as third-party beneficiary.
2. The data subject can enforce against the data importer this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where the data exporter has factually disappeared or has ceased to exist in law unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity.
3. The data subject can enforce against the sub-processor this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity. Such third-party liability of the sub-processor shall be limited to its own processing operations under the Clauses.
4. The parties do not object to a data subject being represented by an association or other body if the data subject so expressly wishes and if permitted by national law.
Clause 4
Obligations of the data exporter
The data exporter agrees and warrants:
(a) that the processing, including the transfer itself, of the personal data has been and will continue to be carried out in accordance with the relevant provisions of the applicable data protection law (and, where applicable, has been notified to the relevant authorities of the Member State where the data exporter is established) and does not violate the relevant provisions of that State;
(b) that it has instructed and throughout the duration of the personal data processing services will instruct the data importer to process the personal data transferred only on the data exporter’s behalf and in accordance with the applicable data protection law and the Clauses;
(c) that the data importer will provide sufficient guarantees in respect of the technical and organisational security measures specified in Appendix 2 to this contract;
(d) that after assessment of the requirements of the applicable data protection law, the security measures are appropriate to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected having regard to the state of the art and the cost of their implementation;
(e) that it will ensure compliance with the security measures;
(f) that, if the transfer involves special categories of data, the data subject has been informed or will be informed before, or as soon as possible after, the transfer that its data could be transmitted to a third country not providing adequate protection within the meaning of Directive 95/46/EC;
(g) to forward any notification received from the data importer or any subprocessor pursuant to Clause 5(b) and Clause 8(3) to the data protection supervisory authority if the data exporter decides to continue the transfer or to lift the suspension;
(h) to make available to the data subjects upon request a copy of the Clauses, with the exception of Appendix 2, and a summary description of the security measures, as well as a copy of any contract for subprocessing services which has to be made in accordance with the Clauses, unless the Clauses or the contract contain commercial information, in which case it may remove such commercial information;
(i) that, in the event of subprocessing, the processing activity is carried out in accordance with Clause 11 by a subprocessor providing at least the same level of protection for the personal data and the rights of data subject as the data importer under the Clauses; and
(j) that it will ensure compliance with Clause 4(a) to (i).
Clause 5
Obligations of the data importer
The data importer agrees and warrants:
(a) to process the personal data only on behalf of the data exporter and in compliance with its instructions and the Clauses; if it cannot provide such compliance for whatever reasons, it agrees to inform promptly the data exporter of its inability to comply, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
(b) that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the Clauses, it will promptly notify the change to the data exporter as soon as it is aware, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
(c) that it has implemented the technical and organisational security measures specified in Appendix 2 before processing the personal data transferred;
(d) that it will promptly notify the data exporter about:
(i) any legally binding request for disclosure of the personal data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation,
(ii) any accidental or unauthorised access, and
(iii) any request received directly from the data subjects without responding to that request, unless it has been otherwise authorised to do so;
(e) to deal promptly and properly with all inquiries from the data exporter relating to its processing of the personal data subject to the transfer and to abide by the advice of the supervisory authority with regard to the processing of the data transferred;
(f) at the request of the data exporter to submit its data processing facilities for audit of the processing activities covered by the Clauses which shall be carried out by the data exporter or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality, selected by the data exporter, where applicable, in agreement with the supervisory authority;
(g) to make available to the data subject upon request a copy of the Clauses, or any existing contract for subprocessing, unless the Clauses or contract contain commercial information, in which case it may remove such commercial information, with the exception of Appendix 2 which shall be replaced by a summary description of the security measures in those cases where the data subject is unable to obtain a copy from the data exporter;
(h) that, in the event of subprocessing, it has previously informed the data exporter and obtained its prior written consent;
(i) that the processing services by the subprocessor will be carried out in accordance with Clause 11;
(j) to send promptly a copy of any subprocessor agreement it concludes under the Clauses to the data exporter.
Clause 6
Liability
1. The parties agree that any data subject, who has suffered damage as a result of any breach of the obligations referred to in Clause 3 or in Clause 11 by any party or subprocessor is entitled to receive compensation from the data exporter for the damage suffered.
2. If a data subject is not able to bring a claim for compensation in accordance with paragraph 1 against the data exporter, arising out of a breach by the data importer or his subprocessor of any of their obligations referred to in Clause 3 or in Clause 11, because the data exporter has factually disappeared or ceased to exist in law or has become insolvent, the data importer agrees that the data subject may issue a claim against the data importer as if it were the data exporter, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, in which case the data subject can enforce its rights against such entity.
The data importer may not rely on a breach by a subprocessor of its obligations in order to avoid its own liabilities.
3. If a data subject is not able to bring a claim against the data exporter or the data importer referred to in paragraphs 1 and 2, arising out of a breach by the subprocessor of any of their obligations referred to in Clause 3 or in Clause 11 because both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, the subprocessor agrees that the data subject may issue a claim against the data subprocessor with regard to its own processing operations under the Clauses as if it were the data exporter or the data importer, unless any successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law, in which case the data subject can enforce its rights against such entity. The liability of the subprocessor shall be limited to its own processing operations under the Clauses.
Clause 7
Mediation and jurisdiction
1. The data importer agrees that if the data subject invokes against it third-party beneficiary rights and/or claims compensation for damages under the Clauses, the data importer will accept the decision of the data subject:
(a) to refer the dispute to mediation, by an independent person or, where applicable, by the supervisory authority;
(b) to refer the dispute to the courts in the Member State in which the data exporter is established.
2. The parties agree that the choice made by the data subject will not prejudice its substantive or procedural rights to seek remedies in accordance with other provisions of national or international law.
Clause 8
Cooperation with supervisory authorities
1. The data exporter agrees to deposit a copy of this contract with the supervisory authority if it so requests or if such deposit is required under the applicable data protection law.
2. The parties agree that the supervisory authority has the right to conduct an audit of the data importer, and of any subprocessor, which has the same scope and is subject to the same conditions as would apply to an audit of the data exporter under the applicable data protection law.
3. The data importer shall promptly inform the data exporter about the existence of legislation applicable to it or any subprocessor preventing the conduct of an audit of the data importer, or any subprocessor, pursuant to paragraph 2. In such a case the data exporter shall be entitled to take the measures foreseen in Clause 5 (b).
Clause 9
Governing Law
The Clauses shall be governed by the law of the Member State in which the data exporter is established.
Clause 10
Variation of the contract
The parties undertake not to vary or modify the Clauses. This does not preclude the parties from adding clauses on business related issues where required as long as they do not contradict the Clause.
Clause 11
Subprocessing
1. The data importer shall not subcontract any of its processing operations performed on behalf of the data exporter under the Clauses without the prior written consent of the data exporter. Where the data importer subcontracts its obligations under the Clauses, with the consent of the data exporter, it shall do so only by way of a written agreement with the subprocessor which imposes the same obligations on the subprocessor as are imposed on the data importer under the Clauses. Where the subprocessor fails to fulfil its data protection obligations under such written agreement the data importer shall remain fully liable to the data exporter for the performance of the subprocessor’s obligations under such agreement.
2. The prior written contract between the data importer and the subprocessor shall also provide for a third-party beneficiary clause as laid down in Clause 3 for cases where the data subject is not able to bring the claim for compensation referred to in paragraph 1 of Clause 6 against the data exporter or the data importer because they have factually disappeared or have ceased to exist in law or have become insolvent and no successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law. Such third-party liability of the subprocessor shall be limited to its own processing operations under the Clauses.
3. The provisions relating to data protection aspects for subprocessing of the contract referred to in paragraph 1 shall be governed by the law of the Member State in which the data exporter is established.
4. The data exporter shall keep a list of subprocessing agreements concluded under the Clauses and notified by the data importer pursuant to Clause 5 (j), which shall be updated at least once a year. The list shall be available to the data exporter’s data protection supervisory authority.
Clause 12
Obligation after the termination of personal data processing services
1. The parties agree that on the termination of the provision of data processing services, the data importer and the subprocessor shall, at the choice of the data exporter, return all the personal data transferred and the copies thereof to the data exporter or shall destroy all the personal data and certify to the data exporter that it has done so, unless legislation imposed upon the data importer prevents it from returning or destroying all or part of the personal data transferred. In that case, the data importer warrants that it will guarantee the confidentiality of the personal data transferred and will not actively process the personal data transferred anymore.
2. The data importer and the subprocessor warrant that upon request of the data exporter and/or of the supervisory authority, it will submit its data processing facilities for an audit of the measures referred to in paragraph 1.
On behalf of the data exporter:
Company name:
Printed Name of Signatory (written out in full):
Position:
Address:
Other information necessary in order for the contract to be binding (if any):
Signature……………………………………….
On behalf of the data importer, Ping Identity Corporation:
Name (written out in full):
Position:
Address: 1001 17th Street, Suite 100, Denver, CO 80202
Other information necessary in order for the contract to be binding (if any):
Signature……………………………………….
Appendix 1 to the Standard Contractual Clauses
This Appendix forms part of the Clauses and must be completed and signed by the parties.
The Member States may complete or specify, according to their national procedures, any additional necessary information to be contained in this Appendix.
Data exporter
The data exporter is (please specify briefly your activities relevant to the transfer): Data Exporter is (i) the legal entity that has executed the Standard Contractual Clauses as a data exporter and (ii) all Affiliates (as defined in the Agreement) of Customer established within the European Economic Area (EEA) and Switzerland that have purchased Services on the basis of one or more Order Form(s).
Data importer
The data importer is (please specify briefly activities relevant to the transfer): Ping Identity is a provider of enterprise identity access management solutions which processes personal data upon the instruction of the data exporter in accordance with the terms of the Agreement and Addendum.
Data subjects
The personal data transferred concern the following categories of data subjects (please specify): Data exporter may submit Personal Data to the Services, the extent of which is determined and controlled by the data exporter in its sole discretion, and which may include, but is not limited to, Personal Data relating to the following categories of data subjects:
Categories of data
The personal data transferred concern the following categories of data (please specify): Data exporter may submit Personal Data to the Services consistent with the Agreement, the extent of which is determined and controlled by the Data Exporter, and which may include, but is not limited to the following categories of Personal Data:
Special categories of data (if appropriate)
The personal data transferred concern the following special categories of data (please specify): Not applicable
Processing operations
The Personal Data transferred will be subject to the following basic processing activities (please specify): The objective of Processing of Personal Data by data importer is the performance of the Services pursuant to the Agreement.
[Remainder of page intentionally left blank]
DATA EXPORTER
Name of Company:………………………………
Printed Name of Signatory:……………………
Authorised Signature ……………………
DATA IMPORTER, PING IDENTITY CORPORATION
Name: ……………………
Authorised Signature ……………………
Appendix 2 to the Standard Contractual Clauses
This Appendix forms part of the Clauses and must be completed and signed by the parties.
Description of the technical and organisational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) (or document/legislation attached):
Data Importer shall provide appropriate technical and organizational measures designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data, taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of Data Subjects. Ping Identity shall, at a minimum, maintain the security of the Service and the Personal Data in accordance with the security exhibit, as updated from time to time, available at https://www.pingidentity.com/security-exhibit.
DATA EXPORTER
Name of Company:………………………………
Printed Name of Signatory:……………………
Authorised Signature ……………………
DATA IMPORTER, PING IDENTITY CORPORATION
Name: ……………………
Authorised Signature ……………………