Superseded October 12, 2018
This Data Privacy Addendum ("Addendum") relates to the processing by Ping Identity Corporation ("Ping Identity") of Personal Data (as defined below) provided by the company or entity that is party ("Customer") to the applicable subscription or license agreement(s) and ordering documentation between Customer and Ping Identity (collectively, the "Agreement") governing Customer’s use of Ping Identity’s software and/or hosted service products. This Addendum is incorporated into and forms part of, and is subject to the terms and conditions of, the Agreement. If an Affiliate of Customer has executed an Order Form with Ping Identity but is not the original signatory to the Agreement, this Addendum is an addendum to and forms part of such Order Form. As used in this Addendum, any capitalized terms not otherwise defined herein shall have the meanings as set forth in the Agreement.
This Addendum consists of two parts: the main body of this Addendum and Exhibit A. Except as expressly stated otherwise, in the event of any conflict between the terms of the Agreement, including any policies or schedules referenced therein, and the terms of this Addendum, the relevant terms of this Addendum shall take precedence.
1. Definitions
"Data Controller" means the entity which determines the purposes and means of the Processing of Personal Data.
"Data Processor" means the entity which Processes Personal Data on behalf of the Data Controller.
"Data Protection Laws and Regulations" means, each only to the extent applicable: (i) prior to May 25, 2018, Directive 95/46/EC of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data; (ii) on and after May 25, 2018, Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC; and (iii) any other similar data protection laws in any other applicable territory, each as amended, replaced, or superseded.
"Data Sub-processor" means any Data Processor engaged by Ping Identity.
"Data Subject" means the individual to which the Personal Data relates.
"Personal Data" means any information relating to an identified or identifiable natural person as defined under applicable Data Protection Laws and Regulations that is: (i) Processed by Ping Identity’s products that are provided as a hosted, software-as-a-service application; (ii) provided to Ping Identity by Customer in the form of a log file generated by Ping Identity products that are provided as downloadable software in connection with support activities; or (iii) obtained by Ping Identity personnel in the performance of professional services ((i) through (iii) hereunder collectively referred to as "Services").
"Processing" means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
2. Processing of Personal Data
2.1 Provision of Service. Ping Identity provides a Service to Customer as specified in the Agreement. In connection with this Service, the parties anticipate that Customer may transfer to Ping Identity some Customer Data that contains Personal Data relating to Data Subjects. Exhibit A specifies the types of Personal Data that may be transferred to Ping Identity by the Customer. Customer represents and warrants that it will not transmit or expose to Ping Identity any Personal Data not specifically listed in Exhibit A.
2.2 The parties’ roles. The parties agree that with regard to the Processing of Personal Data which is provided to Ping Identity in accordance with this Addendum, Customer is the Controller, Ping Identity is the Processor and Ping Identity will engage Data Sub-processors pursuant to the requirements of this Addendum. Customer is the owner of any and all Personal Data.
2.3 Purpose limitation. Ping Identity will treat Personal Data as Confidential Information (or such similar term as is set forth in the Agreement) and impose confidentiality obligations on all personnel who Process Personal Data in accordance with this Addendum. Ping Identity will only Process Personal Data for the duration of the Agreement and on behalf of and in accordance with Customer’s documented instructions as reasonably contemplated by the Agreement. Ping Identity shall not be required to comply with or observe Customer’s instructions if, in its reasonable discretion, such instructions would violate any Data Protection Laws and Regulations, and Ping Identity shall promptly notify Customer thereof. The Agreement constitutes Customer’s complete instructions to Ping Identity for the Processing of Personal Data.
3.1 Ping Identity’s responsibility. Ping Identity shall cooperate and provide Customer with assistance that Customer deems reasonably necessary to comply with applicable Data Protection Laws and Regulations with regard to Ping Identity’s responsibilities under this Addendum and the Agreement. Customer acknowledges that Ping Identity’s Services are provided from certain fixed locations in the world that cannot be altered to suit each individual customer’s needs and are also engineered and designed based on principles that may not accommodate every potential Data Protection Law and Regulation. However, Ping Identity will cooperate and provide Customer with any assistance that Customer deems reasonably necessary to assess compliance with applicable Data Protection Laws and Regulations with regard to Ping Identity’s responsibilities under the Agreement and the Addendum.
3.2 Privacy Shield. Ping Identity represents that it has a valid certification to the EU-U.S. Privacy Shield and the Swiss-U.S. Privacy Shield (collectively, "Privacy Shield") as of the date of this Addendum, evidencing its placement and good standing on the U.S. Department of Commerce’s Privacy Shield List. Ping Identity agrees that at any and all times during which Ping Identity Processes Personal Data outside the European Economic Area ("EEA") or Switzerland that originates from the EEA and/or Switzerland, or concerns citizens or residents of the EEA and/or Switzerland (collectively, "EU Personal Data"), Ping Identity will: (i) provide at least the same level of protection for EU Personal Data received pursuant to this Addendum as is required by Privacy Shield; and (ii) ensure Ping Identity maintains its EEA and/or Swiss Privacy Shield self-certification(s) for so long as it retains EU Personal Data pursuant to this Addendum, or as otherwise set forth in Section 3.3 of this Addendum.
3.3 Modifications. If Privacy Shield is deemed inadequate by a government or regulatory authority or Ping Identity fails to maintain a valid Privacy Shield certification during the term of the Agreement, then the parties will negotiate in good faith and in a timely manner to implement appropriate European Commission Standard Contractual Clauses between controllers and processors or implement an alternative legal mechanism of ensuring an adequate level of protection for Personal Data under applicable Data Protection Laws and Regulations. In the event that a change in Data Protection Laws and Regulations occurs during the term of this Agreement such that the Services do not enable compliance with such change, and as a result of such change Ping Identity is unable to alter the Services without undue burden (in Ping Identity’s sole discretion), then Customer may elect to terminate the Agreement and all outstanding subscriptions to Ping Identity’s products without penalty, and receive a refund of any prepaid, unused fees under the Agreement.
3.4 Customer’s responsibility. Customer shall be responsible for ensuring that it has, and will continue to have, the right to transfer, or provide access to, Personal Data to Ping Identity for Processing in accordance with the terms of the Agreement and this Addendum. Customer’s instructions for the Processing of Personal Data by Ping Identity shall at all times comply with applicable Data Protection Laws and Regulations and Customer shall ensure that Ping Identity’s Processing of Personal Data in accordance with Customer’s instructions will not cause Ping Identity to violate any applicable Data Protection Laws and Regulations. In the event Customer becomes aware that provided instructions are in conflict with applicable Data Protection Laws and Regulations, Customer will promptly notify Ping Identity. Customer shall have sole responsibility for the accuracy, quality, and legality of the Personal Data and the means by which Customer has acquired Personal Data. Customer recognizes that Ping Identity does not have a means to verify (i) the residency of each Data Subject, (ii) the aspects of Personal Data that are provided to Ping Identity by Customer in connection with each request by Customer to Process such Personal Data, nor (iii) the location of third parties with which Customer chooses to exchange Personal Data as part of the intended functionality of the Service (such as in a single sign-on transaction). Customer shall be responsible for ensuring that all such Personal Data may be Processed by Ping Identity’s Services in compliance with Data Protection Laws and Regulations, and Ping Identity will provide all reasonably necessary information to Customer to allow Customer to make such determination upon Customer’s written request. If any consents of Data Subjects are required for the Processing of Personal Data by Ping Identity, Customer shall be required to obtain any such consents directly from the Data Subjects.
3.5 Ping Identity’s duty of cooperation. In particular, but without limiting the generality of the foregoing, if Customer reasonably determines that applicable Data Protection Laws and Regulations require an assessment of privacy impacts of any Processing of Personal Data carried out by Ping Identity ("Data Protection Impact Assessment"), Ping Identity will reasonably cooperate with Customer’s conduct of the assessment to the extent applicable to Ping Identity’s responsibilities under this Addendum and the Agreement. If Customer reasonably determines that applicable Data Protection Laws and Regulations require Customer to notify, seek guidance from, or consult with any governmental authority or representative body, concerning Ping Identity’s Processing of Personal Data, Ping Identity will reasonably cooperate with Customer in connection with such advisory request or consultation to the extent applicable to Ping Identity’s responsibilities under this Addendum and the Agreement, and as allowed by Data Protection Laws and Regulations. If Ping Identity reasonably determines that any instruction from Customer is in violation of, or would result in Processing of Personal Data being in violation of applicable Data Protection Laws and Regulations, then Ping Identity shall notify Customer thereof.
3.6 Data Protection Officer. Ping Identity has appointed a data protection officer. The appointed person may be reached at firstname.lastname@example.org.
4. Storage and access to Personal Data
4.1 Data residency. With respect to Ping Identity’s hosted service, Customer may select the data center(s) in which Personal Data shall be stored. Personal Data received through the Services may be disclosed to, transferred to, and/or allowed to be accessed by or otherwise processed by Ping Identity’s personnel or the Data Sub-processors. Personal Data may be transferred to personnel of Ping Identity located in Europe, Australia, Canada, United States, or Israel in the course of the Services. Ping Identity will notify Customer if the foregoing list of countries changes (which notice may be provided through support channels, Ping Identity’s website, Ping Identity’s status notifications that may be subscribed to at https://status.pingidentity.com, or such other reasonable means). In the event that the foregoing list of countries to which Personal Data may be transferred is changed, the parties agree to cooperate in good faith in meeting any additional regulatory or legal requirements necessary to allow such transfers. Notwithstanding the foregoing, with the exception of Personal Data processed through the hosted service, certain Personal Data may be stored by Ping Identity or its Data Sub-processors in the U.S. for operational purposes.
4.2 Ping Identity’s access to Personal Data. Ping Identity shall ensure that access to Personal Data is restricted to only those personnel who have a need to know to enable Ping Identity to perform its obligations under the Agreement and this Addendum. Ping Identity’s personnel engaged in the Processing of Personal Data shall be informed of the confidential nature of the Personal Data, have received appropriate training regarding their responsibilities, and be bound in writing by obligations of confidentiality sufficient to protect Personal Data in accordance with the terms of this Addendum.
4.3 Access by authorities. To the extent permitted by Data Protection Laws and Regulations, Ping Identity will promptly, and no later than five (5) business days following receipt, notify Customer of (i) any request for access to any Personal Data from any regulatory body or government official, and (ii) any warrant, subpoena, or other request to Ping Identity regarding any Personal Data. Ping Identity will comply with any legal hold from Customer regarding Personal Data and will provide reasonable support so that Customer can comply with third party requests as required by Data Protection Laws and Regulations if Customer cannot otherwise reasonably obtain such information. Ping Identity will reasonably cooperate with Customer if Customer or its regulators properly requests access to Personal Data for any reason in accordance with the Agreement, this Addendum, or applicable Data Protection Laws and Regulations.
5. Data Sub-processors
5.1 Ping Identity’s use of Data Sub-processors. By executing this Addendum, Customer has given its written authorization for Ping Identity to engage the Data Sub-processors set forth at https://www.pingidentity.com/sub-processors (which link may be updated by Ping Identity from time to time) to provide various services related to the Service.
5.2 Onward Transfer of Personal Data. Any transfer by Ping Identity of Personal Data to a Data Sub-processor will be governed by a written contract providing that the Data Sub-processor will process Personal Data in accordance with Ping Identity’s instructions as required by Data Protection Laws and Regulations. Ping Identity conducts an annual review and assessment of its Data Sub-processors to ensure such Data Sub-processors have in place proper organizational and technical safeguards to ensure the protection of Personal Data.
5.3 Appointment of new Data Sub-processors. Ping Identity may not transfer Personal Data to any other Data Sub-processor without providing prior written notice to Customer (which notice may be provided through https://www.pingidentity.com/sub-processors or such other reasonable means); provided, that Customer will have ten (10) business days to reasonably object that such change causes Customer to be in violation of Data Protection Laws and Regulations. In the event that Customer has not provided an objection to such changes within ten (10) business days, Customer will be deemed to have waived its right to object and to have consented to the use of the new Data Sub-processor. In the event that Customer reasonably objects to such change, Ping Identity shall, in its sole discretion, use commercially reasonable efforts to (1) offer an alternative to provide the Service to Customer; (2) take the corrective steps requested by Customer in its objection and proceed to use the new Data Sub-processor; or (3) cancel its plans to use the Data Sub-processor. If Ping Identity is unable or unwilling to achieve any of (1) through (3) in its sole discretion and the objection has not been resolved to the mutual satisfaction of the parties within 30 days after Ping Identity’s receipt of the objection, Customer may, as its sole and exclusive remedy available under this Section 5.3, terminate its applicable subscriptions from Ping Identity with respect only to those aspects of the Service which cannot be provided by Ping Identity without the use of the new Data Sub-processor. In such event, Ping Identity shall refund Customer any unused, prepaid fees for the applicable Service covering the remainder of the subscription term after the date of termination.
5.4 Liability. Ping Identity shall be liable for the acts and omissions of its Data Sub-processors to the same extent Ping Identity would be liable if performing the services of each Data Sub-processor directly.
6. Data Subject’s rights
6.1 Requests and complaints. To the extent legally permitted, Ping Identity shall promptly notify Customer in writing if Ping Identity receives: (i) any request from a Data Subject with respect to Personal Data being Processed including, but not limited to, opt-out requests, requests for access and/or rectification, erasure, restriction, requests for data portability, and all similar requests; or (ii) any complaint, notice, or other communication from Data Subject relating to Ping Identity’s privacy practices or either party’s compliance with applicable Data Protection Laws and Regulations in relation to how Personal Data is collected, accessed, used, stored, processed, disposed of and disclosed. Ping Identity shall not directly respond to any such request, complaint, notice or other communication unless authorized and directed to do so by Customer or required by applicable Data Protection Laws and Regulations. Ping Identity shall reasonably cooperate with Customer and may charge Customer a reasonable fee for such cooperation with respect to any action taken relating to such request or complaint.
7. Security measures
7.1 Ping Identity’s obligations. Ping Identity shall provide reasonable and appropriate technical and organizational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, disclosure, or unauthorized access, taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of Data Subjects. Security measures applied by Ping Identity are further detailed in the security policy applicable to the Service, as updated from time to time, and accessible via https://www.pingidentity.com/en/legal/security-exhibit.html, or otherwise made reasonably available by Ping Identity.
7.2 Determination of security requirements. Customer acknowledges that the Service includes certain features and functionalities that Customer may elect to use that impact the security of Personal Data, such as, but not limited to, encryption of voice recordings and availability of multi-factor authentication on Customer’s Ping Identity account. Customer is responsible for reviewing the information Ping Identity makes available regarding its data security, including its audit reports, and making an independent determination as to whether Ping Identity’s Service meets Customer’s requirements and legal obligations, including its obligations under this Addendum. Customer is further responsible for properly configuring Ping Identity’s products to maintain appropriate security in light of the nature of the data processed by such products.
8. Security Incident response and notification
8.1 Discovery and investigation of a breach. Ping Identity will notify Customer without undue delay upon becoming aware of an actual or suspected unauthorized, unlawful, or accidental access, disclosure, transfer, destruction, loss, alteration, or unavailability of Personal Data Processed by Ping Identity or its Data Sub-processors ("Security Incident"). Ping Identity shall make reasonable efforts to identify the cause of a Security Incident and take those steps as Ping Identity deems necessary and reasonable in order to remediate the cause of such Security Incident, to the extent that the remediation is within Ping Identity’s reasonable control. The obligations set forth herein shall not apply to incidents that are caused directly or indirectly by either the Customer or Customer’s end users.
8.2 Notification format and contents. Ping Identity shall direct its notice by email to the address provided by Customer in Ping Identity’s customer portal. Such notice shall include, if known by Ping Identity: (i) a description of the Security Incident, (ii) whether Personal Data is suspected to be lost, stolen, unavailable, or compromised, (iii) possible consequences of the Security Incident, (iv) corrective actions taken or to be taken by Ping Identity, if any, (v) internal point(s) of contact responsible for managing or responding to the Security Incident, and (vi) Ping Identity’s Data Protection Officer’s contact information.
9. Retention, return and deletion of Personal Data
9.1 Personal Data retention. Ping Identity will retain Personal Data only as long as reasonably necessary and in accordance with Ping Identity’s retention policy, and only to accomplish the intended purpose for which the Personal Data has been processed pursuant to this Addendum.
9.2 Return and deletion of Personal Data upon termination. When Personal Data is no longer necessary for the purposes set forth in this Addendum or at an earlier time as Customer requests in writing, Ping Identity will (i) provide to Customer, in the format and on the media as mutually agreed between the parties, a copy of all or, if specified by Customer, any part of the Personal Data; and/or (ii) delete all, or if specified by the Customer, any part of the Personal Data in Ping Identity’s possession, except for backups and monitoring data which will be deleted per Ping Identity’s data retention policy. Any Personal Data that is not immediately deleted will continue to be protected as set forth in this Addendum.
9.3 Customer’s copy of Personal Data. During the term of the Agreement, Ping Identity will provide Customer with the capability to obtain a copy of its Personal Data by way of an API and/or console. Upon termination or expiry of the Agreement, and upon request, Ping Identity will provide a reasonable opportunity for Customer to obtain a copy of its Personal Data and delete the same. This requirement shall not apply to the extent that Ping Identity is required by Data Protection Laws and Regulations to retain some or all of the Customer Data it has archived on back-up systems, which Ping Identity shall securely isolate and protect from any further processing except to the extent required by Data Protection Laws and Regulations.
10. Limitation of liability. Each party’s liability arising out of or related to this Addendum, whether in contract, tort or under any other theory of liability, is subject to any limitation of liability as set forth in the Agreement and any reference to such limitation of liability of a party means the aggregate liability of the party under the Agreement and this Addendum together.
11. Security audits
11.1 Audit Reports. Ping Identity uses external auditors to verify the adequacy of its security measures with respect to its processing of Personal Data. Such audits are conducted at least annually, are performed at Ping Identity’s expense by independent third-party audit professionals at Ping Identity’s selection, and result in a confidential audit report. A list of Ping Identity’s certifications and/or standards for audit as of the date of this Addendum can be found at https://www.pingidentity.com/en/legal/security.html. Upon Customer’s written request at reasonable intervals, and subject to reasonable confidentiality controls, Ping Identity shall make available to Customer a copy of Ping Identity’s most recent applicable audit report(s) as described in this Section 11.1. For the avoidance of doubt, nothing in this Agreement shall be construed as permitting Customer access to Ping Identity’s production or non-production systems, source code, or access to anything that may expose confidential information of other customers of Ping Identity.
11.2 Ping Identity’s duty of cooperation. Upon Customer’s reasonable written request at any time during the term of this Addendum, Ping Identity shall promptly provide Customer with information related to Ping Identity’s information security safeguards and practices, which may include one or more of the following as Customer may request: (i) responses to a reasonable information security-related questionnaire; (ii) copies of relevant third party audits, reviews, tests, or certifications of Ping Identity’s systems or processes, including an annual SOC 2 report; (iii) a summary of Ping Identity’s operational practices related to data protection and security; and (iv) making Ping Identity personnel reasonably available for security-related discussions with Customer.
12.1 Order of precedence. Except as specifically set forth in this Addendum, the terms and provisions of the underlying Agreement shall remain unmodified and in full force and effect. In the event of a conflict between the terms of the Agreement and the terms of this Addendum, the terms and provisions of this Addendum shall prevail.
12.2 Duration of this Addendum. This Addendum shall take effect upon signature and, notwithstanding expiry of the Agreement, will remain in effect until, and automatically expire upon, deletion of all Personal Data by Ping Identity as described in this Addendum.
12.3 Amendments. If an amendment to this Addendum, including its exhibits, is required in order to comply with applicable Data Protection Laws and Regulations, both parties will work together in good faith to promptly execute a mutually agreeable amendment to this Addendum reflecting the requirements set out by the applicable Data Protection Laws and Regulations.
12.4 Severability. If any provision of this Addendum is ineffective or void, this shall not affect the remaining provisions. The parties shall replace the ineffective or void provision with a lawful provision that reflects the business purpose of the ineffective or void provision. Any such change is subject to a written agreement by both parties.
Exhibit A
Types of Personal Data that may be transferred to Ping Identity by Customer:
First and last name
Employee phone number
Employee e-mail address