Data Processing Addendum
This Data Processing Addendum (this “DPA”), forms part of the written agreement between CS Disco, Inc. and Customer (as amended from time to time, the “Agreement”). This DPA is effective as of the effective date of Agreement (“Effective Date”). For the purposes of this DPA, “DISCO” means the CS Disco, Inc. contracting entity identified in the Agreement, and “Customer” means the customer contracting entity identified in the Agreement. DISCO and Customer may be referred to herein collectively as the “Parties” or individually as a “Party”.
Customer enters into this DPA on behalf of itself and its Affiliates to the extent DISCO Processes Customer Personal Data in performance of the DISCO Offerings for such Affiliates. For the purposes of this DPA only, and except where indicated otherwise in this DPA, the term “Customer” will include Customer and its Affiliates.
WHEN THIS DPA APPLIES
This DPA is binding on the Parties only to the extent Data Protection Laws govern the Processing of Customer Personal Data in performance of the DISCO Offerings and where DISCO Processes Customer Personal Data only on Customer’s instructions. This DPA is fully incorporated into the Agreement. This DPA replaces any existing terms, exhibits, schedules, appendices, addendums, or other attachments related to the Processing of Customer Personal Data unless otherwise expressly stated in this DPA.
Accordingly, this DPA does not apply to DISCO’s Processing of any Personal Data for its own business/customer relationship administration purposes, its own marketing or service analytics (e.g., involving data collected by DISCO relating to Customer’s users’ use of the DISCO Offerings), its own information and systems security purposes supporting the operation of the DISCO Offerings, nor its own legal, regulatory or compliance purposes.
DATA PROCESSING TERMS
The Parties agree that the terms of this DPA govern the Processing of Customer Personal Data in performance of the DISCO Offerings. Each Party, acting reasonably and in good faith, will comply with the terms of this DPA. Any Processing of Personal Data that is not Customer Personal Data conducted by DISCO, including business relationship administration and system security, will be carried out by DISCO as an independent Controller.
1. Definitions and Interpretation
Capitalized terms used in this DPA have the meanings set forth in this Section 1 and elsewhere in this DPA. All other capitalized terms not defined in this DPA have the meanings set forth in the Agreement or Data Protection Laws.
1.1. “Affiliate” of a Party means any other entity that directly or indirectly, through one or more intermediaries, controls, is controlled by, or is under common control with, such Party. The term “control” (including the terms “controlled by” and “under common control with”) means the direct or indirect power to direct or cause the direction of the management and policies of an entity, whether through the ownership of voting securities, by contract, or otherwise.
1.2. “Controller” (or equivalent term under Data Protection Laws) means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.
1.3. “Data Protection Laws” means any applicable laws or regulations governing the Processing of Customer Personal Data in performance of the DISCO Offerings, including, to the extent applicable, the General Data Protection Regulation 2016/679 (the “GDPR”), the GDPR as it forms part of the UK law by virtue of section 3 of the European Union (Withdrawal) Act 2018 (as amended, including by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019) (the “UK GDPR”), the Swiss Federal Act on Data Protection of 25 September 2020, as amended (“FADP”), and the California Consumer Privacy Act as amended by the California Privacy Rights Act (the “CCPA”), in each case as amended and supplemented.
1.4. “Data Subject” means an identified or identifiable natural person to whom Customer Personal Data relates. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
1.5. “Customer Personal Data” means Personal Data Processed by DISCO (or any Sub-Processor) as a Processor on behalf of and at the direction of Customer in performance of the DISCO Offerings.
1.6. “Personal Data” means any information that relates to an identified or identifiable natural person as defined under Data Protection Laws.
1.7. “Personal Data Breach” means a breach of DISCO’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data in DISCO’s possession, custody or control. For clarity, Personal Data Breach does not include unsuccessful attempts or activities that do not compromise the security of Customer Personal Data (such as unsuccessful log-in attempts, pings, port scans, denial of service attacks, or other network attacks on firewalls or networked systems).
1.8. “Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collecting, recording, organizing, structuring, storing, adapting or altering, retrieving, consulting, retaining, using, disclosing by transmission, disseminating or otherwise making available, aligning or combining, restricting, erasing or destroying.
1.9. “Processor” (or equivalent term under Data Protection Laws) means a natural or legal person, public authority, agency or other body which Processes Personal Data on behalf of the Controller.
1.10. “Restricted Transfer” means the disclosure, grant of access or other transfer of Customer Personal Data to any person located in: (i) in the context of the European Union, any country or territory outside the European Union which does not benefit from an adequacy decision from the European Commission (an “EU Restricted Transfer”); (ii) in the context of the United Kingdom, any country or territory outside the United Kingdom, which does not benefit from an adequacy decision from the UK Government (a “UK Restricted Transfer”); and (iii) in the context of Switzerland, any country or territory outside Switzerland, which does not benefit from an adequacy decision from the Swiss authorities (a “Swiss Restricted Transfer”), which would be prohibited by Data Protection Laws in the absence of appropriate safeguards.
1.11. “Service Data” means any data relating to the use, support and/or operation of the DISCO Offerings collected directly by DISCO for use for its own purposes.
1.12. “Standard Contractual Clauses” or “SCCs” means the Commission Implementing Decision (EU) 2021/914 establishing Standard Contractual Clauses for data transfers to third countries (as amended, modified, or replaced from time to time).
1.13. “Sub-Processor” means a Processor engaged by DISCO for the purpose of Processing Customer Personal Data in performance of the DISCO Offerings.
1.14. “Supervisory Authority” means the relevant governmental body or bodies having jurisdiction over the Processing of Customer Personal Data under this DPA.
1.15. “Transfer Mechanism(s)” means the SCCs, the UK International Data Transfer Addendum, and/or the Swiss transfer mechanism, as applicable to the relevant Restricted Transfer.
1.16. “Trust Center” means the website located at https://trust.csdisco.com/ where individuals may learn about DISCO’s security posture and certifications, subscribe to updates to Sub-Processors, and, subject to the completion of a nondisclosure agreement, request access to DISCO security documentation.
1.17. “UK International Data Transfer Addendum” means the template Addendum B.1.0 issued by the UK Information Commissioner’s Office (ICO) and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of the UK Mandatory Clauses included in Part 2 thereof.
2. Processing of Customer Personal Data
2.1. Roles of the Parties. To the extent DISCO Processes Customer Personal Data in performance of the DISCO Offerings, the Parties agree that Customer is the Controller and DISCO is the Processor.
2.2. DISCO as Processor. DISCO, as Processor, will Process Customer Personal Data only on the documented instructions of Customer. DISCO will not Process Customer Personal Data for any other purpose, except to the extent Processing of Customer Personal Data is required by applicable laws.
2.3. CCPA-specific Terms. If DISCO is Processing Customer Personal Data protected by the CCPA in performance of the DISCO Offerings, DISCO makes the following additional commitments to Customer:
(a) DISCO will not retain, use, or disclose such Customer Personal Data outside of the direct business relationship between DISCO and Customer for any purpose other than for the business purposes set out in this DPA or as otherwise permitted under the CCPA.
(b) In no event will DISCO sell any such Customer Personal Data nor share, rent, release, disclose, disseminate, make available, transfer, or otherwise communicate orally, in writing, or by electronic or other means, such Customer Personal Data to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration.
(c) Unless otherwise provided by the DISCO Offerings or as otherwise permitted under the CCPA, DISCO will not combine such Customer Personal Data with personal information which it receives from or on behalf of any other Customer, or that DISCO collects from its own interaction with any individuals.
(d) DISCO shall only Process such Customer Personal Data for the limited and specified purposes described in the Agreement and the DPA.
(e) DISCO will comply with any direct requirements as a service provider under the CCPA and provide the same level of protection to such Customer Personal Data as is required under the CCPA.
(f) DISCO will notify Customer if it makes a determination that it can no longer meet its obligations under this Section 2.3 and, in such event, shall reasonably comply with Customer’s reasonable instructions regarding ceasing and remediating such Processing that is not in compliance with this Section 2.3.
(g) With respect to CCPA-covered Customer Personal Data, these CCPA-specific terms take precedence over any conflicting data protection commitments DISCO makes to Customer in this DPA.
2.4. Customer as Controller. Customer, as Controller, agrees that Customer:
(a) is solely responsible for the accuracy, quality, and legality of Customer Personal Data, including the means by which Customer acquires Customer Personal Data;
(b) is solely responsible for any registration, notice, or other authorization under applicable laws to engage DISCO to perform the DISCO Offerings;
(c) has the authority to transmit or disclose Customer Personal Data to DISCO (or permit DISCO to access Customer Personal Data); and
(d) will provide DISCO with lawful instructions with respect to the Processing of Customer Personal Data.
2.5. Customer’s Instructions. Customer instructs DISCO (and authorizes DISCO to instruct each Sub-Processor) to Process Customer Personal Data in performance of the DISCO Offerings, including any necessary Restricted Transfers. The Parties agree that the scope of Customer’s instructions for the Processing of Customer Personal Data is defined by: (i) the Agreement, including this DPA; and (ii) any Modified Instructions (as defined in Section 2.6).
2.6. Modified Instructions. Customer may request amendments to Customer’s instructions, where such amendments are required to ensure that Customer complies with Data Protection Laws and Customer cannot achieve Customer’s compliance with Data Protection Laws unless DISCO implements such instructions (“Modified Instructions”), by submitting a written request to DISCO in accordance with the change control or amendment procedures set forth in the Agreement. Customer and DISCO may mutually agree in writing to amend the Agreement to effect such Modified Instructions. If DISCO notifies Customer that it is not feasible or practicable to implement any Modified Instructions, Customer may terminate the applicable DISCO Offering in accordance with the Agreement. This Section 2.6 states Customer’s sole and exclusive remedy, and DISCO’s sole liability, with regard to Modified Instructions.
2.7. Duty to Inform. To the extent required by Data Protection Laws, DISCO will inform Customer if, in DISCO’s opinion, any Customer instruction violates such Data Protection Laws.
2.8. Details of the Processing of Customer Personal Data. The details of the Processing of Customer Personal Data are set forth in Appendix 1 (Processing Details) to this DPA.
3. Confidentiality Obligations of DISCO Personnel
3.1. Confidentiality Obligations of DISCO Personnel. DISCO will ensure that any person it authorizes to Process Customer Personal Data is: (a) subject to confidentiality and restricted use obligations that are no less protective than the confidentiality and restricted use obligations set forth in the Agreement; or (b) under an appropriate statutory obligation of confidentiality.
4. Information Security Program
4.1. Information Security Program. Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, DISCO will in relation to Customer Personal Data implement a written information security program that includes technical and organizational measures designed to protect such Customer Personal Data against unauthorized access, use, disclosure, alteration, or destruction, including the measures set forth in Article 32(1) of the GDPR (and corresponding provisions of the UK GDPR and/or the FADP) to the extent such measures are applicable to DISCO’s Processing of Customer Personal Data in performance of the DISCO Offerings (“Information Security Program”). As of the Effective Date of this DPA, the details of such Information Security Program are set forth in Appendix 2 (Information Security Program) to this DPA. DISCO may update the Information Security Program from time to time, provided the updated measures do not materially decrease the overall protection of Customer Personal Data.
5. Subprocessing
5.1. Use of Sub-Processors; Liability. Customer generally authorizes DISCO to use Sub-Processors, including DISCO’s Affiliates, for the purpose of providing the DISCO Offerings. DISCO will enter into a written agreement with each Sub-Processor containing data protection obligations no less protective than those set forth in this DPA with respect to the Processing of Customer Personal Data. DISCO will remain responsible for any Processing of Customer Personal Data by Sub-Processors.
5.2. Sub-Processor Site. Customer authorizes the use of the Sub-Processors detailed in the list available at https://csdisco.com/subprocessors (the “Sub-Processor Site”). DISCO may engage new Sub-Processors in accordance with Section 5.3 (Customer’s Right to Object to New Sub-Processors) of this DPA.
5.3. Customer’s Right to Object to New Sub-Processors. DISCO shall give Customer prior notice of the appointment of any proposed Sub-Processor by updating the Sub-Processor Site and providing notification to Customer via subscription to DISCO’s Trust Center. Customer agrees that Customer is solely responsible for ensuring that it subscribes to updates to the Sub-Processor Site via DISCO’s Trust Center. If, within fourteen (14) days of any such updates to the Sub-Processor Site, Customer notifies DISCO in writing of any objections (on reasonable grounds) to a proposed appointment of a Sub-Processor:
(a) DISCO shall use reasonable efforts to make available a commercially reasonable change in the provision of the DISCO Offerings, which avoids the use of that proposed Sub-Processor; and
(b) where such a change cannot be made within fourteen (14) days from DISCO’s receipt of Customer’s notice, then either Party may by written notice to the other Party with immediate effect terminate the Agreement, either in whole or to the extent that it relates to the DISCO Offerings which require the use of the proposed Sub-Processor, as its sole and exclusive remedy.
5.4. Sub-Processor Approval. If Customer does not object to DISCO’s appointment of a Sub-Processor during the objection period referred to in Section 5.3, Customer shall be deemed to have approved the engagement and ongoing use of that Sub-Processor.
5.5. Restricted Transfers to Sub-Processors. To the extent DISCO makes a Restricted Transfer to a Sub-Processor, DISCO will establish appropriate safeguards for such Restricted Transfer as required by Data Protection Laws.
6. Assistance to Customer Related to Data Subject Requests
6.1. Data Subject Request Notification. DISCO will promptly notify Customer if DISCO receives a request from a Data Subject to exercise his or her rights under Data Protection Laws with respect to Customer Personal Data.
6.2. Customer’s Responsibility with respect to Data Subject Requests. Customer will be solely responsible for responding to requests, complaints, and all other communications from Data Subjects; provided, however, DISCO may confirm to the Data Subject that DISCO received his or her communication. To the extent that Customer can respond to such requests by using its access to Customer Personal Data or any “self-service” functionality of the DISCO Offerings, Customer will do so.
6.3. Assistance in Responding to Data Subject Requests. Upon Customer’s written instruction, to the extent required by Data Protection Laws, and in accordance with Section 14.1, DISCO will provide Customer with assistance to fulfill Customer’s obligations to respond to requests from Data Subjects to exercise their rights under Data Protection Laws by implementing appropriate technical and organizational measures, insofar as this is possible, taking into account the nature of the Processing.
7. Assistance with Customer’s Other Data Protection Rights and Obligations
7.1. Assistance Related to Customer’s Other Data Protection Rights and Obligations. Taking into account the nature of the Processing and the information available to DISCO, DISCO will provide assistance required to be provided by Processors to Controllers under Data Protection Laws, including the assistance required under Article 28(3) of the GDPR (and the corresponding provisions of the UK GDPR) to the extent such assistance is applicable to DISCO’s Processing of Customer Personal Data in performance of the DISCO Offerings.
8. Customer Audit Rights
8.1. Customer Audit Rights. In order to satisfy any audit or inspection request by Customer under Data Protection Laws or the Standard Contractual Clauses and/or UK International Data Transfer Addendum, upon reasonable request DISCO will provide Customer with copies of DISCO’s audit reports or certifications performed no more than twelve (12) months prior to Customer’s audit request by a qualified third party auditor (“Audit Reports”). Customer agrees to accept the Audit Report findings in lieu of requesting an audit of the controls covered by the Audit Reports. Any information provided under this Section 8.1 is the Confidential Information of DISCO.
9. Return or Deletion of Customer Personal Data
9.1. Return or Deletion of Customer Personal Data. Upon termination of the Agreement, DISCO will delete, return, or provide Customer with a mechanism to allow Customer to obtain a copy of or delete all Customer Personal Data, except to the extent DISCO or its Affiliates are required to retain such Customer Personal Data under applicable laws or document retention policies adopted in accordance with such laws; provided, however, the confidentiality and restricted use obligations set forth in the Agreement will continue to apply to such Customer Personal Data for the duration of such retention.
10. Personal Data Breach of Customer Personal Data
10.1. Personal Data Breach Notification. If DISCO becomes aware of a Personal Data Breach involving Customer Personal Data, DISCO will notify Customer of such Personal Data Breach without undue delay unless prohibited by law or as otherwise requested by a Supervisory Authority.
10.2. Personal Data Breach Assistance. If DISCO notifies Customer of a Personal Data Breach in accordance with Section 10.1 of this DPA, DISCO will assist Customer with its response to a Supervisory Authority’s request for information with respect to such Personal Data Breach as required by Data Protection Laws.
11. Restricted Transfers
11.1. Standard Contractual Clauses. To the extent that Customer makes an EU Restricted Transfer to DISCO that is subject to the GDPR, the Parties agree that the Standard Contractual Clauses will apply to such Restricted Transfer. The Standard Contractual Clauses are incorporated by reference into this DPA, and the remaining details required under the Standard Contractual Clauses are deemed completed, as appropriate, with the information set forth in this DPA, including the appendices to this DPA. The following modules of the SCCs apply in the manner set out below (having regard to the role(s) of Customer set out in Appendix 1): (i) Module Two of the SCCs applies to any EU Restricted Transfer involving Processing of Personal Data in respect of which Customer is a data controller in its own right; and/or Module Three of the SCCs applies to any EU Restricted Transfer involving Processing of Personal Data in respect of which Customer is itself acting as a data processor on behalf of any other person. For purposes of the Standard Contractual Clauses, the Parties agree:
(a) Clause 7 (Docking Clause) shall not apply;
(b) Option 2 (General Authorization) of Clause 9 shall apply, and the “time period” shall be 14 days;
(c) the optional language in Clause 11 (Redress) shall not apply;
(d) for Clause 13 (Supervision), the Supervisory Authority with responsibility for ensuring compliance by the data exporter with the GDPR with regard to Restricted Transfers, namely, the lead Supervisory Authority of the data exporter, shall act as the competent Supervisory Authority;
(e) for Clause 17 (Governing Law), Option 2 shall apply and that, in the event that the law of the jurisdiction in which the data exporter is established does not allow for third-party beneficiary rights, the Standard Contractual Clauses shall be governed by the laws of Ireland; and
(f) for Clause 18 (Choice of Forum and Jurisdiction), the Parties agree that any dispute arising from the SCCs in relation to any EU Restricted Transfer shall be resolved by the courts of Ireland.
11.2. Details of the Standard Contractual Clauses. To the extent the Standard Contractual Clauses apply in accordance with Section 11.1, the Standard Contractual Clauses shall be deemed populated in accordance with Appendix 1, Appendix 2, and the Sub-Processor Site.
11.3. UK Restricted Transfers. To the extent that Customer makes a UK Restricted Transfer to DISCO subject to the UK GDPR, the Parties agree that the UK International Data Transfer Addendum will apply to such UK Restricted Transfer. The UK International Data Transfer Addendum is incorporated by reference into this DPA, and the remaining details required under the UK International Data Transfer Addendum are deemed completed, as appropriate, with the information set forth in this DPA, including the appendices to this DPA. The additional details required to be provided under Part 1 and Part 2 of the UK International Data Transfer Addendum shall be deemed populated in accordance with Appendix 1, Appendix 2, and the Sub-Processor Site. In the event of any inconsistency between the terms of the UK International Data Transfer Addendum and any terms of this DPA with respect to UK Restricted Transfers subject to the UK GDPR, the terms of the UK International Data Transfer Addendum will govern and control with respect to such UK Restricted Transfers.
11.4. Swiss Restricted Transfers. To the extent that Customer makes a Swiss Restricted Transfer to DISCO subject to the FADP, the Parties agree that the Standard Contractual Clauses will apply to such Swiss Restricted Transfer. The Standard Contractual Clauses are incorporated by reference into this DPA, varied to address the requirements of the FADP, and the remaining details required under the Standard Contractual Clauses are deemed completed, as appropriate, with the information set forth in this DPA, including Section 11.1, Section 11.2, and the appendices to this DPA. Nothing in any applicable Standard Contractual Clauses (as deemed amended pursuant to this Section 11.4) should be interpreted or construed in such a way as would limit or exclude the rights of Data Subjects under Clause 18(c) of those Standard Contractual Clauses (as deemed amended pursuant to this Section 11.4) to bring legal proceedings before the courts in Switzerland where Switzerland is that Data Subject’s habitual place of residence.
11.5. Provision of full-form SCCs. In respect of any given Restricted Transfer, if requested by a Party, a Supervisory Authority, or a Data Subject on specific written request, the other Party shall provide the requesting Party with an executed version of the relevant set(s) of Transfer Mechanism(s) responsive to the request, for countersignature by the requesting Party.
11.6. Access to Customer Personal Data by public authorities. In case of any given Restricted Transfer:
(a) To the extent permitted by applicable laws, each Party shall notify the other Party promptly in writing of any subpoena or other judicial or administrative order by a public authority or proceeding seeking access to or disclosure of Customer Personal Data. Such notification shall, to the extent permitted by applicable laws, include details regarding the Data Subject concerned, Customer Personal Data requested, the requesting authority, the legal basis for the request, and any responses provided.
(b) Where DISCO receives such request, Customer shall have the right to defend such legal challenge in lieu of and/or on behalf of DISCO to the extent permitted by applicable laws. Customer may, if it so chooses, seek a protective order. DISCO shall reasonably cooperate with Customer in such defense at the expense of the Customer.
(c) To the extent permitted by applicable laws, each Party shall not disclose the Customer Personal Data requested until all reasonable challenges have been exhausted and shall provide the minimum of information permissible when responding to an order to disclose the Customer Personal Data.
(d) Where a Party becomes aware of any direct access by public authorities to Customer Personal Data (including the reasonable suspicion thereof), this Party shall promptly notify the other Party with all information available, unless otherwise prohibited by applicable laws.
(e) DISCO represents and warrants that: (i) DISCO has not purposefully created ‘backdoors’ or similar programming designed to, or that could, be used to access its systems used to store or otherwise Process Customer Personal Data; (ii) DISCO has not purposefully created or changed its business processes in a manner that facilitates access to its relevant systems or to Customer Personal Data by any governmental authority, law enforcement agency, public body or judicial body and shall not voluntarily cooperate with any such authorities, agencies or bodies in relation to the same; and (iii) no applicable law or government policy to which DISCO is subject requires DISCO to create or maintain ‘backdoors’ or to otherwise enable or facilitate access to Customer Personal Data or systems.
12. Service Data
12.1. Customer acknowledges that DISCO may collect, use and disclose Service Data for its own business purposes, such as:
(a) for accounting, tax, billing, audit, and compliance purposes;
(b) to provide, improve, develop, optimize and maintain the DISCO Offerings;
(c) to investigate fraud, spam, wrongful or unlawful use of the DISCO Offerings; and/or
(d) as otherwise permitted or required by applicable law.
12.2. In respect of any such Processing described in Section 12.1, DISCO:
(a) independently determines the purposes and means of such Processing;
(b) shall comply with applicable Data Protection Laws (if and as applicable in the context); and
(c) where possible, shall apply technical and organizational safeguards to any relevant Service Data that are no less protective than the security measures described in Appendix 2.
12.3. Customer acknowledges and agrees that DISCO may derive aggregated and anonymized data from Service Data and use such data to build or improve the quality of the DISCO Offerings and for its other legitimate business purposes, provided that such data does not constitute Personal Data or Customer Personal Data. Customer acknowledges and agrees that these Processing purposes are compatible with the Processing to provide the DISCO Offerings under the Agreement.
13. Liability
13.1. The total aggregate liability of either Party towards the other Party, howsoever arising, under or in connection with this DPA will under no circumstances exceed any limitations or caps on, and shall be subject to any exclusions of, liability and loss agreed by the Parties in the Agreement; provided that, nothing in this Section 13 will affect any person’s liability to Data Subjects under relevant third-party beneficiary provisions of Data Protection Laws (if and as they apply).
14. Miscellaneous
14.1. Assistance Costs. To the extent legally permitted, Customer is responsible for the reasonable costs and fees associated with DISCO’s provision of assistance under this DPA and implementation of any Modified Instructions.
14.2. Expansion or Modification of Customer Audit Rights. For the avoidance of doubt, no provision in this DPA will be deemed to expand or modify the audit rights of Customer under the Agreement.
14.3. Choice of Law. Except with respect to the Standard Contractual Clauses and UK International Data Transfer Addendum, this DPA is governed by the laws that govern the Agreement, and any dispute between the Parties will be handled as set forth in the Agreement.
14.4. Entire Agreement; Amendments and Modifications. This DPA, together with all exhibits, schedules, addenda, and appendices attached to this DPA and any other documents incorporated into this DPA by reference, constitutes the sole and entire agreement of the Parties with respect to the subject matter of this DPA and supersedes all prior and contemporaneous understandings, agreements, and representations and warranties, both written and oral, with respect to such subject matter. Except as expressly provided in this DPA, the terms of the Agreement are and will remain in full force and effect. From time to time, DISCO may modify this DPA by providing notice to Customer, so long as the updates and modifications do not materially decrease the overall security of the DISCO Offerings. Such notice may be provided in writing, electronically (including through e-mail or through the applicable Technology Offering), or by DISCO posting an updated version of this DPA to its website. Continued use of any DISCO Offerings after a modified version of this DPA goes into effect will constitute Customer’s acceptance of such modified version.
14.5. Hierarchy. In the event of any conflict or inconsistency between: (i) this DPA and the Agreement, this DPA shall prevail; or (ii) any Transfer Mechanism(s) entered into and this DPA and/or the Agreement, the Transfer Mechanism(s) (as applicable) shall prevail in respect of the Restricted Transfer to which they apply.
Updated July 22, 2025
Appendix 1
Processing Details
Appendix 2
Information Security Program
As from the Effective Date, DISCO will implement and maintain the Security Measures set out in this Appendix 2.
1. Organizational management and dedicated staff responsible for the development, implementation and maintenance of DISCO’s information security program.
2. Audit and risk assessment procedures for the purposes of periodic review and assessment of risks to DISCO’s organization, monitoring and maintaining compliance with DISCO’s policies and procedures, and reporting the condition of its information security and compliance to internal senior management. See DISCO’s Trust Center for more information on DISCO’s certifications.
3. Data security controls which include at a minimum, but may not be limited to, logical segregation of data, restricted (e.g. role-based) access and monitoring, and utilization of commercially available and industry standard encryption technologies for Customer Personal Data that is:
(a) transmitted over public networks (i.e. the Internet) or when transmitted wirelessly; or
(b) at rest or stored on portable or removable media (i.e. laptop computers, CD/DVD, USB drives, back-up tapes).
4. Logical access controls designed to manage electronic access to data and system functionality based on authority levels and job functions (e.g. granting access on a need-to-know basis, use of unique IDs and passwords for all users, periodic review, and revoking/changing access when employment terminates or changes in job functions occur).
5. Password controls designed to manage and control password strength, expiration and usage, including prohibiting users from sharing passwords and requiring that DISCO passwords assigned to its employees: (i) be at least twelve (12) characters in length; (ii) not be stored in readable format on DISCO’s computer systems; (iii) be changed upon evidence of compromise; (iv) meet defined complexity requirements; (v) be subject to a history threshold to prevent reuse of recent passwords; and (vi) when newly issued, be changed after first use.
6. Physical and environmental security of data center, server room facilities and other areas containing Customer Personal Data designed to: (i) protect information assets from unauthorized physical access, (ii) manage, monitor and log movement of persons into and out of the facilities, and (iii) guard against environmental hazards such as heat, fire and water damage.
7. Change management procedures and tracking mechanisms designed to test, approve and monitor material changes to DISCO’s technology and information assets.
8. Incident / problem management procedures designed to allow DISCO to investigate, respond to, mitigate and notify of events related to DISCO’s technology and information assets.
9. Network security controls that provide for the use of enterprise firewalls, intrusion detection systems, and other traffic and event correlation procedures designed to protect systems from intrusion and limit the scope of any successful attack.
10. Vulnerability assessment and threat protection technologies and scheduled monitoring procedures designed to identify, assess, mitigate and protect against identified security threats, viruses and other malicious code.
11. Business resiliency/continuity and disaster recovery procedures designed to maintain service and/or recover from foreseeable emergency situations or disasters.
DISCO may update or modify such Security Measures from time to time provided that such updates and modifications do not materially decrease the overall security of the DISCO Offerings.