Please note:  This Agreement only applies to Rubrik Vendors, Contractors and Consultants

This Data Processing Agreement (“DPA”) forms part of the Vendor End User License Agreement or other mutually accepted written agreement between Rubrik, Inc. (“Rubrik”) and Vendor (as set forth in the applicable Agreement as defined below) and is effective on the signed date on the Agreement (“Effective Date”). This DPA reflects the parties’ agreement with respect to the Processing of Rubrik Data in the provision of Products and Services pursuant to the Agreement. All capitalized terms not defined herein shall have the meaning set forth in the Agreement.

1.  DEFINITIONS.

1.1    “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control,” for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.

1.2    “Agreement” means a writing between Rubrik and Vendor detailing the rights and duties regarding past or future performance such as a Master Services Agreement, a Professional Services Agreement, a Professional Staffing Services Agreement, a Statement of Work or other similar writing. 

1.3    “Controller” means the entity which determines the purposes and means of the Processing of Personal Data.

1.4    “Controller-to-Controller SCCs” means the Standard Contract Clauses located at https://www.rubrik.com/en/legal/controller-to-controller  which are based on Standard Contractual Clauses (controller to controller transfers) in the Annex to the European Commission Decision of December 27, 2004.

1.5     “Controller-to-Processor SCCs” means the Standard Contract Clauses located at https://www.rubrik.com/en/legal/controller-to-processor which are based on Standard Contractual Clauses (Processors) in the Annex to the European Commission Decision of February 5, 2010.

1.6     “Data Breach” means a breach of security leading to any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Rubrik Data.

1.7      “Data Protection Laws” means all laws and regulations, including laws and regulations of the European Union, the European Economic Area and their member states, Switzerland, the United Kingdom and the United States and its states, applicable to the Processing of Personal Data under this DPA.

1.8    “Data Subject” means the identified or identifiable person to whom Personal Data relates.

1.9     “GDPR” means Regulation (EU) 2016/679 (General Data Protection Regulation) of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data and repealing of Directive 95/46/EC.

1.10    “Personal Data” means any information relating to an identified or identifiable natural person.

1.11     “Privacy Shield” means the EU-US and Swiss-US framework designed by the U.S. Department of Commerce and the European Commission and Swiss Administration to provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the European Union and Switzerland to the United States in support of transatlantic commerce.

1.12    “Processor" means the entity which is Processing Rubrik Data on behalf of the Controller.

1.13    "Process", “Processing”, or “Processed” means any operation or set of operations which is performed upon Rubrik Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

1.14    “Rubrik Data” means Personal Data Processed by Vendor in the course of providing the Products and Services under the Agreement.

1.15    "Subprocessor" means any Processor engaged by Vendor to process Rubrik Data under the Agreement.

1.16    “SCCs” means all Controller-to-Processor SCCs and Controller-to-Controller SCCs entered into between the parties under the Agreement.

1.17     “Supervisory Authority” means an independent public authority which is established by an EU Member State pursuant to the GDPR.

2. Scopes and Duration.

2.1    In the course of providing the Products and Services to Rubrik pursuant to the Agreement, Vendor may Process Rubrik Data on behalf of Rubrik and the parties agree to comply with the following provisions and instructions with respect to any Rubrik Data. The parties acknowledge and agree that in the context of the Agreement, Vendor will act as Processor to Rubrik who may act either as Controller or Processor with respect to Rubrik Data. Vendor will Process Rubrik Data for the Term of the Agreement, unless otherwise agreed to by the parties in writing or pursuant to a requirement under Data Protection Laws.

3. INSTRUCTIONS.

3.1    Vendor shall not use Rubrik Data, except to perform and provide the Products and Services pursuant to the Agreement. Vendor will Process Rubrik Data only in accordance with this Agreement, which contains Rubrik’s instructions in this respect, unless required to do so otherwise by Data Protection Laws to which Vendor is subject; in such a case, Vendor shall inform Rubrik of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest. Further, Vendor shall immediately inform Rubrik if, in its opinion, an instruction infringes Data Protection Laws. Rubrik is solely responsible for the accuracy and legality of Rubrik Data provided to Vendor.

4. SECURITY AND CONFIDENTIALITY.

4.1    Vendor shall ensure that persons authorised by Vendor to Process Rubrik Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. Vendor will maintain appropriate technical and organizational security measures to protect the security and confidentiality of Rubrik Data against a Data Breach. In the event of a Data Breach, Vendor will notify Rubrik without undue delay after becoming aware of the Data Breach. Vendor will take reasonable steps to: (i) identify the cause of such Data Breach; and (ii) take the steps necessary and reasonable to remediate the cause of such Data Breach to the extent such remediation is within Vendor's reasonable control. To the extent Vendor has the information, Vendor will provide reasonable assistance to Rubrik with respect to Rubrik’s obligations under Article 33(3) of the GDPR.

5. AUDITS AND ASSISTANCE.

5.1    Vendor undertakes audits performed by independent external auditors to verify its technical and organisational measures. Such audits will be conducted: (a) by a qualified independent third party; (b) at least annually; (c) in accordance with SOC 2 or ISO 27001 standards or substantially equivalent standards; and (d) will result in an audit report ("Report"). Upon Rubrik's written request, and subject to the confidentiality obligations set forth in the Agreement, Vendor agrees to make available the Report and its applicable certifications in order to demonstrate the technical and organizational measures implemented by Vendor.

5.2    Vendor will provide reasonable assistance to the Rubrik so that Rubrik may comply with Rubrik's obligations to perform a data protection impact assessment related to Rubrik’s use of the Products and Services, to the extent Rubrik does not otherwise have access to the relevant information and to the extent such information is available to Vendor. Vendor shall provide reasonable assistance to Rubrik in the cooperation or prior consultation with the Supervisory Authority in relation to this Agreement, to the extent required by GDPR. Further, Vendor will take such steps as are reasonably required to assist the Rubrik in ensuring compliance with its obligations under Articles 32 to 36 of GDPR taking into account the nature of the Processing.

6. DATA ERASURE.

6.1    Upon Rubrik’s request, Vendor will return or delete all Rubrik Data following the termination of the Agreement, unless such Rubrik Data is required to be maintained by Data Protection Laws, in which case it shall be held in accordance with the terms of this DPA.

7.  SUBJECT ACCESS REQUESTS.

7.1    Taking into account the nature of the Processing, Vendor will reasonably assist the Rubrik with Data Subject requests. For the avoidance of doubt Vendor will not respond directly to Data Subjects requests, but to the extent legally permissible, Vendor will advise the Data Subject to submit their request to Rubrik and Rubrik will be responsible for responding to any such request.

8. SUBPROCESSORS.

8.1    Vendor will only appoint any new Subprocessors pursuant to Article 28(2) of the GDPR. For the avoidance of doubt, the Rubrik agrees to Vendor’s current Subprocessors required to provide the Products and Services under the Agreement, the current list to be provided in Exhibit 1 of this DPA. Vendor will notify Rubrik in writing when adding new Subprocessors. If Rubrik does not object to the appointment of the new Subprocessors following 30 days notification of such appointment by Vendor, this will be deemed consent by Rubrik. Should Rubrik object (acting reasonably) to a new Subprocessor, upon prior written notice, Rubrik may terminate the Agreement. Such termination right is Rubrik’s sole and exclusive remedy with respect to such objection. Vendor undertakes to enter into a written agreement with any applicable Subprocessors in accordance with the requirements under Data Protection Laws and such obligations will in no event be less protective than this DPA. Vendor will restrict the Subprocessor's access to only what is necessary to provide or maintain the Products and Service. Vendor will remain responsible for its compliance with the obligations of this DPA and for any acts or omissions of the Subprocessors.

9. CROSS-BORDER TRANSFERS.

9.1    Rubrik and Vendor agree that any transfers Rubrik Data outside the European Economic Area to a third country that has not been given adequacy by the European Commission, will a) provide at least the same level of privacy protection for EEA Personal Data as required under the U.S.-EU and U.S.-Swiss Privacy Shield frameworks; or (b) agree to the Rubrik Controller-to-Processor Standard Contract Clauses located at https://www.rubrik.com/en/legal/controller-to-processor.html . The parties agree that no third-party beneficiary rights for any individual data subject is created unless otherwise specified herein. With respect to such individual data subjects and their personal data, this DPA shall take precedent over any conflicting terms in any commercial agreements between Rubrik and Vendor.

9.2     In some instances, Vendor may transfer EEA Personal Data to Rubrik which Vendor has collected through independent means and not on behalf of Rubrik.  For such cases, the parties agree that Rubrik and the customer would each act as a data controller with respect to their particular copy of the Personal Data. Each party will act as Controller with respect to Personal Data, reasonably cooperate with the other party to enable the exercise of data protection rights as set forth in GDPR and in other Data Protection Laws. Where both parties each act as data controller with respect to Personal Data, and the transfer of data between the parties results in a transfer of EEA Personal Data to a jurisdiction other than a jurisdiction in the EU, the EEA, or the European Commission-approved countries providing ‘adequate’ data protection, each party agrees it will (a) provide at least the same level of privacy protection for European Personal Data as required under the U.S.-EU and U.S.-Swiss Privacy Shield frameworks; or (b) use the Rubrik Controller-to-Controller Standard Contract Clauses located at https://www.rubrik.com/en/legal/controller-to-controller.html . If data transfers under this DPA rely on Controller-to-Controller SCCs to enable the lawful transfer of Personal Data the parties agree that no third-party beneficiary rights for any individual data subject is created unless otherwise specified herein.  The parties acknowledge and agree that each is acting independently as Controller with respect to Personal Data and the parties are not joint controllers as defined in GDPR.

Published:  03/30/2020

Schedule A: California Consumer Privacy Act Addendum

PRIVACY OBLIGATIONS Vendor agrees that will adhere to all applicable privacy regulations and laws related to the services it provides Rubrik. For the absence of doubt, privacy regulations may, but are not limited to the California Consumer Privacy Act of 2018 CA CIV§1798 (“CCPA”), the Nevada Security and Privacy of Personal Information NRS §603A and any other state or replacement acts imposing similar obligations

NO INFORMATION SELLING Vendor acknowledges and confirms that Vendor does not receive any Rubrik Data as consideration for any services or other items that Vendor provides to Rubrik. Vendor shall not have, derive or exercise any rights or benefits regarding Rubrik Data. Vendor must not sell any Rubrik Data, as the term “sell” is defined in the California Consumer Privacy Act of 2018 (“CCPA”). In addition, Vendor must not collect, share, retain, or use any Rubrik Data except as necessary to perform services for Rubrik and only within the direct business relationship with Rubrik. Vendor certifies that Vendor understands the rules, requirements and definitions of the CCPA, and all restrictions in the applicable data protection regulations. Vendor agrees to refrain from taking any action that would cause any transfers of Rubrik Data to or from Vendor to qualify as “selling personal information” under CCPA.