
Rubrik, Inc. Data Processing Agreement

Please note: This Agreement only applies to Rubrik Vendors, Contractors and Consultants

This Data Processing Agreement (“DPA”) forms part of the Agreement (as defined below) between Rubrik, Inc. (“Rubrik”) and Vendor (as set forth in the applicable Agreement as defined below) and is effective on the signed date on the Agreement (“Effective Date”). This DPA reflects the Parties’ agreement with respect to the Processing of Rubrik Data in the provision of Products and Services, as applicable, to be provided by Vendor pursuant to the Agreement. This DPA also consists of Exhibit 1 - The Details and Nature of the Processing.  In the event the Parties require a data transfer mechanism for compliance with applicable Data Protection Laws, the Parties agree to enter into the Standard Contractual Clauses with Appendices 1-3 (“SCCs”), found at: https://www.rubrik.com/en/legal/controller-to-processor, which shall then also form part of this DPA. In the event of any conflict or inconsistency between the terms of the Agreement and this DPA, the terms of this DPA shall prevail. The terms of this DPA shall also supersede any privacy policies or privacy statements made by Vendor. In the event of any conflict or inconsistency between the terms of this DPA and the SCCs, if applicable, the SCCs shall prevail. All capitalized terms not defined herein shall have the meaning set forth in the Agreement.

1.  DEFINITIONS.

1.1    “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control,” for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.

1.2    “Agreement” means a writing that has been signed between Rubrik and Vendor detailing the rights and duties regarding past or future performance such as a Master Services Agreement, a Professional Services Agreement, or a Professional Staffing Services Agreement.

1.3    “Controller” means the entity which determines the purposes and means of the Processing of Personal Data.

1.4    “Data Protection Laws” means all laws and regulations, including laws and regulations of the European Union, the European Economic Area and their member states, Switzerland, the United Kingdom, including any regulatory guidance issued by the applicable Supervisory Authority, and the United States and its states, including without limitation, the California Consumer Privacy Act (“CCPA”), applicable to the Processing of Rubrik Personal Data under this DPA.

1.5     “Data Subject” means the identified or identifiable person to whom Personal Data relates.

1.6     “GDPR” means Regulation (EU) 2016/679 (General Data Protection Regulation) of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data and repealing Directive 95/46/EC.

1.7      “Personal Data”, “Personal Information”, and “Personally Identifiable Information”, which shall be referred to individually or collectively in this DPA as “Personal Data”, mean (i) any information relating to an identified or identifiable natural person, and/or (ii) any information that identifies, relates to, describes, or could reasonably be linked, directly or indirectly, with a particular consumer or household.

1.8    “Personal Data Breach” means a breach of security leading to any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Rubrik Personal Data.

1.9     “Processor” means the entity which is Processing Rubrik Personal Data on behalf of the Controller.

1.10    “Process”, “Processing”, or “Processed” means any operation or set of operations which is performed upon Rubrik Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

1.11     “Rubrik Personal Data” means Personal Data owned, licensed, or otherwise controlled or Processed by Rubrik or by Rubrik Affiliates (including Personal Data Processed by Rubrik or by Rubrik’s Affiliates on behalf of Rubrik’s customers) and further Processed by Vendor in the course of providing the Products and Services under the Agreement.

1.12    “Standard Contractual Clauses” or “SCCs” means the standard data protection clauses for the transfer of Personal Data to processors established in third countries which do not ensure an adequate level of data protection, as described in Article 46 of the GDPR and approved by the European Commission decision 2010/87/EC, dated 5 February 2010, or any set of clauses later approved by the European Commission which amend, replace or supersede such version.

1.13    “Subprocessor” means any party engaged by the Processor to process Rubrik Personal Data under the Agreement, as approved by Rubrik.

1.14    “Supervisory Authority” means an independent public authority which is established by an EU Member State pursuant to the GDPR.

2. SCOPE AND DURATION.

In the course of providing the Products and Services to Rubrik pursuant to the Agreement, Vendor (or its Subprocessor(s)) may Process Rubrik Personal Data on behalf of Rubrik and the Parties agree to comply with the following provisions and instructions with respect to any Rubrik Personal Data. The Parties acknowledge and agree that in the context of the Agreement and this DPA, Vendor will act as Processor to Rubrik who may act either as Controller or Processor with respect to Rubrik Personal Data. Vendor will Process Rubrik Personal Data for the Term of the Agreement, unless otherwise agreed to by the Parties in writing or pursuant to a requirement under Data Protection Laws.

3. INSTRUCTIONS.

Vendor shall not use Rubrik Personal Data, except to perform and provide the Products and Services, as applicable, pursuant to the Agreement. Vendor will Process Rubrik Personal Data only in accordance with this DPA, which contains Rubrik’s instructions in this respect, unless required to do so otherwise by Data Protection Laws to which Vendor is subject; in such a case, Vendor shall inform Rubrik of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest. Further, Vendor shall immediately inform Rubrik if, in its opinion, an instruction infringes Data Protection Laws. Rubrik is solely responsible for the accuracy and legality of Rubrik Personal Data provided to Vendor.  However, Vendor shall make all reasonable efforts to ensure that Rubrik Personal Data is accurate and up-to-date at all times, while in its custody or under its control, to the extent Vendor has the ability to do so.  Vendor shall (and shall ensure that its Subprocessors) comply with Data Protection Laws in relation to its Processing of Rubrik Personal Data.

4. SECURITY AND CONFIDENTIALITY.

Vendor shall ensure that persons authorised by Vendor to Process Rubrik Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. Vendor will maintain appropriate technical and organizational security measures to protect the security and confidentiality of Rubrik Personal Data against a Personal Data Breach, including without limitation, the security measures identified and referenced in the Agreement. In the event of a Personal Data Breach, Vendor will notify Rubrik without undue delay (and in any event within twenty-four (24) hours) after becoming aware of or reasonably suspecting a Personal Data Breach. Vendor will take reasonable steps to: (i) identify the cause of such Personal Data Breach; and (ii) take the steps necessary and reasonable to remediate the cause of such Personal Data Breach to the extent such remediation is within Vendor's reasonable control, including cooperating with Rubrik’s investigation and remediation efforts, mitigating damages and developing and executing a plan, subject to Rubrik’s approval, that promptly reduces the likelihood of a recurrence of the Personal Data Breach. To the extent Vendor has the information, Vendor will provide reasonable assistance to Rubrik with respect to Rubrik’s obligations under Article 33(3) of the GDPR.

5. AUDITS AND ASSISTANCE.

5.1   Vendor agrees to have audits performed by independent external auditors to verify its technical and organizational measures. Such audits will be conducted: (a) by a qualified independent third party; (b) at least annually; (c) in accordance with SOC 2 or ISO 27001 standards or substantially equivalent standards; and (d) will result in an audit report (“Report”). Upon Rubrik’s written request, and subject to the confidentiality obligations set forth in the Agreement, Vendor agrees to make available the Report and its applicable certifications in order to demonstrate the technical and organizational measures implemented by Vendor.

5.2   Vendor will provide reasonable assistance to Rubrik so that Rubrik may comply with Rubrik’s obligations to perform a data protection impact assessment related to Rubrik’s use of the Products and Services, to the extent Rubrik does not otherwise have access to the relevant information and to the extent such information is available to Vendor. Vendor shall provide reasonable assistance to Rubrik in the cooperation or prior consultation with the Supervisory Authority in relation to this DPA, to the extent required by GDPR. Further, Vendor will take such steps as are reasonably required to assist Rubrik in ensuring compliance with its obligations under Articles 32 to 36 of GDPR taking into account the nature of the Processing.

6. RETENTION OF RUBRIK PERSONAL DATA.

Vendor shall not (and shall ensure that its Subprocessors shall not) retain any Rubrik Personal Data for longer than is necessary for the performance of the Products or Services and/or the fulfilment of its obligations under the Agreement, or as required or permitted by applicable Data Protection Law. Upon expiration or termination of the Agreement, Vendor shall return or delete all Rubrik Personal Data following the termination of the Agreement within 30 days, unless such Rubrik Personal Data is required to be maintained by Data Protection Laws, in which case it shall be held in accordance with the terms of this DPA.

7.  SUBJECT ACCESS REQUESTS.

Taking into account the nature of the Processing, Vendor shall (and shall ensure that its Subprocessors) provide full cooperation and assistance to Rubrik in ensuring that individuals’ rights requests under Data Protection Laws are timely and appropriately addressed for the fulfilment of Rubrik’s obligation to respond without undue delay to requests by such individuals as required by Data Protection Laws. For the avoidance of doubt, Vendor will not respond directly to Data Subjects’ requests, but to the extent legally permissible, Vendor will advise the Data Subject to submit their request to Rubrik and Rubrik will be responsible for responding to any such request.

8. SUBPROCESSORS.

Vendor will only appoint Subprocessors pursuant to Article 28(2) of the GDPR. Vendor represents and warrants that Vendor has provided Rubrik with all applicable Subprocessors Vendor currently uses in the provision of its Products and Services applicable to Rubrik. Vendor will notify Rubrik in writing when adding Subprocessors and obtain Rubrik’s prior written consent to such Subprocessors. Should Rubrik reasonably object to a new Subprocessor, upon prior written notice, Rubrik may terminate the Agreement. Vendor shall enter into a written agreement with any applicable Subprocessors in accordance with the requirements under Data Protection Laws and such obligations will in no event be less protective than this DPA. Vendor will restrict the Subprocessor’s access to only what is necessary to provide or maintain the Products and Services. Vendor will remain responsible and will be liable to Rubrik for its compliance with the obligations of this DPA and for any acts or omissions of the Subprocessors.

9. DATA TRANSFERS.

Vendor shall (and shall ensure that its Subprocessors) comply with the SCCs found here: https://www.rubrik.com/en/legal/controller-to-processor, which are incorporated herein by reference, and shall ensure that any international transfers of Rubrik Personal Data comply with Data Protection Laws. With respect to such individual data subjects and their personal data, this DPA and the SCCs shall take precedence over any conflicting terms of the Agreement in place between Rubrik and Vendor.

10. PROCESSING RUBRIK PERSONAL DATA.

10.1   In the course of providing its Products or Services and/or fulfilling its obligations under the Agreement and this DPA, Vendor shall (and shall ensure that any relevant Subprocessor shall):

10.1.1   ensure it does not cause Rubrik, through any intentional act or omission, to be in breach of any Data Protection Laws;  

10.1.2   notify Rubrik promptly if Vendor (or a Subprocessor) is required by law, court order, warrant, subpoena, or other legal process to disclose any Rubrik Personal Data to any person other than Rubrik, the relevant Rubrik customer, or another sub-processor of Rubrik expressly approved in writing by Rubrik to receive such information, unless prohibited by applicable law from notifying Rubrik.  Unless prohibited by applicable law, Vendor will (a) promptly notify Rubrik prior to such disclosure; (b) cooperate with Rubrik in the event that Rubrik elects to legally contest such disclosure, ensure confidential treatment of such information, or otherwise attempt to avoid or limit such disclosure; and (c) limit such disclosure to the extent legally permissible; and

10.1.3   notify Rubrik immediately in writing of any investigation, litigation, arbitrated matter or other dispute relating to Vendor’s (or Vendor’s Subprocessors’) information security or privacy practices.

11. REMEDIES.

11.1   Vendor acknowledges and agrees that, in the event of a breach of this DPA, neither Rubrik nor any affected Rubrik customer(s) will have an adequate remedy in damages. Therefore, Rubrik or any affected Rubrik customer(s) shall be entitled to seek injunctive or equitable relief, to immediately cease or prevent the Processing, use or disclosure of Rubrik Personal Data not contemplated by the Agreement, and/or to enforce the terms of the Agreement (including this DPA), and/or to ensure compliance with any Data Protection Laws.

11.2   Vendor shall indemnify Rubrik against any loss, liability, cost, damage and expense incurred as a result of a breach by the Vendor or its agents or Subprocessors of this DPA.

12. CERTIFICATIONS.

12.1   Vendor acknowledges and agrees that this DPA shall be deemed to constitute any certification that is required under applicable Data Protection Law, including without limitation, the California Consumer Privacy Act of 2018, CA CIV § 1798 (“CCPA”), to the restrictions on sale, retention, use or disclosure of Rubrik Personal Data. Vendor agrees that it will adhere to all applicable privacy regulations and laws related to the Services it provides Rubrik. For the avoidance of doubt, privacy regulations may include, but are not limited to, the CCPA, the Nevada Security and Privacy of Personal Information NRS § 603A and any other state or replacement acts imposing similar obligations.


12.2   Vendor acknowledges and confirms that Vendor does not receive any Rubrik Personal Data as consideration for any Services or other items that Vendor provides to Rubrik. Vendor shall not have, derive, or exercise any rights or benefits regarding Rubrik Personal Data. Vendor must not sell any Rubrik Personal Data, as the term “sell” is defined in the CCPA. In addition, Vendor must not collect, share, retain, or use any Rubrik Personal Data except as necessary to perform Services for Rubrik and only within the direct business relationship with Rubrik. Vendor certifies that Vendor understands the rules, requirements and definitions of the CCPA, and all restrictions in the applicable data protection regulations. Vendor agrees to refrain from taking any action that would cause any transfers of Rubrik Personal Data to or from Vendor to qualify as “selling personal information” under CCPA.

13. LAW ENFORCEMENT ACCESS.

Vendor will not disclose or provide access to any Rubrik Personal Data Processed by Vendor under this DPA to a law enforcement agency, unless required by law. If a law enforcement agency contacts Vendor with a demand for Rubrik Personal Data, Vendor will attempt to redirect the law enforcement agency to request that data directly from Rubrik. If Vendor is compelled to disclose or provide access to any Rubrik Personal Data Processed under this DPA to the law enforcement agency, Vendor will promptly notify Rubrik and provide a copy of the demand unless legally prohibited from doing so.

14. CHANGES IN LAWS.

In the event of (i) any newly enacted Data Protection Law, (ii) any change to an existing Data Protection Law (including generally-accepted interpretations thereof), (iii) any interpretation of a new or existing Data Protection Law by Rubrik, or (iv) any material new or emerging cybersecurity threat, which individually or collectively requires a change in the manner by which Vendor is delivering any Product or Services to Rubrik, the Parties shall agree upon how Vendor’s performance of the Agreement will be impacted and shall make equitable adjustments to the terms of the Agreement.

Exhibit 1 to Data Processing Addendum

Description of Processing of Rubrik Personal Data

Data subjects:

The personal data transferred concern the following categories of data subjects (please specify):

Prospects, customers, business partners, and vendors of data exporter;
Employees or contact persons of data exporter’s prospects, customers, business partners, and vendors;
Employees, contractors, agents, vendors, and advisors of Rubrik.

Categories of data:

The personal data transferred concern the following categories of data (please specify):

Direct identifying information (e.g., name, email address, telephone).
Indirect identifying information (e.g., job title, gender, date of birth).
Device identification data and traffic data (e.g., IP addresses, MAC addresses, web logs).
Other data as defined in the Agreement.

Special categories of data (if appropriate)

Due to the nature of the Services, the exact types of Rubrik Personal Data cannot be determined by the Parties, and may vary depending on Rubrik’s use of Vendor’s Products and Services.

Processing operations

The nature and purpose of the Processing of the Rubrik Personal Data are set out in the Agreement and include:

  1. Provision of the relevant Products and Services;

  2. Delivering any additional services, including providing technical support, deployment, and solution/software development services, troubleshooting, detecting, investigating, mitigating, and repairing problems, including security incidents; and,

  3. Ongoing improvement by Vendor of the relevant Products and Services Activities, including without limitation, any maintenance, including installing the latest updates, and making improvements to the reliability, efficacy, quality, and security of the Products and Services.