Data Processing Agreement

Great Expectations Data Processing Agreement

This Data Processing Agreement (“DPA”) supplements any online or other terms of service, privacy policy, or written agreement (collectively the “Agreement”) between Great Expectations Labs, Inc. (“Great Expectations”) and (“Client”), each on behalf of themselves and their Affiliates (together, the “Parties”). This DPA governs the processing of any Personal Data that Client may make accessible to Great Expectations and is effective as of the Agreement’s effective date (“Effective Date”).

1. Precedence; Survival

Terms not defined in this DPA or in applicable Data Protection Laws, have the meaning assigned to them in the Agreement. In the event of any conflict or inconsistency, this DPA supersedes and prevails over any conflicting terms in the Agreement. The provisions of this DPA survive any termination of the Agreement to the extent necessary.

2. Definitions

2.1 “Affiliate” means an entity that now or hereafter controls, is controlled by or is under common control with a specified entity, where “control” means beneficial ownership, directly or indirectly, of more than fifty percent (50%) of the outstanding shares or other ownership interest (representing the right to vote for the election of directors or other managing authority or the right to make the decisions for such entity, as applicable) of an entity. Such entity is deemed to be an Affiliate only so long as such control exists. 

2.2 “Controller” means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.

2.3 “Anonymized Data” means information which does not relate to an identified or identifiable individual or to personal information or data rendered anonymous in such a manner that the individual is not or no longer identifiable.

2.4 “Client Data” means Personal Data that is directly or indirectly supplied by Client to Great Expectations under the applicable Agreement or which Great Expectations is required to Process pursuant to the Agreement.

2.5 “Data Protection Laws” means all applicable legislation relating to data protection and privacy including without limitation the EU Data Protection Directive 95/46/EC and all local laws and regulations which amend or replace any of them, including the GDPR and the UK GDPR, together with any national implementing laws in any Member State of the European Union or, to the extent applicable, in any other country, as amended, repealed, consolidated or replaced from time to time. 

2.6 “Data Subject” means the individual to whom Personal Data relates.

2.7 “GDPR” means the General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.

2.8 “Personal Data” means any information relating to an identified or identifiable individual where such information is contained within Client Data and is protected similarly as personal data or personally identifiable information under applicable Data Protection Laws.

2.9 “Processing” means any operation or set of operations which is performed on Personal Data, encompassing the collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, or erasure of Personal Data.

2.10 “Processor” means a natural or legal person, public authority, agency, or other body which processes Personal Data on behalf of a Controller.

2.11 “Sensitive Data” means a class of Personal Data including (a) social security number, passport number, driver’s license number, or similar identifier, (b) credit or debit card number (other than truncated digits), financial information, banking account numbers or passwords, (c) employment, financial, genetic, biometric or health information, (d) racial, ethnic, political or religious affiliation, trade union membership, or information about sexual life or sexual orientation, (e) account passwords, (f) criminal history, or (g) any other information or combinations of information that falls within the definition of “special categories of data” under GDPR or any other applicable Data Protection Laws. Great Expectations will not Process or transfer any Sensitive Data unless specifically instructed by Client; provided, however, that any transfer or request by Client for Great Expectations to Process Sensitive Data constitutes Client’s assent for Great Expectations to Process Sensitive Data.

2.12 “Services” means the services provided by Great Expectations to Client pursuant to the Agreement.

2.13 “Standard Contractual Clauses” means Regulation (EU) 2016/679 of the European Parliament and the Council approved by Commission Implementing Decision (EU) 2021/914 of 4 June 2021.

2.14 “Subprocessor” means a natural or legal person, public authority, agency or other body engaged by a Processor who has or may potentially have access to Personal Data, or processes Personal Data.

2.15 “UK GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27th April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018.

2.16 “UK Transfer Addendum” means the addendum pursuant to the International Commissioner's Office decision of February 2, 2022 implementing the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, Version B1.0, in force 21 March 2022.

3. Details of Processing

3.1 Classification of the Parties. To the extent that Great Expectations Processes Client Data, Great Expectations is deemed a Processor. For the purposes of this DPA and the Agreement, Client is deemed a Controller. 

3.2 Categories of Data Subjects. Client may submit, transfer, or grant access to, Personal Data to Great Expectations, or direct Great Expectations to Process Personal Data as part of the Services, the extent of which is determined and controlled by Client in its sole discretion, and which may include, but is not limited to Data Subjects including Client’s employees, contractors, collaborators, customers, prospects, suppliers, agents, and subcontractors.

3.3 Categories of Personal Data. Personal Data, the extent of which is determined and controlled by Client in its sole discretion, including but not limited to name, address, phone number, email address and associated email data, navigational data (including website usage information), system usage data, and other electronic data submitted, stored, sent, or received by Client, or the Client’s end users, including where applicable Sensitive Data.

3.4 Sensitive Data. The Parties do not anticipate the transfer of Sensitive Data. Client is in sole control over any Sensitive Data it requests Great Expectations to Process.

3.5 Frequency of Transfer. Great Expectations will Process Personal Data on a continuous basis for the duration of the Agreement, subject to limiting provisions in this DPA.

3.6 Purpose of the Processing. Great Expectations will Process Personal Data for purposes of providing the Services, as further instructed by Client in its use of the Services, and otherwise agreed to in the Agreement. For the avoidance of doubt, Client completely controls the amount of Client Data Processed by Great Expectations, including controlling what Processing occurs on Client’s systems compared to what Client Data is Processed through Great Expectations’ cloud.

3.7 Retention. Great Expectations will Process Personal Data for the duration of the Agreement, subject to other limited provisions of this DPA.

4. Client Responsibility

Within the scope of the Agreement and in its use of Great Expectations’ Services, Client shall be solely responsible for complying with the statutory requirements relating to the Data Protection Laws, in particular regarding the disclosure and transfer of Personal Data to Great Expectations and the Processing of Personal Data. For the avoidance of doubt, Client’s instructions for the Processing of Personal Data must comply with Data Protection Laws. This DPA is Client’s complete and final instruction to Processor in relation to Personal Data and that additional instructions outside the scope of this DPA would require prior written agreement between the Parties. Instructions must initially be specified in the Agreement and may, from time to time thereafter, be amended, amplified, or replaced by Client in separate written instructions (as individual instructions).

Client shall inform Great Expectations without undue delay and comprehensively about any errors or irregularities related to statutory provisions on the Processing of Personal Data, including if Client’s instructions or transfer of Personal Data to Great Expectations violate Data Protection Laws.

5. Great Expectations Obligations

5.1 Compliance with Instructions. The Parties acknowledge that Client is the Controller of Personal Data and Great Expectations is the Processor of Personal Data. Great Expectations shall Process Personal Data only within the scope of Client’s instructions. If Great Expectations believes that an instruction of Client violates Data Protection Laws, it will immediately inform Client without delay. If Great Expectations cannot process Personal Data in accordance with the instructions due to a legal requirement under any applicable Data Protection Laws, Great Expectations will (i) promptly notify Client of that legal requirement before the relevant Processing to the extent permitted by Data Protection Laws; and (ii) cease all Processing (other than merely storing and maintaining the security of the affected Personal Data) until such time as Client issues new instructions with which Great Expectations is able to comply. If this provision is invoked, Great Expectations will not be liable to Client under the Agreement for any failure to perform the applicable services until such time as Client issues new instructions in regard to the Processing.

5.2 Security. Great Expectations shall take the appropriate technical and organizational measures to adequately protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data, described under Exhibit C.

5.3 Confidentiality. Great Expectations shall ensure that any personnel whom Great Expectations authorizes to process Personal Data on its behalf is subject to confidentiality obligations with respect to that Personal Data. The undertaking to confidentiality continues after the termination of the above-entitled activities.

5.4 Personal Data Breaches. Great Expectations will notify Client without undue delay, and at least within the time required by Data Protection Laws, after it becomes aware of any Personal Data Breach affecting any Personal Data. At Client’s reasonable request, Great Expectations will promptly provide Client with all reasonable assistance necessary to enable Client to notify relevant Personal Data Breaches to competent authorities or affected Data Subjects, if Client is required to do so under the Data Protection Laws.

5.5 Deletion or Retrieval of Personal Data. Other than to the extent required to comply with Data Protection Laws, following termination or expiration of the Agreement, Great Expectations will delete or return all Personal Data (including copies thereof) Processed pursuant to this DPA. If Great Expectations is unable to delete Personal Data for technical or other reasons, Great Expectations will apply reasonable measures to ensure that Personal Data is blocked from any further Processing.

Client shall, upon termination or expiration of the Agreement and by way of issuing an instruction, stipulate, within a period of time set by Great Expectations, the reasonable measures to return Personal Data or to delete stored Personal Data. Client shall pay any additional cost arising in connection with the return or deletion of Personal Data after the termination or expiration of the Agreement.

5.6 Data Protection Impact Assessments and Consultation with Supervisory Authorities. To the extent that the required information is available to Great Expectations and Client does not otherwise have access to the required information, Great Expectations will provide reasonable assistance to Client with any data protection impact assessments, and prior consultations with supervisory authorities or other competent data privacy authorities, which Client reasonably considers to be required by Article 35 or 36 of the GDPR or equivalent provisions of any Data Protection Laws, in each case solely in relation to the processing of Personal Data.

6. Data Subject Requests

Great Expectations will provide reasonable assistance to Client in responding to requests from Data Subjects to exercise their rights under applicable Data Protection Laws. If such request is made directly to Great Expectations, Great Expectations will promptly inform Client and will advise Data Subjects to submit their request to Client. Client is solely responsible for responding to any Data Subjects’ requests.

7. Audits

Great Expectations shall, in accordance with Data Protection Laws and in response to a reasonable written request by Client, make available to Client such information in Great Expectations’ possession or control related to Great Expectations’ compliance with the obligations of data processors under Data Protection Laws in relation to its Processing of Personal Data.

Client may, upon written request and at least thirty (30) days’ written notice to Great Expectations, during regular business hours and without interrupting Great Expectations’ business operations, allow for a mutually agreed upon third-party auditor to conduct an inspection of Great Expectations’ business operations solely to determine Great Expectations’ compliance with this DPA.

Great Expectations shall, upon Client’s written request and on at least thirty (30) days’ written notice to Great Expectations, provide Client with all information necessary for such audit, to the extent that such information is within Great Expectations’ control and Great Expectations is not precluded from disclosing it by applicable law, a duty of confidentiality, or any other obligation owed to a third party.

8. Subprocessors

8.1 Appointment of Subprocessors. Client acknowledges (a) the engagement as Subprocessors of Great Expectations’ Affiliates and the third parties listed, if any, at Exhibit D, and (b) that Great Expectations and its Affiliates respectively may engage third-party Subprocessors in connection with the provision of the Services. Great Expectations may add to or delete from the list of Subprocessors at any time, and Client’s consent extends to any third parties added thereto. For the avoidance of doubt, the above authorization constitutes Client’s general authorization to the subprocessing by Great Expectations for purposes of Clause 9(a), option 2 of the Standard Contractual Clauses.

Where Great Expectations engages Subprocessors, Great Expectations will enter into a contract with the Subprocessor that imposes on the Subprocessor the same or substantially similar obligations that apply to Great Expectations under this DPA. Where the Subprocessor fails to fulfill its data processing obligations, Great Expectations remains liable to Client for the performance of such Subprocessors obligations.

Where a Subprocessor is engaged, Client must be granted the right to monitor and inspect the Subprocessor’s activities in accordance with this DPA and Data Protection Laws, including to obtain information from Great Expectations, upon written request, on the substance of the contract and the implementation of the data protection obligations under the subprocessing contract, where necessary by inspecting the relevant contract documents.

The provisions of this Section mutually apply if Great Expectations engages a Subprocessor in a country outside the European Economic Area (“EEA”) or the United Kingdom ("UK"), not recognized by the European Commission or UK government, respectively, as providing an adequate level of protection for Personal Data. If, in the performance of this DPA, Great Expectations transfers any Personal Data to a Subprocessor located outside of the EEA or UK, Great Expectations shall, in advance of any such transfer, ensure that a legal mechanism in respect of that Processing is in place.

8.2 Current Processor List and Notification or Objection to New Subprocessors. If Great Expectations intends to engage Subprocessors other than the companies listed on the Subprocessors list in Exhibit D, Great Expectations will notify Client in writing. Upon receiving such notification, Client may object to any Subprocessors within thirty (30) days after any addition. The objection must be based on reasonable grounds. If Great Expectations and Client are unable to resolve such objection, either Party may terminate the Agreement by providing written notice to the other Party.

9. Data Transfers

Client acknowledges that, in connection with the performance of the Services under the Agreement, Personal Data will be transferred to Great Expectations in the United States and to its Subprocessors. Great Expectations may access and perform Processing of Personal Data on a global basis as necessary to provide the Services.

The Standard Contractual Clauses apply with respect to Personal Data that is transferred outside the EEA, either directly or via onward transfer, to any country not recognized by the European Commission as providing an adequate level of protection for Personal Data (as described in the Data Protection Laws). Details of the Standard Contractual Clauses are attached as Exhibit A.

The UK Transfer Addendum applies with respect to Personal Data that is transferred outside the UK, either directly or via onward transfer, to any country not recognized by the International Commissioner’s Office as providing an adequate level of protection for Personal Data (as described in the Data Protection Laws). Details of the UK Transfer Addendum are attached as Exhibit B.

To the extent that Client or Great Expectations are relying on a specific statutory mechanism to normalize international data transfers and that mechanism is subsequently revoked or held in a court of competent jurisdiction to be invalid, Client and Great Expectations shall cooperate in good faith to pursue a suitable alternate mechanism that can lawfully support the transfer.

10. Disposition of Personal Data

At your request (by emailing info@greatexpectations.io) or within sixty (60) days after termination of the Agreement, whichever is sooner, Great Expectations shall delete or return to you all Client Data, including any Personal Data subcontracted to a third party for Processing, except as required by applicable law. At that time, with respect to Client Data that Great Expectations is required by applicable law to retain, Great Expectations will isolate and protect Client Data from further Processing, except as required by applicable law. Great Expectations will use commercially reasonable efforts to ensure that any Subprocessors who are in possession of Client Data will also comply with this provision. Great Expectations’ obligation under this Section does not apply to Anonymized Data that Great Expectations can continue to use for any legal purpose.

11. Confidentiality

Great Expectations will keep Client Data strictly confidential and ensure that any employees, Subprocessors, or other agents who have access to Client Data (1) are informed of and subject to this strict duty of confidentiality; (2) access and Process only such Client Data as is strictly necessary to perform Great Expectations’ obligations under the Agreement; and (3) not permit any person to Process Client Data who is not subject to the foregoing duties. 

12. Security

Great Expectations will at all times take reasonable measures to ensure that Client Data is adequately protected in accordance with the requirements of the Data Protection Laws. To this end, Great Expectations will implement appropriate technical and organizational measures to protect Client Data from security incidents. These measures are described in Exhibit C attached to this DPA.

When Great Expectations becomes aware of any security incident, which consists of the unpermitted, accidental, or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to any of Client Data, Great Expectations will inform Client without any undue delay, and in no event longer than forty-eight (48) business hours after discovery of the security incident. Great Expectations will cooperate reasonably with Client and provide information to fulfill Client’s data breach obligations under the Data Protection Laws. Great Expectations will also take additional measures and actions, in its sole discretion or as required by Data Protection Laws, that are necessary to remedy or mitigate the effects of the security incident, and keep Client informed of every material development connected with the security incident.  Except as required by law, Great Expectations will not take action to notify Data Subjects of any security incident.

13. Parties to This DPA

Agreed to this [DAY] day of [MONTH] 202[Y].

Exhibit A

Details of the Standard Contractual Clauses

When applicable, the Parties fully incorporate the Standard Contractual Clauses, including the following options and provisions:

A. Applicable Module

Based on the nature of the Services, the module indicated below applies:

Module One (Controller to Controller)

Module Two (Controller to Processor)

Module Three (Processor to Processor)

Module Four (Processor to Controller)

B. Options

For each module, where applicable, the Parties agree on the following options:

1. Clause 7: the optional docking clause does not apply.

2. Clause 9(a): Option 2 applies. “ten (10) business days” replaces [Specify time period].

3. Clause 11: the optional language does not apply.

4. Clause 13(a): The data exporter is considered established in an EU Member State.

5. Clause 17: Option 1 applies; Ireland law governs.

6. Clause 18(b): The courts of Ireland have jurisdiction.

C. Data Exporter & Importer

Pursuant to Annex I, Part A, the Parties have identified the data exporter and data importer in Section 13 of the DPA.

D. Description of Transfer

Pursuant to Annex I, Part B, the Parties agree that the data transfers are consistent with the descriptions noted in Section 3 of the DPA.

E. Competent Supervisory Authority

For the purposes of Annex I, Part C of the Standard Contractual Clauses, the country in which the Data Exporter is established, if applicable, shall determine the competent supervisory authority.

F. Security of Processing

For the purposes of Annex II of the Standard Contractual Clauses, Exhibit C describes the required Technical and Organisational Measures Including Technical and Organisational Measures to Ensure the Security of the Data. 

Exhibit B

Details of the UK Transfer Addendum

This Exhibit forms part of the DPA and supplements the Standard Contractual Clauses, pursuant to the International Commissioner's Office decision of February 2, 2022 implementing the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, Version B1.0, in force 21 March 2022.

Part 1 is as follows:

(a) The information required on Table 1 is found in Section 13 of the DPA.
(b) The information required on Table 2 is found on Exhibit A.
(c) The information required on Table 3 is found on Exhibit A.
(d) Table 4 is Data importer.

Part 2 is as follows:

Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section ‎‎18 of those Mandatory Clauses.

Exhibit C

Security Measures

Great Expectations utilizes Amazon Web Services (“AWS”) and relies to a great extent on the technical security measures adopted by AWS. In addition to the security measures adopted by AWS, and to the extent data processing activities occur outside the AWS system, Great Expectations has implemented the following technical and organizational measures to ensure the security of Client Data:  

1. Employees are only allowed access to tasks assigned to them.  

2. We ensure that all computers processing personal data (including computers with remote access) are password protected, both after booting up and when left, even for a short period.

3. We assign individual user passwords for authentication.

4. We only grant system access to our authorized personnel and strictly limit their access to applications required for those personnel to fulfill their specific responsibilities.

5. We have implemented a password policy that prohibits the sharing of passwords, outlines procedures to follow after disclosure of a password, and requires that passwords be changed regularly.

6. We ensure that passwords are always stored in encrypted form.

7. We have adopted procedures to deactivate user accounts when an employee, agent, or administrator leaves the company or moves to another responsibility within the company.

8. We have established rules for the safe and permanent destruction of data that are no longer required.

9. Except as necessary for the provision of the Services, Client Data cannot be read, copied, modified or removed without authorization during transfer or storage.

10. We encrypt data during any transmission.

11. We are able to retrospectively examine and establish whether and by whom Client Data has been entered into data processing systems, modified or removed.

12. We log administrator and user activities.

13. We process the personal data received from different clients so that in each step of the processing the Client can be identified and so that data is always physically or logically separated.

14. We create back-up copies stored in protected environments.

15. We perform regular restore tests from our backups.

16. We have created business recovery strategies.

17. We do not use personal data for any purpose other than what have been contracted to perform.

18. We do not remove Client Data from our business computers or premises for any reason (unless you have specifically authorised such removal for business purposes).

19. We ensure that each computer system runs a current anti-virus solution.

20. We have designated a responsible person to perform the functions of a data protection officer.

21. We have obtained the written commitment of our employees to maintain confidentiality and to comply with our requirements under the DPA and the GDPR.

22. We regularly train our staff on data privacy and data security.

Exhibit D

List of Subprocessors