Effective March 20, 2024
This Data Processing Addendum ("DPA"), is incorporated into and forms part of the terms and conditions of the Matillion Master Subscription Agreement or other agreement under which Matillion Limited ("Matillion") provides services to Customer ("Agreement") executed between the party identified as the "Customer" and Matillion. This DPA is supplemental to the Agreement and sets out the roles and obligations that apply when Matillion processes Personal Data on behalf of Customer in connection with Customer's use of Matillion’s services ("Services"). If there is any conflict between the Agreement and this DPA, the terms of this DPA will prevail to the extent of such conflict. Any capitalized terms not defined in this DPA will have the meanings given to them in the Agreement.
1.1 "controller", "processor", "data subject", "personal data" and "processing" (and "process") will have the meanings given in EU/UK Data Protection Law;
1.2 "Applicable Data Protection Law" means all worldwide data protection and privacy laws and regulations applicable to the Personal Data in question, including, where applicable, EU/UK Data Protection Law, US Data Protection Law, Canadian Data Protection Law, and the Swiss DPA;
1.3 “Breach” means an accidental or unlawful destruction, loss, alteration, or unauthorised disclosure or access that is in violation of Matillion’s security obligations under this Agreement by Matillion or its agents and of which Matillion becomes aware. Breach will not include an unsuccessful Breach, which is one that results in no unauthorized access to Personal Data or to any Matillion equipment or facilities storing the Personal Data, and could include (without limitation) pings and other broadcast attacks of firewalls or edge servers, port scans, unsuccessful log-on attempts, denial of service attacks, packet sniffing (or other unauthorized access to traffic data that does not result in access beyond headers) or similar incidents;
1.4 "Canadian Data Protection Law" means: (i) the Personal Information Protection and Electronic Documents Act S.C. 2000, c. 5; (ii) applicable provincial law; (iii) any and all applicable data protection laws made under, pursuant to or that apply in conjunction with any of (i) or (ii); in each case as may be amended or superseded from time to time;
1.5 “Data Privacy Framework” means the EU-US Data Privacy Framework, the UK extension to the EU-US Data Privacy Framework, and the Swiss-US Data Privacy Framework self-certification program operated by the US Department of Commerce;
1.6 “Data Privacy Principles” means the Data Privacy Framework principles (as supplemented by the Supplemental Principles);
1.7 "EU/UK Data Protection Law" means: (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation) (the "EU GDPR"); (ii) the EU GDPR as saved into United Kingdom law by virtue of section 3 of the United Kingdom's European Union (Withdrawal) Act 2018 (the "UK GDPR"); (iii) the EU e-Privacy Directive (Directive 2002/58/EC); and (iv) any and all applicable national data protection laws made under, pursuant to or that apply in conjunction with any of (i), (ii) or (iii); in each case as may be amended or superseded from time to time;
1.8 "US Data Protection Law" means: (i) the California Consumer Privacy Act of 2018, including as amended by the California Privacy Rights Act of 2020, codified at Cal. Civ. Code §1798.100 et seq., upon the CPRA’s enforcement date of July 1, 2023 (together with its implementing regulations) (“CPRA”); (ii) the Virginia Consumer Data Protection Act; (iii) the Colorado Privacy Act; (iv) the Connecticut Personal Data Privacy and Online Monitoring Act; (v) the Utah Consumer Privacy Act; (vi) the Iowa Consumer Data Protection Act; (vii) the Indiana Consumer Data Protection Act; (viii) the Tennessee Information Protection Act; (ix) the Montana Consumer Data Privacy Act; (x) the Texas Data Privacy and Security Act; (xi) the Oregon Consumer Privacy Act; (xii) the Delaware Personal Data Privacy Act; and (xiii) any and all applicable comprehensive state data protection laws and regulations that are or are not yet in effect as of the Effective Date; in each case as may be amended or superseded from time to time;
1.9 “Supplemental Principles” will have the meaning given in the Data Privacy Framework;
1.10 "Standard Contractual Clauses" means: (i) where the EU GDPR or Swiss DPA applies, the contractual clauses annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council ("EU SCCs"); and (ii) where the UK GDPR applies, standard data protection clauses adopted pursuant to or permitted under Article 46 of the UK GDPR ("UK SCCs"); and
1.11 "Swiss DPA" means the revised Swiss Federal Act on Data Protection enacted on September 25, 2020, and effective on September 1, 2023, as may be amended or superseded from time to time.
Customer instructs Matillion to process the personal data described in Annex I (the "Personal Data") on its behalf. In respect of such processing, Customer will be the controller (or, where Customer is instructing Matillion on behalf of a third party controller, a processor on behalf of that controller) and Matillion will be a processor (or, where Customer is a processor on behalf of a third party controller, Matillion will be a subprocessor to Customer). Each party will comply with the obligations that apply to it under Applicable Data Protection Law.
Matillion will process Personal Data for the purposes described in Annex I and strictly in accordance with the documented instructions of Customer (which instructions, where Customer is a processor, will reflect the instructions of its controller) (the "Permitted Purpose"), except where otherwise required by law(s) that are not incompatible with Applicable Data Protection Law. In no event will Matillion process Personal Data for its own purposes or those of any third party. Matillion will immediately inform Customer (who, where Customer is a processor, will inform its controller) if it becomes aware that such processing instructions infringe Applicable Data Protection Law.
4.1 Order of precedence: To the extent Customer’s use of the Services requires an onward transfer mechanism to lawfully transfer personal data from a jurisdiction to Matillion located outside of that jurisdiction (“Transfer Mechanism”), the terms set forth in this Section 4 will apply. In the event the Services are covered by more than one Transfer Mechanism, the transfer of Personal Data will be subject to a single Transfer Mechanism, as applicable, and in accordance with the following order of precedence: (i) the Data Privacy Framework as set forth in Section 4.2 (Data Privacy Framework) of this DPA; (ii) Standard Contractual Clauses as set forth in Section 4.3 (Standard Contractual Clauses) of this DPA; and, if neither (i) nor (ii) is applicable, then (iii) other applicable data Transfer Mechanisms permitted under Applicable Data Protection Law.
4.2 Data Privacy Framework: To the extent Matillion processes any Personal Data via the services subject to EU/UK Data Protection Law and/or Swiss DPA, Matillion takes reasonable measures to protect Personal Data and to comply with the Data Privacy Principles when processing any such Personal Data. To the extent that Customer is either located in the United States of America and is self-certified under the Data Privacy Framework or subject to EU/UK Data Protection Law and/or Swiss DPA, Matillion further agrees to (i) provide at least the same level of protection to any Personal Data as required by the Data Privacy Principles; (ii) notify Customer in writing, without undue delay, if its self-certification to the Data Privacy Framework is withdrawn, terminated, revoked, or otherwise invalidated; and (iii) upon written notice, work with Customer to take reasonable and appropriate steps to stop and remediate any unauthorized processing of Personal Data.
4.3 Standard Contractual Clauses: For cross border data transfers that are subject to Standard Contractual Clauses, the Standard Contractual Clauses will be deemed entered into, and incorporated into this DPA by this reference, and completed as follows:
4.3.a. in relation to Personal Data that is protected by the EU GDPR, the EU SCCs will apply completed as follows:
(i) Module Two will apply to the extent that Customer is a controller of Personal Data, and Module Three will apply to the extent that Customer is a processor of Personal Data on behalf of a third party controller;
(ii) in Clause 7, the optional docking clause will not apply;
(iii) in Clause 9, Option 2 will apply, and the time period for prior notice of subprocessor changes will be as set out in Clause 8 of this DPA;
(iv) in Clause 11, the optional language will not apply;
(v) in Clause 17, Option 1 will apply, and the EU SCCs will be governed by Republic of Ireland law;
(vi) in Clause 18(b), disputes will be resolved before the courts of the Republic of Ireland;
(vii) Annex I of the EU SCCs will be deemed completed with the information set out in Annex I to this DPA;
(viii) Annex II of the EU SCCs will be deemed completed with the information set out in Annex II to this DPA; and
(ix) Annex III of the EU SCCs will be deemed completed with the information set out in Annex III to this DPA.
4.3.b. in relation to Personal Data that is protected by the UK GDPR, the UK SCCs will apply completed as follows:
(i) for so long as Customer and Matillion are lawfully permitted to rely on the EU SCCs for transfers of Personal Data from the United Kingdom subject to completion of a “UK Addendum to the EU Standard Contractual Clauses” (“UK Addendum”) issued by the Information Commissioner’s Office under s.119A(1) of the Data Protection Act 2018, then:
A. The EU SCCs, completed as set out above in Section 4.3(a) of this DPA will also apply to transfers of such Personal Data, subject to sub-clauses (B) and (C) below;
B. The UK Addendum will be deemed executed between the transferring Customer and Matillion, and the EU SCCs will be deemed amended as specified by the UK Addendum in respect of the transfer of such Personal Data; and
C. The optional illustrative indemnification clause will not apply.
(ii) if Customer and Matillion are no longer permitted to rely on the EU SCCs and the UK Addendum, then the Customer and Matillion will cooperate in good faith to implement appropriate safeguards for transfers of such Personal Data as required or permitted by the UK GDPR without undue delay;
4.3.c. in relation to Personal Data that is protected by the Swiss DPA, the EU SCCs will apply as set out in 4.3(a), amended as follows:
(i) references to ‘Regulation (EU) 2016/679’ in the EU SCCs will be deemed to refer to the Swiss DPA;
(ii) references to specific articles of ‘Regulation (EU) 2016/679’ will be deemed replaced with the equivalent article or section of the Swiss DPA;
(iii) references to ‘EU’, ‘Union’ and ‘Member State’ will be deemed replaced with ‘Switzerland’;
(iv) references to the ‘competent supervisory authority’ and ‘competent courts’ are replaced with the ‘Swiss Federal Data Protection Information Commissioner’ and ‘applicable courts of Switzerland’ (as applicable);
(v) in Clause 17, the EU SCCs will be governed by the laws of Switzerland; and
(vi) in Clause 18(b), disputes will be resolved before the competent courts of Switzerland.
4.3.d. in the event that any provision of the Agreement (including this DPA) contradicts, directly or indirectly, the Standard Contractual Clauses, the Standard Contractual Clauses will prevail.
Matillion will not participate in (nor permit any subprocessor to participate in) any other cross border transfers of Personal Data (whether as an exporter or an importer of Personal Data) unless it has taken such measures as are necessary to ensure the transfer is in compliance with Applicable Data Protection Law. Without prejudice to the foregoing, Customer consents to cross border transfers of Personal Data where Matillion has implemented a transfer solution compliant with Applicable Data Protection Law.
Matillion will take appropriate measures to ensure the confidentiality of Personal Data as outlined in the Agreement.
Matillion will implement appropriate technical and organisational measures to protect the Personal Data from a Breach. Such measures will have regard to the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. Such measures will include, as appropriate:
(a) the pseudonymisation and encryption of Personal Data;
(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
(c) the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident;
(d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing;
(e) at a minimum, such measures will include the measures identified in Annex II.
Customer consents to Matillion engaging third party subprocessors to process the Personal Data. Matillion shall impose data protection terms on any subprocessor it appoints that protect the Personal Data, in substance, to the same standard provided for by this DPA. A list of approved subprocessors as of the date of this DPA is posted at https://trust.matillion.com/?itemUid=e3fae2ca-94a9-416b-b577-5c90e382df57&source=click, which is where Matillion will maintain updated copies of this list when it adds or removes subprocessors. If Customer refuses to consent to Matillion's appointment of a third party subprocessor on reasonable grounds relating to the protection of its Personal Data, then either Matillion will not appoint the subprocessor to access Customerʻs Personal Data or Customer may elect to suspend or terminate the Agreement.
Matillion will provide all reasonable and timely assistance to Customer (at Customer's expense) to enable Customer (or, where Customer is a processor, its controller) to respond to: (i) any request from a data subject to exercise any of its rights under Applicable Data Protection Law (including its rights of access, correction, objection, erasure and data portability, as applicable); and (ii) any other correspondence, enquiry or complaint received from a data subject, regulator or other third party in connection with the processing of Personal Data. In the event that any such request, correspondence, enquiry or complaint is made directly to Matillion, Matillion will (unless prohibited by applicable law) promptly inform Customer (who, where Customer is a processor, will in turn inform its controller) providing full details of the same.
Matillion will provide Customer with all such reasonable and timely assistance (at Customer’s expense) as Customer may require in order to enable it (or, where Customer is a processor, to enable its controller) to conduct a data protection impact assessment in accordance with Applicable Data Protection Law including, if necessary, assistance to Customer (or, where Customer is a processor, its controller) to consult with its relevant data protection authority.
Upon becoming aware of a Breach, Matillion will inform Customer (who, where Customer is a processor, will in turn inform its controller) without undue delay and will provide all such timely information and cooperation as Customer may require in order for Customer (or, where Customer is a processor, its controller) to fulfil its data breach reporting obligations under (and in accordance with the timescales required by) Applicable Data Protection Law. Matillion will further take all such measures and actions as are reasonably necessary to remedy or mitigate the effects of the Breach and will keep Customer informed of all material developments in connection with the Breach.
After a written request by Customer or the termination or expiration of the Agreement, Matillion will destroy or return to Customer all Personal Data in its possession or control. This requirement will not apply to the extent that Matillion: (i) is required by any applicable law to retain some or all Personal Data; and/or (ii) retains Personal Data in its backup systems until the backups have been overwritten or expunged in accordance with Matillion’s backup policy; provided that, in the event of either (i) or (ii), Matillion will isolate and protect Personal Data from any further processing except to the extent required until deletion is possible. Until Personal Data is deleted or returned, Matillion will continue to ensure compliance with its security and privacy obligations in the Agreement and this DPA.
Customer (and, where Customer is a processor, its controller) acknowledges that Matillion is regularly audited against ISO 27001 and SOC 2 by independent third party auditors. Upon request, Matillion will supply a summary copy of its audit report(s) to Customer (and, where Customer is a processor, its controller), which report(s) will be subject to the confidentiality provisions of the Agreement. Matillion will also respond to any written audit questions submitted to it by Customer and meet by teleconference to address follow up questions (and, where Customer is a processor, its controller), provided that Customer (and, where Customer is a processor, its controller) will not exercise this right more than once per year, except if and when required by instruction of a competent data protection authority.
14.1 Processing Of Personal Data: Customer appoints Matillion as a processor (or, where Customer is a processor, Customer appoints Matillion as a sub-processor) to process Personal Data only for the Business Purposes (as defined by CPRA) listed in Customer’s instructions under Annex I of this DPA unless Matillion is required by applicable laws to otherwise process that Customer Personal Data. Processing by Matillion is outlined in Annex I that sets out the processing instructions to which Matillion is bound, including the nature and purpose of the processing, the type of Personal Data subject to the processing, and the duration of the processing. Matillion will adhere to Customer instructions as outlined in Annex I, and Matillion will assist Customer in meeting its obligations under US Data Protection Law. Matillion will comply with all applicable sections of US Data Protection Law, including providing the same level of protection for Personal Data as US Data Protection Law requires Customer to provide. Taking into account the nature of processing and the information available to Matillion, Matillion will assist Customer by:
(a) taking appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the controller's obligation to respond to data subject rights requests as outlined in Section 9;
(b) helping Customer meet its obligations in relation to the security of processing Personal Data and in relation to the notification of a breach of the security of the system as outlined in Section 7, Section 11, and Annex II;
(c) providing information to Customer necessary to enable Customer to conduct and document any data protection assessments as outlined in Section 10. Customer and Matillion are each responsible for only the measures allocated to them;
(d) ensuring that each person processing Personal Data is subject to a duty of confidentiality with respect to Personal Data as outlined in Annex II; and
(e) after providing Customer an opportunity to object, engaging any subprocessor pursuant to a written contract in accordance with Section 8 that requires the subprocessor to meet the obligations of Matillion with respect to Personal Data.
14.2 Security measures: Taking into account the context of processing, Customer and Matillion will implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk and establish a clear allocation of the responsibilities between them to implement the measures as outlined in Annex II.
14.3 Deletion or return of Personal Data: Matillion will delete or return all Personal Data to Customer at the end of the provision of services as outlined in Section 12.
14.4 Audit rights: Matillion grants Customer the right to take reasonable and appropriate steps to help ensure that Matillion uses Personal Data consistent with US Data Protection Law and to stop and remediate unauthorized use of Personal Data. Matillion will, upon the reasonable request of Customer, make available to Customer information in its possession necessary to demonstrate Matillion's compliance as outlined in Section 13. No more than once annually, Matillion will allow Customer to audit Matillion's policies and technical and organizational measures in support of the obligations under US Data Protection Law and will provide a report of the audit to Customer upon request as outlined in Section 13.
14.5 Restrictions On Processing Personal Data: Matillion is prohibited from: (i) processing Personal Data for any purposes but for the Business Purposes unless otherwise expressly permitted by US Data Protection Law; (ii) processing Personal Data for any additional commercial purpose (other than the Business Purposes) including in the servicing of a different business unless otherwise expressly permitted by US Data Protection Law; (iii) processing Personal Data outside the direct business relationship between Customer and Matillion unless otherwise expressly permitted by US Data Protection Law; (iv) Selling or Sharing (as both are defined by CPRA) Personal Data; (v) combining Personal Data with Personal Data that it receives from, or on behalf of, another person or persons, or collects from its own interaction with a data subject unless otherwise expressly permitted by US Data Protection Law; or (vi) processing the Personal Data for any other purpose except as permitted by this DPA.
14.6 Inability To Comply With US Data Protection Law: Matillion shall notify Customer after Matillion determines that it no longer can meet its obligations under this DPA or US Data Protection Law. In the event of Matillion’s inability to meet its obligations, Customer may, in its discretion; (i) take reasonable and appropriate steps to stop and remediate any unauthorized use of Personal Data; or (ii) terminate the Agreement.
14.7 Certification: Matillion certifies that it understands and will comply with the restrictions set forth in this Section 14.
Notwithstanding anything to the contrary in this Agreement, Matillion may collect System Data and use such data internally to develop, improve, support, and operate its products and services. Matillion’s use of System Data will comply with applicable data protection law. Matillion may not share any System Data that includes Personal Data with a third party except to the extent the System Data is aggregated and anonymized such that Customer and Customer’s users cannot be identified.
If and when necessary to accommodate laws, regulations, and/or local business requirements in a particular country outside the United States, European Union, the European Economic Area and their member states, Switzerland and the United Kingdom, the parties may enter into a Local Implementation Addendum covering additional requirements under such laws that are not already addressed in the Agreement or this DPA.
Prior to engaging any employee or contractor who may receive access to Personal Data Matillion will conduct background checks (modified as appropriate to comply with applicable law in countries outside the United States) in line with the requirements for its third party auditors.
This DPA is not a standalone agreement and is only effective if an Agreement is in effect between Matillion and Customer. This DPA is part of the Agreement and is governed by its terms and conditions, including limitations of liability set forth therein. This DPA and the Agreement are the complete and exclusive statement of the mutual understanding of the parties and supersede and cancel all previous written and oral agreements and communications relating to the subject matter hereof. Headings contained in this DPA are for convenience of reference only and do not form part of this DPA.
If any provision of this DPA is adjudicated invalid or unenforceable, this DPA will be amended to the minimum extent necessary to achieve, to the maximum extent possible, the same legal and commercial effect originally intended by the parties. To the extent permitted by applicable law, the parties waive any provision of law that would render any clause of this DPA prohibited or unenforceable in any respect.
No modification of or amendment to this DPA, nor any waiver of any rights under this DPA, will be effective unless in writing signed by the parties to this DPA. The failure by either party to enforce any rights under this DPA will not be construed as a waiver of any rights of such party. This DPA may not be construed to create any right or cause of action on behalf of a third party, except to the minimum extent required available to data subjects under Applicable Data Protection Law.
This DPA may be assigned only in connection with a valid assignment pursuant to the Agreement. If the Agreement is assigned by a party in accordance with its terms, this DPA will be automatically assigned by the same party to the same assignee.
This DPA will be governed by and construed in accordance with the laws of the jurisdiction governing the Agreement unless otherwise required by EU/UK Data Protection Law or Applicable Data Protection Law, in which case this DPA will be governed by the laws outlined in the relevant section of this DPA.
This DPA may be executed and delivered by facsimile or electronic signature and in two or more counterparts, each of which will be deemed an original, but all of which together will constitute one and the same instrument.
24.1 Documentation and compliance: For the purposes of Clause 8.9 the review and audit provisions in this DPA will apply.
24.2 Notification and transparency:
For purposes of Clause 8.3 – Modules 2 and 3 and Clause 15.1(a), the parties agree and acknowledge that it may not be possible for Matillion to make the appropriate communications to data subjects and accordingly, Customer will (following notification by Matillion) have the option to be the party who makes any communication to the data subject, and Matillion will provide the level of assistance set out in this DPA.
24.3 Liability: For the purposes of Clause 12(a), the liability of the parties will be limited in accordance with the limitation of liability provisions in the Agreement.
24.4 Signatories: Notwithstanding the fact that the Standard Contractual Clauses are incorporated herein by reference without being signed directly, Matillion and Customer each agrees that their execution of the Agreement is deemed to constitute its execution of the Standard Contractual Clauses, and that it is duly authorized to do so on behalf of, and to contractually bind, the data exporter or data importer (as applicable) accordingly.
Annex I
| Subject matter and duration of the processing | The subject matter is Customer Personal Data provided by Customer in connection with the performance of the Agreement. The processing of Customer Personal Data shall only be for so long as is required to provide the services set forth under the Agreement or as necessary to comply with Applicable Laws. |
| Nature and purpose of the processing | The purpose of the processing of the Customer Personal Data is to provide the services as set forth in the Agreement. |
| Types of personal data | Customer Personal Data may include: first name, last name, business addresses, mobile phone numbers, email addresses, IP addresses, and such other personal identifiers and data relating to data subjects whose details may be provided to Matillion by Customer in connection with the performance of the services described under the Agreement. |
| Categories of data subjects | Individuals whose details may be provided by Customer in connection with the performance of the services described under the Agreement. |
Annex II
Technical and Organisational Security Measures
Description of the technical and organisational measures implemented by the processor(s) / data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.
Measure
Description
Measures of pseudonymisation and encryption of Personal Data
Technical and Organizational Security Measures
Description of the technical and organisational security measures implemented by Matillion in accordance with Applicable Data Protection Law:
Matillion security measures can be found on Matillion's website at https://trust.matillion.com
Physical access is restricted to approved employees based on the principle of least privilege.
Matillion completes an annual, independent SOC 2 Type 2 audit of its facilities, networks, and systems. Further, Matillion is certified under ISO 27001. On Customer’s request, Matillion will provide the audit results.
Annex III
List of Subprocessors
Matillion’s current list of subprocessors may be found at https://trust.matillion.com
Feature flags are a software development tool that has the capability to control the visibility of any particular feature. ...
BlogImprove your marketing analytics with Matillion Data Productivity Cloud that enables businesses to centralize and integrate ...
BlogData classification enables the targeted protection and management of sensitive information. Personally Identifiable ...