Data Processing Agreement

Last updated December 24, 2024

This Data Processing Agreement (“DPA”) forms an integral part of, and is subject to, the Terra Terms and Conditions located at https://www.terra.security/terms and the Order Form or similar purchase instruments governing the use of Terra’s services, entered into by and between the Customer and Terra Security Inc. (“Terra”) (the DPA together with the Terms and Conditions are collectively referred to as the “Agreement”). Terra and Customer are hereinafter jointly referred to as “Parties” and individually as “Party.” Capitalized terms not otherwise defined herein shall have the meaning given to them in the Terms and Conditions or similar purchase instruments.

By using the Terra services, Customer accepts this DPA, and you represent and warrant that you have full authority to bind the Customer to this DPA. If you cannot, or do not agree to comply with and be bound by this DPA, or otherwise do not have the authority to bind the Customer or any other entity, kindly do not provide Personal Data (or any similar terms under applicable laws) to Terra.

1. Definitions

1.1. “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control” for purposes of this definition means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.

1.2. “Customer Personal Data” means any Personal Data Processed by Terra on behalf of Customer pursuant to or in connection with the Terms and Conditions.

1.3. “Data Protection Laws” means all applicable laws, regulations, and other legal or self-regulatory requirements in any jurisdiction relating to privacy, data protection, data security, breach notification, or the Processing of personal data, including without limitation, the General Data Protection Regulation, Regulation (EU) 2016/679 (“GDPR”); the United Kingdom Data Protection Act of 2018; the Swiss Federal Act on Data Protection (“FADP”); the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq., including its regulations and the amendments made by the California Privacy Rights Act of 2020 (“CCPA”); and other U.S. state privacy laws, as each may be amended from time to time. For the avoidance of doubt, unless specified otherwise, references to “Data Protection Laws” herein mean Data Protection Laws that are applicable in a given situation.

1.4. “EU Data Protection Laws” means EU Directive 95/46/EC, as transposed into domestic legislation of each Member State and as amended, replaced or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR.

1.5. “EU SCC” or “EU Standard Contractual Clauses” mean the annex to the EU Commission Decision of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the council as shall be amended from time to time (including without limitation, the standard contractual clauses adopted by the European Commission in its Implementing Decision (EU) 2021/91 of 4 June 2021), in all cases incorporating the Relevant Amendments (as defined above). Upon the effective date of adoption for any revised standard contractual clauses by the European Commission, all references in this DPA to the “EU SCCs” shall refer to that latest version and the parties shall cooperate to prepare such amendments to this DPA, including the Relevant Amendments, as may be required to take into account and give effect to the European Commission’s adoption of the revised standard contractual clauses. In the event of any conflict or inconsistency between the terms of this DPA and the provisions of the EU SCC (to the extent the latter has been entered into by the parties pursuant to Section 12 (Restricted Transfers) below), the provisions of the EU SCC shall prevail.

1.6. “Sub Processor” means any third party (including any Terra Affiliate, but excluding an employee of Terra or any of its subcontractors) appointed by or on behalf of Terra or any Terra Affiliate to Process Personal Data on behalf of the Customer in connection with the Terms and Conditions.

1.7. “Standard Contractual Clauses” or “SCCs” means the EU SCC, the UK Addendum, and the Swiss Addendum as defined herein, and as applicable to the transfers of Personal Data pursuant to this DPA.

1.8. “Swiss Addendum” means the applicable standard data protection clauses issued, approved or recognized by the Swiss Federal Data Protection and Information Commissioner, specifically the Federal Act on Data Protection. Upon the publication in the Federal Gazette and the entry into force of the revised Federal Act on Data Protection, this term will refer to the latter act.

1.9. “UK Addendum” means the International Data Transfer Addendum to the EU Commission standard contractual clauses issued by the UK Information Commissioner’s Office (version B1.0, in force 21 March 2022).

1.10. “UK GDPR” means the United Kingdom’s Data Protection Act 2018 and the GDPR as adapted into law of the United Kingdom by virtue of section 3 of the United Kingdom’s European Union (Withdrawal) Act 2018.

1.11. The terms, “Data Subject,” “Member State,” “Personal Data,” “Personal Data Breach,” “Special Categories of Data,” “Process/Processing,” “Controller,” “Processor,” and “Supervisory Authority,” shall have the same meanings given to them in the GDPR (or another applicable Data Protection Law). “Controller” is deemed to also refer to “Business,” and “Processor” is deemed to also refer to “Service Provider.”

2. Processing of Customer Personal Data

2.1. This DPA shall only apply with respect to Personal Data obtained by Terra as a result of Customer’s use of Terra’s services, as described in Annex 1 (Details of Processing of Customer Personal Data) attached hereto. In connection with each Party’s rights and obligations under this Agreement, as between the Parties, Terra shall Process Customer Personal Data solely as a data Processor acting on behalf of Customer, and Customer shall be deemed the Controller of such Personal Data.

2.2. Terra shall not Process Customer Personal Data other than according to the Customer’s documented reasonable and customary instructions as specified in the Terms and Conditions or this DPA, which were specifically and explicitly agreed to by Terra, unless such Processing is required by Data Protection Laws. Terra shall inform the Customer of such legal requirement before processing unless the law prohibits such action on public interest grounds.

2.3. Customer instructs Terra (and authorizes Terra to instruct each Sub Processor) to (i) Process Customer Personal Data only to the extent required for the provision of Terra’s Services under the Agreement; and, in particular (ii) transfer Customer Personal Data to any country or territory, all as reasonably necessary for the provision of the Terra services and consistent with Sections 2.1-2.2 above, Section 12 (Restricted Transfers) below, and the Agreement, and in accordance with Data Protection Laws.

2.4. Furthermore, Customer warrants and represents that it is and will remain duly and effectively authorized to give the instruction set out in Section 2.1 and any additional instructions as provided pursuant to the Agreement and/or in connection with the performance thereof, on behalf of itself and each relevant Customer Affiliate, at all relevant times and at least for as long as the Agreement is in effect and for any additional period during which Terra is lawfully processing the Customer Personal Data. In addition, Customer warrants and represents that it has obtained all permissions, consents, authorizations and approvals, including by making all notices, required for it to allow Terra to access and process Customer Personal Data as permitted hereunder.

2.5. Customer sets forth the details of the Processing of Customer Personal Data, as required by Article 28(3) of the GDPR in Annex 1 (Details of Processing of Customer Personal Data), attached hereto.

3. Customer Obligations

Customer shall comply with all applicable laws in connection with the performance of this DPA. As between the Parties, Customer shall be solely responsible for compliance with applicable laws (including Data Protection Laws) regarding the collection and transfer of Customer Personal Data to Terra. Customer agrees not to provide Terra with any special categories of data, as defined in Article 9 of the GDPR.

4. Terra Personnel

Terra shall take reasonable steps to ensure that access to the Customer Personal Data is limited on a need to know/access basis, and that all Terra personnel receiving such access are subject to confidentiality undertakings or professional or statutory obligations of confidentiality in connection with their access/use of Customer Personal Data.

5. Security

In relation to the Customer Personal Data, Terra shall implement appropriate technical and organizational measures (Technical and Organizational Measures) including to the extent appropriate and applicable the measures referred to in Article 32(1) of the GDPR, to establish an appropriate level of security for the Customer Personal Data. Such security has to be sustained throughout the entire duration of this DPA and must aim to (i) ensure the ongoing confidentiality and security of Processing systems and services in connection with the Processing of the Customer Personal Data; and (ii) restore the availability and access to Customer Personal Data in a timely manner in the event of a physical or technical incident. In assessing the appropriate level of security, Terra shall consider the risks presented by Processing, paying particular attention to risks arising from a Personal Data Breach.

6. Sub Processing

6.1. Customer authorizes Terra and each Terra Affiliate to appoint (and permit each Sub Processor appointed in accordance with this Section 6 to appoint) Sub Processors in accordance with this Section 6 and any restrictions in the Agreement.

6.2. Terra and each Terra Affiliate may continue to use those Sub Processors already engaged by Terra or any Terra Affiliate as of the date of this DPA as identified in Annex 2 to this DPA (List of Authorized Sub Processors), including for the purpose of cloud hosting services by reputable Sub Processors, as well as any Sub Processors whom Customer requested Terra to use.

6.3. Terra may appoint new Sub Processors and shall give prior notice of the appointment of any new Sub Processor (e.g., by e-mail), whether by general or specific reference to such Sub Processor (e.g., by name or type of service), including relevant details of the Processing to be undertaken by the new Sub Processor. If Customer notifies Terra in writing of any objections (on reasonable grounds) to the proposed appointment within seven (7) days of such notice, Terra shall not appoint the proposed Sub Processor for the Processing of Customer Personal Data until reasonable steps have been taken to address the objections raised by Customer, and Customer has been provided with a reasonable written explanation of the steps taken. Where such steps are not sufficient to relieve Customer’s reasonable objections then Customer or Terra may, by written notice to the other Party, with immediate effect, terminate the Agreement to the extent that it relates to Terra services which require the use of the proposed Sub Processor without bearing liability for such termination. Otherwise, Customer shall be deemed to have accepted such appointment.

6.4. With respect to each new Sub Processor, Terra shall:

6.4.1. take reasonable steps (for instance by way of reviewing privacy policies as appropriate) before the Sub Processor first Processes Customer Personal Data, to ensure that the Sub Processor is committed to providing the level of protection for Customer Personal Data required by the Agreement;

6.4.2. ensure that the arrangement between Terra and the Sub Processor is governed by a written contract, including terms which offer a materially similar level of protection for Customer Personal Data as those set out in this DPA and meet the requirements of Data Protection Laws; and

6.4.3. remain fully liable to Customer for the performance of any and all Processing of Customer Personal Data performed by Sub Proc

7. Data Subject Rights

7.1. Customer shall be solely responsible for compliance with any statutory obligations concerning requests to exercise Data Subject rights under Data Protection Laws (e.g., for access, rectification, deletion of Customer Personal Data, etc.). After considering the nature of the Processing, Terra shall reasonably endeavor to assist Customer insofar as feasible, to fulfil Customer’s said obligations with respect to such Data Subject requests, as applicable, at Customer’s sole expense.

7.2. Terra shall:

7.2.1. unless otherwise required under applicable laws, promptly notify Customer if it receives a request from a Data Subject under any Data Protection Law in respect of Customer Personal Data; and

7.2.2. ensure that it does not respond to that request except on the documented instructions of Customer or as required by Data Protection Laws to which Terra is subject, in which case Terra shall, to the extent permitted by Data Protection Laws, inform Customer of that legal requirement before it responds to the request.

8. Personal Data Breach

8.1. Terra shall notify Customer without undue delay upon Terra becoming aware of a Personal Data Breach either affecting or related to Terra’s or Terra’s Affiliates’ Processing of such Customer Personal Data. In such event, Terra shall provide Customer with information (to the extent in Terra’s possession) to assist Customer to meet any obligations to inform Data Subjects or data protection authorities of the Personal Data Breach under the Data Protection Laws.

8.2. At the written request and sole expense of the Customer, Terra shall reasonably cooperate with Customer and take such commercially reasonable steps as are agreed by the Parties or necessary under Privacy Protection Laws to assist in the investigation, mitigation and remediation of each such Personal Data Breach.

9. Data Protection Impact Assessment and Prior Consultation

At the written request of the Customer, Terra and each Terra Affiliate shall provide reasonable assistance to Customer, at Customer’s expense, with any data protection impact assessments or prior consultations with Supervising Authorities or other competent data privacy authorities, as required under any applicable Data Protection Laws. Such assistance shall be solely in relation to Processing of Customer Personal Data by Terra.

10. Deletion or return of Customer Personal Data

10.1. Subject to Section 10.2 below, Terra shall promptly, but no later than sixty (60) days of the date of cessation of any Terra services involving the Processing of Customer Personal Data (the “Cessation Date”), delete or pseudonymize all copies of such Customer Personal Data, except any copies that are authorized to be retained under this DPA or required to be retained in accordance with applicable law and/or regulation.

10.2. Subject to the Agreement, Terra may retain Customer Personal Data to the extent authorized or required by applicable laws, provided that Terra shall ensure the confidentiality of all such Customer Personal Data and shall ensure that it is only Processed for such legal purpose(s).

10.3. Upon Customer’s prior written request, Terra shall provide written certification to Customer that it has complied with this Section 10.

11. Audit Rights

11.1. Upon prior written request from the Customer, subject to Sections 11.2 and 11.3, and only to the extent required under applicable Data Protection Laws, Terra shall coordinate to make available to a reputable independent auditor mandated by Customer such information necessary to reasonably demonstrate compliance with this DPA, and allow for audits, including inspections by such reputable auditor in relation to the Processing of the Customer Personal Data by Terra, provided that such third-party auditor shall be subject to confidentiality obligations.

11.2. Provisions of information and audits shall be at Customer’s sole expense and may only arise under Section 11.1, but only to the extent that the Agreement does not otherwise give Customer any information and audit rights that meet the relevant requirements of the applicable Data Protection Laws. In any event, all audits or inspections shall be subject to the terms of the Agreement, and to Terra’s obligations to third parties, including with respect to confidentiality.

11.3. Customer shall give Terra reasonable prior written notice of any audit or inspection to be conducted under Section 10.1 and shall not cause (and ensure that each of its mandated auditors does not cause) any damage, injury or disruption to Terra’s premises, equipment, personnel and business while its personnel are on those premises in the course of such an audit or inspection. Terra need not give access to its premises for the purposes of such an audit or inspection if:

11.3.1. an individual fails to produce reasonable evidence of their identity and authority;

11.3.2. Terra was not given a written notice of such audit or inspection at least 2 weeks in advance;

11.3.3. the audit or inspection takes place outside normal business hours at those premises, unless the audit or inspection needs to be conducted on an emergency basis and Customer has given notice to Terra that this is the case before attendance outside those hours begins; or

11.3.4. the audit or inspection is for a premises outside Terra’s control (such as data storage farms of Terra’s cloud hosting providers).

12. Restricted Transfers

12.1. Transfers from the EEA, Switzerland, and the United Kingdom to countries offering an adequate level of data protection. Personal Data may be transferred from EU Member States, Norway, Iceland, and Liechtenstein (collectively, the “EEA”), Switzerland, and the United Kingdom (“UK”) to countries deemed to provide an adequate level of data protection under adequacy decisions issued by the respective authorities of the EEA, Switzerland, and/or the UK, as applicable. Such transfers, including those conducted under similarly approved mechanisms and frameworks (“Adequacy Decisions”), do not require additional safeguards. For clarity, “Adequacy Decisions” include the European Commission’s adequacy decision of 10 July 2023, establishing the EU-US Data Privacy Framework.

12.2. Direct transfers from the EEA, and the United Kingdom to other countries. Where the Processor’s Processing of Personal Data involves a direct transfer from the Customer to Terra: (i) For transfers from the EEA to countries without an applicable Adequacy Decision, and where such transfers are not conducted via an alternative compliance mechanism recognized by Data Protection Laws (as may be implemented at the Processor’s discretion) (“EEA Transfer”), the terms of the EU SCCs shall apply. (ii) For transfers from the UK to countries without an applicable Adequacy Decision, and where such transfers are not conducted via an alternative compliance mechanism recognized by Data Protection Laws (as may be implemented at the Processor’s discretion) (“UK Transfer”), the terms of the UK Addendum shall apply.

12.3. Onward transfers from the EEA, Switzerland, and the United Kingdom to other countries. Where the Processor onward transfers Personal Data originating from the EEA, UK, or Switzerland to authorized Sub-processors, including Processor Affiliates, in countries lacking an Adequacy Decision, the SCCs (Module 3), the UK Addendum, and/or the SCCs as adjusted per the Swiss Federal Data Protection and Information Commissioner’s guidance of 27 August 2021, shall apply between the Processor and its Sub-processors or Affiliates.

12.4. Transfers from other jurisdictions. If the Processing of Personal Data by the Processor involves a transfer of such data from a jurisdiction outside the EEA, UK, or Switzerland, where a specific compliance mechanism is mandated for lawful data transfer, the Customer shall inform the Processor of such requirements. The Parties may then seek to amend this DPA as necessary in accordance with Section 14.4 below.

13. CCPA Standard of Care; No Sale or Sharing of Personal Information

Terra acknowledges and confirms that it does not receive or process any Personal Information (as defined in the CCPA) as consideration for the services or other items it provides to Customer under the Agreement or this DPA. Terra shall refrain from selling or sharing (as those terms are defined under the CCPA) any Personal Information processed under this DPA without Customer’s prior written consent or instruction. Terra further agrees not to take any action that would cause any transfer of Personal Information under the Agreement or this DPA to qualify as “selling” or “sharing” such Personal Information under the CCPA.

14. General Terms

14.1. Governing Law and Jurisdiction.

14.1.1. The Parties to this DPA hereby submit to the choice of jurisdiction stipulated in the Terms and Conditions with respect to any disputes or claims howsoever arising under this DPA, including disputes regarding its existence, validity or termination or the consequences of its nullity.

14.1.2. This DPA and all non-contractual or other obligations arising out of or in connection therewith are governed by the laws of the country or territory stipulated for this purpose in the Terms and Conditions.

14.2. Limitation of Liability. To the extent permitted by Data Protection Laws, any exclusions and limitations of liability set out in the Terms and Conditions shall apply to this DPA.

14.3. Order of Precedence. Nothing in this DPA reduces Terra’s obligations under the Agreement in relation to the protection of Personal Data or permits Terra to Process (or permit the Processing of) Personal Data in a manner which is prohibited by the Agreement. In the event of any conflict or inconsistency between this DPA and the Terms and Conditions, this DPA shall prevail solely with respect to the subject matter of this DPA and solely if such conflict or inconsistency originates from the requirements of Article 28 of the GDPR (except where explicitly agreed otherwise in writing, signed on behalf of the Parties). This DPA is not intended to, and does not in any way limit or derogate from Customer’s own obligations and liabilities towards Terra under the Agreement, and/or pursuant to the GDPR or any law applicable to Customer, in connection with the collection, handling and use of Personal Data by Customer or its Affiliates or other processors or their sub-processors, including with respect to the transfer or provision of Personal Data to Terra and/or providing access thereto to Terra.

14.4. Changes in Data Protection Laws.

14.4.1. Customer may by at least forty-five (45) calendar days' prior written notice to Terra, request in writing any variations to this DPA if they are required, as a result of any change in, or decision of a competent authority under any applicable Data Protection Law, to allow Processing of those Customer Personal Data to be made (or continue to be made) without breach of that Data Protection Law.

14.4.2. If Customer gives notice with respect to its request to modify this DPA under Section 14.4.1:

14.4.2.1. Terra shall make commercially reasonable efforts to accommodate such modification request; and

14.4.2.2. Customer shall not unreasonably withhold or delay agreement to any consequential variations to this DPA proposed by Terra to protect Terra against additional risks, or to indemnify and compensate Terra for any further steps and costs associated with the variations made herein.

14.4.3. If Customer gives notice under Section 14.4.1, the Parties shall promptly discuss the proposed variations and negotiate in good faith with a view to agreeing and implementing those or alternative variations designed to address the requirements identified in Customer's notice as soon as is reasonably practicable. In the event that the Parties are unable to reach such an agreement within thirty (30) days, then Customer or Terra may, by written notice to the other Party, with immediate effect, terminate the Agreement to the extent that it relates to Terra services which are affected by the proposed variations (or lack thereof).

14.5. Severance. Should any provision of this DPA be deemed invalid or unenforceable, then the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall either be (i) amended as necessary to ensure its validity and enforceability, while preserving the Parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.

Annex 1

Details of Processing of Customer Personal Data

This Annex 1 includes certain details of the Processing of Customer Personal Data as required by Article 28(3) or 28(4) GDPR.

Subject Matter and Duration of the Processing of Customer Personal Data. The subject matter and duration of the Processing of the Customer Personal Data are set out in the Agreement.

The Nature and Purpose of the Processing of Customer Personal Data: Providing the rendering Terra services, as detailed in the Agreement.

The Types of Customer Personal Data to be Processed are as follows: name, phone, organization email address, role, IP address and log-in credentials (e.g. Google sign-up or other account authentication methods made available through the Services)

The categories of Data Subjects to whom the Customer Personal Data relates to are as follows: Customer’s authorized users accessing the Terra services on its behalf (i.e. authorized Customer personnel).

Duration of Processing: Subject to any section of the DPA and/or the Agreement concerning the duration of the processing and the consequences of the expiration or termination thereof, Terra will process Customer Personal Data for the duration of the Agreement, unless otherwise agreed upon in writing.