Cloud Service Subscription Agreement And Cloud Service Free Trial Terms And Conditions

Cloud Service Subscription Agreement

This Couchbase Capella Service Subscription Agreement (“Cloud Agreement”) is made and entered into by and between Couchbase, Inc. (“Couchbase”) and you, on behalf of yourself and as an authorized representative on behalf of an organization (individually and collectively, “Customer”), and sets forth the terms under which Customer may access and use the Cloud Service.

 

BY CREATING AN ACCOUNT TO USE THE CLOUD SERVICE OR BY USING THE CLOUD SERVICE, CUSTOMER AGREES TO THE TERMS OF THIS AGREEMENT. IF YOU DO NOT AGREE WITH ALL OF THESE TERMS, DO NOT CREATE AN ACCOUNT AND DO NOT USE THE CLOUD SERVICE.

             

If you are using the Cloud Service on behalf of an organization or are otherwise entering into this Agreement on behalf of an organization, you represent and warrant that you are authorized to enter into this Agreement on behalf of the relevant organization.

 

This Agreement was last updated on 29 June, 2020.

 

1. Definitions.

Capitalized terms used herein shall have the following definitions:

 “Affiliate” of a party means any legal entity in which a party, directly or indirectly, holds more than fifty percent (50%) of the entity’s shares or voting rights. Any legal entity will be considered an Affiliate as long as that interest is maintained.

“Authorized Users” means any end user of the Cloud Service to whom Customer, directly or indirectly, granted access to the Cloud Service, including Customer’s employees and subcontractors using the Cloud Service on behalf of Customer.

“Beta Services” means any test, alpha, beta, free and trial versions of the Cloud Service.

“Cloud Service” means Couchbase’s database as a service offering that includes (i) the Cloud Control Plane, (ii) the Couchbase Software as deployed in Customer’s Cloud Environment and any successor services (including web services), (iii) Data Plane, and (iv) Support as ordered by Customer via an Order.

“Clusters” mean any Couchbase-managed database deployments.

“Cloud Control Plane” means the software of the Cloud Service that manages the Data Plane, including the user interface of the Cloud Service.

“Couchbase Software” means Couchbase’s database management software program(s) provided as part of the Cloud Service.

“Customer Cloud Environment” means Customer’s cloud environment provided by a third-party cloud services provider into which the Cloud Service deploy the Data Plane.

“Couchbase Capella Credit” means a unit of database processing capability consumed to use the Cloud Service.

“Customer Content” means all content or data provided by or on behalf of Customer or Authorized Users by or through the Cloud Service. 

“Data Plane” means the components of the Cloud Service that are deployed into the Customer Cloud Environment to manage the Couchbase Software.

“DPA” means Couchbase’s Data Processing Addendum attached hereto in Exhibit A.

“Deliverables” means reports and other deliverables Couchbase may design, develop for, or deliver to Customer during the course of providing Professional Services.

“Documentation” means any technical documentation provided by Couchbase related to the Cloud Service.

“Fees” means the sums or fees (i) specified on the applicable Order or SOW for Cloud Service and/or Professional Service, (ii) accrued through Customer’s usage of Couchbase Capella On-Demand Couchbase Capella Credits, or (iii) any other fees or charges payable to Couchbase under this Agreement.

“Feedback” means any data, feedback or information that Customer makes available to Couchbase or that Couchbase derives or generates from Customer’s use of the Cloud Service or the Documentation.

“Order” means a transaction document (such as a signed sales quote) identifying Customer’s subscription for   prepaid Couchbase Capella Credits, Couchbase Capella On-Demand Couchbase Capella Credits, and/or Professional Service, if applicable, along with the applicable Fees and subscription term(s), if any.

“Professional Services” means consulting services and Deliverables as identified in the applicable Order or SOW, provided by Couchbase to Customer, using commercially reasonable efforts.

“Registration Information” means a username, password and other login credentials.

“Service Level Agreement” means the then-current Couchbase Capella Service Availability document available at https://www.couchbase.com/CloudSLA06292020, as updated from time to time.

“Support” means the technical support and maintenance services as described in the then-current Couchbase support policy (available at https://www.couchbase.com/support-policy/cloud), as updated from time to time.

“SOW” means a statement of work identifying and describing the Professional Services purchased by Customer and entered into between Couchbase and Customer. 

“Website” means Couchbase’s website at https://www.couchbase.com

The term “including” means including but not limited to.

 

2. Scope.

2.1. The terms of this Cloud Agreement, any accompanying or future Order or SOW, if any, issued under this Cloud Agreement, and the DPA, if applicable (collectively referred to herein as the “Agreement“) govern Customer’s access to and use of the Cloud Service provided by Couchbase. Customer may purchase the Cloud Service by placing an Order.

 

2.2. This Cloud Agreement, together with all Orders, SOWs, if any, and the DPA, if applicable, contain the only terms and conditions which govern the relationship between Couchbase and Customer. In the event of any conflict between this Cloud Agreement or an Order, and/or the DPA, if applicable, the following order of precedence will apply (in descending order): (1) the DPA, (2) an Order or a SOW, and (3) the Cloud Agreement, only with respect to such conflict.

 

3. Access and Use the Cloud Service.

3.1. Subject to Customer’s compliance with the terms and conditions of the Agreement, Couchbase hereby grants to Customer, and its Authorized Users a limited, non-exclusive, revocable, non-transferable and non-sublicensable, non-assignable, right to access and use the Cloud Service and the Documentation solely for Customers and its Affiliate(s) (if such Affiliate(s) are authorized in an Order), own internal use if explicitly agreed between the parties in an Order. This right includes a limited, non-exclusive, revocable, non-transferable, non-sublicensable and non-assignable license to use the Couchbase Software that is deployed in Customer’s Cloud Environment as part of the Cloud Service solely for Customers and its Affiliate(s) (if such Affiliate(s) are authorized in the Order) own internal use, limited to the use with the Cloud Service, and subject to Customer’s compliance with the terms and conditions of this Agreement.

 

3.2. Use of the Cloud Service requires Customer and/or its Authorized Users to each create a user account, which may require Customer and Authorized Users to provide certain Registration Information. Customer is and shall remain responsible and liable for all activities that occur under Customer’s and Authorized Users’ Registration Information or as a result of Customer’s or Authorized Users’ access to the Cloud Service and shall notify Couchbase immediately of any unauthorized use. Customer shall ensure that its Authorized Users comply with all terms and conditions of this Agreement and shall be responsible and liable to Couchbase for any breach of this Agreement by any Authorized User.

 

3.3. The Cloud Service licensed shall be for the most current release of the Cloud Service. Customer acknowledges that Couchbase, in its sole discretion, may make improvements, changes and updates to the Cloud Service and the Documentation at any time.

 

4. Customer Restrictions.

4.1. Customer shall not, shall not attempt to, or permit any third party (including any Authorized User) to:

(a) access or use the Cloud Service and/or Documentation in any manner except as expressly permitted in this Agreement;

(b) copy or create derivative works of the Cloud Service and/or Documentation, or transfer, sell, rent, lease, lend, distribute, resell, sublicense, market, assign, publish, download, disclose or otherwise make available any part of the Cloud Service (including Cloud Service Credits) and/or Documentation to any third party;

(c) circumvent, interfere with or endanger the operation or security of the Cloud Service and/or Documentation, including any measures designed to monitor or prevent use of the Cloud Service in contravention of this Agreement;

(d) conduct penetration or performance tests of the Cloud Service;

(e) access or use the Cloud Service to provide services to third parties (such as for time-sharing services, service bureau services or as part of an application services provider or as a service offering primarily designed to offer the functionality of the Cloud Service);

(f) access or use the Cloud Service and/or Documentation for the purposes of benchmarking or competitive analysis of the Cloud Service, or developing, using, providing, or supporting products or services competitive to Couchbase;

(g) alter, modify, adapt, translate, enhance, reverse engineer, disassemble, decompile or prepare any derivative work from or of the Cloud Service or Documentation, or otherwise derive or determine or attempt to derive or determine the source code or other proprietary information or trade secrets from the Cloud Service or Documentation;

(h) remove, delete, efface, obscure or otherwise alter any Couchbase proprietary notices, trademarks, warranties or disclaimers in or relating to the Cloud Service or Documentation;

(i) access or use the Cloud Service or Documentation in any manner or for any purpose that infringes, misappropriates, or otherwise violates any intellectual property rights or other rights of any person or entity, or that violates any applicable law, including the disclosure or transmission of content or data contained in the Cloud Service or Documentation in such a manner or for such a purpose; or

(j) revoke or otherwise limit Couchbase’s access to the Customers Cloud Environment (including any Cluster(s)) or do anything else to limit Couchbase’s ability to monitor Customer’s Cluster(s) or otherwise provide the Cloud Service.

 

5. Couchbase and Customer Shared Obligations.

5.1. General. The parties acknowledge that (i) the Cloud Service is implemented in a manner that divides the Cloud Service between the Data Plane deployed in the Customer Cloud Environment and the Cloud Control Plane, and that accordingly each party must undertake certain technical and organizational measures in order to protect the Cloud Service and the Customer Content, (ii) Couchbase does not host the Customer Cloud Environment into which the Data Plane is deployed or the systems in which Customer Content may be stored, and (iii) Couchbase is not responsible for any loss, destruction, alteration, or corruption of Customer Content, except to the extent caused by the gross negligence or willful misconduct of Couchbase.

 

5.2. Customer Responsibilities. Customer acknowledges and agrees that in order to utilize the Cloud Service, Customer is responsible for: (i) at its sole cost and expense ensuring Customer has a Customer Cloud Environment obtained through a third-party cloud services provider, including the provisioning, maintenance or hosting of the Customer Cloud Environment, (ii) protecting the confidentiality and security of all Registration Information used to access the Cloud Service by Customer or any Authorized User; (iii) properly maintaining and securing the Customer Cloud Environment and any other Customer system connected to the Cloud Service (with such steps to include without limitation the regular rotation of access keys and other industry standard steps to preclude unauthorized access); (iv) not interfering with, and, if necessary, taking steps to enable, updates to the Cloud Service to ensure Customer is using the latest version of the Cloud Service; and (v) implementing and maintaining the appropriate configurations of the Cloud Service to enable the backup services and disaster recovery features of the Cloud Service required for purposes of recovering Customer Content.

 

5.3. Couchbase Responsibilities. Couchbase acknowledges and agrees that, as between the parties and except to the extent caused by the action or intentional or negligent inaction of Customer or Customer’s Authorized Users, including without limitation any customizations or configurations of the Cloud Service by Customer or anything specified to be Customer’s responsibility in Section 5.2 above, Couchbase is primarily responsible for (i) the operation of the Cloud Control Plane (including the user interface of the Cloud Service), and (ii) implementing reasonable technical and organizational measures to protect the security of the foregoing.

 

6. Customer Content.

6.1. Customer hereby grants to Couchbase a limited, non-exclusive, royalty-free, worldwide right and license to use, display, host, copy, process and transmit any and all Customer Content to provide and improve the Cloud Service in accordance with this Agreement. Except with respect to any Free Trial, the terms of the DPA are hereby incorporated by reference and shall apply to the extent Customer Content includes Personal Data, as defined in the DPA.

 

6.2. Customer represents and warrants and shall ensure that it has the right to provide the above right and license and that neither the Customer Content itself nor its use by Couchbase for purposes of this Agreement shall violate any applicable law or infringe, misappropriate or otherwise violate any rights of any third party, including intellectual property rights, privacy rights and other rights under contract or law.

 

7. Professional Services.

7.1 The parties may agree Couchbase to provide Professional Services to Customer, which shall be set forth in a SOW signed by both parties. Couchbase will render the Professional Services in a professional and workmanlike manner in accordance with the terms and conditions of this Cloud Agreement and the applicable Order or SOW.

 

8. Support and Service Levels.

8.1 Except for any Beta Service, Couchbase will provide Customer with the level of Support selected by Customer through the Cloud Control Plane and paid for by Customer and will use commercially reasonable efforts to meet or exceed the service levels set forth in the Service Level Agreement. For prepaid Couchbase Capella Credit subscriptions, Support, if purchased by Customer, expires at the earlier of the consumption or expiration of the prepaid Couchbase Capella Credits. For On-Demand Couchbase Capella Credits, Support, if purchased by Customer, expires upon termination of the On-Demand Couchbase Capella Credits in accordance with Section 17.3 below.

 

9. Beta Services.

9.1 From time to time and at Couchbase’s sole discretion, Couchbase may invite Customer in a separate writing, such as an Order, to participate in certain Beta Services at no additional charge. Customer may elect to participate in such Beta Services trials in its sole discretion, provided that Customer agrees to the restrictions generally applicable to the Cloud Service under this Agreement and any requirements set forth by Couchbase in writing regarding the particular Beta Services. Unless otherwise stated, any Beta Services trial period will expire upon the earlier of one year from the trial start date or the date that a version of the Beta Services becomes generally available without the applicable Beta Services designation. Couchbase may discontinue Beta Services at any time in its sole discretion and is under no obligation to make such Beta Services generally available.

 

9.2 Notwithstanding anything to the contrary in the Agreement, Customer acknowledges and agrees to the following with respect to any Beta Services it elects to use: 

(a) The rights granted to Customer with respect to the Beta Services are revocable and terminable at any time in Couchbase’s sole and absolute discretion. Couchbase may withdraw or discontinue the Beta Services at any time;

(b) The Beta Services are provided exclusive of any Service Level Agreement, Support and related service levels, warranties, servicing obligations (including any updates, patches, enhancement or fixes described in Documentation or on the Website), or any obligation to provide other services with respect to the Beta Services whatsoever under this Agreement or otherwise. Any references to support, updates, patches, enhancements, fixes or service levels (or similar) in any Documentation or any Couchbase website or marketing materials do not apply to the Beta Services;

(c) Couchbase may make changes to the Beta Services at any time without providing any notice to Customer; and

(d) Couchbase, any of its Affiliates’ or licensors (collectively, the “Couchbase Parties”) will have no liability for any harm or damage arising out of or in connection with a Beta Services.

 

10. Proprietary Rights.

10.1. Couchbase and its licensors retain all right, title and interest in and to the Cloud Service (including the Couchbase Software and any and all improvements, enhancements or modifications thereto), all the Documentation and Professional Services, including all intellectual property rights therein, and nothing in this Agreement will be construed as conferring by implication, acquiescence, estoppel, or otherwise, any license or other right upon Customer.

 

10.2. Except as expressly stated in Section 6, Customer retains all right, title and interest in and to the Customer Content, including all intellectual property rights therein.

 

10.3. Couchbase may use any Feedback and Customer hereby grants Couchbase a royalty-free, fully paid-up, non-exclusive, transferable, sublicensable, perpetual, irrevocable license to use, copy, modify, make derivative works of, distribute, perform and display any Feedback for any purpose, including to improve and develop the Cloud Service and the Documentation.

 

10.4. If Customer is the United States Government or any contractor thereof, all licenses granted hereunder are subject to the following: (a) for acquisition by or on behalf of civil agencies, as necessary to obtain protection as “commercial computer software” and related documentation in accordance with the terms of this Agreement and as specified in Subpart 12.1212 of the Federal Acquisition Regulation (FAR), 48 C.F.R.12.1212, and its successors; and (b) for acquisition by or on behalf of the Department of Defense (DOD) and any agencies or units thereof, as necessary to obtain protection as “commercial computer software” and related documentation in accordance with the terms of this Agreement and as specified in Subparts 227.7202-1 and 227.7202-3 of the DOD FAR Supplement, 48 C.F.R.227.7202-1 and 227.7202-3, and its successors, Manufacturer is Couchbase, Inc.

 

11. Fees, Payment Terms and Taxes.

11.1. Fees. Customer may subscribe to the Cloud Service via an Order and shall pay Couchbase the Fees in accordance with this Section 11.

 

11.2. Couchbase Capella Credits and On-Demand Couchbase Capella Credit Fees.

(a) Usage Rate. The Couchbase Capella Credits shall be consumed, and the On-Demand Couchbase Capella Credits shall be accrued, respectively, according to the then-current consumption rates set forth in the Cloud Control Plane. Couchbase shall monitor and provide daily reporting on Customer’s consumption of Couchbase Capella Credits or On-Demand Couchbase Capella Credits, as applicable, to Customer via the Cloud Control Plane. Couchbase may increase the consumption rate by giving Customer at least thirty (30) days’ prior notice via any reasonable means, such as email notice, or a notice published on the Cloud Control Plane or the Website.

(b) Couchbase Capella Credits. Except as explicitly stated otherwise in an Order, Fees for Couchbase Capella Credits purchased are non-cancelable and payable in advance on an annual upfront basis in accordance with Section 11.3. Any unused Couchbase Capella Credits purchased shall expire on the expiration date set forth in the applicable Order and shall be forfeited by Customer.

(c) On-Demand Couchbase Capella Credits. Where Customer (i) subscribes to use the Cloud Service on a pay-as-you-go basis without purchasing Couchbase Capella Credits, or (ii) continues to use a Cluster (or Clusters) in the Cloud Service for which Customer’s prepaid Couchbase Capella Credits designated for such Cluster(s) have all been consumed or have expired, Customer will be deemed to be consuming Couchbase Capella Credits on a pay-as-you-go basis (“On-Demand Couchbase Capella Credits”). Fees for On-Demand Couchbase Capella Credits shall automatically accrue and are payable monthly in arrears, in accordance with Section 11.3. Couchbase may increase the Fees payable for On-Demand Couchbase Capella Credit by giving Customers using the On-Demand Couchbase Capella Credits at the time of notice, at least thirty (30) days’ prior notice via any reasonable means, such as email, or a notice published on the Cloud Control Plane or the Website.

 

11.3. Payment Terms. Unless otherwise stated in the applicable Order or SOW, all payments of Fees under this Agreement shall be in USD and paid using one of the payment methods supported by Couchbase.  Couchbase may issue invoices to Customers via email or in the form accessible via the Cloud Control Plane. Unless otherwise stated in the applicable Order or SOW, Customer shall pay for all invoices issued by Couchbase to Customer under this Agreement within thirty (30) days of the date of the invoice, even if such invoice does not provide a Customer purchase order number.  For invoiced amounts, late payments may, in Couchbase’s discretion, bear interest at the lesser of one and one half percent (1½%) per month or the maximum rate allowed by applicable law, and Customer shall reimburse Couchbase for all reasonable costs and expenses incurred (including reasonable attorneys’ fees) in collecting any overdue amounts. All amounts paid and payable by Customer under this Agreement, are non-refundable, and shall be paid to Couchbase without setoff or counterclaim, and without any deduction or withholding.

 

11.4. Taxes. All Fees payable by Customer are exclusive of applicable taxes and duties (such as, without limitation, VAT, Service Tax, GST, excise taxes, sales and transactions taxes, and gross receipts tax (collectively, the “Transaction Taxes”). If applicable, Couchbase may charge and Customer shall pay all Transaction Taxes that Couchbase is legally obligated or authorized to collect from Customer. Customer will provide such information to Couchbase as reasonably required to determine whether Couchbase is obligated to collect Transaction Taxes from Customer. Couchbase will not collect, and Customer will not pay any Transaction Taxes for which Customer furnishes a properly completed exemption certificate or a direct payment permit certificate for which Couchbase may claim an available exemption from such Transaction Taxes. All payments made by Customer to Couchbase under this Agreement will be made free and clear of any deduction or withholding, as may be required by law. If any such deduction or withholding (including but not limited to cross-border withholding taxes) is required on any payment, Customer will pay such additional amounts as are necessary so that the net amount received by Couchbase is equal to the amount then due and payable under this Agreement. Couchbase will provide Customer with such tax forms as are reasonably requested in order to reduce or eliminate the amount of any withholding or deduction for taxes in respect of payments made under this Agreement.

 

12. Records and Audits.

12.1. Records and Inspection. Customer: (a) shall maintain complete and accurate books and records of all Customers’ activities under this Agreement, to enable Couchbase to verify Customers’ compliance with this Agreement; and (b) shall provide Couchbase with such books and records within ten (10) days of Couchbase’s request, for Couchbase’s inspection to verify Customers’ compliance with this Agreement.

 

12.2. Audits. Upon at least thirty (30) days prior written notice, but no more than once in any twelve (12) month period, Couchbase may audit Customers use of Cloud Service to verify whether Customer is in compliance with the terms of this Agreement. Any such audit will be conducted during regular business hours and may be conducted remotely or at Customers’ facility and will not unreasonably interfere with Customers’ business activities. Customer shall provide Couchbase with access to the relevant records and facilities.  Couchbase retains the right to audit the Customer for one (1) year after termination of this Agreement.

 

12.3. Third Party Auditors. Any inspections or audits under Section 12.1 (Records and Inspections) or 12.2 (Audits) may be conducted by Couchbase or an independent certified public accountant reasonably acceptable to both parties.

 

13. Confidentiality.

13.1. Customer and Couchbase will maintain the confidentiality of the other party’s Confidential Information. “Confidential Information” means any proprietary information disclosed by one party (“Disclosing Party”) to the other party (“Receiving Party”) during, or prior to entering into, this Agreement that Receiving Party should know is confidential or proprietary based on the nature of the information and circumstances surrounding the disclosure, including non-public technical and business information (including pricing). Confidential Information does not include information that (a) is or becomes generally known to the public through no fault of or breach of this Agreement by the Receiving Party; (b) is rightfully known by the Receiving Party at the time of disclosure without an obligation of confidentiality to the Disclosing Party; (c) is independently developed by the Receiving Party without use of the Disclosing Party’s Confidential Information; or (d) the Receiving Party rightfully obtains from a third party without restriction on use or disclosure.

 

13.2. The Receiving Party of any Confidential Information of the Disclosing Party agrees not to use such Confidential Information for any purpose except as necessary to fulfill its obligations and exercise its rights under this Agreement. The Receiving Party will protect the secrecy of and prevent disclosure and unauthorized use of the Disclosing Party’s Confidential Information using the same degree of care that it takes to protect its own confidential information and in no event will use less than reasonable care.

 

13.3. Upon termination of this Agreement, the Receiving Party will, at the Disclosing Party’s option, promptly return or destroy (and provide written certification of such destruction) the Disclosing Party’s Confidential Information. A party may disclose the other party’s Confidential Information to the extent required by law or regulation.

 

14. DISCLAIMER OF WARRANTY.

14.1. THE CLOUD SERVICE (INCLUDING THE COUCHBASE SOFTWARE), DOCUMENTATION AND ANY PROFESSIONAL SERVICES ARE PROVIDED “AS IS” AND “AS AVAILABLE”, WITH ALL FAULTS AND WITHOUT WARRANTY OF ANY KIND, AND COUCHBASE PARTIES DO NOT REPRESENT OR WARRANT THAT THE CLOUD SERVICE, DOCUMENTATION OR PROFESSIONAL SERVICES PROVIDED WILL MEET CUSTOMER’S REQUIREMENTS, THAT THE OPERATION OF THE CLOUD SERVICE OR DOCUMENTATION WILL BE UNINTERRUPTED, ERROR-FREE, SECURE, ACCURATE, COMPLETE OR FREE OF HARMFUL CODE, THAT DEFECTS WILL BE CORRECTED,OR THAT ANY  INFORMATION OR ADVICE GIVEN BY THE COUCHBASE PARTIES WILL CREATE ANY WARRANTY. THE COUCHBASE PARTIES (A) DO NOT CONTROL THE TRANSFER OF DATA OVER COMMUNICATIONS FACILITIES, INCLUDING THE INTERNET, AND THE CLOUD SERVICE MAY BE SUBJECT TO LIMITATIONS, DELAYS, AND OTHER PROBLEMS INHERENT IN THE USE OF SUCH COMMUNICATIONS FACILITIES, (B) ARE NOT RESPONSIBLE FOR ANY DELAYS, DELIVERY FAILURES, OR OTHER DAMAGES RESULTING FROM SUCH PROBLEMS, AND (C) ARE NOT RESPONSIBLE FOR ANY ISSUES RELATED TO THE PERFORMANCE, OPERATION OR SECURITY OF THE CLOUD SERVICE THAT ARISE FROM CUSTOMER OR THIRD-PARTY CONTENT (AS DEFINED HEREIN).. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, THE COUCHBASE PARTIES HEREBY DISCLAIM ALL WARRANTIES, EITHER EXPRESS, IMPLIED OR STATUTORY, INCLUDING IMPLIED WARRANTIES OF MERCHANTABILITY, SATISFACTORY QUALITY, FITNESS FOR A PARTICULAR PURPOSE, ACCURACY, QUIET ENJOYMENT, AVAILABILITY, NON-INFRINGEMENT, AND TITLE, AND ANY WARRANTIES ARISING OUT OF COURSE OF DEALING, USAGE OR TRADE.

 

14.2. CUSTOMER ACKNOWLEDGES AND AGREES THAT THE CLOUD SERVICE ARE INTENDED TO BE USED ONLY WITH THE COUCHBASE SOFTWARE THAT IS DEPLOYED IN THE CUSTOMER CLOUD ENVIRONMENT, AND NOT WITH ANY OTHER SOFTWARE OR ENVIRONMENT.

 

15. Indemnification.

15.1. Couchbase Indemnification. Couchbase will indemnify and defend Customer from and against any damages finally awarded against Customer in connection with any third-party claim that the non-open source components of the Cloud Service, Documentation or Professional Services infringe or misappropriate such third party’s intellectual property rights; provided that: (a) Customer promptly notifies Couchbase of the claim; (b) Customer gives Couchbase all necessary information regarding the claim and reasonably cooperates with Couchbase; (c) Customer allows Couchbase exclusive control of the defense and all related settlement negotiations; (d) Customer does not admit fault or liability with respect to this Agreement, Customer’s actions or those of Couchbase; and (e) Customer agrees any damage award does not include any Fees owed to Couchbase. 

 

15.2. Enjoinment. Without limiting the forgoing, and notwithstanding anything to the contrary in this Agreement, if use of the Cloud Service, Documentation or Professional Services are enjoined, or Couchbase determines that such use may be enjoined, Couchbase will, at its sole option and expense, (i) procure for Customer the right to continue using the affected Cloud Service or Documentation or Professional Services; (ii) replace or modify the affected Cloud Service, Documentation or Professional Services that infringe so that they do not infringe; or (iii) if either option (i) or (ii) is not commercially feasible in Couchbase’s reasonable opinion, as applicable, terminate the Cloud Service and affected Professional Services and in the case of such termination refund Customer a pro-rata amount of the Fees for the affected portion of the Cloud Service or Professional Services.

 

15.3. Customer Indemnification. Customer shall indemnify and defend the Couchbase Parties from and against any claims, proceedings, liabilities, costs or damages arising out of or in connection with any third-party claim related to or arising from (i) allegations that Customer Content or its use with the Cloud Service infringes or misappropriates such party’s intellectual property rights or violates any applicable law; (ii) any use, or inability to use, by any third party that receives or obtains access to or relies on the Cloud Service or any component thereof from or through (directly or indirectly) the Customer or any Authorized User, and (iii) Customer’s or any Authorized User’s use, or inability to use, the Cloud Service.  Couchbase will: (a) promptly notify Customer of the relevant claim; (b) give Customer all necessary information regarding the claim and reasonably cooperate with Customer; (c) allow Customer exclusive control of the defense and all related settlement negotiations, provided that Couchbase may participate in the defense and related settlement negotiations with counsel of its own choosing; and (d) not admit fault or liability on behalf of Customer.

 

15.4. Exclusions from Indemnification. Couchbase will not be liable for any claim to the extent it arises from: (i) Customer’s failure to use the Cloud Service in accordance with this Agreement; (ii)  the  Cloud Service being modified by Customer or a third party;  (iii)  the use, operation or combination of the  Cloud Service with software, services, technology, content, data, equipment or materials not provided by  Couchbase (“Customer or Third-Party Content”),  if the claim would have been avoided by using it without such  Customer or Third-Party Content; or (iv) Customer continuation of the allegedly infringing activity after being notified of the alleged infringement claim.

 

15.5. The terms of this Section 15 constitute the entire liability of Couchbase and Customer’s sole and exclusive remedy with respect to any third-party claims of infringement or misappropriation of intellectual property rights.

 

16. LIMITATION OF LIABILITY. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, IN NO EVENT WILL: (A) THE COUCHBASE PARTIES BE LIABLE TO CUSTOMER OR TO ANY THIRD PARTY FOR ANY INDIRECT, SPECIAL, INCIDENTAL, CONSEQUENTIAL OR EXEMPLARY DAMAGES, OR DAMAGES FOR LOSS OF PROFITS, LOSS OF DATA, LOSS OF GOODWILL, BUSINESS INTERRUPTION OR ANY OTHER DAMAGES OR LOSSES, ARISING OUT OF OR RELATED TO THIS AGREEMENT, CUSTOMER’S USE OF OR INABILITY TO USE THE CLOUD SERVICE, DOCUMENTATION, OR THE PROFESSIONAL SERVICES; AND (B) COUCHBASE’S AGGREGATE LIABILITY TO CUSTOMER FOR ALL LOSSES, CLAIMS AND DAMAGES EXCEED THE TOTAL AMOUNT OF FEES PAID OR PAYABLE BY CUSTOMER FOR THE CLOUD SERVICE UNDER THIS AGREEMENT IN THE TWELVE (12) MONTH PERIOD IMMEDIATELY PRECEDING THE EVENT FIRST GIVING RISE TO THE LIABILITY. All limitations and exclusions of liability in this Agreement will apply even if the above stated remedies fail of their essential purpose and regardless of the form or source of claim or loss, whether the claim or loss was foreseeable, and whether the Couchbase Parties have been advised of the possibility of the claim or loss.

 

17. Term and Termination.

17.1. Term. Unless otherwise stated in an Order, this Agreement is effective as of the date of Customer’s acceptance of this Agreement and will continue until terminated in accordance with this Agreement.

 

17.2. Termination. Subject to Couchbase’s rights under Section 17.4 below, either party may terminate an Order, SOW or this Cloud Agreement if the other party materially breaches its obligations hereunder and, where such breach is curable, such breach remains uncured for thirty (30) days following written notice of the breach. Customer’s obligation to make a payment of any outstanding, unpaid fees shall survive termination of an Order, SOW or this Agreement. This Agreement shall automatically terminate without notice to Customer after 90 days from the expiration of the last to expire Order or SOW in effect hereunder.

 

17.3. Termination of On-Demand Couchbase Capella Credits. Notwithstanding the above, Customer may terminate On-Demand Couchbase Capella Credits, or where On-Demand Couchbase Capella Credit is part of an Order for prepaid Couchbase Capella Credits, then solely the On-Demand Couchbase Capella Credits portion of an Order, at any time for convenience by decommissioning all live Clusters from the Data Plane and discontinuing consumption of the On-Demand Couchbase Capella Credits and use of the Cloud Service. Such termination shall take effect on the same day the foregoing conditions are satisfied (“On-Demand Termination Date”). Customer shall remain liable for any On-Demand Couchbase Capella Credit Fees incurred up to and including the On-Demand Termination Date and will be charged and invoiced for such Fees in accordance with Section 11.2(c). If the On-Demand Termination Date is to also be served by Customer as notice of Termination of an Order, or this Agreement, then such termination shall be subject to Section 17.5.

 

17.4. Suspension of Cloud Service. Notwithstanding anything in this Agreement to the contrary, Couchbase may suspend or terminate any Cloud Service subscription and delete any Customer Content relating to such account that may be stored within the Cloud Service immediately (i) without notice if Couchbase reasonably determines that Customer or any Authorized User of the Cloud Service threatens the security, integrity or availability of the Cloud Service, or (ii) on written notice if Customer fails to comply with Section 11, or in the event of the circumstances described in Section 15.2. If Couchbase suspends Customer’s right to access or use any portion or all of the Cloud Service, Customer remains responsible for all Fees and charges Customer has incurred up to and during the suspension and Customer will not be entitled to any credit or refund. Couchbase will use commercially reasonable efforts to restore your access to the Cloud Service promptly following resolution of the cause of your suspension.

 

17.5. Effect of Termination. Upon termination or expiration of all active Orders (including termination under Section 17.3), SOWs or this Agreement, Customer shall (i) discontinue the use of a Cluster (or Clusters) and cease to use the Cloud Service (ii) delete the Customer account information including all Authorized User accounts associated with Customer in the Cloud Control Plane  (iii) uninstall the Cloud Service in accordance with the termination instructions in the Cloud Control Plane, and (iv)  promptly return or destroy (and provide written certification of such destruction) the Documentation and Deliverables and all copies and portions thereof, in all forms and types of media. If and to the extent Couchbase has any Customer Data (as defined in the DPA) in its possession after Customer completes the foregoing steps, then Couchbase shall delete any Personal Data (as defined in the DPA) in Couchbase’s possession within 90 days after the Termination Date. The following Sections will survive termination or expiration of this Agreement: 4, 6.2, ‎9.2(d) and 10 to18 (inclusive).

 

18. General.

18.1. Export Compliance. The Cloud Service, Software, and derivatives thereof may be subject to export laws and regulations of the United States and other jurisdictions. Couchbase and Customer each represent that it is not named on any U.S. government denied-party list. Customer shall comply with all applicable international and domestic export and economic sanctions laws or regulations that apply to Customer, the Cloud Service and any related technology or services. In furtherance of this obligation, Customer shall ensure that: (a) Customer’s Authorized Users do not use the Cloud Service or Professional Services in violation of any export restriction or embargo issued by the United States; and (b) it does not provide access to the Cloud Service or Professional Services to (i) persons on the U.S. Department of Commerce’s Denied Persons List or Entity List, or the U.S. Treasury Department’s list of Specially Designated Nationals, (ii) military end-users or for military end-use, or (iii) parties engaged in activities directly or indirectly related to the proliferation of weapons of mass destruction. This provision shall survive termination of the agreement.

 

18.2. Force Majeure. Neither party will be liable for any delay or failure in performance (except for any payment obligations by Customer) due to causes beyond its reasonable control.

 

18.3. Publicity. Customer agrees that Couchbase may include the Customer’s name and logo in client lists that Couchbase may publish for promotional purposes from time to time and grants Couchbase a limited license to its trademark solely for this purpose, provided that Couchbase complies with Customer’s branding guidelines.

 

18.4. Assignment. Customer may not assign this Agreement, in whole or in part, by operation of law or otherwise, without Couchbase’s prior written consent. Any attempt to assign this Agreement without such consent will be null and of no effect. Subject to the previous sentence, this Agreement will bind and inure to the benefit of each party’s successors and permitted assigns.

 

18.5. Severability and Waiver. If for any reason a court of competent jurisdiction finds any provision of this Agreement invalid or unenforceable, that provision of this Agreement will be enforced to the maximum extent permissible and the other provisions of this Agreement will remain in full force and effect. The failure by either party to enforce any provision of this Agreement will not constitute a waiver of future enforcement of that or any other provision. All waivers must be in writing and signed by both parties.

 

18.6. Notices. Any notice or communication provided by Couchbase under this Agreement may be provided by posting a notice on the Couchbase website, or by mail or email to the relevant address associated with Customer’s Cloud Service account. Any notice or communication provided by Customer under this Agreement shall be provided to Couchbase by certified mail, return receipt requested, to Couchbase Inc, Attn: Legal Dept, 3250 Olcott Street, Santa Clara, CA 95054, United States.

 

18.7. Governing Law and Venue. This Agreement is governed by the laws of the State of California, U.S.A., excluding its conflicts of law rules. The parties expressly agree that the UN Convention for the International Sale of Goods will not apply. Any legal action or proceeding arising under this Agreement will be brought exclusively in the federal or state courts located in Santa Clara County, California and the parties hereby irrevocably consent to the personal jurisdiction and venue there. 

 

18.8. Entire Agreement and Amendments. This Agreement constitutes the entire agreement and supersedes all prior or contemporaneous oral or written agreements regarding its subject matter, including any agreement on confidentiality previously executed by the parties and any agreement that governs the licensing of any Couchbase software to Customer that is now being licensed under this Agreement.  Furthermore, no additional or conflicting terms stated on any other document will have any force or effect and are hereby rejected unless expressly agreed upon by the parties’ duly authorized representatives in writing. Except as otherwise set forth in this Agreement or any Order, we may modify this Cloud Agreement (including the Support terms and Service Level Agreement) at any time by posting a revised version on the Website or by otherwise notifying you in accordance with Section 18.6 and by continuing to use the Cloud Service after the effective date of any such modifications to this Agreement, Customer agrees to be bound by this Agreement, as modified. The date Couchbase last modified this Agreement is set forth at the beginning of this Agreement. Notwithstanding the foregoing, any Orders placed under this version of the Agreement may only be modified by a mutually signed amendment by the parties.

 

18.9. No Prejudice. Except as expressly stated in this Agreement, the exercise by either party of any of its remedies under this Agreement will be without prejudice to its other remedies under this Agreement or otherwise.

 

18.10. Relationship of the Parties. The parties to this Agreement are independent contractors and this Agreement will not establish any relationship of partnership, joint venture, employment, franchise, or agency between the parties. Neither party will have the power to bind the other party or incur obligations on the other party’s behalf without the other party’s prior written consent.

 

18.11. Future Functionalities. Customer has not relied on the availability of any future version of the Cloud Service or any future product in making its decision to enter into this Agreement.

 

EXHIBIT A

Couchbase Customer Data Processing Addendum

This Data Processing Addendum (the “DPA”) forms part of the Cloud Service Subscription Agreement (“Cloud Agreement“) between Couchbase, Inc. (“Couchbase”) and the party identified as the “Customer” in the Cloud Agreement (“Customer”) (each a “Party” and together, the “Parties”).

This DPA describes the commitments of the Parties concerning the processing of Personal Data in connection with Customer’s use of the Cloud Service. If there is any conflict between the terms of the Cloud Agreement and the terms of this DPA, the terms of this DPA shall prevail to the extent of such conflict. Any capitalized term not defined in this DPA will have the meaning given it in the Cloud Agreement.

 

The parties agree as follows:

1. Definitions. The following capitalized terms, when used in this DPA, will have the corresponding meanings provided below:

“Applicable Data Protection Laws” means all worldwide privacy and data protection laws, regulations, rules, ordinances and other decrees applicable to the Personal Data, including (but not limited to): (i) European Data Protection Laws; and (ii) all laws and regulations of the United States, including the California Consumer Privacy Act of 2018 (California Civil Code §§ 1798.100 et seq (“CCPA”); as may be amended, superseded or replaced.

“Customer Data” means any Personal Data processed by Couchbase on behalf of Customer as a service provider or processor (as applicable) in connection with the Cloud Service, as more particularly described in Annex A of this DPA.

“EEA” means the Member States of the European Union, plus Iceland, Liechtenstein, Norway and the United Kingdom until the European Union law ceases to apply.

“European Data Protection Laws” means: (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) (“GDPR”); (ii) Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector (“e-Privacy Directive”); (iii) any applicable national implementations of (i) and (ii); (iv) the Swiss Federal Data Protection Act of 19 June 1992 and its Ordinance; and (v) in respect of the United Kingdom, the Data Protection Act 2018 and any applicable national legislation that replaces or converts in domestic law the GDPR, e-Privacy Directive or any other law relating to data and privacy as a consequence of the UK leaving the European Union; in each case as may be amended, superseded or replaced.

“Model Clauses” means the standard contractual clauses for processors as approved by the European Commission pursuant to its decision C(2010)593 of 5 February 2010 and sometimes referred to as Standard Contractual Clauses.

“Personal Data” means any information that relates to an identified or identifiable natural person and which is protected as “personal data”, “personal information” or “personally identifiable information” under Applicable Data Protection Laws.

“Privacy Shield” means collectively the EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield Framework self-certification program operated by the U.S. Department of Commerce and approved by the European Commission pursuant to Decision C(2016)4176 of 12 July 2016 and by the Swiss Federal Council on January 11, 2017, respectively.

“Privacy Shield Principles” means the Privacy Shield Framework Principles contained in Annex II to the European Commission Decision C(2016)4176 dated July 12, 2016; as may be amended from time to time.

“Security Incident” means any breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Customer Data transmitted, stored or otherwise processed by Couchbase and/or its Sub-processors in connection with the provision of the Cloud Service. “Security Incident” shall not include unsuccessful attempts or activities that do not compromise the security of Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.

“Sub-processor” means any processor engaged by Couchbase or its Affiliates to assist in fulfilling its obligations with respect to providing the Cloud Service pursuant to the Cloud Agreement or this DPA. Sub-processors may include third parties or Couchbase Affiliates but shall exclude any Couchbase employee, contractor or consultant.

The terms “controller”, “processor” and “processing” shall have the meanings given to them in the GDPR, and “process”, “processes” and “processed” shall be interpreted accordingly; and the terms “business”, “service provider” and “sell” shall have the meanings given to them in the CCPA.

 

2. Role and Scope of Processing

2.1 Scope. This DPA applies to the extent that Couchbase processes as a processor or service provider (as applicable) any Customer Data protected by Applicable Data Protection Laws.

 

2.2 Role of the Parties. The parties acknowledge and agree that Customer is a business or the controller (as applicable) with respect to the processing of Customer Data, and Couchbase shall process Customer Data only as a processor or service provider (as applicable) on behalf of Customer, as further described in Annex A of this DPA. Any processing by either party of Customer Data under or in connection with the Agreement shall be performed in accordance with Applicable Data Protection Laws. 

 

2.3 Couchbase processing of personal data. Couchbase agrees that it shall process Customer Data only for the purposes described in the DPA and in accordance with Customer’s documented lawful instructions. The parties agree that the Agreement (including this DPA) sets out the Customer’s complete and final instructions to Couchbase in relation to the processing of Customer Data and processing outside the scope of these instructions (if any) shall require prior written agreement between Customer and Couchbase. Without prejudice to Section 2.4 (Customer responsibilities), Couchbase shall notify Customer in writing, unless prohibited from doing so under Applicable Data Protection Laws, if it becomes aware or believes that any data processing instructions from Customer violates Applicable Data Protection Laws.

 

2.4 Customer responsibilities. Customer is responsible for the lawfulness of Customer Data processing under or in connection with the Cloud Agreement. Customer represents and warrants that (i) it has provided, and will continue to provide all notice and obtained, and will continue to obtain, all consents, permissions and rights necessary under Applicable Data Protection Laws for Couchbase to lawfully process Customer Data for the purposes contemplated by the Agreement (including this DPA); (ii) it has complied with all Applicable Data Protection Laws as a controller and/or business of Customer Data for the collection and provision to Couchbase and its Sub-processors of such Customer Data; and (iii) it shall ensure its processing instructions comply with applicable laws (including Applicable Data Protection Laws) and that the processing of Customer Data by Couchbase in accordance with Customer’s instructions will not cause Couchbase to be in breach of Applicable Data Protection Laws.

 

2.5 Aggregate data. Notwithstanding the foregoing or anything to the contrary in the Agreement (including this DPA), Customer acknowledges that Couchbase and its Affiliates shall have a right to collect and create anonymized, aggregate, and/or de-identified information (as defined by Applicable Data Protection Laws) for its own legitimate business.

 

3. Sub-processing

3.1 Authorized Sub-processors. Customer acknowledges and agrees that Couchbase may engage Sub-processors to process Customer Data on Customer’s behalf. The Sub-processors currently engaged by Couchbase and authorized by Customer are available at https://info.couchbase.com/cloud-subprocessors.html. Couchbase shall notify Customer if it changes its Sub-processors at least fifteen 10 days prior to any such changes if Customer opts-in to receive notifications via email by subscribing on the Sub-processors page.

 

4. Security and Audits

4.1 Security Measures. Both Parties should implement and maintain technical and organizational security measures designed to protect Customer Data from Security Incidents in accordance with Section 7 of the Cloud Agreement. (“Security Measures“). Couchbase’s Security Measures will include, at a minimum, those measures described in Annex B of this DPA.  Couchbase shall ensure that any person who is authorized by Couchbase to process Customer Data shall be under an appropriate obligation of confidentiality (whether a contractual or statutory duty).

 

4.2 Updates to Security Measures. Customer acknowledges that the Security Measures are subject to technical progress and development and that Couchbase may update or modify the Security Measures from time to time, provided that such updates and modifications do not result in the degradation of the overall security of the Cloud Service subscribed to  by the Customer.

 

4.3 Customer Security Responsibilities. Notwithstanding the above, Customer agrees that except as provided by this DPA, Customer shall implement and maintain appropriate technical and organizational Security Measures designed to protect Personal Data from Security Incidents and to preserve the security and confidentiality of Customer Data while in its dominion and control. Customer is responsible for (i) protecting the security of all Customer credentials used to access the Cloud Service; (ii) securing the Customer Cloud Environment and any Customer System (with such steps to include without limitation the regular rotation of access keys and other industry standard steps to preclude unauthorized access); and (iii) implementing and maintaining the appropriate configurations of the Cloud Service to enable the backup services and disaster recovery features of the Cloud Service required for purposes of recovering Customer Content.

 

4.4 Security Incident Response. Upon becoming aware of a Security Incident, Couchbase shall notify Customer without undue delay and shall: (i) provide timely information relating to the Security Incident as it becomes known or as is reasonably requested by Customer; and (ii) promptly take steps, deemed necessary and reasonable by Couchbase, to contain, investigate, and remediate any Security Incident, to the extent that the remediation is within Couchbase’s reasonable control.  Couchbase’s notification of or response to a Security Incident under this Section 4.4 shall not be construed as an acknowledgment by Couchbase of any fault or liability with respect to the Security Incident. The obligations set forth herein shall not apply to Security Incidents to the extent they are caused by Customer or its Authorized Users.

 

4.5 Security Audits. Couchbase shall provide written responses (on a confidential basis) to all reasonable requests for information made by Customer related to its processing of Customer Data, including responses to information security and audit questionnaires that are necessary to confirm Couchbase’s compliance with this DPA, provided that Customer shall not exercise this right more than once in any 12 month rolling period.  Notwithstanding the foregoing, Customer may also exercise such audit right in the event Customer is expressly requested or required to provide this information to a data protection authority, or Couchbase has experienced a Security Incident, or on another reasonably similar basis.

 

5. International Transfers

5.1 Processing locations. Customer acknowledges and agrees that Couchbase may transfer and process Customer Data to and in the United States and anywhere else in the world where Couchbase, its Affiliates or its Sub-processors maintain data processing operations.  Couchbase shall at all times ensure such transfers are made in compliance with the requirements of Applicable Data Protection Laws and this DPA.

 

6. Deletion of Customer Data

6.1 Upon termination or expiry of the Cloud Agreement, on Customer’s request Couchbase shall delete  all Customer Data (including copies) in its possession or control in accordance with Section 17.5 of the Cloud Agreement, save that this requirement shall not apply to the extent Couchbase is required by applicable law to retain some or all of the Customer Data.

 

7. Rights of Individuals and Cooperation

7.1 Data Subject Requests. To the extent that Customer is unable to independently access the relevant Customer Data within the Cloud Service, Couchbase shall, taking into account the nature of the processing, provide reasonable cooperation to assist Customer to respond to any requests from individuals or applicable data protection authorities relating to the processing of Customer Data under the Cloud Agreement.  In the event that any such request is made to Couchbase directly, Couchbase shall not respond to such communication directly without Customer’s prior authorization, unless legally compelled to do so. If Couchbase is required to respond to such a request, Couchbase shall promptly notify Customer and provide it with a copy of the request unless legally prohibited from doing so.

 

7.2 Subpoenas and Court Orders.  If a law enforcement agency sends Couchbase a demand for Customer Data (for example, through a subpoena or court order), Couchbase shall give Customer reasonable notice of the demand to allow Customer to seek a protective order or other appropriate remedy unless Couchbase is legally prohibited from doing so.

 

8. Jurisdiction Specific Terms

8.1 Europe. To the extent the Customer Data is subject to European Data Protection Laws, the following terms shall apply in addition to the terms in the remainder of this DPA:

(a) Sub-processor Obligations. Couchbase shall: (i) enter into a written agreement with each Sub-processor imposing data protection terms that require the Sub-processor to protect personal data to the standard required by applicable European Data Protection Law and this DPA; and (ii) remain responsible for its compliance with the obligations of this DPA and for any acts or omissions of the Sub-processor that cause Couchbase to breach any of its obligations under this DPA.

(b) Objections to Sub-processors. Customer may object in writing to Couchbase’s appointment of a new Sub-processor on reasonable grounds relating to data protection (e.g. if making Customer Data available to the Sub-processor may violate European Data Protection Law or weaken the protections for such Customer Data) by notifying Couchbase promptly in writing within five (5) calendar days of receipt of Couchbase notice in accordance with Section 3.1 above.  Such notice shall explain the reasonable grounds for the objection and the parties shall discuss such concerns in good faith with a view to achieving commercially reasonable resolution.  If no such resolution can be reached, Couchbase will, at its sole discretion, either not appoint Sub-processor, or permit Customer to suspend or terminate the affected portion of the Cloud Service in accordance with the termination provisions in the Cloud Agreement without liability to either party (but without prejudice to any fees incurred by Customer prior to suspension or termination).

(c) Privacy Shield. To the extent that Couchbase processes (or causes to be processed) any personal data protected by European Data Protection Laws in a third country not recognized as providing adequate protection for personal data (as described in European Data Protection Laws), such personal data shall be deemed to have adequate protection (within the meaning of European Data Protection Law) by virtue of Couchbase having self-certified its compliance with the Privacy Shield Framework. Couchbase agrees to process Customer Data in compliance with the Privacy Shield Principles and to inform Customer if it makes a determination that it can no longer protect Customer Data in accordance with the Privacy Shield Principles.

(d) Model Clauses. To the extent the transfer mechanism identified in sub-section (c) above does not apply to the transfer and/or is invalidated, Couchbase agrees to abide by and process such Customer Data in in compliance with the Model Clauses, which are incorporated in full by reference and form an integral part of this DPA.

(e) For the purposes of the descriptions in the Model Clauses: (i) Couchbase agrees that it is a “data importer” and Customer is the “data exporter” (notwithstanding that Customer may itself be an entity located outside the EEA); (ii) Annex A and Annex B of this DPA shall replace Appendix 1 and Appendix 2 of the Model Clauses; and (ii) Annex C shall form Appendix 3 of the Model Clauses. It is not the intention of either party, nor the effect of this DPA, to contradict or restrict any of the provisions set forth in the Model Clauses. Accordingly, if and to the extent the Model Clauses conflict with any provision of this DPA, the Model Clauses shall prevail to the extent of such conflict.

(f) Alternative Transfer Mechanism. If and to the extent that Couchbase adopts an alternative data export solution for the transfer of Customer Data as prescribed by applicable European Data Protection Laws (“Alternative Transfer Mechanism“), the Alternative Transfer Mechanism shall apply instead (but only to the extent such Alternative Transfer Mechanism applies to the transfer).

(g) Data Protection Impact Assessment. To the extent Couchbase is required under applicable European Data Protection Law, Couchbase shall provide reasonably requested information regarding Couchbase processing of personal data under the Cloud Agreement to enable the Customer to carry out data protection impact assessments or prior consultations with supervisory authorities as required by law.

 

8.2 California. To the extent the Customer Data is subject to the CCPA, the parties agrees that Customer is a business and that it appoints Couchbase as its service provider to process Customer Data as permitted under the Cloud Agreement (including this DPA) and the CCPA, or for purposes otherwise agreed in writing (the “Permitted Purposes“). Customer and Couchbase agree that: (a) Couchbase shall not retain, use or disclose personal information for any purpose other than the Permitted Purposes; (b) Customer Data was not sold to Couchbase and Couchbase shall not “sell” personal information (as defined by the CCPA); (c) Couchbase shall not retain, use or disclose personal information outside of the direct business relationship between Customer and Couchbase; and (d) Couchbase may de-identify or aggregate personal information in the course of providing the Cloud Service. Couchbase certifies that it understands the restrictions set out in this Section 8.2 and will comply with them.

 

9. Miscellaneous

9.1 Except for the changes made by this DPA, the Cloud Agreement remains unchanged and in full force and effect.

 

9.2 This DPA may be executed in counterparts, each of which will be deemed an original, but all of which together will constitute one and the same instrument.

 

9.3 If any provision or part-provision of this DPA is or becomes invalid, illegal or unenforceable, it shall be deemed deleted, but that shall not affect the validity and enforceability of the rest of the DPA.

 

9.4 This DPA shall be governed by and construed in accordance with the governing law and jurisdiction provisions in the Cloud Agreement, unless required otherwise by European Data Protection Laws.

 

 

Annex A

Data Processing Description

This Annex A forms part of the DPA and describes the processing that the processor will perform on behalf of the controller.

 

Duration

The duration of the data processing under this DPA is until the termination of the Cloud Agreement in accordance with its terms plus the period from the expiry of the Cloud Agreement until deletion of personal data by Couchbase in accordance with the terms of the Cloud Agreement.

 

Categories of data

The personal data to be processed concern the following categories of data (please specify):

●  Personal Data in Customer Content: Personal Data included in content or data provided by or on behalf of Customer or Authorized Users by or through the Cloud Service, including any Personal Data provided in order to receive Support.

 

Special categories of data (if appropriate)

The parties do not intend for any special category data to be processed under the Cloud Agreement.

 

Data subjects

The personal data to be processed concern the following categories of data subjects (please specify):

● Data subjects include individuals about whom data is provided to Couchbase via the Cloud Service by or at the direction of Customer, including Authorized Users.

 

Processing operations

The personal data will be subject to the following basic processing activities (please specify):

●  processing to provide the Cloud Service in accordance with the Cloud Agreement;

●  processing to perform any steps necessary for the performance of the Cloud Agreement;

●  processing initiated by Customer in its use of the Cloud Service; and

●  processing to comply with other reasonable instructions provided by Customer (e.g. via email or support tickets) that are consistent with the terms of this Cloud Agreement.

 

 

Annex B

Security Measures

 

This Annex describes Couchbase’s Security Measures in providing the Cloud Service. Customer acknowledges that the Cloud Service operates pursuant to a shared responsibility model, which requires, among other things, that Customer take certain steps such as protecting the security of Customer Content (which remains stored within Customer’s environment under Customer’s control). If and to the extent Couchbase processes Customer Data on behalf of Customer in connection with the Cloud Service, Couchbase shall implement and maintain the following Security Measures:

 

1. Physical Access Controls: The Cloud Service runs on AWS. The physical security and information security standards for AWS’s data centers are detailed at  https://aws.amazon.com/security/.

 

2. System Access Controls: Couchbase shall take reasonable measures to prevent unauthorized use of the systems used for processing Customer Data. These controls shall vary based on the nature of the processing undertaken and may include, among other controls, strong authentication, documented authorization processes, documented change management processes and/or, logging of access on several levels.

 

3. Data Access Controls: Couchbase shall take reasonable measures to provide that any Customer Data in Couchbase’s control in the Cloud Control Plane is accessible and manageable only by properly authorized staff. Direct database query access to the Data Plane is restricted and application access rights are established and enforced to ensure that persons entitled to use a data processing system only have access to the Customer Data to which they have access privileges; and, that Customer Data cannot be read, copied, modified or removed without authorization in the course of processing.

 

4. Transmission Controls: Couchbase shall take reasonable measures to ensure that Customer Data cannot be read, copied, modified or removed without authorization during electronic transmission or transport. Couchbase uses industry standard firewall and encryption technologies to protect data in transit and at rest.

 

5. Input Controls: Couchbase shall take reasonable measures to provide that it is possible to check and establish whether and by whom Customer Data has been entered into data processing systems, modified or removed; and, any transfer of Customer Data to a third-party service provider is made via a secure transmission.

 

6. Data Protection: Couchbase shall take reasonable measures to ensure that Customer Data is protected against accidental destruction or loss.

 

7. Logical Separation: Customer Data in Couchbase’s control is logically segregated on systems managed by the Couchbase to prevent unauthorized access.

 

 

Annex C

 

This Appendix forms part of the Model Clauses. All defined terms used in this Appendix 3 shall have the meaning given to it in the Model Clauses unless otherwise defined in this Appendix. 

 

Appendix 3 to the Model Clauses

 

This Appendix sets out the parties’ interpretation of their respective obligations under specific clauses identified below.  Where a party complies with the interpretations set out in this Appendix, that party shall be deemed by the other party to have complied with its commitments under the Clauses.

For the purposes of this Appendix, “DPA” means the Data Processing Addendum in place between data importer and data exporter and to which these Clauses are incorporated and “Cloud Agreement” shall have the meaning given to it in the DPA.

 

Clause 4(h) and 8: Disclosure of these Clauses

1. Data exporter agrees that these Clauses constitute data importer’s Confidential Information as that term is defined in the Cloud Agreement and may not be disclosed by data exporter to any third party without data importer’s prior written consent unless permitted pursuant to the Cloud Agreement. This shall not prevent disclosure of these Clauses to a data subject pursuant to Clause 4(h) or a supervisory authority pursuant to Clause 8.

 

Clause 5(a): Suspension of data transfers and termination:

1. The parties acknowledge that data importer may process the personal data only on behalf of the data exporter and in compliance with its instructions as provided by the data exporter and the Clauses.

 

2. The parties acknowledge that if data importer cannot provide such compliance for whatever reason, it agrees to inform promptly the data exporter of its inability to comply, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract.

 

3. If the data exporter intends to suspend the transfer of personal data and/or terminate these Clauses, it shall endeavour to provide notice to the data importer and provide data importer with a reasonable period of time to cure the non-compliance (“Cure Period”).

 

4. If after the Cure Period the data importer has not or cannot cure the non-compliance then the data exporter may suspend or terminate the transfer of personal data immediately. The data exporter shall not be required to provide such notice in instance where it considers there is a material risk of harm to data subjects or their personal data.

 

Clause 5(f): Audit:

1. Data exporter acknowledges and agrees that it exercises its audit right under Clause 5(f) by instructing data importer to comply with the audit measures described in Section 4 (Security and Audits) of the DPA.

 

Clause 5(j): Disclosure of sub-processor agreements

1. The parties acknowledge the obligation of the data importer to send promptly a copy of any onward sub-processor agreement it concludes under the Clauses to the data exporter.

 

2. The parties further acknowledge that, pursuant to sub-processor confidentiality restrictions, data importer may be restricted from disclosing onward sub-processor agreements to data exporter. Notwithstanding this, data importer shall use reasonable efforts to require any sub-processor it appoints to permit it to disclose the sub-processor agreement to data exporter.

 

3. Even where data importer cannot disclose a sub-processor agreement to data exporter, the parties agree that, upon the request of data exporter, data importer shall (on a confidential basis) provide all information it reasonably in connection with such sub-processing agreement to data exporter.

 

Clause 6: Liability

1. Any claims brought under the Clauses shall be subject to the terms and conditions, including but not limited to, the exclusions and limitations set forth in the Cloud Agreement. In no event shall any party limit its liability with respect to any data subject rights under these Clauses.

 

Clause 11:  Onward sub-processing

1. The parties acknowledge that, pursuant to FAQ II.1 in Article 29 Working Party Paper WP 176 entitled “FAQs in order to address some issues raised by the entry into force of the EU Commission Decision 2010/87/EU of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC” the data exporter may provide a general consent to onward sub-processing by the data importer.

 

2. Accordingly, data exporter provides a general consent to data importer, pursuant to Clause 11 of these Clauses, to engage onward sub-processors. Such consent is conditional on data importer’s compliance with the requirements set out in Section 8.1 of the DPA.