We prepared this guide based on frequently asked questions we receive about Couchbase Capella. We hope the information answers your questions, but if you would like more information, please reach out to your Couchbase sales representative.
1. How does Couchbase Capella help customers comply with data protection laws (like the European Union General Data Protection Regulation (GDPR) or California Consumer Privacy Act (CCPA))?
Couchbase has designed Couchbase Capella to support our customers’ compliance with global data protection laws in a number of ways. For example:
- Couchbase Capella terms and conditions by default incorporate a data processing addendum designed to address global privacy requirements.
- Couchbase Capella has been designed with many technical and organizational measures to protect personal data.
- Couchbase Capella gives customers control over the selection of the cloud service provider and data hosting region for their deployments.
Additionally, Couchbase has dedicated security and privacy teams to oversee Couchbase’s compliance with data protection laws. Please refer to our Cloud Trust Center for more information.
2. Will Couchbase enter into a data processing addendum (also referred to as a data processing agreement or a DPA) with my company?
Yes, we enter into a data processing addendum with every Capella customer. In fact, our Capella Data Processing Addendum is incorporated into our Capella Master Service Agreement by default, so our Capella customers automatically benefit from the commitments we make in the DPA without needing to complete extra paperwork.
If you use one of our self-hosted products (such as Couchbase Server) and would like to enter into an appropriate data processing agreement for personal data you choose to share with us as a data controller in connection with those products, we are happy to enter into an agreement with your company. Please follow our instructions here.
3. How does Couchbase help customers comply with additional requirements that apply to specific types of regulated data, such as the requirements of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) that apply to protected health information (PHI)?
Couchbase Capella has been designed to support our customers’ compliance with a wide array of regulations. In particular, Capella can be used with our customers’ HIPAA-compliant applications. If you plan on storing PHI in Capella, please contact us to execute the necessary Business Associate Agreement. Please refer to our Cloud Trust Center for more information.
4. What customer personal data does Couchbase process under the Capella Data Processing Addendum?
Couchbase serves as a “data processor” or a “service provider” on behalf of our customers, as those terms are defined under applicable data protection laws. Capella is designed to be data agnostic, meaning our customers may use Capella for all kinds of data. Because our customers choose what personal data to upload or store in Couchbase Capella, our Capella Data Processing Addendum includes a broad description of the personal data that we may receive as a data processor or service provider.
Couchbase may separately receive personal data as a “data controller,” as that term is defined under the GDPR. This includes personal data of customer users that we collect in connection with administering accounts (such as for billing purposes). The Capella Data Processing Addendum does not cover our practices with respect to this personal data. Instead, our Privacy Policy covers any such personal data which we collect or manage as a data controller.
5. Where does Couchbase store personal data it processes on behalf of Capella customers?
It depends on each customer’s selection. Couchbase Capella customers are given the ability to choose a preferred cloud service provider (currently, Amazon Web Services, Microsoft Azure, or Google Cloud) and their preferred data hosting region for each Capella cluster. We have more information about the available data hosting regions in our documentation here.
In order to provide a high-quality managed service, some information about our customers’ Capella configurations is stored in our central orchestration and management layer (which we refer to as our “Couchbase Capella Control Plane”). This resides in infrastructure hosted in the United States. Additionally, depending on a customer’s support needs and the features and configuration selected by a customer, personal data may be processed in locations where our support personnel or subprocessors operate. Additional information regarding our Capella subprocessors, as well as a mechanism to subscribe for email updates about our Capella subprocessors, is available here.
6. Is customer personal data transferred outside of the European Economic Area?
It depends on each customer’s selection. Each Couchbase Capella customer may select a cloud service provider region in the European Economic Area. We give our customers the ability to change designated hosting locations as well. As explained above in question 5, because our managed service includes a management layer hosted in the United States, certain data (including user names) and configuration metadata are stored in the United States. Additionally, depending on feature configurations or customer support requests, limited personal data may transit through our U.S.-based services or otherwise be transferred outside of the European Economic Area. Our Couchbase Capella Data Processing Addendum includes data transfer terms designed to comply with all applicable data transfer restrictions. For the most current information about when data transfers occur, please contact your Couchbase sales representative.
7. Does the Capella Data Processing Addendum include Standard Contractual Clauses (SCCs)?
Yes, our Capella Data Processing Addendum includes appropriate terms to facilitate the international transfer of personal data that Couchbase processes on behalf of our customers. This includes the Standard Contractual Clauses adopted by the European Commission, as well as the United Kingdom international data transfer addendum and modifications for purposes of the Swiss Federal Act on Data Protection. Additionally, under our Capella Data Processing Addendum, we commit to work together with our customers to take any additional steps required under global data protection laws for data transfers.
8. Will Couchbase provide information to support a customer’s transfer impact assessment (TIA) if required under the GDPR or other data privacy laws?
Yes, Couchbase will help our customers conduct their TIAs for personal data uploaded to Couchbase Capella. Because Couchbase does not control what personal data is uploaded to Capella or the timing, volume, or frequency of personal data transfers, Couchbase is not positioned to conduct TIAs on behalf of our customers. Please see question 9 below for information about supplementary measures to protect data transfers if required for a TIA.
9. What supplementary measures does Couchbase offer if a customer’s use of Couchbase Capella involves a transfer of personal data to a third country which may require additional safeguards?
Subject to the European Data Protection Board’s Recommendations 01/2020, a Couchbase Capella customer may identify the following as supplementary measures for purposes of any transfer impact assessment:
- Technical measures: Couchbase Capella gives customers technical controls to manage access to and encryption of data stored in Capella, as further described in our documentation here.
- Contractual measures: Couchbase commits to give a customer reasonable notice of any law enforcement demand, to allow the customer to seek a protective order, as described in our Capella Data Processing Addendum.
- Organizational measures: Couchbase has adopted security and privacy controls audited annually against SOC 2 Type II, PCI DSS, and HIPAA requirements by third-party auditors.
These supplementary measures apply in addition to the technical and organizational security measures described in Annex B of our Capella Data Processing Addendum.
10. Is Couchbase certified under the EU-U.S. Data Privacy Framework?
Yes, Couchbase is certified in the EU-U.S. Data Privacy Framework, the Swiss Data Privacy Framework and the UK Extension to the EU-U.S. Data Privacy Framework. For additional information, please see our listing on the Data Privacy Framework Program website or refer to our Privacy Policy.
11. How does Couchbase assist customers with data subject access requests under data protection laws?
Couchbase Capella is designed to give our customers full control over the personal data that is stored in Capella. This allows our customers to respond to data subject requests without involving Couchbase. However, we also commit to helping our customers as needed to respond to data subject requests as described in our Capella Data Processing Addendum.
12. How can I learn more about Couchbase’s privacy practices?
Please reach out to privacy@couchbase.com with any additional questions about Couchbase’s privacy practices.
Legal notice: This document is provided for informational purposes only. Couchbase’s products and services are subject to change without notice, and nothing in this document is intended to create any commitments or guarantees from Couchbase, our affiliates, or our service providers. This document is not a part of, nor does it modify, any agreement between Couchbase and its customers.