Couchbase Capella Cloud Customer Data Processing Addendum

This Data Processing Addendum (this “DPA”) forms part of the Capella Cloud Service Subscription Agreement, or other agreement between Customer and Couchbase governing Customer’s use of the Cloud Service (“Agreement”), between Couchbase, Inc. (“Couchbase”) and the party identified as the “Customer” in the Agreement (“Customer”) (each a “Party” and together, the “Parties”). The effective date of this DPA is the effective date of the Agreement, or if executed separately, the date of the last signature below (“Effective Date”).


This DPA describes the commitments of the Parties concerning the processing of Personal Data in connection with Customer’s use of the Cloud Service. If there is any conflict between the terms of the Agreement and the terms of this DPA, the terms of this DPA shall prevail to the extent of such conflict. Any capitalized term not defined in this DPA will have the meaning given it in the Agreement.

This Agreement was last updated on September 21, 2022.


The Parties agree as follows:


1. Definitions. The following capitalized terms, when used in this DPA, will have the corresponding meanings provided below:
a. “Applicable Data Protection Laws” means all worldwide privacy and data protection laws, regulations, rules, ordinances and other decrees applicable to the Personal Data, including (but not limited to): (i) European Data Protection Laws; and (ii) all laws and regulations of the United States, including the California Consumer Privacy Act of 2018 (California Civil Code §§ 1798.100 et seq.) (CCPA); as may be amended, superseded or replaced.


b. “Customer Data” means any Personal Data processed by Couchbase on behalf of Customer as a service provider or processor (as applicable) in connection with the Cloud Service, as more particularly described in Annex A of this DPA.

c. “EEA” means the Member States of the European Union, plus Iceland, Liechtenstein, and Norway.

d. “European Data Protection Laws” means: (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) (“GDPR”); (ii) Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector (“e-Privacy Directive”); (iii) any applicable national implementations of (i) and (ii); (iv) the Swiss Federal Data Protection Act of 19 June 1992 and its Ordinance (“Swiss FDPA”); and (v) in respect of the United Kingdom, the Data Protection Act 2018 and any applicable national legislation that replaces or converts in domestic law the GDPR, e-Privacy Directive or any other law relating to data and privacy as a consequence of the UK leaving the European Union (collectively, “UK Data Protection Laws”); in each case as may be amended, superseded or replaced.

e. “Model Clauses” means, depending on the circumstances unique to any particular Customer, any of the following: (i) the standard contractual clauses for processors as approved by the European Commission pursuant to its decision 2021/914 (the “2021 Standard Contractual Clauses”),  and (ii) the UK International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, Version B1.0, in force from March 21, 2022, (“UK IDTA”), each alternatively referred to as Standard Contractual Clauses, incorporated by reference and forming part of this DPA.

f. “Personal Data” means any information that relates to an identified or identifiable natural person and which is protected as “personal data”, “personal information” or “personally identifiable information” under Applicable Data Protection Laws.

g. “Security Incident” means any breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Customer Data transmitted, stored or otherwise processed by Couchbase and/or its Sub-processors in connection with the provision of the Cloud Service. The Parties acknowledge and agree that “Security Incident” shall not include unsuccessful attempts or activities that do not compromise the security of Customer Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.

h. “Sub-processor” means any processor engaged by Couchbase or its Affiliates to assist in fulfilling its obligations with respect to providing the Cloud Service pursuant to the Agreement or this DPA. Sub-processors may include third parties or Couchbase Affiliates but shall exclude any Couchbase employee, contractor or consultant.

i. The terms “controller”, “processor” and “processing” shall have the meanings given to them in the GDPR, and “process”, “processes” and “processed” shall be interpreted accordingly; and the terms “business”, “service provider” and “sell” shall have the meanings given to them in the CCPA.

2. Role and Scope of Processing
a. Scope. Subject to Section 2(b), this DPA applies to the extent that Couchbase processes as a processor or service provider (as applicable) any Customer Data protected by Applicable Data Protection Laws.

b. Role of the Parties. The parties acknowledge and agree that (i) with respect to the processing of Customer Data, Customer is the relevant business, controller or processor (as applicable) of such  Customer Data, and Couchbase is a service provider, processor or subprocessor (as applicable) on behalf of Customer, as further described in Annex A of this DPA; and (ii) with respect to Personal Data included in any technical usage data Couchbase collects in connection with Customer’s use of the Cloud Service (“Usage Data”), Couchbase is the relevant business or controller of Usage Data and will process Usage Data in accordance with the Couchbase privacy policy available at https://www.couchbase.com/privacy-policy. Each Party will comply with all laws, rules and regulations applicable to it and binding on it in the performance of this DPA, including any Applicable Data Protection Laws. With respect to Usage Data, Couchbase will process such data in compliance with only Sections 8(a)(iii) and (iv), to the extent applicable.

c. Couchbase processing of personal data. Couchbase agrees that it shall process Customer Data only for the purposes described in the DPA and in accordance with Customer’s documented lawful instructions. The parties agree that the Agreement (including this DPA) sets out the Customer’s complete and final instructions to Couchbase in relation to the processing of Customer Data and processing outside the scope of these instructions (if any) shall require prior written agreement between Customer and Couchbase. Without prejudice to Section 2(d) (Customer responsibilities), Couchbase shall notify Customer in writing, unless prohibited from doing so under Applicable Data Protection Laws, and may suspend processing of Customer Data, if it becomes aware or believes that any data processing instructions from Customer violate Applicable Data Protection Laws.

d. Customer responsibilities. Customer is responsible for the lawfulness of Customer Data processing under or in connection with the Agreement. Customer represents and warrants that (i) it has provided, and will continue to provide all notice and obtained, and will continue to obtain, all consents, permissions and rights necessary under Applicable Data Protection Laws for Couchbase to lawfully process Customer Data for the purposes contemplated by the Agreement (including this DPA); (ii) it has complied with all Applicable Data Protection Laws as a controller and/or business of Customer Data for the collection and provision to Couchbase and its Sub-processors of such Customer Data; and (iii) it shall ensure its processing instructions comply with applicable laws (including Applicable Data Protection Laws) and that the processing of Customer Data by Couchbase in accordance with Customer’s instructions will not cause Couchbase to be in breach of Applicable Data Protection Laws.

e. Aggregate data. Notwithstanding the foregoing or anything to the contrary in the Agreement (including this DPA), Customer acknowledges that Couchbase and its Affiliates shall have a right to collect and create anonymized, aggregate, and/or de-identified information (as defined by Applicable Data Protection Laws) for its own legitimate business.

3. Subprocessing
a. Authorized Sub-processors. Customer acknowledges and agrees that Couchbase may engage Sub-processors to process Customer Data on Customer’s behalf. The Sub-processors currently engaged by Couchbase and authorized by Customer are listed on the Couchbase website (currently posted at https://info.couchbase.com/cloud-subprocessors.html). At least fifteen (15) days prior to any addition of a new sub-processor, Couchbase will update the applicable website and provide Customer notice of that update via the mechanism provided at such Couchbase website, except that if Couchbase reasonably believes engaging a new Sub-processor on an expedited basis is necessary to protect the confidentiality, integrity or availability of the Customer Data or avoid material disruption to the Cloud Service, Couchbase will instead give such notice as soon as reasonably practicable.

4. Security and Audits
a. Security Measures.  Couchbase shall implement and maintain appropriate technical and organizational security measures designed to protect Customer Data in its control from Security Incidents and to preserve the security and confidentiality of the Customer Data, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing (“Security Measures”). Such Security Measures will include, at a minimum, those measures described in Annex B of this DPA. Couchbase shall ensure that any person who is authorized by Couchbase to process Customer Data under this DPA shall be under an appropriate obligation of confidentiality (whether a contractual or statutory duty).

b. Updates to Security Measures. Customer acknowledges that the Security Measures are subject to technical progress and development and that Couchbase may update or modify the Security Measures from time to time, provided that such updates and modifications do not result in the degradation of the overall security of the Cloud Service purchased by the Customer.

c. Customer Security Responsibilities. Notwithstanding the above, Customer agrees that except as provided by this DPA, Customer shall implement and maintain appropriate technical and organizational security measures designed to protect from Security Incidents and to preserve the security and confidentiality of Customer Data while in its dominion and control. Customer is responsible for (i) protecting the security of all Customer credentials used to access the Cloud Service; (ii) securing the Customer Cloud Environment and any Customer System (with such steps to include, without limitation, the regular rotation of access keys and other industry standard steps to preclude unauthorized access); (iii) backing up and securing Customer Data under Customer’s control within the Customer Cloud Environment or other Customer controlled system; and (iv) reviewing the information made available by Couchbase relating to data security and privacy and making an independent determination as to whether the Cloud Service meets Customer’s requirements and legal obligations under Applicable Data Protection Law.

d. Security Incident Response. To the extent required by Applicable Data Protection Laws, upon becoming aware of a Security Incident, Couchbase shall notify Customer without undue delay via the Cloud Services and shall: (i) to assist Customer in relation to any personal data breach notifications Customer is required to make under Applicable Data Protection Laws, Couchbase will include in such notice to Customer timely information relating to the Security Incident as it becomes known, as is reasonably requested by Customer, taking into account the nature of the Cloud Service, the information available to Couchbase, and any restrictions on disclosing the information, such as confidentiality; and (ii) promptly take steps, deemed necessary and reasonable by Couchbase, to contain, investigate, and remediate any Security Incident, to the extent that the remediation is within Couchbase’s reasonable control. Couchbase’s notification of or response to a Security Incident under this Section 4(d) shall not be construed as an acknowledgment by Couchbase of any fault or liability with respect to the Security Incident. The obligations set forth herein shall not apply to Security Incidents to the extent they are caused by Customer or its Authorized Users.

e. Security Audits. Couchbase shall provide written responses (on a confidential basis) to all reasonable written requests for information made by Customer related to Couchbase’s processing of Customer Data, including responses to information security and audit questionnaires that are necessary to confirm Couchbase’s compliance with this DPA, provided that Customer shall not exercise this right more than once in any twelve (12) month rolling period.  Notwithstanding the foregoing, Customer may also exercise such audit right in the event Customer is expressly requested or required to provide this information to a data protection authority, or Couchbase has experienced a Security Incident, or on another reasonably similar basis.

5. International Transfers
a. Processing locations. Customer acknowledges and agrees that Couchbase may transfer and process Customer Data to and in the United States and anywhere else in the world where Couchbase, its Affiliates or its Sub-processors maintain data processing operations.  Couchbase shall at all times ensure such transfers are made in compliance with the requirements of Applicable Data Protection Laws and this DPA.

b. Transfer Mechanisms. If, at any time, Applicable Data Protection Laws require any further steps to be taken in order to permit the transfer of Customer Data as set out in this DPA (including, without limitation, executing or re-executing the 2021 Standard Contractual Clauses or UK IDTA as a separate document and/or entering into additional cross-border transfer clauses), and/or the transfer mechanisms in this DPA (including, without limitation, as set forth in Section 8 below) are amended, replaced, repealed or otherwise terminated under the Applicable Data Protection Law, then Customer and Couchbase agree to work together in good faith to take all steps reasonably required to enable a transfer in compliance with Applicable Data Protection Laws.

6. Deletion of Customer Data

a. The Cloud Service will provide Customer with controls that Customer may use to delete or retrieve Customer Data during the term in a manner consistent with the functionality of the Cloud Service.


b. Customer hereby authorizes Couchbase, upon termination or expiry of the Agreement, or in case of termination or suspension of the Cloud Service pursuant to the Agreement, to delete all Customer Data (including copies) in its possession or control in accordance with the Agreement, save that this requirement shall not apply to the extent Couchbase is required by applicable law to retain some or all of the Customer Data.


7. Rights of Individuals and Cooperation
a. Data Subject Requests. The Cloud Service provides Customer with a number of controls, including security features and functionalities, that Customer may use to retrieve, correct, delete or restrict Customer Data, as described in any documentation applicable to the Cloud Service. Without prejudice to Section 4(a), Customer may use these controls as technical and organizational measures to assist it in connection with its obligations under Applicable Data Protection Laws, including its obligations relating to responding to requests from data subjects. To the extent that Customer is unable to independently access the relevant Customer Data within the Cloud Service, Couchbase shall, taking into account the nature of the processing, provide reasonable cooperation to assist Customer to respond to any requests from individuals or applicable data protection authorities relating to the processing of Customer Data under the Agreement. In the event that any such request is made to Couchbase directly, Couchbase shall not respond to such communication directly without Customer’s prior authorization, unless legally compelled to do so. If Couchbase is required to respond to such a request, Couchbase shall promptly notify Customer and provide it with a copy of the request unless legally prohibited from doing so.

b. Subpoenas and Court Orders. If a law enforcement agency sends Couchbase a demand for Customer Data (for example, through a subpoena or court order), Couchbase shall give Customer reasonable notice of the demand to allow Customer to seek a protective order or other appropriate remedy unless Couchbase is legally prohibited from doing so.


8. Jurisdiction Specific Terms
a. Europe. To the extent the Customer Data is subject to European Data Protection Laws, the following terms shall apply in addition to the terms in the remainder of this DPA:

i. Sub-processor Obligations. Couchbase shall: (A) enter into a written agreement with each Sub-processor imposing data protection terms that require the Sub-processor to protect personal data to the standard required by applicable European Data Protection Law and this DPA; and (B) remain responsible for its compliance with the obligations of this DPA and for any acts or omissions of the Sub-processor that cause Couchbase to breach any of its obligations under this DPA.

ii. Objections to Sub-processors. Customer may object in writing to Couchbase’s appointment of a new Sub-processor on reasonable grounds relating to data protection (e.g. if making Customer Data available to the Sub-processor may violate European Data Protection Law or weaken the protections for such Customer Data) by notifying Couchbase promptly in writing within five (5) calendar days of receipt of notice from Couchbase in accordance with Section 3(a) above.  Such notice shall explain the reasonable grounds for the objection and the parties shall discuss such concerns in good faith with a view to achieving commercially reasonable resolution.  If no such resolution can be reached, Couchbase will, at its sole discretion, either not appoint Sub-processor, or permit Customer to suspend or terminate the affected Cloud Service in accordance with the termination provisions in the Agreement without liability to either party (but without prejudice to any fees incurred by Customer prior to suspension or termination). Unless an objection is made as set forth in this Section 8(a)(ii), Customer consents to Couchbase’s use of sub-processors as described in this DPA.

iii. Transfers of Data. To the extent that Couchbase processes (or causes to be processed) any personal data protected by European Data Protection Laws in a third country not recognized as providing adequate protection for personal data (as described in European Data Protection Laws), then the terms and conditions of Annex C (Transfers of Data) will apply and Customer (as data exporter) will be deemed to have entered into the Model Clauses with Couchbase (as data importer) and Couchbase agrees to abide by and process such Customer Data in compliance with the Model Clauses, which are incorporated in full by reference and form an integral part of this DPA. For the purposes of the descriptions in the Model Clauses: (A) Couchbase agrees that it is a “data importer” and Customer is the “data exporter” (notwithstanding that Customer may itself be an entity located outside the EEA or the United Kingdom); (B) Annex A and Annex B of this DPA shall replace Appendix 1 and Appendix 2 of the Model Clauses. It is not the intention of either party, nor the effect of this DPA, to contradict or restrict any of the provisions set forth in the Model Clauses. Accordingly, if and to the extent the Model Clauses conflict with any provision of this DPA, the Model Clauses shall prevail to the extent of such conflict. The Model Clauses will not apply to Customer Data that is not transferred, either directly or via onward transfer, outside the EEA or the United Kingdom.

iv. Alternative Transfer Mechanism. If and to the extent that Couchbase adopts an alternative data export solution for the transfer of Customer Data as prescribed by applicable European Data Protection Laws (“Alternative Transfer Mechanism”), the Alternative Transfer Mechanism shall apply instead (but only to the extent such Alternative Transfer Mechanism applies to the transfer).

v. Data Protection Impact Assessment. To the extent Couchbase is required under applicable European Data Protection Law, Couchbase shall provide reasonably requested information regarding Couchbase processing of personal data under the Agreement to enable the Customer to carry out data protection impact assessments or prior consultations with supervisory authorities as required by law.


vi. Transfers of Data from the United Kingdom. Where the transfer of personal data is subject to the laws of the United Kingdom (including the UK General Data Protection Regulation), the parties agree:


1. The provisions of the IDTA, including Part 2 ‘Mandatory Clauses’, shall apply in full;


2. For the purposes of Table 1 of the UK IDTA, the names of the parties, their roles and their details shall be set out in the attached Annex C;


3. For the purposes of Tables 2 and 3 of the UK IDTA, the 2021 Standard Contractual Clauses incorporated into this DPA by reference, including the information set out in the attached Annexes, shall apply; and


4. For the purposes of Table 4 of the UK IDTA, either party may end the UK IDTA if, after a good faith effort by the parties to amend this DPA, the parties are unable to come to a mutual agreement.

b. California. To the extent the Customer Data is subject to the CCPA, the parties agree that Customer is a business and that it appoints Couchbase as its service provider to process Customer Data as permitted under the Agreement (including this DPA) and the CCPA, or for purposes otherwise agreed in writing (the “Permitted Purposes”). Customer and Couchbase agree that: (i) Couchbase shall not retain, use or disclose personal information for any purpose other than the Permitted Purposes; (ii) Customer Data was not sold to Couchbase and Couchbase shall not “sell” personal information (as defined by the CCPA); (iii) Couchbase shall not retain, use or disclose personal information outside of the direct business relationship between Customer and Couchbase; and (iv) Couchbase may de-identify or aggregate personal information in the course of providing the Cloud Service. Couchbase certifies that it understands the restrictions set out in this Section 8(b) and will comply with them.


9. Limitation of Liability

a. Each Party’s and all of its Affiliates’ liability, taken together in the aggregate, arising out of or related to this DPA (including the Model Clauses) whether in contract, tort (including negligence) or under any other theory of liability, shall be subject to the limitations and exclusions of liability in the Agreement, and any reference in provisions to the liability of a party means the aggregate liability of that party and all of its Affiliates under and in connection with the Agreement and this DPA together.


b. Except where Applicable Data Protection Laws require a Customer Affiliate to exercise a right or seek any remedy under this DPA against Couchbase directly by itself, the parties agree that (i) solely the Customer entity that is the contracting party to the Agreement shall exercise any right or seek any remedy any Customer Affiliate may have under this DPA on behalf of its Affiliates, and (ii) the Customer that is the contracting party to the Agreement shall exercise any such rights under this DPA not separately for each Affiliate individually but in a combined manner for all of its Affiliates together.


10. Miscellaneous

a. Except for the changes made by this DPA, the Agreement remains unchanged and in full force and effect. 


b. This DPA may be executed in counterparts, each of which will be deemed an original, but all of which together will constitute one and the same instrument.


c. If any provision or part-provision of this DPA is or becomes invalid, illegal or unenforceable, it shall be deemed deleted, but that shall not affect the validity and enforceability of the rest of the DPA.


d. This DPA shall be governed by and construed in accordance with the governing law and jurisdiction provisions in the Agreement, unless required otherwise by European Data Protection Laws. 


 

Annex A
Data Processing Description

 

This Annex A forms part of the DPA and describes (i) the processing that Couchbase will perform on Customer Data as processor or subprocessor on behalf of Customer as the controller or processor, as applicable, and (ii) transfers of Usage Data that Couchbase will perform as controller.

i) Customer Data

Duration

The duration of the data processing under this DPA is until the termination of the Agreement in accordance with its terms plus the period from the expiry of the Agreement until deletion of personal data by Couchbase in accordance with the terms of the Agreement (including this DPA).

Categories of data
The personal data to be processed concern the following categories of data (please specify):
● Personal Data in Customer Content or Support Content: Personal Data included in content or data provided by or on behalf of Customer or Authorized Users by or through the Cloud Service.

 

Special categories of data (if appropriate)
The parties do not intend for any special category data to be processed under the Agreement.

Data subjects
The personal data to be processed concern the following categories of data subjects (please specify):
● Data subjects include individuals about whom data is provided to Couchbase via the Cloud Service by or at the direction of Customer, including Authorized Users. Data subjects may include Customer’s customers, employees, suppliers and end-users.

Processing operations
The personal data will be subject to the following basic processing activities (please specify):
● processing to provide the Cloud Service in accordance with the Agreement;
● processing to perform any steps necessary for the performance of the Agreement;
● processing initiated by Customer in its use of the Cloud Service; and
● processing to comply with other reasonable instructions provided by Customer (e.g. via email or support tickets) that are consistent with the terms of the Agreement.

 

Frequency
The personal data may be transferred continuously.

ii) Usage Data

Duration

Usage Data is transferred and maintained during the term of the relevant Agreement plus the period for which Usage Data is necessary for Couchbase’s legitimate business efforts. Certain aggregated and anonymized records of user actions may be retained permanently.


Categories of data

The personal data to be transferred concern the following categories of data (please specify):

●  Personal Data in Usage Data: Usage Data may include user account information, including account ID and email address; personal identification information, including IP address; employment information; contact information; browser information and metadata.


Special categories of data (if appropriate)

The parties do not intend for any special category data to be transferred under the Agreement.


Data subjects

The personal data to be processed concern the following categories of data subjects (please specify):

●  Data subjects may include Customer, Customer’s employees and othe