This Data Processing Addendum (this “DPA”) forms part of the Capella Master Service Agreement or other agreement between Customer and Couchbase governing Customer’s use of the Cloud Service (“Agreement”), between Couchbase, Inc. (“Couchbase”) and the party identified as “Customer” in the Agreement (“Customer”) (each a “Party” and together the “Parties”). The effective date of this DPA is the effective date of the Agreement or, if executed separately, the date of the last signature of this DPA (“Effective Date”).
This DPA describes the commitments of the Parties concerning the processing of Personal Data in connection with Customer’s use of the Cloud Service. Any capitalized term not defined in this DPA will have the meaning given it in the Agreement.
This DPA was last updated on May 07, 2024.
The Parties agree as follows:
1. Definitions. The following capitalized terms, when used in this DPA, have the meanings set out below:
- “Applicable Data Protection Laws” means all worldwide privacy and data protection laws, regulations, rules, ordinances and other decrees applicable to the Personal Data, including (but not limited to): (i) European Data Protection Laws; and (ii) all laws and regulations of the United States, including the California Consumer Privacy Act of 2018 (California Civil Code §§ 1798.100 et seq.) (“CCPA”), in each case as may be amended, superseded or replaced.
- “Customer Data” means all Personal Data that is processed by Couchbase on behalf of Customer as a service provider or processor (as applicable) in connection with the Cloud Service, as further described in Annex A of this DPA.
- “EEA” means the member states of the European Union together with Iceland, Liechtenstein and Norway.
- “European Data Protection Laws” means: (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) (“GDPR”); (ii) Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector (“e-Privacy Directive”); (iii) any applicable national implementations of (i) and (ii); (iv) the Swiss Federal Act on Data Protection of 19 June 1992 and its ordinance (“Swiss FADP”); and (v) in respect of the United Kingdom, the Data Protection Act 2018 and any applicable national legislation that replaces or converts into domestic law the GDPR, e-Privacy Directive or any other law relating to data and privacy as a consequence of the UK leaving the European Union (collectively, “UK Data Protection Laws”), in each case as may be amended, superseded or replaced.
- “Model Clauses” means, depending on the circumstances unique to Customer, any of the following: (i) the standard contractual clauses for processors as approved by the European Commission pursuant to its decision 2021/914 (the “2021 Standard Contractual Clauses”), and (ii) the UK International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, Version B1.0, in force from March 21, 2022 (“UK IDTA”), each alternatively referred to as the Standard Contractual Clauses, incorporated by reference and forming part of this DPA.
- “Personal Data” means any information relating to an identified or identifiable natural person that is protected as “personal data”, “personal information” or “personally identifiable information” under Applicable Data Protection Laws.
- “Security Incident” means any breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Customer Data transmitted, stored or otherwise processed by Couchbase and/or its Sub-processors in connection with the provision of the Cloud Service. The Parties acknowledge and agree that “Security Incident” shall not include unsuccessful attempts or activities that do not compromise the security of Customer Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.
- “Sub-processor” means any processor engaged by Couchbase or its Affiliates to assist in fulfilling its obligations with respect to providing the Cloud Service pursuant to the Agreement or this DPA. Sub-processors may include third parties or Couchbase Affiliates but shall exclude any Couchbase employee, contractor or consultant.
- The terms “Controller”, “Processor” and “Processing” have the meanings given to them in the GDPR, and “Process”, “Processes” and “Processed” shall be interpreted accordingly; and the terms “business”, “service provider” and “sell” have the meanings given to them in the CCPA.
2. Role and Scope of Processing
- Scope. Subject to Section 2(b), this DPA applies to the extent Couchbase processes, as processor or service provider (as applicable), Customer Data that is protected by Applicable Data Protection Laws.
- Roles of the Parties. The parties acknowledge and agree that Customer is the relevant business, controller or processor (as applicable) of Customer Data, and Couchbase is a service provider, processor or subprocessor (as applicable) on behalf of Customer, as further described in Annex A of this DPA. For the avoidance of doubt, the parties acknowledge that Couchbase may be the relevant business or controller with respect to other Personal Data, such as Personal Data included in any technical usage data Couchbase collects in connection with the Cloud Service. Each Party will comply with all laws, rules and regulations applicable to it and binding on it in the performance of this DPA, including any Applicable Data Protection Laws.
- Couchbase Processing of Personal Data. Couchbase agrees that it shall process Customer Data only for the purposes described in this DPA and in accordance with Customer’s documented lawful instructions. The parties agree that the Agreement (including this DPA) sets out the Customer’s complete and final instructions to Couchbase in relation to the processing of Customer Data, and processing outside the scope of these instructions (if any) shall require prior written agreement between Customer and Couchbase. Without prejudice to Section 2(d) (Customer Responsibilities), Couchbase shall notify Customer in writing, unless prohibited from doing so under Applicable Data Protection Laws, and may suspend processing of Customer Data, if it becomes aware or believes that any data processing instructions from Customer violate Applicable Data Protection Laws.
- Customer Responsibilities. Customer is responsible for the lawfulness of Customer Data processing under or in connection with the Agreement. Customer represents and warrants that (i) it has provided, and will continue to provide, all notices and obtained, and will continue to obtain, all consents, permissions and rights necessary under Applicable Data Protection Laws for Couchbase to lawfully process Customer Data for the purposes contemplated by the Agreement (including this DPA); (ii) it has complied with all Applicable Data Protection Laws as a controller and/or business with respect to Customer Data for the collection and provision to Couchbase and its Sub-processors of such Customer Data; and (iii) it shall ensure its processing instructions comply with applicable laws (including Applicable Data Protection Laws) and that the processing of Customer Data by Couchbase in accordance with Customer’s instructions will not cause Couchbase to be in breach of Applicable Data Protection Laws.
- Aggregated Data. For the avoidance of doubt, Customer acknowledges that Couchbase and its Affiliates shall have a right to collect and create anonymized, aggregate, and/or de-identified information (as defined by Applicable Data Protection Laws) for its own legitimate business purposes.
3. Sub-processing
- Authorized Sub-processors. Customer acknowledges and agrees that Couchbase may engage Sub-processors to process Customer Data on Customer’s behalf. The Sub-processors currently engaged by Couchbase and authorized by Customer are listed on the Couchbase website (currently posted at https://info.couchbase.com/cloud-subprocessors.html). At least fifteen (15) days prior to any addition of a new Sub-processor, Couchbase will update the applicable website and provide Customer notice of that update via the mechanism provided at such Couchbase website, except that if Couchbase reasonably believes engaging a new Sub-processor on an expedited basis is necessary to protect the confidentiality, integrity or availability of the Customer Data or avoid material disruption to the Cloud Service, Couchbase will instead give such notice as soon as reasonably practicable.
- Sub-processor Obligations. To the extent required under Applicable Data Protection Law, Couchbase will: (i) enter into a written agreement with each Sub-processor imposing data protection terms no less protective of Customer Data than Couchbase’s obligations under this DPA, to the extent applicable to the services provided by each Sub-processor; and (ii) remain responsible for its compliance with the obligations of this DPA and for any acts or omissions of the Sub-processor that cause Couchbase to breach any of its obligations under this DPA.
- Objection to Sub-processors. Customer may object in writing to Couchbase’s appointment of a new Sub-processor on reasonable grounds relating to data protection by notifying Couchbase promptly in writing within ten (10) calendar days of receipt of notice from Couchbase in accordance with Section 3(a) above. Such notice shall explain the reasonable grounds for the objection and the parties shall discuss such concerns in good faith with a view to achieving a commercially reasonable resolution. If no such resolution can be reached, Couchbase will, at its sole discretion, either not appoint such Sub-processor, or permit Customer to suspend or terminate the affected portion of the Cloud Service in accordance with the termination provisions in the Agreement. Couchbase will refund the Customer any prepaid unused fees for such affected portion of the Cloud Service following the effective date of termination. Unless an objection is made as set forth in this Section 3(c), Customer consents to Couchbase’s use of Sub-processors as described in this DPA.
4. Security and Audits
- Security Measures. Couchbase shall implement and maintain appropriate technical and organizational security measures designed to protect Customer Data in its control from Security Incidents and to preserve the security and confidentiality of the Customer Data, taking into account the state of the art and industry best practices, the costs of implementation and the nature, scope, context and purposes of processing (“Security Measures”). These Security Measures shall include, at a minimum, the measures described in Annex B of this DPA. Couchbase shall ensure that any person authorized by Couchbase to process Customer Data under this DPA is subject to an appropriate obligation of confidentiality (whether a contractual or statutory obligation).
- Updates to Security Measures. Customer acknowledges that the Security Measures are subject to technical progress and development and that Couchbase may update or modify the Security Measures from time to time, provided that such updates and modifications do not result in a degradation of the overall security of the Cloud Service purchased by Customer.
- Customer Security Responsibilities. Customer shall implement and maintain appropriate technical and organizational security measures designed to protect from Security Incidents and to preserve the security and confidentiality of Customer Data under its control. Customer is responsible for (i) protecting the security of all Customer credentials used to access the Cloud Service; (ii) securing the Customer Cloud Environment and any Customer System (with such steps to include, without limitation, the regular rotation of access keys and other industry standard steps to preclude unauthorized access); (iii) backing up and securing Customer Data under Customer’s control within the Customer Cloud Environment or other Customer controlled system; and (iv) reviewing the information made available by Couchbase relating to data security and privacy and making an independent determination as to whether the Cloud Service meets Customer’s requirements and legal obligations under Applicable Data Protection Law.
- Security Incident Response. To the extent required by Applicable Data Protection Laws, upon becoming aware of a Security Incident, Couchbase shall notify Customer without undue delay via the Cloud Services and shall: (i) include in such notice to Customer timely information relating to the Security Incident as it becomes known, as is reasonably requested by Customer to assist Customer in relation to any required personal data breach notifications under Applicable Data Protection Laws, taking into account the nature of the Cloud Service, the information available to Couchbase, and any restrictions on disclosing the information, such as confidentiality obligations; and (ii) promptly take steps, deemed necessary and reasonable by Couchbase, to contain, investigate, and remediate any Security Incident, to the extent that the remediation is within Couchbase’s reasonable control. Couchbase’s notification of or response to a Security Incident under this Section 4(d) shall not be construed as an acknowledgment by Couchbase of any fault or liability with respect to the Security Incident. The obligations set forth herein shall not apply to Security Incidents to the extent they are caused by Customer or its Authorized Users.
- Security Audits. Couchbase shall provide written responses (on a confidential basis) to all reasonable written requests for information made by Customer related to Couchbase’s processing of Customer Data, including responses to information security and audit questionnaires that are necessary to confirm Couchbase’s compliance with this DPA, provided that Customer shall not exercise this right more than once in any twelve (12) month rolling period. Notwithstanding the foregoing, Customer may also exercise such audit right in the event Customer is expressly requested or required to provide this information to a data protection authority, or Couchbase has experienced a Security Incident, or on another reasonably similar basis.
5. International Transfers
- Processing Locations. The Cloud Service is designed to allow Customer to determine the Cloud Environment and geographical region in which the Customer’s database instance(s) will be deployed, as further described in the Documentation. Customer acknowledges and agrees that as part of providing a managed Cloud Service, Couchbase may transfer Customer Data to locations where Couchbase, its Affiliates or its Sub-processors maintain data processing operations. Couchbase shall at all times ensure such transfers are made in compliance with the requirements of Applicable Data Protection Laws and this DPA.
6. Transfer Mechanisms.
- Data Privacy Framework. Couchbase participates in and certifies compliance with the EU-US Data Privacy Framework, the UK Extension to the EU-US Data Privacy Framework, and the Swiss-US Data Privacy Framework (collectively, the “Data Privacy Framework”). As required by the Data Privacy Framework, Couchbase will (i) provide at least the same level of privacy protection to Customer Data as is required by the Principles and Supplemental Principles in the relevant Data Privacy Framework (the “Principles”), (ii) notify Customer if Couchbase makes a determination that it can no longer meet its obligation to provide the same level of protection as is required by the Data Privacy Framework, including the Principles, and (iii) upon notice, take reasonable and appropriate steps to remediate unauthorized processing of Customer Data.
- Transfers Governed by European Data Protection Laws. To the extent that Couchbase processes (or causes to be processed) any personal data protected by European Data Protection Laws in a third country not recognized as providing adequate protection for personal data (as described in European Data Protection Laws), then the terms and conditions of Annex C (Transfers of Data) will apply and Customer (as data exporter) will be deemed to have entered into the Model Clauses with Couchbase (as data importer), and Couchbase agrees to abide by and process such Customer Data in compliance with the Model Clauses, which are incorporated in full by reference and form an integral part of this DPA. For the purposes of the descriptions in the Model Clauses: (A) Couchbase agrees that it is a “data importer” and Customer is the “data exporter” (notwithstanding that Customer may itself be an entity located outside the EEA or the United Kingdom); (B) Annex A and Annex B of this DPA shall replace Appendix 1 and Appendix 2 of the Model Clauses. It is not the intention of either party, nor the effect of this DPA, to contradict or restrict any of the provisions set forth in the Model Clauses. Accordingly, if and to the extent the Model Clauses conflict with any provision of this DPA, the Model Clauses shall prevail to the extent of such conflict. The Model Clauses will not apply to Customer Data that is not transferred, either directly or via onward transfer, outside the EEA or the United Kingdom. If and to the extent that Couchbase adopts an alternative data export solution for the transfer of Customer Data as prescribed by applicable European Data Protection Laws (“Alternative Transfer Mechanism”), the Alternative Transfer Mechanism shall apply instead (but only to the extent such Alternative Transfer Mechanism applies to the transfer).
- Additional Transfer Requirements. If, at any time, Applicable Data Protection Laws require any further steps to be taken in order to permit the transfer of Customer Data as set out in this DPA (including, without limitation, executing or re-executing the 2021 Standard Contractual Clauses or UK IDTA as a separate document and/or entering into additional cross-border transfer clauses), and/or the transfer mechanisms in this DPA are amended, replaced, repealed or otherwise terminated under the Applicable Data Protection Law, then Customer and Couchbase agree to work together in good faith to take all steps reasonably required to enable a transfer in compliance with Applicable Data Protection Laws. Additionally, to the extent required under Applicable Data Protection Law, Couchbase will provide reasonably requested information regarding the processing of personal data under the Agreement to enable Customer to carry out data protection impact assessments or prior consultations with supervisory authorities.
7. Deletion of Customer Data
- The Cloud Service will provide Customer with controls that Customer may use to delete or retrieve Customer Data during the term in a manner consistent with the functionality of the Cloud Service.
- Customer hereby authorizes Couchbase, upon termination or expiry of the Agreement, or in case of termination or suspension of the Cloud Service pursuant to the Agreement, to delete all Customer Data (including copies) in its possession or control in accordance with the Agreement, save that this requirement shall not apply to the extent Couchbase is required by applicable law to retain some or all of the Customer Data.
8. Rights of Individuals and Cooperation
- Data Subject Requests. The Cloud Service provides Customer with a number of controls, including security features and functionalities, that Customer may use to retrieve, correct, delete or restrict Customer Data, as described in any documentation applicable to the Cloud Service. Without prejudice to Section 4(a), Customer may use these controls as technical and organizational measures to assist it in connection with its obligations under Applicable Data Protection Laws, including its obligations relating to responding to requests from data subjects. To the extent that Customer is unable to independently access the relevant Customer Data within the Cloud Service, Couchbase shall, taking into account the nature of the processing, provide reasonable cooperation to assist Customer to respond to any requests from individuals or applicable data protection authorities relating to the processing of Customer Data under the Agreement. In the event that any such request that identifies Customer is made to Couchbase directly, Couchbase shall not respond to such communication directly without Customer’s prior authorization, unless legally compelled to do so. If Couchbase is required to respond to such a request, Couchbase shall promptly notify Customer and provide it with a copy of the request unless legally prohibited from doing so.
- Subpoenas and Court Orders. If a law enforcement agency sends Couchbase a demand for Customer Data (for example, through a subpoena or court order), Couchbase will give Customer reasonable notice of the demand to allow Customer to seek a protective order or other appropriate remedy, unless Couchbase is legally prohibited from doing so.
9. Jurisdiction Specific Terms
- California. To the extent the Customer Data is subject to the CCPA, the parties agree that Customer is a business and that it appoints Couchbase as its service provider (as defined under the CCPA) to process Customer Data as permitted under the Agreement (including this DPA) and the CCPA, or for purposes otherwise agreed in writing (collectively, the “Permitted Purposes”). Customer and Couchbase agree that: (i) Couchbase shall not retain, use or disclose personal information for any purpose other than the Permitted Purposes; (ii) Customer Data was not sold to Couchbase and Couchbase shall not “sell” personal information (as defined by the CCPA); (iii) Couchbase shall not retain, use or disclose personal information outside of the direct business relationship between Customer and Couchbase; and (iv) Couchbase shall not combine Customer Data with personal information (as defined under the CCPA) that Couchbase has received from another source, except as permitted by the CCPA. The parties agree that Couchbase may de-identify or aggregate personal information in the course of providing the Cloud Service. Couchbase certifies that it understands the restrictions set out in this Section 9(a) and will comply with them. Couchbase will notify Customer if it determines that it can no longer comply with the obligations under this Section 9(a) as a service provider under the CCPA.
10. Limitation of Liability
- Each Party’s and all of its Affiliates’ liability, taken together in the aggregate, arising out of or related to this DPA (including the Model Clauses), whether in contract, tort (including negligence) or under any other theory of liability, shall be subject to the limitations and exclusions of liability in the Agreement, and any reference in such provisions to the liability of a party means the aggregate liability of that party and all of its Affiliates under and in connection with the Agreement and this DPA together.
- Except where Applicable Data Protection Laws require a Customer Affiliate to exercise a right or seek any remedy under this DPA against Couchbase directly by itself, the parties agree that (i) solely the Customer entity that is the contracting party to the Agreement shall exercise any right or seek any remedy any Customer Affiliate may have under this DPA on behalf of its Affiliates, and (ii) the Customer that is the contracting party to the Agreement shall exercise any such rights under this DPA not separately for each Affiliate individually but in a combined manner for all of its Affiliates together.
11. Miscellaneous
- In the event of any conflict between this DPA and the Agreement, the parties agree that the terms of this DPA shall prevail, provided that if and to the extent there is any conflict between the Standard Contractual Clauses and any other terms in this DPA, the provisions of the Standard Contractual Clauses will prevail with respect to processing governed by the Standard Contractual Clauses. Additionally, if there is any conflict between this DPA and a Business Associate Agreement entered into between the parties (a “BAA”), the provisions of the BAA will prevail with respect to any PHI (as defined in such BAA).
- The parties agree to attempt in good faith to resolve any dispute arising out of or relating to this DPA, before and as a prior condition for commencing legal proceedings of any kind. Any and all negotiations pursuant to this Section 11(b) are confidential and will be treated as compromise and settlement negotiations for purposes of applicable rules of evidence.
- Except for the changes made by this DPA, the Agreement remains unchanged and in full force and effect.
- This DPA may be executed in counterparts, each of which will be deemed an original, but all of which together will constitute one and the same instrument.
- If any provision or part-provision of this DPA is or becomes invalid, illegal or unenforceable, it shall be deemed deleted, but that shall not affect the validity and enforceability of the rest of the DPA.
- This DPA shall be governed by and construed in accordance with the governing law and jurisdiction provisions in the Agreement, unless required otherwise by European Data Protection Laws.
Annex A
Description of Data Processing
This Annex A forms part of the DPA and describes the processing that Couchbase will perform on Customer Data as processor or subprocessor on behalf of Customer as the controller or processor, as applicable.
Customer Data
Duration
The duration of the processing under this DPA is until the termination of the Agreement in accordance with its terms, plus the period from expiry of the Agreement until deletion of the Personal Data by Couchbase in accordance with the terms of the Agreement (including this DPA).
Categories of Data
The Personal Data to be processed concern the following categories of data (please specify):
- Personal Data in Customer Content or Support Content: Personal Data contained in content or data provided by or on behalf of Customer or Authorized Users through or via the Cloud Service.
Special Categories of Data (if applicable)
The Parties do not intend to process special categories of data under the Agreement.
Data Subjects
The Personal Data to be processed concern the following categories of data subjects (please specify):
- Data subjects include individuals about whom data is provided to Couchbase via the Cloud Service by or at the direction of Customer, including Authorized Users. Data subjects may include Customer’s customers, employees, suppliers and end-users.
Processing Operations
The Personal Data will be subject to the following basic processing activities (please specify):
- processing to provide the Cloud Service in accordance with the Agreement;
- processing to perform any steps necessary for the performance of the Agreement;
- processing initiated by Customer in its use of the Cloud Service; and
- processing to comply with other reasonable instructions provided by Customer (e.g. via email or support tickets) that are consistent with the terms of the Agreement.
Frequency
The Personal Data may be transferred on a continuous basis.
Annex B
Security Measures
This Annex describes Couchbase’s Security Measures. Customer acknowledges that the Cloud Service operates pursuant to a shared responsibility model, which requires, among other things, that Customer take certain steps such as protecting the security of Customer Content (which remains stored within Customer’s environment under Customer’s control). If and to the extent Couchbase processes Customer Data on behalf of Customer in connection with the Cloud Service, Couchbase shall implement and maintain the following Security Measures:
Data Encryption Measures
- All customer data is encrypted in transit using TLS 1.2 (or higher) and encrypted at rest using AES-256 encryption.
- Employee laptops are encrypted using full-disk AES-256 encryption.
- All credentials are encrypted in transit using TLS 1.2 (or higher) and encrypted at rest.
- Encryption keys are rotated on an annual basis and are stored and managed by the cloud service provider selected by Customer.
Availability and Recoverability Measures
- Couchbase maintains Disaster Recovery and Business Continuity plans and procedures that are designed to reasonably ensure the availability of the Cloud Service.
- On an annual basis, Capella control plane disaster recovery plans are tested, reviewed, and updated as necessary to achieve the service recovery time objective and data recovery point objective set by Couchbase.
- The Couchbase Capella offering is deployed in geographically distributed data centers operated by industry-recognized public cloud service providers such as Amazon (AWS), Microsoft (Azure) and Google (GCP) (as applicable).
- Redundancy is built into the system infrastructure supporting the Couchbase Capella offering. In the event that a primary system fails, the redundant infrastructure in another availability zone is configured to take its place.
- Backups are stored in controlled environments within the cloud infrastructure. Logical access to backup data is restricted to appropriate personnel, and backup data is stored in high-availability storage.
- On an annual basis, a backup restoration test is performed in which operations personnel restore a backup from a snapshot to ensure that data could be recovered in the event of an incident.
Organizational Security Measures
- Couchbase has established a formal Information Security Management System (ISMS) in order to protect the confidentiality, integrity and availability of the Couchbase Capella offering and information systems, and to ensure the effectiveness of security controls over data and information systems.
- Couchbase has a defined methodology for categorizing data into sensitivity levels, based on which appropriate technical and procedural protection controls are selected and implemented.
- Employees are required to undergo Anti-Bribery & Corruption, Ethics and Code of Conduct, Insider Trading, Global Data Privacy and annual Security Awareness Training.
- Employees are required to sign non-disclosure and confidentiality agreements upon hire.
- Formal policies and procedures are in place for employee onboarding and offboarding activities. Account provisioning and de-provisioning processes are defined and implemented.
- Employee access is removed upon termination or adjusted as required as a result of role change.
- Multi-factor Authentication (MFA) is enforced for access to critical and production resources.
- Password complexity requirements are enforced.
- Segregation of responsibilities and duties is implemented to reduce opportunities for unauthorized or unintentional modification or misuse.
- Couchbase maintains signed non-disclosure agreements with third parties.
- Couchbase networks are segregated based on trust levels and protected by firewalls.
- Couchbase has a defined process for identification, prioritization, and remediation of vulnerabilities, including internally via testing and continuous scanning.
Logging and Monitoring Measures
- Logging of user activities, exceptions, faults, and information security events is enabled. Logs are retained as necessary.
- All logs can be accessed only by authorized Couchbase employees, and access controls are in place to prevent unauthorized access.
- Write access to logging data is strictly prohibited. Logging facilities and log information are protected against tampering and unauthorized access through the use of access controls and security measures.
- Couchbase has various monitoring measures in place to generate security alerts and identify irregular activity.
- The Couchbase Capella operations team regularly reviews security alerts and their underlying configuration to ensure they are operating as intended and that controls are modified as conditions change.
- Couchbase has a documented incident management and data breach response plan that includes procedures for breach detection, investigation, notification, and remediation.
- Couchbase engages independent third-party service providers for annual penetration testing, and appropriately remediates findings of such tests according to internally defined SLAs.
Access Control Measures
- Couchbase implements security best practices, uses a role-based security architecture across the database, network, and application layers, and strictly follows the principle of least privilege when granting access to key systems.
- Multi-factor Authentication (MFA) is enforced for access to critical and production resources.
- Password complexity requirements are enforced.
- Couchbase has defined job functions and roles to support proper segregation of duties.
- Access to operational, production and disaster recovery environments is protected by the use of unique user accounts, strong passwords, Multi-Factor Authentication (MFA), role-based access, and the principle of least privilege.
- Access keys used by production Couchbase applications (e.g. AWS Access Keys) are accessible only to authorized personnel. They are rotated (changed) as required (e.g., pursuant to a security advisory or a personnel departure) and at least yearly.
- User activity in operational environments, including access, modification or deletion of data, is logged.
- Authorization requests and provisioning are logged, tracked and audited.
- Web Application Firewalls (WAF), in addition to the network-based firewalls, are deployed.
- Mobile device management controls are in place.
Physical Security Measures
- The Couchbase Capella offering is deployed in geographically distributed data centers operated by industry-recognized public cloud service providers such as Amazon (AWS), Microsoft (Azure) and Google (GCP) (as applicable).
- Physical access to all facilities containing sensitive data is restricted and managed.
- All information resource facilities (e.g. network closets and storerooms) are physically protected in proportion to the criticality or importance of their function.
- Access to information resource facilities is granted only to company personnel and contractors whose job responsibilities require access to those facilities.
- All information resource facilities that allow access to visitors are configured to track visitor access with a sign-in log.
- Card access records and visitor logs for information resource facilities are kept for routine review based upon the criticality of the information resources being protected.
- Equipment is protected to reduce the risks from environmental threats, hazards, and opportunities for unauthorized access.
Change management measures
- Couchbase has an Access Control and Change Management policy and procedure in place to prevent unauthorized changes.
- Couchbase monitors changes to in-scope systems to ensure that the applicable standard process is followed and to mitigate any risk of undetected changes to production. Changes are tracked in the change management system.
Governance
- Couchbase has established a formal Information Security Management System (ISMS) in order to protect the confidentiality, integrity and availability of the Couchbase Capella offering and information systems, and to ensure the effectiveness of security controls over data and information systems.
- Couchbase has in place a documented and approved information security policy, including supporting documentation.
- The authority and responsibility for managing Couchbase’s information security program has been delegated to the Information Security and Compliance Group, which is authorized by senior management to take the actions necessary to establish, implement, and manage Couchbase’s information security program.
- Third parties that provide services to Couchbase or have access to systems and data undergo risk-based assessments before onboarding, and their security program is periodically reviewed.
Compliance
- Couchbase completes annual audits by an independent third-party auditor against SOC 2 Type 2, HIPAA, CSA STAR and PCI-DSS control requirements, attesting to our commitment to controls that safeguard the confidentiality and availability of information stored and processed in the Couchbase Capella service.
Minimal Access to Data
- Data transfer and sharing policies and procedures are established taking applicable regulations into account.
- Privacy assessments are performed in relation to the implementation of new products/services and the processing of personal data by third parties.
- Data collection is limited to the purposes of the processing (or to the data that the customer chooses to provide).
- Security measures are in place to provide only the minimum amount of access necessary to perform required functions.
- Data retention requirements are identified.
- Access to personal data is restricted to the personnel involved in the processing, adhering to the “need to know” principle, and according to the defined roles and responsibilities of the individuals.
Requests for Access to Personal Data
- Processes are in place that allow individuals to exercise their privacy rights (e.g. the right of erasure or the right to data portability), as described in Couchbase’s publicly available Privacy Policy.
Couchbase will continue to analyze the latest guidance from the European Data Protection Board on supplementary measures to meet the adequacy requirements of the General Data Protection Regulation (GDPR), and any other guidance issued by the European data protection authorities, as it becomes available.
Annex C
Data Transfers
This Annex sets out the terms that apply where Customer’s use of the Cloud Service requires a transfer mechanism in order to lawfully transfer Personal Data from a jurisdiction to Couchbase located outside that jurisdiction.
1. The 2021 Standard Contractual Clauses. For data transfers that are subject to the GDPR, the 2021 Standard Contractual Clauses will apply in the following manner:
- Module Two (Controller to Processor) will apply where Customer is a controller of Customer Data and Couchbase is a processor of Customer Data;
- Module Three (Processor to Processor) will apply where Customer is a processor of Customer Data and Couchbase is a sub-processor of Customer Data;
- For each module, where applicable:
  - in Clause 7, the optional docking clause will apply and the parties shall cooperate in good faith to take the necessary steps to apply the 2021 Standard Contractual Clauses to another party;
  - in Clause 9(a), Option 2 will apply, and the time period for prior notice of sub-processor changes will be as set forth in Section 3 (Subprocessing) of this DPA;
  - in Clause 11, the optional language will not apply;
  - in Clause 17 (Option 2), the 2021 Standard Contractual Clauses will be governed by the law of the EU member state in which the Data Exporter is established, and if no such law, the laws of the Republic of Ireland; provided that with respect to any transfers of data subject to the data protection laws of a country outside the EEA in which the competent authority has approved the use of the 2021 Standard Contractual Clauses (including but not limited to Switzerland) (an “Adopting Country”), the 2021 Standard Contractual Clauses will be governed by the data protection laws of the Adopting Country;
  - in Clause 18(b), disputes will be resolved before the courts of the EU member state in which the Data Exporter is established, and if no such law, the courts of the Republic of Ireland; provided that with respect to any transfers of data subject to the data protection laws of an Adopting Country, any dispute arising from the 2021 Standard Contractual Clauses will be resolved by the courts of the Adopting Country.
- In Annex I, Part A:
  Data Exporter: Customer and authorized affiliates of Customer.
  Contact Details: Customer’s email address(es) specified as the relevant account to receive communications under the Cloud Service.
  Data Exporter Role: Customer is the controller or processor of Customer Data, as applicable.
  Activities Relevant to the Data Transferred: Receipt of software and services from Couchbase and affiliates.
  Signature & Date: By entering into the Agreement and DPA, Data Exporter is deemed to have signed these Standard Contractual Clauses incorporated herein, including their Annexes, as of the Effective Date of the DPA.
  Data Importer: Couchbase, Inc.
  Contact Details: Couchbase Legal Team – legal@couchbase.com
  Data Importer Role: Couchbase is the processor or sub-processor of Customer Data, as applicable.
  Activities Relevant to the Data Transferred: Provision of software and services.
  Signature & Date: By entering into the Agreement and DPA, Data Importer is deemed to have signed these Standard Contractual Clauses incorporated herein, including their Annexes, as of the Effective Date of the DPA.
- In Annex I, Part B:
  The categories of data subjects are described in Annex A of this DPA.
  The sensitive data transferred is described in Annex A of this DPA.
  The frequency of the transfer is continuous for the term of the Agreement.
  The nature of the processing is described in Annex A of this DPA.
  The purpose of the processing is described in Annex A of this DPA.
  The period of the processing is described in Annex A of this DPA.
  For transfers to sub-processors, the subject matter, nature and duration of the processing are set out at https://info.couchbase.com/cloud-subprocessors.html
- In Annex I, Part C: The supervisory authority of the EU member state specified in Section 1(d)(iv) of this Annex C above shall act as competent supervisory authority; provided that with respect to any transfers of data subject to the data protection laws of an Adopting Country, the supervisory authority is the data protection authority of the Adopting Country.
- Annex B of this DPA serves as Annex II of the Standard Contractual Clauses.
- The parties agree that the following describe the parties’ understanding of certain obligations under the Standard Contractual Clauses:
- Audits: Data Exporter instructs Data Importer to comply with any audits by complying with the audit provisions of Section 4(e) of the DPA.
- Liability: To the extent permitted under European Data Protection Laws, Data Importer’s liability under the 2021 Standard Contractual Clauses will be subject to any aggregate limitations on liability set out in the Agreement.
2. Transfers of Data from Switzerland. Where the transfer of Personal Data is subject to the Swiss FADP, the terms of Section 1 above will apply with the following modifications:
- any references in the Standard Contractual Clauses to “Directive 95/46/EC” or “Regulation (EU) 2016/679” shall be interpreted as references to the Swiss FADP;
- any references to “EU”, “Union”, “Member State” and “Member State law” shall be interpreted as references to Switzerland and Swiss law, as the case may be; and
- any references to the “competent supervisory authority” and “competent courts” shall be interpreted as references to the Swiss Federal Data Protection and Information Commissioner and competent courts in Switzerland.
3. Transfers of Data from the United Kingdom. Where the transfer of Personal Data is subject to UK Data Protection Laws, the parties agree:
- The provisions of the IDTA, including Part 2 ‘Mandatory Clauses’, shall apply in full;
- For the purposes of Table 1 of the UK IDTA, the names of the parties, their roles and their details shall be set out in the attached Annex C;
- For the purposes of Tables 2 and 3 of the UK IDTA, the 2021 Standard Contractual Clauses incorporated into this DPA by reference, including the information set out in the attached Annexes, shall apply; and
- For the purposes of Table 4 of the UK IDTA, either party may end the UK IDTA if, after a good faith effort by the parties to amend this DPA, the parties are unable to come to a mutual agreement.
- To the extent permitted under UK Data Protection Laws, Data Importer’s liability will be subject to any aggregate limitations on liability set out in the Agreement.