This Data Processing Addendum (this “DPA”) amends the terms and forms part of the Enterprise Subscription License Agreement, or other agreement between Customer and Couchbase governing Customer’s use of the Services (“Agreement”), between Couchbase, Inc. (“Couchbase”) and the party identified as the "Customer" in the Agreement (“Customer”) (each a “Party” and together, the “Parties”).


This DPA describes the commitments of the Parties concerning the processing of Personal Data in connection with Customer's use of the Services. If there is any conflict between the terms of the Agreement and the terms of this DPA, the terms of this DPA shall prevail to the extent of such conflict. Any capitalized term not defined in this DPA will have the meaning given it in the Agreement.


This DPA will be effective as of the date we receive a complete and executed DPA from Customer indicated in the signature block below in accordance with the instructions in this DPA (the “Effective Date”). This DPA has been pre-signed on behalf of Couchbase. To enter into this DPA, you must have a valid Agreement, complete the signature block below by signing and providing all items identified as “Required” and submit the completed and signed DPA to Couchbase at dpo@couchbase.com.


The Parties agree as follows:

1. Definitions. The following capitalized terms, when used in this DPA, will have the corresponding meanings provided below:

a. “Applicable Data Protection Laws” means all worldwide privacy and data protection laws, regulations, rules, ordinances and other decrees applicable to the Personal Data, including (but not limited to): (i) European Data Protection Laws; and (ii) all laws and regulations of the United States, including the California Consumer Privacy Act of 2018 (California Civil Code §§ 1798.100 et seq) (“CCPA”); as may be amended, superseded or replaced.

b. "Customer Data" means any Personal Data processed by Couchbase on behalf of Customer as a service provider or processor (as applicable) in connection with the Services, as more particularly described in Annex A of this DPA.
c. “EEA" means the Member States of the European Union, plus Iceland, Liechtenstein, Norway and the United Kingdom until the European Union law ceases to apply.
d. "European Data Protection Laws” means: (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data (General Data Protection Regulation) (“GDPR”); (ii) Directive 2002/58/EC concerning the processing of Personal Data and the protection of privacy in the electronic communications sector (“e-Privacy Directive”); (iii) any applicable national implementations of (i) and (ii); (iv) the Swiss Federal Data Protection Act of 19 June 1992 and its Ordinance (the “Swiss DPA”); and (v) in respect of the United Kingdom, the Data Protection Act 2018 and any applicable national legislation that replaces or converts in domestic law the GDPR (the “UK GDPR”), e-Privacy Directive or any other law relating to data and privacy as a consequence of the UK leaving the European Union; in each case as may be amended, superseded or replaced.
e. “Personal Data” means any information that relates to an identified or identifiable natural person and which is protected as "personal data", "personal information" or "personally identifiable information" under Applicable Data Protection Laws.
f. “Security Incident” means any breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Customer Data transmitted, stored or otherwise processed by Couchbase and/or its Sub-processors in connection with the provision of the Services. The Parties acknowledge and agree that “Security Incident” shall not include unsuccessful attempts or activities that do not compromise the security of Customer Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems, or any breach of security caused by Customer. 
g. “Services” means any Couchbase services and products provided to Customer pursuant to the Agreement.
h. “Standard Contractual Clauses” means (i) where the GDPR applies the contractual clauses annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (the “EU SCCs”); (ii) where the UK GDPR applies, the applicable standard data protection clauses adopted pursuant to Article 46(2)(c) or (d) of the UK GDPR (the “UK SCCs”); and (iii) where the Swiss DPA applies, the applicable standard data protection clauses issued, approved or otherwise recognized by the Swiss Federal Data Protection and Information Commissioner (the “Swiss SCCs”). 
i. "Sub-processor" means any processor engaged by Couchbase or its Affiliates to assist in fulfilling its obligations with respect to providing the Services pursuant to the Agreement or this DPA. Sub-processors may include third parties or Couchbase Affiliates but shall exclude any Couchbase employee, contractor or consultant.
j. The terms “controller”, “processor” and “processing” shall have the meanings given to them in the GDPR, and “process”, “processes” and “processed” shall be interpreted accordingly; and the terms “business”, “service provider” and “sell” shall have the meanings given to them in the CCPA.

2. Role and Scope of Processing

a. Scope. This DPA applies to the extent that Couchbase processes as a processor or service provider (as applicable) any Customer Data protected by Applicable Data Protection Laws.
b. Role of the Parties. The parties acknowledge and agree that (i) Customer is a business or the controller (as applicable) with respect to the processing of Customer Data, and Couchbase shall process Customer Data only as a processor or service provider (as applicable) on behalf of Customer, as further described in Annex A of this DPA and (ii) Couchbase may process Personal Data, including business contact information, as the relevant business or independent controller for its own legitimate business purposes in accordance with the Couchbase privacy policy available at https://www.couchbase.com/privacy-policy, updated from time to time. Each Party will comply with all laws, rules and regulations applicable to it and binding on it in the performance of this DPA, including any Applicable Data Protection Laws.
c. Couchbase processing of Customer Data. Couchbase agrees that it shall process Customer Data only for the purposes described in the DPA and in accordance with Customer's documented lawful instructions. The parties agree that the Agreement (including this DPA) sets out the Customer's complete and final instructions to Couchbase in relation to the processing of Customer Data and processing outside the scope of these instructions (if any) shall require prior written agreement between Customer and Couchbase. Without prejudice to Section 2(d) (Customer responsibilities), Couchbase shall notify Customer in writing, unless prohibited from doing so under Applicable Data Protection Laws, and may suspend processing of Customer Data, if it becomes aware or believes that any data processing instructions from Customer violates Applicable Data Protection Laws.
d. Customer responsibilities. Customer is responsible for the lawfulness of Customer Data processing under or in connection with the Agreement. Customer represents and warrants that (i) it has provided, and will continue to provide all notice and obtained, and will continue to obtain, all consents, permissions and rights necessary under Applicable Data Protection Laws for Couchbase to lawfully process Customer Data for the purposes contemplated by the Agreement (including this DPA); (ii) it has complied with all Applicable Data Protection Laws as a controller and/or business of Customer Data for the collection and provision to Couchbase and its Sub-processors of such Customer Data; and (iii) it shall ensure its processing instructions comply with applicable laws (including Applicable Data Protection Laws) and that the processing of Customer Data by Couchbase in accordance with Customer's instructions will not cause Couchbase to be in breach of Applicable Data Protection Laws.
e. Aggregate data. Notwithstanding the foregoing or anything to the contrary in the Agreement (including this DPA), Customer acknowledges that Couchbase and its Affiliates shall have a right to collect and create anonymized, aggregate, and/or de-identified information (as defined by Applicable Data Protection Laws) for its own legitimate business.

3. Subprocessing

a. Authorized Sub-processors. Customer acknowledges and agrees that Couchbase may engage Sub-processors to process Customer Data on Customer's behalf. The Sub-processors currently engaged by Couchbase and authorized by Customer are listed in Annex D. Customer may request that Couchbase inform Customer of any changes regarding such Sub-processors.

4. Security and Audits

a. Security Measures. Couchbase shall implement and maintain appropriate technical and organizational security measures designed to protect Customer Data from Security Incidents and to preserve the security and confidentiality of the Customer Data, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing ("Security Measures"). Such Security Measures will include, at a minimum, those measures described in Annex B of this DPA. Couchbase shall ensure that any person who is authorized by Couchbase to process Customer Data under this DPA shall be under an appropriate obligation of confidentiality (whether a contractual or statutory duty).
b. Updates to Security Measures. Customer acknowledges that the Security Measures are subject to technical progress and development and that Couchbase may update or modify the Security Measures from time to time, provided that such updates and modifications do not result in the degradation of the overall security of the Services purchased by the Customer.
c. Customer Security Responsibilities. Notwithstanding the above, Customer agrees that except as provided by this DPA, Customer shall implement and maintain appropriate technical and organizational security measures designed to protect Personal Data from Security Incidents and to preserve the security and confidentiality of Customer Data while in its dominion and control. Customer is responsible for, as applicable to the Agreement, protecting the security of all Customer credentials used to access the Services; (ii) securing any Customer System (with such steps to include without limitation the regular rotation of access keys and other industry standard steps to preclude unauthorized access); and (iii) backing up and securing Customer Data under Customer’s control within any Customer controlled system.
d. Security Incident Response. To the extent required by Applicable Data Protection Laws, upon becoming aware of a Security Incident, Couchbase shall notify Customer without undue delay and shall: (i) to assist Customer in relation to any personal data breach notifications Customer is required to make under Applicable Data Protection Laws, Couchbase will include in such notice to Customer timely information relating to the Security Incident as it becomes known, as is reasonably requested by Customer, taking into account the nature of the Services, the information available to Couchbase, and any restrictions on disclosing the information, such as confidentiality; and (ii) promptly take steps, deemed necessary and reasonable by Couchbase, to contain, investigate, and remediate any Security Incident, to the extent that the remediation is within Couchbase’s reasonable control. Couchbase's notification of or response to a Security Incident under this Section 4(d) shall not be construed as an acknowledgment by Couchbase of any fault or liability with respect to the Security Incident. The obligations set forth herein shall not apply to Security Incidents to the extent they are caused by Customer or its Authorized Users.
e. Security Audits. Couchbase shall provide written responses (on a confidential basis) to all reasonable written requests for information made by Customer related to Couchbase’s processing of Customer Data, including responses to information security and audit questionnaires that are necessary to confirm Couchbase's compliance with this DPA, provided that Customer shall not exercise this right more than once in any twelve (12) month rolling period. Notwithstanding the foregoing, Customer may also exercise such audit right in the event Customer is expressly requested or required to provide this information to a data protection authority, or Couchbase has experienced a Security Incident, or on another reasonably similar basis.

5. International Transfers

a. Processing locations. Customer acknowledges and agrees that Couchbase may transfer and process Customer Data to and in the United States and anywhere else in the world where Couchbase, its Affiliates or its Sub-processors maintain data processing operations. Couchbase shall at all times ensure such transfers are made in compliance with the requirements of Applicable Data Protection Laws and this DPA, including the provisions of Section 8 below regarding transfers. 

6. Deletion of Customer Data

a. The Services will provide Customer with controls that Customer may use to delete or retrieve Customer Data during the term in a manner consistent with the functionality of the Services.
b. Upon termination or expiry of the Agreement, on Customer's request, Couchbase shall delete all Customer Data (including copies) in its possession or control in accordance with the Agreement, save that this requirement shall not apply to the extent Couchbase is required by applicable law to retain some or all of the Customer Data.

 

7. Rights of Individuals and Cooperation

a. Data Subject Requests. The Services provide Customer with a number of controls, including security features and functionalities, that Customer may use to retrieve, correct, delete or restrict Customer Data, as described in any documentation applicable to the Services. Without prejudice to Section 4(a), Customer may use these controls as technical and organizational measures to assist it in connection with its obligations under Applicable Data Protection Laws, including its obligations relating to responding to requests from data subjects. To the extent that Customer is unable to independently access the relevant Customer Data within the Services, Couchbase shall, taking into account the nature of the processing, provide reasonable cooperation to assist Customer to respond to any requests from individuals or applicable data protection authorities relating to the processing of Customer Data under the Agreement. In the event that any such request is made to Couchbase directly, Couchbase shall not respond to such communication directly without Customer's prior authorization, unless legally compelled to do so. If Couchbase is required to respond to such a request, Couchbase shall promptly notify Customer and provide it with a copy of the request unless legally prohibited from doing so.
b. Subpoenas and Court Orders. If a law enforcement agency sends Couchbase a demand for Customer Data (for example, through a subpoena or court order), Couchbase shall give Customer reasonable notice of the demand to allow Customer to seek a protective order or other appropriate remedy unless Couchbase is legally prohibited from doing so.

 

8. Jurisdiction Specific Terms

a. Europe. To the extent the Customer Data is subject to European Data Protection Laws, the following terms shall apply in addition to the terms in the remainder of this DPA:

1. Sub-processor Obligations. Couchbase shall: (A) enter into a written agreement with each Sub-processor imposing data protection terms that require the Sub-processor to protect personal data to the standard required by applicable European Data Protection Law and this DPA; and (B) remain responsible for its compliance with the obligations of this DPA and for any acts or omissions of the Sub-processor that cause Couchbase to breach any of its obligations under this DPA.

2. Objections to Sub-processors. Customer may object in writing to Couchbase’s appointment of a new Sub-processor on reasonable grounds relating to data protection (e.g. if making Customer Data available to the Sub-processor may violate European Data Protection Law or weaken the protections for such Customer Data) by notifying Couchbase promptly in writing within five (5) calendar days of receipt of notice from Couchbase in accordance with Section 3(a) above. Such notice shall explain the reasonable grounds for the objection and the parties shall discuss such concerns in good faith with a view to achieving commercially reasonable resolution. If no such resolution can be reached, Couchbase will, at its sole discretion, either not appoint Sub-processor, or permit Customer to suspend or terminate the affected Service in accordance with the termination provisions in the Agreement without liability to either party (but without prejudice to any fees incurred by Customer prior to suspension or termination). Unless an objection is made as set forth in this Section 8(a)(ii), Customer consents to Couchbase’s use of sub-processors as described in this DPA.

3. Transfers of Data. To the extent that Couchbase processes (or causes to be processed) any Personal Data protected by European Data Protection Laws in a third country not recognized as providing adequate protection for Personal Data (as described in European Data Protection Laws), then the terms and conditions of Annex C (Transfers of Data) will apply and Customer (as data exporter) will be deemed to have entered into the Standard Contractual Clauses with Couchbase (as data importer) as set forth in Annex C and Couchbase agrees to abide by and process such Customer Data in compliance with the Standard Contractual Clauses, which are incorporated in full by reference and form an integral part of this DPA. It is not the intention of either party, nor the effect of this DPA, to contradict or restrict any of the provisions set forth in the Standard Contractual Clauses. Accordingly, if and to the extent the Standard Contractual Clauses conflict with any provision of this DPA, the Standard Contractual Clauses shall prevail to the extent of such conflict. The Standard Contractual Clauses will not apply to Customer Data that is not transferred, either directly or via onward transfer, outside the EEA or the United Kingdom. 


4. Alternative Transfer Mechanism. If and to the extent that Couchbase adopts an alternative data export solution for the transfer of Customer Data as prescribed by applicable European Data Protection Laws ("Alternative Transfer Mechanism"), the Alternative Transfer Mechanism shall apply instead (but only to the extent such Alternative Transfer Mechanism applies to the transfer).

v. Data Protection Impact Assessment. To the extent Couchbase is required under applicable European Data Protection Law, Couchbase shall provide reasonably requested information regarding Couchbase processing of personal data under the Agreement to enable the Customer to carry out data protection impact assessments or prior consultations with supervisory authorities as required by law.

b. California. To the extent the Customer Data is subject to the CCPA, the parties agrees that Customer is a business and that it appoints Couchbase as its service provider to process Customer Data as permitted under the Agreement (including this DPA) and the CCPA, or for purposes otherwise agreed in writing (the "Permitted Purposes"). Customer and Couchbase agree that: (i) Couchbase shall not retain, use or disclose personal information for any purpose other than the Permitted Purposes; (ii) Customer Data was not sold to Couchbase and Couchbase shall not "sell" personal information (as defined by the CCPA); (iii) Couchbase shall not retain, use or disclose personal information outside of the direct business relationship between Customer and Couchbase; and (iv) Couchbase may de-identify or aggregate personal information in the course of providing the Services. Couchbase certifies that it understands the restrictions set out in this Section 8(b) and will comply with them.

 

9. Limitation of Liability

a. Each Party’s and all of its Affiliates’ liability, taken together in the aggregate, arising out of or related to this DPA (including the Standard Contractual Clauses) whether in contract, tort (including negligence) or under any other theory of liability, shall be subject to the limitations and exclusions of liability in the Agreement, and any reference in provisions to the liability of a party means the aggregate liability of that party and all of its Affiliates under and in connection with the Agreement and this DPA together.
b. Except where Applicable Data Protection Laws require a Customer Affiliate to exercise a right or seek any remedy under this DPA against Couchbase directly by itself, the parties agree that (i) solely the Customer entity that is the contracting party to the Agreement shall exercise any right or seek any remedy any Customer Affiliate may have under this DPA on behalf of its Affiliates, and (ii) the Customer that is the contracting party to the Agreement shall exercise any such rights under this DPA not separately for each Affiliate individually but in a combined manner for all of its Affiliates together. 

10. Miscellaneous

a. Except for the changes made by this DPA, the Agreement remains unchanged and in full force and effect.
b. This DPA may be executed in counterparts, each of which will be deemed an original, but all of which together will constitute one and the same instrument.
c. If any provision or part-provision of this DPA is or becomes invalid, illegal or unenforceable, it shall be deemed deleted, but that shall not affect the validity and enforceability of the rest of the DPA.
d. This DPA shall be governed by and construed in accordance with the governing law and jurisdiction provisions in the Agreement, unless required otherwise by European Data Protection Laws.

 

IN WITNESS WHEREOF, the parties have caused this DPA to be executed by their authorized representative and this DPA shall be effective on the date both parties sign this DPA:

 

 

Annex A
Data Processing Description

 

This Annex A forms part of the DPA and describes the processing that Couchbase will perform on behalf of the Customer as well as describes the transfer of any Personal Data under the DPA.


Controller to Processor / Processor to Processor 


Duration and Retention

The duration of the data processing (and transfers, if applicable) under this DPA is until the termination of the Agreement in accordance with its terms plus the period from the expiry of the Agreement until deletion of Personal Data by Couchbase in accordance with the terms of the Agreement. 


Frequency of the Transfer 

When initiated, transfers of Personal Data may be continuous. 


Categories of data

The Personal Data to be processed (and transferred, if applicable) concern the following categories of data (please specify): 

● Personal Data included in content or data provided by or on behalf of Customer or Authorized Users by or through the Services, including in connection with any Support.

 

Special categories of data (if appropriate)

The parties do not intend for any special category data to be processed or transferred under the Agreement.

Data subjects

The Personal Data to be processed (and transferred, if applicable) concern the following categories of data subjects (please specify): 

● Data subjects include individuals about whom data is provided to Couchbase via the Services by or at the direction of Customer, including Authorized Users. Data subjects may include Customer’s customers, employees, suppliers and end-users.

Processing operations

The Personal Data will be subject to the following basic processing activities and any transfers are for the following purposes (please specify):
● processing to provide the Services in accordance with the Agreement
● processing to perform any steps necessary for the performance of the Agreement
● processing initiated by Customer in its use of the Services
● processing to comply with other reasonable instructions provided by Customer (e.g. via email or support tickets) that are consistent with the terms of this Agreement.

Controller to Controller 


Retention 

Couchbase retains Personal Data it processes as a controller for as long as required for its legitimate business purposes, determined by whether Couchbase has a legal obligation to retain the Personal Data and the length of time of Couchbase’s business relationship with a customer. 


Frequency of the Transfer 

When initiated, transfers of Personal Data may be continuous. 


Categories of data 

The Personal Data to be processed (and transferred, if applicable) concern the following categories of data (please specify): 

● Customer employee and authorized user contact information, which may include name, company name, role, email and phone number; and 
● Employee and authorized user usage information, which may include location and IP address.

 

Special categories of data (if appropriate) 

The parties do not intend for any special category data to be processed or transferred under the Agreement. 


Data subjects 

The Personal Data to be processed (and transferred, if applicable) concern the following categories of data subjects (please specify): 

● Customer’s employees and authorized users. 


Processing operations 

The Personal Data will be processed for Couchbase’s legitimate business purposes and subject to the following basic processing activities and any transfers are for the following purposes (please specify): 
● Billing, account and customer relationship management and related correspondence with customers; 
● Complying with and resolving legal obligations; and
● Product and service improvement.

 

Annex B
Security Measures


This Annex describes Couchbase’s Security Measures in providing the Services. Customer acknowledges that the Service operates pursuant to a shared responsibility model, which requires, among other things, that Customer take certain steps such as protecting the security of any Customer environment into which Couchbase products are deployed. If and to the extent Couchbase processes Customer Data on behalf of Customer in connection with the Service, Couchbase shall implement and maintain the following Security Measures:

1. System Access Controls: Couchbase shall take reasonable measures to prevent unauthorized use of the systems used for processing Customer Data. These controls shall vary based on the nature of the processing undertaken and may include, among other controls, strong authentication, documented authorization processes, documented change management processes and/or, logging of access on several levels. 

2. Data Access Controls: Couchbase shall take reasonable measures to provide that any Customer Data in Couchbase’s control is accessible and manageable only by properly authorized staff. Application access rights are established and enforced to ensure that persons entitled to use a data processing system only have access to the Customer Data to which they have access privileges; and, that Customer Data cannot be read, copied, modified or removed without authorization in the course of processing. 

3. Transmission Controls: Couchbase shall take reasonable measures to ensure that Customer Data cannot be read, copied, modified or removed without authorization during electronic transmission or transport. Couchbase uses industry standard firewall and encryption technologies to protect data in transit and at rest. 

4. Input Controls: Couchbase shall take reasonable measures to provide that it is possible to check and establish whether and by whom Customer Data has been entered into data processing systems, modified or removed; and, any transfer of Customer Data to a third-party service provider is made via a secure transmission. 

5. Data Protection: Couchbase shall take reasonable measures to ensure that Customer Data is protected against accidental destruction or loss. 

6. Logical Separation: Customer Data in Couchbase’s control is logically segregated on systems managed by the Couchbase to prevent unauthorized access             

Annex C

The Standard Contractual Clauses shall apply as follows: 

1. EU SCCs (Controller to Processor / Processor to Processor Transfers) – with respect to Personal Data that is protected by the GDPR and for which Couchbase serves as a processor or subprocessor on behalf of Customer, the EU SCCs shall apply, completed as follows:
a. Module Two or Module Three will apply (as applicable); 
b. in Clause 7, the optional docking clause will apply;
c. in Clause 9, Option 2 will apply, and the time period for prior notice of Sub-processor changes shall be as set out in Section 8(a) of this DPA;
d. in Clause 11, the optional language will not apply;
e. in Clause 17, Option 1 will apply, and the EU SCCs will be governed by the law of the EU member state in which the data exporter is established, and if no such law, Irish law;
f. in Clause 18(b), disputes shall be resolved before the courts of the EU member state in which the data exporter is established, and if no such law, the courts of the Republic of Ireland;
g. Annex I, Part A: 
    i. Data Exporter: Customer and authorized affiliates of Customer.
    ii.Contact Details (Required):
    iii. Data Exporter Role: Customer is the controller or processor of Customer Data, as applicable.
    iv.Signature & Date: By entering into the DPA, Data Exporter is deemed to have signed these Standard Contractual Clauses incorporated herein, including their Annexes, as of the Effective Date of the DPA.
    v. Data Importer: Couchbase, Inc.
    vi. Contact Details: Couchbase Legal Team - legal@couchbase.com 
    vii. Data Importer Role: Couchbase is the processor or sub-processor of Customer Data, as applicable.
    viii. Signature & Date: By entering into the DPA, Data Importer is deemed to have signed these Standard Contractual Clauses, incorporated herein, including their Annexes, as of the Effective Date of the DPA. 
h. Annex I, Part B of the EU SCCs shall be deemed completed with the information set out in Annex A to this Addendum; 
i. In Annex I, Part C, the supervisory authority of the EU member state specified in Section 1(a) of this Annex C shall act as competent supervisory authority; and 
j. Annex II of the EU SCCs shall be deemed completed with the information set out in Annex B to this Addendum. 

 

2. EU SCCs (Controller to Controller Transfers) – with respect to Personal Data that is protected by the GDPR and for which Couchbase serves as a controller pursuant to Section 2(b)(ii) of the DPA, the EU SCCs shall apply, completed as follows: 
a. Module One will apply’ 
b. in Clause 7, the optional docking clause will apply;
c. in Clause 11, the optional language will not apply;
d. in Clause 17, Option 1 will apply, and the EU SCCs will be governed by the law of the EU member state in which the data exporter is established, and if no such law, Irish law;
e. in Clause 18(b), disputes shall be resolved before the courts of the EU member state in which the data exporter is established, and if no such law, the courts of the Republic of Ireland;
f. Annex I, Part A: 
   i. Data Exporter: Customer and authorized affiliates of Customer.
   ii. Contact Details (Required):    
   iii. Data Exporter Role: Customer is an independent controller of Personal Data. 
   iv.Signature & Date: By entering into the DPA, Data Exporter is deemed to have signed these Standard Contractual Clauses incorporated herein, including their Annexes, as of the Effective Date of the DPA.
   v. Data Importer: Couchbase, Inc.
   vi. Contact Details: Couchbase Legal Team - legal@couchbase.com 
   vii. Data Importer Role: Couchbase is an independent controller of Personal Data.
   viii. Signature & Date: By entering into the DPA, Data Importer is deemed to have signed these Standard Contractual Clauses, incorporated herein, including their Annexes, as of the Effective Date of the DPA.
g. Annex I, Part B of the EU SCCs shall be deemed completed with the information set out in Annex A to this Addendum;
h. In Annex I, Part C, the supervisory authority of the EU member state specified in Section 1(a) of this Annex C shall act as competent supervisory authority; and
i. Annex II of the EU SCCs shall be deemed completed with the information set out in Annex B to this Addendum. 

 

3. UK SCCs – with respect to Personal Data that is protected by the UK GDPR, the EU SCCs shall apply in accordance with Sections 1-2 above, with the following modifications:
a. Any references in the EU SCCs to “Directive 95/46/EC” or “Regulation (EU) 2016/679” shall be interpreted as references to the UK GDPR; references to specific Articles of “Regulation (EU) 2016/679” are replaced with the equivalent Article or Section of UK GDPR; 
b. References to “EU”, “Union,” “Member State” and “Member State law” are all replaced with “UK”; Clause 13(a) and Part C of Annex I of the EU SCCs are not used; references to the “competent supervisory authority” and “competent courts” shall be interpreted as references to the Information Commissioner and the courts of England and Wales; 
c. Clause 17 of the EU SCCs is replaced to state that “The Clauses are governed by the laws of England and Wales” and Clause 18 of the EU SCCs is replaced to state “Any dispute arising from these Clauses shall be resolved by the courts of England and Wales. A data subject may bring legal proceeding against the data exporter and/or data importer before the courts of any country in the UK. The Parties agree to submit themselves to the jurisdiction of such courts”, unless the EU SCCs as implemented above cannot be used to lawfully transfer such Personal Data in compliance with the UK GDPR, in which event the UK SCCs shall instead be incorporated by reference and form an integral part of this DPA and shall apply to such transfers. Where this is the case, the relevant Annexes of the UK SCCs shall be populated using the information contained in Annexes A and B and set out in Sections 1(g), 1(i), 2(f) and 2(h) above, as applicable. 
 

4. Swiss SCCs - with respect to Personal Data that is protected by the UK GDPR, the EU SCCs shall apply in accordance with Sections 1-2 above, with the following modifications:
a. Any references in the EU SCCs to “Directive 95/46/EC” or “Regulation (EU) 2016/679” shall be interpreted as references to the Swiss DPA;
b. References to “EU”, “Union,” “Member State” and “Member State law” are all replaced with references to Switzerland and Swiss law, as the case may be; and
c. references to the “competent supervisory authority” and “competent courts” shall be interpreted as references to the Swiss Federal Data Protection and Information Commissioner and competent courts in Switzerland, unless the EU SCCs as implemented above cannot be used to lawfully transfer such Personal Data in compliance with the Swiss DPA, in which event the Swiss SCCS shall instead be incorporated by reference and form an integral part of this Addendum and shall apply to such transfers. Where this is the case, the relevant Annexes of the UK SCCs shall be populated using the information contained in Annexes A and B and set out in Sections 1(g), 1(i), 2(f) and 2(h) above, as applicable. 

Annex D
List of Affiliates and Subprocessors



Couchbase may engage the following Affiliates located in the following locations in Processing Personal Data:

Entity Name Location
Couchbase Limited United Kingdom
Couchbase France SAS France
Couchbase Germany GMBH Germany
Couchbase Israel Technologies Ltd Israel
Couchbase India Private Limited India
Couchbase Japan KK Japan
Couchbase Canada Technologies Limited Canada
Couchbase Australia Pty Limited Australia
Couchbase Singapore Pte. Limited Singapore

Couchbase may engage the following third-party technology providers in Processing Personal Data:

Name of Subprocessor Location Subprocessor Description of Services
Amazon Web Services, Inc. United States Cloud infrastructure provider
Salesforce.com, Inc. United States Customer relationship management
Zendesk Inc. United States Customer support
Direct Line Tele Response United States Customer support
Pager Duty, Inc. United States Customer support
Zoom Video Communications, Inc United States Customer support
Slack Technologies, Inc. United States Customer support
Atlassian Corporation PLC (Jira) United States Customer support