Data Processing Agreement

Rights and responsibilities for the processing and security of customer data.

This Data Processing Agreement (“Agreement”), effective as of the DPA Effective Date (defined below), is entered into by and between Bugsnag Inc. (“Bugsnag”) and you (“Customer”) (collectively the “Parties”)

Last updated: Dec 10, 2019

Introduction

A. Customer is a controller of certain personal data (as described in Annex A) and wishes to appoint Bugsnag as a processor to process this personal data on its behalf in connection with Bugsnag’s performance of a master services agreement between the parties for Customer’s use of Bugsnag’s offering(s) (the “Master Services Agreement”).

B. The parties have entered into this Agreement to ensure that Bugsnag conducts such data processing in accordance with Customer’s instructions and Applicable Data Protection Law requirements, and with full respect for the fundamental data protection rights of the data subjects whose personal data will be processed.

C. If applicable, Bugsnag further acknowledges that Customer has self-certified its compliance to the EU-US Privacy Shield framework and pursuant to the Privacy Shield is required to flow down certain Privacy Shield data protection requirements to Bugsnag under this Agreement.

1. Definitions and interpretation

1.1. Definitions: In this Agreement, the following terms shall have the following meanings:

1.1.1. “Applicable Data Protection Law" shall mean all applicable international, national, federal, state, provincial, and local laws, rules, regulations, directives, and governmental requirements currently in effect, or as they become effective, relating in any way to the privacy, confidentiality, or security of the Processing of Data (defined below), including but not limited to the General Data Protection Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (the “GDPR”), the e-Privacy Directive 2002/58/EC, the e-Privacy Regulation 2017/003 (once it takes effect), the California Consumer Privacy Act of 2018, Title 1.81.5 (commencing with Section 1798.100) to Part 4 of Division 3 of the Civil Code (“CCPA”) and any equivalent or similar laws, rules, regulations, directives, and governmental requirements in applicable jurisdictions, and any laws implementing, replacing or supplementing any of them, as amended, consolidated, re-enacted or replaced from time to time.

1.1.2. “controller”, “processor”, “data subject”, “personal data” and “processing” (and “process”) shall have the meanings given in Applicable Data Protection Law.

1.1.3. “Master Services Agreement” shall have the meaning given in paragraph A of the Introduction to this Agreement.

1.1.4. “Privacy Shield” means the EU-US Privacy Shield self-certification program operated by the U.S. Department of Commerce and approved by the European Commission pursuant to Decision C(2016)4176 of July 12, 2016.

1.1.5. “DPA Effective Date” means either (i) Dec 10, 2019; and (ii) the date on which you accept or otherwise agree or opt-in to this Addendum, if that date is after Dec 10, 2019.

1.2. Interpretation: Capitalized terms used but not defined in this Agreement shall have the meanings given in the Master Services Agreement.

2. Data Protection

2.1. Relationship of the parties: Customer (the controller) appoints Bugsnag as a processor to process the personal data described in Annex A that is the subject of the Master Services Agreement (the “Data”). Each party shall comply with the obligations that apply to it under Applicable Data Protection Law.

2.2. Purpose limitation: Bugsnag shall process the Data as a processor only for the purposes described Annex A as necessary to perform its obligations under the Master Services Agreement and strictly in accordance with the documented instructions of Customer (the “Permitted Purpose”), except where otherwise required by any EU (or any EU Member State) law applicable to Bugsnag. In no event shall Bugsnag process the Data for its own purposes or those of any third party.

2.3. International transfers: Bugsnag shall not transfer the Data (nor permit the Data to be transferred) outside of the European Economic Area (“EEA”) or the United States unless (i) it has first obtained Customer’s prior written consent (for example, as evidenced at Annex C); and (ii) it takes such measures as are necessary to ensure the transfer is in compliance with Applicable Data Protection Law. Such measures may include (without limitation) transferring the Data to a recipient in a country that the European Commission has decided provides adequate protection for personal data, to a recipient that has achieved binding corporate rules authorisation in accordance with Applicable Data Protection Law, to a recipient in the United States that has certified its compliance with the EU-US Privacy Shield, or to a recipient that has executed standard contractual clauses adopted or approved by the European Commission.

2.4. Confidentiality of processing: Bugsnag shall ensure that any person that it authorises to process the Data (including Bugsnag’s staff, agents and subcontractors) (an “Authorised Person”) shall be subject to a strict duty of confidentiality (whether a contractual duty or a statutory duty), and shall not permit any person to process the Data who is not under such a duty of confidentiality. Bugsnag shall ensure that all Authorised Persons process the Data only as necessary for the Permitted Purpose.

2.5. Security: Bugsnag shall implement appropriate administrative, physical, technical and organisational measures (“Security Measures”) to protect the Data (i) from accidental or unlawful destruction, and (ii) loss, alteration, unauthorised disclosure of, or access to the Data (a “Security Incident”). Such measures shall have regard to the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. Such measures shall include, as appropriate:

2.5.1. the pseudonymisation and encryption of personal data;

2.5.2. the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

2.5.3. the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;

2.5.4. a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

At a minimum, such Security Measures shall include the measures identified in Annex B.

2.6. Subprocessing: Bugsnag shall not subcontract any processing of the Data to a third party subprocessor without the prior written consent of Customer. A list of approved subprocessors as at the date of this Agreement is attached at Annex C. Bugsnag may revise this list from time to time and Bugsnag will publish its revised subprocessors on its website. If Customer refuses to consent to Bugsnag’s appointment of a third party subprocessor on reasonable grounds relating to the protection of the Data, then either Bugsnag will not appoint the subprocessor or Customer may elect to suspend or terminate this Agreement and the Master Services Agreement without penalty.

2.7. Cooperation and data subjects’ rights: Bugsnag shall provide all reasonable and timely assistance (including by appropriate technical and organisational measures) to Customer (at its own expense) to enable Customer to respond to: (i) any request from a data subject to exercise any of its rights under Applicable Data Protection Law (including its rights of access, correction, objection, erasure and data portability, as applicable); and (ii) any other correspondence, enquiry or complaint received from a data subject, regulator or other third party in connection with the processing of the Data. In the event that any such request, correspondence, enquiry or complaint is made directly to Bugsnag, Bugsnag shall promptly inform Customer providing full details of the same.

2.8. Data Protection Impact Assessment: If Bugsnag believes or becomes aware that its processing of the Data is likely to result in a high risk to the data protection rights and freedoms of data subjects, it shall promptly inform Customer and provide Customer with all such reasonable and timely assistance as Customer may require in order to conduct a data protection impact assessment and, if necessary, consult with its relevant data protection authority.

2.9. Security incidents: Upon becoming aware of a Security Incident, Bugsnag shall inform Customer without undue delay and shall provide all such timely information and cooperation as Customer may require in order for Customer to fulfil its data breach reporting obligations under (and in accordance with the timescales required by) Applicable Data Protection Law. Bugsnag shall further take all such measures and actions as are necessary to remedy or mitigate the effects of the Security Incident and shall keep Customer informed of all developments in connection with the Security Incident.

2.10. Deletion or return of Data: Upon termination or expiry of this Agreement, Bugsnag shall (at Customer’s election) destroy or return to Customer all Data (including all copies of the Data) in its possession or control (including any Data subcontracted to a third party for processing). This requirement shall not apply to the extent that Bugsnag is required by any EU (or any EU Member State) law to retain some or all of the Data, in which event Bugsnag shall isolate and protect the Data from any further processing except to the extent required by such law.

2.11. Audit: Bugsnag has and will maintain commercially reasonable internal security controls and auditing procedures to audit its controls. On request from Customer, Bugsnag will provide summaries of previous audit results. Once in a rolling 12-month period or following a Security Incident or as otherwise required by Applicable Data Protection Law, Bugsnag will permit Customer or its auditor to conduct an audit of Bugsnag to verify Bugsnag’s compliance with this DPA and Applicable Data Protection Law at Customer’s expense (“Audit”). Customer and Bugsnag will agree in advance on reasonable timing, scope, and security controls applicable to the Audit (including restricting access to Bugsnag’s trade secrets and data belonging to Bugsnag’s other customers). If the Security Incident is caused by Customer then Bugsnag may charge Customer a reasonable fee for the Audit if Bugsnag documents the basis and calculation of the fee in advance. If Customer provides Bugsnag with notice of a security deficiency (detected through tests or audits performed under this section or otherwise), Bugsnag will remediate the deficiency as appropriate, within a reasonable timeframe.

2.12. CCPA: The terms “Personal Information”, “Sell”, “Sale”, and “Service Provider” shall have the same meaning as in the CCPA. Bugsnag is acting as a Service Provider with Customer. Bugsnag shall retain, use and disclose Data solely for the purpose of performing Bugsnag’s obligations under the Master Services Agreement for Customer and for no commercial purpose other than the performance of such obligations. Bugsnag does not receive any Data as consideration for the services described in the Master Services Agreement. Bugsnag shall not Sell Data, and shall not retain, use or disclose Data except as necessary for the sole purpose of performing the services described in the Master Services Agreement. Bugsnag shall refrain from taking any action that would cause any transfers of Data, either to Bugsnag or from Bugsnag, to qualify as a Sale of Personal Information.

3. Privacy Shield

3.1. During the Term of the Master Services Agreement, Bugsnag is, and will remain a certified member of the EU-US Privacy Shield under a registration (“Registration”) and shall maintain the Registration. Bugsnag adheres to, and shall continue to comply with, the Privacy Shield Principles with respect to the transfers or access of any Personal Information from the EU to the United States under this Agreement. If Bugsnag’s Registration expires, lapses, or is revoked (each a “Notifiable Event”) then it shall notify Customer in writing as soon as possible and, if directed to do so by Customer, shall stop processing Data promptly after the occurrence of any Notifiable Event. Where a Notifiable Event occurs, or should Privacy Shield otherwise cease to provide a valid legal basis to transfer personal data to the United States, Bugsnag shall (upon the direction of Customer) enter into the model contract for the transfer of personal data to processors in third countries as set out under European Commission 2010/87/EU of 5 February 2010 (“Model Clauses”) and/or any amending or superseding legislation in order to ensure an adequate level of protection with respect to the privacy rights of individuals.

3.2. Bugsnag acknowledges that Customer may disclose this Agreement to the US Department of Commerce, the Federal Trade Commission, European data protection authority, or any other US or EU judicial or regulatory body upon their request and that any such disclosure shall not be deemed a breach of confidentiality.

4. Miscellaneous

This Agreement shall be governed by, and construed in accordance with, the law of the State of California USA and the courts located in San Francisco County, California shall have exclusive jurisdiction to heard any dispute or other issue arising out of, or in connection with, this Agreement, except where otherwise required by Applicable Data Protection Law.

Annex A: Data Processing Description

This Annex A forms part of the Agreement and describes the processing that the processor will performed on behalf of the controller.

Controller

The controller is:

The Customer

Processor

The processor is:

Bugsnag Inc., a Delaware corporation (“Bugsnag”)

Data subjects

The personal data to be processed concern the following categories of data subjects:

Data subjects may include end users of the Customer’s software, mobile apps, and/or websites. Data subjects also may include engineering team employees and contractors of the Customer who login to use the Services described in the Master Services Agreement.

Categories of data

The personal data to be processed concern the following categories of data:

Regarding application end users: Crash data, configuration data, browser data, device identification, build data, and any user data, including personally identifiable data, supplied by Customer to Bugsnag.

Special categories of data (if appropriate)

The personal data to be processed concern the following special categories of data:

None.

Processing operations

The personal data will be subject to the following basic processing activities:

The personal data will be stored and processed only in order to provide the services described in the Master Services Agreement for the benefit of Customer.

Annex B: Minimum Security Measures

Minimum Security Measures shall include an information security program that safeguards Customer Data and Customer confidential information. Such Security Measures must include:

  1. strict logical or physical separation between Customer Data and Customer confidential information, Bugsnag’s own data and data of other customers of Bugsnag;

  2. maintaining industry-standard perimeter protection for Bugsnag’s network and devices connected thereto (“Bugsnag’s System”);

  3. applying, as soon as practicable, patches or other controls to Bugsnag’s System that effectively address actual or potential code-based security vulnerabilities;

  4. employing commercially reasonable efforts to ensure that Bugsnag’s System remains free of security vulnerabilities, viruses, malware, and other harmful code;

  5. employing commercially reasonable efforts to practice safe coding standard and practices which address common application security vulnerabilities;

  6. providing appropriate education and training to Bugsnag employees and workers regarding these Security Measures and ensuring that those individuals are bound by confidentiality obligations;

  7. accessing or transferring Customer Data or Customer confidential information to or from Customer systems only in a secure and confidential manner, including complying with specific security provisions and procedures set forth by Customer in advance in writing, and

  8. limiting Bugsnag employee/agent/subcontractor access to Bugsnag’s network, systems, devices and facilities to those with a need for such access, and whose access privileges shall be revoked promptly upon their termination.

Bugsnag shall provide to Customer an individual point of contact for security purposes, and shall update this information from time to time as necessary.

Annex C: Approved Subprocessors

Please refer to: https://docs.bugsnag.com/legal/subprocessors/