Last Updated Dec. 15, 2022
This Data Processing Addendum including all of its Annexes (this “Addendum”) supplements and forms part of the End User Agreement accepted by Customer on or about the date hereof (the “Agreement”) by and between Verkada Inc. (“Verkada”) and the Customer identified therein (“Customer”, and together with Verkada, the “Parties”). All capitalized terms used but not otherwise defined herein have the respective meanings ascribed to them in the Agreement.
Verkada reserves the right to modify or update the terms of this Addendum in its discretion, the effective date of which will be the earlier of (i) 30 days from the date of such update or modification and (ii) Customer’s continued use of the Products.
Customer has purchased a subscription to the Software pursuant to the Agreement that involves the Processing of Personal Data subject to Data Protection Laws.
In the provision of the Software by Verkada to Customer pursuant to the Agreement, Customer acts as Controller and Verkada acts as Processor or Service Provider with respect to the Personal Data, or, as the case may be, Customer acts as a Processor for its end user customers including such end user customers’ affiliated companies (as ultimate Controllers) and Verkada will act as a sub-Processor acting on the instruction of the Customer vis-a-vis its end user customers.
The parties agree as follows:
Definitions. Unless otherwise defined in the Agreement, all capitalized terms used in this Addendum will have the meanings given to them herein or in applicable Data Protection Laws.
“Controller” means the entity or Business which solely or jointly with other entities determines the purposes and means of the Processing of Personal Data, and for the purposes of this Addendum means Customer, including when acting on behalf of its own end user customer.
“Data Breach” has the meaning given to it in the Data Protection Laws and for the purpose of this Addendum relates to the personal data Processed by Verkada on behalf of Customer.
“Data Protection Laws” means to the extent applicable to Customer’s use of the Software, all applicable data protection and privacy laws, their implementing regulations, regulatory guidance, and secondary legislation, each as updated or replaced from time to time, including, as they may apply: (i) the General Data Protection Regulation ((EU) 2016/679) (the “GDPR”) and any applicable national implementing laws; (ii) the UK General Data Protection Regulation (“UK GDPR”) and the UK Data Protection Act 2018; (iii) U.S. legislation (e.g., the California Consumer Privacy Act and the California Privacy Rights Act); and (iv) any other laws that may be applicable.
“Data Subject” means the identified or identifiable person to whom the Personal Data relates, as defined in applicable Data Protection Laws.
“EEA” means the European Economic Area.
“EU Standard Contractual Clauses” or “EU SCCs” or “Clauses” means the standard data protection clauses for the transfer of Personal Data to processors established in third countries, as described in Article 46 of the EU GDPR pursuant to the European Commission’s decision (C(2010)593) of 5 February 2010 on Standard Contractual Clauses, as approved by the European Commission in the European Commission’s Implementing Decision 2021/914/EU of 4 June 2021, as each may be amended, updated, or replaced from time to time.
“Personal Data” has the meaning given to it in the Data Protection Laws, and for the purpose of this Addendum relates to the personal data Processed by Verkada on behalf of Customer as described in Section 3.
“Processing” has the meaning given to it in the Data Protection Laws and “process”, “processes” and “processed” will be construed accordingly.
“Processor” means the entity or Service Provider which Processes Personal Data on behalf of the Controller, as defined in applicable Data Protection Laws and for the purposes of this Addendum means Verkada.
Compliance with Laws. Each party will comply with the Data Protection Laws as applicable to it. In particular, Customer will comply with its obligations as Controller (or on behalf of Controller), and Verkada will comply with its obligations as Processor.
Data Processing.
Roles of the Parties. The Parties acknowledge and agree that with regard to the Processing of Personal Data, where such terms are used by applicable Data Protection Laws, (i) the Customer is the Controller, (ii) Verkada is the Processor or Service Provider and that (iii) the Processor may engage sub-Processors or other Service Providers pursuant to the requirements set forth in Section 10 below.
Customer Obligations.
Customer (as Controller or on behalf of the ultimate Controller) undertakes that all instructions for the Processing of Personal Data under the Agreement or this Addendum or as otherwise agreed will comply with the Data Protection Laws, and such instructions will not in any way cause Verkada to be in breach of any Data Protection Laws.
The Customer will have sole responsibility for the means by which the Customer acquired the Personal Data.
Verkada’s Processing of Personal Data.
Verkada will Process Personal Data only in accordance with Customer’s (i) instructions as outlined in the Agreement and this Addendum or (ii) as otherwise documented by Customer, in either event only as permitted by applicable Data Protection Laws and for the purpose of providing the Products to Customer in accordance with the terms of the Agreement.
Unless prohibited by applicable law, Verkada will notify Customer if, in its opinion, an instruction infringes any Data Protection Law to which it is subject, in which case Verkada will be entitled to suspend performance of such instruction without any kind of liability towards the Customer, until Customer confirms in writing that such instruction is valid under such Data Protection Law. Any additional instructions regarding the manner in which Verkada Processes the Personal Data will require prior written agreement between Verkada and Customer.
Verkada will not be liable in the event of any claim brought by a third party, including, without limitation, a Data Subject, arising from any act or omission of the Processor, to the extent that such act or omission is a result of the Customer’s instructions.
Verkada will not disclose Personal Data to any government, except as necessary to comply with applicable law or a valid and binding order of a law enforcement agency (such as a subpoena or court order). If Verkada receives a binding order from a law enforcement agency for Personal Data, Verkada will notify Customer of the request it has received so long as Verkada is not legally prohibited from doing so.
Where Verkada acts as Customer’s Service Provider, Verkada shall not: (i) sell Personal Data; (ii) collect, retain, use, or disclose Personal Data (a) for any purpose other than providing the Products specified in the Agreement and this Addendum or (b) outside of the direct business relationship between Verkada and Customer; or (iii) combine this Personal Data with Personal Data that Processor obtains from other sources except as permitted by applicable Data Protection Laws. Verkada certifies that it understands the prohibitions outlined in this Section 3(c)(v) and will comply with them.
Verkada will take reasonable steps to ensure that individuals with access to or involved in the Processing of Personal Data are subject to appropriate confidentiality obligations and/or are bound by related obligations under Data Protection Laws or other applicable laws.
The duration of the Processing, the nature and specific purposes of the Processing, the types of Personal Data Processed, and categories of Data Subjects under this Addendum are further specified in the Annexes to this Addendum and, on a more general level, in the Agreement.
Transfers of Personal Data. Verkada shall transfer Personal Data between jurisdictions as a Data Processor in accordance with applicable Data Protection Laws, including as relevant provisions of this Section 4.
Transfers of Personal Data Outside the EEA.
Transfers to countries that offer an adequate level of data protection. Personal Data may be transferred from the EEA to other jurisdictions where such jurisdictions are deemed to provide an adequate level of data protection under applicable Data Protection Laws.
Transfers to other third countries. If the Processing of Personal Data includes transfers from EEA/EU Member States to countries outside the EEA/EU which have not been deemed adequate under applicable Data Protection Laws, the parties’ EU Standard Contractual Clauses are hereby incorporated into and form part of this Addendum. The Parties agree to include the optional Clause 7 (Docking clause) to the EU SCCs incorporated into this Addendum. With regards to clauses 8 to 18 of the EU SCCs, the different modules and options will apply as follows:
Module Two shall apply.
The Option within Clause 11(a) of the EU SCCs, providing for the optional use of an independent dispute resolution body, is not selected.
The Options and information required for Clauses 17 and 18 of the EU SCCs, covering governing law and jurisdiction, are outlined in Section 13 of this Addendum.
Option 2 within Clause 9(a) of the EU SCCs, covering authorization for sub-processors, is selected, as discussed within Section 10 of this Addendum.
Transfers of Personal Data Outside Switzerland. If Personal Data is transferred from Switzerland in a manner that would trigger obligations under the Federal Act on Data Protection of Switzerland (“FADP”), the EU SCCs shall apply to such transfers and shall be deemed to be modified in a manner that incorporates relevant references and definitions that would render such EU SCCs an adequate tool for such transfers under the FADP.
Transfers of Personal Data Outside the UK. If Personal Data is transferred in a manner that would trigger obligations under UK GDPR, the parties agree that Annex IV shall apply.
Annexes. This Addendum and its Annexes, together with the Agreement, including as relevant applicable Clauses, serve as a binding contract that sets out the subject matter, duration, nature, and purpose of the Processing, the type of Personal Data and categories of data subjects as well as the obligations and rights of the Controller. Verkada may execute relevant contractual addenda, including as relevant the EU SCCs (Module 3) with any relevant Subprocessor (as hereinafter defined, including Affiliates). Unless Verkada notifies Customer to the contrary, if the European Commission subsequently amends the EU SCCs at a later date, such amended terms will supersede and replace any EU SCCs executed between the parties.
Alternative Data Export Solution. The parties agree that the data export solutions identified in this Section 4 will not apply if and to the extent that Customer adopts an alternative data export solution for the lawful transfer of Personal Data (as recognized under applicable Data Protection Laws), in which event, Customer shall reasonably cooperate with Verkada to implement such solution and such alternative data export solution will apply instead (but solely to the extent such alternative data export solution extends to the territories to which Personal Data is transferred under this Addendum).
Customer shall be responsible for obligations corresponding to Data Controllers under Data Protection Laws.
Technical and Organizational Measures. Verkada will implement appropriate technical and organizational measures to ensure a level of security of Personal Data appropriate to the risk, as further described in Annex II to this Addendum. In assessing the appropriate level of security, Verkada will take into account the risks that are presented by Processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored or otherwise Processed.
Data Subjects rights. Verkada will assist Customer in responding to Data Subjects’ requests exercising their rights under the Data Protection Laws. To that effect, Verkada will (i) to the extent permitted by applicable law, promptly notify Customer of any request received directly from Data Subjects to access, correct or delete its Personal Data without responding to that request, and (ii) upon written request from Customer, provide Customer with information that Verkada has available to reasonably assist Customer in fulfilling its obligations to respond to Data Subjects exercising their rights under the Data Protection Laws.
Data Protection Impact Assessments. If Customer is required under the Data Protection Laws to conduct a Data Protection Impact Assessment, then upon written request from Customer, Verkada will use commercially reasonable efforts to assist in the fulfilment of Customer’s obligation as related to its use of the Products, to the extent Customer does not otherwise have access to the relevant information. If required under Data Protection Laws, Verkada will provide reasonable assistance to Customer in the cooperation or prior consultation with Data Protection Authorities in relation to any applicable Data Protection Impact Assessment.
Audit of Technical and Organizational Measures. Verkada will make available all information necessary to demonstrate its compliance with data protection policies and procedures implemented as part of the Products. To this end, upon written request (not more than once annually) Customer may, at its sole cost and expense, verify Verkada’s compliance with its data protection obligations as specified in this Addendum by: (i) submitting a security assessment questionnaire to Verkada; and (ii) if Customer is not satisfied with Verkada’s responses to the questionnaire, then Customer may conduct an audit in the form of meetings with Verkada’s information security experts upon a mutually agreeable date. Such interviews will be conducted with a minimum of disruption to Verkada’s normal business operations and subject always to Verkada’s agreement on scope and timings. Such audit will be performed during normal business hours, in such a manner as not to unreasonably disrupt normal business operations, and in no event will take place over the course of more than two business days. The Customer may perform the verification described above by itself or through a mutually agreed upon third party auditor, so long as Customer or its authorized auditor executes a mutually agreed upon non-disclosure agreement. Customer will be responsible for any actions taken by its authorized auditor. All information disclosed by Verkada under this Section 8 will be deemed Verkada’s Confidential Information, and Customer will not disclose any audit report to any third party except as obligated by law, court order or administrative order by a government agency. Verkada will remediate any mutually agreed, material deficiencies in its technical and organizational measures identified by the audit procedures described in this Section 8 within a mutually agreeable timeframe.
Breach notification. If Verkada becomes aware of a Data Breach, then Verkada will notify the Customer without undue delay after becoming aware of such Data Breach, will co-operate with the Customer, and will take commercially reasonable steps to investigate, mitigate, and remediate such Data Breach. Verkada will provide all reasonably required support and cooperation necessary to enable Customer to comply with its legal obligations pursuant to applicable Data Protection Laws.
Sub-processing.
Customer agrees that Verkada may engage either Verkada affiliated companies or third-party providers as sub-Processors under the Agreement and this Addendum (“Subprocessors”) and hereby authorizes Verkada to engage such Subprocessors in providing the Products to Customer. Verkada will restrict the Processing activities performed by Subprocessors to only what is necessary to provide the Products to Customer pursuant to the Agreement and this Addendum. Verkada will impose appropriate contractual obligations in writing upon the Subprocessors that are no less protective than this Addendum.
Verkada maintains an updated list of all Subprocessors used by Verkada which is available upon written request. Verkada may amend the list of Subprocessors by adding or replacing Subprocessors at any time. Customer will be entitled to object to a new Subprocessor by notifying Verkada in writing of the reasons for its objection. Verkada will work in good faith to address Customer’s objections. If Verkada is unable or unwilling to adequately address Customer’s objections to Customer’s reasonable satisfaction, then Customer may terminate this Addendum and the Agreement in accordance with Section 6.2 of the Agreement.
Return or Deletion of Personal Data. Verkada will delete or return, in Customer’s discretion, Personal Data within a reasonable period of time following the termination or expiration of the Agreement following written request from Customer unless otherwise required by applicable Data Protection Laws.
Termination. This Addendum shall automatically terminate upon the termination or expiration of the Agreement. Sections 3(b), 3(c)(iii), and 14 of this Addendum shall survive the termination or expiration of this Addendum for any reason. This Addendum cannot, in principle, be terminated separately to the Agreement, except where the Processing ends before the termination of the Agreement, in which case, this Addendum shall automatically terminate.
Governing Law. This Addendum shall be governed by and construed in accordance with governing law and jurisdiction provisions in the Agreement, unless required otherwise by applicable Data Protection Laws.
For the purposes of Clauses 17 and 18 of the EU SCCs, where applicable, to the extent that the governing law and jurisdiction provisions in the Agreement do not meet the requirements of the EU SCCs, the parties select Option 2 of Clause 17, and agree that the EU SCCs shall be governed by the law of the EU Member State in which the data exporter is established; where such law does not allow for third-party beneficiary rights, the EU SCCs shall be governed by the laws of the country of Ireland. Pursuant to Clause 18, any dispute between the Parties arising from the EU SCCs shall be resolved by the courts of Ireland, and the Parties submit themselves to such jurisdiction. For the purposes of Clause 13 of the GDPR, the Supervisory Authority shall be the data exporter’s applicable Supervisory Authority. Data exporter shall notify data importer of the applicable Supervisory Authority by email at [email protected] and shall provide any necessary updates without undue delay.
Entire Agreement; Conflict. Except as amended by this Addendum, the Agreement will remain in full force and effect. If there is a conflict between the Agreement and this Addendum as to the subject matter herein, the terms of this Addendum will control.
ANNEX I
A. LIST OF PARTIES
Data exporter(s):
Name: The Customer named in the Agreement
Address: The address of the Customer’s corporate headquarters
Contact person’s name, position and contact details: The primary administrative contact listed in the Hosted Software.
Activities relevant to the data transferred under these Clauses: Purchase of subscription and use of Software under the Agreement
Role (controller/processor): Controller
Data importer(s):
Name: Verkada, Inc.
Address: 406 E. 3rd Ave, San Mateo, CA 94401, USA
Contact details: Kyle Randolph, CISO, [email protected]
Activities relevant to the data transferred under these Clauses: Processing of personal data to provide Products as set forth in the Agreement
Role (controller/processor): Processor
B. DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred:
Individuals who may appear in the video footage captured by Data Exporter’s security cameras and individuals authorized by Data Exporter to use the Software on behalf of Data Exporter or individuals whose personal data the Data Exporter chooses to provide.
Categories of personal data transferred:
Audio and video data to provide the Services and Products,
Contact information, including names, emails and phone number(s), and
Personal Data that the Controller chooses to provide at its own direction
Note: Data Importer does not process sensitive data except at the direction of or as permitted by Data Exporter.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis):
Continuous basis during the Term of the Agreement
Nature of the processing:
As specified under the Agreement (i.e., enterprise Software-as-a-Service platform for physical security)
Purpose(s) of the data transfer and further processing:
For the provision of the specific business purpose and services/Products under the Agreement
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period:
During the term of the Agreement and as provided therein.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing:
During the Term of the Agreement for the purpose of providing the services/Products.
C. COMPETENT SUPERVISORY AUTHORITY
The competent supervisory authority/ies applicable to Data Exporter as notified to Data Importer in accordance with Section 13(a) of the Addendum.
ANNEX II – TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
Data Importer (also referred to as Verkada below) has taken and will maintain appropriate administrative, technical, physical and procedural security measures, for the protection of the Personal Data, with such measures located here: https://www.verkada.com/trust/security-controls/ .
ANNEX III – LIST OF SUB-PROCESSORS
To view Data Importer’s list of sub-processors, please submit your request at: https://my.pima.app/p/verkada/verkada-subprocessors
ANNEX IV UK ADDENDUM TO EU STANDARD CONTRACTUAL CLAUSES
PART 1: TABLES
Table 1: Parties
Start date | Effective the date of the execution of the Addendum | |
The Parties | Exporter (who sends the Restricted Transfer) As listed in Annex I | Importer (who receives the Restricted Transfer) As listed in Annex I |
Parties’ Details | As listed in Annex I | As listed in Annex I |
Key Contacts | As listed in Annex I | As listed in Annex I |
Table 2: Selected SCCs, Modules and Selected Clauses
“Addendum EU SCCs” | The version of the approved EU SCCs agreed to in the Addendum to which this UK Addendum is appended to, including the Appendix Information. |
Table 3: Appendix Information
“Appendix Information” means the information which must be provided for the selected modules as set out in the Appendix of the Approved SCCs (other than the Parties), and which for this UK Addendum is set out in:
Annex 1A: List of Parties: See Annex I |
Annex 1B: Description of Transfer: Annex I |
Annex II: Technical and organisational measures including technical and organisational measures to ensure the security of the data: Annex II |
Annex III: List of Sub processors: Annex III |
Table 4: Ending this Addendum when the Approved Addendum Changes
Ending this Addendum when the Approved Addendum changes | Which Parties may end this Addendum: ☐ Importer ☐ Exporter ☐ neither Party |
PART 2: MANDATORY CLAUSES
“Mandatory Clauses” | Part 2: Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of those Mandatory Clauses. |