Data Processing Addendum

Data Processing Addendum

This Castor Data Processing Addendum (the “DPA”) is incorporated by reference into the SaaS Services Agreement or other commercial agreement between Castor and Customer (the “Agreement”) regarding Castor’s Services. Capitalized terms used but not defined in this DPA have the same meanings as set out in the Agreement.

This DPA is supplemental to the Agreement and sets out the terms that apply when Personal Data (defined below) is processed by Castor under the Agreement.

NOW THEREFORE, the parties agree as follows:

1. Definitions

1.a “Breach” means a breach by Castor of its security obligations in this DPA that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data stored or otherwise processed in Customer’s Castor instance.

1.b “California Data Protection Law” means the California Consumer Privacy Act as amended by the California Privacy Rights Act, its associated regulations and their successors.

1.c “Controller”, “Processor”, “Data Subject” and “Process” (whether or not capitalized) have the meanings ascribed to them by GDPR and include equivalent terms in California Data Protection Law, in each case as applicable to the Services.

1.d “Customer Data” means: (a) all metadata from Customer’s databases (Dataware Model, Queries log, Roles and access and Data Visualisation Reports (as described in Annex A), (b) other customer Confidential Information used to provision the Software and to create Models for Customer’s Software implementation, and (c) all analytical results generated by the Software. Customer Data includes Customer’s Personal Data.

1.e “Data Protection Laws” means GDPR, UK GDPR and California Data Protection Law.

1.f “GDPR” means the General Data Protection Regulation 2016/679 and its implementing legislation enacted into local law by European Union member states.

1.g “Personal Data” means any Customer Data: (a) relating to an identified or identifiable individual, within the meaning of GDPR (regardless of whether GDPR applies), and (b) constituting “personal information” as such term is defined in California Data Protection Law.

1.h “Standard Contractual Clauses” or “SCCs” means the Standard Contractual Clauses for the Transfer of Personal Data to Processors Established in Third Countries under GDPR, as approved by European Commission Implementing Decision 2021/914. Appendix 1 to this DPA contains certain interpretive and supplementary provisions regarding application of the Standard Contractual Clauses. The information required by Annexes 1 and 2 of the Standard Contractual Clauses is provided in Annexes A and B of this DPA.

1.i “UK GDPR” means the Data Protection Act 2018 and GDPR as saved into United Kingdom law by virtue of Section 3 of the United Kingdom's European Union (Withdrawal) Act 2018.

2. Handling of Customer Data

2.a Relationship of the Parties. Customer (the controller) appoints Castor as a processor to process Personal Data: (a) for the purposes described in the Agreement, or (b) with Customer’s prior written consent (collectively the “Permitted Purpose”). If Castor becomes aware that processing for the Permitted Purpose infringes Data Protection Laws, it will promptly inform Customer. The details of the transfer and in particular the special categories of Personal Data where applicable are specified in the attached Annex A and incorporated herein by this reference.

2.b Confidentiality of Processing. Castor will treat Customer Data as Customer’s Confidential Information. Castor will protect the Customer Data in accordance with the confidentiality obligations under the Agreement.

2.c Personnel Confidentiality. Castor will ensure that: (a) only Castor personnel who must have access to the Personal Data in order to meet Castor’s obligations under the Agreement have access to the Personal Data, (b) such personnel have received appropriate training and instructions regarding processing of Personal Data, and (c) such personnel are subject to written agreements of confidentiality or are under an appropriate statutory obligation of confidentiality regarding Customer Data and other Customer Confidential Information.

2.d Primacy of this DPA. In the event of any contradiction between the DPA and the Agreement, the DPA shall prevail.

2.e Cooperation and Data Subjects' Rights. Castor will provide reasonable and timely assistance to Customer (at Customer's expense) to enable Customer to respond to: (a) any request from a data subject to exercise any of its rights under Data Protection Laws (including its rights of access, correction, objection, erasure and data portability, as applicable); and (b) any other correspondence, enquiry or complaint received from a data subject, regulator or other third party in connection with the processing of the Customer Data. If any such request, correspondence, enquiry or complaint is made directly to Castor, Castor will promptly inform Customer providing full details of the same.

2.f Customer Data Return and Disposal. Within 30 days after a written request by Customer or the termination or expiration of the Agreement, Castor will: (a) if requested by Customer, provide Customer with a copy of any Customer Data in Castor’s possession that Customer does not already have; and (b) securely destroy all Customer Data in Castor’s possession in a manner that makes such Customer Data non-readable and non-retrievable. Notwithstanding the foregoing, Castor may retain copies of Customer Data: (x) to the extent Castor has a separate legal right or obligation to retain some or all of the Customer Data; and (y) in the capacity of a Data Controller for Castor’s business operations (such as in email records, customer support or accounting records).

2.g Subprocessors

(a) Customer hereby consents to Castor’s appointment of certain third-party processors of Personal Data under this Agreement (“Subprocessors”). Castor’s current Subprocessors are listed at https://www.castordoc.com/subprocessors. Castor confirms that it:
(1) has entered (or, for future appointments, will enter) into a written agreement with each Subprocessor incorporating terms which are at least as protective of Personal Data provided by Customer as those set out in this DPA; and
(2) will update the website above with any intended changes concerning the addition or replacement of other Subprocessors, thereby giving Customer the opportunity to object to such changes. Customer’s sole recourse if it objects to a Subprocessor will be to terminate Customer’s subscription to the Service.

2.h Data Protection Impact Assessment. Castor will provide reasonable cooperation to Customer (at Customer's expense) in connection with any data protection impact assessment that Customer may be required to perform under Data Protection Laws.

3. Transfer of Personal Data Outside of the EU/EEA

3.a Consent. Castor may not transfer Personal Data to, or process such data in, a location outside of the European Economic Area or the UK without Customer’s prior written consent, except in compliance with Section 3.2 below (in each case a “Transfer”).

3.b Compliant Transfer Mechanisms. Without prejudice to the foregoing, Customer consents to Transfers where Castor has implemented a Transfer solution compliant with GDPR and UK GDPR, which for example may include: (a) where such transfer is subject to an adequacy decision by the European Commission; (b) the SCCs for the transfer of Personal Data to Processors established in third countries; (c) another appropriate safeguard pursuant to Article 46 of GDPR or equivalent safeguard under UK GDPR; or (d) a derogation pursuant to Article 49 of GDPR or equivalent derogation under UK GDPR.

4. Audit

4.a Audit. On written request from Customer, Castor shall provide written responses (on a confidential basis) to all reasonable requests for information made by Customer related to its processing of Personal Data, including responses to information security and audit questionnaires that are strictly necessary to confirm Castor’s compliance with this DPA, provided that Customer shall not exercise this right more than once in any rolling 12 month period. Notwithstanding the foregoing, Customer may also exercise such audit right in the event Customer is expressly requested or required to provide this information to a data protection authority, or Castor has experienced a Breach, or other reasonably similar basis.

5. Customer Security Measures

Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, Customer shall maintain appropriate technical and organizational measures for the protection of Customer Data, including without limitation the following:

5.a Customer Responsibilities. Customer is responsible for security relating to its environment and databases and security relating its configuration of the Services. This includes implementing and managing procedural, technical, and administrative safeguards on its software and networks sufficient to: (a) ensure the confidentiality, security, integrity, and privacy of Customer Data in transit, at rest, and in storage; (b) protect against any anticipated threats or hazards to the security and integrity of Customer Data; and (c) protect against any unauthorized processing, loss, use, disclosure or acquisition of or access to Customer Data. Notwithstanding any other provision of this DPA, the Agreement or any other agreement related to the Services, Castor will have no obligations or liability as to any breach or loss resulting from: (x) Customer’s environment, databases, systems or software, or (y) Customer’s security configuration or administration of the Services.

5.b Appropriate Permissioning. Customer is solely responsible for provisioning Users on the Software, including: (a) methods of authenticating Users (such as industry-standard secure username/password policies, two-factor authentication or SAML-supported SSO iDP); (b) restricting access by User or group, and from the database level down to the row or column level; (c) managing admin privileges; (d) deauthorizing personnel who no longer need access to the Software; (e) setting up any API usage in a secure way; and (e) regularly auditing any public access links Users create and restricting the permission to create public links, as necessary.

5.c Castor Permission to Access Customer Databases. In order to use the Software, Customer must authorize the Service to access Customer’s databases. When granting authorization, Customer must follow the principle of least privilege to Customer database information, especially by granting no more than read-only access to database data. Castor will not be responsible for any breach or loss to the extent Customer provides the Software with write or admin access to Customer’s databases.

6. Data Breach Notification and Resolution

6.a Breach Notice. If it becomes aware of a confirmed Breach, Castor shall inform Customer via email without undue delay. Castor shall further take any such reasonably necessary measures and actions to remedy or mitigate the effects of the Breach and will keep Customer informed of all material developments in connection with the Breach.

6.b Cooperation. Castor will provide reasonable information and cooperation to Customer so that Customer can fulfill any Breach reporting obligations it may have under (and in accordance with the timescales required by) Data Protection Laws.

7. Miscellaneous

7.a Data Protection Officer. Castor’s Data Protection Officer is Xavier de Boisredon and can be reached at xavier@castordoc.com.

7.b Integration with Agreement. This DPA is part of the Agreement and is governed by its terms and conditions including limitations of liability.

7.c Construction; Interpretation. This DPA and the Agreement are the complete and exclusive statement of the mutual understanding of the parties and supersede and cancel all previous written and oral agreements and communications relating to the subject matter hereof. Headings contained in this DPA are for convenience of reference only and do not form part of this DPA.

7.d Severability. If any provision of this DPA is adjudicated invalid or unenforceable, this DPA will be amended to the minimum extent necessary to achieve, to the maximum extent possible, the same legal and commercial effect originally intended by the parties. To the extent permitted by applicable law, the parties waive any provision of law that would render any clause of this DPA prohibited or unenforceable in any respect.

7.e Assignment. If the Agreement is assigned by a party in accordance with its terms, this DPA will be automatically assigned by the same party to the same assignee. This DPA may not be otherwise assigned by either party.

7.f Governing Law. This DPA will be governed by and construed in accordance with the laws of the jurisdiction governing the Agreement unless otherwise required by GDPR, in which case this DPA will be governed by the laws of the Republic of France.

APPENDIX 1: APPLICABLE STANDARD CONTRACTUAL CLAUSES AND SUPPLEMENTAL TERMS

1. Incorporation of Standard Contractual Clauses

The parties agree that the Standard Contractual Clauses are hereby incorporated by reference into this DPA as follows:

1.a Module 1: Transfer controller to controller, Clauses 1 to 6, 8 and 10 to 18 apply where Castor Processes Personal Data as a Controller, Castor and its relevant Affiliates are located in non-adequacy approved third countries, and Customer and its relevant Affiliates are established in the EEA.

1.b Module 2: Transfer controller to processor, Clauses 1 to 6 and 8 to 18 apply where Castor Processes Personal Data as a Processor, Castor and its relevant Sub-Processor Affiliates are located in non-adequacy approved third countries, and Customer and its relevant Affiliates are established in the EEA.

1.c Module 3: Transfer processor to processor, Clauses 1 to 6 and 8 to 18 apply where Castor Processes Personal Data as a Processor, Castor and its relevant Sub-Processor Affiliates are located in non-adequacy approved third countries, and Customer and its relevant Affiliates are established in the EEA.

2. Standard Contractual Clause Optional Provisions

Where the Standard Contractual Clauses identify optional provisions (or provisions with multiple options) the following shall apply in the following manner:

2.a Clause 7 (Docking Clause) is omitted;

2.b In Clause 9(a) (Use of sub-processors)  – Option 2 shall apply and the parties shall follow the process and timing agreed in the DPA to appoint sub-processors;

2.c In Clause 11(a) (Redress) – the Optional provision shall NOT apply;

2.d In Clause 16(b) (Suspension of transfers) if Castor is the data exporter it will suspend transfers of personal data only as required by law and will notify Customer as promptly as possible (before suspension if possible) so that Customer may remedy the condition requiring suspension;

2.e In Clause 17 (Governing Law) – the laws of the Republic of France shall govern; and

2.f In Clause 18 (Choice of forum and jurisdiction) – the courts of the Republic of France shall have jurisdiction.

3. Supplementary Terms to Standard Contractual Clauses

3.a Documentation and compliance. For the purposes of Clauses 8.9(b) and 8.9(e) the review and audit provisions in the Agreement and DPA shall apply.

3.b Notification and Transparency.
(a) The Parties acknowledge and agree that Castor, where required by the Standard Contractual Clauses to notify the competent supervisory authority, shall first provide Customer with the details of the notification, permitting Customer to have prior written input into the relevant notification where Customer so desires to do, and without delaying the timing of the notification unduly. 
(b) For purposes of Clause 8.2 – Module 1, Clause 8.3 – Module 2 and Clause 15.1(a), the parties agree and acknowledge that it may not be possible for Castor to make the appropriate communications to data subjects and accordingly, Customer shall (following notification by the Data Importer) have the option to be the party who communicates with the data subject, and Castor shall provide the level of assistance set out in the DPA.

3.c Liability. For the purposes of Clause 12(a), the liability of the Parties shall be limited in accordance with the limitation of liability provisions in the Agreement. 

3.d Signatories. Notwithstanding the fact that the SCCs are incorporated herein by reference without being signed directly, Castor and Customer each agrees that their execution of the Agreement is deemed to constitute its execution of the SCCs, and that it is duly authorized to do so on behalf of, and to contractually bind, the Data Exporter or Data Importer (as applicable) accordingly.

4. Swiss Law Provisions

4.a Personal Data transfers from Switzerland will be governed by the SCCs as conformed to Swiss law as follows:
(a) references to the EU, member states and GDPR in the SCCs are amended mutatis mutandis to refer to Switzerland, the Swiss Federal Data Protection Act, and the Swiss Federal Data Protection and Information Commissioner; and
(b) In Clause 17 (Governing Law) the laws of Switzerland shall govern, and in Clause 18 (Choice of forum and jurisdiction) the courts of Switzerland shall have jurisdiction.

5. United Kingdom Law Provisions

5.a Personal Data transfers from the United Kingdom will be governed by the SCCs as conformed to UK law pursuant to the International Data Transfer Addendum (the “IDTA”) issued by the UK Information Commissioner’s Office (the “ICO”) and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022.

5.b In Part 1 of the IDTA, the information required by Tables 1 – 3 is provided in the MSA, DPA and these SCCs.

5.c The IDTA’s Mandatory Clauses are incorporated by reference into this DPA in accordance with Alternative Part 2 of the template IDTA.

5.d References to the EU, member states and GDPR in the Standard Contractual Clauses are amended mutatis mutandis to refer to the United Kingdom, UK GDPR and the ICO.

5.e In Clause 17 of the Standard Contractual Clauses (Governing Law), the laws of England and Wales shall govern, and in Clause 18 (Choice of forum and jurisdiction), the courts in London, England shall have jurisdiction. A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts in the UK.

Annex A

Details of Processing

This Annex A describes the details of the processing and serves the purposes of satisfying the requirements of GDPR Article 28.‍

Subject matter, nature and purpose:‍

Castor Users are your employees that use the Product. There are two categories of data:

1. Information about Castor Users. This information about Castor Users includes end-user login/registration information for Castor Users as well as metadata about their usage.

2. The Castor Product uses a read-only connection to access the minimum amount of data needed to build your data catalog. To function as planned, it needs to retrieve the following data:

- Data model metadata (Data Warehouse schemas, tables, columns names and descriptions and DBT manifest). Castor does not need access to the Customer’s data itself

- Data Warehouse query logs. These will enable Castor platform to guide users in querying and reading the data. Queries are the only data asset that can contain Personal Data. More specifically in the “WHERE” clauses. It is worth noting that the occurrence of having a Personal Data Point is low and unstructured, given that the said point needs to be explicitly quoted in the query. The said queries (potentially containing personal data) will be retained on Castor’s server only for 90 days in their raw format. A version excluding the personal data may be retained for 365 days.

- Data Warehouse roles and access. These will enable Castor platform to let user know if they have access to given tables of the dataware

- Data Visualization Reports (name, description, users, underlying queries). These will enable Castor users to find relevant reports and understand dependencies with datasets. Castor only needs a read access on these assets

‍
Duration: For the Term of the Agreement.

‍
Data subjects: Customer employees, and where applicable contractors and agents.

‍
Categories of data

Personal data may include any category of personal data, including without limitation:

- Name

- Email address

- Cookie Information

- Device Identifiers, IP-address and other online identifiers - Account log-in details and passwords

- Telephone/mobile number

- Location Data

Cookie information and device identifiers are used to enable login, authentication and service delivery. Location data is used to enable login, authentication and service delivery.

Annex B

Technical and Organisational Measures (TOMs)

1. People

We do reference checks on all our employees and have them sign a confidentiality clause within their contract. All employees must use 1Password with MFA enabled, have their computer disk encrypted, an antivirus installed and auto-lock activated.
We do a yearly company-wide training on security and each development and management tasks, and their relative duties, follow a RACI matrix structure, allowing to segregate the roles of developing, consulting, and validating

2. Physical

Physical access to Castor facilities is protected by individual identification badges, any guest must be invited, welcomed, and accompanied at all time

3. Data

Our data hosting servers are located in Frankfurt, Germany. Data is encrypted in transit with a TLS protocol. Data at rest is encrypted as per this documentation. Only system and tech administrators can access to the data for debugging purposes. All connection to the database are logged.

‍4. Hosting & Network

We rely on the cloud provider (GCP) networks and authentication with production, staging and testing environments. We encourage our client to use IP whitelisting for Castor
Production environment is totally independent from staging and tests environments with different projects and private networks on GCP and not shared network
Outbound traffic is either channeled through GCP shared static IPs and inbound traffic goes through castor reserved static IP
Only administrators can adjust network rights. We don't allow direct connection to the production cluster and only debug access to developers to some production machines with logging of all connections
Clocks time is being inherited from virtual machine belonging to google cluster which perfom time sync using Network Time Protocol (NTP)

5. Logs

Logs are collected from the application and handled by google cloud logging. Access to the logs is granted by the system administrator and granted to developers only. Google Cloud handles multi zone redundancy for log storage. We retain a maximum of 90 days of logs

6. Availability & Resilience

We have automatic backups of production databases. We also have a replica setup for production databases for fail-over strategy: in case of failures of the leader the follower will take over: high availability on google cloud.
Backup is performed daily automatically and can be adjusted. We target a restoration under 2 hours
We have an administrator on duty who will be warned by monitoring alerts We communicate to customers about such issues and follow a restoration procedure‍

7. Security audits

We have a yearly pen test and security audit to assess vulnerabilities and an action plan. We also operate a bug bounty program to solicit independent bug and vulnerability reports.