Surreal Cloud beta is LIVE! Get started for free.

Data Processing Agreement

Privacy

This Data Processing Agreement, including its Annexes and the SCCs (“DPA”), forms an integral part of the SurrealDB Master Services Agreement, or any other written agreement that governs Customer’s use of the Services entered into between the Customer and SurrealDB Ltd (“SurrealDB”) (the “Agreement”), and applies solely to the extent that SurrealDB processes any Customer Personal Data in connection with the Services. By agreeing to this DPA, Customer enters into this DPA on behalf of itself and, if applicable and to the extent required under Data Protection Laws, in the name and on behalf of its Affiliates. All capitalised terms not defined herein shall have the meaning set forth in the Agreement. For the purposes of the DPA only, and except where otherwise indicated, the term “Customer” shall include Customer and its Affiliates. This DPA ​​​supersedes any existing data processing terms concluded in relation to the Services and ​prevails over any conflicting term of the Agreement but does not otherwise modify the Agreement.

  1. Definitions:

    In this DPA:

    1. Consumer”, “Controller”, “Data Subject”, “Personal Data”, “Personal Data Breach”, “Processing”, “Processor”, and “Supervisory Authority” have the meaning given to them in Data Protection Law;

    2. Consumer Rights” shall be interpreted consistent with the same or similar term under Data Protection Law;

    3. Customer Personal Data” means Personal Data Processed by SurrealDB as a Processor on behalf of Customer or Third Party Controller;

    4. Data Protection Law” means the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and the e-Privacy Directive 2002/58/EC (as amended by Directive 2009/136/EC), their national implementations in the European Economic Area (“EEA”), including the European Union, and all other data protection laws of the EEA, the United Kingdom (“UK”), and collectively, all United States (“U.S. Privacy Law”) state privacy laws and their implementing regulations, that apply generally to the processing of individuals’ Personal Data and that do not apply solely to specific industry sectors (e.g., financial institutions), specific demographics (e.g., children), or specific classes of information (e.g., health or biometric information), each as applicable, and as may be amended or replaced from time to time;

    5. Data Subject Rights” means Data Subjects’ rights to information, access, rectification, erasure, restriction, portability, objection, the right to withdraw consent, and the right not to be subject to automated individual decision-making in accordance with Data Protection Law;

    6. International Data Transfer” means any disclosure of Customer Personal Data by an organisation subject to Data Protection Law to another organisation located outside the EEA, the UK, or the US

    7. Services” means the services provided by SurrealDB to Customer under the Agreement;

    8. Subprocessor” means a Processor engaged by SurrealDB to Process Customer Personal Data;

    9. SCCs” means the clauses annexed to the EU Commission Implementing Decision 2021/914 of June 4, 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council as amended or replaced from time to time;

    10. Third-Party Controller” means a Controller for which Customer is a Processor;

    11. UK Addendum” means the addendum to the SCCs issued by the UK Information Commissioner under Section 119A(1) of the UK Data Protection Act 2018 (version B1.0, in force March 21, 2022).

    12. Capitalised terms used but not defined herein have the meaning given to them in the Agreement.

  2. Scope

    1. Scope. This DPA applies to the Processing of Customer Personal Data by SurrealDB subject to Data Protection Law to provide the Services.

    2. Subject Matter. The subject matter, nature and purpose of the Processing under this DPA is the provision of the Online Services to Customer in accordance with the Agreement..

    3. Types of Customer Personal Data. The types of Customer Personal Data processed under this DPA include any Customer Personal Data uploaded to the Online Services by Customer.

    4. Categories of Data Subjects. The data subjects may include Customer’s customers, employees, suppliers, and end users, or any other individual whose personal data Customer uploads to the Cloud Services.

    5. Duration. The duration of the data processing under this DPA is until the expiration or termination of the Agreement in accordance with its terms.

    6. Roles of the Parties. Customer is a Controller and appoints SurrealDB as a Processor on behalf of Customer. Customer is responsible for compliance with the requirements of Data Protection Law applicable to Controllers. If Customer is a Processor on behalf of a Third-Party Controller, then Customer is the single point of contact for SurrealDB and must obtain all necessary authorisations from such Third-Party Controller; and undertakes to issue all instructions and exercise all rights on behalf of such other Third-Party Controller.

    7. ​​Customer acknowledges that SurrealDB may Process Personal Data relating to the operation, support, or use of the Services for its own business purposes, such as billing, account management, data analysis, benchmarking, technical support, product development, and compliance with law. SurrealDB is the Controller for such Processing and will Process such data in accordance with Data Protection Law.

  3. Instructions

    1. SurrealDB will Process Customer Personal Data to provide the Services and in accordance with Customer’s instructions as documented in this DPA and the Agreement.

    2. Customer may reasonably issue additional instructions as necessary to comply with Data Protection Law. SurrealDB may charge a reasonable mutually agreed fee to comply with any additional instructions.

    3. Unless prohibited by applicable law, SurrealDB will inform Customer if SurrealDB is subject to a legal obligation that requires SurrealDB to Process Customer Personal Data in contravention of Customer’s documented instructions.

  4. Personnel. SurrealDB will ensure that all personnel authorised to Process Customer Personal Data are subject to an obligation of confidentiality.

  5. Security and Personal Data Breaches

    1. SurrealDB shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk as set forth in the Security Addendum.

    2. Customer acknowledges that the security measures as set forth in the Security Addendum are appropriate in relation to the risks associated with Customer’s intended Processing and will notify SurrealDB prior to any intended Processing for which SurrealDB’s security measures may not be appropriate.

    3. SurrealDB will notify Customer without undue delay after becoming aware of a Personal Data Breach involving Customer Personal Data. If SurrealDB’s notification is delayed, it will be accompanied by reasons for the delay.

  6. ​​​Subprocessing

    1. ​ Customer provides a general authorisation to SurrealDB use of Subprocessors to process Customer Personal Data in accordance with this Section, including those Subprocessors listed at www.surrealdb.com/subprocessors (“Subprocessor List”). Customer acknowledges and agrees that (a) SurrealDB’s Affiliates may be retained as Subprocessors; and (b) SurrealDB’s and SurrealDB’s Affiliates respectively may engage third-party Subprocessors to provide the Services. SurrealDB or an SurrealDB Affiliate has entered into a written agreement with each Subprocessor containing, in substance, data protection obligations no less protective than those in the Agreement with respect to the protection of Personal Data to the extent applicable to the nature of the Services provided by such Subprocessor.

    2. SurrealDB shall notify Customer prior to any change to the Subprocessors List. Such notice will be sent to individuals who have signed up to receive updates to the Subprocessor List via the mechanism(s) indicated on the Subprocessor List. Customer may object to the addition of a Subprocessor based on reasonable grounds relating to a potential or actual violation of Data Protection Law by providing written notice detailing the grounds of such objection within thirty (30) days following SurrealDB’s notification of the intended change. Customer and SurrealDB will work together in good faith to address Customer’s objection.

  7. Assistance

    1. Taking into account the nature of the Processing and the information available to SurrealDB, SurrealDB will assist Customer, including, as appropriate, by implementing technical and organisational measures, with (i) the fulfilment of Customer’s own obligations under Data Protection Law to: comply with requests to exercise Data Subject Rights; (ii) conduct data protection impact assessments to the extent Customer does not otherwise have access to the relevant information, and to the extent such information is available to SurrealDB; (iii) prior consultations with Supervisory Authorities; and (iii) notification of a Personal Data Breach.

    2. SurrealDB may charge a reasonable fee for assistance under this Section 7. If SurrealDB is at fault, SurrealDB and Customer shall each bear their own costs related to assistance.

  8. Audit

    1. Upon reasonable request, SurrealDB shall make available to Customer all documentary information necessary to demonstrate compliance with the obligations of this DPA. Only to the extent (1) Customer cannot reasonably satisfy SurrealDB’s compliance with this DPA through such documentary information, and where required by Applicable Data Protection Laws or mandated by Customer’s Supervisory Authority, shall SurrealDB allow for and contribute to audits, including on-site inspections. Such onsite audits shall be no more than once per year performed by an independent auditor as agreed upon by Customer and SurrealDB. The foregoing shall only extend to those documents and facilities relevant and material to the Processing of Customer Personal Data and shall be conducted upon reasonable notice, during normal business hours, and in a manner that causes minimal disruption.

    2. SurrealDB will inform Customer if SurrealDB believes that Customer’s instruction under Section 3.1 infringes Data Protection Law. SurrealDB may suspend the audit or inspection or withhold requested information until Customer has modified or confirmed the lawfulness of the instructions in writing.

    3. SurrealDB and Customer each bear their own costs related to an audit.

  9. Consumer Rights

    1. SurrealDB shall provide commercially reasonable assistance to Customer for the fulfilment of Customer’s obligations to respond to U.S. Privacy Law-related Consumer rights requests regarding Customer Personal Data.

    2. Where applicable, Customer shall inform SurrealDB of any Consumer request made pursuant to the U.S. Privacy Laws that they must comply with. Customer shall provide SurrealDB with the information necessary for SurrealDB to comply with the request.

    3. SurrealDB shall not be required to delete any Customer Personal Data to comply with a Consumer’s request directed by Customer if retaining such information is specifically permitted by applicable U.S. Privacy Laws; provided, however, that in such case, SurrealDB will promptly inform Customer of the exceptions relied upon under applicable U.S. Privacy Laws and SurrealDB shall not use Customer Personal Data retained for any purpose other than provided for by that exception.

  10. ​​​ International Data Transfers

    1. Customer hereby authorises SurrealDB to perform International Data Transfers to any country deemed to have an adequate level of data protection by the European Commission or the competent authorities, as appropriate; on the basis of adequate safeguards in accordance with Data Protection Law; or pursuant to the SCCs and the UK Addendum referred to in Sections 10.2 and 10.3.

    2. By signing this DPA, SurrealDB and Customer conclude Module 2 (controller-to-processor) of the SCCs and, to the extent Customer is a Processor on behalf of a Third-Party Controller, Module 3 (Processor-to-Subprocessor) of the SCCs, which are hereby incorporated and completed as follows:

      • the “data exporter” is Customer; the “data importer” is SurrealDB; the optional docking clause in Clause 7 is implemented;

      • Option 2 of Clause 9(a) is implemented and the time period therein is fourteen (14) days;

      • the optional redress clause in Clause 11(a) is struck;

      • Option 1 in Clause 17 is implemented and the governing law is the law of Ireland and the courts in Clause 18(b) are the Courts of Ireland;

      • Annex I and II to Module 2 and 3 of the SCCs are Annex I and II to this DPA respectively.

      • For International Data Transfers from Switzerland,:

      • (i) Data Subjects who have their habitual residence in Switzerland may bring claims under the SCCs before the courts of Switzerland and

      • (ii) the SCCs cover Personal Data pertaining to legal entities until the entry into force of the revised Swiss Federal Act on Data Protection of 2020.

    3. In relation to transfers of Customer Personal Data protected by the UK GDPR, the SCCs as implemented under Section 10.1 above shall apply with the following modifications to Part 1:

      • (i) in Table 1, the “Exporter” is Customer and the “Importer” is SurrealDB, their details are set forth in this DPA, and the Agreement;
      • (ii) in Table 2, the first option is selected and the “Approved EU SCCs” are the SCCs referred to in Section 9.2 of this DPA;
      • (iii) in Table 3, Annexes 1 (A and B) and II to the “Approved EU SCCs” are Annex I and II respectively; and
      • (iv) in Table 4, both the “Importer” and the “Exporter” can terminate the UK Addendum.

    4. If SurrealDB’s compliance with Data Protection Law applicable to International Data Transfers is affected by circumstances outside of SurrealDB’s control, including if a legal instrument for International Data Transfers is invalidated, amended, or replaced, then Customer and SurrealDB will work together in good faith to reasonably resolve such non-compliance. In the event that additional, replacement or alternative standard contractual clauses or UK standard contractual clauses are approved by Supervisory Authorities, SurrealDB reserves the right to amend the Agreement and this DPA by adding to or replacing, the standard contractual clauses or UK standard contractual clauses that form part of it at the date of signature in order to ensure continued compliance with Data Protection Law.

  11. Liability

Notwithstanding anything to the contrary in the Agreement or this DPA and to the maximum extent permitted by law, each party’s and all of its Affiliates’ liability, taken together in the aggregate, arising out of or related to this DPA (including all Annexes hereto), the SCCs or any data protection agreements in connection with the Agreement (if any), whether in contract, tort or under any other theory of liability, shall remain subject to the limitation of liability section of the Agreement and any reference in such section to the liability of a party means the aggregate liability of that party and all of its Affiliates under the Agreement and this DPA, including all Annexes hereto. Customer agrees that any regulatory penalties incurred by SurrealDB that arise in connection with Customer’s failure to comply with its obligations under this DPA or any laws or regulations including Applicable Data Protection Laws shall reduce SurrealDBs’ liability under the Agreement as if such penalties were liabilities to Customer under the Agreement.

  1. Termination and deletion of Customer Personal Data

    1. This DPA is terminated upon the termination of the Agreement.

    2. Unless required or permitted by applicable law, SurrealDB will delete all remaining copies of Customer Personal Data within 30 calendar days after termination or expiry of the Agreement.

  2. Applicable law and jurisdiction

This DPA will be governed by and construed in accordance with the governing law and jurisdiction provisions in the Agreement, unless required otherwise by Applicable Data Protection Laws.

  1. Modification of this DPA

This DPA may only be modified by a written amendment signed by both SurrealDB and Customer.

  1. Invalidity and severability

If any provision of this DPA is found by any court or administrative body of a competent jurisdiction to be invalid or unenforceable, then the invalidity or unenforceability of such provision does not affect any other provision of this DPA and all provisions not affected by such invalidity or unenforceability will remain in full force and effect.

ANNEX I

PARTICULARS OF PROCESSING

  1. LIST OF PARTIES

    Data exporter:

    • Name: Customer (as defined above)
    • Address: See signature page above.
    • Contact person’s name, position and contact details: See signature page above.
    • Activities relevant to the data transferred under these Clauses: Customer receives SurrealDB’s services as described in the Agreement and Customer provides Personal Data to SurrealDB in that context.
    • Signature and date: See signature page above.
    • Role (controller/processor): Controller, or Processor on behalf of Third-Party Controller

    Data importer:

    • Name: SurrealDB (as defined above)
    • Address: See signature page above.
    • Contact person’s name, position and contact details: See signature page above.
    • Activities relevant to the data transferred under these Clauses: SurrealDB provides its services to Customer as described in the Agreement and Processes Personal Data on behalf of Customer in that context.
    • Signature and date: See signature page above
    • Role (controller/processor): Processor on behalf of Customer, or Subprocessor on behalf of Third-Party Controller

  2. DESCRIPTION OF INTERNATIONAL DATA TRANSFER

    Category of Data Subjects [Please only keep relevant categories and add new categories as appropriate.]
    Customer’s customers or end-users
    Customer’s personnel, staff and contractors
    [Complete]

    • Categories of Personal Data transferred:

      #Category of Personal Data [Please only keep relevant categories and add new categories as appropriate.]
      1.Contact details
      2.Customer Personal Data uploaded by Customer to the Services
      3.[Complete]

    • Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures: Not applicable.

    • The frequency of the transfer (e.g., whether the data is transferred on a one-off or continuous basis): On a continuous basis.

    • Nature of the processing: The Personal Data will be processed and transferred as described in the Agreement.

    • Purpose(s) of the data transfer and further processing: The Personal Data will be transferred and further processed for the provision of the Services as described in the Agreement.

    • The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: Personal Data will be retained for as long as necessary taking into account the purpose of the Processing, and in compliance with applicable laws, including laws on the statute of limitations and Data Protection Law.

    • For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing: For the subject matter and nature of the Processing, reference is made to the Agreement and this DPA. The Processing will take place for the duration of the Agreement.

  3. COMPETENT SUPERVISORY AUTHORITY

    • ​​​The competent authority for the Processing of Personal Data relating to Data Subjects located in the EEA is the Supervisory Authority a) of Customer’s country of establishment, or, where not applicable, b) of the country where Customer’s EU data protection representative is located, or, where not applicable, c) of one of the EEA countries where the Data Subjects are located.
    • The competent authority for the Processing of Personal Data relating to Data Subjects located in the UK is the UK Information Commissioner.
    • The competent authority for the Processing of Personal Data relating to Data Subjects located in Switzerland is the Swiss Federal Data Protection and Information Commissioner.
line