Data Processing Addendum ("DPA")

Based on the General Data Protection Regulation (GDPR) and European Commission
Decision 2010/87/EU - Standard Contractual Clauses (Processors)

This Data Processing Addendum (“DPA”) forms part of the Entromy End User License
Agreement (or other such titled written or electronic agreement addressing the same subject
matter) between Entromy LLC (“Entromy”) and Customer for the purchase of Entromy
services from ENTROMY (identified collectively either as the “Service” or otherwise in the
applicable agreement, and hereinafter defined as the “Service”), wherein such agreement is
hereinafter defined as the “Agreement,” and whereby this DPA reflects the parties’ agreement
with regard to the Processing of Personal Data. Customer enters into this DPA on behalf of
itself and, to the extent required under applicable Data Protection Laws and Regulations, in
the name and on behalf of its Authorized Affiliates, if and to the extent ENTROMY processes
Personal Data for which such Authorized Affiliates qualify as the Controller. All capitalized
terms not defined herein shall have the meaning set forth in the Agreement. In providing the
Service to Customer pursuant to the Agreement, ENTROMY may Process Personal Data on
behalf of Customer, and the parties agree to comply with the following provisions with
respect to any Personal Data.


INSTRUCTIONS ON HOW TO EXECUTE THIS DPA WITH ENTROMY


1. This DPA consists of distinct parts: this body and its set of definitions and provisions, the
Standard Contractual Clauses, and Appendices 1-3.
2. This DPA has been pre-signed on behalf of Entromy LLC, as the data importer.
3. To complete this DPA, Customer must: (a) Complete the information in the signature box
and sign on Page 8. (b) Complete the information as the data exporter on Page 9. (c) Complete
the information in the signature box and sign on Pages 17, 19, 20 and 21.
4. Customer must send the completed and signed DPA to Entromy by email to
privacy@entromy.com. Upon receipt of the validly-completed DPA by ENTROMY at this
email address, this DPA shall come into effect and legally bind the parties.

APPLICATION OF THIS DPA


If the Customer entity signing this DPA is a party to the Agreement, then this DPA is an
addendum to, and forms part of, the Agreement. In such case ENTROMY is party to this
DPA.


If the Customer entity signing this DPA is neither a party to an Order Form nor the
Agreement, then this DPA is not valid and therefore is not legally binding. Such entity should
request that the Customer entity who is a party to the Agreement executes this DPA.


DPA DEFINITIONS


“Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under
common control with the Customer entity signing this Agreement, or with Entromy LLC, as
the case may be. "Control," for purposes of this definition, means direct or indirect
ownership or control of more than 50% of the voting interests of the subject entity.
“Authorized Affiliate” means any of Customer's Affiliate(s) which (a) is subject to the data
protection laws and regulations of the European Union, the European Economic Area and/or
their member states, Switzerland and/or the United Kingdom, and (b) is permitted to use the
Service pursuant to the Agreement between Customer and ENTROMY, but has not signed
its own Order Form with ENTROMY and is not a "Customer" as defined under the
Agreement.
“Controller” means the entity which determines the purposes and means of the Processing of
Personal Data.
“Customer Data” means all electronic data submitted by or on behalf of Customer, or an
Authorized Affiliate, to the Service.
“Data Protection Laws and Regulations” means all laws and regulations, including laws and
regulations of the European Union, the European Economic Area and their member states,
Switzerland and the United Kingdom, applicable to the Processing of Personal Data under the
Agreement.
“Data Subject” means the identified or identifiable person to whom Personal Data relates.
“GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council
of 27 April 2016 on the protection of natural persons with regard to the processing of personal
data and on the free movement of such data, and repealing Directive 95/46/EC (General Data
Protection Regulation).
“Personal Data” means any information relating to (i) an identified or identifiable natural
person and, (ii) an identified or identifiable legal entity (where such information is protected
similarly as personal data or personally identifiable information under applicable Data
Protection Laws and Regulations), where for each (i) or (ii), such data is Customer Data.
“Processing” (including its root word, “Process”) means any operation or set of operations
which is performed upon Personal Data, whether or not by automatic means, such as
collection, recording, organization, structuring, storage, adaptation or alteration, retrieval,
consultation, use, disclosure by transmission, dissemination or otherwise making available,
alignment or combination, restriction, erasure or destruction.
“Processor” means the entity which Processes Personal Data on behalf of the Controller.
“Trust & Compliance Documentation” means the Documentation applicable to the specific
Service purchased by Customer, as may be updated periodically, and accessible via
ENTROMY’s website at www.entromy.com or as otherwise made reasonably available by
ENTROMY.
“ENTROMY” means the ENTROMY entity which is a party to this DPA, as specified in the
section “Application of this DPA” above, being Entromy LLC, a limited liability company
incorporated in the State of Delaware and having its primary address at One Boston Place, Suite
2600, Boston, MA 02108, or an Affiliate of ENTROMY, as applicable.
“ENTROMY Group” means ENTROMY and its Affiliates engaged in the Processing of
Personal Data.
“Standard Contractual Clauses” means the agreement executed by and between Customer and
ENTROMY and included herein, pursuant to the European Commission’s decision
(C(2010)593) of 5 February 2010 on Standard Contractual Clauses for the transfer of personal
data to processors established in third countries which do not ensure an adequate level of data
protection.
“Sub-processor” means any Processor engaged by ENTROMY or a member of the
ENTROMY Group.
“Supervisory Authority” means an independent public authority which is established by an
EU Member State pursuant to the GDPR.

DPA TERMS


ENTROMY and the signatory below at the address below (“Customer”) hereby enter into
this DPA effective as of the last signature date below. This DPA is incorporated into and
forms part of the Agreement.
1. Provision of the Service. ENTROMY provides the Service to Customer under
the Agreement. In connection with the Service, the parties anticipate that ENTROMY
may Process Customer Data that contains Personal Data relating to Data Subjects.
2. The Parties’ Roles. The parties agree that with regard to the Processing of Personal
Data, Customer is the Controller, ENTROMY is the Processor, and that ENTROMY or
members of the ENTROMY Group may engage Sub-processors pursuant to the requirements
of this DPA.
3. Customer Responsibilities. Customer shall, in its use of the Service, Process
Personal Data in accordance with the requirements of Data Protection Laws and Regulations.
For the avoidance of doubt, Customer’s instructions for the Processing of Personal Data shall
comply with Data Protection Laws and Regulations. Customer shall have sole responsibility
for the accuracy, quality, and legality of Personal Data and the means by which Customer
acquired Personal Data.
4. Processing Purposes. ENTROMY shall keep Personal Data confidential and shall
only Process Personal Data on behalf of and in accordance with Customer’s documented
instructions for the following purposes: (i) Processing in accordance with the Agreement and
applicable Order Form(s); (ii) Processing initiated by Users in their use of the Service; and
(iii) Processing to comply with other documented, reasonable instructions provided by
Customer (for example, via email) where such instructions are consistent with the terms of the
Agreement. ENTROMY shall not be required to comply with or observe Customer’s
instructions if such instructions would violate the GDPR or other EU law or EU member state
data protection provisions.
5. Scope of Processing. The subject-matter of Processing of Personal Data by
ENTROMY is the performance of the Service pursuant to the Agreement. The duration of the
Processing, the nature and purpose of the Processing, the types of Personal Data and
categories of Data Subjects Processed under this DPA are further specified in Appendix 1 to
this DPA.
6. Data Subject Requests. To the extent legally permitted, ENTROMY shall promptly
notify Customer if it receives a request from an EEA Data Subject for access to, correction,
amendment or deletion of that person’s Personal Data. ENTROMY shall not respond to any
such EEA Data Subject request without Customer’s prior written consent except to confirm
that the request relates to Customer. ENTROMY shall provide Customer with commercially-
reasonable cooperation and assistance in relation to handling an EEA Data Subject’s request
for access to that person’s Personal Data. To the extent Customer, in its use of the Service,
does not have the ability to correct, block or delete Personal Data, as required by the Standard
Contractual Clauses, ENTROMY shall comply with any commercially-reasonable request by
Customer to facilitate such actions to the extent ENTROMY is legally permitted to do so.
Customer shall be responsible for any costs arising from ENTROMY’s provision of such
assistance.
7. Post-GDPR Data Subject Requests. Effective from 25 May 2018, the following
wording will replace the immediately-preceding section number 6 in its entirety: To the extent
legally permitted, ENTROMY shall promptly notify Customer if ENTROMY receives a
request from a Data Subject to exercise the Data Subject's right of access, right to
rectification, restriction of Processing, erasure (“right to be forgotten”), data portability,
object to the Processing, or its right not to be subject to an automated individual decision
making (“Data Subject Request”). Taking into account the nature of the Processing,
ENTROMY shall assist Customer by appropriate organizational and technical measures,
insofar as this is possible, for the fulfilment of Customer’s obligation to respond to a Data
Subject Request under Data Protection Laws and Regulations. In addition, to the extent
Customer, in its use of the Service, does not have the ability to address a Data Subject
Request, ENTROMY shall, upon Customer’s request, provide commercially-reasonable
efforts to assist Customer in responding to such Data Subject Request, to the extent that
ENTROMY is legally authorized to do so, and the response to such Data Subject Request is
required under Data Protection Laws and Regulations. To the extent
legally permitted, Customer shall be responsible for any costs arising from ENTROMY’s
provision of such assistance.
8. ENTROMY Personnel. ENTROMY shall ensure that its personnel engaged in the
Processing of Personal Data are informed of the confidential nature of the Personal Data,
have received appropriate training regarding their responsibilities, and have executed written
confidentiality agreements. ENTROMY shall take commercially-reasonable steps to ensure
the reliability of any ENTROMY personnel engaged in the Processing of Personal Data.
ENTROMY shall ensure that ENTROMY’s access to Personal Data is limited to those
personnel assisting in the provision of the Service in accordance with the Agreement.
9. Data Protection Officer. Effective from 25 May 2018, ENTROMY shall have
appointed, or shall appoint, a data protection officer if and whereby such appointment is
required by Data Protection Laws and Regulations. Any such appointed person may be reached
at privacy@entromy.com.
10. ENTROMY’s Sub-processors. Customer has instructed or authorized the use of Sub-
processors to assist ENTROMY with respect to the performance of ENTROMY's obligations
under the Agreement and ENTROMY agrees to be responsible for the acts or omissions of
such Sub-processors to the same extent as ENTROMY would be liable if performing the
services of the Sub-processors under the terms of the Agreement. Upon written request of the
Customer, ENTROMY will provide to Customer a list of its then-current Sub-processors.
Customer acknowledges and agrees that (a) ENTROMY’s Affiliates may be retained as Sub-
processors; and (b) ENTROMY and ENTROMY’s Affiliates respectively may engage third-
party Sub-processors in connection with the provision of the Service. On ENTROMY’s
Agreements webpage, Customer may find a mechanism to subscribe to notifications of new
Sub-processors for each applicable Service, to which Customer shall subscribe, and if
Customer subscribes, ENTROMY shall provide notification of a new Sub-processor(s)
before authorizing any new Sub-processor(s) to process Personal Data in connection with the
provision of the applicable Service. In order to exercise its right to object to ENTROMY’s use
of a new Sub-processor, Customer shall notify ENTROMY promptly in writing within
ten (10) business days after receipt of ENTROMY’s notice in accordance with the mechanism
set out above. In the event Customer objects to a new Sub-processor, and that objection is not
unreasonable, ENTROMY will use reasonable efforts to make available to Customer a change
in the Service or recommend a commercially-reasonable change to Customer’s configuration
or use of the Service to avoid Processing of Personal Data by the objected-to new Sub-
processor without unreasonably burdening the Customer. If ENTROMY is unable to make
available such change within a reasonable time period, which shall not exceed thirty (30) days,
Customer may terminate the applicable Order Form(s) with respect only to those aspects of the
Service which cannot be provided by ENTROMY without the use of the objected-to new Sub-
processor by providing written notice to ENTROMY. ENTROMY will refund Customer any
prepaid fees covering the remainder of the term of such Order Form(s) following the effective
date of termination with respect to such terminated Service. The parties agree that the copies
of the Sub-processor agreements that must be provided by ENTROMY to Customer pursuant
to Clause 5(j) of the Standard Contractual Clauses may have all commercial information, or
clauses unrelated to the Standard Contractual Clauses or their equivalent, removed by
ENTROMY beforehand; and, that such copies will be provided by ENTROMY, in a manner
to be determined in its discretion, only upon request by Customer.
11. Liability for Sub-processors. ENTROMY shall be liable for the acts and
omissions of its Sub-processors to the same extent ENTROMY would be liable if
performing the services of each Sub-processor directly under the terms of this DPA,
except as otherwise set forth in the Agreement.
12. Security Measures. ENTROMY shall maintain appropriate organizational and
technical measures for protection of the security (including protection against unauthorized
or unlawful Processing, and against unlawful or accidental destruction, alteration or damage
or loss, unauthorized disclosure of, or access to, Customer Data), confidentiality, and
integrity of Customer Data, as set forth in ENTROMY’s applicable Trust & Compliance
Documentation. ENTROMY regularly monitors compliance with these measures.
ENTROMY will not materially decrease the overall security of the Service during
Customer’s and/or Authorized Affiliates’ subscription term.
13. Third-Party Certifications and Audit Results. ENTROMY has attained the
third-party certifications and audit results set forth in the Trust & Compliance
Documentation. Upon Customer’s written request at reasonable intervals, and subject to
the confidentiality obligations set forth in the Agreement, ENTROMY shall make
available to Customer a copy of ENTROMY’s then most recent third-party certifications
or audit results, as applicable.
14. Notifications Regarding Customer Data. ENTROMY has in place reasonable and
appropriate security incident management policies and procedures, as specified in the Trust &
Compliance Documentation and shall notify Customer without undue delay after becoming
aware of the unlawful or accidental destruction, alteration or damage or loss, unauthorized
disclosure of, or access to, Customer Data, including Personal Data, transmitted, stored or
otherwise Processed by ENTROMY or its Sub-processors of which ENTROMY becomes
aware (hereinafter, a “Customer Data Incident”), as required to assist the Customer in
ensuring compliance with its obligations to notify the Supervisory Authority in the event of
Personal Data breach. ENTROMY shall make reasonable efforts to identify the cause of such
Customer Data Incident, and take those steps as ENTROMY deems necessary and reasonable
in order to remediate the cause of such a Customer Data Incident, to the extent that the
remediation is within ENTROMY’s reasonable control. The obligations set forth herein shall
not apply to incidents that are caused by either Customer or Customer’s Users.
15. Return of Customer Data. ENTROMY shall return Customer Data to Customer
and, to the extent allowed by applicable law, delete Customer Data in accordance with the
procedures and time periods specified in the Trust & Compliance Documentation, unless the
retention of the data is requested from ENTROMY according to mandatory statutory laws.
16. Authorized Affiliates. The parties agree that, by executing the DPA, the Customer
enters into the DPA on behalf of itself and, as applicable, in the name and on behalf of its
Authorized Affiliate(s), thereby establishing a separate DPA between ENTROMY and each
such Authorized Affiliate, subject to the provisions of the Agreement. Each Authorized
Affiliate agrees to be bound by the obligations under this DPA and, to the extent applicable,
the Agreement. An Authorized Affiliate is not and does not become a party to the
Agreement, and is only a party to the DPA. All access to and use of the Service by
Authorized Affiliate(s) must comply with the terms and conditions of the Agreement and any
violation thereof by an Authorized Affiliate shall be deemed a violation by Customer.
17. Communications. The Customer that is the contracting party to the Agreement shall
remain responsible for coordinating all communication with ENTROMY under this DPA,
and shall be entitled to transmit and receive any communication in relation to this DPA on
behalf of its Authorized Affiliate(s).
18. Exercise of Rights. Where an Authorized Affiliate becomes a party to the DPA, it
shall to the extent required under applicable Data Protection Laws and Regulations be entitled
to exercise the rights and seek remedies under this DPA, except where applicable Data
Protection Laws and Regulations require the Authorized Affiliate to exercise a right or seek
any remedy under this DPA against ENTROMY directly by itself, the parties agree that (i)
solely the Customer that is the contracting party to the Agreement shall exercise any such
right or seek any such remedy on behalf of the Authorized Affiliate, and (ii) the Customer
that is the contracting party to the Agreement shall exercise any such rights under this DPA in
a combined manner for all of its Authorized Affiliates together, instead of doing so
separately for each Authorized Affiliate.
19. Liability. Each party’s and all of its Affiliates’ liability, taken together in the
aggregate, arising out of or related to this DPA, and all DPAs between Authorized Affiliates
and ENTROMY, whether in contract, tort or under any other theory of liability, is subject to
the ‘Limitation of Liability’ section of the Agreement, and any reference in such section to the
liability of a party means the aggregate liability of that party and all of its Affiliates under the
Agreement and all DPAs together. ENTROMY's and its Affiliates’ total liability for all
claims from the Customer and all of its Authorized Affiliates arising out of or related to the
Agreement and each DPA shall apply in the aggregate for all claims under both the
Agreement and all DPAs established under this Agreement, including by Customer and all
Authorized Affiliates, and shall not be understood to apply individually and severally to
Customer and/or to any Authorized Affiliate that is a contractual party to any such DPA.
Each reference to the DPA herein means this DPA including its Appendices.
20. GDPR. Effective from 25 May 2018, ENTROMY will Process Personal Data in
accordance with the GDPR requirements directly applicable to ENTROMY's provision of
the Service.
21. Data Protection Impact Assessment. Effective from 25 May 2018, upon Customer’s
request, ENTROMY shall provide Customer with reasonable cooperation and assistance
needed to fulfil Customer’s obligation under the GDPR to carry out a data protection impact
assessment related to Customer’s use of the Service, to the extent Customer does not
otherwise have access to the relevant information, and to the extent such information is
available to ENTROMY. ENTROMY shall provide reasonable assistance to Customer in the
cooperation or prior consultation with the Supervisory Authority in the performance of its
tasks relating to Section 21 of this DPA, to the extent required under the GDPR.
22. Standard Contractual Clauses. The Standard Contractual Clauses apply to (i) the
legal entity that has executed the Standard Contractual Clauses as a data exporter and its
Authorized Affiliates and, (ii) all Affiliates of Customer established within the European
Economic Area, Switzerland and the United Kingdom, which have signed Order Forms for
the Service. For the purpose of the Standard Contractual Clauses the aforementioned entities
shall be deemed “data exporters.”
23. Customer’s Processing Instructions. This DPA and the Agreement are Customer’s
complete and final instructions at the time of signature of the Agreement to ENTROMY for
the Processing of Personal Data. Any additional or alternate instructions must be agreed upon
separately. For the purposes of Clause 5(a) of the Standard Contractual Clauses, the following
is deemed an instruction by the Customer to process Personal Data: (a) Processing in
accordance with the Agreement and applicable Order Form(s); (b) Processing initiated by
Users in their use of the Service and (c) Processing to comply with other reasonable
instructions provided by Customer (e.g., via email) where such instructions are consistent
with the terms of the Agreement.
24. Audits. The parties agree that the audits described in Clause 5(f) and Clause 12(2) of
the Standard Contractual Clauses shall be carried out in accordance with the following
specifications: following Customer’s written request, and subject to the confidentiality
obligations set forth in the Agreement, ENTROMY shall make available to Customer
information regarding ENTROMY’s compliance with the obligations set forth in this DPA
in the form of the third-party certifications and audits set forth in the Trust & Compliance
Documentation, to the extent that ENTROMY makes them generally available to its
customers.
Customer may contact ENTROMY in accordance with the “Notices” Section of the
Agreement to request an on-site audit of the procedures relevant to the protection of
Personal Data.
Customer shall reimburse ENTROMY for any time expended for any such on-site audit at the
ENTROMY Group’s then-current professional services rates, which shall be made available
to Customer upon request. Before the commencement of any such on-site audit, Customer
and Okta shall mutually agree upon the scope, timing, and duration of the audit in addition to
the reimbursement rate for which Customer shall be responsible. All reimbursement rates
shall be reasonable, taking into account the resources expended by ENTROMY. Customer
shall promptly notify ENTROMY and provide information about any actual or suspected
non-compliance discovered during an audit. The provision in this section shall by no means
derogate from or materially alter the provisions on audits as specified in the Standard
Contractual Clauses.
25. Data Deletion. The parties agree that the certification of deletion of Personal Data
that is described in Clause 12(1) of the Standard Contractual Clauses shall be provided by
ENTROMY to Customer only upon Customer’s request.
26. Order of Precedence. This DPA is incorporated into and forms part of the
Agreement. For matters not addressed under this DPA, the terms of the Agreement apply. With
respect to the rights and obligations of the parties vis-à-vis each other, in the event of a conflict
between the terms of the Agreement and this DPA, the terms of this DPA will control. In the
event of a conflict between the terms of the DPA and the Standard Contractual Clauses, the
Standard Contractual Clauses will prevail.