Data Processing Agreement

Great Expectations Data Processing Agreement

This Data Processing Agreement (“DPA”) supplements any online or other terms of service, privacy policy, or written agreement (collectively the “Agreement”) between Great Expectations Labs, Inc. (“Great Expectations”) and you or the entity or organization that you represent (“Customer” or “you”), each on behalf of themselves and their Affiliates (together, the “Parties”). This DPA governs the processing of any Personal Information that Customer may make accessible to Great Expectations and is effective as of the Agreement’s effective date (“Effective Date”).

1. Precedence; Survival

Terms not defined in this DPA or in applicable Data Protection Laws, have the meaning assigned to them in the Agreement. In the event of any conflict or inconsistency, this DPA supersedes and prevails over any conflicting terms in the Agreement. The provisions of this DPA survive any termination of the Agreement to the extent necessary.

2. Definitions

2.1 "Controller” means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Information.

2.2 “Data Protection Laws” means all applicable legislation relating to data protection and privacy including without limitation the EU Data Protection Directive 95/46/EC and all local laws and regulations which amend or replace any of them, including the GDPR and the UK GDPR, together with any national implementing laws in any Member State of the European Union or, to the extent applicable, in any other country, as amended, repealed, consolidated or replaced from time to time.

2.3 “Data Subject” means the individual to whom Personal Information relates.

2.4 “GDPR” means the General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.

2.5 “Processing” means any operation or set of operations which is performed on Personal Information, encompassing the collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, or erasure of Personal Information.

2.6 “Processor” means a natural or legal person, public authority, agency, or other body which processes Personal Information on behalf of a Controller.

2.7 “Sensitive Information” means a class of Personal Information including (a) social security number, passport number, driver’s license number, or similar identifier, (b) credit or debit card number (other than truncated digits), financial information, banking account numbers or passwords, (c) employment, financial, genetic, biometric or health information, (d) racial, ethnic, political or religious affiliation, trade union membership, or information about sexual life or sexual orientation, (e) account passwords, (f) criminal history, or (g) any other information or combinations of information that falls within the definition of “special categories of data” under GDPR or any other applicable Data Protection Law. Great Expectations will not Process or transfer any Sensitive Information unless specifically instructed by Customer; provided, however, that any transfer or request by Customer for Great Expectations to Process Sensitive Information, whether implicit or explicit, constitutes Customer’s assent for Great Expectations to Process Sensitive Information.

2.8 “Standard Contractual Clauses” means Regulation (EU) 2016/679 of the European Parliament and the Council approved by Commission Implementing Decision (EU) 2021/914 of 4 June 2021.

2.9 “Subprocessor” means a natural or legal person, public authority, agency or other body engaged by a Processor who has or may potentially have access to Personal Information, or processes Personal Information.

2.10 “UK GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27th April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018.

2.11 “UK Transfer Addendum” means the addendum pursuant to the International Commissioner's Office decision of February 2, 2022 implementing the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, Version B1.0, in force 21 March 2022.

3. Details of Processing

3.1 Classification of the Parties. To the extent that Great Expectations Processes Personal Information, Great Expectations is deemed a Processor. For the purposes of this DPA and the Agreement, Customer is deemed a Controller. Further, Great Expectations is the data importer and Customer is the data exporter.

3.2 Categories of Data Subjects. Customer may submit, transfer, or grant access to, Personal Information to Great Expectations, or direct Great Expectations to Process Personal Information as part of the Services, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to Data Subjects including Customer employees, contractors, collaborators, customers, prospects, suppliers, agents, and subcontractors.

3.3 Categories of Personal Information. Personal Information, the extent of which is determined and controlled by Customer in its sole discretion, including but not limited to name, address, phone number, email address and associated email data, navigational data (including website usage information), system usage data, and other electronic data submitted, stored, sent, or received by Customer, or the Customer end users, including where applicable Sensitive Information.

3.4 Sensitive Information. The Parties do not anticipate the transfer of Sensitive Information. Customer is in sole control over any Sensitive Information it requests Great Expectations to Process.

3.5 Frequency of Transfer. Great Expectations will Process Personal Information on a continuous basis for the duration of the Agreement, subject to limiting provisions in this DPA.

3.6 Purpose of the Processing. Great Expectations will Process Personal Information for purposes of providing the Services, as further instructed by Customer in its use of the Services, and otherwise agreed to in the Agreement. For the avoidance of doubt, Customer completely controls the amount of Personal Information Processed by Great Expectations, including controlling what Processing occurs on Customer’s systems compared to what Personal Information is Processed through Great Expectations’ cloud.

3.7 Retention. Great Expectations will Process Personal Information for the duration of the Agreement, subject to other limited provisions of this DPA.

4. Customer Responsibility

Within the scope of the Agreement and in its use of Great Expectations’ Services, Customer shall be solely responsible for complying with the statutory requirements relating to the Data Protection Laws, in particular regarding the disclosure and transfer of Personal Information to Great Expectations and the Processing of Personal Information. For the avoidance of doubt, Customer’s instructions for the Processing of Personal Information must comply with Data Protection Laws. This DPA is Customer’s complete and final instruction to Processor in relation to Personal Information and that additional instructions outside the scope of this DPA would require prior written agreement between the Parties. Instructions must initially be specified in the Agreement and may, from time to time thereafter, be amended, amplified, or replaced by Customer in separate written instructions (as individual instructions).

Customer shall inform Great Expectations without undue delay and comprehensively about any errors or irregularities related to statutory provisions on the Processing of Personal Information by Great Expectations, including if Customer’s instructions or transfer of Personal Information to Great Expectations violate Data Protection Laws.

5. Great Expectations Obligations

5.1 Compliance with Instructions. The Parties acknowledge that Customer is the Controller of Personal Information and Great Expectations is the Processor of Personal Information. Great Expectations shall Process Personal Information only within the scope of Customer’s instructions. If Great Expectations believes that an instruction of Customer violates Data Protection Laws, it will immediately inform Customer without delay. If Great Expectations cannot process Personal Information in accordance with the instructions due to a legal requirement under any applicable Data Protection Laws, Great Expectations will (i) promptly notify Customer of that legal requirement before the relevant Processing to the extent permitted by Data Protection Laws; and (ii) cease all Processing (other than merely storing and maintaining the security of the affected Personal Information) until such time as Customer issues new instructions with which Great Expectations is able to comply. If this provision is invoked, Great Expectations will not be liable to Customer under the Agreement for any failure to perform the applicable services until such time as Customer issues new instructions in regard to the Processing.

5.2 Security. Great Expectations shall take the appropriate technical and organizational measures to adequately protect Personal Information against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Information, described under Exhibit C.

5.3 Confidentiality. Great Expectations shall ensure that any personnel whom Great Expectations authorizes to process Personal Information on its behalf is subject to confidentiality obligations with respect to that Personal Information. The undertaking to confidentiality continues after the termination of the above-entitled activities.

5.4 Personal Information Breaches. Great Expectations will notify Customer without undue delay, and at least within the time required by Data Protection Laws, after it becomes aware of any Personal Information Breach affecting any Personal Information. At Customer’s reasonable request, Great Expectations will promptly provide Customer with all reasonable assistance necessary to enable Customer to notify relevant Personal Information Breaches to competent authorities or affected Data Subjects, if Customer is required to do so under the Data Protection Laws.

5.5 Deletion or Retrieval of Personal Information.

Other than to the extent required to comply with Data Protection Laws, following termination or expiration of the Agreement, Great Expectations will delete or return all Personal Information (including copies thereof) Processed pursuant to this DPA. If Great Expectations is unable to delete Personal Information for technical or other reasons, Great Expectations will apply reasonable measures to ensure that Personal Information is blocked from any further Processing.

Customer shall, upon termination or expiration of the Agreement and by way of issuing an instruction, stipulate, within a period of time set by Great Expectations, the reasonable measures to return Personal Information or to delete stored Personal Information. Customer shall pay any additional cost arising in connection with the return or deletion of Personal Information after the termination or expiration of the Agreement.

5.6 Data Protection Impact Assessments and Consultation with Supervisory Authorities. To the extent that the required information is available to Great Expectations and Customer does not otherwise have access to the required information, Great Expectations will provide reasonable assistance to Customer with any data protection impact assessments, and prior consultations with supervisory authorities or other competent data privacy authorities, which Customer reasonably considers to be required by Article 35 or 36 of the GDPR or equivalent provisions of any Data Protection Laws, in each case solely in relation to the processing of Personal Information.

6. Data Subject Requests

Great Expectations will provide reasonable assistance to Customer in responding to requests from Data Subjects to exercise their rights under applicable Data Protection Laws. If such request is made directly to Great Expectations, Great Expectations will promptly inform Customer and will advise Data Subjects to submit their request to Customer. Customer is solely responsible for responding to any Data Subjects’ requests.

7. Audits

Great Expectations shall, in accordance with Data Protection Laws and in response to a reasonable written request by Customer, make available to Customer such information in Great Expectations’ possession or control related to Great Expectations’ compliance with the obligations of data processors under Data Protection Laws in relation to its Processing of Personal Information.

Customer may, upon written request and at least thirty (30) days’ written notice to Great Expectations, during regular business hours and without interrupting Great Expectations’ business operations, allow for a mutually agreed upon third-party auditor to conduct an inspection of Great Expectations’ business operations solely to determine Great Expectations’ compliance with this DPA.

Great Expectations shall, upon Customer written request and on at least thirty (30) days’ written notice to Great Expectations, provide Customer with all information necessary for such audit, to the extent that such information is within Great Expectations’ control and Great Expectations is not precluded from disclosing it by applicable law, a duty of confidentiality, or any other obligation owed to a third party.

8. Subprocessors

8.1 Appointment of Subprocessors. Customer acknowledges (a) the engagement as Subprocessors of Great Expectations’ Affiliates and the third parties listed, if any, at Exhibit D, and (b) that Great Expectations and its Affiliates respectively may engage third-party Subprocessors in connection with the provision of the Services. Great Expectations may add to or delete from the list of Subprocessors at any time, and Customer’s consent extends to any third parties added thereto. For the avoidance of doubt, the above authorization constitutes Customer’s general authorization to the subprocessing by Great Expectations for purposes of Clause 9(a), option 2 of the Standard Contractual Clauses.

Where Great Expectations engages Subprocessors, Great Expectations will enter into a contract with the Subprocessor that imposes on the Subprocessor the same or substantially similar obligations that apply to Great Expectations under this DPA. Where the Subprocessor fails to fulfill its data processing obligations, Great Expectations remains liable to Customer for the performance of such Subprocessors obligations.

Where a Subprocessor is engaged, Customer must be granted the right to monitor and inspect the Subprocessor’s activities in accordance with this DPA and Data Protection Laws, including to obtain information from Great Expectations, upon written request, on the substance of the contract and the implementation of the data protection obligations under the subprocessing contract, where necessary by inspecting the relevant contract documents.

The provisions of this Section mutually apply if Great Expectations engages a Subprocessor in a country outside the European Economic Area (“EEA”) or the United Kingdom ("UK"), not recognized by the European Commission or UK government, respectively, as providing an adequate level of protection for Personal Information. If, in the performance of this DPA, Great Expectations transfers any Personal Information to a Subprocessor located outside of the EEA or UK, Great Expectations shall, in advance of any such transfer, ensure that a legal mechanism in respect of that Processing is in place.

8.2 Current Processor List and Notification or Objection to New Subprocessors. If Great Expectations intends to engage Subprocessors other than the companies listed on the Subprocessors list in Exhibit D, Great Expectations will notify Customer in writing. Upon receiving such notification, Customer may object to any Subprocessors within thirty (30) days after any addition. The objection must be based on reasonable grounds. If Great Expectations and Customer are unable to resolve such objection, either Party may terminate the Agreement by providing written notice to the other Party.

9. Data Transfers

Customer acknowledges that, in connection with the performance of the Services under the Agreement, Personal Information will be transferred to Great Expectations in the United States and to its Subprocessors. Great Expectations may access and perform Processing of Personal Information on a global basis as necessary to provide the Services.

The Standard Contractual Clauses apply with respect to Personal Information that is transferred outside the EEA, either directly or via onward transfer, to any country not recognized by the European Commission as providing an adequate level of protection for Personal Information (as described in the Data Protection Laws). Details of the Standard Contractual Clauses are attached as Exhibit A.

The UK Transfer Addendum applies with respect to Personal Information that is transferred outside the UK, either directly or via onward transfer, to any country not recognized by the International Commissioner’s Office as providing an adequate level of protection for Personal Information (as described in the Data Protection Laws). Details of the UK Transfer Addendum are attached as Exhibit B.

To the extent that Customer or Great Expectations are relying on a specific statutory mechanism to normalize international data transfers and that mechanism is subsequently revoked or held in a court of competent jurisdiction to be invalid, Customer and Great Expectations shall cooperate in good faith to pursue a suitable alternate mechanism that can lawfully support the transfer.

10. Disposition of Personal Information

At your request (by emailing info@greatexpectations.io) or within sixty (60) days after termination of the Agreement, whichever is sooner, Great Expectations shall delete or return to you all Personal Information, including any Personal Information subcontracted to a third party for Processing, except as required by applicable law. At that time, with respect to Personal Information that Great Expectations is required by applicable law to retain, Great Expectations will isolate and protect Personal Information from further Processing, except as required by applicable law. Great Expectations will use commercially reasonable efforts to ensure that any Subprocessors who are in possession of Personal Information will also comply with this provision. Great Expectations’ obligation under this Section does not apply to Anonymized Information that Great Expectations can continue to use for any legal purpose.

11. Confidentiality

Great Expectations will keep Personal Information strictly confidential and ensure that any employees, Subprocessors, or other agents who have access to Personal Information (1) are informed of and subject to this strict duty of confidentiality; (2) access and Process only such Personal Information as is strictly necessary to perform Great Expectations’ obligations under the Agreement; and (3) not permit any person to Process Personal Information who is not subject to the foregoing duties.

12. Security

Great Expectations will at all times take reasonable measures to ensure that Personal Information is adequately protected in accordance with the requirements of the Data Protection Laws. To this end, Great Expectations will implement appropriate technical and organizational measures to protect Personal Information from security incidents. These measures are described in Exhibit C attached to this DPA.

When Great Expectations becomes aware of any security incident, which consists of the unpermitted, accidental, or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to any of Personal Information, Great Expectations will inform Customer without any undue delay, and in no event longer than forty-eight (48) business hours after discovery of the security incident. Great Expectations will cooperate reasonably with Customer and provide information to fulfill Customer’s data breach obligations under the Data Protection Laws. Great Expectations will also take additional measures and actions, in its sole discretion or as required by Data Protection Laws, that are necessary to remedy or mitigate the effects of the security incident, and keep Customer informed of every material development connected with the security incident. Except as required by law, Great Expectations will not take action to notify Data Subjects of any security incident.

13. Adoption of DPA into Agreement

We have adopted this DPA and made it effective through the Agreement into which Customer entered with Great Expectations. No further execution of the DPA is necessary; provided, however, that if under any Data Protection Law a separate, signed document is necessary, the Parties shall execute a version of this DPA. The signature lines used for the Agreement are incorporated for Annex I.A of the Standard Contractual Clauses.

Exhibit A

Details of the Standard Contractual Clauses

When applicable, the Parties fully incorporate the Standard Contractual Clauses, including the following options and provisions:

A. Applicable Module

Based on the nature of the Services, the module indicated below applies:

Module One (Controller to Controller)

Module Two (Controller to Processor)

Module Three (Processor to Processor)

Module Four (Processor to Controller)

B. Options

For each module, where applicable, the Parties agree on the following options:

1. Clause 7: the optional docking clause does not apply.

2. Clause 9(a): Option 2 applies. “ten (10) business days” replaces [Specify time period].

3. Clause 11: the optional language does not apply.

4. Clause 13(a): The data exporter is considered established in an EU Member State.

5. Clause 17: Option 1 applies; Ireland law governs.

6. Clause 18(b): The courts of Ireland have jurisdiction.

C. Data Exporter & Importer

Pursuant to Annex I, Part A, the Parties have identified the data exporter and data importer in Section 13 of the DPA.

D. Description of Transfer

Pursuant to Annex I, Part B, the Parties agree that the data transfers are consistent with the descriptions noted in Section 3 of the DPA.

E. Competent Supervisory Authority

For the purposes of Annex I, Part C of the Standard Contractual Clauses, the country in which the Data Exporter is established, if applicable, shall determine the competent supervisory authority.

F. Security of Processing

For the purposes of Annex II of the Standard Contractual Clauses, Exhibit C describes the required Technical and Organizational Measures Including Technical and Organizational Measures to Ensure the Security of the Data. 

Exhibit B

Details of the UK Transfer Addendum

This Exhibit forms part of the DPA and supplements the Standard Contractual Clauses, pursuant to the International Commissioner's Office decision of February 2, 2022 implementing the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, Version B1.0, in force 21 March 2022.

Part 1 is as follows:

(a) The information required on Table 1 is found in Section 13 of the DPA.
(b) The information required on Table 2 is found on Exhibit A.
(c) The information required on Table 3 is found on Exhibit A.
(d) Table 4 is Data importer.

Part 2 is as follows:

Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section ‎‎18 of those Mandatory Clauses.

Exhibit C

Security Measures

Great Expectations utilizes Amazon Web Services (“AWS”) and relies to a great extent on the technical security measures adopted by AWS. In addition to the security measures adopted by AWS, and to the extent data processing activities occur outside the AWS system, Great Expectations has implemented the following technical and organizational measures to ensure the security of Client Data:  

1. Employees are only allowed access to tasks assigned to them.  

2. We ensure that all computers processing personal data (including computers with remote access) are password protected, both after booting up and when left, even for a short period.

3. We assign individual user passwords for authentication.

4. We only grant system access to our authorized personnel and strictly limit their access to applications required for those personnel to fulfill their specific responsibilities.

5. We have implemented a password policy that prohibits the sharing of passwords, outlines procedures to follow after disclosure of a password, and requires that passwords be changed regularly.

6. We ensure that passwords are always stored in encrypted form.

7. We have adopted procedures to deactivate user accounts when an employee, agent, or administrator leaves the company or moves to another responsibility within the company.

8. We have established rules for the safe and permanent destruction of data that are no longer required.

9. Except as necessary for the provision of the Services, Client Data cannot be read, copied, modified or removed without authorization during transfer or storage.

10. We encrypt data during any transmission.

11. We are able to retrospectively examine and establish whether and by whom Client Data has been entered into data processing systems, modified or removed.

12. We log administrator and user activities.

13. We process the personal data received from different clients so that in each step of the processing the Client can be identified and so that data is always physically or logically separated.

14. We create back-up copies stored in protected environments.

15. We perform regular restore tests from our backups.

16. We have created business recovery strategies.

17. We do not use personal data for any purpose other than what have been contracted to perform.

18. We do not remove Client Data from our business computers or premises for any reason (unless you have specifically authorised such removal for business purposes).

19. We ensure that each computer system runs a current anti-virus solution.

20. We have designated a responsible person to perform the functions of a data protection officer.

21. We have obtained the written commitment of our employees to maintain confidentiality and to comply with our requirements under the DPA and the GDPR.

22. We regularly train our staff on data privacy and data security.

Exhibit D

List of Subprocessors