This Data Processing Addendum ("DPA") is entered into as an addendum to the agreement (hereinafter “Agreement”) between Partner and Black Duck Software, Inc. on behalf of itself and its Affiliates (“Black Duck”). Each party is a "Party" and together, the "Parties". This DPA applies in connection with the Partner’s participation in the Black Duck Lead Distribution Program (“Program”). The Parties agree that notwithstanding anything to the contrary, the obligations, rights, and liabilities, if any, stemming from this DPA shall be enforceable only between Black Duck, Inc. and the Partner unless otherwise specified in the Agreement. In the event of any conflict between the terms of this DPA and any other term of the Agreement, the terms of this DPA shall prevail with regard to the subject matter herein.
1. DEFINITIONS
1.1 "Applicable Data Protection Law" means all data protection and privacy laws applicable to each respective Party in connection with the processing of Personal Data under this DPA, which may include the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“General Data Protection Regulation” or “GDPR”), the California Consumer Privacy Act ("CCPA"), and any other applicable privacy laws and regulations.
1.2 "Business" or “Controller” means the entity that determines the purposes and means of Processing Personal Data.
1.3 "Data Subject" means an identified or identifiable natural person whose Personal Data is Processed pursuant to the Agreement.
1.4 "Personal Data" means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.
1.5 “Processed” means any set of operations that are performed on Personal Data or on sets of Personal Data, whether or not by automated means.
2. ROLES OF THE PARTIES
2.1 The Parties acknowledge that, in relation to Personal Data Processed pursuant to the Agreement, each Party acts as a separate and independent controller.
3. DATA PROCESSING TERMS
3.1 Each Party shall comply with Applicable Data Protection Law as it relates to their Processing of Personal Data under this DPA.
3.2 Partner shall implement appropriate security measures to protect Personal Data against unauthorized access, loss, destruction, or disclosure where such is consistent with Applicable Data Protection Law.
3.3 Each Party shall be responsible for responding to Data Subject requests and regulatory inquiries relating to its respective Processing of Personal Data.
4. CROSS-BORDER DATA TRANSFERS
4.1. International Data Transfers from the EEA
4.1.1 To the extent that the Partner receives or otherwise processes Personal Data that is subject to the EU General Data Protection Regulation (Regulation (EU) 2016/679) ("EU GDPR") from Black Duck in the EEA and such processing involves a Restricted Transfer to a country outside the EEA that does not benefit from an adequacy decision, the Parties agree that they shall comply with the obligations set out in the Standard Contractual Clauses for controller-to-controller transfers, as approved by the European Commission in Decision (EU) 2021/914 of 4 June 2021 ("EU SCCs"). "Restricted Transfer" means a transfer of Personal Data to a country or territory outside the European Economic Area (EEA) or the United Kingdom (UK), which is not subject to an adequacy decision under Article 45 of the EU GDPR or the UK GDPR (as applicable), and which would be unlawful in the absence of appropriate safeguards under Chapter V of the EU GDPR or the UK GDPR.
4.1.2 The Parties agree that for the purposes of the EU SCCs:
(i) Module 1 (Controller-to-Controller) shall apply;
(ii) Black Duck is the “data exporter” and the Partner is the “data importer”;
(iii) Clause 7 (Docking Clause) shall apply;
(iv) Clause 11 (Redress) shall not apply;
(v) Clause 17 (Governing Law) shall be the laws of Ireland;
(vi) Clause 18 (Choice of Forum and Jurisdiction) shall be the courts of Ireland;
(vii) Annexes I and II of the EU SCCs shall be populated as set out in Schedule A to this DPA.
4.2. International Data Transfers from the UK
4.2.1 To the extent that the Partner receives or otherwise processes Personal Data that is subject to the UK General Data Protection Regulation ("UK GDPR") from Black Duck in the UK, and such processing involves a Restricted Transfer to a country outside the UK that does not benefit from an adequacy regulation, the Parties agree that the EU SCCs as outlined in Clause 1 above shall apply and are incorporated by reference, subject to the following modifications to reflect the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, issued by the UK Information Commissioner’s Office under Section 119A of the Data Protection Act 2018 (the “UK Addendum”):
(i) The EU SCCs are varied in accordance with Part 2 (Mandatory Clauses) of the UK Addendum;
(ii) The importer and exporter shall complete the information required by Tables 1 to 4 of Part 1 of the UK Addendum, as set out in Schedule B to this DPA;
(iii) In the event of any inconsistency between the EU SCCs and the UK Addendum, the terms of the UK Addendum shall prevail to the extent required by UK Data Protection Law.
4.3. DPA-SCCs Conflict
In the event of any conflict or inconsistency between the terms of this DPA and the EU SCCs (including as amended by the UK Addendum), the terms of the EU SCCs (as so amended) shall prevail with respect to Personal Data transferred pursuant to the EU SCCs (including the UK Addendum).
4.4. Additional DPA Mechanisms
If and to the extent a transfer of Personal Data to a third country requires a data transfer mechanism not currently addressed in this DPA, the parties shall cooperate in good faith to implement an appropriate and legally valid transfer mechanism to ensure compliance with applicable Data Protection Laws. Black Duck may incorporate additional transfer mechanisms to this DPA including those required for additional jurisdictions from time to time.
5. MODIFICATION
Black Duck may update this DPA if necessary to comply with changes in law or regulatory requirements (“Updates”). Such Updates shall become effective upon publication and shall not increase liabilities or materially increase the compliance burden of this DPA.
Schedule A – Annexes I and II to the EU SCCs (Module 2)
Annex I – A. List of Parties
Data Exporter
Name: Black Duck Software, Inc. or Black Duck Affiliate
Address: 800 District Ave #101, Burlington, MA 01803 or Black Duck Affiliate address
Data Importer
Name: Partner name as specified in the Agreement
Address: Partner address as specified in the Agreement
Contact: Partner point of contact in the Agreement unless the Agreement or DPA identifies another point of contact for this purpose
Role: Processor
Annex I - B. Description of the Transfer
Categories of data subjects:
Categories of personal data transferred:
Sensitive data transferred:
Frequency of the transfer:
Nature of the processing:
Purpose(s) of the data transfer and further processing:
Retention period:
Annex I – C. Competent Supervisory Authority
Ireland
Annex II – Technical and Organizational Measures
Each Party agrees to implement and maintain, for the duration of the data transfer and subsequent processing, technical and organizational measures appropriate to the risk associated with the processing of personal data, in accordance with Article 32 of the GDPR. The specific measures outlined below shall be implemented where appropriate, taking into account the nature, scope, context, and purposes of processing, as well as the risks to the rights and freedoms of natural persons.
1. Access Control: Unique user IDs, strong password policies, role-based access. Access rights reviewed regularly.
2. Data Encryption: TLS in transit; industry-standard encryption at rest where feasible.
3. Data Minimization & Retention: Only necessary data processed; retention per policy/legal requirements.
4. Physical Security: Controlled access to premises.
5. Monitoring & Logging: Logging of access and activity, protected against tampering.
6. Incident Response: An incident response plan with concrete and reasonable action items to be taken.
7. Staff Training & Confidentiality: Data protection training and confidentiality obligations for personnel.
8. Data Integrity & Availability: Backup and disaster recovery measures where appropriate.
Schedule B – UK Addendum Tables (as required by the UK IDTA Addendum)
This Schedule B forms part of the UK Addendum to the EU Standard Contractual Clauses incorporated into this DPA between the Partner and Black Duck. The signing of the Agreement shall constitute agreement to the EU SCCs and the UK IDTA Addendum.
Table 1: Parties
Start Date | Effective Date of the Agreement
Exporter | Black Duck Software, Inc. or Black Duck Affiliate
Exporter Address | 800 District Ave #101, Burlington, MA 01803 or Black Duck Affiliate Address
Exporter Contact Details | CPO, Dataprivacy@blackduck.com
Exporter Role | Controller
Importer | Partner
Importer Address | Partner Address as identified in the Agreement
Importer Contact Details | Partner point of contact in the Agreement unless the Agreement or DPA identifies another point of contact for this purpose
Importer Role | Processor
Table 2: Selected SCCs, Modules and Selected Clauses
Addendum EU SCCs | The version of the approved EU SCCs included in this DPA
Modules | Module 1 – Controller to Controller
Table 3: Appendix Information
This is a summary of the information set out in Annexes I-II of the EU SCCs (see Schedule A of this DPA).
Annex 1(A): List of Parties | As detailed in Table 1 above
Annex 1(B): Description of Transfer | See Annex I-B of Schedule A to the DPA
Annex 1(C): Competent Supervisory Authority | UK Information Commissioner’s Office (ICO)
Annex 2: Technical and Organizational Measures | See Annex II of Schedule A to the DPA
Table 4: Ending the Addendum when the Approved SCCs Change
Neither Party may end the Addendum as set out in Section 19 of the UK Addendum if the EU SCCs change.