Data processing addendum

Last Updated: November 29, 2018


This Data Processing Addendum (“Data Processing Addendum” or “DPA”) is effective from November 29, 2018 (the “Effective Date”).

Elastic Projects, Inc. (“Elastic Projects”, “we”, “our”, or “us”) and the non-Elastic Projects legal entity agreeing to this DPA (“Customer”, “you”, or “your”) enter into this Data Processing Addendum by executing or accepting one or more agreements related to Elastic Projects’ provision of its Services to Customer (the “Services Agreement(s)”). “Services” will be as defined in such Services Agreement.

If we Process any personal data (each as defined below) provided by you that originates from individuals located in the EEA, this DPA will apply to the Processing of such Customer Personal Data (as defined below). If there is a conflict between any of the terms of this DPA and the terms of the applicable Services Agreement, the provisions of this DPA will govern.


Standard contractual clauses (processors)

For the purposes of this Appendix 1, references to the “data exporter” and “data importer” shall be to the Customer and to Elastic respectively (each a “party”; together “the parties”).

Clause 1
Definitions

For the purposes of the Clauses:

  1. ‘personal data’, ‘special categories of data’, ‘process/processing’, ‘controller’, ‘processor’, ‘data subject’ and ‘supervisory authority’ shall have the same meaning as in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data;
  2. ‘the data exporter’ means the controller who transfers the personal data;
  3. ‘the data importer’ means the processor who agrees to receive from the data exporter personal data intended for processing on his behalf after the transfer in accordance with his instructions and the terms of the Clauses and who is not subject to a third country’s system ensuring adequate protection within the meaning of Article 25(1) of Directive 95/46/EC;
  4. ‘the subprocessor’ means any processor engaged by the data importer or by any other subprocessor of the data importer who agrees to receive from the data importer or from any other subprocessor of the data importer personal data exclusively intended for processing activities to be carried out on behalf of the data exporter after the transfer in accordance with his instructions, the terms of the Clauses and the terms of the written subcontract;
  5. ‘the applicable data protection law’ means the legislation protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of personal data applicable to a data controller in the Member State in which the data exporter is established;
  6. ‘technical and organisational security measures’ means those measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.

Clause 2
Details of the transfer

The details of the transfer and in particular the special categories of personal data where applicable are specified in Appendix 1 which forms an integral part of the Clauses.

Clause 3
Third-party beneficiary clause

Clause 4
Obligations of the data exporter

The data exporter agrees and warrants:

Clause 5
Obligations of the data importer

The data importer agrees and warrants:

Clause 6
Liability

Clause 7
Mediation and jurisdiction

Clause 8
Cooperation with supervisory authorities

Clause 9
Governing Law

The Clauses shall be governed by the law of the Member State in which the data exporter is established.

Clause 10
Variation of the contract

The parties undertake not to vary or modify the Clauses. This does not preclude the parties from adding clauses on business related issues where required as long as they do not contradict the Clause.

Clause 11
Subprocessing

Clause 12
Obligation after the termination of personal data processing services


Appendix 1

Details of the transfer

Data exporter
The data exporter is the Customer
Data importer
The data importer is Elastic
Data subjects
The personal data transferred concern the following categories of data subjects: the Customer’s Authorized Users, and any other persons authorised by the Customer to access and use the Services, including employees and independent contractors.
Categories of data
The personal data transferred concern the following categories of data: names, email addresses, geographic locations, and any other personal data provided by the Customer in connection with its use of the Services.
Processing Operations
The personal data transferred will be subject to the following basic processing activities: transmitting, collecting, storing and analysing data in order to provide the Services to the Customer, and any other activities related to the provision of the Services or specified in the Agreement.

Appendix 2

Security Controls

The Services include customer-configurable security controls that allow Customer to tailor the security of the Services for its own use.  These controls include:

  • Unique User identifiers (User IDs) to ensure that activities can be attributed to the responsible individual.

Software Security

The Services include effective controls to prevent the classes of software vulnerabilities relevant to the Services, the design of the services, and the software languages used in the delivery of the services.  For general web applications, these vulnerability classes include, but are not limited to:

  • SQL injection
  • Cross site scripting
  • Cross site request forgery
  • Session fixation
  • Sensitive cookies permitted to be sent over insecure channels
  • Buffer overflows
  • Command injection
  • Directory traversal
  • Insecure third-party domain access and cross domain policies
  • HTTP response splitting
  • Unauthorized privilege escalation
  • Use of HTTPS using other than SSLv3 or TLS
  • Use of SSL/TLS with null ciphers or ciphers using symmetric keys of less than 128 bits in length
  • Returning verbose error information to clients
  • Exposing cryptography errors to client (e.g. incorrect padding)
  • Arbitrary redirection

Security Procedures, Policies and Logging

The Services are operated in accordance with the following procedures to enhance security:

  • User credentials or credential equivalents stored on Elastic Projects’ third party hosting services provider’s servers or in persistent cookies are not stored in a format from which the original password can be derived (e.g. plaintext, encryptions other than one-way hashes) or easily discovered by brute force attacks given knowledge of the stored representation.
  • User access log entries will be maintained, containing date, time, User ID, URL executed or entity ID operated on, operation performed (viewed, edited, etc.) and source IP address.  Customer acknowledges that source IP address might not be available if NAT (Network Address Translation) or PAT (Port Address Translation) is used by Customer or its ISP.
  • Logging will be kept for a minimum of 90 days.
  • Logging will be kept in a secure area to prevent tampering.
  • Passwords are not logged under any circumstances.

Intrusion Detection

Elastic Projects, or an authorized third party, will monitor the Services for unauthorized intrusions using network-based intrusion detection mechanisms.

User Authentication

Access to the Services requires a valid User ID and password combination, which are encrypted via SSL while in transmission.  A random session ID cookie greater than or equal to 128 bits in length is used to uniquely identify each User.

Security Logs

Elastic Projects shall ensure that all Elastic Projects systems, including firewalls, routers, network switches and operating systems, log information to their respective system log facility or a centralized syslog server (for network systems) in order to enable the security audits referred to herein.

Incident Management

Elastic Projects maintains security incident management policies and procedures, including detailed security incident escalation procedures.  Elastic Projects will promptly notify Customer in the event Elastic Projects becomes aware of an actual or reasonably suspected unauthorized disclosure of Customer Data.

Right to Audit Reports of Security Procedures

Elastic Projects agrees that at least once per year and after any security incident in which Customer Data is accessed by or disclosed to a third party, it will: (a) undergo an industry accepted third party audit or assessment and, upon request from Customer, furnish evidence of successful completion of the audit or assessment; and (b) make commercially reasonable efforts to remediate any critical and high severity issues identified during any third party audit, assessments, and/or penetration tests in a timely manner.

SOC 2 Report

Subject to reasonable confidentiality obligations consistent with generally accepted industry practices regarding such report, once per year during the term of the Agreement Elastic Projects will, upon request, provide Customer with a SOC 2 Report from Elastic Projects’ third-party hosting services provider. The provision of such SOC 2 Report will be considered to fulfill the requirements of Clauses 5(f) and 12(2) of the Standard Contract Clauses.

Physical Security

Elastic Projects’ third-party hosting services provider maintains data centers that have an access system that controls access to the data center.  Such controls are designed to ensure that this system permits only authorized personnel to have access to secure areas.  Elastic Projects’ third party hosting services provider’s facility is also designed to withstand adverse weather and other reasonably predictable natural conditions, and is secured by guards and access screening.

Reliability and Backup

All networking components, SSL accelerators, load balancers, Web servers and application servers are configured in a redundant configuration.  All Customer Data is stored on a primary database server that is clustered with a backup database server for redundancy.  All Customer Data is stored on carrier-class disk storage using RAID disks and multiple data paths.  All Customer Data, up to the last committed transaction, is automatically backed up on a regular basis.

Disaster Recovery

Elastic Projects has a disaster recovery facility or facilities that are geographically remote, along with required hardware, software, and Internet connectivity, in the event Elastic Projects production facilities at the primary data center were to be rendered unavailable.

Viruses

Elastic Projects will make commercially reasonable efforts to ensure that the Services will not introduce any viruses to Customer’s systems.  Customer will make commercially reasonable efforts to ensure that content uploaded into the Services by Customer will not introduce any viruses into Elastic Projects’ systems.

Data Encryption

Elastic Projects uses industry accepted encryption products to protect Customer Data and communications during transmissions between Customer’s network and the Services, including minimum HTTPS TLS 256 bit. Elastic Projects will encrypt data at rest using industry standard algorithms.

System Changes and Enhancements

Elastic Projects plans to enhance and maintain the Services during the term of the Agreement.  Security controls, procedures, policies and features may change or be added.  Elastic Projects will provide security controls that deliver a level of security protection that is not materially lower than that provided as of the Effective Date.