Data Processing Addendum

Revised 25/02/2021

This Data Protection Addendum (“DPA”) forms part of:

(hereinafter collectively referred to as “Agreement”).

The parties acknowledge and accept that each Customer Affiliate may be a Controller in respect of the Personal Data and shall therefore be entitled to benefit from the terms of this DPA as if it were Customer.

1. Definitions

1.1. In this DPA, the following terms shall have the meanings set out below and cognate terms shall be construed accordingly:

(a) “Data Protection Laws” means Regulation (EU) 2016/679 (“GDPR”) together with supplementary national data protection laws in member states of the European Union, EEA countries, and all other applicable legislation relating to the processing of personal data of natural persons, together with binding guidance and codes of practice issued from time to time by relevant supervisory authorities;

(b) “EEA” means the European Economic Area;

(c) “Standard Contractual Clauses” means the standard contractual clauses for the transfer of personal data to Processors established in third countries, as approved by the European Commission in Decision 2010/87/EU, or any set of clauses approved by the European Commission which amends, replaces or supersedes these;

(d) “Customer Affiliate” means an entity that owns or controls, is owned or controlled by or is or under common control or ownership with Customer, where control is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract or otherwise;

(e) “Customer Personal Data” means any Personal Data Processed by Commvault (i) on behalf of Customer or any Customer Affiliate; or (ii) otherwise Processed by Commvault, in each case pursuant to or in connection with instructions given by Customer or any Customer Affiliate consistent with the Agreement.

(f) “Services” means Services as defined by Master Services Agreement and/or Cloud Services as defined by Metallic Cloud Storage Service Online Subscription Agreement.

1.2. The terms “Controller”, “Data Subject”, “Personal Data”, “Personal Data Breach”, “Process” and “Processor” have the same meanings as described in the Data Protection Laws and cognate terms shall be construed accordingly.

1.3. Capitalized terms not otherwise defined in this DPA shall have the meanings ascribed to them in the Agreement.

2. Roles of the Parties

Parties acknowledge and agree that with regard to the Processing of Customer Personal Data, and as more fully described in Annex 1 hereto, Customer is the Controller and Commvault is the Processor of such data, except when Customer acts as a Processor of Personal Data, in which case Commvault is a Sub-processor. Customer warrants to Commvault that Customer’s instructions, including appointment of Commvault as a Processor or Subprocessor respectively and authorization of international transfers as described in section 7 of this DPA, have been authorized by the relevant Controller.

To the extent Commvault uses or otherwise processes Personal Data subject to the GDPR or other Data Protection Laws in connection with Commvault’s legitimate business operations, Commvault will be an independent data Controller for such use and will be responsible for complying with all applicable Data Protection Laws.

3. Description of Personal Data Processing

In Annex 1 here to, the Parties have mutually set out their understanding of the Customer Personal Data to be Processed by Commvault pursuant to this DPA, as required by Article 28(3) of the GDPR. 

4. Data Processing Terms

4.1.  Commvault shall comply with all applicable Data Protection Laws in respect of its Processing of Customer Personal Data and shall not deliberately or negligently do anything to put Customer in breach of its obligations thereunder.

4.2. Commvault shall:

4.2.1. process only the types of Customer Personal Data relating to the categories of Data Subjects and solely on the documented instructions of Customer, for the purposes of providing the Services and as otherwise necessary to perform its obligations under the Agreement and this DPA  (unless required by Union or Member State law to which Commvault is subject, in which case Commvault shall inform Customer of that legal requirement before such Processing, unless that law prohibits such information on important grounds of public interest); Customer agrees that the Agreement along with the product documentation and Customer’s use and configuration of the Services, are Customer’s complete and final documented instructions to Commvault for the processing of Personal Data. Any additional or alternate instructions must be agreed by Parties in writing. Commvault shall immediately inform Customer if, in Commvault’s opinion, an instruction infringes Data Protection Laws;

4.2.2. take reasonable steps to ensure the reliability of any persons who may have access to the Customer Personal Data and ensure that they have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality, and that access is strictly limited to those persons who need to access the relevant Customer Personal Data, as strictly necessary for the purposes set out in section 4.2.1 above in the context of that person’s duties to Commvault;

4.2.3. implement and maintain the technical and organizational measures set out in the Annex 2 to the DPA and, taking into account  the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, implement, on an on-going basis, any further appropriate technical and organizational measures necessary to ensure a level of security appropriate to the risk of the Processing of Customer Personal Data in accordance with Article 32 of the GDPR;

4.2.4. not permit any third party to Process the Customer Personal Data without Customer’s prior authorization, such authorization to be conditional upon Commvault complying with the provisions of Article 28(4) of the GDPR and section 5 below;

4.2.5. promptly notify Customer of any communication from a Data Subject regarding the Processing of Customer Personal Data, or any other communication (including from a supervisory authority) relating to any obligation under the Data Protection Laws in respect of the Customer Personal Data and, taking into account the nature of the Processing, promptly provide all reasonable assistance to Commvault to respond to any such communication, including by taking all necessary technical and organizational measures for the fulfilment of Commvault’s obligation to respond to requests for the exercising of a Data Subject’s rights laid down in Chapter III GDPR;

4.2.6. notify Customer without undue delay, and in any case within 24 (twenty-four) hours, upon becoming aware of, or reasonably suspecting, any Personal Data Breach involving Customer Personal Data, such notice to include all information reasonably required by Customer to comply with its obligations under the Data Protection Laws;

4.2.7. without prejudice to any other section of this DPA, provide all reasonable assistance to Commvault in relation to its obligations pursuant to Articles 32 to 36 of the GDPR, taking into account the nature of the Processing and information available to Customer;

4.2.8. in addition to any audit rights granted pursuant to the Agreement, make available to Customer on request all information necessary to demonstrate compliance with this DPA and with the Data Protection Laws, and allow for and contribute to audits, including inspections, by Customer, or an auditor mandated by Customer; and

4.2.9. cease Processing the Customer Personal Data immediately upon the termination or expiry of the Agreement and at Commvault’s option within 30 days either return, or securely delete the Customer Personal Data and all copies of it, and in each case provide written, including electronically, certification to Customer that it has complied fully with this section 4.2.9, unless (and solely to the extent and for such period as) applicable Data Protection Laws require storage of the Personal Data.

4.3 Customer acknowledges and agrees that it is responsible for complying with all applicable laws, rules and regulations regarding Customer Personal Data subject to the Services, and that it has determined that the use of the Services is in compliance with such requirements.

5. Subprocessing

5.1. Customer acknowledges and agrees that Commvault may use Sub-processors.

5.2. Commvault shall inform the Customer in writing, including electronically, of any intended changes concerning the addition or replacement of Sub-processors at least 30 days in advance, thereby giving the Customer the opportunity to object to such changes on reasonable grounds prior to the engagement of the concerned Sub-processor(s). In such case Parties will cooperate in good faith to find a mutually acceptable resolution to address such objection. The list of Sub-processors already authorized by Commvault can be found in Annex 3.

5.3. Where Commvault engages a Sub-processor for carrying out specific processing activities on behalf of the Customer, the same or comparable (in any case however not less favorable) data protection obligations as set out in this DPA shall be imposed on that Sub-processor by way of a contract or other legal act under EU, Member State law or Data Protection Laws, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the Data Protection Laws and this DPA.

5.4. If the Sub-processor does not fulfil its data protection obligations, Commvault shall remain fully liable to the Customer as regards the fulfilment of the obligations of the Sub-processor described herein.

6. International Transfers

6.1. Where Customer Personal Data that is: (i) subject to GDPR under art. 3 of the GDPR and (ii) is processed by Commvault outside the EEA in a territory that does not deem to provide an adequate level of data protection pursuant to EU Commissions adequacy decisions, Commvault shall transfer such data subject to one of the available appropriate safeguards in accordance with art. 46 of the GDPR. For this purpose any such transfer may take place based on Standard Contractual Clauses.

6.2. The scheme referred to in section 6.1 shall also apply to Customer Personal Data:

6.2. International data transfers under Standard Contractual Clauses shall also apply to Customer Personal Data from other countries where applicable Data Protection Laws recognize Standard Contractual Clauses as a valid measure for Personal Data transfers out of those countries.

6.3. In countries where regulatory approval and/or notification is required for use of the Standard Contractual Clauses, the Standard Contractual Clauses cannot be relied upon to legitimize export of data from the country, unless Customer has the required regulatory approval and/or has notified the regulator as applicable.

6.4. In cases defined in section 6.1 and 6.2, execution of the DPA includes execution of the Standard Contractual Clauses that constitute Annex 4 to this DPA including any of its’ Appendices. For avoidance of doubt it shall be deemed that Parties have signed the Annex 4 to this DPA and Appendices thereto.

6.5. Where and to extent that scheme referred to in section 6.1 applies, if there is any conflict between this Agreement and Standard Contractual Clauses, Standard Contractual Clauses will prevail.

7. Precedence

7.1 The provisions of this DPA are supplemental to the provisions of the Agreement. In the event of inconsistencies between the provisions of this DPA and the provisions of the Agreement, the provisions of this DPA shall prevail with respect to the subject matter of this DPA.

7.2 Where and to the extent that Standard Contractual Clauses apply, if there is any conflict between this DPA and Standard Contractual Clauses, Standard Contractual Clauses will prevail.

8. Severability

8.1. The parties agree that, if any section or sub-section of this DPA is held by any court or competent authority to be unlawful or unenforceable, it shall not invalidate or render unenforceable any other section of this DPA.

9. Commencement and Termination

9.1. Execution of the Agreement includes execution of this DPA and any Annexes thereto.

9.2. This DPA shall co-term with the term of the Agreement. For the duration of the provision of Services under the Agreement, this DPA cannot be terminated unless other agreement governing the Processing of Personal Data in connection with the provision of the Services or Cloud Services under the Agreement has been agreed between the parties.

9.3. If the provision of Services is terminated, and the Customer Personal Data is deleted or returned to the Customer in accordance with section 4.2.9, the DPA may be terminated by written notice by either party.

10. Contact

With regards to issues covered by this DPA, Customer may contact Commvault using the following contacts/contact points:

customersuccess@metallic.io or;
our Global Data Governance Officer GDGO@commvault.com.

Annex 1 – Description of Processing of Customer Personal Data

Subject matter and duration of the Processing of the Personal Data

The subject matter and duration of the Processing of the Customer Personal Data are set out in the Agreement and consist of one or more of the following:

Service/Cloud ServiceSubject matterDuration
MetallicSaaS-delivered backup and recovery
eDiscovery (Data Discovery
As defined by the relevant Agreement
Metallic Cloud Storage ServicesCloud storageAs defined by the relevant Agreement
Technical SupportTroubleshooting, technical support, maintenanceAs defined by the relevant Agreement

The nature and purpose of the Processing of the Personal Data

Service/Cloud ServiceNature and purpose
Metallic1. Service provision
2. Preventing, detecting, investigating, mitigating, and repairing problems, including security incidents;
3. Preventing frauds;
4. Auditing;
5. Billing
6. Ongoing improvement (maintenance, including installing the latest updates and making improvements to the reliability, efficacy, quality and security)
7. Compliance with and enforcement of application legal requirements (e.g. maintaining records, litigation, mediation, arbitration, tax law, anti money laundering, trade sanctions, whistle-blowing, complying with data subject requests, etc.)
Metallic Cloud Storage Services1. Cloud Service provision
2. Preventing, detecting, investigating, mitigating, and repairing problems, including security incidents;
3. Preventing frauds;
4. Auditing;
5. Billing
6. Ongoing improvement (maintenance, including installing the latest updates and making improvements to the reliability, efficacy, quality and security)
7. Compliance with and enforcement of application legal requirements (e.g. maintaining records, litigation, mediation, arbitration, tax law, anti money laundering, trade sanctions, whistle-blowing, complying with data subject requests, etc.)
Technical SupportTechnical support

The categories of Data Subject to whom the Customer Personal Data relates

Service/Cloud ServiceCategories of Data Subjects
Metallic• Customer’s staff involved in managing and using Services (End users)
• Other categories based on exact use case of the Services
Metallic Cloud Storage Services• Customer’s staff involved in managing and using Services (End users)
• Other categories based on exact use case of the Cloud Services
Technical Support• Customer’s staff involved in managing and using Services and/or Cloud Services (End users)
• Other categories based on exact use case of the Cloud Services e.g. support tickets

The types of Customer Personal Data to be Processed

Service/Cloud ServiceData types
Metallic• Customer Data subject to backup – due to nature of Services and encryption involved the exact types of data Customer Personal Data cannot be conclusively established and may vary depending on the exact use case of the Services.
• CommCell ID
• Service usage information (metrics/logs)
• Credentials such as passwords, account history, password hints, and similar security information used for authentication
• Interactions with Commvault e.g. inquiries or complaints, support tickets.
• Host names and IP addresses (depending on configuration)
• File names and file paths (depending on the configuration)
Metallic Cloud Storage Services• Customer Data subject to backup – due to nature of Services and encryption involved the exact types of data Customer Personal Data cannot be conclusively established and may vary depending on the exact use case of the Services.
• CommCell ID
• Service usage information (metrics/logs)
• Credentials such as passwords, account history, password hints, and similar security information used for authentication
• Interactions with Commvault e.g. inquiries or complaints, support tickets.
• Host names and IP addresses (depending on configuration)
• File names and file paths (depending on the configuration)
Technical Support• First and last name,
• Contact information (including postal address, email, phone, fax)
• Company and/or employer
• Title and/or position
• Logs
• Data types for respectively Metallic Service or Metallic Cloud Storage Service subject to support services

Annex 2 – Technical and Organizational Measures

Description of the minimum technical and organizational security measures implemented by Commvault (the data importer)

The Technical and Organizational Security Measures

Commvault has implemented and maintains a security program that leverages a combination of the ISO/IEC 27000-series of control standards, NIST 800-30/CSF, and Information Security Forum ISF best practices.

Access Control (Physical)

Web applications, communications, and database servers of Commvault are located in secure data centers. Commvault has implemented suitable measures in order to prevent unauthorized persons from gaining access to the data processing equipment.

This is accomplished by:

  • Establishing security areas;
  • Securing the data processing equipment and personal computers;
  • Establishing access authorizations for employees and third parties, including the respective documentation;
  • Regulations/restrictions on card-keys;
  • Restricting physical access to the servers by using electronically-locked doors and separate cages within facilities (e.g., production and development);
  • Access to the data center is logged, monitored, and tracked via electronic and CCTV video surveillance by personnel; and
  • Data centers are protected by security alarm systems, and other appropriate security measures, such as user-related authentication procedures, including biometric authentication in some instances, and/or electronic access cards

Access Control (Logical)

Commvault has implemented suitable measures to prevent its data processing systems from being used by unauthorized persons.

This is accomplished by:

  • Utilizing firewall, router and VPN-based access controls to protect the private service networks and back-end-servers;
  • Continuously monitoring infrastructure security;
  • Regularly examining security risks by internal employees and third party auditors;
  • Role-based access control implemented in a manner consistent with principle of least privilege.
  • Remote access to Commvault’s network infrastructure is secured using various two-factor authentication tokens, or multi-factor authentication.
  • Access to host servers, applications, databases, routers, switches, etc., is logged.
  • Access and account management requests must be submitted through internal approval systems.
  • Access must be approved by an appropriate approving authority. In most cases, the approval for a request requires two approvals at minimum: the employee’s manager and the role approver or “owner” for the particular system or internal application.
  • Passwords must adhere to the Commvault password policy, which includes minimum length requirements, enforcing complexity and set periodic resets.
  • Password resets are handled via Commvault ticketing system. New or reset passwords are sent to the employee using internal secure, encrypted email system or by leaving a voicemail for the employee.

Commvault’s intrusion detection systems include signature-based network IDS, host-based IDS, and security incident and event management (SIEM) systems. Commvault also uses commercial and custom tools to collect and examine its application and system logs for anomalies.

Access Control to Use Systems

Persons entitled to use the systems are only able to access data within the scope and to the extent covered by their respective access permission (authorization).

This is accomplished by:

  • Employee policies and training;
  • Users have unique log in credentials — role based access control systems are used to restrict access to particular functions;
  • Monitoring activities
  • Effective and measured disciplinary actions;
  • Controlling access in compliance with the security principle of “least privilege”;
  • Internal segmentation and logical isolation of Commvault’s employees to enforce least privilege access policies;
  • Regular review of accounts and privileges (typically every 12 months depending on the particular system and sensitivity of data it provides access to);
  • Control of files, controlled and documented destruction of data; and policies controlling the retention of back-up copies

Availability

Commvault has implemented suitable measures to ensure that data is protected from accidental destruction or loss.

This is accomplished by:

  • Global and redundant infrastructure that is set up with disaster recovery;
  • Constantly evaluating data centers and Internet service providers (ISPs) to optimize performance for its customers in regards to bandwidth, latency and disaster recovery isolation;
  • Situating data centers in secure co-location facilities that are ISP carrier neutral and provide physical security, redundant power, and infrastructure redundancy;
  • Service level agreements from ISPs to ensure a high level of uptime;
  • Rapid failover capability; and
  • Commvault maintains full capacity disaster recovery (DR) sites and tests its DR centers

Transmission Control

Commvault has implemented suitable measures to prevent Personal Data from being read, copied, altered or deleted by unauthorized parties during the transmission thereof or during the transport of the data media.

This is accomplished by:

  • Use of adequate firewall and encryption technologies to protect the gateways and pipelines through which the data travels;
  • Sensitive Personal Data is encrypted during transmission using up to date versions of TLS or other security protocols using strong encryption algorithms and keys;
  • Protecting web-based access to account management interfaces by employees through encrypted TLS
  • End-to-end encryption of screen sharing for remote access, support, or real time communication;
  • Use of integrity checks to monitor the completeness and correctness of the transfer of data.

Input Control

Commvault has implemented suitable measures to ensure that it is possible to check and establish whether and by whom Personal Data have been input into data processing systems or removed.

This is accomplished by:

  • An authorization policy for the input of Personal Data into memory, as well as for the reading, alteration and deletion of such stored data;
  • Authentication of the authorized personnel;
  • Protective measures for Personal Data input into memory, as well as for the reading, alteration and deletion of stored Personal Data, including by documenting or logging material changes to account data or account settings;
  • Segregation and protection of all stored Personal Data via database schemas, logical access controls, and/or encryption;
  • Utilization of user identification credentials;
  • Physical security of data processing facilities;
  • Session time outs.

Monitoring

Commvault has implemented suitable measures to monitor, in accordance with applicable privacy laws, access restrictions of Commvault’s system administrators and to ensure that they act in accordance with instructions received.

This is accomplished by:

  • Individual appointment of system administrators;
  • Adoption of suitable measures to register system administrators’ access logs to the infrastructure and keep them secure, accurate and unmodified for a reasonable period of time;
  • Regular audits of system administrators’ activity to assess compliance with assigned tasks, the instructions received by Controller and applicable laws;
  • Keeping an updated list with system administrators’ identification details (e.g. name, surname, function or organizational area) and responsibilities.

For Technical and Organizational Measures applicable to Microsoft Azure please refer to applicable terms and documentation in particular available here: https://www.microsoft.com/en-us/trust-center/privacy

Annex 3 – Authorized Subprocessors

Name of SubprocessorDescription of ProcessingLocation of Subprocessor
Commvault Systems (India) Pvt. Ltd.Technical Support PersonnelIndia
Commvault Systems LimitedTechnical Support PersonnelUnited Kingdom
Commvault Systems (Australia) Pty. Ltd.Technical Support PersonnelAustralia
Microsoft CorporationAzure Cloud/Technical Support PlatformLocation (Azure region) based on customer selection

Annex 4 –  Standard Contractual Clauses for international transfers from controller to processor

Date of contract: [DATE WHEN CUSTOMER ACCEPTS THE AGREEMENT]

You (Customer)

(the data exporter)

 and

Name of the data importing organisation: Commvault Systems, Inc.

Address: 1 Commvault Way ,Tinton Falls, NJ 07724, USA

Telephone: +1 732-728-5310 (toll free: +1 888-746-3849)

Fax: +1 732-870-4525

Email: https://www.commvault.com/contact-us

Other information needed to identify the organisation (eg a company number): N/A

(the data importer)

Clause 1. Definitions

For the purposes of the Clauses:

(a) ‘personal data’, ‘special categories of data’, ‘process/processing’, ‘controller’, ‘processor’, ‘data subject’ and ‘supervisory authority’ shall have the same meaning as in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data;

(b) ‘the data exporter’ means the controller who transfers the personal data;

(c) ‘the data importer’ means the processor who agrees to receive from the data exporter personal data intended for processing on his behalf after the transfer in accordance with his instructions and the terms of the Clauses and who is not subject to a third country’s system ensuring adequate protection within the meaning of Article 25(1) of Directive 95/46/EC;

(d) ‘the sub-processor’ means any processor engaged by the data importer or by any other sub-processor of the data importer who agrees to receive from the data importer or from any other sub-processor of the data importer personal data exclusively intended for processing activities to be carried out on behalf of the data exporter after the transfer in accordance with his instructions, the terms of the Clauses and the terms of the written subcontract;

(e) ‘the applicable data protection law’ means the legislation protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of personal data applicable to a data controller in the Member State in which the data exporter is established;

(f) ‘technical and organisational security measures’ means those measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.

Clause 2. Details of the transfer

The details of the transfer and in particular the special categories of personal data where applicable are specified in Appendix 1 which forms an integral part of the Clauses.

Clause 3. Third-party beneficiary clause

(1) The data subject can enforce against the data exporter this Clause, Clause 4(b) to (i), Clause 5(a) to (e), and (g) to (j), Clause 6(1) and (2), Clause 7, Clause 8(2), and Clauses 9 to 12 as third-party beneficiary.

(2) The data subject can enforce against the data importer this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where the data exporter has factually disappeared or has ceased to exist in law unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity.

(3) The data subject can enforce against the sub-processor this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity. Such third-party liability of the sub-processor shall be limited to its own processing operations under the Clauses.

(4) The parties do not object to a data subject being represented by an association or other body if the data subject so expressly wishes and if permitted by national law.

Clause 4. Obligations of the data exporter

The data exporter agrees and warrants:

(a) that the processing, including the transfer itself, of the personal data has been and will continue to be carried out in accordance with the relevant provisions of the applicable data protection law (and, where applicable, has been notified to the relevant authorities of the Member State where the data exporter is established) and does not violate the relevant provisions of that State;

(b) that it has instructed and throughout the duration of the personal data-processing services will instruct the data importer to process the personal data transferred only on the data exporter’s behalf and in accordance with the applicable data protection law and the Clauses;

(c) that the data importer will provide sufficient guarantees in respect of the technical and organisational security measures specified in Appendix 2 to this contract;

(d) that after assessment of the requirements of the applicable data protection law, the security measures are appropriate to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected having regard to the state of the art and the cost of their implementation;

(e) that it will ensure compliance with the security measures;

(f) that, if the transfer involves special categories of data, the data subject has been informed or will be informed before, or as soon as possible after, the transfer that its data could be transmitted to a third country not providing adequate protection within the meaning of Directive 95/46/EC;

(g) to forward any notification received from the data importer or any sub-processor pursuant to Clause 5(b) and Clause 8(3) to the data protection supervisory authority if the data exporter decides to continue the transfer or to lift the suspension;

(h) to make available to the data subjects upon request a copy of the Clauses, with the exception of Appendix 2, and a summary description of the security measures, as well as a copy of any contract for sub-processing services which has to be made in accordance with the Clauses, unless the Clauses or the contract contain commercial information, in which case it may remove such commercial information;

(i) that, in the event of sub-processing, the processing activity is carried out in accordance with Clause 11 by a sub-processor providing at least the same level of protection for the personal data and the rights of data subject as the data importer under the Clauses;

(j) that it will ensure compliance with Clause 4(a) to (i).

Clause 5. Obligations of the data importer

The data importer agrees and warrants:

(a) to process the personal data only on behalf of the data exporter and in compliance with its instructions and the Clauses; if it cannot provide such compliance for whatever reasons, it agrees to inform promptly the data exporter of its inability to comply, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;

(b) that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the Clauses, it will promptly notify the change to the data exporter as soon as it is aware, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;

(c) that it has implemented the technical and organisational security measures specified in Appendix 2 before processing the personal data transferred;

(d) that it will promptly notify the data exporter about:

(i) any legally binding request for disclosure of the personal data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation;

(ii) any accidental or unauthorised access; and

(iii) any request received directly from the data subjects without responding to that request, unless it has been otherwise authorised to do so;

(e) to deal promptly and properly with all inquiries from the data exporter relating to its processing of the personal data subject to the transfer and to abide by the advice of the supervisory authority with regard to the processing of the data transferred;

(f) at the request of the data exporter to submit its data-processing facilities for audit of the processing activities covered by the Clauses which shall be carried out by the data exporter or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality, selected by the data exporter, where applicable, in agreement with the supervisory authority;

(g) to make available to the data subject upon request a copy of the Clauses, or any existing contract for sub-processing, unless the Clauses or contract contain commercial information, in which case it may remove such commercial information, with the exception of Appendix 2 which shall be replaced by a summary description of the security measures in those cases where the data subject is unable to obtain a copy from the data exporter;

(h) that, in the event of sub-processing, it has previously informed the data exporter and obtained its prior written consent;

(i) that the processing services by the subprocessor will be carried out in accordance with Clause 11;

(j) to send promptly a copy of any subprocessor agreement it concludes under the Clauses to the data exporter.

Clause 6. Liability

(1) The parties agree that any data subject, who has suffered damage as a result of any breach of the obligations referred to in Clause 3 or in Clause 11 by any party or sub-processor is entitled to receive compensation from the data exporter for the damage suffered.

(2) If a data subject is not able to bring a claim for compensation in accordance with paragraph 1 against the data exporter, arising out of a breach by the data importer or his sub-processor of any of their obligations referred to in Clause 3 or in Clause 11, because the data exporter has factually disappeared or ceased to exist in law or has become insolvent, the data importer agrees that the data subject may issue a claim against the data importer as if it were the data exporter, unless any successor entity has assumed the entire legal obligations of the data exporter by contract of by operation of law, in which case the data subject can enforce its rights against such entity. The data importer may not rely on a breach by a sub-processor of its obligations in order to avoid its own liabilities.

(3) If a data subject is not able to bring a claim against the data exporter or the data importer referred to in paragraphs 1 and 2, arising out of a breach by the sub-processor of any of their obligations referred to in Clause 3 or in Clause 11 because both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, the sub-processor agrees that the data subject may issue a claim against the data sub-processor with regard to its own processing operations under the Clauses as if it were the data exporter or the data importer, unless any successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law, in which case the data subject can enforce its rights against such entity. The liability of the sub-processor shall be limited to its own processing operations under the Clauses.

Clause 7. Mediation and jurisdiction

(1) The data importer agrees that if the data subject invokes against it third-party beneficiary rights and/or claims compensation for damages under the Clauses, the data importer will accept the decision of the data subject:

(a) to refer the dispute to mediation, by an independent person or, where applicable, by the supervisory authority;

(b) to refer the dispute to the courts in the Member State in which the data exporter is established.

(2) The parties agree that the choice made by the data subject will not prejudice its substantive or procedural rights to seek remedies in accordance with other provisions of national or international law.

Clause 8. Cooperation with supervisory authorities

(1) The data exporter agrees to deposit a copy of this contract with the supervisory authority if it so requests or if such deposit is required under the applicable data protection law.

(2) The parties agree that the supervisory authority has the right to conduct an audit of the data importer, and of any sub-processor, which has the same scope and is subject to the same conditions as would apply to an audit of the data exporter under the applicable data protection law.

(3) The data importer shall promptly inform the data exporter about the existence of legislation applicable to it or any sub-processor preventing the conduct of an audit of the data importer, or any sub-processor, pursuant to paragraph 2. In such a case the data exporter shall be entitled to take the measures foreseen in Clause 5(b).

Clause 9. Governing law

The Clauses shall be governed by the law of the Member State in which the data exporter is established. 

Clause 10. Variation of the contract

The parties undertake not to vary or modify the Clauses. This does not preclude the parties from adding clauses on business related issues where required as long as they do not contradict the Clauses.

Clause 11. Sub-processing

(1) The data importer shall not subcontract any of its processing operations performed on behalf of the data exporter under the Clauses without the prior written consent of the data exporter. Where the data importer subcontracts its obligations under the Clauses, with the consent of the data exporter, it shall do so only by way of a written agreement with the sub-processor which imposes the same obligations on the sub-processor as are imposed on the data importer under the Clauses3. Where the sub-processor fails to fulfil its data protection obligations under such written agreement the data importer shall remain fully liable to the data exporter for the performance of the sub-processor’s obligations under such agreement.

(2) The prior written contract between the data importer and the sub-processor shall also provide for a third-party beneficiary clause as laid down in Clause 3 for cases where the data subject is not able to bring the claim for compensation referred to in paragraph 1 of Clause 6 against the data exporter or the data importer because they have factually disappeared or have ceased to exist in law or have become insolvent and no successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law. Such third-party liability of the sub-processor shall be limited to its own processing operations under the Clauses.

(3) The provisions relating to data protection aspects for sub-processing of the contract referred to in paragraph 1 shall be governed by the law of the Member State in which the data exporter is established.

(4) The data exporter shall keep a list of sub-processing agreements concluded under the Clauses and notified by the data importer pursuant to Clause 5(j), which shall be updated at least once a year. The list shall be available to the data exporter’s data protection supervisory authority.

Clause 12. Obligation after termination

(1) The parties agree that on the termination of the provision of data-processing services, the data importer and the sub-processor shall, at the choice of the data exporter, return all the personal data transferred and the copies thereof to the data exporter or shall destroy all the personal data and certify to the data exporter that it has done so, unless legislation imposed upon the data importer prevents it from returning or destroying all or part of the personal data transferred. In that case, the data importer warrants that it will guarantee the confidentiality of the personal data transferred and will not actively process the personal data transferred anymore.

(2) The data importer and the sub-processor warrant that upon request of the data exporter and/or of the supervisory authority, it will submit its data-processing facilities for an audit of the measures referred to in paragraph 1.

Additional commercial clauses
Priority of standard contractual clauses

The Standard Contractual Clauses take priority over any other agreement between the parties, whether entered into before or after the date these Clauses are entered into.

Unless the Clauses are expressly referred to and expressly amended, the parties do not intend that any other agreement entered into by the parties, before or after the date the Clauses are entered into, will amend the terms or the effects of the Clauses, or limit any liability under the Clauses, and no term of any such other agreement should be read or interpreted as having that effect.

Appendix 1

This Appendix forms part of the Clauses.

Data exporter

The data exporter is (please specify briefly your activities relevant to the transfer):

Customer engaging Commvault to provide Services under the Agreement.

Data importer

The data importer is (please specify briefly your activities relevant to the transfer):

COMMVAULT SYSTEMS, INC. Commvault provides following services: data backup and recovery, cloud and infrastructure management, retention and compliance in on-site and SaaS model.

The data importer’s business or organisation type is:

  • IT, digital, technology and telecoms

 The data importer’s activities for the data exporter, which are relevant to the transfer are:

  • IT, digital, technology or telecom services, including provision of technology products or services, telecoms and network services, digital services, hosting, cloud and support services or software licensing

For description of the processing of Personal Data refer to Annex 1 of the DPA.

Appendix 2

This Appendix forms part of the Clauses.

Description of the technical and organizational security measures implemented by the data importer in accordance with Clauses 4(a) and 5(c) (or document / legislation attached).

For description of the importer’s security measures refer to Annex 2 of the DPA.