Last modified on October 18, 2024
This Data Processing Addendum (“DPA”) forms part of and is subject to the agreement, whether written or electronic, between Customer (as defined below) and ClickHouse (as defined below) for the Services (as defined in Section 1 below) (collectively, the “Agreement”). For the purposes of this DPA, “ClickHouse” means the entity identified as “ClickHouse” on an Order Form or in the Agreement and “Customer” means the entity or individual identified as “Customer” on an Order Form or the entity or individual identified in the Agreement as registering to use Services.
This DPA describes the commitments of ClickHouse and the Customer (each a “party” and together, the “parties”) concerning the processing of Personal Data in connection with the provision of one or more ClickHouse Cloud offerings contemplated by the applicable Agreement. Capitalized terms not defined in this DPA have the meaning set forth in the Services Agreement.
1 Definitions
1.1 “Applicable Data Protection Laws” means European Data Protection Laws and the California Privacy Act of 2018, as amended by the California Privacy Rights Act (California Civil Code §§ 1798.100 et seq.) (“CCPA”), as the same may be amended, superseded or replaced.
1.2 “Authorized Affiliate” means an Affiliate (as defined in the Agreement) of Customer who has not signed an Order Form but acts as a controller or processor for the Customer Personal Data processed by ClickHouse pursuant to the Agreement, for so long as such entity remains a Customer Affiliate.
1.3 “Customer Personal Data” means any Personal Data processed by ClickHouse on behalf of Customer as a service provider or processor (as applicable) in connection with any ClickHouse software-as-a-service offering, as more particularly described in Section 3.6 of this DPA.
1.4 “Data Privacy Framework” means the EU-U.S. Data Privacy Framework, the UK-U.S. extension to the EU-U.S. Data Privacy Framework and the Swiss-US Data Privacy Framework as set forth by the U.S. Department of Commerce.
1.5 “EEA” means any countries that are parties to the European Economic Area and Switzerland.
1.6 “European Data Protection Laws” means: (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) (“GDPR”); (ii) Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector, as amended by Directive 2009/136/EC (“e-Privacy Directive”); (iii) any applicable national implementations of (i) and (ii); (iv) the Swiss Federal Data Protection Act of 19 June 1992 and its Ordinance; and (v) in respect of the United Kingdom (“UK”), the UK GDPR, and (vi) any applicable national legislation that replaces or converts in domestic law the GDPR, e-Privacy Directive or any other law relating to data and privacy, in each case as the same may be amended, superseded or replaced.
1.7 "Standard Contractual Clauses" or “SCCs” means the standard contractual clauses as adopted by the EU Commission by means of the Implementing Decision EU 2021/914 of June 4, 2021 found at https://commission.europa.eu/publications/standard-contractual-clauses-international-transfers_en
1.8 “Personal Data” means any information that relates to an identified or identifiable natural person and which is protected as "personal data", "personal information" or "personally identifiable information" under Applicable Data Protection Laws.
1.9 “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Customer Personal Data.
1.10 “Services” means any ClickHouse software-as-a-service offering made available by ClickHouse to Customer under an Agreement, and any other services provided by ClickHouse to Customer under such Agreement, including but not limited to support and technical service.
1.11 “Sub-Processor” means any processor engaged by ClickHouse or its Affiliates to process Customer Data. Sub-processors may include third parties or ClickHouse Affiliates.
1.12 “UK Addendum” means the international data transfer addendum to the SCCs issued by the Information Commissioner for Parties making a transfer of personal data from the United Kingdom to any other country which is not deemed adequate under Article 46 of the UK GDPR.
1.13 “UK GDPR” means the GDPR, as implemented by Section 3 of the United Kingdom’s European Union (Withdrawal) Act of 2018 and supplemented by the Data Protection Act of 2018.
1.14 The terms “controller”, “processor” and “processing” shall have the meanings given to them in the GDPR, and “process”, “processes” and “processed” shall be interpreted accordingly; and the terms “business”, “service provider”, “sell” and “share” shall have the meanings given to them in the CCPA.
2 Scope and Applicability of this DPA. This DPA applies where and only to the extent that ClickHouse processes Customer Personal Data on behalf of Customer as a processor (or, with respect to the CCPA, as a service provider) in the course of providing the Services.
3 Roles and Scope of Processing
3.1 Role of the Parties. As between ClickHouse and Customer, ClickHouse shall process Customer Personal Data only as a processor (or sub-processor) acting on behalf of Customer and, with respect to CCPA, as a service provider, in each case, regardless of whether Customer acts as a controller or as a data processor on behalf of a third-party controller with respect to Customer Personal Data.
3.2 Scope of Processing. ClickHouse certifies that it will not (i) "sell" or “share” Customer Personal Data; (ii) retain, use or disclose Customer Personal Data outside of the direct business relationship between Customer and ClickHouse or for any purpose other than as permitted under the Agreement (including this DPA) or for purposes otherwise agreed in writing or permitted by the CCPA; or (iii) combine Customer Personal Data with Personal Data that ClickHouse collects or receives from another person. ClickHouse and Customer acknowledge and agree that the disclosure of Customer Personal Data by Customer to ClickHouse does not constitute a “sale.” Customer agrees that ClickHouse may de-identify or aggregate Customer Personal Data in the course of providing the Service to Customer.
3.3 Customer Instructions. ClickHouse shall process Customer Personal Data only for the purposes described in the Agreement and in accordance with Customer's documented lawful instructions and Applicable Data Protection Laws. The parties agree that the Agreement and applicable Order Form (including this DPA) set out the Customer's complete and final instructions to ClickHouse in relation to the processing of Customer Personal Data. Without prejudice to Section 3.4 (Customer Responsibilities), ClickHouse shall notify Customer in writing, unless prohibited from doing so under Applicable Data Protection Laws, if it becomes aware or believes that any data processing instructions from Customer violate Applicable Data Protection Laws or if ClickHouse determines that it can no longer meet its obligations under Applicable Data Protection Laws. Customer has the right, upon notice, to take reasonable and appropriate steps to stop and remediate ClickHouse’s unauthorized use of Customer Personal Data.
3.4 Customer Responsibilities. Customer is responsible for the lawfulness of Customer Personal Data processing under or in connection with the Services. Customer shall (i) have provided, and will continue to provide all notices and have obtained, and will continue to obtain, all consents, permissions and rights necessary under Applicable Data Protection Laws for ClickHouse to lawfully process Customer Personal Data for the purposes contemplated by the Agreement (including this DPA); (ii) make appropriate use of the Services to ensure a level of security appropriate to the particular content of the Customer Personal Data, such as pseudonymizing and backing-up Customer Personal Data; (iii) have complied with all Applicable Data Protection Laws applicable to the collection of Customer Personal Data and the transfer of such Customer Personal Data to ClickHouse and its Sub-processors; and (iv) ensure its processing instructions comply with applicable laws (including Applicable Data Protection Laws). Where applicable, Customer shall be responsible for any communications, notifications, assistance and/or authorizations that may be required in connection with any third-party controllers for whom Customer acts as a processor (and ClickHouse a sub-processor).
3.5 Customer Affiliates. ClickHouse’s obligations set forth in this DPA shall also extend to Authorized Affiliates, subject to the following conditions:
3.5.1 Customer shall be responsible for Authorized Affiliates’ compliance with this DPA. Any and all acts and/or omissions by an Authorized Affiliate with respect to this DPA shall be deemed the acts and/or omissions of Customer; and
3.5.2 Authorized Affiliates shall not bring a claim directly against ClickHouse. If an Authorized Affiliate seeks to assert a legal demand, action, suit, claim, proceeding or otherwise against ClickHouse (an “Authorized Affiliate Claim”): (i) Customer must bring such Authorized Affiliate Claim directly against ClickHouse on behalf of such Authorized Affiliate, unless Applicable Data Protection Laws require the Authorized Affiliate be a party to such claim; and (ii) all Authorized Affiliate Claims shall be considered claims made by Customer and shall be subject to any liability restrictions set forth in the Agreement, including damages disclaimer and any aggregate limitation of liability.
3.6 Details of Processing. Details of processing by ClickHouse are set forth below:
3.6.1 Subject Matter of Processing. Customer Personal Data that Customer elects to transfer to ClickHouse to be processed for the provision, receipt and/or use of the applicable Services as set forth in the Agreement.
3.6.2 Frequency and Duration of Processing. For the duration of the Services or for so long as Customer grants ClickHouse access to process the Customer Personal Data, as applicable. Notwithstanding expiration or termination of the applicable Order Form or the Agreement, ClickHouse shall continue to process Customer Personal Data until such Customer Personal Data is deleted or Customer removes ClickHouse's access to process such Customer Personal Data. The period for which Customer Personal Data will be retained and the criteria used to determine that period shall be determined by Customer during the term of the Agreement. Upon termination or expiration of the Agreement, Customer may retrieve or delete all Customer Personal Data as set forth in the Agreement. Any Customer Personal Data not deleted by Customer shall be deleted by ClickHouse promptly upon the later of (i) expiration or termination of the Agreement and (ii) expiration of any post-termination “retrieval period” set forth in the Agreement.
3.6.3 Nature of Processing. Customer Personal Data that Customer elects to transfer to ClickHouse to be processed for the provision, receipt and/or use of the applicable Services as set forth in the Agreement.
3.6.4 Purpose of Processing. The operation, support, use or provisioning of the Services as set out in the Agreement and compliance with applicable laws.
3.6.5 Categories of Data Subjects. Categories of data subjects are as determined by Customer. Includes natural persons whose Personal Data Customer elects to transfer to ClickHouse for processing for the provision, receipt and/or use of the applicable Services as set forth in the Agreement. These may include but are not limited to: (i) prospects, customers, business partners and vendors of Customer (who are natural persons); (ii) employees or contact persons of Customer’s prospects, customers, business partners and vendors; and/or (iii) employees, agents, advisors, freelancers of Customer (who are natural persons).
3.6.6 Type of Personal Data. Type of Personal Data is as determined by Customer subject to such restrictions as may be set forth in the Agreement. Includes Personal Data types that are included in data that Customer transfers to ClickHouse for processing for the provision, receipt and/or use of the applicable Services as set forth in the Agreement. These may include but are not limited to: (i) name, address, title, contact details; (ii) credit card details, account details, payment information; (iii) employer, job title, geographic location, area of responsibility; and/or (iv) IP addresses, usage data, cookie data, location data.
4 Sub-Processing
4.1 Authorized Sub-Processors. Customer provides ClickHouse with a general authorization to engage Sub-Processors. The Sub-Processors currently engaged by ClickHouse and authorized by Customer are available for external Sub-Processors as set forth at https://www.clickhouse.com/legal/agreements/subprocessors.
4.2 Sub-Processor Obligations. ClickHouse shall: (i) enter into a written agreement with each Sub-Processor imposing data protection obligations no less protective of Personal Data than those required by this DPA, to the extent applicable to the nature of the service provided by the Sub-Processor; and (ii) remain responsible for each Sub-Processor’s compliance with the obligations of this DPA and for any acts or omissions of the Sub-Processor that cause ClickHouse to breach any of its obligations under this DPA. Upon written request, and subject to any confidentiality restrictions, ClickHouse shall provide Customer all relevant information it reasonably can in connection with its applicable Sub-Processor agreements where required to satisfy Customer’s obligations under Data Protection Laws.
4.3 Changes to Sub-Processors. ClickHouse shall notify Customer if it changes its Sub-Processors in advance of any such changes for the applicable Services. ClickHouse’s notification shall be via the mechanisms set forth in the weblinks provided in Section 4.1. Customer may object in writing to ClickHouse’s appointment of a new Sub-Processor by notifying ClickHouse promptly in writing within thirty (30) days of notice of the change. Customer’s notification shall explain the reasonable grounds relating to data protection for the objection. The parties shall discuss such concerns in good faith with a view to achieving a commercially reasonable resolution. If the parties are not able to reach resolution, ClickHouse will, at its sole discretion, either not appoint the new Sub-Processor, or permit Customer (as Customer’s sole and exclusive remedy) to suspend or terminate the affected Services in accordance with the termination provisions in the Agreement without liability to either party (but without prejudice to any fees incurred by Customer prior to suspension or termination).
5 Security and Audits
5.1 ClickHouse Security Standards. ClickHouse shall implement and maintain reasonable and appropriate technical and organizational security measures designed to protect Customer Personal Data from Personal Data Breach and to preserve the security and confidentiality of the Customer Personal Data, in each case in accordance with ClickHouse’s then-current security standards as set forth at https://clickhouse.com/legal/agreements/security-addendum (the “ClickHouse Security Addendum”). ClickHouse shall ensure that any person who is authorized by ClickHouse to process Customer Personal Data shall be under an appropriate obligation of confidentiality (whether a contractual or statutory duty).
5.2 Customer Security Responsibilities. Customer shall implement and maintain reasonable and appropriate technical and organizational security measures designed to protect Personal Data from Personal Data Breaches and to preserve the security and confidentiality of Customer Personal Data while in its dominion and control including, without limitation, those measures of the Service that can be selected or configured by Customer and where Customer has purchased ClickHouse BYOC Cloud, the Customer BYOC VPC managed by Customer as further described in the ClickHouse Security Addendum. ClickHouse shall have no obligation to assess the contents or accuracy of Customer Personal Data, including to identify whether any data transferred to ClickHouse for processing is subject to any specific legal, regulatory, or other requirement. Customer is responsible for reviewing the information made available by ClickHouse relating to data security and making an independent determination as to whether the Services meet Customer’s requirements and legal obligations under Applicable Data Protection Laws.
5.3 Audit. ClickHouse shall maintain an audit program to help ensure compliance with the obligations set out in this DPA and shall make available to Customer information to demonstrate compliance with the obligations set out in this DPA as set forth in this Section 5.3. The exercise of any audit rights under the SCCs shall be as described in this Section 5 and Customer agrees that these rights are carried out on behalf of Customer and any third-party controller for whom Customer is acting as a processor, in each case, subject to the confidentiality restrictions in the Agreement.
5.3.1 Third-Party Certifications and Audits. Upon Customer’s written request, at reasonable intervals, and subject to the confidentiality obligations set forth in the Agreement, ClickHouse shall make available to Customer or Customer’s Third-Party Auditor (as defined in Section 5.3.4) information regarding ClickHouse’s compliance with the obligations set forth in this DPA in the form of a copy of ClickHouse’s then most recent third-party audits or certifications, if any, (“ClickHouse Audit Reports”) set forth in the ClickHouse Security Addendum. Such third-party audits or certifications may also be disclosed to Customer’s competent supervisory authority on its request. Upon request, ClickHouse shall also provide Customer with a report and/or confirmation of a report of any third-party auditors’ audits of external Sub-Processors that have been made available by those external Sub-Processors to ClickHouse, but solely to the extent that the external Sub-processor allows ClickHouse to disclose such reports or evidence to Customer (“External Sub-processor Audit Reports”). Customer acknowledges that (i) ClickHouse Audit Reports shall be the Confidential Information of ClickHouse; (ii) External Sub-processor Audit Reports shall be the Confidential Information of ClickHouse as well as the confidential information of the external Sub-processor and (iii) certain external Sub-processors may require Customer to execute a non-disclosure agreement with them in order to view an external Sub-processor Audit Report.
5.3.2 On-Site Audit. Customer may request an on-site audit of ClickHouse’s applicable controls related to the processing activities under this DPA when: (i) the information provided under the Third-Party Certification and Audits section of this DPA is not sufficient to demonstrate ClickHouse’s compliance with the obligations set out in this DPA or (ii) required by Applicable Data Protection Laws or Customer’s competent supervisory authority.
5.3.3 Conduct of On-Site Audit. Any on-site audit described in Section 5.3.2 above will (i) be limited to processing facilities operated by ClickHouse and its Affiliates; (ii) be conducted reasonably, in good faith and in a proportional manner, taking into account the nature and complexity of the Services; (iii) be conducted no more than one time per year with at least three weeks’ notice unless an emergency justifies less notice, in which case, the parties will use good faith efforts to accommodate the shorter notice period; and (iv) be conducted during ClickHouse’s normal business hours and shall not unreasonably interfere with ClickHouse’s day-to-day operations. Before any on-site audit, Customer and ClickHouse shall agree upon the scope, timing and duration of the audit and the reimbursement rate to ClickHouse for which Customer shall be responsible. All reimbursement rates shall be reasonable, taking into account the resources expended by or on behalf of ClickHouse. Customer acknowledges that ClickHouse operates a multi-tenant cloud environment and, accordingly, ClickHouse shall have the right to reasonably adapt the scope of any on-site audit to avoid or mitigate risks to ClickHouse service availability and the confidentiality of other ClickHouse customer information. Customer must promptly provide ClickHouse with information regarding any non-compliance discovered during the course of an On-Site Audit. The results of any On-Site Audit shall be considered ClickHouse’s Confidential Information and may be disclosed to a third party (other than a Third-Party Auditor, where applicable) only with ClickHouse’s prior written consent.
5.3.4 Third-Party Auditor. A Third-Party Auditor means a third-party independent contractor that is not a competitor of ClickHouse. An On-Site Audit can be conducted through a Third-Party Auditor if: (i) prior to the On-Site Audit, the Third-Party Auditor enters into a non-disclosure agreement containing confidentiality provisions no less protective than those set forth in the Agreement to protect ClickHouse’s and its customers’ proprietary and confidential information; and (ii) Customer bears the costs and expenses of the Third-Party Auditor.
5.4 Data Protection Impact Assessment. Upon Customer’s request, ClickHouse shall provide Customer with reasonable cooperation and assistance needed to fulfil Customer’s obligation under Applicable Data Protection Laws to carry out a data protection impact assessment related to Customer’s use of the Services, to the extent Customer does not otherwise have access to the relevant information, and to the extent such information is available.
6 International Transfers
6.1 Hosting and Processing Locations. For ClickHouse Cloud, ClickHouse will only host Customer Personal Data in the region(s) offered by ClickHouse and selected by Customer as set forth on an Order Form or as otherwise configured by Customer via the Services. Customer Personal Data will not be transferred by ClickHouse for Processing outside the selected hosting region except as reasonably necessary to provide the Services or as necessary to comply with the law or binding order of a governmental body. As between Customer and ClickHouse, Customer is solely responsible for selecting the regions from which its end users will access the Service and for any transfers of Customer Personal Data conducted by its end users via the Services. For ClickHouse BYOC Cloud, ClickHouse will not host Customer Personal Data but may be granted access to Customer Personal Data hosted by Customer. As between Customer and ClickHouse, Customer is solely responsible for any access granted to ClickHouse to Customer Personal Data hosted by Customer.
6.2 Personal Data Transfers Outside of the EEA. Any transfer by Customer from the EEA and/or Switzerland to ClickHouse in a country outside of the EEA and/or Switzerland, where such transfer is not governed by an adequacy decision made by the European Commission or the Swiss Federal Data Protection and Information Commission, as applicable, that does not ensure an adequate level of protection under the applicable European Data Protection Law (a “Restricted EEA and/or Switzerland Transfer”) shall be governed by and performed in accordance with the SCCs, which are incorporated by reference into this DPA and deemed executed concurrent with the execution of this DPA. Schedule I to this DPA sets forth the specific, additional and/or optional clauses for the SCCs.
6.3 Personal Data Transfers Outside of the UK. Any transfer by Customer from the UK to ClickHouse outside of the UK, where such transfer is not governed by an adequacy decision made by the United Kingdom Secretary of State (a “Restricted UK Transfer” and, together with a Restricted EEA and/or Switzerland Transfer, a “Restricted Transfer”), shall be governed by and performed in accordance with the SCCs as modified to include the UK Addendum and their Annexes, which are (collectively) incorporated by reference into this DPA and deemed executed concurrent with the execution of this DPA. Schedule II to this DPA sets forth the specific, additional and/or optional information and clauses for the SCCs as modified to include the UK Addendum and their Annexes.
6.4 Data Privacy Framework. ClickHouse participates in and certifies compliance with the Data Privacy Framework. Customer and ClickHouse acknowledge and agree that transfers of Customer Personal Data from the EEA, Switzerland, or the UK to the United States pursuant to the Data Privacy Framework shall not be a Restricted Transfer. ClickHouse will notify Customer if its Data Privacy Framework certification lapses or is otherwise invalidated, in which case (i) any transfers of Personal Data by Customer from the EEA and/or Switzerland to ClickHouse in the United States shall immediately be deemed a Restricted EEA and/or Switzerland Transfer and the provisions of Section 6.2 shall apply and/or (ii) any transfers of Personal Data by Customer from the UK to ClickHouse in the United States shall immediately be deemed a Restricted UK Transfer and the provisions of Section 6.3 shall apply, as applicable.
6.5 Alternate Transfer Mechanism. If ClickHouse adopts an alternative transfer mechanism for Restricted Transfers (including, without limitation, any new version or successor to the SCCs) pursuant to the applicable European Data Protection Law, such alternate transfer mechanism shall automatically apply in lieu of the SCCs to the extent that such alternative transfer mechanism complies with the applicable European Data Protection Law and applies in the territories into which the Personal Data is transferred.
7 Personal Data Breach Management and Notification. If ClickHouse becomes aware of a Personal Data Breach, ClickHouse shall: (i) promptly notify Customer of the discovery of the Personal Data Breach, which shall include a summary of the known circumstances of the Personal Data Breach and the corrective action taken or to be taken by ClickHouse; (ii) conduct an investigation of the circumstances of the Personal Data Breach; (iii) use commercially reasonable efforts to mitigate the effects of the Personal Data Breach; and (iv) use commercially reasonable efforts to communicate and cooperate with Customer concerning its responses to the Personal Data Breach. Customer acknowledges that ClickHouse personnel do not have visibility into data ingested by Customer into the Service. Accordingly, it would be unlikely that the notice provided by ClickHouse would include information concerning the categories and approximate number of data subjects concerned and/or the categories and approximate number of personal data records concerned. ClickHouse’s notification of a Personal Data Breach and its communication and cooperation with Customer concerning a Personal Data Breach shall not be construed as an acknowledgment of fault or liability by ClickHouse.
8 Rights of Individuals and Cooperation
8.1 Data Subject Requests. To the extent that Customer is unable to independently access the relevant Customer Personal Data within the Service, ClickHouse shall, taking into account the nature of the processing, provide reasonable cooperation to assist Customer to respond to any requests from individuals or applicable data protection authorities relating to the processing of Customer Personal Data under the Agreement. If any such request is made to ClickHouse directly, ClickHouse shall not respond to such communication directly without Customer’s prior authorization, unless legally compelled to do so. If ClickHouse is required to respond to such a request, ClickHouse shall promptly notify Customer and provide it with a copy of the request unless legally prohibited from doing so.
8.2 Data Impact Assessments. To the extent ClickHouse is required under applicable European Data Protection Law, ClickHouse shall provide reasonably requested information regarding ClickHouse’s processing of Customer Personal Data under the Agreement to assist the Customer to carry out data protection impact assessments or prior consultations with supervisory authorities as required by law.
8.3 Third Party Demands. If ClickHouse receives a demand from a third party (including, without limitation, any governmental, regulatory or supervisory authority) to retain, disclose or transfer Customer Personal Data, ClickHouse shall use commercially reasonable efforts to direct the demanding party to Customer and Customer authorizes ClickHouse to disclose such information to such third party as may be reasonably necessary to direct the third party to Customer. Where ClickHouse is unable to direct the demanding party to Customer, ClickHouse shall, to the extent legally permitted, provide Customer notice of the demand and cooperate with Customer, at the Customer’s cost and expense, in seeking a protective order, or confidential treatment, or taking other measures to oppose or limit such demand.
9 Relationship to the Agreement; Limitation of Liability
9.1 Relationship to the Agreement. Except for the changes made by this DPA as applicable to the Service, the Agreement remains unchanged and in full force and effect. This DPA shall be governed by and construed in accordance with the governing law and jurisdiction provisions in the Agreement, unless required otherwise by European Data Protection Laws.
9.2 Limitation of Liability. Each party’s and all of its Affiliates’ liability, taken together in the aggregate, arising out of or related to this DPA and the SCCs (including any SCCs between Authorized Affiliates and ClickHouse), whether in contract, tort or under any other theory of liability is subject to the liability restrictions set forth in the Agreement, including the damages disclaimer and any aggregate limitation of liability.
Pursuant to Section 6.2 of this Data Processing Addendum between ClickHouse and Customer, the SCCs are deemed incorporated into and form part of this DPA. The following specific and/or optional clauses shall apply to the SCCs as described in more detail below; any optional clauses in the SCCs not expressly selected are not included.
1 Module Two terms apply where Customer is the controller of Customer Personal Data and Module Three terms apply where Customer is the processor of Customer Personal Data.
2 The optional docking clause in Clause 7 is incorporated with respect to Authorized Affiliates only; Authorized Affiliates may accede to the DPA and SCCs under the same terms and conditions, subject to Section 3.3 of this DPA with the agreement of parties.
3 For Clause 9, Option 2 (“General Authorization”) is selected and the process and time period for additional or replacement Sub-Processors shall be as set out in Section 4.3 of this DPA.
4 For Clause 9(c), where confidentiality restrictions prohibit ClickHouse from providing a copy of a Sub-Processor agreement to Customer, ClickHouse shall (on a confidential basis) provide all information that it reasonably can in connection with such Sub-Processor Agreement to Customer.
5 For Clause 13 and Annex I.C of the SCCs, Customer shall maintain accurate records of the applicable Member State(s) and competent supervisory authority, which shall be made available to ClickHouse on request.
6 For Clause 17, Option 1 shall apply and the Member State for purposes of governing law shall be the Netherlands.
7 For Clause 18(b), any dispute shall be resolved by the courts of the Netherlands.
8 For Annex I.A., the “data importer” shall be ClickHouse and the “data exporter” shall be Customer and any Authorized Affiliates that have acceded to the SCCs pursuant to the DPA.
9 For Annex I.B., the description of the transfer is as described in Section 3.6 (“EEA Customers - Details of Processing”) of this DPA.
10 For Annex II, the technical and organizational measures are: (i) with respect to ClickHouse, those measures described in Section 5.1 (“ClickHouse Security Standards”) and (ii) with respect to Customer, those measures described in Section 5.2 (“Customer Security Standards”).
11 For Annex III, the Sub-Processors shall be as described in Section 4.1 (“Authorized Sub-Processors”).
Pursuant to Section 6.3 of this Data Processing Addendum between ClickHouse and Customer, the SCCs, as supplemented by the specific and optional clauses set forth in Schedule I to this DPA (the “EEA SCCs”) and as modified to include the UK Addendum (the “UK SCCs”) are deemed incorporated into and form part of this DPA. For the avoidance of doubt, in the event of any conflict between (i) the EEA SCCs and (ii) UK SCCs, the UK SCCs shall prevail. The following information completes the UK Addendum and Annexes:
1 For Table 1 of the UK Addendum: (a) the Start Date, Parties’ Details and Key Contact are as set forth in the Order Form and Agreement and (b) the Exporter is Customer and the Importer is ClickHouse.
2 For Table 2, the Selected SCCs, Modules and Selected Clauses are as set forth in Section 6.2 of this DPA and Schedule I to this DPA.
3 Table 4 of the UK Addendum is modified as follows: Neither party may end the UK Addendum as set out in Section 19 of the UK Addendum; to the extent ICO issues a revised Approved Addendum under Section 18 of the UK Addendum, the parties will work in good faith to revise this DPA accordingly.
4 For Annex 1A, ClickHouse and Customer and its Authorized Affiliates are the Parties.
5 For Annex 1B, the Description of the Transfer is as set forth under Section 3.6 (“EEA and UK Customers - Details of Processing”) of this DPA.
6 For Annex II, the technical and organizational measures are: (i) with respect to ClickHouse, those measures described in Section 5.1 (“ClickHouse Security Standards”) and (ii) with respect to Customer, those measures described in Section 5.2 (“Customer Security Standards”).
7 For Annex III, the Sub-Processors shall be as described in Section 4.1 (“Authorized Sub-Processors”).