EnterpriseDB Data Processing Addendum


Updated:  October 2, 2024

1. Scope, Order of Precedence and Parties

This Data Processing Addendum (“DPA”) applies to the Processing of Personal Data by EnterpriseDB Corporation and its Affiliates on Your behalf when providing Our Software, Cloud Services, Support Services or Professional Services (“Products and Services”). The Products and Services are described in the relevant license and/or services agreement and the applicable order (collectively, the “Agreement”). In the event of a conflict between the terms of the Agreement and this DPA, the terms of this DPA shall control. In the event of a conflict between the terms of this DPA and the EU Standard Contractual Clauses, the UK SCC Addendum, or Swiss Addendum (if applicable), the terms of the EU Standard Contractual Clauses, the UK SCC Addendum, Swiss Addendum or CCPA Addendum (if applicable) shall control.

This DPA is between the end-user customer (“You” or “Your”) and the EnterpriseDB contracting entity (“EDB”, “We”, “Us” or “Our”) and is incorporated by reference into the Agreement.

2. Definitions

Affiliate” means any subsidiary of EnterpriseDB Corporation that may assist in the processing of Your Personal Data under the Agreement and this DPA.

Aggregate” means information that relates to a group or category of individuals, from which identities have been removed such that the information is not linked or reasonably linkable to any individual.

Applicable Data Protection Laws” means (i) the EU General Data Protection Regulation 2016/679 (“GDPR”) and laws or regulations implementing or supplementing the GDPR; and (ii) any other international, federal, state, provincial and local privacy or data protection laws, rules, regulations, directives and governmental requirements currently in effect and as they become effective that apply to the Processing of Personal Data under the Agreement.

Controller” is a legally defined term that generally refers to the party that determines the purposes and means (the why and how) of the processing of Personal Data.

Personal Data” means any of your data uploaded, transmitted or otherwise Processed in connection with the performance of Products and Services that can identify a unique individual, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of individuals, or as otherwise defined under Applicable Data Protection Laws.

Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored or otherwise Processed by Us in order to perform the Products and Services.

Processor” is a legally defined term that generally refers to the party that processes Personal Data on behalf of the Controller.

Sub-Processor” means any third party engaged by a Processor or another Sub-Processor to assist with the Processing of Personal Data for the performance of Products and/or Services under the Agreement.

Swiss SCC Addendum” means the adaptation of the 2021 EU SCCs designed to ensure an adequate level of protection for data transfers from Switzerland to a third country subject to the Swiss Federal Act on Data Protection (“FADP").

Usage Data” means technical data collected from Your use of Services for the purposes specified herein.

UK Data Protection Laws” means the UK GDPR and the Data Protection Act 2018, or any successor UK data protection laws as updated, amended or replaced from time to time.

"UK SCC Addendum” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (vB1.0 or any subsequent version) issued by the UK Information Commissioner’s Office.

2021 EU Standard Contractual Clauses” or “2021 EU SCCs” means the contractual clauses annexed to the EU Commission Decision 2021/914/EU or any successor clauses approved by the EU Commission.

Terms used but not defined in this DPA (e.g., “Business Purpose”, “Consumer”, “Controller”, “Data Subject”, “Process/Processing”, “Processor”) shall have the same meaning as set forth in the Agreement or Applicable Data Protection Laws.

3. Roles as Controller and Processor

For purposes of this DPA, You are the Controller of the Personal Data Processed by EDB under the terms of the Agreement. You are responsible for complying with your obligations as a Controller under Applicable Data Protection Laws governing your provision of Personal Data to Us for the performance of the Products and Services, including without limitation obtaining any consents, providing any notices, otherwise establishing the required legal basis, and responding promptly to any inquiries from a data protection authority. Unless specified in the Agreement, You will not provide Us access to any Personal Data that imposes specific data protection requirements greater than those agreed to in the Agreement and this DPA, and you will limit Our access to Personal Data as necessary for Your use of the Products and Services under the Agreement.

EDB is the Processor and service provider with respect to such Personal Data, except when You act as a Processor of Personal Data, in which case We are a Sub-Processor.

EDB is responsible for the Processing of Usage Data solely for Our legitimate business interests, including, securing, managing, measuring and improving Customer’s use of EDB Services in accordance with the Agreement and pursuant to the terms of this DPA.

Each party shall comply with their respective obligations as Controllers and Processors under Applicable Data Protection Laws.

4. EDB’s Purpose of Processing

EDB and any persons acting under its authority under this DPA, including Sub-Processors and Affiliates as described in Section 7, will Process Personal Data only for the purposes of performing the Services in accordance with your written instructions as specified in the Agreement, this DPA, and Applicable Data Protection Laws. We may also Aggregate Personal Data as part of the Products and Services in order to provide, secure, and enhance EDB Services.

We will not disclose Personal Data in response to a subpoena, judicial or administrative order, or other binding instrument (a “Demand”) unless required by law. We will promptly notify You of any Demand unless prohibited by law and provide You reasonable assistance to facilitate Your timely response to the Demand. We may provide Personal Data to Affiliates in connection with any anticipated or actual merger, acquisition, sale, bankruptcy, or other reorganization of some or all of its business, subject to the obligation to protect Personal Data consistent with the terms of this DPA.

5. CCPA Compliance

EDB will not process, retain, use, or disclose Your Personal Data for any purpose other than for the purposes set out in the Agreement, DPA and as permitted under the CCPA, where applicable. EDB will not Sell or Share Your information as those terms are defined under the CCPA.

6. Data Subjects and Categories of Personal Data

You determine the Personal Data to which You provide Us access to in order to perform the Products and Services. This may involve the Processing of Personal Data of the following categories of Your Data Subjects:

  1. Employees and applicants
  2. Customers and end users
  3. Suppliers, agents, and contractors

The Processing of Your Personal Data may also include the following categories of Personal Data:

  1. Direct identifiers such as first name, last name, date of birth, and home address
  2. Communications data such as home telephone number, cell telephone number, email address, postal mail address, and fax number
  3. Family and other personal circumstance information, such as age, date of birth, marital status, spouse or partner, and number and names of children
  4. Employment information such as employer, work address, work email and phone, job title and function, salary, manager, employment ID, system usernames and passwords, performance information, and CV data
  5. Other data such as financial, good or services purchased, and license details 
  6. Usage data including device and other identifiers, online profiles and behavior, and IP address
  7. Other Personal Data to which You provide EDB access in connection with the provision of Services

7. Sub-Processing

Subject to the terms of this DPA, You authorize Us to engage Sub-Processors and Affiliates for the Processing of Personal Data. These Sub-Processors and Affiliates are bound by written agreements that require them to provide at least the level of data protection required of Us by the Agreement and this DPA, and We have implemented reasonable measures designed to confirm compliance with such measures. You may request Us to perform an audit on a Sub-Processor or to obtain an existing third-party audit report related to the Sub-Processor’s operations to verify compliance with these requirements. You may also request copies of the data protection terms We have in place with any Sub-Processor or Affiliate involved in providing the Products and/or Services. We remain responsible at all times for such Sub-Processors’ and Affiliates’ compliance with the requirements of the Agreement, this DPA and Applicable Data Protection Laws.
A list of sub-Processors as well as a mechanism to obtain notice of any updates to the list, are available at https://trust.enterprisedb.com/subprocessors. At least thirty (30) calendar days before authorizing any new Sub-Processor to access Personal Data, We will notify you. Where EDB is a Processor, the following terms apply:

  1. During this notice period, objections (if any) to EDB’s appointment of the new Sub-Processor must be provided to EDB in writing and based on reasonable grounds. In such an event, the Parties will discuss those objections in good faith with a view to achieving resolution. If it can be reasonably demonstrated to EDB that the new Sub-processor is unable to Process YourPersonal Data in compliance with the terms of the DPA and EDB cannot provide an alternative Sub-Processor, or the Parties are not otherwise able to achieve resolution as provided in the preceding sentence, You, as Your sole and exclusive remedy, may terminate the Order Form(s) with respect to only those aspects which cannot be provided by EDB without the use of the new Sub-processor by providing advance written notice to EDB of such termination..
  2. EDB will refund You any prepaid unused fees of such Order Form(s) following the effective date of such termination. 
  3. If the affected Product or Service is part of a suite (or similar single purchase of Products and Services), then any such termination will apply to the entire suite.

8. International Transfer of Personal Data

We may transfer Personal Data to the United States and/or to other third countries as necessary to perform the Products and/or Services, and you appoint EDB to perform any such transfer in order to process Personal Data as necessary to provide the Services. We will follow the requirements of this DPA regardless of where such Personal Data is stored or Processed.

Where the Processing involves the international transfer of Personal Data of a resident(s) of a country within the EEA, Switzerland or UK to EDB, Affiliates or Sub-Processors in a jurisdiction (i) that has not been deemed by the European Commission or the UK Information Commissioner’s Office to provide an adequate level of data protection, and (ii) there is not another legal basis for the international transfer of such Personal Data, such transfers are subject to either the 2021 EU Standard Contractual Clauses, the UK SCC Addendum and/or Swiss SCC Addendum (as applicable) or other valid transfer mechanisms available under Applicable Data Protection Laws. For international transfers subject to:

  1. the GDPR, the Parties hereby incorporate by reference the 2021 EU SCCs in unmodified form (Module One where You and EDB are both Controllers, Module Two where You are a Controller and EDB is a Processor, or Module Three where both You and EDB are both Processors, as applicable)
  2. the UK Data Protection Laws, the Parties hereby incorporate by reference the UK SCC Addendum in unmodified form
  3. the FADP, the Parties hereby incorporate by reference the Swiss SCC Addendum

The 2021 EU SCCs and the UK SCC Addendum shall be between You and EnterpriseDB Corporation, irrespective of Your location. For such purposes, You will act as the Data Exporter on Your behalf and on behalf of any of Your entities, and EnterpriseDB Corporation will act as the Data Importer on its own behalf and/or on behalf of its Affiliates. 

For each module of the 2021 EU SCCs, where applicable:

(i) Clause 7, any acceding entity shall enforce its rights through You;

(ii) Clause 9, option 2 (“General Written Authorization”) is selected, and the process and time period for prior notice of Sub-processor changes shall be as set out in Section 7 of this DPA;

(iii) Clause 11, the optional language of (a) will not apply;

(iv) Clause 17, option 1 shall apply and refer to the law of the Netherlands;

(v) Clause 18(b), disputes shall be resolved before the courts of the Netherlands;

(vi) Annex 1(A), purposes of processing, (B) categories of data subjects and personal data are specified in Section 6 of this DPA; 

(vii) Annex 1(C) the data exporter’s competent supervisory authority shall be determined in accordance with EU GDPR and Clause 13 of the Standard Contractual Clauses; and

(vii) Annex 2, technical and organizational security measures, are specified in Section 10 below. 

For the purposes of the Swiss SCC Addendum, (i) the term “member state” shall not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland) in accordance with Clause 18(c) of the 2021 EU SCCs; (ii) the references to the GDPR should be understood as references to the FADP insofar as the data transfers are subject to the FADP; (iii) the Federal Data Protection and Information Commissioner of Switzerland shall be the competent supervisory authority in Annex I.C under Clause 13 of the 2021 EU SCCs, where the transfer of Personal Data is subject to the FADP.

In the event of any direct conflict between this Addendum and the 2021 EU Standard Contractual Clauses, the UK SCC Addendum and/or Swiss SCC Addendum the 2021 EU Standard Contractual Clauses, the UK SCC Addendum and/or the Swiss SCC Addendum (as applicable) shall prevail.

9. Requests from Data Subjects

We will make available to You the Personal Data of Your Data Subjects and the ability to fulfill requests by Data Subjects to exercise one or more of their rights under Applicable Data Protection Laws in a manner consistent with Our role as a Processor. We will provide reasonable assistance to assist with Your response.

If We receive a request directly from Your Data Subject to exercise one or more of their rights under Applicable Data Protection Laws, We will direct the Data Subject to You unless prohibited by law.

10. Security

We shall implement and maintain appropriate administrative, technical, and organizational practices designed to protect Personal Data against any misuse or accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data. Such security practices are set forth in the  EDB Information Security Exhibit located at https://trust.enterprisedb.com/securityexhibit at the time the services are performed. We seek to continually strengthen and improve its security practices, and so reserve the right to modify the controls described therein upon notice to you, either individually or via our website. Any modifications will not diminish the level of security during the relevant term of Services.

Our employees are bound by appropriate confidentiality agreements and required to comply with Our corporate privacy and security policies and procedures, including the applicable requirements of this DPA.

11. Personal Data Breach

We shall notify You without undue delay after becoming aware of a Personal Data Breach involving Personal Data in Our possession, custody or control. Such notification shall at least: (i) describe the nature of the Personal Data Breach including, where possible, the categories and approximate number of Your Data Subjects concerned and the categories and approximate number of Personal Data records concerned; (ii) provide the name and contact details of a contact where more information can be obtained; and (iii) describe the measures taken or proposed to be taken to address the Personal Data Breach including, where appropriate, measures to mitigate its possible adverse effects. You will coordinate with Us on the content of any public statements or required notices to individuals and/or Supervisory Authorities.

12. Your Instructions and Providing Information & Assistance

You may provide additional instructions to Us related to the Processing of Personal Data that are necessary for You and EDB to comply with our respective obligations under Applicable Data Protection Laws as Controller and Processor. We will comply with such instructions, provided that in the event that Your instructionsimpose costs on Us beyond those included in the scope of Products and Services under the Agreement, the parties agree to negotiate in good faith to determine the additional costs. We will promptly inform You if We believe that Your instructions are not consistent with the Products and Services or Applicable Data Protection Laws, provided that We will not be obligated to independently inspect or verify Your Processing of Personal Data.

We will provide You information reasonably necessary to assist You in enabling Your compliance with Your obligations under Applicable Data Protection Laws as further specified in this DPA.

13. Return and Deletion of Personal Data

We will return or provide an opportunity for You to retrieve all Personal Data after the end of the provision of Services and delete existing copies. With respect to cloud services, You shall have thirty (30) calendar days to download Your Personal Data after termination of the Agreement and You must contact technical support for download access and instructions. In the event You do not contact technical support for this purpose within 30 calendar days after the end of the provision of Products and/or Services, We shall delete Your Personal Data promptly once that Personal Data is no longer accessible by You, except for (i) back-ups deleted in the ordinary course, and (ii) retention as required by applicable law. In the event of either (i) or (ii), We will continue to comply with the relevant provisions of this DPA until such data has been deleted. We will provide written confirmation of deletion upon request.

14. Audit

In the event the information you request of EDB under Section 12 above does not satisfy your obligations under Applicable Data Protection Laws, You may carry out an audit of Our Processing of Your Personal Data up to one time per year or as otherwise required by Applicable Data Protection Laws. To request an audit, you must provide Us a proposed detailed audit plan three weeks in advance, and We will work with you in good faith to agree on a final written plan. Any such audit shall be conducted at Your own expense, during normal business hours, without disruption to Our business, and in accordance with Our security rules and requirements. Prior to any audit, We undertake to provide You reasonably requested information and associated evidence to satisfy Your audit obligations, and You undertake to review this information prior to undertaking any independent audit. If any of the requested scope of the audit is covered by an audit report issued to Us by a qualified third-party auditor within the prior twelve months, the parties agree that the scope of Your audit will be reduced accordingly.

You may use a third-party auditor with Our agreement, which will not be unreasonably withheld. Prior to any third-party audit, such auditor shall be required to execute an appropriate confidentiality agreement with Us. If the third party is Your Supervisory Authority that applicable law enables it to audit Us directly, We will cooperate with and provide reasonable assistance to the Supervisory Authority in accordance with Applicable Data Protection Laws.

You will provide Us a copy of any final report unless prohibited by Applicable Data Protection Laws, will treat the report and findings as confidential information in accordance with the terms of the Agreement (or confidentiality agreement entered into between You and EDB), and use the report and findings solely for the purpose of assessing Our compliance with the terms of the Agreement, this DPA, and Applicable Data Protection Laws.

15. Term

This DPA becomes effective upon Your purchase of the Products and Services. Termination of the Agreement does not relieve either party of its obligations under this DPA.