Hasura, Inc. Data Processing Addendum

Last Updated on 10th July, 2024

THIS DATA PROCESSING ADDENDUM (“Data Processing Addendum” or “DPA”) is an agreement between you and the entity you represent (“Customer” or “Licensee”) and Hasura, Inc. (“Hasura” or “Licensor”) and supplements the Agreement between Customer and Hasura. This DPA applies to Hasura’s Processing of Customer Personal Data pursuant to the Agreement. Unless otherwise defined in this DPA, capitalized terms shall have the meaning given to them in the Agreement. For the avoidance of doubt, all references in the Agreement to “Licensee” shall be references to Customer pursuant to this DPA.
  • INTERPRETATION
    1. In this Data Processing Addendum, the following terms shall have the meanings set out in this Paragraph 1, unless expressly stated otherwise:
      1. “Addendum Effective Date” means the effective date of the Agreement.
      2. “Agreement” means the Hasura, Inc. Master Software and Services License Agreement available at https://hasura.io/legal/msa/ or other similar agreement entered into between Customer and Hasura governing Customer’s use of the Services.
      3. “Applicable Data Protection Laws” means data protection and privacy laws and regulations applicable to the processing of Customer Personal Data under the Agreement, including but not limited to, where applicable, the GDPR, the Australian Privacy Act and the CCPA, in each case, to the extent applicable to the relevant Customer Personal Data or Processing thereof under the Agreement.
      4. “Australian Privacy Act” means the Australian Privacy Act 1988 (Cth), including the Australian Privacy Principles.
      5. “Customer Personal Data” means any Personal Data Processed by or on behalf of Hasura on behalf of Customer to perform the Services under the Agreement.
      6. “CCPA” means the California Consumer Privacy Act of 2018 and any binding regulations promulgated thereunder.
      7. “Data Subject Request” means the exercise by Data Subjects of their rights in accordance with Applicable Data Protection Laws in respect of Customer Personal Data.
      8. “Data Subject” means the identified or identifiable natural person to whom Customer Personal Data relates.
      9. “Delete” means the effective date of the Agreement.
      10. “EEA” means the European Economic Area.
      11. “GDPR” means: (i) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (“EU GDPR”); (ii) the EU GDPR as it forms part of United Kingdom (“UK”) law by virtue of section 3 of the European Union (Withdrawal) Act 2018 (“UK GDPR”); and (iii) any applicable implementing or supplementary legislation in any member state of the EEA or the UK (including the UK Data Protection Act 2018).
      12. “Personnel” means a person’s employees, agents, consultants or contractors.
      13. “Personal Data” means Customer Data that constitutes “personal data,” “personal information,” or similar information governed by Applicable Data Protection Laws, except that Personal Data does not include such information pertaining to Customer’s business contacts who are Customer Personnel where Hasura acts as a Controller of such information.
      14. “Personal Data Breach” means a breach of Hasura’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data in Hasura’s possession, custody or control. Personal Data Breaches do not include unsuccessful attempts or activities that do not compromise the security of Customer Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, or other network attacks on firewalls or networked systems.
      15. “Processing” means any operation or set of operations which is performed on Customer Personal Data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
      16. “Relevant Body” means:
        1. in the context of the UK and the UK GDPR, the UK Information Commissioner’s Office and/or UK Government (as and where applicable); and/or
        2. in the context of the EEA and the EU GDPR, the European Commission.
      17. “Restricted Country” means:
        1. in the context of the UK, a country or territory outside the UK; and
        2. in the context of the EEA, a country or territory outside the EEA,
        that the Relevant Body has not deemed to provide an adequate level of protection for Personal Data pursuant to a decision made in accordance with the GDPR.
      18. “Restricted Transfer” means the disclosure, grant of access or other transfer of Personal Data to any person which would be prohibited without a legal basis under the GDPR.
      19. “Services” means those services and activities to be supplied to or carried out by or on behalf of Hasura for Customer pursuant to the Agreement.
      20. “Standard Contractual Clauses” means the Standard Contractual Clauses for Processors as approved by the European Commission and available at https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en (as updated, amended or superseded from time to time).
      21. “Subprocessor” means any third party appointed by or on behalf of Hasura to Process Customer Personal Data.
      22. “Supervisory Authority”:
        1. in the context of the UK and the UK GDPR, means the UK Information Commissioner’s Office; and
        2. in the context of the EEA and the EU GDPR, shall have the meaning given to that term in the EU GDPR.
      23. “UK Addendum” means the UK International Data Transfer Addendum to the Standard Contractual Clauses as approved by the UK Information Commissioner’s Office under section 119A(1) of the UK Data Protection Act 2018, or any set of clauses approved by a Supervisory Authority which subsequently amends, replaces or supersedes the same.
    2. In this Data Processing Addendum:
      1. the terms, “Controller” and “Processor” shall have the meaning ascribed to the corresponding terms in the GDPR, and “Controller” shall include a “business” as defined in the CCPA;
      2. the terms, “business,” “commercial purpose,” “sell” and “service provider” shall have the respective meanings given thereto in the CCPA; and “personal information” shall mean Customer Personal Data that constitutes personal information governed by the CCPA, or the Australian Privacy Act, whichever is applicable; and
      3. unless otherwise defined in this Data Processing Addendum, all capitalized terms in this Data Processing Addendum shall have the meaning given to them in the Agreement.
  • DURATION AND SCOPE OF THIS DATA PROCESSING AGREEMENT
    1. This Data Processing Addendum will remain in effect so long as Hasura Processes Customer Personal Data, notwithstanding the expiration or termination of the Agreement.
    2. Schedule 1 (EU Annex) and Schedule 4 (UK Annex) to this Data Processing Addendum apply only to the Processing of Customer Personal Data subject to the GDPR. Schedule 2 (California Annex) to this Data Processing Addendum applies only to the Processing of Customer Personal Data subject to the CCPA with respect to which Customer is a “business” (as defined in the CCPA). Schedule 5 (Australia Annex) to this Data Processing Addendum applies only to the Processing of Customer Personal Data subject to the Australian Privacy Act.
  • PROCESSING OF CUSTOMER PERSONAL DATA
    1. Hasura shall not Process Customer Personal Data other than on Customer’s instructions or as required by Applicable Data Protection Laws.
    2. Customer instructs Hasura to Process Customer Personal Data as necessary:
      1. to provide the Services to Customer; and
      2. to perform Hasura’s obligations and exercise Hasura’s rights under the Agreement, including to maintain records relating to the Service and comply with any legal or self-regulatory obligations relating to the Service.
    3. If applicable law requires Hasura to conduct Processing that is inconsistent with the Customer’s instructions, then Hasura will immediately notify Customer in writing prior to commencing the Processing, unless applicable law prohibits such notification. Hasura also will immediately notify Customer if Hasura believes that Customer’s instructions violate, or result in Processing in violation of Applicable Data Protection Laws.
    4. Customer acknowledges and agrees that Hasura may create and derive from Processing related to the Agreement, deidentified, anonymized and/or aggregated data that does not identify any natural person and use, publicize, or share with third parties such data to improve Hasura’s products and services and for its other legitimate business purposes.
  • HASURA PERSONNEL
    Hasura shall:
    1. limit access to Hasura Personnel who need to access the relevant Customer Personal Data for the purposes described in this Data Processing Addendum; and
    2. subject Hasura Personnel to confidentiality undertakings or professional or statutory obligations of confidentiality.
  • SECURITY
    Hasura shall implement and maintain technical and organizational measures in relation to Customer Personal Data designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access as described in Schedule 3 (Security Measures). Hasura may update the Security Measures from time to time, provided the updated measures do not materially decrease the overall protection of Customer Personal Data.
  • DATA SUBJECT RIGHTS
    1. Hasura, taking into account the nature of the Processing of Customer Personal Data, shall provide Customer with such assistance as may be reasonably necessary and technically feasible to assist Customer in fulfilling its obligation to respond to Data Subject Requests. If Hasura receives a Data Subject Request, Hasura will advise the Data Subject to submit the request to Customer and Customer will be responsible for responding to any such request.
    2. Hasura shall:
      1. promptly notify Customer if it receives a Data Subject Request; and
      2. not respond to any Data Subject Request except on the written instructions of Customer (and in such circumstances, at Customer’s cost) or as required by Applicable Data Protection Laws.
  • PERSONAL DATA BREACH
    1. Hasura shall notify Customer without undue delay upon Hasura’s discovering a Personal Data Breach affecting Customer Personal Data. Hasura shall provide Customer with information (insofar as such information is within Hasura’s possession and knowledge) to allow Customer to meet its obligations under the Applicable Data Protection Laws to report the Personal Data Breach. Hasura’s notification of or response to a Personal Data Breach will not be construed as Hasura’s acknowledgement of any fault or liability with respect to the Personal Data Breach.
    2. Hasura shall, at Customer’s cost, co-operate with Customer and take such commercially reasonable steps as may be directed by Customer to assist in the investigation of any such Personal Data Breach.
    3. Customer is solely responsible for complying with notification laws applicable to Customer and fulfilling any third-party notification obligations related to any Personal Data Breaches.
  • CUSTOMER’S RESPONSIBILITIES
    1. Customer agrees that, without limitation of Hasura’s obligations under Section 5 (Security), Customer is solely responsible for its use of the Service, including (a) making appropriate use of the Service to maintain a level of security appropriate to the risk in respect of the Customer Personal Data; (b) securing the account authentication credentials, systems and devices Customer uses to access the Service; (c) securing Customer’s systems and devices that Hasura uses to provide the Service; (d) providing all appropriate notices and obtaining any necessary consents for Hasura to Process Customer Personal Data as set forth in the Agreement; and (e) backing up Customer Personal Data.
    2. Customer Personal Data provided or otherwise made available to Hasura shall not contain any (a) Social Security numbers or other government-issued identification numbers; (b) protected health information subject to the Health Insurance Portability and Accountability Act (HIPAA) or other information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional; (c) health insurance information; (d) biometric information; (e) passwords to any online accounts; (f) credentials to any financial accounts; (g) tax return data; (h) any payment card information subject to the Payment Card Industry Data Security Standard; (i) Personal Data of children under 13 years of age; or (j) any other information that falls within any special categories of data (as defined in GDPR).
  • LIABILITY CAP
    1. The total combined liability of either party towards the other party, whether in contract, tort or any other theory of liability, under or in connection with the Agreement, or this Data Processing Addendum combined, will be limited to the limitations on liability or other liability caps agreed to by the parties in the Agreement. Despite the foregoing, in no event will any party limit its liability with respect to any individual’s data protection rights, whether under this Data Processing Addendum or otherwise.
  • GENERAL
    1. This Data Processing Addendum shall be incorporated into and form part of the Agreement with effect from the Addendum Effective Date.
    2. In the event of any conflict or inconsistency between:
      1. this Data Processing Addendum and the Agreement, this Data Processing Addendum shall prevail;
      2. any Standard Contractual Clauses entered into pursuant to Section 2(b) of this Data Processing Addendum, Schedule 1 and/or the Agreement, the Standard Contractual Clauses shall prevail; or
      3. any UK Addendum entered into pursuant to Section 2(b) of this Data Processing Addendum, Schedule 4 and/or the Agreement, the Standard Contractual Clauses shall prevail.

Schedule 1 – EU Standard Contractual Clauses


If and to the extent that the Agreement involves a Restricted Transfer from the EEA or Switzerland, then the Parties agree that the SCCs shall apply. Should the European Commission annul the Adequacy Decision for Switzerland then the SCCs shall also apply to transfers from the European Union to Switzerland. Please find the full text here: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32021D0914&from=EN#d1e32-57-1
The SCCs are construed, and/or supplemented as follows:
  1. POTENTIAL APPLICABLE MODULE(s): (Module 2 C2P, Module 3 P2P).
    If according to Annex I:
    • Customer is acting as a Controller and Licensor as a Processor, Module 2 will apply;
    • Customer is acting as a Processor and Licensor as a Processor, Module 3 will apply.
  2. OPTIONS.
    For each module, where applicable, the Parties agree on the following options:
    • Clause 7 (Docking Clause): the optional docking clause shall not apply.
    • Clause 9(a) (Use of Sub-processors): Option 2 shall apply.
    • Clause 11 (Redress): the option in Clause 11(a) (Redress) does not apply.
    • Clause 13 (Supervision): the Parties choose Option 2, the supervisory authority of the Member State in which the representative is established.
    • Clause 17 (Governing Law): the Parties choose Option 1 of Clause 17. The Parties agree that the governing law shall be the law of the Grand Duchy of Luxembourg.
    • Clause 18(b) (Forum and Jurisdiction): disputes shall be resolved in the courts of the district of Luxembourg City.

Schedule 1, ANNEX I


  1. LIST OF PARTIES
    Data exporter(s): The data exporter is Customer (as defined in this DPA), which exports Personal Data to Restricted Countries under the Agreement.

    Name: The entity identified as “Customer” in the DPA.

    Address: The address for Customer associated with its Hasura account or as otherwise specified in the DPA or the Agreement.

    Contact person’s name, position and contact details: The contact details associated with Customer’s account, or as otherwise specified in the DPA or the Agreement.

    EU representative under Art. 27 GDPR: [ ]

    Data exporter role (as applicable): controller/processor


    Data importer(s): The data importer is the Licensor (as defined in this DPA).

    Name: Hasura as identified in the DPA.

    Address: The address for Hasura specified in the Agreement.

    Contact person’s name, position and contact details: The contact details for Hasura specified in the DPA or the Agreement.

    EU representative under Art. 27 GDPR: Jesse Martin - [email protected]

    Data importer role: processor
  2. DESCRIPTION OF TRANSFER
    Item: Explanation
    Categories of Data Subjects whose Personal Data is transferred: Data exporter’s users, employees and third parties with whom it has, or may develop, a commercial relationship.
    Categories of Personal Data transferred: The personal data relating to individuals which is provided by the data exporter.
    Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures: Not Applicable.
    The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis): As necessary for the performance of the items set forth in Section 3.2 of the DPA and only for the duration of the performance of the items set forth in Section 3.2 of the DPA or as otherwise required by applicable law.
    Nature of the processing: As necessary for the performance of the items set forth in Section 3.2 of the DPA.
    Purpose(s) of the data transfer and further processing: As necessary for the performance of the items set forth in Section 3.2 of the DPA.
    The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: As necessary for the performance of the items set forth in Section 3.2 of the DPA or as required by applicable law.
    For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing: Only as necessary for the performance of the items set forth in Section 3.2 of the DPA and only for the duration of the performance of the items set forth in Section 3.2 of the DPA or as otherwise required by applicable law.
  3. DESCRIPTION OF TRANSFER
    The data exporter’s competent supervisory authority will be determined in accordance with the Data Protection Law:
    • Where the data exporter is established in an EU Member State: the supervisory authority with responsibility for ensuring compliance by the data exporter with GDPR is the data protection authority of France.
    • Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) and has appointed a representative pursuant to Article 27(1) of Regulation (EU) 2016/679: the supervisory authority of the Member State in which the representative within the meaning of Article 27(1) of Regulation (EU) 2016/679 is established shall act as the competent supervisory authority.
    • Where the data exporter is established in the United Kingdom or falls within the territorial scope of application of UK Data Protection Laws and Regulations, the Information Commissioner's Office shall act as the competent supervisory authority.
    • Where the data exporter is established in Switzerland or falls within the territorial scope of application of Swiss Data Protection Laws and Regulations, the Swiss Federal Data Protection and Information Commissioner shall act as competent supervisory authority insofar as the relevant data transfer is governed by Swiss Data Protection Laws and Regulations.

Schedule 1, ANNEX II

TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA


As applicable:
MODULE TWO: Transfer controller to processor
MODULE THREE: Transfer processor to processor
Hasura agrees to abide by the terms of the security measures attached as Schedule 3 to this Data Processing Addendum.

Schedule 1, ANNEX III

LIST OF SUB-PROCESSORS


Information about Sub-processors, including their functions and locations, is available at: https://hasura.io/legal/subprocessors/ (as may be updated by Hasura from time to time) or such other website address as Hasura may provide to Customer from time to time.

Schedule 2: California Annex


  • It is the parties’ intent that with respect to any personal information, Hasura is a service provider. Hasura shall not (a) sell any personal information; (b) retain, use or disclose any personal information for any purpose other than for the specific purpose of providing the items set forth in Section 3.2 of the DPA including retaining, using, or disclosing the personal information for a commercial purpose other than the provision of the items set forth in Section 3.2 of the DPA; or (c) retain, use or disclose the personal information outside of the direct business relationship between Hasura and Customer. Hasura hereby certifies that it understands its obligations under this Schedule 2 and will comply with them.
  • The parties acknowledge that Hasura’s retention, use and disclosure of personal information authorized by Customer’s instructions stated in the Data Processing Addendum are integral to Customer’s provision of the Services and the business relationship between the parties. The exchange of Customer Personal Data does not form part of the consideration exchanged between the parties in respect of the Agreement or any other business dealings.

Schedule 3: Security Measures


As from the Addendum Effective Date, Hasura will implement and maintain the security measures set out in this Schedule 3 (“Security Measures”).
  • Organizational management and dedicated staff responsible for the development, implementation and maintenance of Hasura’s information security program.
  • Audit and risk assessment procedures for the purposes of periodic review and assessment of risks to Hasura’s organization, monitoring and maintaining compliance with Hasura’s policies and procedures, and reporting the condition of its information security and compliance to internal senior management.
  • Data security controls which include at a minimum logical segregation of data, restricted (e.g., role-based) access and monitoring, and utilization of commercially available and industry standard encryption technologies for Customer Personal Data.
  • Logical access controls designed to manage electronic access to data and system functionality based on authority levels and job functions.
  • Password controls designed to manage and control password strength and usage.
  • System audit or event logging and related monitoring procedures to proactively record user access and system activity.
  • Physical security of data centers and other areas containing Customer Personal Data designed to protect information assets from unauthorized physical access or damage.
  • Operational procedures and controls to provide for configuration, monitoring and maintenance of technology and information systems.
  • Incident management procedures designed to allow Hasura to investigate, respond to, mitigate and notify of events related to Hasura’s technology and information assets.
  • Network security controls that provide for the use of enterprise firewalls and intrusion detection systems designed to protect systems from intrusion and limit the scope of any successful attack.
Hasura may update or modify such Security Measures from time to time, provided that such updates and modifications do not materially decrease the overall security of the Services.

Schedule 4 – UK Addendum to the EU Standard Contractual Clauses


If and to the extent that the Agreement involves a Restricted Transfer from the UK, then the Parties agree that the UK Addendum shall apply as set out in this Schedule 4.
Part 1: Tables
Table 1: Parties
The Parties:
  Exporter (who sends the Restricted Transfer)
  Importer (who receives the Restricted Transfer)
Parties' details:
  Exporter: The entity identified as “Customer” in the DPA
  Importer: The entity identified as “Customer” in the DPA
Signature (if required for the purposes of Section 2):
  Exporter: The parties’ signature and date on the DPA constitutes their signature and date on this UK Addendum.
  Importer: The parties’ signature and date on the DPA constitutes their signature and date on this UK Addendum.
Table 2: Selected SCCs, Modules and Selected Clauses
Addendum EU SCCs: The version of the Approved EU SCCs which this Addendum is appended to, including the Appendix Information.
Table 3: Appendix Information
"Appendix Information" means the information which must be provided for the selected modules as set out in the Appendix of the Approved EU SCCs (other than the Parties), and which for this Addendum is set out in:
Annex 1A: List of Parties: As set out in Schedule 1, Annex I.
Annex 1B: Description of Transfer: As set out in Schedule 1, Annex I.
Annex II: Technical and organizational measures including technical and organizational measures to ensure the security of the data: As set out in Schedule 1, Annex II.
Annex III: List of Sub-processors (Modules 2 and 3 only): As set out in Schedule 1, Annex III.
Table 4: Ending this Addendum when the Approved Addendum changes
Ending this Addendum when the Approved Addendum changes: Which Parties may end this Addendum as set out in Section 19: Importer
Part 2: Mandatory Clauses
Mandatory Clauses: Part 2: Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with section 119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of those Mandatory Clauses.
Transfer Risk Assessment
The Exporter has completed a transfer risk assessment (TRA). It has relied on the Department for Science, Innovation and Technology’s Analysis of the UK Extension to the EU-US data privacy framework published in September 2023 (the DSIT analysis). The Exporter is satisfied that the DSIT analysis concludes that US laws and practices provide adequate protections for people whose personal information is transferred to the US for risks to people’s rights: (i) arising in the US from third parties that are not bound by this IDTA accessing the transferred personal information in particular, government and public bodies; and (ii) arising from difficulties enforcing the IDTA. The Exporter considers that it is reasonable and proportionate for it to rely on the DSIT analysis, given the scope of this assessment is as required under Article 45 UK GDPR, and the enactment of adequacy regulations under Section 17A DPA 2018 by the Secretary of State and Parliament, on the basis of that assessment. The Exporter will review this TRA if a new or amended version of the DSIT analysis is published, or the DSIT analysis is withdrawn.

Schedule 5: Australia Annex


Hasura agrees to comply with the Australian Privacy Act when Processing Customer Personal Data, to the extent applicable to Hasura.