Our next-gen architecture is built to help you make sense of your ever-growing data.

Watch a 4-min demo video!

Data Processing Agreement

 

 

This Data Processing Agreement (“DPA”) forms an integral part of, and is subject to, the Coralogix Master Subscription Terms (“Principal Agreement”), entered into by and between Coralogix Ltd., with offices located at Abba Hillel Silver Rd. 19 Ramat Gan, and/or its Affiliates (“Coralogix”) and you and/or your Affiliates (“Customer”). The DPA together with the Principal Agreement are collectively referred to as the “Agreement“. Coralogix and Customer are hereinafter jointly referred to as “Parties” and individually as “Party”. Capitalized terms not otherwise defined herein shall have the meaning given to them in the Principal Agreement.

1. Definitions

1.1. “Affiliate” means any entity that directly or indirectly Controls, is Controlled by, or is under common Control with the subject entity. “Control” for purposes of this definition means direct or indirect ownership or control of more than fifty percent (50%) of the voting interests of the subject entity;

1.2. “Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data;

1.3. “Customer Personal Data” means any Personal Data Processed by Coralogix on behalf of Customer pursuant to or in connection with the Principal Agreement;

1.4. “Data Protection Laws” / “applicable laws” means (a) EU Data Protection Laws, (b) the UK GDPR, (c) the Swiss FADP, and (d) to the extent applicable, the data protection or privacy laws of any other applicable country as agreed in writing between the Parties, including in the United States of America, India and Israel;

1.5. “Data Subject” means the identified or identifiable person to whom Personal Data relates;

1.6. “EU GDPR” means regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data,  (General Data Protection Regulation) or supplements;

1.7. “EU SCC” or “EU Standard Contractual Clauses” means the European Commission’s Standard Contractual Clauses for the transfer of Personal Data from the European Union to Processors (as set out in Annex to Commission Decision 2010/87/EU) established in third countries which do not ensure an adequate level of data protection;

1.8. “FADP” means the Swiss Federal Act on Data Protection (FADP), June 19, 1992, SR 235.1 and any subsequent amendments, replacements, or supplements including any guidelines and clarifying materials published by the Swiss Federal Data Protection and Information Commissioner (FDPIC);

1.9.  “Personal Data” means any information relating to (i) an identified or identifiable natural person and (ii) an identified or identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person, where for each (i) or (ii), such data is Customer Personal Data;

1.10. “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed;

1.11. “Process/Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as (but not limited to) collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

1.12. “Processor” means a natural or legal person, public authority, agency or other body which Processes Personal Data on behalf of the Controller, including as applicable any “service provider” as that term is defined by the EU / UK GDPR;

1.13. “Sub Processor” means a Processor appointed by Coralogix, on its behalf, to Process the Customer Personal Data excluding an employee of Coralogix;

1.14. “Standard Contractual Clauses” or “SCCs” means the EU SCC, the UK Addendum, and the Swiss Addendum as defined herein, and as applicable to the transfers of Personal Data pursuant to this DPA;

1.15. “Swiss Addendum” means the applicable standard data protection clauses issued, approved or recognized by the Swiss Federal Data Protection and Information Commissioner, specifically the FADP;

1.16. “UK Addendum” means the International Data Transfer Addendum to the EU SCC issued by the UK Information Commissioner’s Office;

1.17. “UK GDPR” means the Data Protection Act 2018, c. 12 (U.K.) and the EU GDPR as adapted into law of the United Kingdom;

1.18. “India Addendum” means the applicable standard data protection clauses issued, approved, or duly recognized according to the laws of the Republic of India, specifically the DPDP Act and/or the Aadhaar Act and/or any other Indian Privacy Law (together the “Indian Privacy Laws”);

2. Processing of Customer Personal Data

2.1. This DPA applies only to Personal Data obtained by Coralogix from the Customer’s use of Coralogix’s services, as outlined in Annex 1 (Details of Processing of Customer Personal Data). Coralogix acts as a Processor of Personal Data on behalf of the Customer, who is the Controller.

2.2. Coralogix shall not Process Customer Personal Data other than according to the Customer’s documented reasonable and customary instructions as specified in the Principal Agreement or this DPA, unless such Processing is necessary by applicable laws.

2.3. Customer instructs Coralogix (and authorizes Coralogix to instruct each Sub Processor) to (i) Process Customer Personal Data to the extent required for the provision of Coralogix’s Services under the Agreement; and, in particular (ii) transfer Customer Personal Data to any country or territory, all as reasonably necessary for the provision of the Services and as per the terms of this Agreement and applicable laws.

2.4. The Customer guarantees it has the authority to provide instructions regarding Personal Data on behalf of itself and its Affiliates, for the duration of the Agreement and any additional lawful Processing period

2.5. Without derogating from any other provision of the Agreement, and in the event that the Customer Personal Data includes, any Personal Data which is not expressly identified under Annex 1 (Details of Processing of Customer Personal Data) (collectively, “Excess Personal Data”), Customer and not Coralogix, shall be fully responsible for any use, Processing, editing, hosting, transferring, storing, reproducing, modifying of such Excess Personal Data, and Customer hereby represents and warrants that Customer has provided sufficient notices and obtained necessary or advisable consents required from any third-party and otherwise has the lawful basis upon which to share the Excess Information, including any Personal Data, included therein with Coralogix and its Affiliates, and to make any and all uses as otherwise contemplated under the Agreement.

3. Customer Obligations

Customer shall comply with all applicable laws in connection with the performance of this DPA. As between the Parties, Customer shall be solely responsible for compliance with applicable laws (including Data Protection Laws) regarding the collection of and transfer to Coralogix of Customer Personal Data. Customer agrees not to provide Coralogix with any Special Categories of Personal Data (i.e. Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation) other than as provided in Annex 1 (Details of Processing of Customer Personal Data).

4. Coralogix Personnel

Coralogix shall take reasonable steps to ensure that access to the Customer Personal Data is limited on a need to know/access basis, and that all Coralogix personnel receiving such access are subject to confidentiality undertakings or professional or statutory obligations of confidentiality in connection with their access and/or use of Customer Personal Data.

5. Security

In relation to the Customer Personal Data, Coralogix shall implement appropriate technical and organizational measures as identified under Annex 4 (Technical and Organizational Measures) to establish an appropriate level of security for the Customer Personal Data.

6. Sub Processing

6.1. Customer authorizes Coralogix and each Coralogix Affiliate to appoint (and permit each Sub Processor appointed in accordance with this Section 6 to appoint) Sub Processors in accordance with this Section 6 and any restrictions in the Agreement.

6.2. Coralogix and each Coralogix Affiliate may continue to use those Sub Processors already engaged by Coralogix or any Coralogix Affiliate as of the date of this DPA as identified in Annex 3 to this DPA (List of Authorized Sub Processors), including for the purpose of cloud hosting services by reputable Sub Processors.

6.3. Coralogix may appoint new Sub Processors and shall give prior notice of the appointment of any new Sub Processor (for instance by updating the list of sub-processors on its website at least seven (7) days in advance of appointment of the new Sub Processor, which list could be subscribed to by the Customer for receiving the relevant updates), whether by general or specific reference to such Sub Processor (e.g., by name or type of service), including relevant details of the Processing to be undertaken by the new Sub Processor. If Customer notifies Coralogix in writing of any objections (on reasonable data protection grounds) prior to the proposed appointment, the parties shall discuss commercially reasonable alternative solutions in good faith. If the parties cannot reach a resolution, the Company will either not appoint or replace the Sub Processor for the applicable services, or, if this is not possible, the Customer may terminate the applicable order form(s) with respect only to those Services which cannot be provided by the Company without the use of the objected-to new SubProcessor by providing written notice to the Company. The Company will refund the Customer any prepaid fees covering the remainder of the term of such order form(s) following the effective date of termination with respect to such terminated Services, without imposing a penalty for such termination on the Customer. If the Customer does not object to the appointment of a new Sub-Processor within three (3) business days, the appointment or replacement of the relevant Sub Processor shall be deemed approved by the Customer.

6.4. With respect to each new Sub Processor, Coralogix shall:

6.4.1.   take reasonable steps (for instance by way of reviewing privacy policies as appropriate) before the Sub Processor first Processes Customer Personal Data, to ensure that the Sub Processor is committed to provide the level of protection for Customer Personal Data required by the Agreement; and:

6.4.2.   ensure that the arrangement between Coralogix and the Sub Processor is governed by a written contract, including terms which offer a materially similar level of protection for Customer Personal Data as those set out in this DPA and meet the requirements of Data Protection Laws; and:

6.4.3.   remain responsible for Processing of Customer Personal Data by Sub Processor.

7. Data Subject Rights

7.1. Customer shall be solely responsible for compliance with any statutory and regulatory obligations concerning requests to exercise Data Subject rights under Data Protection Laws (e.g., for access, rectification, deletion of Customer Personal Data, etc.). After considering the nature of the Processing, Coralogix shall reasonably endeavor to assist Customer insofar as feasible, to fulfil Customer’s said obligations with respect to such Data Subject requests, as applicable, at Customer’s sole expense.

7.2. Coralogix shall:

7.2.1.   unless otherwise required under applicable laws, promptly notify Customer if it receives a request from a Data Subject under any Data Protection Law in respect of Customer Personal Data; and

7.2.2.   ensure that it does not respond to that request except on the documented instructions of Customer or as required by applicable laws to which Coralogix is subject, in which case Coralogix shall, to the extent permitted by applicable laws, inform Customer of that legal requirement before it responds to the request.

8. Personal Data Breach

8.1. Coralogix shall notify Customer within forty-eight (48) hours upon Coralogix becoming aware of a Personal Data Breach affecting Customer Personal Data, in connection with Coralogix’s or Coralogix’s Affiliates’ Processing of such Customer Personal Data. In such event, Coralogix shall provide Customer with information (to the extent in Coralogix’s possession) to assist Customer to meet any obligations to inform Data Subjects or data protection authorities of the Personal Data Breach under the Data Protection Laws.

8.2. At the written request of the Customer, Coralogix shall reasonably cooperate with Customer and take such commercially reasonable steps as are agreed by the Parties or necessary under Data Protection Laws to assist in the investigation, mitigation and remediation of each such Personal Data Breach at Customer’s sole expense.

9. Data Protection Impact Assessment and Prior Consultation

At the written request of the Customer, Coralogix and each Coralogix Affiliate shall provide reasonable assistance to Customer, at Customer’s expense, with any data protection impact assessments or prior consultations with competent data privacy supervisory authorities, as required under any applicable Data Protection Laws. Such assistance shall be solely in relation to the Processing of Customer Personal Data by Coralogix.

10. Deletion or return of Customer Personal Data

10.1. Subject to Section 10.2 below, Coralogix shall promptly but no later than sixty (60) days of the date of cessation of any Services involving the Processing of Customer Personal Data, delete or pseudonymize all copies of such Customer Personal Data, except any copies that are authorized to be retained under this DPA or required to be retained in accordance with applicable law and/or regulation. Coralogix shall ensure the confidentiality of all such Customer Personal Data and shall ensure that it is only Processed for such legal purpose(s).

10.2. Upon Customer’s prior written request, Coralogix shall provide written certification to Customer that it has complied with this Section 10.

11. Audit Rights

11.1. Upon Customer’s prior written request and as required by applicable Data Protection Laws, Coralogix shall provide a reputable independent auditor, chosen by the Customer, with necessary information to demonstrate compliance with the DPA. This includes allowing audits or inspections related to the Processing of Customer Personal Data, subject to standard confidentiality obligations.

11.2. Audits and the provision of related information will be at the Customer’s sole expense and only apply if the Agreement does not already provide the relevant information and meet the audit requirements under applicable laws.

11.3. Customer shall give Coralogix reasonable prior written noticeof any audit or inspection to be conducted, including the time, scope and duration of the audit and shall not cause (and ensure that each of its mandated auditors does not cause) any damage, injury, tort or disruption to Coralogix premises, equipment, personnel and business in the course of such an audit or inspection. Coralogix shall not give access to its premises for the purposes of such an audit or inspection if:

11.3.1. an audit has already been performed by or on behalf of the Customer in the preceding twelve (12) month period; or:

11.3.2. an individual fails to produce reasonable evidence of identity and/or authority; or:

11.3.3. Coralogix was not given written notice of such audit or inspection at least thirty (30) days in advance; or:

11.3.4. the audit or inspection takes place outside normal business hours, unless the audit or inspection needs to be conducted on an emergency basis and Customer has given prior notice to Coralogix that this is the case before attendance outside those hours begins; or:

11.3.5. the audit or inspection is for premises outside Coralogix’s control (such as data storage farms of Coralogix’s cloud hosting providers or Sub Processors).

12. Restricted Transfers

12.1. Processing of Personal Data shall be carried out by Coralogix exclusively within the EU/EEA, Switzerland, the United Kingdom, or the Republic of India unless otherwise previously explicitly approved in writing by the Customer. The approval shall be deemed granted for Sub Processors enumerated in Annex 3 (List of authorized Sub Processors) attached hereto. It is hereby clarified that if the Customer Personal Data is transferred, whether directly or via onward transfer, to any country or recipient not recognized by the applicable governing authority as providing an adequate level of protection of Personal Data (“Restricted Transfer”), then the Standard Contractual Clauses will apply to such transfer, as detailed below.

12.2. Transfers from the EEA: Where a Restricted Transfer is made from the EEA, the terms of the transfer between the Parties shall be governed by the EU Standard Contractual Clauses which are incorporated herein by reference and considered duly executed between the Parties upon execution of this DPA. The particular roles of the Parties, the applicable extent, and the relevant modules of the EU Standard Contractual Clauses that will apply to such transfers are defined in Section A of Annex 2 (Standard Contractual Clauses)

12.3. Transfers from the UK: Where a Restricted Transfer is made from the UK, the terms of the transfer between the Parties shall be governed by the UK Addendum that is incorporated herein by reference and considered duly executed between the Parties upon execution of this DPA, as applicable to the transfer. Section B of Annex 2 (Standard Contractual Clauses) includes all necessary information that is required in Part 1 of the UK Addendum.

12.4. Transfers from Switzerland: Where one Party transfers Personal Data from Switzerland to the other Party who has its place of business in an unsecure country, the terms of the transfer between the Parties shall be governed, to the extent applicable by the Swiss Addendum which is incorporated herein by reference and considered duly executed between the Parties upon execution of this DPA. Section C of Annex 2 (Standard Contractual Clauses) includes all necessary information that is required in under the Swiss Addendum.

12.5. Transfers from India: To the extent that the Service involves Processing Personal Data of individuals located in the Republic of India, and where one Party transfers Personal Data from the Republic of India to the other Party who has its place of business in an unsecured country, the terms of the transfer between the Parties shall be governed, to the extent applicable by the Indian Addendum which is incorporated herein by reference and considered duly executed between the Parties upon execution of this DPA. Section D of Annex 2 (Standard Contractual Clauses) includes all necessary information required under the Indian Addendum.

13. General Terms

13.1. Governing Law and Jurisdiction.

13.1.1. The Parties to this DPA hereby submit to the choice of jurisdiction stipulated in the Principal Agreement with respect to any disputes or claims howsoever arising under this DPA, including disputes regarding its existence, validity or termination or the consequences of its nullity.

13.1.2. This DPA and all non-contractual or other obligations arising out of or in connection with it are governed by the laws of the country or territory stipulated for this purpose in the Principal Agreement.

13.2. Order of Precedence. In the event of any conflict or inconsistency between this DPA and the Principal Agreement, this DPA shall prevail solely with respect to the subject matter of this DPA (except where explicitly agreed otherwise in writing, signed on behalf of the Parties). This DPA is not intended to, and does not in any way limit or derogate from Customer’s own obligations and liabilities towards Coralogix under the Agreement, and/or pursuant to the EU / UK GDPR or any law applicable to Customer, in connection with the collection, handling and use of Personal Data by Customer or its Affiliates or other Processors or their Sub Processors, including with respect to the transfer or provision or Personal Data to Coralogix and/or providing access thereto to Coralogix.

13.3. Changes in Data Protection Laws.

13.3.1. Customer may by at least forty five (45) calendar days’ prior written notice to Coralogix, request in writing any variations to this DPA if they are required, as a result of any change in, or decision of a competent authority under any applicable Data Protection Laws, to allow Processing of those Customer Personal Data to be made (or continue to be made) without breach of that Data Protection Laws; and

13.3.2. If Customer gives notice with respect to its request to modify this DPA under Section 13.3.1:

13.3.2.1. Coralogix shall make commercially reasonable efforts to accommodate such modification request; and

13.3.2.2. Customer shall not unreasonably withhold or delay Agreement to any consequential variations to this DPA proposed by Coralogix to protect Coralogix against additional risks, or to indemnify and compensate Coralogix for any further steps and costs associated with the variations made herein.

13.3.3. If Customer gives notice under Section 13.3.1 the Parties shall promptly discuss the proposed variations and negotiate in good faith with a view to agreeing and implementing those or alternative variations designed to address the requirements identified in Customer’s notice as soon as is reasonably practicable. In the event that the Parties are unable to reach such an agreement within thirty (30) days, then Customer or Coralogix may, by written notice to the other Party, with immediate effect, terminate the Agreement to the extent that it relates to the Services which are affected by the proposed variations (or lack thereof).

13.4. Severance. Should any provision of this DPA be deemed invalid or unenforceable, then the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall either be (i) amended as necessary to ensure its validity and enforceability, while preserving the Parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.

Annex 1 

Details of Processing of Customer Personal Data

This Annex 1 includes certain details of the Processing of Customer Personal Data as required by Article 28(3) of EU / UK GDPR.

Data Exporter Data Importer
Name: The above signed Party (Customer) Name: Coralogix Ltd.
Role: Processor and/or Controller Role: Processor

 

  1. Subject Matter and Duration of the Processing of Customer Personal Data. The subject matter and duration of the Processing of the Customer Personal Data are set out in the Agreement.
  2. The nature and purpose of the Processing of Customer Personal Data: The nature of the Processing includes the collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, or restricting, erasing or destroying data (whether or not by automated means).

The types of Customer Personal Data to be Processed are as follows:

Personal Data which may be sent in logs.
Customer employee contact information.

Special Categories of Personal Data are as follows: As may be sent in logs with prior written approval by Coralogix.

The categories of Data Subjects to whom the Customer Personal Data relates to are as follows: As may be sent in logs.

The obligations and rights of Customer are as follows: The obligations and rights of Customer and Customer Affiliates are set out in the Principal Agreement and this DPA.

Annex 2

Standard Contractual Clauses

A. EU Standard Contractual Clauses

For the purposes of the EU Standard Contractual Clauses, the Parties agree on the following:

(i). Module One and Module four language shall be deleted.

(ii). Clause 7 (Docking Clause) does not apply.

(iii). For Clause 9 (Use of sub-processors) (a) (only for MODULE TWO: Transfer controller to Processor and MODULE THREE: Transfer Processor to Processor), Option 1 applies with a thirty (30) day time period.

(iv). The optional paragraph under Clause 11 (Redress) (a) does not apply.

(v). For Clause 17 (Governing law) (only for MODULE TWO: Transfer Controller to Processor and MODULE THREE: Transfer Processor to Processor), Option 1 applies. The EU Standard Contractual Clauses shall be governed by the law of Ireland.

(vi). For Clause 18 (Choice of forum and jurisdiction), any dispute arising from the EU Standard Contractual Clauses shall be resolved by the courts of Ireland.

The following modules of the EU Standard Contractual Clauses may apply to the transfers under this DPA:

☒        MODULE TWO: Transfer Controller to Processor

☒         MODULE THREE: Transfer Processor to Processor

 

Data Exporter: Customer.
Data Importer:  Coralogix, Abba Hillel Silver Rd. 19 Ramat Gan, Israel; Shiran Wolfman, [email protected]; Compliance Officer & DPO.
Categories of data subjects whose Personal Data is transferred:   See Annex 1
Categories of Personal Data transferred:  See Annex 1
Special categories of Personal Data (if applicable):  See Annex 1
The frequency of the transfer (e.g., whether the data is transferred on a one-off or continuous basis):   The Processing is continuous for the duration of the Principal Agreement.
Nature of the Processing: The nature and purpose of Processing of Personal Data for the Controller are defined in the Principal Agreement.
Purpose(s) of the data transfer and further Processing: The nature and purpose of Processing of Personal Data for the Controller are defined in the Principal Agreement.
The period for which the Personal Data will be retained, or, if that is not possible, the criteria used to determine that period: The Personal Data will be Processed in accordance with this DPA.
Competent supervisory authority: Irish Data Protection Commission
Technical and organizational measures (only for MODULE TWO and MODULE THREE):   See Annex 4 for technical and organizational measures implemented by the data importer.
List of SubProcessors (only for MODULE TWO and MODULE THREE):   See Annex 3 below.

 

B. UK Addendum

Start date The execution date of the DPA
Addendum EU SCCs The UK Addendum is appended to the EU Standard Contractual Clauses incorporated by Section 12 of the DPA.
List of Parties Data Exporter: See Section A of Annex 2
Data Importer: See Section A of Annex 2
Description of Transfer See Section A of Annex 2
Technical and Organizational Measures See Annex 4 below
List of Sub Processors See Annex 3 below
Ending the UK Addendum when the Approved UKAddendum changes Neither of the Parties may end the UK Addendum under Section 13.3.

 

C. Swiss Addendum

Insofar as the data transfer under the DPA is governed by the FADP, provided that none of these amendments will have the effect or be construed to amend the Standard Contractual Clauses in relation to the processing of Personal Data under the EU GDPR, the following shall apply:

1. the Swiss Federal Data Protection and Information Commissioner (the “FDPIC”) will be the competent supervisory authority, in Annex I.C under Clause 13 of the Swiss Addendum;

2. the applicable law for contractual claims and place of jurisdiction for actions between the Parties under Clauses 17 and 18 of the Standard Contractual Clauses shall be as set forth in the Standard Contractual Clauses, provided that the term “member state” must not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland) in accordance with Clause 18c;

3. references to the EU GDPR should be understood as references to the FADP; and

4. where the FADP protects legal entities as data subjects, the Swiss Addendum will apply to data relating to identified or identifiable legal entities.

Start date The execution date of the DPA
Addendum EU SCCs The Swiss Addendum is appended to the EU Standard Contractual Clauses incorporated by Section 12.4 of the DPA.
List of Parties Data Exporter: See Section A of Annex 2
Data Importer: See Section A of Annex 2
Description of Transfer See Section A of Annex 2
Technical and Organizational Measures
List of Sub Processors

 

D. Indian Addendum

Insofar as the data transfer under the DPA is governed by the DPDP Act or any other applicable Indian law, provided that the Person (as defined below) located in the Republic of India or none of these amendments will have the effect or be construed to amend the Standard Contractual Clauses in relation to the processing of Personal Data under the EU GDPR, the following shall apply:

1. Definitions

1.1. “Indian Privacy Laws” means the Digital Personal Data Protection Act, 2023, No. 13 of 2023 (India) (“DPDP Act”) and the Targeted Delivery of Financial and Other Subsidies Act, 2016, No. 36 of 2016 (India) (“Aadhaar Act”) or any other Indian Privacy Law.

1.2. “Data” means a representation of information, facts, concepts, opinions or instructions in a manner suitable for communication, interpretation or processing by human beings or by automated means.

1.3. “Data Fiduciary” means any person who, alone or in conjunction with other persons, determines the purpose and means of processing Personal Data.

1.4. “Data Principal” means the individual to whom the Personal Data relates and where such individual is—(i) a child, including the parents or lawful guardian of such a child; (ii) a person with disability, including her lawful guardian, acting on her behalf.

1.5. “Data Processor” means any person who processes personal data on behalf of a Data Fiduciary.

1.6. “Data Protection Officer” means an individual appointed by the Significant Data Fiduciary under the DPDP Act.

1.7. “Digital Personal Data” means Personal Data in digital form.

1.8. “Person” includes— (i) an individual; (ii) a Hindu undivided family; (iii) Coralogix; (iv) a firm; (v) an association of persons or a body of individuals, whether incorporated or not; (vi) the State, as defined under Article 12 of the Constitution of India; and (vii) every artificial juristic person, not falling within any of the preceding sub-clauses.

1.9. “Personal Data” means any data about an individual identifiable by or in relation to such data.

2. General Requirements  

2.1. During any period in which Coralogix stores or processes the Personal Data of the Customer (including following the termination of the relationship between the Parties and/or the DPA), Coralogix agrees to comply with the Indian Privacy Laws.

2.2. Coralogix undertakes and agrees (i) to take all required measures to assure the privacy of Personal Data, (ii) that Personal Data will not be transferred to any other Person either within or outside its jurisdiction, except as necessary for the provision of Services and/or required by any applicable law, (iii) it shall contractually obligate all third-party service providers, outsourcers, processors, or other users of the Personal Data collected, held, or controlled by Coralogix to: (a) comply with the Indian Privacy Laws relating to the Coralogix’s data privacy and security policies; (b) take reasonable steps to protect and secure such Personal Data; and (c) restrict the use of Personal Data solely to the extent authorized or required by the servicing, outsourcing, processing or similar arrangement.

2.3. In addition to the obligations of this DPA, Coralogix’s processing of Personal Data will (i) keep the same confidential; (ii) implement appropriate organizational controls and training programs to train those of Coralogix’s personnel authorized to access and process the Personal Data, to ensure compliance with this DPA and any Indian Privacy Laws.

2.4. Coralogix shall execute DPAs identical or substantially similar to this DPA with all its third-party service providers, outsourcers, processors, or other users of the Personal Data involved in executing the obligations under the Agreement, such that the third-party service providers, outsourcers, processors, or other users of the Personal Data are bound by the terms of any Indian Privacy Laws.

2.5. Coralogix shall implement and publish a privacy policy on its website in accordance with the Indian Privacy Laws and the applicable provisions of the Aadhaar Act.

2.6. Coralogix shall implement data privacy and security policies and procedures regarding the privacy, security, use, collection, storage, disclosure, dissemination, transmission, or transfer (including cross-border transfer) of any Personal Data of Person sufficient to comply with the any Indian Privacy Laws.

3. Retention and Return of Personal Data  

Notwithstanding the aforesaid in Section 13.3.3 (Termination) of the DPA, Coralogix will retain Personal Data provided by Customer or collected or processed for or on behalf of Customer only for as long as necessary to satisfy the purpose(s) for which it was provided to Coralogix. Coralogix will promptly return, delete, or destroy all Personal Data upon the earlier of Customer’s request or after the termination or expiration of the Agreement or this DPA. Coralogix will provide Customer with written confirmation that all such copies have been deleted or destroyed.

4. Data Subject Rights

4.1. Notwithstanding the aforesaid in Sections 2 and 11 of the DPA, Coralogix will provide such information and assistance as required by the Indian Privacy Laws that apply to Coralogix so that Customer can comply with Data Subject rights under the Indian Privacy Laws (including inspection, correction, rectification, erasure, and restriction of processing activities).

4.2. When a Data Subject whose Personal Data is being processed by Coralogix with a written request to inspect their Personal Data, Coralogix shall (i) within a reasonable period of time of receiving such request, inform the Data Subject of whether Coralogix processes the Data Subject’s Personal Data and shall provide no additional information; (ii) provide the Data Subject with Customer’s name and address for further inquiries; and (iii) provide Customer with written notice of the inquiry together with all relevant details within a reasonable period of time of being approached by the Data Subject, all without charge to the Data Subject.

4.3. If inspection reveals that the Personal Data being processed by Coralogix is inaccurate, Customer will instruct Coralogix to make corrections, and Coralogix will make such corrections and provide Customer with a written notice that the correction has been made.

5. Security of Personal Data  

5.1. To the extent applicable, Coralogix shall duly appoint a grievance officer to address and resolve any grievances regarding the protection of Personal Data collected and stored by Coralogix.

5.2. Coralogix represents and warrants that there are no pending or unresolved grievances in relation to the protection of Personal Data and it is not in breach or non-compliance of any Indian Privacy Laws as of the Effective Date.

5.3. Notwithstanding the aforesaid in, except for disclosure of Personal Data required by data security requirements, authorized in writing by the Data Subject or provided for in Coralogix’s data privacy and security policies, the Coralogix has never sold, rented or otherwise made available, and shall not sell, rent or otherwise make available, to third parties any Personal Data  collected by.

5.4. Notwithstanding the aforesaid of the DPA,   the listed Security Incidents to the Indian Computer Emergency Response Team (“CERT-In”) as mandated under the applicable Indian Privacy Laws, within six (6) hours following awareness of such Security Incidents.

6. Miscellaneous

6.1. Obligation to Erase: Unless required otherwise by the Indian Privacy Laws or any other applicable law, Coralogix will erase the Personal Data of Customer when it receives a request to do so based on a reasonable Customer’s request.

6.2. Data Minimisation: Coralogix shall access and deal with only the utmost necessary Personal Data which is required to be accessed to provide the services to the Customer.

6.3. Data Protection. Coralogix will implement measures to protect personally identifiable Customer Data in its possession or under its control, including in respect of any processing undertaken by it or on its behalf by its sub-processors – by taking reasonable security safeguards to prevent a Personal Data Breach.

6.4. Data Transfer Restrictions: Coralogix shall not transfer or store Customer Personal Data outside India without the Customer’s prior written approval.

Annex 3

List of authorized Sub Processors

List of authorized Sub Processors – https://coralogix.com/authorized-sub-processors/

Annex 4

Technical and Organizational Measures

Technical and organizational measures including such measures to ensure the security of the data.

Coralogix’ s Technical and Organizational Measures are outlined under Coralogix’ s EU / UK GDPR Compliance file (as may be amended from time to time) available at https://coralogix.com/wp-content/uploads/2024/01/GDPR-Compliance-2024.docx.pdf