THIS DATA PROCESSING ADDENDUM (“DPA”) is made between Tinybird Inc. with offices at 45 Pleasant Street, Newburyport, 01950, MA USA (“Tinybird”), and the Customer identified in the Order Form. This DPA is incorporated into and made subject to the Tinybird Analytics License Agreement between Tinybird and Customer, or to any other written agreement between Tinybird and Customer (such as Tinybird’s Free, Developer and Developer Pro Terms of Service), that governs Customer’s use of the Services (as defined below) (the “Agreement”).
1.1 For purposes of this DPA, the following initially capitalized words have the following meanings:
2. Status of the parties
2.1 The type of Personal Data processed pursuant to this DPA and the subject matter, duration, nature and purpose of the processing, and the categories of data subjects, are as described in Annex A.
2.2. In respect of the parties’ rights and obligations under this DPA regarding the Personal Data, the parties acknowledge and agree that Customer is the Data Controller and Tinybird is the Data Processor. Tinybird agrees that it will process all Personal Data in accordance with its obligations pursuant to this DPA.
2.3 As between the parties, Customer is solely responsible for obtaining, and has obtained or will obtain, all necessary consents, licenses and approvals for the processing, or otherwise has a valid legal basis under Data Protection Laws for the Processing of Personal Data (the “Customer Legal Basis Assurance”). Without limiting the Customer Legal Basis Assurance, each of Customer and Tinybird warrant in relation to Personal Data that it will comply with (and will ensure that any of its personnel comply with), the Data Protection Laws applicable to it.
3. Tinybird obligations
3.1 Instructions. Tinybird will only process the Personal Data in order to provide the Services and will act only in accordance with the Agreement and Customer’s written instructions. The Agreement, this DPA, and Customer’s use of the Tinybird Platform’s features and functionality, are Customer’s written instructions to Tinybird in relation to the processing of Personal Data.
3.2 Contrary Laws. If the Data Protection Laws require Tinybird to process Personal Data other than pursuant to Customer’s instructions, Tinybird will notify Customer prior to processing (unless prohibited from so doing by applicable law).
3.3 Infringing Instructions. Tinybird will immediately inform Customer if, in Tinybird’s opinion, any instructions provided by Customer under Clause 3.1 infringe the GDPR or other applicable Data Protection Laws.
3.4 Appropriate Technical and Organizational Measures. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, Tinybird will implement appropriate technical and organisational measures to ensure a level of security appropriate to the risks that are presented by the processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data in Tinybird’s possession or under its control. Such measures include security measures equal to or better than those specified in Annex B below. Customer has reviewed Tinybird’s security program and acknowledges that it is designed to ensure a level of security appropriate to the risk. Customer further acknowledges that it is responsible for its configuration of the Tinybird Platform and for using features and functionality of the Services to ensure a level of security appropriate to the risks presented by the processing.
3.5 Access by Tinybird Personnel. Tinybird will ensure that its personnel have access to Personal Data only as necessary to perform the Services in accordance with the Agreement and this DPA, and that any persons whom it authorises to have access to the Personal Data are under written obligations of confidentiality.
3.6 Personal Data Breaches. Taking into account the nature of the processing and the information available to Tinybird:
3.7 Deletion or Return of Personal Data. Tinybird will return Personal Data to Customer by permitting Customer to export Personal Data from the Tinybird Platform at any time during provision of the Services, using the Tinybird Platform’s then existing features and functionality. Customer may delete Customer Data on its “Tenants” at any time. (“Tenant” means a logical isolation unit, or dedicated share of a particular Tinybird Platform instance; the dedicated share may be configured to reflect the needs of the specific Customer business unit using the share.) Tinybird will delete Customer’s Tenants (and any data remaining on such Tenants) within 30 days of termination or expiration of the Subscription Term, and other Personal Data retained by Tinybird (if any). Tinybird is not obligated to delete copies of Personal Data retained in automated backup copies generated by Tinybird, which Tinybird will retain for up to, and delete within, 14 months from their creation. Such backup copies will remain subject to this DPA and the Agreement until they are destroyed.
3.8 Assistance. Taking into account the nature of processing and the information available to Tinybird, Tinybird will assist Customer when reasonably requested in relation to Customer’s obligations under Data Protection Laws with respect to:
3.9 Data Subject Requests. Taking into account the nature of the processing, Tinybird will assist Customer by appropriate technical and organizational measures, insofar as this is possible, to respond to data subjects’ requests to exercise their rights under Chapter III of the GDPR or other applicable Data Protection Laws. Tinybird will promptly notify Customer of requests received by Tinybird, unless otherwise required by applicable law. Customer may make changes to Personal Data processed with the Tinybird Platform using the features and functionality of the Tinybird Platform. Tinybird will not make changes to such data except as agreed in writing with Customer. If and to the extent that Customer is unable to respond to a data subject request by using features and functionality of the Tinybird Platform and a response to the data subject is required by Data Protection Laws, Tinybird will, upon written request by Customer, reasonably assist Customer in responding to the request.
3.10 Records of Processing Activities. Tinybird will maintain records of its processing activities as required by Article 30.2 of the GDPR, and make such records available to the applicable supervisory authority upon request.
4.1 Disclosure and Transfer of Personal Data. Tinybird will not disclose or transfer Personal Data to any third party without the prior written permission of Customer, except (i) as specifically stated in the Agreement or this DPA, or (ii) where such disclosure or transfer is required by any applicable law, regulation, or public authority.
4.2 Consent to Sub-Processors. Customer consents to Tinybird’s use of sub-processors to provide aspects of the Services, and to Tinybird’s disclosure and provision of Personal Data to those sub-processors. Tinybird publishes a list of its then-current sub-processors at https://tinybird.co/tinybird-subprocessors.pdf (“Sub-Processor List”). Tinybird will require its sub-processors to comply with terms that are substantially no less protective of Personal Data than those imposed on Tinybird in this Agreement (to the extent applicable to the services provided by the sub-processor). Tinybird will be liable for any breach of its obligations under this Agreement that is caused by an act, error or omission of a sub-processor.
4.3 Authorization of New Sub-Processors. Tinybird may authorize new sub-processors, provided that:
4.4 Objections to New Sub-Processors. If Customer objects to the authorization of any future sub-processor on reasonable data protection grounds within 30 days of notification of the proposed authorization, and if Tinybird is unable to provide an alternative or workaround to avoid processing of Personal Data by the objected to sub-processor within a reasonable period of time, not to exceed 30 days from receipt of the objection (the “Correction Period”), then, at any time within expiration of the Correction Period, Customer may elect to terminate the processing of Personal Data under affected Sales Orders to the Agreement without penalty, by written notice to Tinybird to that effect. If Customer terminates any such Sales Order in accordance with the foregoing, then Tinybird will refund to Customer a pro-rata amount of any affected Services fees prepaid to Tinybird and applicable to the unutilized portion of the Subscription Term for terminated Services.
5. Audit and records
5.1 Provision of Information. Tinybird will make available to Customer such information in Tinybird’s possession or control as Customer may reasonably request with a view to demonstrating Tinybird’s compliance with the obligations of data processors under the Data Protection Laws in relation to its processing of Personal Data.
5.2 Audit Right. Customer may exercise its right of audit under the Data Protection Laws, through Tinybird providing:
6. Data transfers
This Section 6 applies to any processing by Tinybird or its sub-processors of any Personal Data subject to the GDPR.
6.1 To the extent any processing by Tinybird of Personal Data takes place in any country outside the European Economic Area (“EEA”) (other than exclusively in an Adequate Country), the parties agree that the Standard Contractual Clauses will apply in respect of that processing; Tinybird will comply with the obligations of the ‘data importer’ in the Standard Contractual Clauses and Customer will comply with the obligations of ‘data exporter’. In this respect, Customer and Tinybird agree that the Standard Contractual Clauses are incorporated into and made subject to this DPA by this reference.
6.2 Customer acknowledges that the provision of the Services under the Agreement may require the processing of Personal Data by sub-processors in countries outside the EEA from time to time.
6.3. If, in the performance of this DPA, Tinybird transfers any Personal Data to a sub-processor (including any Tinybird Affiliate that acts as a sub-processor) where such sub-processor will process Personal Data outside the EEA (other than exclusively in an Adequate Country), then Tinybird will in advance of any such transfer ensure that a mechanism to achieve adequacy in respect of that processing is in place, such as:
6.4 The following terms will apply to the Standard Contractual Clauses:
7. Authorized Affiliates
7.1 By executing the Agreement, Customer enters into the DPA on behalf of itself and, as applicable, in the name and on behalf of its Authorized Affiliates, thereby establishing a separate DPA between Tinybird and each such Authorized Affiliate, subject to the provisions of the Agreement and this Section 7 and Section 8. Each Authorized Affiliate agrees to be bound by the obligations of Customer under this DPA and, to the extent applicable, the Agreement. For the avoidance of doubt, an Authorized Affiliate is not and does not become a party to the Agreement and is only a party to the DPA.
7.2 The Customer that is the contracting party to the Agreement will remain responsible for coordinating all communication with Tinybird under this DPA and will be entitled to make and will receive any communication in relation to this DPA on behalf of its Authorized Affiliates.
7.3 Where an Authorized Affiliate becomes a party to the DPA with Tinybird it will, to the extent required under applicable Data Protection Laws, be entitled to exercise the rights and seek remedies under this DPA, subject to the following:
8. Limitation of Liability
8.1 Each party’s and all of its Affiliates’ liability, taken together in the aggregate, arising out of or related to this DPA, and all DPAs between Authorized Affiliates and Tinybird, whether in contract, tort or under any other theory of liability, is subject to the ‘Limitations and Exclusions of Liability’ (or its equivalent) section of the Agreement, and any reference in such section to the liability of a party means the aggregate liability of that party and all of its Affiliates under the Agreement and all DPAs together. For the avoidance of doubt, Tinybird’s and its Affiliates’ total liability for all claims from Customer and all of its Authorized Affiliates arising out of or related to the Agreement and all DPAs will apply in the aggregate for all claims under both the Agreement and all DPAs established under the Agreement, including by Customer and all Authorized Affiliates, and, in particular, will not be understood to apply individually and severally to Customer and/or to any Authorized Affiliate that is a contractual party to any such DPA.
9.1 This DPA is without prejudice to the rights and obligations of the parties under the Agreement which will continue to have full force and effect. In the event of any conflict between the terms of this DPA and the terms of the Agreement, the terms of this DPA will prevail insofar as the subject matter concerns the processing of Personal Data. In the event of any conflict between the terms of this DPA and the Standard Contractual Clauses then, only insofar as the Standard Contractual Clauses apply, the Standard Contractual Clauses will prevail.
9.2 Customer and Tinybird each agree that the dispute resolution provisions of the Agreement (including governing law and venue) apply to this DPA.
LIST OF PARTIES
Data exporter(s): Customer Entity as described in the Agreement (‘Customer’)
Address: The Address is as set out in the Agreement
Contact person’s name, position and contact details: The Contact Details are as set out in the Agreement
Activities relevant to the data transferred under these Clauses: As set out in the master agreement between the parties.
Role (controller/processor): Controller
Name: Tinybird Inc.
Address: Tramontana 28, 1D, 28223, Pozuelo de Alarcón, Madrid
Contact person’s name, position and contact details: CTO, Raúl Ochoa, firstname.lastname@example.org
Activities relevant to the data transferred under these Clauses: As set out in the master agreement between the parties.
Role (controller/processor): Processor
DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred
Data subjects are end users, or individuals purporting to be end users, of the Customer Applications, or other data subjects with respect to whom Customer elects to collect their personal data, and Customer’s and Customer Affiliate members’, and its and their service providers, employees, consultants, agents and representatives authorized by Customer to use the Services
Categories of personal data transferred
Email addresses or unique identification methods depending on the authentication method selected by Customer, and any other personal data that the Customer uploads to the Tinybird platform with the purpose of querying or analysing it;
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
The frequency of the transfer (eg. whether the data is transferred on a one-off or continuous basis).
Nature of the processing
The processing will comprise the following: Tinybird provides a data analytics platform, which Customer may use to develop and integrate data products and applications. The Tinybird Platform is not an application in itself; the Customer will need to write its own code to enable interoperability between the Tinybird Platform and Customer applications, and to determine how to use the Tinybird Platform within the Customer’s architecture. Tinybird is responsible only for the Tinybird Platform. Tinybird is not responsible for the Customer’s networks, systems or applications (collectively, “Customer Systems”), the means by which the Customer chooses to integrate the Tinybird Platform into the Customer Systems, or the security and data protection measures that the Customer applies to the Customer Systems. The Tinybird Platform acts as a backend for data querying via Customer defined queries and APIs that then need to be integrated into Customer applications. Tinybird has minimal control over the nature and scope of the personal data that Customer chooses to process using the Tinybird Platform, minimal insight into the identity of the Customer’s users, and no role in the means by which Customer obtains personal data of Customer’s users or Customer’s decision-making as to the purpose for which the personal data is processed.
Purpose(s) of the data transfer and further processing
The purpose of the data processing is the provision of the Tinybird Services to the Customer and the performance of the Tinybird’s obligations under the Agreement.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
The duration of the data processing under this DPA is until the termination or expiration of the Underlying Agreements in accordance with its terms.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing
The subject matter, nature and duration of the Processing of Personal Data by (Sub) Processors, if applicable, shall be as outlined above.
COMPETENT SUPERVISORY AUTHORITY
Identify the competent supervisory authority/ies in accordance with Clause 13
Spanish Data Protection Authority
The Data Importer currently abides by the security standards in this Annex B. The Data Importer may update or modify these security standards from time to time provided such updates and modifications will not result in a degradation of the overall security of the Services during the term of the applicable Services Agreement.
Infrastructure. The Data Importer hosts its services in geographically distributed, secure data centers operated by Google Cloud (GCP).
Redundancy. The services are replicated across multiple data centers within a geographic region to eliminate single points of failure using an active/passive configuration in order to minimize the impact of environmental risks.
Monitoring. The services are protected by automated monitoring which is designed to detect a variety of failure conditions and which will, when appropriate, trigger failover mechanisms.
Backups. Backups are performed on a regular basis and stored in a secondary site within the same geographic region.
Business Continuity. The Data Importer replicates its service and data over multiple data centers within a geographic region (when made available by Data Importers infrastructure as a service providers) to protect against loss of service or data. The Data Importer conducts periodic tests of failover and data backup procedures to ensure readiness for business continuity and disaster recovery.
Networks & Transmission.
Network Data Transmission. Interactions between users, administrators and Data Importer modules are done using the Secure Socket Layer (SSL) or Transport Layer Security (TLS) standard cryptographic protocols.
Network Security. The Data Importer employs multiple layers of DOS protection, Intrusion Detection, Rate Limiting and other network security services from both its hosting providers and third party providers.
Encryption Technologies. The Data Importer makes HTTPS encryption (also referred to as SSL or TLS connection) available.
Access Procedures. Only authorized employees are allowed access to these restricted components and all access is approved by an employee’s manager and service owner. Only a small number of individuals are approved to access the restricted components.
Access Mechanisms. Access to the Data Importer’s production service and build infrastructure occurs only over a secured channel and requires two-factor authentication.
In Transit. Interactions between users, administrators and Tinybird modules are done using the Secure Socket Layer (SSL) or Transport Layer Security (TLS) standard cryptographic protocols.
At Rest. The Data Importer uses cryptographic hashing and encryption mechanisms to protect sensitive information such as cryptographic keys and application secrets.
Redundancy. The Data Importer stores data in a multi-tenant environment within the Data Importer’s hosted infrastructure. The data and service are replicated across multiple hosted data centers within the same geographic region.
Data Isolation. The Data Importer logically isolates the Data Exporter’s data, and the Data Exporter has a large degree of control over the specific data stored in the Service. Data Deletion. The Data Importer provides to the Data Exporter a mechanism that can be used to delete the Data Exporter’s data.
Software Code Review. The Data Importer employs a code review process to improve the security of the code used to provide the Services. All changes to the service are reviewed and approved by a senior engineer other than the author of the change.
Automated testing. Each software build is subjected to a comprehensive suite of automated tests. Security Scan. The Data Importer employs a third party to scan the Service for security vulnerabilities on a periodic basis.
Staff Conduct and Security.
Staff Conduct. The Data Importer personnel are required to conduct themselves in a manner consistent with the company’s guidelines regarding confidentiality, business ethics, usage, compliance and professional standards.
Background Checks. The Data Importer conducts reasonably appropriate background checks as legally permissible and in accordance with applicable local labor law and statutory regulations.
Subprocessor Security. Prior to onboarding sub-processors that will handle any data provided by a Data Exporter, the Data Importer conducts an assessment of the security and privacy practices of the sub-processor to help ensure that the sub-processor provides a level of security and data protection controls appropriate to their access to data and the scope of the services they are engaged to provide.