Kong Data Protection Addendum
This Data Protection Addendum (“Addendum”) forms part of the agreement between Customer and Kong covering Customer’s use of the Products (as defined below) (“Agreement”).
I. Introduction
1. Definitions
● “Account Information” has the meaning given in the Agreement, except that where a term of this Addendum by its context relates to personal data, “Account Information” will be deemed to mean personal data in the Account Information.
● “Applicable Data Protection Law” means all laws and regulations applicable to Kong’s processing of personal data under the Agreement.
● “controller” means a natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
● “Customer Content” has the meaning given in the Agreement, except that where a term of this Addendum by its context relates to personal data, “Customer Content” will be deemed to mean personal data in the Customer Content.
● “personal data” means all data which is defined as “personal data”, “personal information” or “personally identifiable information” (or any analogous term) under Applicable Data Protection Laws.
● “processor” means an entity which processes personal data on behalf of a controller and includes “service provider” or any analogous term defined under Applicable Data Protection Laws.
● “processing” (and “process”) means any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
● “Personal Data Breach” means a confirmed or reasonably suspected accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored or otherwise processed for the purposes of providing the Products to Customer by Kong, its sub-processors, or any other identified or unidentified third party.
● “Products” means the products and services provided by Kong or its Affiliates, as applicable, that are (a) used by Customer, including, without limitation, products and Products that are on a trial basis or otherwise free of charge or (b) ordered by Customer under an Order Form.
● “sub-processor” means (a) Kong, when Kong is processing Customer Content that contains personal data and where Customer is a processor of such Customer Content or (b) where Kong is processing Customer Content that contains personal data where Customer is a controller of such Customer Content, any third-party processor engaged by Kong to process Customer Content that contains personal data in order to provide the Products to Customer.
● “Third Party Request” means any request, correspondence, inquiry, or complaint from a data subject, regulatory authority, or third party.
Any capitalized term not defined in this Section 1 will have the meaning provided in this Addendum or the Agreement.
II. Controller and Processor
2. Relationship
2.1 Kong as a Processor. Customer and Kong agree that with regard to the processing of Customer Content, Customer may act either as a controller or processor and Kong is a processor or sub-processor. Kong will process such Customer Content in accordance with Customer’s instructions as set forth in Section 5 (Customer Instructions).
2.2 Kong as a Controller of Account Information. Customer and Kong acknowledge that, with regard to the processing of Account Information, Customer is a controller and Kong is an independent controller, not a joint controller with Customer. Kong will process Account Information as a controller in order to (a) manage the relationship with Customer; (b) carry out Kong’s core business operations, such as accounting and filing taxes; (c) detect, prevent, or investigate security incidents, fraud, and other abuse or misuse of the Products; (d) perform identity verification; and (e) as otherwise permitted under Applicable Data Protection Law and in accordance with this Addendum and the Agreement.
3. Purpose Limitation. Kong will process personal data in order to provide and in connection with the Products. Schedule 1 (Details of Processing) of this Addendum further specifies the nature and purpose of the processing, the processing activities, the duration of the processing, the types of personal data and categories of data subjects.
4. Compliance. Customer is responsible for ensuring that (a) it has complied, and will continue to comply, with Applicable Data Protection Law in its use of the Products and its own processing of personal data and (b) it has, and will continue to have, the right to transfer, or provide access to, personal data to Kong for processing in accordance with the terms of the Agreement and this Addendum.
III. Kong as a Processor – Processing Customer Content
5. Customer Instructions. Customer appoints Kong as a processor or sub-processor to process Customer Content on behalf of, and in accordance with, Customer’s instructions (a) as set forth in the Agreement, this Addendum, and as otherwise necessary to provide the Products to Customer, and which includes investigating security incidents and detecting and preventing network exploits or abuse; (b) as necessary to comply with applicable law or regulation, including Applicable Data Protection Law; and (c) as otherwise agreed in writing between Customer and Kong (“Permitted Purposes”).
5.1 Lawfulness of Instructions. Customer will ensure that its instructions comply with Applicable Data Protection Law. Customer acknowledges that Kong is neither responsible for determining which laws or regulations are applicable to Customer’s business nor whether Kong’s provision of the Products meets or will meet the requirements of such laws or regulations. Customer will ensure that Kong’s processing of Customer Content, when done in accordance with Customer’s instructions, will not cause Kong to violate any applicable law or regulation, including Applicable Data Protection Law. Kong will inform Customer if it becomes aware, or reasonably believes, that Customer’s instructions violate any applicable law or regulation, including Applicable Data Protection Law.
5.2 Additional Instructions. Additional instructions outside the scope of the Agreement or this Addendum will be agreed to in writing between Customer and Kong, including any additional fees that may be payable by Customer to Kong for carrying out such additional instructions.
6. Confidentiality
6.1 Responding to Third Party Requests. If any Third Party Request is made directly to Kong in connection with Kong’s processing of Customer Content, Kong will promptly inform Customer and provide details of the same, to the extent legally permitted. Kong will not respond to any Third Party Request without Customer’s prior consent, except as legally required to do so or to confirm that such Third Party Request relates to Customer.
6.2 Confidentiality Obligations of Kong Personnel. Kong will ensure that any person it authorizes to process Customer Content has agreed to protect personal data in accordance with Kong's confidentiality obligations in the Agreement.
7. Sub-processors
7.1 Authorization for Onward Sub-processing. Customer provides a general authorization for Kong to engage onward sub-processors that is conditioned on the following requirements:
(a) Kong will restrict the onward sub-processor’s access to Customer Content only to what is necessary to provide the Products, and Kong will prohibit the sub-processor from processing the personal data for any other purpose;
(b) Kong agrees to impose contractual data protection obligations, including appropriate technical and organizational measures to protect personal data, on any sub-processor it appoints that require such sub-processor to protect Customer Content to the standard required by Applicable Data Protection Law, including the requirements set forth in Schedule 4 (Jurisdiction Specific Terms) of this Addendum; and
(c) Kong will remain liable for any breach of this Addendum that is caused by an act, error, or omission of its sub-processors.
7.2 Current Sub-processors and Notification of Sub-processor Changes. Customer consents to Kong engaging third party sub-processors to process Customer Content within the Products for the Permitted Purposes. Kong will maintain a list of sub-processors at konghq.com/sub-processors and will add the names of new and replacement sub-processors to the list at least 30 days prior to the date those sub-processors start processing personal data.
7.3 Objection Right for New Sub-processors. Customer may object to Kong's appointment or replacement of a sub-processor within 10 days after the date Kong updates the list of sub-processors, provided the objection is in writing and based on reasonable grounds relating to data protection. In such an event, Customer and Kong agree to discuss commercially reasonable alternative solutions in good faith. If Kong is reasonably able to provide the Product to the Customer in accordance with the Agreement without using the sub-processor and decides in its discretion to do so, then Customer will have no further rights under this Section 7.3 in respect of the proposed use of the sub-processor. If Kong, in its discretion, requires use of the sub-processor and is unable to satisfy Customer’s objection regarding the proposed use of the new or replacement sub-processor, then Customer may terminate the applicable Order Form as its sole remedy effective upon the date Kong begins use of the new or replacement sub-processor solely with respect to the Products that will use the proposed new sub-processor for the processing of Personal Data. If Customer does not provide a timely objection to any new or replacement sub-processor in accordance with this Section 7.3, Customer will be deemed to have consented to the sub-processor and waived its right to object.
8. Data Subject Rights. Kong will provide reasonable assistance to Customer in complying with Customer's data protection obligations with respect to data subject rights under Applicable Data Protection Law, at Customer’s expense if such reasonable assistance will require Kong to assign significant resources to that effort.
9. Impact Assessments and Consultations. Kong will provide reasonable cooperation to Customer in connection with any data protection impact assessment or consultations with regulatory authorities that may be required in accordance with Applicable Data Protection Law, at Customer’s expense if such reasonable cooperation or consultations will require Kong to assign significant resources to that effort.
10. Deletion of Customer Content. Kong will, in accordance with Section 3 (Duration of the Processing) of Schedule 1 (Details of Processing) of this Addendum, delete any Customer Content under its custody or control stored within the Products. However, Kong may retain Customer Content, or any portion of it, if required by applicable law or regulation, including Applicable Data Protection Law, provided such Customer Content remains protected in accordance with the terms of the Agreement, this Addendum, and Applicable Data Protection Law.
IV. Security and Audits
11. Security
11.1 Security Measures. Kong has implemented and will maintain the technical and organizational security measures as set forth in the Agreement. Additional information about Kong’s technical and organizational security measures to protect Account Information and Customer Content is set forth in Schedule 2 (Technical and Organizational Security Measures) of this Addendum. Customer acknowledges that Kong’s security measures are subject to technical progress and development and that Kong may update or modify its security measures from time to time, provided that such updates and modifications do not degrade or diminish the overall security of the Products.
11.2 Determination of Security Requirements. Customer acknowledges the Products include certain features and functionalities that Customer may elect to use which impact the security of Customer Content processed by the Products, such as, but not limited to, supporting multi-factor authentication through the Customer’s identity or single sign-on provider, and features that allow the Customer to define permissions for individual users managed by Customer and its authorized users through the Product. Customer is responsible for reviewing the information Kong makes available regarding its data security, including its audit reports, and making an independent determination as to whether the Products meet the Customer’s requirements and legal obligations, including its obligations under Applicable Data Protection Law. Customer is further responsible for properly configuring the Products and using features and functionalities made available by Kong to maintain appropriate security in light of the nature of Customer Content processed through the Products.
11.3 Personal Data Breach Notification. Kong will provide notification of a Personal Data Breach in the following manner:
(a) Kong will, to the extent permitted by applicable law or regulation, notify Customer without undue delay, but in no event later than 72 hours after Kong’s discovery of a Personal Data Breach impacting Customer Content;
(b) Kong will notify Customer of any Personal Data Breach via email to the email address(es) designated by Customer in Customer’s account.
Taking into account the information available to Kong, such notice will include a description of the nature and cause of the Personal Data Breach and the expected resolution time. To the extent possible, Kong will subsequently update the Customer with information regarding evaluation of the root cause, potential impact, remediation actions taken, and actions planned to prevent a future similar event. Kong will provide reasonable assistance to Customer in the event that Customer is required under Applicable Data Protection Law to notify a regulatory authority or any data subjects impacted by a Personal Data Breach.
12. Audits. Customer and Kong acknowledge that Customer must be able to assess Kong’s compliance with its obligations under Applicable Data Protection Law and this Addendum, insofar as Kong is acting as a processor on behalf of Customer.
12.1 Kong’s Audit Program. Kong uses external auditors to assess the adequacy of its security measures with respect to its processing of Customer Content. Such audits are performed at least once annually at Kong’s expense by independent third-party security professionals at Kong’s selection and result in the generation of a confidential audit report (“Audit Report”).
12.2 Customer Audit. Upon Customer’s written request at reasonable intervals, and subject to reasonable confidentiality controls, Kong will make available to Customer a copy of Kong’s most recent Audit Report. Customer agrees that any audit rights granted by Applicable Data Protection Law will be satisfied by these Audit Reports. To the extent that Kong’s provision of an Audit Report does not provide sufficient information or Customer is required to respond to a regulatory authority audit, Customer agrees to a mutually agreed-upon audit plan with Kong that: (a) ensures the use of an independent third party; (b) provides written notice to Kong in a timely fashion; (c) requests access only during business hours; (d) accepts billing to Customer at Kong’s then-current rates; (e) occurs no more than once annually; (f) restricts its findings to only data relevant to Customer; and (g) obligates Customer, to the extent permitted by law or regulation, to keep confidential any information gathered that, by its nature, should be confidential.
V. International Provisions
13. Jurisdiction Specific Terms. To the extent Kong processes personal data originating from and protected by Applicable Data Protection Law in one of the jurisdictions listed in Schedule 4 (Jurisdiction Specific Terms) of this Addendum, the terms specified in Schedule 4 with respect to the applicable jurisdiction(s) apply in addition to the terms of this Addendum.
14. Cross-Border Data Transfer Mechanisms. To the extent Customer’s use of the Products requires an onward transfer mechanism to lawfully transfer personal data from a jurisdiction (i.e., the European Economic Area, the United Kingdom, Switzerland, Guernsey, Jersey, or any other jurisdiction listed in Schedule 4 (Jurisdiction Specific Terms) of this Addendum) to Kong located outside of that jurisdiction (“Transfer Mechanism”), the terms set forth in Schedule 3 (Cross Border Transfer Mechanisms) of this Addendum will apply.
VI. Miscellaneous
15. Conflict. In the event of any conflict or inconsistency among the following documents, the order of precedence will be: (1) the applicable terms set forth in Schedule 4 (Jurisdiction Specific Terms) of this Addendum; (2) the terms of this Addendum outside of Schedule 4 (Jurisdiction Specific Terms); and (3) the Agreement. Any claims brought in connection with this Addendum will be subject to the terms and conditions, including, without limitation, the exclusions and limitations set forth in the Agreement.
16. Updates. Kong may update the terms of this Addendum from time to time; provided, however, Kong will provide at least 30 days prior written notice to Customer when an update is required as a result of (a) changes in Applicable Data Protection Law; (b) a merger, acquisition, or other similar transaction; or (c) the release of new products or Products or material changes to any of the existing Products.
________________________________________
Schedule 1
Details of Processing
1. Nature and Purpose of the Processing.
1.1 Customer Content. Kong will process Customer Content as a processor in accordance with Customer’s documented instructions as set forth in the Agreement and Section 5 (Customer Instructions) of this Addendum.
1.2 Account Information. Kong will process Account Information as a controller for the purposes set forth in Section 2.2 (Kong as a Controller of Account Information) of this Addendum.
2. Processing Activities
2.1 Customer Content. The processing activities may include collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, destruction or other operations.
2.2 Account Information. The processing activities may include collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, destruction or other operations.
3. Retention Period. The period for which personal data will be retained and the criteria used to determine that period are as follows:
3.1 Customer Content. Until the earliest of (i) expiry/termination of the Agreement, or (ii) the date upon which processing is no longer necessary for the purposes of either party performing its obligations under the Agreement (to the extent applicable).
3.2 Account Information. Kong will process Account Information as long as required (a) to provide the Products to Customer; (b) for Kong’s legitimate business needs; or (c) by applicable law or regulation. Account Information will be stored in accordance with the Kong Privacy Notice.
4. Categories of Data Subjects
4.1 Customer Content. Natural persons that access or use Customer’s domains, networks, websites, APIs, and applications.
4.2 Account Information. Customer’s employees and individuals authorized by Customer to access Customer’s Kong account or receive technical support, Customer’s accounts payable personnel, technical liaisons, and other Customer employees and individuals authorized by Customer who may interact with Kong in the ordinary course of business for purposes of the parties’ business relationship.
5. Categories of Personal Data. Kong processes personal data contained in Account Information and Customer Content. The extent of any personal data processed in Customer Content is determined and controlled by the Customer in its sole discretion.
6. Sensitive Data or Special Categories of Data. Customer, its end users, administrators, and/or other partners may upload or transfer Customer Content which may include special categories of data, the extent of which is determined and controlled by the Customer in its sole discretion. Such special categories of data include, but may not be limited to, information revealing racial or ethnic origins, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of data concerning an individual’s health or sex life. Any special categories of data will be protected by applying the security measures described in Schedule 2.
________________________________________
Schedule 2
Technical and Organizational Security Measures
See the attached Annex B.
Where applicable, this Schedule 2 will serve as Annex II to the EU Standard Contractual Clauses.
________________________________________
Schedule 3
Cross Border Data Transfer Mechanisms
1. Definitions
● “EEA” means the European Economic Area.
● “EU Standard Contractual Clauses” means the Standard Contractual Clauses approved by the European Commission in decision 2021/914.
● “UK International Data Transfer Agreement” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner, Version B1.0, in force 21 March 2022.
2. Cross Border Data Transfer Mechanisms
2.1 Order of Precedence. In the event the Products are covered by more than one Transfer Mechanism, the transfer of personal data will be subject to a single Transfer Mechanism in accordance with the following order of precedence: (a) the EU Standard Contractual Clauses as set forth in Section 2.2 (EU Standard Contractual Clauses) of this Schedule 3; (b) the UK International Data Transfer Agreement as set forth in Section 2.3 (UK International Data Transfer Agreement) of this Schedule 3; and, if neither (a) nor (b) is applicable, then (c) other applicable data Transfer Mechanisms permitted under Applicable Data Protection Law.
2.4 EU Standard Contractual Clauses. The EU Standard Contractual Clauses will apply to personal data that is transferred via the Products from the EEA, Switzerland, Guernsey, or Jersey, either directly or via onward transfer, to any country or recipient outside the EEA, Switzerland, Guernsey, or Jersey that is not recognized by the relevant competent authority as providing an adequate level of protection for personal data. For data transfers that are subject to the EU Standard Contractual Clauses, the EU Standard Contractual Clauses will be deemed entered into, and incorporated into this Addendum by this reference, and completed as follows:
(a) Module One (Controller to Controller) of the EU Standard Contractual Clauses will apply where Kong is processing Account Information;
(b) Module Two (Controller to Processor) of the EU Standard Contractual Clauses will apply where Customer is a controller of Customer Content and Kong is processing Customer Content;
(c) Module Three (Processor to Processor) of the EU Standard Contractual Clauses will apply where Customer is a processor of Customer Content and Kong is processing Customer Content;
(d) For each Module, where applicable:
(i) in Clause 7 of the EU Standard Contractual Clauses, the optional docking clause will apply;
(ii) in Clause 9 of the EU Standard Contractual Clauses, Option 2 will apply and the time period for prior written notice of sub-processor changes will be as set forth in Section 7.2 (Current Sub-processors and Notification of Sub-processor Changes) of this Addendum;
(iii) in Clause 11 of the EU Standard Contractual Clauses, the optional language will not apply;
(iv) in Clause 17 (Option 1), the EU Standard Contractual Clauses will be governed by German law;
(v) in Clause 18(b) of the EU Standard Contractual Clauses, disputes will be resolved before the courts of Munich, Germany;
(vi) in Annex I, Part A of the EU Standard Contractual Clauses:
Data Exporter: Customer
Contact details: The email addresses designated by Customer in Customer’s account via its notification preferences, or designated in the Agreement.
Data Exporter Role: The Data Exporter’s role is set forth in Section 2 (Relationship) of this Addendum.
Signature and Date: By entering into the Agreement, Data Exporter is deemed to have signed these EU Standard Contractual Clauses incorporated herein, including their Annexes, as of the effective date of the Agreement.
Data Importer: Kong Inc.
Contact details: Kong Privacy Team – legal-privacy@konghq.com
Data Importer Role: The Data Importer’s role is set forth in Section 2 (Relationship) of this Addendum.
Signature and Date: By entering into the Agreement, Data Importer is deemed to have signed these EU Standard Contractual Clauses, incorporated herein, including their Annexes, as of the effective date of the Agreement;
(vii) in Annex I, Part B of the EU Standard Contractual Clauses:
The categories of data subjects are set forth in Section 4 of Schedule 1 (Details of Processing) of this Addendum.
The frequency of the transfer is a continuous basis for the duration of the Agreement.
The nature of the processing is set forth in Section 1 of Schedule 1 (Details of Processing) of this Addendum.
The purpose of the processing is set forth in Section 1 of Schedule 1 (Details of Processing) of this Addendum.
The period for which the personal data will be retained is set forth in Section 3 of Schedule 1 (Details of Processing) of this Addendum.
For transfers to sub-processors, the subject matter, nature, and duration of the processing is set forth at Annex A.
(viii) in Annex I, Part C of the EU Standard Contractual Clauses: The Bavarian Data Protection Authority (Bayerischer Landesbeauftragter für den Datenschutz) will be the competent supervisory authority; and
(ix) Schedule 2 (Technical and Organizational Security Measures) of this Addendum serves as Annex II of the EU Standard Contractual Clauses.
2.5 UK International Data Transfer Agreement. Customer and Kong agree that the UK International Data Transfer Agreement will apply to personal data that is transferred via the Products from the United Kingdom, either directly or via onward transfer, to any country or recipient outside of the United Kingdom that is not recognized by the competent United Kingdom regulatory authority or governmental body for the United Kingdom as providing an adequate level of protection for personal data. For data transfers from the United Kingdom that are subject to the UK International Data Transfer Agreement, the UK International Data Transfer Agreement will be deemed entered into, and incorporated into this Addendum by this reference, and completed as follows:
(a) In Table 1 of the UK International Data Transfer Agreement, Customer's and Kong's details and key contact information are set forth in Section 2.3 (e)(vi) of this Schedule 3;
(b) In Table 2 of the UK International Data Transfer Agreement, information about the version of the Approved EU SCCs, modules, and selected clauses, which the UK International Data Transfer Agreement is appended to, are set forth in Section 2.4 (EU Standard Contractual Clauses) of this Schedule 3;
(c) In Table 3 of the UK International Data Transfer Agreement:
(i) The list of Parties is set forth in Section 2.4(e)(vi) of this Schedule 3.
(ii) The description of the transfer is set forth in Section 1 (Nature and Purpose of the Processing) of Schedule 1 (Details of the Processing).
(iii) Annex II is located in Schedule 2 (Technical and Organizational Security Measures) of this Addendum.
(iv) The list of sub-processors is available at Annex A; and
(d) In Table 4 of the UK International Data Transfer Agreement, both the Importer and the exporter may end the UK International Data Transfer Agreement in accordance with the terms of the UK International Data Transfer Agreement.
2.6 Conflict. To the extent there is any conflict or inconsistency between the EU Standard Contractual Clauses or UK International Data Transfer Agreement and any other terms in this Addendum, including Schedule 4 (Jurisdiction Specific Terms), or the Agreement, the provisions of the EU Standard Contractual Clauses or UK International Data Transfer Agreement, as applicable, will prevail.
________________________________________
Schedule 4
Jurisdiction Specific Terms
1. Australia:
1.1 The definition of “Applicable Data Protection Law” includes the Australian Privacy Principles and the Australian Privacy Act (1988).
1.2 The definition of “personal data” includes “Personal Information” as defined under Applicable Data Protection Law.
1.3 The definition of “Sensitive Data” includes “Sensitive Information” as defined under Applicable Data Protection Law.
2. Canada:
2.1 The definition of “Applicable Data Protection Law” includes the Federal Personal Information Protection and Electronic Documents Act.
2.2 Kong’s sub-processors, as set forth in Section 7 (Sub-processors) of this Addendum, are third parties under Applicable Data Protection Law, with whom Kong has entered into a written contract that includes terms substantially similar to this Addendum. Kong has conducted appropriate due diligence on its sub-processors.
2.3 Kong will implement technical and organizational measures as set forth in Section 11 (Security) of this Addendum.
3. European Economic Area (EEA):
3.1 The definition of “Applicable Data Protection Law” includes the General Data Protection Regulation (EU 2016/679) (“GDPR”).
3.2 When Kong engages a sub-processor under Section 7.1 (Authorization for Onward Sub-processing) of this Addendum, it will:
(a) require any appointed sub-processor to protect the Customer Content to the standard required by Applicable Data Protection Law, such as including the same data protection obligations referred to in Article 28(3) of the GDPR, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the GDPR, and
(b) require any appointed sub-processor to (i) agree in writing to only process personal data in a country that the European Union has declared to have an “adequate” level of protection or (ii) only process personal data on terms equivalent to the EU Standard Contractual Clauses or pursuant to a Binding Corporate Rules approval granted by competent European Union data protection authorities.
3.3 Notwithstanding anything to the contrary in this Addendum or in the Agreement (including, without limitation, either party’s indemnification obligations), neither party will be responsible for any GDPR fines issued or levied under Article 83 of the GDPR against the other party by a regulatory authority or governmental body in connection with such other party’s violation of the GDPR.
4. Mexico:
4.1 The definition of “Applicable Data Protection Law” includes the Federal Law for the Protection of Personal Data Held by Private Parties and its Regulations.
4.2 When acting as a processor, Kong will:
(a) treat personal data in accordance with Customer’s instructions set forth in Section 5 (Customer Instructions) of this Addendum;
(b) process personal data only to the extent necessary to provide the Products;
(c) implement security measures in accordance with Applicable Data Protection Law and Section 11 (Security) of this Addendum;
(d) keep confidentiality regarding the personal data processed in accordance with the Agreement;
(e) delete all personal data upon termination of the Agreement in accordance with Section 10 (Return or Deletion of Customer Content) of this Addendum; and
(f) only transfer personal data to sub-processors in accordance with Section 7 (Sub-processors) of this Addendum.
5. Singapore:
5.1 The definition of “Applicable Data Protection Law” includes the Personal Data Protection Act 2012 (“PDPA”).
5.2 Kong will process personal data to a standard of protection in accordance with the PDPA by implementing adequate technical and organizational measures as set forth in Section 11 (Security) of this Addendum and complying with the terms of the Agreement.
6. Switzerland:
6.1 The definition of “Applicable Data Protection Law” includes the Swiss Federal Act on Data Protection, as revised (“FADP”).
6.2 When Kong engages a sub-processor under Section 7.1 (Authorization for Onward Sub-processing) of this Addendum, it will:
(a) require any appointed sub-processor to protect the Customer Content to the standard required by Applicable Data Protection Law, such as including the same data protection obligations referred to in Article 28(3) of the GDPR, in particular, providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the GDPR, and
(b) require any appointed sub-processor to (i) agree in writing to only process personal data in a country that Switzerland has declared to have an “adequate” level of protection or (ii) only process personal data on terms equivalent to the EU Standard Contractual Clauses or pursuant to a Binding Corporate Rules approval granted by competent European Union data protection authorities.
6.3 To the extent that personal data transfers from Switzerland are subject to the EU Standard Contractual Clauses in accordance with Section 2.3 of Schedule 3 (Cross Border Data Transfer Mechanisms), the following amendments will apply to the EU Standard Contractual Clauses:
(a) references to “EU Member State” and “Member State” will be interpreted to include Switzerland, and
(b) insofar as the transfer or onward transfers are subject to the FADP:
(i) references to “Regulation (EU) 2016/679” are to be interpreted as references to the FADP;
(ii) the “competent supervisory authority” in Annex I, Part C will be the Swiss Federal Data Protection and Information Commissioner;
(iii) in Clause 17 (Option 1), the EU Standard Contractual Clauses will be governed by the laws of Switzerland; and
(iv) in Clause 18(b) of the EU Standard Contractual Clauses, disputes will be resolved before the courts of Switzerland.
7. United Kingdom (UK):
7.1 References in this Addendum to “GDPR” will be deemed references to the corresponding laws and regulations of the United Kingdom, including, without limitation, the UK GDPR and Data Protection Act 2018.
7.2 When Kong engages a sub-processor under Section 7.1 (Authorization for Onward Sub-processing) of this Addendum, it will:
(a) require any appointed sub-processor to protect the Customer Content to the standard required by Applicable Data Protection Law, such as including the same data protection obligations referred to in Article 28(3) of the GDPR, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the GDPR, and
(b) require any appointed sub-processor to (i) agree in writing to only process personal data in a country that the United Kingdom has declared to have an “adequate” level of protection or (ii) only process personal data on terms equivalent to the UK International Data Transfer Agreement or pursuant to a Binding Corporate Rules approval granted by competent United Kingdom data protection authorities.
7.3 Notwithstanding anything to the contrary in this Addendum or in the Agreement (including, without limitation, either party’s indemnification obligations), neither party will be responsible for any UK GDPR fines issued or levied under Article 83 of the UK GDPR against the other party by a regulatory authority or governmental body in connection with such other party’s violation of the UK GDPR.
8. United States of America:
8.1 “US State Privacy Laws” mean all state laws relating to the protection and processing of personal data in effect in the United States of America, which may include, without limitation, the California Consumer Privacy Act, as amended by the California Privacy Rights Act (“CCPA”), the Virginia Consumer Data Protection Act, the Colorado Privacy Act, the Connecticut Data Privacy Act, and the Utah Consumer Privacy Act.
8.2 The definition of “Applicable Data Protection Law” includes US State Privacy Laws.
8.3 The following terms apply where Kong processes personal data subject to the CCPA:
(a) The term “personal information”, as used in this Section 8.3, will have the meaning provided in the CCPA;
(b) Kong is a service provider when processing Customer Content. Kong will process any personal information contained in Customer Content only for the business purposes set forth in the Agreement, including the purpose of processing and processing activities set forth in this Addendum (“Purpose”). As a service provider, Kong will not sell or share Customer Content or retain, use, or disclose Customer Content (i) for any purpose other than the Purpose, including retaining, using, or disclosing Customer Content for a commercial purpose other than the Purpose, or as otherwise permitted by the CCPA; or (ii) outside of the direct business relationship between Customer and Kong;
(c) Kong will (i) comply with obligations applicable to it as a service provider under the CCPA and (ii) provide personal information with the same level of privacy protection as is required by the CCPA. Customer is responsible for ensuring that it has complied, and will continue to comply, with the requirements of the CCPA in its use of the Products and its own processing of personal information;
(d) Customer will have the right to take reasonable and appropriate steps to help ensure that Kong uses personal information in a manner consistent with Customer’s obligations under the CCPA;
(e) Kong will notify Customer if it makes a determination that it can no longer meet its obligations as a service provider under the CCPA;
(f) Upon notice, Customer will have the right to take reasonable and appropriate steps in accordance with the Agreement to stop and remediate unauthorized use of personal information;
(g) Kong will provide reasonable additional and timely assistance to assist Customer in complying with its obligations with respect to consumer requests as set forth in the Agreement;
(h) For any sub-processor used by Kong to process personal information subject to the CCPA, Kong will ensure that Kong’s agreement with such sub-processor complies with the CCPA, including, without limitation, the contractual requirements for service providers and contractors;
(i) Kong will not combine Customer Content that it receives from, or on behalf of, Customer, with personal information that it receives from, or on behalf of, another person or persons, or collects from its own interaction with the consumer, unless such combination is required to perform any business purpose as permitted by the CCPA, including any regulations thereto, or by regulations adopted by the California Privacy Protection Agency; and
(j) Kong certifies that it understands and will comply with its obligations under the CCPA.
8.4 Kong acknowledges and confirms that it does not receive Customer Content as consideration for any Products provided to Customer.
________________________________________
Annex A
Kong Sub-Processors
Product: Kong Konnect Dedicated Cloud Gateways
Third Party Sub-processors

Kong Affiliates
Kong may engage one or more of our Affiliates to provide support and perform other service functions:

Annex B
Technical and Organizational Security Measures
See https://konghq.com/compliance/technical-and-organizational-security-measures