1. Application and Scope.
This data processing addendum (“this DPA”) applies to Personal Data transferred to Cribl through or related to your use of Cribl’s products or services (“Covered Activities”) under Cribl’s Standard Terms of Service or other written agreements between you and Cribl that incorporate this DPA by reference (“Applicable Agreement”).
Covered Activities include without limitation your use of your access to Cribl’s products and services, including without limitation use by persons or organizations that you have authorized to use Cribl’s products or services on your behalf, such as your affiliates or subsidiaries. You may only use Cribl’s products or services on behalf of others to the extent allowed by an Applicable Agreement.
This DPA supplements Applicable Agreements and includes, to the extent provided by this DPA, Schedule 1 – Standard Contract Clauses: Controller to Processor, and Schedule 2 – Standard Contract Clauses: Controller to Controller, each as may be amended under this DPA. In the event of a conflict between this DPA and an Applicable Agreement, the terms and conditions of this DPA shall control unless specifically superseded by the terms and conditions provided in an Applicable Agreement. In the event of a conflict between this DPA and Schedule 1 or Schedule 2, the applicable schedules shall control to the extent necessary to resolve the conflict.
This DPA is intended to comply with the General Data Protection Regulation 2016/679 of the European Parliament and of the Council of April 27, 2016 (“the GDPR”) and other applicable data protection laws (“Data Protection Laws”), but only to the extent they apply. Words and phrases that are capitalized in this DPA shall have the same meanings as provided in the GDPR as of January 1, 2022, unless otherwise defined in this DPA.
2. Roles and Responsibilities.
You are the Controller for all Personal Data that you submit to Cribl or through Covered Activities (“Customer Personal Data”). Cribl is the Processor for Customer Personal Data. This DPA and all Applicable Agreements are your documented processing instructions.
You and Cribl are each independent Controllers for Personal Data that you submit to Cribl related to the creation, administration, or support of your account with Cribl, including the name, username, email address, and phone number of authorized users of Cribl’s products or services and billing contacts (“Account Data”). You are responsible for ensuring Account Data is accurate.
You are responsible for ensuring that you have a sufficient legal basis to send Customer Personal Data and Account Data to Cribl. You are solely responsible for ensuring that no special categories of Personal Data (GDPR Article 9) or Personal Data relating to criminal convictions or offenses (GDPR Article 10) are sent to Cribl.
3. Processing of Personal Data.
Cribl shall Process Customer Personal Data as requested through instructions made through Cribl’s products or services or otherwise to Cribl. In processing Customer Personal Data, Cribl shall comply with this DPA and all applicable Data Protection Laws.
Cribl may use sub-processors listed in Schedule 1 to process Customer Personal Data under this DPA (“Sub-processors”). All Sub-processors shall enter into a written agreement with Cribl related to data protection requirements no less protective of Customer Personal Data than those provided in this DPA.
Cribl may add or replace Sub-processors as it deems appropriate, but in all cases shall remain responsible to you for the provision of products and services as agreed under Applicable Agreements and liable for the acts and omissions of Sub-processors related to Cribl’s performance under this DPA to the same extent that Cribl would be liable if it performed such acts or omissions itself.
Cribl will send you a written notice of new or replacement Sub-processors that will process Customer Personal Data (“Change Notice”) before such Sub-processors Process Customer Personal Data. You may object to any new or replacement Sub-processors on reasonable grounds related to the protection of Customer Personal Data by submitting an email to email@example.com within fourteen days of receiving a Change Notice (“Objection”).
Cribl may resolve your Objection to a new or replacement Sub-processor by Processing Customer Personal Data without using that Sub-processor, not using that Sub-processor for any Processing, correcting any issues or other steps identified in your Objection, or not providing (or you not using) the portions of Cribl’s products or services that would use that Sub-processor by mutual agreement. Cribl may use the new or replacement Sub-processor during the Objection process.
If your Objection is not resolved to your satisfaction or to Cribl’s satisfaction, you or Cribl may terminate the Applicable Agreement. Upon such terminations, you must pay, within thirty days from the date the agreement ended, any unpaid balance owed to Cribl related to your use of Cribl’s products or services less the balance attributable to the unused remainder of the contract term or unused paid usage, as applicable. Cribl will refund prior payments attributable to the unused remainder of the contract term or unused paid usage.
If you do not submit an Objection within fourteen days of receiving a Change Notice, you will be deemed to have authorized Cribl to use the new or replacement Sub-processor and waived your right to object to that Sub-processor.
Cribl shall take reasonable steps to limit access to Customer Personal Data to only those employees, agents, contractors, and Sub-processors who need to have access to Customer Personal Data to fulfill the purposes of this DPA or an Applicable Agreement, or to comply with Applicable Laws.
Cribl shall ensure that all employees, agents, contractors, and Sub-processors who obtain access to Customer Personal Data under this DPA are subject to confidentiality requirements by a contract between Cribl and each such person.
Cribl shall use technical and organizational measures as appropriate to ensure a level of security appropriate to the risks to the rights and freedoms of Data Subjects while considering (1) the state of the art, (2) the costs of implementation, (3) the varying likelihood and severity of risks to the rights and freedoms of natural persons, including risks related to a data breach of Customer Personal Data, and (4) the nature, scope, context, and purposes of Processing (“Security Measures”).
Security Measures include without limitation those provided in Annex 2 of Schedule 1 for Customer Personal Data and those provided in Annex 2 of Schedule 2 for Account Data.
Cribl may make from time to time such changes to Security Measures as Cribl determines necessary or appropriate, including without limitation to comply with Applicable Law. No such changes may reduce the level of protection for Customer Personal Data below what is required by this DPA or an Applicable Agreement.
Cribl will take reasonable steps to ensure compliance with Security Measures by its employees, agents, contractors, and Sub-processors to the extent applicable to their respective roles and responsibilities.
7. Data Subject Rights.
Cribl shall notify you, to the extent allowed by Applicable Law, of any request that it receives from a Data Subject related to Customer Personal Data. You are responsible for responding to requests from Data Subjects. Cribl will not respond to requests it receives except to advise Data Subjects to contact you. Cribl may confirm to a Data Subject that the Data Subject’s request relates to you.
Upon request, Cribl will provide you reasonable assistance to respond to requests to exercise Data Subject rights under Applicable Law to the extent allowed by Applicable Law for requests made in accordance with Applicable Law and to the extent reasonably possible using Cribl’s products and services given the nature of the Customer Personal Data Processed. You shall be responsible for costs related to Cribl’s assistance.
8. Deletion Upon Termination.
Upon the termination of an Applicable Agreement, Cribl will delete data related to the Applicable Agreement, including Customer Personal Data, from Cribl’s products and services to the extent applicable, between thirty and ninety days of the termination of the Applicable Agreement. Notwithstanding the foregoing, Cribl is not obligated to delete data, including Customer Personal Data, to the extent Cribl is required to retain Customer Personal Data by Applicable Law or other applicable legal requirements.
You are responsible for exporting all data, including Customer Personal Data, from Cribl’s products and services within thirty days of the termination of the Applicable Agreement.
9. Data Breaches.
Cribl will notify you within forty-eight hours of becoming aware of a Data Breach involving Customer Personal Data stored or Processed by Cribl or its Sub-processors (“Customer Personal Data Breach”). Customer Data Breaches do not include Data Breaches caused by you, persons or organizations that you have authorized to use Cribl’s products or services on your behalf, or your affiliates or subsidiaries.
Cribl will issue notices of Customer Personal Data Breaches through Cribl’s products or services related to the Data Breach, emailing you using the email address you have provided to Cribl for notices or listed on the signature page of an Applicable Agreement, or using the notice procedures provided in the Applicable Agreement. You are responsible for ensuring Cribl has accurate contact information for such notices.
Cribl will take such actions related to Customer Personal Data Breaches and its Security Measures as it deems necessary and appropriate to identify and address the cause or causes of Customer Personal Data Breaches. Cribl will provide you with reasonable cooperation and assistance related to Customer Personal Data Breaches, reasonable information in Cribl’s possession related to Customer Personal Data Breaches including without limitation, to the extent allowed by Applicable Law, remediation efforts and notifications to appropriate Supervisory Authorities, and, to the extent known, the possible cause or causes of Customer Personal Data Breaches, the possible categories or Data Subjects and types of Customer Personal Data involved in Personal Data Breaches, and possible consequences to Data Subjects.
Cribl’s notification and other actions taken related to Customer Personal Data Breaches are not acknowledgements of fault or liability.
Cribl will not reference you in any public filings, notices, or press releases associated with Customer Personal Data Breaches without your prior consent except to the extent required by Applicable Law.
You will provide Cribl with copies of any proposed notices to a Supervisory Authority, Data Subjects, or the public related to a Customer Personal Data Breach before issuing such notices and, to the extent allowed by Applicable Law, allow Cribl to provide clarifications or corrections to such notices with sufficient time before applicable deadlines.
Cribl will allow you to conduct an audit of Cribl’s policies and procedures as may be required to demonstrate Cribl’s compliance with this DPA and Applicable Law. You must provide at least thirty days’ written notice of such audits and can only conduct one audit during any twelve-month period except as required by a Supervisory Authority or required due to a Customer Personal Data Breach.
All audits shall be conducted in a manner that minimizes disruptions to Cribl’s normal business operations and protects the confidentiality of information obtained through such audits in accordance with Applicable Agreements. You and Cribl shall mutually agree on each audit’s participants, schedule, and scope. Cribl may require persons involved in audits to execute mutually agreeable confidentiality and non-disclosure agreements, and all such persons shall comply with this DPA and Cribl’s security policies and procedures. Audits do not allow you or any third-party auditor to access Cribl’s hosting sites, underlying systems, or infrastructure. You shall reimburse Cribl for time spent by Cribl and its personnel in connection with the audit.
You must provide Cribl with all reports and any identified non-compliance arising from audits conducted under this DPA.
11. Assistance and Impact Assessments.
Cribl will, considering the nature, scope, context, and purposes of the Processing, provide reasonable cooperation and assistance as needed for you to comply with your obligations under Applicable Law, including the requirement for you to assess the impact of Processing on the protection of Customer Personal Data (“Impact Assessment for Personal Customer Data”) and as required related to your cooperation with a Supervisory Authority under Applicable Law.
Cribl will, considering the nature, scope, context, and purposes of the Processing, assess the impact of Processing on the protection of Account Data for which it is a Controller (“Impact Assessment for Account Data”).
12. Data Transfers.
You consent to such cross-border transfers of Customer Personal Data and Account Data to Cribl and Cribl’s products and services as may be required to the United States or other jurisdiction in which Customer Personal Data or Account Data may be processed, including without limitation from the European Union or the European Economic Area to the United States.
You agree that the performance of this DPA and all Applicable Agreements requires the transfer of Customer Personal Data and Account Data outside the Union and the European Economic Area, including without limitation transfers from you to Cribl and from Cribl to a Sub-processor.
Schedule 1 and Schedule 2 apply only when Customer Personal Data and Account Data are transferred outside of the EU or the EEA to any country not recognized by the European Commission as having an adequate level of protection under Applicable Law. Schedule 1 relates to data transfers from Controllers to Processors and Schedule 2 relates to data transfers from Controllers to Controllers.
The use of the Standard Contract Clauses in Schedule 1 and Schedule 2, including Cribl’s Security Measures, provides appropriate safeguards to protect Customer Personal Data and Account Data transferred under this DPA and Applicable Agreements. The Standard Contract Clauses in Schedule 1 and Schedule 2 have been adopted by the European Commission under Applicable Law.