Data Processing Addendum

Effective Starting September 27, 2021

This Data Processing Addendum (“DPA”) forms part of, and is subject to, the Terms of Service, currently located at https://www.pagerduty.com/terms-of-service/ made between PagerDuty, Inc. (“PagerDuty”) and Customer (the term “Customer” means the company that You represent) for the provision of the PagerDuty Services (the “Agreement”). This DPA reflects the parties’ agreement with respect to the Processing of Customer’s Personal Data in accordance with the requirements of the Data Privacy Laws and Regulations. To the extent the terms and conditions of this DPA are inconsistent with the Terms of Service or applicable Order Form, this DPA shall control as it relates to the Processing of Customer Personal Data. References to the Agreement will be construed as including this DPA. This DPA shall be effective on the effective date of the Agreement or if the Agreement was effective prior to the publishing of this version of the DPA then the Effective Starting date published above for this DPA (provided that Customer has an Agreement in place already) (“Effective Date”). Any capitalized terms not defined herein shall have the respective meanings given to them in the Agreement.

How this DPA Applies

If Customer is not a party to an Order Form nor the Agreement, this DPA is not valid and not legally binding.

Data Processing Terms

1. Definitions

   The terms used in this Addendum shall have the meanings set forth below. Except as modified below, the terms of the Agreement shall remain in full force and effect.

   For the purposes of this DPA:

   1. ‘Customer Personal Data’ means any Customer data that is Personal Data. For purposes of this DPA, Customer Personal Data does not include personal information of employees or other representatives of Customer with whom PagerDuty has a direct business relationship.
   2. ‘Data Privacy Laws’ means all applicable laws, regulations, and other legal or self-regulatory requirements in any jurisdiction relating to privacy, data protection, data security, breach notification, or the Processing of Personal Data, including without limitation, to the extent applicable, the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq. (“CCPA”), the General Data Protection Regulation, Regulation (EU) 2016/679 (“GDPR”), equivalent requirements in the United Kingdom including the UK Data Protection Regulation and the Data Protection Act 2018 (“UK Data Protection Law”), and the Swiss Federal Act on Data Protection (“FADP”). For the avoidance of doubt, if PagerDuty’s Processing activities involving Personal Data are not within the scope of a given Data Privacy Law, such law is not applicable for purposes of this DPA.
   3. ‘Data Subject’ means an identified or identifiable natural person about whom Personal Data relates.
   4. ‘Personal Data’ includes “personal data,” “personal information,” “personally identifiable information,” and similar terms, and such terms shall have the same meaning as defined by applicable Data Privacy Laws.
   5. ‘Process’ or ‘Processing’ means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or communication, restriction, erasure or destruction.
   6.  ‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. 
   7. “Security Breach” means any accidental or unlawful acquisition, destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
   8. “Standard Contractual Clauses” (or “SCCs”) refers to one or both of the following, as the context requires:

      a) For Personal Data for which Customer is subject to UK Data Protection Law, the “2010 Standard Contractual Clauses,” defined as the clauses issued pursuant to EU Commission Decision of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council, available at http://data.europa.eu/eli/dec/2010/87/2016-12-17; and

      b) For Personal Data subject for which Customer is subject to the GDPR, the “2021 Standard Contractual Clauses,” defined as the clauses issued pursuant to the EU Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, available at http://data.europa.eu/eli/dec_impl/2021/914/oj.

2. Scope and Purposes of Processing
   2. PagerDuty will Process Customer Personal Data solely: (1) to fulfill its obligations to Customer under the Agreement, including this Addendum; (2) on Customer’s behalf; and (3) in compliance with Data Privacy Laws. If a Data Privacy Law to which PagerDuty is subject requires PagerDuty to Process Customer Personal Data in a manner that conflicts with the terms of the Agreement or this Addendum, PagerDuty will inform Customer of that legal requirement before Processing, unless that law prohibits Customer from providing such information on important grounds of public interest within the meaning of Data Privacy Laws.
   3. Without limiting the foregoing, Customer directs PagerDuty, and PagerDuty agrees, to Process Customer Personal Data solely in accordance with Customer’s written instructions, as may be provided by Customer to PagerDuty from time to time.
   4. PagerDuty will not:

      a) Sell Customer Personal Data or otherwise Process Customer Personal Data for any purpose other than for the specific purposes set forth herein. For the avoidance of doubt, PagerDuty will not Process Customer Personal Data outside of the direct business relationship between Customer and PagerDuty. For purposes of this paragraph, “sell” shall have the meaning set forth in applicable Data Privacy Laws.

      b) Attempt to link, identify, or otherwise create a relationship between Customer Personal Data and non-Personal Data or any other data without the express written authorization of Customer.

3. Personal Data Processing Requirements. PagerDuty will:
   3. Taking into account the nature of the Processing, PagerDuty shall assist Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of Customer’s obligation to respond to a verifiable request by a Data Subject (or their lawful representatives) under applicable Data Privacy Laws (such as rights to access or delete Personal Data). In addition, to the extent Customer, in its use of the Services, does not have the ability to address such verifiable request, PagerDuty shall upon written request of Customer, use commercially reasonable efforts to assist or cause any applicable subprocessor to assist, Customer in the fulfilment of Customer’s obligations to respond to such requests, to the extent PagerDuty or the subprocessor is legally permitted to do so and the response to the verifiable request is required under applicable Data Privacy Laws. To the extent legally permitted, Customer shall be responsible for PagerDuty’s provision of such assistance, including any fees associated with the provision of additional functionality.
   4. Ensure that the persons it authorizes to Process the Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
   5. Promptly notify Customer of (i) any third-party or Data Subject complaints regarding the Processing of Customer Personal Data; (ii) any Data Subject requests for exercising their rights under Data Privacy Laws; or (iii) any government or Data Subject requests for access to or information about PagerDuty’s Processing of Customer Personal Data on Customer’s behalf, unless prohibited by Data Privacy Laws. PagerDuty will provide Customer with reasonable cooperation and assistance in relation to any such request.
   6. Provide reasonable assistance to and cooperation with Customer for Customer’s performance of a data protection impact assessment of Processing or proposed Processing of Customer Personal Data, when required by applicable Data Privacy Laws.
4. Subprocessors
   4. PagerDuty’s Subprocessors. A list of subprocessors for the Services as of the Effective Date is located at https://www.pagerduty.com/subprocessors/. Customer has instructed or authorized the use of subprocessors to assist PagerDuty with respect to the performance of PagerDuty’s obligations under the Agreement. Customer acknowledges and agrees that PagerDuty may engage third-party subprocessors to assist PagerDuty in providing or maintaining the Services provided under the Agreement. PagerDuty shall maintain an updated list of subprocessors and Customer may receive notification of changes to the published list of subprocessors by subscribing to the published RSS feed.
   5. Liability for Subprocessors. PagerDuty shall be liable for the acts and omissions of its subprocessors to the same extent PagerDuty would be liable if performing the services of each subprocessor directly under the terms of this DPA, except as otherwise set forth in the Agreement.
   6. If PagerDuty processes Personal Data of residents in the European Economic Area, the United Kingdom, or Switzerland on Customer’s behalf, in order to exercise its right to object to PagerDuty’s use of a new subprocessor, Customer shall notify PagerDuty promptly in writing within ten (10) business days after PagerDuty’s updated list of subprocessors has been made available. In the event Customer objects to a new subprocessor pursuant to this subprovision, and that objection is not unreasonable, PagerDuty will use reasonable efforts to make available to Customer a change in the Services or recommend a commercially reasonable change to Customer’s configuration or use of the Services to avoid Processing of Personal Data by the objected-to new subprocessor without unreasonably burdening the Customer. If PagerDuty is unable to make available either type of change within a reasonable time period, which shall not exceed thirty (30) days, Customer may terminate the applicable Order Form(s) with respect only to those aspects of the Services which cannot be provided by PagerDuty without the use of the objected-to new subprocessor by providing written notice to PagerDuty.
   7. Copies of Subprocessor Agreements. The parties agree that the copies of the subprocessor agreements that must be sent by PagerDuty to Customer pursuant to the Standard Contractual Clauses (where applicable) may have all commercial information, or clauses unrelated to the Standard Contractual Clauses or their equivalent, removed by PagerDuty beforehand; and, that such copies will be provided by PagerDuty only upon reasonable request by Customer.
5. Security Measures

   PagerDuty will implement appropriate administrative, technical, physical, and organizational measures to protect Customer Personal Data, as set forth in Exhibit B. PagerDuty regularly monitors compliance with these measures. PagerDuty will not materially decrease the overall security of the Services during Customer’s subscription term.

6. Security Breach Management and Notification

   PagerDuty maintains a security incident management procedure and shall, to the extent required under the applicable Data Privacy Law, promptly notify Customer of any actual or reasonably suspected Security Breach, by PagerDuty or its subprocessors of which PagerDuty becomes aware. Customer shall be responsible for notifying Data Subjects affected by a Security Breach unless Customer and PagerDuty make other arrangements. PagerDuty shall make reasonable endeavors to identify and remediate the cause of such Security Breach and to notify Customer no later than seventy-two (72) hours after PagerDuty’s discovery and full remediation unless otherwise required by applicable Data Privacy Law. The notification will include the following information, to the extent known by PagerDuty: (i) the nature of the Security Breach, including, where possible, the categories and approximate number of Data Subjects concerned, and the categories and approximate number of Customer Personal Data records concerned; and (ii) measures taken or proposed to be taken by PagerDuty to address the Security Breach, including, where appropriate, measures to mitigate its possible adverse effects.

7. Deletion of Customer Personal Data

   PagerDuty shall, upon Customer’s request and subject to the limitations described in the Agreement, delete Customer Personal Data in accordance with the procedures and timeframes specified in the Agreement. The parties agree that the certification of deletion of Personal Data that is described in the Standard Contractual Clauses shall be provided by PagerDuty to Customer only upon Customer’s request.

8. Data Transfers
   8. PagerDuty shall ensure that international transfers are in compliance with all applicable Data Privacy Laws. Where PagerDuty engages in an onward transfer of Customer Personal Data, PagerDuty shall ensure that a lawful data transfer mechanism is in place prior to transferring Customer Personal Data from one country to another.
   9. To the extent legally required, Customer and PagerDuty are deemed to have signed the 2021 Standard Contractual Clauses, which form part of this DPA and (except as described in Section 8.2(d) below) will be deemed completed as follows:

   a) Module 2 of the 2021 Standard Contractual Clauses applies to transfers of Customer Personal Data from Customer (as a controller) to PagerDuty (as a processor) and Module 3 of the 2021 Standard Contractual Clauses applies to transfers of Customer Personal Data from Customer (as a processor) to PagerDuty (as a subprocessor);

   b) Clause 7 of Modules 2 and 3 (the optional docking clause) is not included;

   c) Under Clause 9 of Modules 2 and 3 (Use of sub-processors), the parties select Option 2 (General written authorization). The initial list of sub-processors is set forth in Exhibit C of this DPA and PagerDuty shall propose an update to that list at least 10 days in advance of any intended additions or replacements of sub-processors in accordance with Section 4.3 of this DPA;

   d) Under Clause 11 of Modules 2 and 3 (Redress), the optional language requiring that data subjects be permitted to lodge a complaint with an independent dispute resolution body shall not be deemed to be included;

   e) Under Clause 17 of Modules 2 and 3 (Governing law), the parties choose Option 1 (the law of an EU Member State that allows for third-party beneficiary rights). The parties select the law of Ireland;

   f) Under Clause 18 of Modules 2 and 3 (Choice of forum and jurisdiction), the parties select the courts of Ireland;

   g) Annex I(A) and I(B) of Modules 2 and 3 (List of Parties) is completed as set forth in Exhibit A of this DPA;

   h) Under Annex I(C) of Modules 2 and 3 (Competent supervisory authority), the parties shall follow the rules for identifying such authority under Clause 13 and, to the extent legally permissible, select the Irish Data Protection Commission.

   i) Annex II of Modules 2 and 3 (Technical and organizational measures) is completed with Exhibit B of this DPA; and

   j) Annex III of Modules 2 and 3 (List of subprocessors) is intentionally not included.

   10. For Personal Data about individuals located in the United Kingdom, and other Personal Data for which Customer is subject to UK Data Protection Law:

   a) To the extent required under UK Data Protection Law, the signatories to the Agreement are deemed to have signed the 2010 Standard Contractual Clauses (including its Appendices), which collectively form part of this DPA and will be deemed completed as follows:

   b) The “exporter” is the Customer. 

   c) The “importer” is the PagerDuty. 

   d) Where Clause 9 of the 2010 Standard Contractual Clauses requires specification of the law that governs the 2010 Standard Contractual Clauses, the Parties select the law of the United Kingdom.

   e) The “illustrative indemnification clause” labeled “optional” is deemed stricken from the 2010 Standard Contractual Clauses.

   f) Appendices 1 and 2 of the 2010 Standard Contractual Clauses are deemed completed with the information set forth in Exhibits A and B of this DPA, respectively.

   g) If UK Data Protection Law changes to require either a specific method of relying on the 2021 Standard Contractual Clauses (such as an addendum that makes reference to laws, courts, and authorities in that jurisdiction) or use of a different form of Standard Contractual Clauses (or an equivalent agreement), Customer will update this DPA to implement an approach that is valid under the updated UK Data Protection Law for Personal Data that is subject to it.

   11. For transfers of Personal Data that are subject to the FADP, the 2021 Standard Contractual Clauses form part of this DPA as set forth in Section 8.2 of this DPA, but with the following differences to the extent required by the FADP:

   a) References to the GDPR in the 2021 Standard Contractual Clauses are to be understood as references to the FADP insofar as the data transfers are subject exclusively to the FADP and not to the GDPR.

   b) The term “member state” in the 2021 Standard Contractual Clauses shall not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland) in accordance with Clause 18(c) of the 2021 Standard Contractual Clauses. 

   c) References to personal data in the 2021 Standard Contractual Clauses also refer to data about identifiable legal entities until the entry into force of revisions to the FADP that eliminate this broader scope.

   d) Under Annex I(C) of the 2021 Standard Contractual Clauses (Competent supervisory authority):

   8.4.d1 Where the transfer is subject exclusively to the FADP and not the GDPR, the supervisory authority is the Swiss Federal Data Protection and Information Commissioner.

   8.4.d2 Where the transfer is subject to both the FADP and the GDPR, the supervisory authority is the Swiss Federal Data Protection and Information Commissioner insofar as the transfer is governed by the FADP, and the supervisory authority is as set forth in Section 8.2(h) of this DPA insofar as the transfer is governed by the GDPR.

   e) To the extent the SCCs apply, nothing in this DPA or the Agreement shall be construed to prevail over any conflicting clause of the SCCs. Each party acknowledges that it has had the opportunity to review the SCCs.

   12. Changes in Laws. If the transfer of Customer Personal Data under the SCCs or other lawful data transfer mechanism, approved by the relevant data protection authority, ceases to be lawful or the additional safeguards are no longer effective, PagerDuty may, at its discretion: (a) cease transfers of the Customer Personal Data to, or access to such Customer Personal Data from, the relevant jurisdictions; or (b) promptly cooperate with Customer to facilitate use of an alternative lawful data transfer mechanism and alternative additional safeguards that will permit Customer to continue to benefit from the Services in compliance with applicable Data Privacy Laws relating to the protection of Customer Personal Data. If Customer and PagerDuty are unable to promptly implement such an alternative data transfer mechanism or alternative additional safeguards, then Customer may, at its option, upon written notice to PagerDuty suspend the transfer or reduce the scope of the Services to exclude the Customer Personal Data.
9. Audits and Certifications.

   The parties agree that the audits described in the Standard Contractual Clauses shall be carried out in accordance with the following specifications: Upon Customer’s request, and subject to the confidentiality obligations set forth in the Agreement, PagerDuty shall make available to Customer (or Customer’s independent, third-party auditor that is not a competitor of PagerDuty and that has signed a nondisclosure agreement reasonably acceptable to PagerDuty) information regarding PagerDuty’s compliance with the obligations set forth in this DPA, and its Subprocessors (to the extent that they make such information generally available to customers). Following any notice by PagerDuty to Customer of a Security Breach, upon Customer’s reasonable belief that PagerDuty is in breach of its obligations in respect of protection of Personal Data under this DPA, or if such audit is required by Customer’s Supervisory Authority, Customer may contact PagerDuty in accordance with the notice procedure described in the Agreement to request an on-site audit of PagerDuty’s procedures relevant to the protection of Personal Data, but only to the extent required under applicable Data Privacy Laws. Any such request shall occur no more than once annually. Customer shall reimburse PagerDuty for any time expended for any such on-site audit at PagerDuty’s then-current professional services rates, which shall be made available to Customer upon request. Before the commencement of any such on-site audit, Customer and PagerDuty shall mutually agree upon the scope, timing, and duration of the audit in addition to the reimbursement rate for which Customer shall be responsible. All reimbursement rates shall be reasonable, taking into account the resources expended by PagerDuty. Customer shall promptly notify PagerDuty with information regarding any non-compliance discovered during the course of an audit, and PagerDuty shall use commercially reasonable efforts to address any confirmed non-compliance.

10. Limitation of Liability.

    Notwithstanding anything to the contrary in the Agreement or this DPA, each party’s and all of its affiliates’ liability, taken together in the aggregate, arising out of or related to this DPA, any Order form or the Agreement, whether in contract, tort or under any other theory of liability, shall remain subject to the ‘Limitation of Liability’ section of the Agreement, and any reference in such section to the liability of a party means the aggregate liability of that party and all of its affiliates under the Agreement and this DPA, including all attachments hereto.

11. Order of Precedence.

    This DPA is incorporated into and forms part of the Agreement. For matters not addressed under this DPA, the terms in the Agreement shall apply. With respect to the rights and obligations of the parties with respect to the Processing of Customer Personal Data, the terms of this DPA will control and the parties agree that this DPA shall replace and supersede any existing data processing addendum, attachment,  exhibit, or Standard Contractual Clauses (as applicable) that the parties may have previously entered into regarding the Processing of Customer Personal Data in connection with the PagerDuty Services.

12. Term and Termination; Duration of Processing.

    Notwithstanding expiration or termination of the Agreement, this DPA and the Standard Contractual Clauses (if applicable) will remain in effect until the deletion of all Customer Personal Data as described in this DPA and will automatically expire upon such deletion.