This Data Processing Addendum (“DPA”), including its Attachments and Appendices, forms part of the subscription agreement, Algolia’s Terms of Service available at https://algolia.com/policies/terms or other written or electronic agreement (the “Agreement”), including any written or electronic service orders, purchase orders or other order forms (each a “Service Order”) entered into between Algolia and Subscriber, pursuant to which Algolia provides the “Services” as defined in the Agreement.
For the purposes of this DPA, the Algolia entity entering into this DPA as the data processor shall depend on the location of the Subscriber. For Subscribers in Europe, the Algolia contracting entity to this DPA is Algolia SAS. For Subscribers outside of Europe, the Algolia contracting entity to this DPA is Algolia, Inc.
Subscriber enters into this DPA on behalf of itself and in the name and on behalf of its Covered Affiliates if and to the extent the Algolia Group processes personal data for which such Covered Affiliates qualify as the controller. For the purposes of this DPA only, and except where indicated otherwise, the term "Subscriber" shall include Subscriber and its Covered Affiliates.
- Definitions
- Capitalized terms used but not defined in this DPA shall have the meaning given to them in the Agreement or applicable Data Protection Laws.
“Affiliates” of a party is any entity (a) that the party Controls; (b) that the party is Controlled by; or (c) with which the party is under common Control, where “Control” means direct or indirect control of fifty percent (50%) or more of an entity’s voting interests (including by ownership).
“Algolia” means either (i) Algolia, Inc., a company incorporated in Delaware, with mailing address at 3790 El Camino Real, Unit #518, Palo Alto, CA 94306, if Subscriber is domiciled in a country located outside of Europe; or (ii) Algolia SAS, a French société par actions simplifiées, with offices at 55 Rue d’Amsterdam, 75008 Paris, France, if Subscriber is domiciled in a country in Europe.
“Algolia Group” means Algolia and its Affiliates engaged in the processing of Subscriber Personal Data in connection with the subscribed Services.
“CCPA” means the California Consumer Privacy Act of 2018, Cal. Civ. Code 1798.100 et seq., as amended by the California Privacy Rights Act of 2020 and its implementing regulations.
“Covered Affiliate” means any of Subscriber's Affiliate(s) which (a) is subject to the Data Protection Laws; and (b) is permitted to use the Services pursuant to the Agreement between Subscriber and Algolia, but has not signed its own Service Order with Algolia and is not a "Subscriber" as defined under the Agreement.
“Data Incidents” means a breach of Algolia’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Subscriber Data transmitted, stored or otherwise processed by Algolia. “Data Incidents” will not include unsuccessful attempts or activities that do not compromise the security of Subscriber Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.
"Data Protection Laws" means all data protection and privacy laws and regulations applicable to Subscriber Personal Data processed by Algolia under the Agreement, including European Data Protection Laws, U.S. Data Protection Laws, the Brazilian General Protection Law no. 13,709/2018 (“LGPD”), and the Australian Privacy Act 1988 (Cth).
“EEA” means the European Economic Area.
“European Data Protection Laws” means: (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation) (the "EU GDPR"); (ii) the EU GDPR as saved into United Kingdom law by virtue of section 3 of the United Kingdom's European Union (Withdrawal) Act 2018 (the "UK GDPR"); (iii) the EU e-Privacy Directive (Directive 2002/58/EC); (iv) the Swiss Federal Act on Data Protection and its implementing regulations (“Swiss FADP”), and (v) any and all applicable national data protection laws made under, pursuant to or that apply in conjunction with any of (i) to (iv); in each case as may be amended or superseded from time to time.
"Restricted Transfer" means (i) where the EU GDPR applies, a transfer of personal data from the European Economic Area to a country outside of the European Economic Area which is not subject to an adequacy determination by the European Commission; and (ii) where the UK GDPR applies, a transfer of personal data from the United Kingdom to any other country which is not based on adequacy regulations pursuant to Section 17A of the United Kingdom Data Protection Act 2018.
“Security Documentation” means all documents and information made available by Algolia to demonstrate compliance by Algolia with its obligations under this DPA, including the Security Measures, Additional Security Information and any third-party certifications or audit reports, as applicable.
“Security Measures” means the technical and organizational safeguards adopted by Algolia applicable to the Services subscribed by Subscriber as described and made available at https://www.algolia.com/security/measures or as otherwise made available by Algolia. The Security Measures as of September 27, 2021 are attached to this DPA as Attachment 2.
“Standard Contractual Clauses” means (i) where the EU GDPR applies, the contractual clauses annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council ("EU SCCs"); and (ii) where the UK GDPR applies, the "International Data Transfer Addendum to the EU Commission Standard Contractual Clauses" laid before Parliament on 28 January 2022 by the Information Commissioner under s.119A(1) of the UK Data Protection Act 2018 ("UK Addendum").
“Sub-processor” means any third-party engaged by Algolia, including any member of the Algolia Group which processes Subscriber Data in order to provide parts of the Services as listed on https://www.algolia.com/policies/infrastructure-and-sub-processors/. Where (i) Subscriber is domiciled in a country located outside Europe, Algolia, Inc. acts as the data processor and other Affiliates of the Algolia Group act as Sub-processors, and where (ii) Subscriber is domiciled in a country inside Europe, Algolia SAS acts as the data processor and other Affiliates of the Algolia Group act as Sub-processors.
“Subscriber” means the subscriber entity party to the Agreement and Affiliates entering into a separate service order with Algolia.
“Subscriber Data” has the meaning given to it in the Agreement or, if no such meaning is given, means data submitted by or on behalf of Subscriber to the Services under the Subscriber’s Algolia account for Services.
“Subscriber Personal Data” means the personal data or personal information contained within Subscriber Data.
“Term” means the period from the start of the Agreement until the end of Algolia’s provision of the Services, including, if applicable, any period during which provision of the Services may be suspended and any post-termination period during which Algolia may continue providing the Services for transitional purposes.
“U.S. Data Protection Laws” means all federal and state laws in effect in the United States of America that are applicable to the processing of personal data under this DPA, including, but not limited to, the CCPA, the Virginia Consumer Data Protection Act, the Colorado Privacy Act, the Connecticut Data Privacy Act, and the Utah Consumer Privacy Act.
- The terms “personal data”, “personal information”, “data subject”, “processing”, “controller”, “processor”, “sell”, “share”, and “supervisory authority” as used in this DPA have the meanings given in the Data Protection Laws, and the terms “data importer” and “data exporter” have the meanings given in the Standard Contractual Clauses, irrespective of whether other Data Protection Laws apply.
- Personal Data Processing Terms
- The parties agree that if the Data Protection Laws apply to the processing of Subscriber Personal Data, the parties acknowledge and agree that:
- With respect to Subscriber Personal Data that the Algolia Group processes on behalf of Subscriber, Subscriber is the controller (or, where Subscriber is instructing Algolia on behalf of a third party controller, a processor on behalf of that controller) and Algolia is either (i) the “processor” or, for purposes of U.S. Data Protection Laws, the “service provider”, or (ii) where Subscriber is a processor on behalf of a third party controller, a “sub-processor” to Subscriber.
- Algolia may engage Sub-processors pursuant to Section 7 (Sub-processors).
- The subject-matter of the data processing covered by this DPA is the provision of the Services and the processing will be carried out for the duration of the Agreement or so long as Algolia is providing the Services. Attachment 1 of this DPA sets out the nature and purpose of the processing, the types of Subscriber Personal Data Algolia processes and the categories of data subjects whose Personal Data is processed.
- Each party will comply with the obligations applicable to it under the Data Protection Laws, including with respect to the processing of Subscriber Personal Data.
- If Subscriber is a processor itself, Subscriber warrants to Algolia that Subscriber’s instructions and actions with respect to the Subscriber Personal Data, including its appointment of Algolia as a sub-processor, have been authorized by the relevant controller.
- For the avoidance of doubt, Subscriber’s instructions to Algolia for the processing of Subscriber Personal Data shall comply with all applicable laws, including the Data Protection Laws. As between Algolia and Subscriber, Subscriber shall be responsible for the Subscriber Data and the means by which Subscriber acquired Subscriber Data, and shall maintain such authorizations and all other approvals, consents and registrations as are required to carry out lawful personal data processing activities under Data Protection Laws.
- For the purposes of this DPA, the following is deemed an instruction by Subscriber to process Subscriber Personal Data (a) to provide the Services; (b) as further specified via Subscriber’s use of the Services (including the Services’ user interface dashboard and other functionality of the Services); (c) as documented in the Agreement (including this DPA and any Service Order that requires processing of Subscriber Personal Data); and (d) as further documented in any other written instructions given by Subscriber (which may be specific instructions or instructions of a general nature as set out in this DPA, the Agreement or as otherwise notified by Subscriber to Algolia from time to time), where such instructions are consistent with the terms of the Agreement.
- When Algolia processes Subscriber Personal Data in the course of providing the Services, Algolia will:
- Process the Subscriber Personal Data only in accordance with (a) the Agreement and (b) Subscriber’s instructions as described in Section 2.1.7, unless Algolia is required to process Subscriber Personal Data for any other purpose by UK, European Union or member state law to which Algolia is subject. Algolia shall inform Subscriber of this requirement before processing unless prohibited by applicable laws on important grounds of public interest.
- Notify Subscriber without undue delay if, in Algolia's opinion, an instruction for the processing of Subscriber Personal Data given by Subscriber infringes applicable Data Protection Laws.
- The parties acknowledge and agree that:
- The parties will comply with all applicable laws with respect to the processing of Subscriber Personal Data.
- Algolia is authorized to create anonymized and aggregated information based on the Subscriber Personal Data (“Anonymized Data”) and such information will not include any Personal Data (as defined in Data Protection Laws). The Anonymized Data may be used for (i) improvement and development of Algolia current and future Services and (ii) identification of industry trends.
- Data Security
- Security Measures
- Algolia will implement and maintain appropriate technical and organizational measures designed to protect or secure (i) Subscriber Data, including Subscriber Personal Data, against unauthorized or unlawful processing and against accidental or unlawful loss, destruction or alteration or damage, unauthorized disclosure of, or access to, Subscriber Data, and (ii) the confidentiality and integrity of Subscriber Data, as set forth in the Security Measures. Algolia may update or modify the Security Measures from time to time provided that such updates and modifications will not materially decrease the overall security of the Services. The most up to date Security Measures will be made available at https://www.algolia.com/security/measures.
- In addition to the Security Measures, Algolia will, from time to time, make additional security guidelines available that provide Subscriber with information about, in Algolia’s opinion, best practices for securing, accessing and using Subscriber Data including best practices for password and credentials protection (“Additional Security Information”).
- Algolia will take reasonable steps to ensure the reliability and competence of Algolia personnel engaged in the processing of Subscriber Personal Data.
- Algolia will take appropriate steps to ensure that all Algolia personnel engaged in the processing of Subscriber Personal Data (i) comply with the Security Measures to the extent applicable to their scope of performance, (ii) are informed of the confidential nature of the Subscriber Personal Data, (iii) have received appropriate training on their responsibilities, and (iv) have executed written confidentiality agreements. Algolia shall ensure that such confidentiality obligations survive the termination of the personnel engagement.
- Data Incidents
- If Algolia becomes aware of a Data Incident, Algolia will: (a) notify Subscriber of the Data Incident without undue delay after becoming aware of the Data Incident; and (b) promptly take reasonable steps to minimize harm and secure Subscriber Data.
- Notifications made pursuant to this section will describe, to the extent possible, details of the Data Incident, including steps taken to mitigate the potential risks and, as applicable, steps Algolia recommends Subscriber to take to address the Data Incident.
- Notification(s) of any Data Incident(s) will be delivered to Subscriber in accordance with the “Manner of Giving Notices” Section of the Agreement or, at Algolia’s discretion, by direct communication (for example, by phone call or an in-person meeting). Subscriber is solely responsible for ensuring that any contact information, including notification email address, provided to Algolia is current and valid.
- Algolia will not assess the contents of Subscriber Data in order to identify information subject to any specific legal requirements. Subscriber is solely responsible for complying with incident notification laws applicable to Subscriber and fulfilling any third-party notification obligations related to any Data Incident(s).
- Algolia’s notification of or response to a Data Incident under this Section 3.2 (Data Incidents) will not be construed as an acknowledgement by Algolia of any fault or liability with respect to the Data Incident.
- Subscriber’s Security Responsibilities and Assessment of Algolia
- Subscriber agrees that, without prejudice to Algolia’s obligations under Section 3.1 (Security Measures) and Section 3.2 (Data Incidents):
- Subscriber is solely responsible for its use of the Services, including: (i) making appropriate use of the Services and any Additional Security Information to ensure a level of security appropriate to the risk in respect of the Subscriber Data; (ii) securing the account authentication credentials, systems and devices Subscriber uses to access the Services; and (iii) backing up the Subscriber Data; and
- Algolia has no obligation to protect Subscriber Data that Subscriber elects to store or transfer outside of Algolia’s and its Sub-processors’ systems (for example, offline or on-premises storage).
- Subscriber is solely responsible for reviewing the Security Measures and evaluating for itself whether the Services, the Security Measures, the Additional Security Information and Algolia’s commitments under this Section 3 (Data Security) will meet Subscriber’s needs, including with respect to any security obligations of Subscriber under the Data Protection Laws. Subscriber acknowledges and agrees that the Security Measures implemented and maintained by Algolia as set out in Section 3.1 (Security Measures) provide a level of security appropriate to the risk in respect of the Subscriber Data.
- Subscriber’s Assessment of Algolia Compliance; Audit Rights
- Subscriber acknowledges that Algolia is regularly audited by independent third-party security and privacy auditors as described at https://www.algolia.com/distributed-secure/security-compliance/. Subscriber may verify Algolia’s compliance with its obligations under this DPA by reviewing the Security Documentation made available online or upon request (on a confidential basis). Upon Subscriber’s reasonable request and once per calendar year, Algolia shall provide Subscriber written responses to Subscriber’s questions related to the processing of its Subscriber Personal Data.
- Only to the extent Subscriber cannot reasonably demonstrate Algolia’s compliance with its obligations under this DPA through the exercise of its rights under Section 3.4.1 above, and no more than once per calendar year, Subscriber may contact Algolia in accordance with the “Manner of Giving Notices” Section of the Agreement to request an on-site audit of the procedures relevant to the protection of Subscriber Data. Subscriber shall reimburse Algolia for any time expended for any such on-site audit. Before the commencement of any such on-site audit, Subscriber and Algolia shall mutually agree upon the scope, timing, and duration of the audit, that reasonably does not interfere with normal business operations, in addition to the reimbursement rate for which Subscriber shall be responsible. All reimbursement rates shall be reasonable, taking into account the resources expended by Algolia. Subscriber shall promptly notify Algolia with information regarding any non-compliance discovered during the course of an audit.
- Subscriber may conduct such on-site audit (a) itself, (b) through an Affiliate that is not a competitor of Algolia or (c) through an independent, third-party auditor that is not a competitor of Algolia.
- Return or Deletion of Subscriber Data
- Algolia will enable Subscriber, during the Term, to delete Subscriber Data in a manner consistent with the functionality of the Services. If Subscriber uses the Services to delete any Subscriber Data during the Term, this use will constitute an instruction to Algolia to delete the relevant Subscriber Data from Algolia’s systems in accordance with applicable law. Algolia will comply with this instruction as soon as reasonably practicable within a maximum of 90 days, unless UK, European Union or member state law requires storage.
- Upon expiry of the Term, subject to the terms of the Agreement, Algolia shall securely delete Subscriber Data, to the extent allowed by applicable law, in accordance with the timeframes specified in Section 4.3 and, upon Subscriber’s written request, return Subscriber Personal Data (to the extent such data has not been deleted by Subscriber from the Services).
- Algolia will, after a recovery period of up to 30 days following expiry of the Term, comply with this instruction as soon as reasonably practicable and within a maximum period of 90 days, unless UK, European Union or member state law requires storage. Without prejudice to Section 5 (Data Subject Rights; Data Export), Subscriber acknowledges and agrees that Subscriber will be responsible for exporting, before the Term expires, any Subscriber Data it wishes to retain afterwards.
- Data Subject Rights; Data Export
- For the duration of the period Algolia provides the Services:
- Algolia will, in a manner consistent with the functionality of the Services, enable Subscriber to access, rectify and restrict processing of Subscriber Data, including via the deletion functionality provided by Algolia as described in Section 4 (Return or Deletion of Subscriber Data), and to export Subscriber Data;
- Algolia will, without undue delay, notify Subscriber, to the extent legally permitted, if Algolia receives a request from a data subject to exercise their rights in relation to Subscriber Personal Data under Data Protection Laws, including the data subject's right of access, right to rectification, restriction of processing, erasure, data portability, objection to the processing, or its right not to be subject to an automated individual decision making (“Data Subject Request”); and
- If Algolia receives any request from a data subject in relation to Subscriber Personal Data, Algolia may advise the data subject to submit his or her request to Subscriber. Subscriber will be responsible for responding to any such request including, where necessary, by using the functionality of the Services.
- Taking into account the nature of the processing, Algolia will assist Subscriber by appropriate technical and organizational measures, insofar as it is possible, for the fulfillment of Subscriber’s obligation to respond to a Data Subject Request under Data Protection Laws. In addition, to the extent Subscriber, in its use of the Services, does not have the ability to address a Data Subject Request, Algolia shall, upon Subscriber’s written request, provide Subscriber with reasonable cooperation and assistance to facilitate Subscriber’s response to such Data Subject Request, to the extent Algolia is legally permitted to do so and the response to such Data Subject Request is required under Data Protection Laws. To the extent legally permitted, Subscriber shall be responsible for any costs arising from Algolia’s provision of such assistance.
- Data Protection Impact Assessment
Upon Subscriber's written request, Algolia will provide Subscriber with reasonable cooperation and assistance needed to fulfill Subscriber's obligation under the Data Protection Laws to carry out a data protection impact assessment related to Subscriber's use of the Services, to the extent Subscriber does not otherwise have access to the relevant information, and to the extent such information is available to Algolia. Algolia will provide reasonable assistance to Subscriber in the cooperation or prior consultation with the applicable data protection authority in the performance of its tasks relating to this Section 6 (Data Protection Impact Assessment) to the extent required under Data Protection Laws.
- Sub-processors
- Subscriber authorizes the engagement of Algolia’s Affiliates as Sub-processors. In addition, Subscriber acknowledges and agrees that Algolia and Algolia’s Affiliates respectively may engage third-party Sub-processors in connection with the provision of the Services. Algolia or an Algolia Affiliate has entered into a written agreement with each Sub-processor containing data protection obligations not less protective than those in this Agreement with respect to the protection of Subscriber Data to the extent applicable to the nature of the services provided by such Sub-processor.
- Algolia will make available to Subscriber the current list of Sub-processors for the Services at https://algolia.com/subprocessors (“Infrastructure and Sub-processor List”). Algolia shall provide notification of a new Sub-processor(s) before authorizing any new Sub-processor(s) to process Subscriber Personal Data in connection with the provision of the Services either by sending an email or via the user interface dashboard of the Services.
- Subscriber may object to Algolia’s use of a new Sub-processor by notifying Algolia promptly in writing within ten (10) business days after receipt of Algolia’s notice. In the event Subscriber objects to a new Sub-processor, as permitted in the preceding sentence, Algolia will use reasonable efforts to make available to Subscriber a change in the Services or recommend a commercially reasonable change to Subscriber’s configuration or use of the Services to avoid processing of Subscriber Personal Data by the objected-to new Sub-processor without unreasonably burdening the Subscriber. If Algolia is unable to make available such change within a reasonable period of time, which shall not exceed thirty (30) days, Subscriber may terminate the applicable Service Order(s) with respect to only those Services which cannot be provided by Algolia without the use of the objected-to new Sub-processor by providing written notice to Algolia. Algolia will refund Subscriber any prepaid but unused fees covering the remainder of the term of such Service Order following the effective date of termination with respect to such terminated Services, without imposing a penalty for such termination on Subscriber.
- Algolia shall be liable for the acts and omissions of its Sub-processors to the same extent Algolia would be liable if performing the services of each Sub-processor directly under the terms of this DPA subject to the limitations set forth in Section 10 (Limitation of Liability) and the Agreement.
- Covered Affiliates
- The parties acknowledge and agree that, by executing the Agreement, the Subscriber enters into the DPA on behalf of itself and, as applicable, in the name and on behalf of its Covered Affiliates, thereby establishing a separate DPA between Algolia and each such Covered Affiliate subject to the provisions of the Agreement, this Section 8 (Covered Affiliates) and Section 10 (Limitation of Liability). Each Covered Affiliate agrees to be bound by the obligations under this DPA and, to the extent applicable, the Agreement. For the avoidance of doubt, a Covered Affiliate is not and does not become a party to the Agreement, and is only a party to the DPA. All access to and use of the Services by Covered Affiliates must comply with the terms and conditions of the Agreement and any violation of the terms and conditions of the Agreement by a Covered Affiliate shall be deemed a violation by Subscriber.
- Subscriber that is the contracting party to the Agreement shall remain responsible for coordinating all communication with Algolia under this DPA and be entitled to make and receive any communication in relation to this DPA on behalf of its Covered Affiliates.
- Where a Covered Affiliate becomes a party to the DPA with Algolia, it shall, to the extent required under applicable Data Protection Laws, be entitled to exercise the rights and seek remedies under this DPA, subject to the following:
- Except where applicable Data Protection Laws require the Covered Affiliate to exercise a right or seek any remedy under this DPA against Algolia directly by itself, the parties agree that (a) solely Subscriber that is the contracting party to the Agreement shall exercise any such right or seek any such remedy on behalf of the Covered Affiliate, and (b) Subscriber that is the contracting party to the Agreement shall exercise any such rights under this DPA not separately for each Covered Affiliate individually but in a combined manner for all of its Covered Affiliates together (as set forth, for example, in Section 8.3.2 below).
- The parties agree that Subscriber that is the contracting party to the Agreement shall, when carrying out an on-site audit of the procedures relevant to the protection of Subscriber Personal Data, take all reasonable measures to limit any impact on Algolia and its Sub-processors by combining, to the extent reasonably possible, several audit requests carried out on behalf of different Covered Affiliates in one single audit.
- Restricted Transfers
- The parties agree that when the transfer of Subscriber Personal Data from Subscriber to Algolia is a Restricted Transfer, it shall be subject to the appropriate Standard Contractual Clauses, as follows:
- In relation to Subscriber Personal Data that is protected by the EU GDPR, the EU SCCs will apply as follows:
- Module Two will apply to the extent that Subscriber is a controller of the Subscriber Personal Data, and Module Three will apply to the extent that Subscriber is a processor of the Subscriber Personal Data on behalf of a third party controller;
- In Clause 7, the optional docking clause will apply;
- In Clause 9, Option 2 will apply, and the time period for prior notice of Sub-processor changes shall be as set out in Clause 7 of this DPA;
- In Clause 11, the optional language will not apply;
- In Clause 17, Option 1 will apply, and the EU SCCs will be governed by French law;
- In Clause 18(b), disputes shall be resolved before the courts of France;
- Annex I of the EU SCCs shall be deemed completed with (as to Part A) information set out in the Agreement with Subscriber as controller (or processor) and Algolia as processor (or sub-processor), (as to Part B) with the information set out in Attachment 1 to this DPA and (as to Part C) with the supervisory authority set out in Attachment 1 to this DPA;
- Annex II of the EU SCCs shall be deemed completed with the information set out in Attachment 2 to this DPA;
- In relation to Subscriber Personal Data that is protected by the UK GDPR, the UK Addendum will apply completed as follows:
- The EU SCCs, completed as set out above in clause 9.1.1 of this DPA shall also apply to transfers of such Subscriber Personal Data, subject to sub-clause 9.1.2.2 below;
- Tables 1 to 3 of the UK Addendum shall be deemed completed with relevant information from the EU SCCs, completed as set out above, and the options "neither party" shall be deemed checked in Table 4. The start date of the UK Addendum (as set out in Table 4) shall be the start date of the Agreement.
- If any provision of this DPA contradicts, directly or indirectly, the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.
- With respect to onward transfers, Algolia shall not participate in (nor permit any Sub-processor to participate in) any other Restricted Transfers of Subscriber Personal Data (whether as an exporter or an importer of the Subscriber Personal Data) unless the Restricted Transfer is made in full compliance with applicable Data Protection Laws and pursuant to Standard Contractual Clauses implemented between the relevant exporter and importer of the Subscriber Personal Data.
- Limitation of Liability
Each party’s and all of its Affiliates’ liability, taken together in the aggregate, arising out of or related to this DPA (including the Standard Contractual Clauses, if the Standard Contractual Clauses have been entered into in accordance with the Agreement or a DPA), and all other DPAs between Covered Affiliates and Algolia, as applicable, whether in contract, tort or under any other theory of liability, is subject to the “Limitation of Liability” section of the Agreement, and any reference in such section to the liability of a party means the aggregate liability of that party and all of its Affiliates under the Agreement and all DPAs together and shall not be understood to apply individually and severally to Subscriber and/or any Covered Affiliate.
- Additional CCPA Terms
Without limiting the foregoing, to the extent Subscriber Personal Data contains personal information protected under the CCPA:
- Algolia may not (i) sell Subscriber Personal Data or otherwise make Subscriber Personal Data available to any third party for monetary or other valuable consideration; (ii) share Subscriber Personal Data with any third party for cross-context behavioral advertising; (iii) except as otherwise permitted by the CCPA, retain, use, or disclose Subscriber Personal Data for any purpose other than for the business purposes specified in the Agreement or outside of the direct business relationship between the parties; and (iv) except as otherwise permitted by the CCPA, combine Subscriber Personal Data with personal data that Algolia receives from or on behalf of another person or persons, or collects from its own interaction with the data subject.
- Algolia shall provide the same level of privacy protection as required of “businesses” by the CCPA (as such term “business” is defined by the CCPA) and will notify Subscriber promptly after making the relevant determination if it determines that it can no longer meet its obligations under the CCPA.
- Subscriber will have the right to take reasonable and appropriate steps to (i) ensure that Algolia uses Subscriber Personal Data in a manner consistent with Subscriber’s obligations under the CCPA in accordance with Section 3.4 hereof; and (ii) upon reasonable notice, stop and remediate unauthorized processing of Subscriber Personal Data by taking measures recommended by Algolia to minimize harm and secure Subscriber Personal Data or as set forth in Sections 4 and 5 of this DPA.
- Effect of this DPA
Notwithstanding anything to the contrary in the Agreement, to the extent of any conflict or inconsistency between this DPA and the remaining terms of the Agreement, this DPA will govern.
- Updates
Algolia may modify the DPA from time to time. Any and all changes to the DPA will be posted at http://algolia.com/policies/data-processing-addendum and the DPA will indicate the date it was last updated. Material changes will become effective thirty (30) days after posting, and an adversely affected Subscriber may terminate the Agreement without penalty upon notice to Algolia within ten (10) days of the effective date of the revised DPA containing the material changes applicable to Subscriber. Subscriber is deemed to accept and agree to be bound by any changes to the DPA when Subscriber uses the Service after the effective date of those changes. Notwithstanding the foregoing, in the event that the parties enter into, or have entered into, a separate formal written data processing agreement, the terms of that agreement shall control over the terms of the DPA unless the parties expressly agree to supersede such agreement with this DPA.
ATTACHMENT 1 TO THE DATA PROCESSING ADDENDUM
DESCRIPTION OF PROCESSING ACTIVITIES
Categories of data subjects whose personal data is transferred:
Data subjects include the individuals about whom personal data is submitted to Algolia via the Services by (or at the direction of) Subscriber or by Subscriber’s end users, the extent of which is determined and controlled by the Subscriber in its sole discretion, and which may include but is not limited to personal data relating to the following categories of data subjects:
- Service Administrators
  - Employees or contractors of Subscriber, Subscriber’s Affiliates, customers, business partners and vendors having access to the Algolia dashboard (who are natural persons)
  - Agents, advisors, freelancers of Subscriber having access to the Algolia dashboard (who are natural persons)
- Subscriber’s End Users
  - Subscriber’s users interacting with the Services (who are natural persons) (“End Users”)
Categories of personal data transferred:
Personal data relating to individuals provided to Algolia via the Services, by (or at the direction of) Subscriber or by Subscriber’s end users, the extent of which is determined and controlled by Subscriber in its sole discretion, and which may include but is not limited to personal data relating to the following categories of data:
- Service Administrator’s Data
  - First, Middle and Last Name (current and former)
  - Title or position
  - Personal and Business Contact Information (company, email, physical address, phone number)
  - Network connection data
  - IP address
  - Location of request (as indicated in IP address)
- End User Data
  - Identifier (IP address and userToken)
  - Search and analytics (e.g. Search query, search aggregate)
  - Events
  - Network connection data
  - Location of request (as indicated in IP address)
  - Search logs (for debugging purposes)
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions, keeping a record of access to the data, restrictions for onward transfers or additional security measures:
Subscriber may submit special categories of data to the Service as a part of its Subscriber Data, the extent of which is determined and controlled by Subscriber in its sole discretion, and which, for the sake of clarity, means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic data, biometric data, and the processing of data concerning health or sex life. Security measures are set out in Attachment 2.
The frequency of the transfer:
Continuous.
Nature of the processing:
Providing site services on a SaaS model, accessible through API, and creation of Anonymized Data.
Purpose(s) of the data transfer and further processing:
The provision of Algolia Services to the Subscriber, the performance of Algolia's obligations under the Agreement, or as otherwise agreed by the parties, including as set forth in this DPA.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period:
Until 90 days after termination and expiry of the Agreement. Personal Data is purged from Algolia’s systems on a rolling 90-day period, starting the day after termination, with the latest collected data being purged on day 90.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing:
Where Algolia engages Processors (or sub-Processors) it will do so in compliance with the terms of any applicable Standard Contractual Clauses. The subject matter, nature and duration of the Processing activities carried out by the Processor (or sub-Processor) will not exceed the subject matter, nature and duration of the Processing activities as described in this Attachment. The list of approved sub-Processors is available at https://www.algolia.com/policies/infrastructure-and-sub-processors.
SUPERVISORY AUTHORITY
Supervisory Authority:
The supervisory authority of France shall act as competent supervisory authority.
ATTACHMENT 2 TO THE DATA PROCESSING ADDENDUM
SECURITY MEASURES
Algolia implements and maintains Security Measures that meet or exceed the security objectives required for a SOC 2 audit. Algolia may update or modify the Security Measures from time to time provided that such updates and modifications do not result in the degradation of the overall security of the Services. Capitalized terms used herein but not otherwise defined have the meaning given to them in the DPA.
Information Security Program
- Data Center and Network Security
  - Data Centers
    - Infrastructure. Algolia maintains geographically distributed data centers and stores all production data in physically secure data centers.
    - Redundancy. Algolia’s infrastructure has been designed to eliminate single points of failure and minimize the impact of anticipated environmental risks. This design allows Algolia to perform maintenance and improvements of the infrastructure with minimal impact on the production systems. All environmental equipment and facilities have documented preventative maintenance procedures that detail the process for and frequency of performance in accordance with the manufacturer’s or internal specifications.
    - Power. All data centers are equipped with redundant power systems with various mechanisms to provide backup power: uninterruptible power supply (UPS) batteries for short-term blackouts, over-voltage, under-voltage or other power instabilities, and diesel generators for outages lasting more than a few minutes, which allow the data centers to operate for days.
    - Server Operating System. Algolia uses a Linux-based operating system for the application environment with a centrally managed configuration. Algolia has established a policy to keep systems up to date with necessary security updates.
    - Business Continuity. Algolia replicates data across multiple systems to help protect against accidental destruction or loss. Algolia has designed, and regularly plans and tests, its business continuity planning and disaster recovery programs.
  - Network and Transmission
    - Data Transmission. Algolia uses industry standard encryption schemes and protocols to encrypt data transmissions between the data centers. This is intended to prevent reading, copying or modification of the data.
    - Intrusion Detection. Algolia employs an intrusion detection system to provide insights into ongoing attack activities and to help remediate the attack faster.
    - Incident Response. Algolia’s security and operations personnel will promptly react to discovered security incidents and inform the involved parties.
    - Encryption Technologies. Algolia’s servers support HTTPS encryption, ephemeral elliptic curve Diffie-Hellman key exchange signed with RSA and ECDSA and, for supported clients, perfect forward secrecy (PFS) methods to help protect traffic against a compromised key or a cryptographic breakthrough. Algolia uses only industry standard encryption technologies.
- Access and Site Controls
  - Site Controls
    - Data Center Security Operations. All data centers in use by Algolia maintain 24/7 on-site security operations responsible for all the aspects of physical data center security.
    - Data Center Access Procedures. Access to the data center follows Algolia’s Physical Security policy, allowing only pre-approved authorized personnel to access the Algolia equipment.
    - Data Center Security. All data centers comply with or exceed the security requirements of SOC 2. All data centers are equipped with CCTV, on-site security personnel and a key card access system.
  - Access Control
    - Access Control and Privilege Management. Subscriber’s administrators must authenticate themselves via a central authentication system or via a single sign-on system in order to administer the Services.
    - Internal Data Access Processes and Policies – Access Policy. Algolia’s internal data access processes and policies are designed to prevent unauthorized persons or systems from getting access to systems used to process personal data. These processes are audited by an independent auditor. Algolia employs a centralized access management system to control access to production systems and servers, and only provides access to a limited number of authorized personnel. SSO, LDAP and SSH certificates are used to provide secure access mechanisms. Algolia requires the use of unique IDs, strong passwords and two-factor authentication. Granting of access is guided by an internal policy. Access to the system is logged to provide an audit trail for accountability.
- Data
  - Data Storage, Isolation and Logging. Algolia stores data in a combination of dedicated and multi-tenant environments on Algolia-controlled servers. The data is replicated on multiple redundant systems. Algolia also logically isolates the Subscriber’s data. Subscriber may enable data sharing, should the Services functionality allow it. Subscriber may choose to make use of certain logging capability that Algolia may make available via the Services.
  - Decommissioned Disks and Disk Erase Policy. Disks used in servers might experience hardware failures, performance issues or errors that lead to their decommission. All decommissioned disks are securely erased if intended for reuse, or securely destroyed due to malfunction.
- Personnel Security
Algolia personnel are required to conduct themselves in a manner consistent with the company’s guidelines regarding confidentiality, business ethics, appropriate usage, and professional standards. Algolia conducts appropriate background checks to the extent allowed by applicable law and regulations. Personnel are required to execute a confidentiality agreement and must acknowledge receipt of, and compliance with, Algolia’s confidentiality, privacy and acceptable use policies. All personnel are provided with security training upon employment and then regularly afterwards. Algolia’s personnel will not process Subscriber Data without authorization.
- Sub-processor Security
Algolia conducts audits of the security and privacy practices of Sub-processors prior to onboarding the Sub-processors in order to ensure an adequate level of security and privacy for the data and scope of services they are engaged to provide. Once the Sub-processor audit is performed and the associated risk is evaluated, the Sub-processor enters into appropriate privacy, confidentiality and security contract terms.
Security Certifications and Reports
- Service Organization Control (SOC) Reports: Currently, Algolia’s information security control environment applicable to the Services undergoes an independent evaluation in the form of SOC 2 and SOC 3 audits. To demonstrate compliance with the Security Measures, Algolia will make available for review by Subscriber Algolia’s most recent (i) SOC 2 Report and (ii) SOC 3 Report as described below.
  - “SOC 2 Report” means a confidential Service Organization Control (SOC) 2 report on Algolia’s systems examining logical security controls, physical security controls, and system availability, as produced by Algolia’s independent third-party auditor in relation to the Services.
  - “SOC 3 Report” means a Service Organization Control (SOC) 3 report, as produced by Algolia’s independent third-party auditor in relation to the Services.
  - Algolia will either update the SOC 2 Report and SOC 3 Report at least once every 18 months or pursue comparable audits or certifications to evaluate and help ensure the continued effectiveness of the Security Measures.
- ISO27001 and ISO27017 certification: In March 2020, Algolia received its ISO27001 and ISO27017 certifications. ISO27001 belongs to the information security management system family of standards and provides best practice recommendations on information security management, including a framework of policies and procedures covering all legal, physical and technical controls involved in an organization’s information management process. ISO27017 is a security standard developed particularly for cloud service providers and users to make cloud-based environments safer and reduce the risk of security issues.
- TRUSTe certification: Algolia has been awarded the TRUSTe Certified Seal, signifying that Algolia’s website Privacy Statement and privacy practices related to the Services have been reviewed by TRUSTe for compliance with TRUSTe’s Certification Standards.
ATTACHMENT 3 TO THE DATA PROCESSING ADDENDUM
ADDENDUM FOR SUBSCRIBERS LOCATED IN THE EEA, UK, OR SWITZERLAND
Notwithstanding anything to the contrary set forth in the DPA, Subscriber’s End User Data, as described in Attachment 1 to the DPA, will not be sent outside of the EEA, Switzerland, or the United Kingdom, provided that Subscriber meets the following requirements and/or obligations: (i) Subscriber keeps its services located in the EEA, Switzerland, or the United Kingdom, as applicable; (ii) End Users do not access the Algolia Insights Services from outside of the EEA, Switzerland, or the United Kingdom, as applicable (e.g. Automated Personalization); and (iii) Subscriber or Subscriber’s End Users do not violate the Agreement, including the Acceptable Use Policy, or use the Services in a way that triggers a security incident resulting in the activation of Algolia’s security review procedures. In such case, the IP address of the End User may be sent to a security watchlist in a country that offers an adequate level of data protection and retained for 12 months for security incident handling. Notwithstanding anything to the contrary set forth herein, EEA/Switzerland/UK based End User Data processed for the analytics features is hosted by default in the EEA/Switzerland/UK.