Last updated on May 8, 2021
1.1. "CSA Personal Data" means any Personal Data Processed by PingCAP in connection with the provision of the TiDB Cloud Services or performance of its other obligations set out in the TiDB Cloud Services Agreement (CSA);
1.2. "Data Protection Laws" means, in respect of a party, all data protection and privacy laws applicable to that party in exercising its rights or fulfilling its obligations under this Agreement or the Purchase Agreement, including the General Data Protection Regulation 2016/679 ("GDPR"), and the UK GDPR;
1.3. "European Standard Contractual Clauses" means the Standard Contractual Clauses for Processors as approved by the European Commission in the form as set out in Annex 1.
1.4. "," "," "," "," "," "" and "" shall have the same meaning given to them or correlative terms under applicable Data Protection Laws; and
1.5. Any other terms within this with the initial letter capitalized shall have the same meaning as given to such terms in the CSA unless and to the extent that any such term is expressly defined in this .
PingCAP shall perform the TiDB Cloud Services in accordance with the terms of the CSA. In relation to the Processing of the CSA Personal Data, as more particularly described in Sections 3 to 5 below, the parties acknowledge that, where PingCAP provides the TiDB Cloud Services, you shall be the Controller and PingCAP shall be the Processor.
You shall ensure that you have, and will maintain in place, all consents, registrations and authorizations as may be required to enable PingCAP to process the CSA Personal Data.
4.1. PingCAP will comply with all Data Protection Laws relating to its Processing of any CSA Personal Data.
4.2. PingCAP will only Process the CSA Personal Data:
4.2.1. as required to meet your documented instructions (which shall, unless otherwise agreed, be to Process Personal Data as necessary to provide the TiDB Cloud Services under this CSA); or
4.2.2. as required to comply with any Data Protection Law to which PingCAP is subject, in which case PingCAP shall (to the extent permitted by law) inform you of that legal requirement before Processing the CSA Personal Data.
4.3. PingCAP will inform you if it becomes aware of an instruction from you that, in PingCAP’s reasonable opinion, infringes Data Protection Laws.
4.4. PingCAP will implement appropriate technical and organisational measures in relation to the Processing of CSA Personal Data:
4.4.1. such that the Processing will meet the requirements of Data Protection Laws and ensure the protection of the rights of Data Subjects; and
4.4.2. so as to ensure a level of security in respect to the CSA Personal Data Processed by it appropriate to the risks that are presented by the Processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, CSA Personal Data transmitted, stored or otherwise Processed, having regard to the nature of the CSA Personal Data and the state of technological development and the cost of implementing any measures;
4.5. Without undue delay after becoming aware of a Personal Data Breach affecting the CSA Personal Data, PingCAP will notify you in accordance with the level of detail for you to fulfil any reporting or other requirements imposed on you under Data Protection Laws;
4.6. Where and in so far as it is not possible to provide all of the information set out in as part of the initial notification of the Personal Data Breach, PingCAP will provide this information in phases as soon as the same is reasonably available;
4.7. Without prejudice to its obligations under , PingCAP will provide reasonable assistance, information and cooperation to you in responding to any request from a Data Subject and to ensure compliance with your obligations under Data Protection Laws with respect to:
4.7.1. the security of the Processing;
4.7.2. notification by you of Personal Data Breaches to Supervisory Authorities or Data Subjects;
4.7.3. the carrying out of data protection impact assessments in relation to the Processing of such Personal Data; and
4.7.4. prior consultation with a Supervisory Authority regarding high risk Processing;
4.8. PingCAP will ensure that all of PingCAP’s personnel authorised to Process the CSA Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality, and are suitably trained to ensure compliance with Data Protection Laws;
4.9. At your request, PingCAP will either delete or return the CSA Personal Data to you after the end of the provision of the TiDB Cloud Services or as necessary to comply with a verifiable consumer request in accordance with clause 5.5 of the CSA, save that PingCAP shall be entitled to retain copies of the CSA Personal Data to the extent it is required to do so under applicable law provided it shall promptly:
4.9.1. inform the Recipient, in writing, of what CSA Personal Data is to be retained; and
4.9.2. inform the Recipient of the reason it must be retained under such applicable law, and
4.10. PingCAP will notify you as soon as is reasonably practicable if PingCAP receives any complaint, notice or communication (whether from a Supervisory Authority or Data Subject or otherwise) which relates directly or indirectly to the Processing of CSA Personal Data, or the exercise of any rights of the Data Subject in respect of CSA Personal Data.
5.1. Subject Matter of the Processing
PingCAP has agreed to provide the TiDB Cloud Services under the CSA, possibly involving the Processing of the CSA Personal Data.
Notwithstanding expiry or termination of the CSA, this DPA and European Standard Contractual Clauses (if applicable) will remain in effect until deletion of all CSA Personal Data as described hereinunder.
5.3. Nature and purpose of the Processing
The nature and purpose of the Processing are to provide the TiDB Cloud Services.
5.4. Types of Personal Data Processed
PingCAP will possibly Process the following types of Personal Data determined and controlled by you during the course of the provision of the TiDB Cloud Services:
5.4.1. Identification, biographical and contact data (such as name, birthday, education, address, phone number, email account, and other contact details);
5.4.2. Financial data (such as payment information, transaction information, account details);
5.4.3. Employment data (such as employer, employee, title, office information, responsibility);
5.4.4. Technical data (such as IP address, operational data, geographic location, cookie data, device and browser information); and/or
5.4.5. Special Categories of Personal Data (if applicable): Subject to any applicable restrictions and/or conditions in the CSA, you may include "special categories of personal data" or similarly sensitive personal data (as described or defined in Data Protection Laws) in CSA Personal Data, the extent of which is determined and controlled by you in your sole discretion.
5.5. Categories of Data Subjects
The categories of Data Subjects are determined and controlled by you and may include, but are not limited to:
5.5.1. Your business partners, customers, potential customers (who are natural persons);
5.5.2. Your employees, workers, vendors, independent contractors (who are natural persons); and/or
5.5.3. Employees and/or contact persons of your vendors, independent contractors, business partners, customers and/or potential customers.
You shall provide a general authorization for PingCAP to appoint sub-Processors to assist it with the provision of the Services, provided that PingCAP:
6.1 ensures that the terms on which it appoints such sub-Processors comply with applicable Data Protection Laws and are consistent with the obligations imposed on PingCAP in this ; and
6.2 gives you reasonable prior notice to the email account registered by you in TiDB Cloud by directing you to the updated list of sub-Processors available on PingCAP's website of any intended changes concerning the addition or the replacement of any such sub-Processors. If within ten (10) days of receipt of such notice, you notify PingCAP in writing of any objections (on reasonable grounds associated with data protection considerations) to the proposed appointment, (a) PingCAP shall use reasonable efforts to make available a commercially reasonable change in the provision of the TiDB Cloud Services which avoids the use of that proposed sub-Processor, and (b) where no commercially reasonable change is available, either party may by written notice to the other party with immediate effect terminate the CSA to the extent that it relates to the affected TiDB Cloud Services. In the absence of any written notification from you in relation to the proposed appointment, such appointment would be deemed agreed by you.
For the avoidance of doubt, Section 6.1 constitutes your general consent for PingCAP’s engagement of onward sub-Processors under the European Standard Contractual Clauses.
For any transfer by you of CSA Personal Data from the United Kingdom, Switzerland and/or the European Economic Area (collectively, "Restricted Countries") to PingCAP in a country which does not ensure an adequate level of protection (within the meaning of and to the extent governed by the Data Protection Laws of the Restricted Countries) as required to perform the TiDB Cloud Services, such transfer shall be governed by the European Standard Contractual Clauses. PingCAP agrees to abide by, and Process CSA Personal Data from the Restricted Countries in compliance with the European Standard Contractual Clauses which are incorporated into this DPA in Annex 1, and for these purposes PingCAP shall be the "data importer" and you are the "data exporter" under the European Standard Contractual Clauses (notwithstanding that you may be an entity located outside of the Restricted Countries).
No more than on one (1) occasion in any calendar year, on prior written reasonable notice, PingCAP shall make available to you all necessary information to demonstrate PingCAP’s compliance with its obligations under this DPA, and allow for audits, including inspections, by you (or another auditor mandated by you, provided that such auditor enters into a non-disclosure agreement with PingCAP on terms acceptable to PingCAP) for this purpose, provided that any such audit takes place during normal business hours and does not result in interference with (a) PingCAP’s operations and services, and (b) with the confidentiality or security of the data of PingCAP’s other customers. For the avoidance of doubt, the exercise of audit rights under the European Standard Contractual Clauses shall be as described in this Section 8.
European Standard Contractual Clauses (processors)
If applicable according to Section 7 of this DPA, please click here for the European Standard Contractual Clauses which shall be included in this DPA by reference.