Percona Customer Agreement (09-28-2018)
This Agreement is made effective as of the date countersigned by Percona (the “Effective Date”) set forth on the signature page below between the entity or other person identified as the “Customer” below and Percona LLC, a Delaware limited liability company (“Percona”).
1. Services. Customer may request services from Percona in accord with the procedures established by Percona. Customer will make its facilities and equipment available to Percona, including via remote internet access, when necessary.
2. Relationship. The parties are independent contractors. Nothing in this Agreement should be construed to create a partnership, agency, joint venture, or employer-employee relationship between Customer and Percona or its staff. Percona is not the agent of Customer or vice versa; neither party is authorized to make commitments on behalf of the other. Percona may use its own employees and contractors, and employees and contractors of its subsidiary companies (“Percona Staff”), when providing Services.
3. Licenses. Customer acknowledges that Percona provides services solely with respect to open source software. Unless otherwise expressly provided in an applicable SOW: (a) any bug fixes, modifications, developments or other software code delivered or made available on behalf of Customer for any open source product or project is subject to the same terms and conditions as the underlying open source product or project; (b) any third party software code or other third party works delivered or made available to Customer in connection with this Agreement are subject to the terms and conditions of the applicable third party license; (c) any non-open source Percona product delivered or made available to Customer in connection with this Agreement is licensed to Customer subject to the terms and conditions of the applicable SOW; and (d) in the extraordinary instance that Percona develops custom software exclusively at the direction of Customer, and not subject to any other license above, Percona irrevocably assigns to Customer ownership of its copyright in such custom software product if requested by Customer and agreed in writing by Percona. This Agreement shall not be deemed to replace or otherwise amend any Customer rights or obligations which may exist pursuant to any applicable open source license, including (without limitation) the GNU General Public License or Lesser Public License. Percona and its vendors reserve any and all rights not expressly granted in this Agreement, an applicable third-party license or an applicable SOW.
4. Non-Solicitation. Neither party shall, during the term and for one (1) year after termination, solicit for hire any of the other party's employees or contractors. But nothing shall prevent either party from hiring a respondent to a general solicitation not personally directed to him or her.
5. Endorsements. Customer may not claim that Percona or any Percona Staff have endorsed any Customer product or service without prior written permission.
6. Authority. Customer represents and warrants Customer has the full right to enter into this Agreement without the consent of any third party, and that performance of this Agreement will not conflict with any other obligations. Customer shall provide advance written notice to Percona if any software with respect to which it has engaged Percona is subject to a license other than a FOSS (Free or Open Source Software) License such as a GPL, LGPL or BSD license. Customer shall defend, indemnify and hold Percona and all its subsidiaries and their respective officers and directors harmless from any third-party claims and any related costs and expenses that arise in connection with use of any non-FOSS license including (without limitation) intellectual property infringement claims.
7. Confidentiality and Data Protection “Confidential Information” is any information disclosed by a Disclosing Party to a Receiving Party and clearly marked as confidential or identified in writing to Receiving Party as confidential. Receiving Party shall: (a) not use or reproduce Confidential Information except as required to accomplish the purpose discussed or as required by judicial or other governmental order; and (b) disclose Confidential Information only to staff with a need to know or access to Percona’s web-based systems and tools, and who have also signed a non-disclosure agreement with Percona or a Percona subsidiary. Customer acknowledges that Percona Staff are from multiple nations of citizenship and residence. This Agreement is non-exclusive; either party may independently develop or acquire products or services without use of the other party’s Confidential Information, and either party may currently, or in the future, develop information internally, or receive information from other parties, that is similar to Confidential Information, and/or work with a competitor of the other party, provided that it maintains the confidentiality of Confidential Information. Confidential Information remains the property of Disclosing Party and shall be returned or destroyed upon written request. Copies of Confidential Information deleted from Receiving Party’s systems may remain in a backup file until such system is overwritten. This Section shall survive for one (1) year after termination of the Agreement. This Agreement incorporates by reference the terms and conditions of the Customer Data Protection Addendum attached hereto as Addendum 1.
8. Liability. Except with respect to Section 6, neither party nor its affiliates and/or subsidiaries will be liable for special, incidental, indirect, exemplary or consequential damages or lost profits arising out of or in connection with this Agreement (however arising, including negligence, and damages resulting from impaired or lost data, software or computer failure or any other cause), even if it has been advised of the possibility of such damages. To the extent permitted by applicable law and notwithstanding any other provision of this Agreement, except in the event of a breach of Section 6, in no event will either party be liable to the other party in an amount greater than the amounts paid or payable by Customer to Percona hereunder during the most recent twelve-month period. This limitation of each party’s liability is cumulative, with all payments for claims or damages in connection with this Agreement being aggregated to determine satisfaction of the limit. The existence of one or more claims will not enlarge the limit. The parties agree that the remedies and limitations herein allocate the risks between the parties as authorized by applicable laws. The fees herein reflect, and are set in reliance upon, this allocation of risk and the exclusion of consequential and other damages set forth in this Agreement. Customer agrees that this section represents a reasonable allocation of risk and that Percona would not proceed in the absence of such allocation.
9. Warranties Percona will use its good faith, commercially reasonable efforts to perform the Services in a timely, professional and workmanlike manner. EXCEPT AS EXPRESSLY SET FORTH IN THIS SECTION 11, TO THE EXTENT PERMITTED BY APPLICABLE LAW, NEITHER PERCONA NOR ANY OF ITS VENDORS OR AFFILIATES MAKES ANY WARRANTIES WHATSOEVER IN CONNECTION WITH THE SERVICES OR ANY WORK PRODUCT PROVIDED UNDER OR IN CONNECTION WITH THIS AGREEMENT OR ANY SOW, AND PERCONA, ITS VENDORS AND AFFILIATES EXPRESSLY DISCLAIM, AND CUSTOMER EXPRESSLY WAIVES, ALL WARRANTIES, WHETHER EXPRESS OR IMPLIED, INCLUDING (WITHOUT LIMITATION) WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT, SYSTEM INTEGRATION, AND ACCURACY OF INFORMATIONAL CONTENT. WITHOUT LIMITING THE GENERALITY OF THE FOREGOING, PERCONA DOES NOT WARRANT RESULTS OR WARRANT THAT ANY SERVICES OR WORK PRODUCT WILL BE FREE FROM ERRORS, DEFECTS, OR BUGS.
10. Successors and Assigns. Either party may assign this Agreement to the successor-in-interest of a merger, acquisition or sale of substantially all of the party’s assets, provided the assigning party provides written notice thereof to the other party within 30 days after the effective date of the assignment; otherwise, this Agreement may not be assigned without the other party's consent, and any such attempted assignment shall be void and of no effect. Subject to the foregoing, the terms and conditions of this Agreement shall bind, inure to the benefit of, and be enforceable by the respective successors and any permitted assigns of the parties. There are no intended third-party beneficiaries of this Agreement.
11. Governing Law. This Agreement shall be governed in all respects (without regard to any conflict of laws provisions) by the laws of the United States of America and the State of Delaware as such laws are applied to agreements entered into and to be performed entirely within the State of Delaware between Delaware residents.
12. Arbitration. Any claim, whether based on contract, tort or other legal theory arising out of or relating to this Agreement, including interpretation, performance, breach or termination, shall be exclusively and finally resolved by arbitration conducted in the English language by a single arbitrator. If Customer is organized in North or South America, arbitration shall be conducted in Wilmington, Delaware, USA in accordance with the Commercial Arbitration Rules of the American Arbitration Association. If Customer is organized elsewhere, arbitration shall be conducted in London, United Kingdom in accordance with the Rules of Arbitration of the International Chamber of Commerce. The arbitrator shall be bound by the provisions of this Agreement, base the decision on applicable law and judicial precedent, include in such decision the findings of fact and conclusions of law upon which the decision is based, and not grant any remedy or relief that a court could not grant under applicable law. The arbitrator's decision shall be final and binding, and not subject to appeal. Notwithstanding the foregoing, either party may enforce any judgment rendered by the arbitrator in any court of competent jurisdiction. In addition, the arbitrator shall have the right to issue equitable relief, including (without limitation) preliminary injunctive relief.
13. Force Majeure. Percona will not be liable to Customer by reason of any failure in performance of this Agreement if the failure arises out of general failure of internet communications, acts of God, acts of the Customer, acts of governmental authority, fires, strikes, delays in transportation, riots, terrorism or war, or any causes beyond the reasonable control of Percona.
14. Severability. If any part of this Agreement is held by a court of competent jurisdiction to be illegal or unenforceable, the validity or enforceability of the remainder of this Agreement shall not be affected and such provision shall be deemed modified to the minimum extent necessary to make such provision consistent with applicable law and, in its modified form, such provision shall then be enforceable and enforced. Termination is not an exclusive remedy and all other remedies will be available whether or not termination occurs.
15. Waiver. The waiver by either party of a breach of any provision of this Agreement by the other shall not operate or be construed as a waiver of any other or subsequent or preceding breach. No waiver by either party of any right under this Agreement shall be construed as a waiver of any other right.
16. Entire Agreement. This Agreement constitutes the entire agreement between the parties relating to this subject matter and supersedes all prior or contemporaneous agreements concerning such subject matter. The terms of this Agreement will govern all Services undertaken by Percona for Customer; any terms contained in documents provided by Customer that are inconsistent with this Agreement are invalid. No modification of or amendment to this Agreement or any SOW, nor any waiver of any rights under this Agreement, will be effective unless in writing and signed by authorized representatives of both parties.
CUSTOMER DATA PROTECTION ADDENDUM
The purpose of this DPA is to ensure compliance with Data Protection Laws concerning the processing of Personal Data. The DPA includes:
- Exhibit A – DPA General Terms and Conditions; and
- Exhibit B – EU Standard Contractual Clauses.
Except as modified in this DPA, the terms of the Master Services Agreement between the parties (the “MSA”) shall remain in full force and effect. If there is any conflict between this DPA and the MSA regarding Percona’s privacy or security obligations, the provisions of this DPA shall control. Except where the context requires otherwise, references in this DPA to the MSA are to the MSA as amended by, and including, this DPA.
IN WITNESS WHEREOF, in consideration of the mutual obligations set out in this DPA, the parties agree that this DPA is entered into and becomes a binding part of the MSA as of the MSA Effective Date. Each party’s signature on page 1 of the MSA shall be considered a signature to this DPA, including the Standard Contractual Clauses attached to this DPA as indicated above.
Exhibit A: DPA General Terms and Conditions
All capitalized terms used within this DPA, but not defined herein, shall have the meaning ascribed to such term in the Master Agreement. The following capitalized terms will have the meanings indicated below:
“Customer Personal Data” means Personal Data that Customer provides to Percona in connection with the Master Agreement.
“Data Protection Laws” means, when applicable: (a) the European General Data Protection Regulation (EU 2016/679) (“GDPR”), including applicable laws implementing or supplementing the GDPR and as transposed into domestic legislation of Member States, as amended, replaced or superseded from time to time; and (b) any applicable legislation that amends, re-enacts, replaces or supplements the data protection laws in the United Kingdom that arises from the withdrawal of the United Kingdom from the European Union (“EU”) or European Economic Area.
“EEA” means the European Economic Area, plus Switzerland and, if the United Kingdom ceases to be part of the EEA, the United Kingdom.
“Personal Data”, “processing” (and “process”), “Controller”, “Processor”, “Supervisory Authority”, and “Data Subject” shall each have the meanings as set out in Data Protection Laws.
“Services” means the services and other activities to be supplied to Customer by or on behalf of Percona pursuant to the Master Agreement.
“Standard Contractual Clauses” or “SCCs” means an agreement executed by and between Percona and Customer pursuant to the European Commission’s decision (C(2010)593) of 5 February 2010 on Standard Contractual Clauses for the transfer of Personal Data to Processors established in third countries which do not ensure an adequate level of data protection.
"Subprocessor" means any person (including any affiliates or subcontractors of Percona) appointed by or on behalf of Percona to process Customer Personal Data on behalf of Percona in connection with the Master Agreement.
2. CONTROLLER AND PROCESSOR OBLIGATIONS.
2.1 To the extent that Data Protection Laws apply to the processing of Customer Personal Data, the parties acknowledge and agree that: (a) Percona is a Processor, and Customer is a Controller or Processor (as applicable) with regard to the processing of Customer Personal Data; and (b) each party shall comply with its obligations under Data Protection Laws, and this DPA, when processing Personal Data.
2.2 Percona may only process Customer Personal Data to the extent it relates to the categories of Personal Data, the categories of Data Subjects, the scope, nature and purpose of the Services, and duration set out in this DPA and in the Master Agreement.
2.3 During the term of the Master Agreement, any transfer of Customer Personal Data under this DPA from the European Union, the EEA and/or their Member States, Switzerland and the United Kingdom, to countries which do not ensure an adequate level of data protection within the meaning of Data Protection Laws, to the extent such transfers are subject to Data Protection Laws, shall be in accordance with and governed by the SCCs in accordance with Exhibit B to the DPA, unless Percona is then a member of the EU-U.S. and Swiss-U.S. privacy shield frameworks and those frameworks remain in place, in which case such transfers shall be in accordance with and governed by those frameworks. Percona may, subject to this Section 2.3, store and process Customer Personal Data in the United States and any other country in which Percona or any of its Subprocessors are located or maintain facilities.
2.4 Customer appoints Percona to process Customer Personal Data on behalf of, and in accordance with, Customer’s written instructions as set out in the Master Agreement and this DPA, as otherwise necessary to provide Services, or as otherwise agreed to by both parties in writing. Customer shall ensure that its instructions and its sharing of Customer Personal Data with Percona comply with Data Protection Laws and that Percona’s processing of Customer Personal Data in accordance with Customer’s instructions will not cause Percona to violate any applicable laws, regulations or rules, including Data Protection Laws. If Data Protection Laws apply to the processing of Customer Personal Data and Customer is a Processor, Customer warrants that Customer’s instructions and actions with respect to that Customer Personal Data, including appointment of Percona as another Processor, have been authorized by the relevant controller. Percona agrees not to access, use or process Customer Personal Data, except as necessary to maintain or provide the Services, or as necessary to comply with applicable laws.
2.5 Customer acknowledges that the Services rarely require the use of Customer Personal Data. In the unusual case when Customer believes that Customer Personal Data may prove useful to those Services, before providing such Customer Personal Data, Customer shall: (a) anonymize or pseudonymize such information using any number of readily-available open source tools (including PMM or PTQuery); (b) encrypt such information via an encryption tool; and (c) in the context of support Services, solely provide such information in the form of an attachment to a support ticket. If Percona is providing a Service that requires Percona to have access to a Customer database, Percona may monitor and extract non-Customer Personal Data, such as statistics concerning performance of the applicable database management system, but will not download, store, copy or extract any Customer Personal Data from Customer’s database without Customer’s permission. If Customer provides Percona with access to any laptops or other equipment in connection with consulting or other Services, Customer shall provision and configure such equipment to ensure that it does not include and cannot access Customer Personal Data.
3.1 Except as otherwise permitted below, Percona shall not allow any third parties to access or process the Customer Personal Data without the prior written consent of Customer.
3.2 Customer consents to Percona engaging Percona affiliates, Salesforce, and other third party Subprocessors to process Customer Personal Data for or on behalf of Percona as part of the Services and under this DPA, provided that: i. Percona imposes data protection terms on any Subprocessor that require the Subprocessor to protect Customer Personal Data to the standard required by the Master Agreement, this DPA and Data Protection Laws; and ii. Percona remains liable for any breach of this DPA that is caused by an act, error or omission of any of its Subprocessors.
4.1 Taking into account the state of the art and the costs of the implementation and the nature, scope, context and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Percona shall implement reasonably appropriate technical and organizational measures to ensure a level of security appropriate to the risk against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Customer Personal Data. Customer is solely responsible for evaluating for itself whether the Services and Percona’s security measures will meet Customer’s needs and requirements, and agrees that the security measures implemented and maintained by Percona as set out in Appendix 2 of Exhibit B provide a level of security appropriate to the risk in respect of the Customer Personal Data.
4.2 Percona shall ensure that all persons who process Customer Personal Data, including any Subprocessors, are bound by confidentiality obligations consistent with those set out in the Master Agreement and this DPA.
5.1 To the extent required by Data Protection Laws, upon no less than thirty (30) days written notice, Percona shall make available to Customer all information necessary to demonstrate compliance with this DPA and allow for and contribute to related audits, including inspections, conducted by Customer or another auditor appointed by Customer, bound by appropriate obligations of confidentiality, and not reasonably objected to by Percona, at Customer’s cost.
6 DATA SUBJECTS.
6.1 Where Percona directly receives requests from any Data Subjects, or anyone acting on their behalf, to exercise their rights under Data Protection Laws, including to withdraw any consent, or to make any claim or complaint in relation to their rights under Data Protection Laws, then unless prohibited by applicable law, Percona will: (a) advise the Data Subject to submit his/her request to Customer (i.e., the Controller), and Customer will be responsible for responding to any such request; and (b) forward the request, claim or complaint to Customer.
6.2 If and as applicable, to the extent Customer does not have the ability to address a Data Subject request to exercise their rights under Data Protection Laws, Percona shall, upon Customer’s request and expense, provide commercially reasonable assistance to Customer in responding to such Data Subject request. The parties acknowledge and agree that Customer does not need and shall not request assistance in connection with data portability requests.
7 SECURITY INCIDENT.
7.1 Percona shall notify Customer, as soon as reasonably practicable, but no later than seventy-two (72) hours, after becoming aware of a breach of Percona security leading to unauthorized or unlawful processing, use of, or access to Customer Personal Data, or any theft of, loss of, or damage to Customer Personal Data (a “Security Incident”).
7.2 In the event of any Security Incident caused by Percona’s failure to comply with the obligations under this DPA (“Percona Security Incident”), Percona shall use commercially reasonable efforts to remediate the cause of the Percona Security Incident, to the extent that the cause of such Percona Security Incident is within Percona’s control, and to provide Customer with information reasonably necessary for Customer to provide any breach notification notices required by Data Protection Laws.
8 DELETION OF CUSTOMER PERSONAL DATA.
8.1 No later than 180 days after termination of the Master Agreement, Percona shall delete all Customer Personal Data, except to the extent that Percona and/or its Subprocessors may be required either by law and/or for the establishment, exercise or defense of legal claims to retain Customer Personal Data in accordance with Data Protection Laws or are entitled to so retain pursuant to any legitimate interest and/or other rights Percona may have under Data Protection Laws. This DPA shall continue to apply to Customer Personal Data until such data is deleted.
9 GOVERNING LAW.
9.1 This DPA, and any dispute or claim (including any non-contractual disputes or claims) arising out of or in connection with its subject matter or formation shall be governed by and construed in accordance with the laws that govern the Master Agreement, except to the extent certain matters are governed in accordance with the EU Member State law Clause 9 of the SCCs.
Exhibit B: EU Standard Contractual Clauses
Standard Contractual Clauses (Processors)
European Commission Decision C( 2 0 1 0 ) 5 9 3
1. Where Customer Personal Data originating or processed in the EEA is transferred to Percona or a Subprocessor outside of the EEA, the parties agree to abide by this Exhibit B and the EU Standard Contractual Clauses for the transfer of Personal Data from the EEA to Processors established in non-EEA countries that do not provide an adequate level of data protection approved by EC Commission Decision of 5 February 2010, as currently set out at: http://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX%3A32010D0087 (referred to as the “Clauses” or the “SCCs”).
2. The Clauses may be varied or terminated only as specifically set out in the Clauses.
3. The parties agree to observe the terms of the Clauses without modification. In the event of inconsistencies between the provisions of the Clauses and the DPA or other agreements between the parties, the Clauses shall take precedence. The terms of the DPA shall not vary the Clauses in any way.
4. Information required for Appendix 1 and Appendix 2 of the Clauses shall be as described in this Exhibit B to the DPA.
5. The governing law in clause 9 of the Clauses shall be the law of the Member State in which Customer (as data exporter) is established.
6. Each of the parties' signatures to the MSA shall be considered a signature to the Clauses and this Exhibit B, as indicated on the first page of the DPA. If so required by the laws or regulatory procedures of any jurisdiction, the parties shall execute or re-execute the Clauses as separate documents setting out the proposed transfers of Customer Personal Data in such manner as may be required.
to the EU Standard Contractual Clauses
This Appendix forms part of the Clauses and must be completed and signed by the parties.
The Member States may complete or specify, according to their national procedures, any additional necessary information to be contained in this Appendix.
The data exporter is the Customer identified on the Signature Page of the MSA.
Customer has engaged Percona to provide Services as described in the Master Agreement.
The data importer is: Percona
Percona provides Services as described in the Master Agreement.
The personal data transferred concern the following categories of data subjects:
- Data exporter's current employees, contractors and customers.
Categories of data
The personal data transferred concern the following categories of data:
- Of data exporter's current employees and contractors:
- Names and contact information, including: phone numbers, email addresses, business mailing addresses, usernames, IP addresses.
- Of data exporter's current customers:
- Names and business contact information, including: phone numbers, email addresses, business mailing addresses, usernames, IP addresses, job titles.
Special categories of data (if appropriate)
The personal data transferred concern the following special categories of data: None.
The personal data transferred will be subject to the following basic processing activities:
- Data importer will process personal data it receives or accesses in connection with the Services only for the purpose of providing the Services to the data exporter under the Master Agreement and DPA.
- Pursuant to FAQ II.1 in Article 29 Working Party Paper WP 176, the data exporter may provide a general consent to onward subprocessing by the data importer. Data exporter hereby provides a general consent to data importer, pursuant to Clause 11 of the SCCs, to engage onward subprocessors. Such consent is conditional on data importer’s compliance with the requirements set out in Section 2.4 of the DPA.
to the EU Standard Contractual Clauses
This Appendix forms part of the Clauses and must be completed and signed by the parties.
Description of the technical and organisational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) (or document/legislation attached):
Data importer has implemented security and/or privacy policies and baselines, as listed below:
- Security and/or Privacy Polices & Baselines:
- Information Security Program Policy;
- Anti-Virus Policy;
- Patching Policy;
- Password Policy;
- Encryption Policy;
- Email Policy;
- Privacy & Security Awareness Training Policy;
- 2FA (Two-Factor Authentication);
- Information Classification Policy;
- Data Protection by Design Policy & Checklist;
- Data Storage, Retention & Disposal Policy;
- Data Request Submission Form;
- Personal Data Handling and Protection Policy;
- Security baselines addressing: Wi-Fi connections; operating systems; encryption; company anti-virus; mobile devices; secure communication;
- Video surveillance at data importer’s headquarters, as well as badge readers;
- Company-wide security awareness training.
- Data importer requires staff to agree to and comply with such Policies and Baselines.
- Email communications to keep staff informed and aware of known security threats and vulnerabilities.
- Communicating new policies and/or procedures to staff.
- Incident Response Plan.
- Vendor management & vendor due diligence.
- Anonymous reporting mechanism.